Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2
Virtual Private Networking
8-4
201-10301-02, May 2005
The IKE Policy Configuration fields are defined in the following table.

Table 8-1. IKE Policy Configuration Fields

General
    These settings identify this policy and determine its major characteristics.

  Policy Name
    The descriptive name of the IKE policy. Each policy should have a unique
    policy name. This name is not supplied to the remote VPN endpoint. It is
    only used to help you identify IKE policies.

  Direction/Type
    This setting is used when determining if the IKE policy matches the current
    traffic. The drop-down menu includes the following:
      Initiator – Outgoing connections are allowed, but incoming are blocked.
      Responder – Incoming connections are allowed, but outgoing are blocked.
      Both Directions – Both outgoing and incoming connections are allowed.
      Remote Access – This is to allow only incoming client connections,
      where the IP address of the remote client is unknown.
    If Remote Access is selected, the “Exchange Mode” MUST be “Aggressive,”
    and the “Identities” below (both Local and Remote) MUST be “Name.” On the
    matching VPN Policy, the IP address of the remote VPN endpoint should be
    set to 0.0.0.0.

  Exchange Mode
    Main Mode or Aggressive Mode. This setting must match the setting used
    on the remote VPN endpoint.
    Main Mode is slower but more secure. Also, the “Identity” below must be
    established by IP address.
    Aggressive Mode is faster but less secure. The “Identity” below can be by
    name (host name, domain name, e-mail address, and so on) instead of by
    IP address.

Local
    These parameters apply to the Local FWG114P v2 Wireless Firewall/Print
    Server.

  Local Identity Type
    Use this field to identify the local FWG114P v2. You can choose one of the
    following four options from the drop-down list:
      By its Internet (WAN) port IP address.
      By its Fully Qualified Domain Name (FQDN) – your domain name.
      By a Fully Qualified User Name – your name, e-mail address, or other ID.
      By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500
      Distinguished Name.

  Local Identity Data
    This field lets you identify the local FWG114P v2 by name.
Remote
    These parameters apply to the target remote FWG114P v2, VPN gateway,
    or VPN client.

  Remote Identity Type
    Use this field to identify the remote FWG114P v2. You can choose one of
    the following four options from the drop-down list:
      By its Internet (WAN) port IP address.
      By its Fully Qualified Domain Name (FQDN) – your domain name.
      By a Fully Qualified User Name – your name, e-mail address, or other ID.
      By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500
      Distinguished Name.

  Remote Identity Data
    This field lets you identify the target remote FWG114P v2 by name.

IKE SA Parameters
    These parameters determine the properties of the IKE Security Association.

  Encryption Algorithm
    Choose the encryption algorithm for this IKE policy:
      DES is the default.
      3DES is more secure.

  Authentication Algorithm
    If you enable Authentication Header (AH), this menu lets you select from
    these authentication algorithms:
      MD5 is the default.
      SHA-1 is more secure.

  Authentication Method
    You may select Pre-Shared Key or RSA Signature.
      Pre-Shared Key – Specify the key according to the requirements of the
      Authentication Algorithm you selected.
        For MD5, the key length should be 16 bytes.
        For SHA-1, the key length should be 20 bytes.
      RSA Signature – RSA Signature requires a certificate.

  Diffie-Hellman (D-H) Group
    The DH Group setting determines the bit size used in the key exchange.
    This must match the value used on the remote VPN gateway or client.

  SA Life Time
    The amount of time in seconds before the Security Association expires;
    over an hour (3600) is common.
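As an added illustration, not NETGEAR's code, the rules the IKE Policy table states (Remote Access needs Aggressive mode, Name identities and a 0.0.0.0 remote endpoint; Main Mode needs identities by IP address; pre-shared key length follows the authentication algorithm; RSA Signature needs a certificate) expressed as a validator. The IkePolicy field names and the drop-down choice strings are assumed, and the remote-endpoint value is assumed to be handed in from the matching VPN policy.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constraints taken from the IKE Policy table above. Field names and the
# string values for the drop-down choices are assumed; the device UI may
# label them differently.
PSK_LENGTH_BYTES = {"MD5": 16, "SHA-1": 20}               # Pre-Shared Key row
NAME_IDENTITIES = {"FQDN", "User FQDN", "DER ASN.1 DN"}  # the non-IP identity choices


@dataclass
class IkePolicy:
    direction: str              # Initiator | Responder | Both Directions | Remote Access
    exchange_mode: str          # Main | Aggressive
    local_identity_type: str    # WAN IP | FQDN | User FQDN | DER ASN.1 DN
    remote_identity_type: str
    auth_algorithm: str         # MD5 | SHA-1
    auth_method: str            # Pre-Shared Key | RSA Signature
    pre_shared_key: Optional[bytes] = None
    has_certificate: bool = False
    vpn_remote_endpoint: Optional[str] = None  # assumed: copied from the matching VPN policy
    sa_lifetime_seconds: int = 3600


def validate_ike_policy(p: IkePolicy) -> List[str]:
    """Return every rule from the table that the policy violates (empty list = OK)."""
    problems: List[str] = []
    if p.direction == "Remote Access":
        if p.exchange_mode != "Aggressive":
            problems.append("Remote Access requires Exchange Mode = Aggressive")
        if not {p.local_identity_type, p.remote_identity_type} <= NAME_IDENTITIES:
            problems.append("Remote Access requires Local and Remote identities by Name")
        if p.vpn_remote_endpoint != "0.0.0.0":
            problems.append("matching VPN policy must use remote endpoint 0.0.0.0")
    if p.exchange_mode == "Main" and (
        p.local_identity_type != "WAN IP" or p.remote_identity_type != "WAN IP"
    ):
        problems.append("Main Mode requires identities established by IP address")
    if p.auth_method == "Pre-Shared Key":
        want = PSK_LENGTH_BYTES.get(p.auth_algorithm)
        if want is None:
            problems.append(f"unknown Authentication Algorithm {p.auth_algorithm!r}")
        elif p.pre_shared_key is None or len(p.pre_shared_key) != want:
            problems.append(f"{p.auth_algorithm} pre-shared key should be {want} bytes")
    elif p.auth_method == "RSA Signature" and not p.has_certificate:
        problems.append("RSA Signature requires a certificate")
    if p.sa_lifetime_seconds <= 0:
        problems.append("SA Life Time must be a positive number of seconds")
    return problems
```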
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 8-3: VPN - Auto Policy Menu
The VPN Auto Policy fields are defined in the following table.

Table 8-1. VPN Auto Policy Configuration Fields

General
    These settings identify this policy and determine its major characteristics.

  Policy Name
    The descriptive name of the VPN policy. Each policy should have a unique
    policy name. This name is not supplied to the remote VPN endpoint. It is
    only used to help you identify VPN policies.

  IKE Policy
    The existing IKE policies are presented in a drop-down list.
    Note: Create the IKE policy BEFORE creating a VPN - Auto policy.

  Remote VPN Endpoint
    The address used to locate the remote VPN firewall or client to which you
    wish to connect. The remote VPN endpoint must have this FWG114P v2’s
    Local IP values entered as its “Remote VPN Endpoint.”

    Address Type
      The address type used to locate the remote VPN firewall or client to
      which you wish to connect:
        By its Fully Qualified Domain Name (FQDN) – your domain name.
        By its IP Address.

    Address Data
      The address used to locate the remote VPN firewall or client to which
      you wish to connect, given as an FQDN or an IP address according to the
      Address Type. The remote VPN endpoint must have this FWG114P v2’s
      Local Identity Data entered as its “Remote VPN Endpoint.”

  SA Life Time
    The duration of the Security Association before it expires.
      Seconds – the amount of time before the SA expires. Over an hour is
      common (3600).
      Kbytes – the amount of traffic before the SA expires.
    One of these can be set without setting the other.

  IPSec PFS
    If enabled, security is enhanced by ensuring that the key is changed at
    regular intervals. Also, even if one key is broken, subsequent keys are no
    easier to break. Each key has no relationship to the previous key.

  PFS Key Group
    If PFS is enabled, this setting determines the DH group bit size used in the
    key exchange. This must match the value used on the remote gateway.
Traffic Selector
    These settings determine if and when a VPN tunnel will be established. If
    network traffic meets all criteria, then a VPN tunnel will be created.

  Local IP
    The drop-down menu allows you to configure the source IP address of the
    outbound network traffic for which this VPN policy will provide security.
    Usually, this address will be from your network address space. The
    choices are:
      Default: ANY for all valid IP addresses in the Internet address space
      Note: Selecting ANY means all traffic goes through the IPSec tunnel
      and prevents access to the Internet.
      Single IP Address
      Range of IP Addresses
      Subnet Address

  Remote IP
    The drop-down menu allows you to configure the destination IP address of
    the outbound network traffic for which this VPN policy will provide security.
    Usually, this address will be from the remote site's corporate network
    address space. The choices are:
      ANY for all valid IP addresses in the Internet address space
      Note: Selecting ANY means all traffic goes through the IPSec tunnel
      and prevents access to the Internet.
      Single IP Address
      Range of IP Addresses
      Subnet Address

Authenticating Header (AH) Configuration
    AH specifies the authentication protocol for the VPN header. These
    settings must match the remote VPN endpoint.

  Enable Authentication
    Use this checkbox to enable or disable AH for this VPN policy.

  Authentication Algorithm
    If you enable AH, then select the authentication algorithm:
      MD5 is the default.
      SHA1 is more secure.

Encapsulated Security Payload (ESP) Configuration
    ESP provides security for the payload (data) sent through the VPN tunnel.
    Generally, you will want to enable both Encryption and Authentication.
    Two ESP modes are available:
      Plain ESP encryption
      ESP encryption with authentication
    These settings must match the remote VPN endpoint.
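An added example, not from the manual, of how the Traffic Selector choices (ANY, Single IP Address, Range of IP Addresses, Subnet Address) decide whether outbound traffic is tunnelled: a tunnel applies only when both the Local IP (source) and Remote IP (destination) selectors match, and an ANY/ANY policy captures Internet-bound traffic as the Note warns. The selector class, policy layout and sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AddressSelector:
    """One Local IP / Remote IP choice from the Traffic Selector rows (constructed model)."""
    kind: str              # "ANY" | "Single" | "Range" | "Subnet"
    start: str = ""        # single address, range start, or subnet address
    end_or_mask: str = ""  # range end, or subnet mask in dotted form

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "ANY":
            return True                       # every valid Internet address
        if self.kind == "Single":
            return addr == ipaddress.ip_address(self.start)
        if self.kind == "Range":
            lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end_or_mask)
            return lo <= addr <= hi
        if self.kind == "Subnet":
            net = ipaddress.ip_network(f"{self.start}/{self.end_or_mask}", strict=False)
            return addr in net
        raise ValueError(f"unknown selector kind {self.kind!r}")


@dataclass
class VpnPolicy:
    name: str
    local_ip: AddressSelector    # source selector
    remote_ip: AddressSelector   # destination selector


def select_policy(policies: List[VpnPolicy], src: str, dst: str) -> Optional[VpnPolicy]:
    """A tunnel is used only when ALL criteria match: Local IP (source) and
    Remote IP (destination). None means no policy applies and the packet
    leaves the WAN port outside any tunnel."""
    for p in policies:
        if p.local_ip.matches(src) and p.remote_ip.matches(dst):
            return p
    return None


# Constructed sample policies (addresses are documentation/private ranges, not from the manual).
SITE_TO_SITE = VpnPolicy(
    "branch",
    AddressSelector("Subnet", "192.168.0.0", "255.255.255.0"),  # our LAN
    AddressSelector("Subnet", "10.1.0.0", "255.255.0.0"),       # remote corporate network
)
# ANY/ANY: everything from the LAN, including Internet-bound traffic, is pulled into the tunnel.
CATCH_ALL = VpnPolicy("any-any", AddressSelector("ANY"), AddressSelector("ANY"))
```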
