1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FWG114P
    5. /
  5. 26
Page 126 / 296 Scroll up to view Page 121 - 125
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
8-14
Virtual Private Networking
201-10301-02, May 2005
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are strings generated using encryption and authentication schemes which
cannot be duplicated by anyone without access to the different values used in the production of the
string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation
uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities
(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The
FWG114P v2 is able to use certificates to authenticate users at the end points during the IKE key
exchange process.
The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, and so on.
Each CA has its own certificate. The certificates of a CA are added to the FWG114P v2 and can
then be used to form IKE policies for the user. Once a CA certificate is added to the FWG114P v2
and a certificate is created for a user, the corresponding IKE policy is added to the FWG114P v2.
Whenever the user tries to send traffic through the FWG114P v2, the certificates are used in place
of pre-shared keys during initial key exchange as the authentication and key generation
mechanism. Once the keys are established and the tunnel is set up the connection proceeds
according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FWG114P v2 obtained from the corresponding CA. If the certificate is not present in
the CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FWG114P v2 CRL regularly in order for the CA-based
authentication process to remain valid.
Page 127 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
8-15
201-10301-02, May 2005
Walk-Through of Configuration Scenarios on the FWG114P
v2
There are a variety of configurations you might implement with the FWG114P v2. The scenarios
listed below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (
). The goal is to
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:
VPN Consortium Scenarios without Any Product Implementation Details as presented in
“VPNC Scenario 1: Gateway to Gateway with Preshared Secrets” on page 8-19
and
“VPNC
Scenario 2: Gateway-to-Gateway with Certificates” on page 8-25
.
VPN Consortium Scenarios Based on the FWG114P v2 User Interface as presented in
“Scenario 1: FWG114P v2 to FWG114P v2 with Preshared Secrets” on page 8-20
and
“Scenario 2: FWG114P v2 to FWG114P v2 with Certificates” on page 8-26
.
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing.
How to Use the VPN Wizard to Configure a VPN Tunnel
Follow this procedure to configure a VPN tunnel using the VPN Wizard.
Note:
The LAN IP address ranges of each VPN endpoint must be different. The connection will
fail if both are using the NETGEAR default address range of 192.168.0.x.
1.
Log in to the FVS318 on LAN A at its default LAN address of
with its
default user name of
admin
and password of
password
. Click the VPN Wizard link in the
main menu to display this screen. Click
Next
to proceed.
Note:
If you have turned NAT off, before configuring VPN IPSec tunnels you must first
open UDP port 500 for inbound traffic as explained in
“Example: Port Forwarding for
VPN Tunnels when NAT is Off” on page 6-8
.
Page 128 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
8-16
Virtual Private Networking
201-10301-02, May 2005
Figure 8-5:
VPN Wizard Start Screen
2.
Fill in the Connection Name, pre-shared key, and select the type of target end point, and click
Next
to proceed.
Figure 8-6:
Connection Name and Remote IP Type
Page 129 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
8-17
201-10301-02, May 2005
3.
Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click
Next
.
Figure 8-7:
Remote IP
4.
Identify the IP addresses at the target endpoint which can use this tunnel, and click
Next
.
Figure 8-8:
Secure Connection Remote Accessibility
The Summary screen below displays.
Page 130 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
8-18
Virtual Private Networking
201-10301-02, May 2005
Figure 8-9:
VPN Wizard Summary
To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings
the VPN Wizard used, click the “
here
” link.
5.
Click
Done
to complete the configuration procedure. The VPN Settings menu displays
showing that the new tunnel is enabled
To view or modify the tunnel settings, select the radio button next to the tunnel entry and click
Edit.

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top