Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
8-24
Virtual Private Networking
201-10301-02, May 2005
How to Check VPN Connections
You can test connectivity and view VPN status information on the FWG114P v2.
1. To test connectivity between the Gateway A FWG114P v2 LAN and the Gateway B LAN, follow these steps:
a. Using our example, from a Windows PC attached to the FWG114P v2 on LAN A, click the Start button on the taskbar and then click Run.
b. Enter ping -t 172.23.9.1, and then click OK.
c. This sends a continuous ping to the LAN interface of Gateway B. The tunnel is negotiated on demand, so the first pings are lost while IKE completes; after anywhere from several seconds to two minutes, the ping response should change from "timed out" to "reply."
d. At this point the tunnel is established.
2. To test connectivity between the FWG114P v2 Gateway A and Gateway B WAN ports, follow these steps:
a. Using our example, log in to the FWG114P v2 on LAN A, go to the main menu Maintenance section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click Ping.
c. This sends a ping to the WAN interface of Gateway B. After anywhere from several seconds to two minutes, the ping response should change from "timed out" to "reply." You may have to run this test several times before you get the "reply" message back from the target FWG114P v2.
d. At this point the WAN-to-WAN path is confirmed. Note that this ping travels outside the tunnel; it shows that the two gateways can reach each other over the Internet, which IKE needs, but not that the tunnel itself is up. Step 1 tests the tunnel.
Note: If you want to ping the FWG114P v2 as a test of network connectivity, be sure the FWG114P v2 is configured to respond to a ping on the Internet WAN port by checking the checkbox seen in "Rules menu" on page 6-5. Answering pings on the WAN port lets anyone on the Internet confirm that the gateway exists, so to preserve a high degree of security you should turn this feature off again when you are finished with testing.
3. To view the FWG114P v2 event log and status of Security Associations, follow these steps:
a. Go to the FWG114P v2 main menu VPN section and click the VPN Status link.
b. The log screen displays a history of the VPN connections, and the IPSec SA and IKE SA tables report the status and data transmission statistics of the VPN tunnels for each policy.
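The LAN-to-LAN check in step 1 can be scripted so that it records how long the tunnel took to come up and gives up after the two-minute window the manual describes. The script below is an added example, not NETGEAR's own tooling; it assumes a Linux host on LAN A with the iputils ping (-c and -W flags), and 172.23.9.1 is Gateway B's LAN address from the VPNC scenario.

```shell
#!/bin/sh
# Added example (not from the NETGEAR manual): poll the far LAN interface
# until the tunnel answers, or give up after a deadline.  The 120-second
# default mirrors the manual's "several seconds to two minutes".
# Assumes iputils ping: -c 1 sends one probe, -W 1 waits one second for it.

# wait_for_tunnel HOST [DEADLINE_SECONDS]
#   returns 0 and prints the seconds until the first reply, or
#   returns 1 after DEADLINE_SECONDS with no reply.
wait_for_tunnel() {
    host="$1"
    deadline="${2:-120}"
    start=$(date +%s)
    while :; do
        # One probe per second.  Like the manual's "ping -t", the first probe
        # is what makes the gateway start IKE if the tunnel is idle, so the
        # early probes are expected to time out.
        if ping -c 1 -W 1 "$host" >/dev/null 2>&1; then
            echo $(( $(date +%s) - start ))
            return 0
        fi
        if [ $(( $(date +%s) - start )) -ge "$deadline" ]; then
            echo "no reply from $host after ${deadline}s" >&2
            return 1
        fi
        sleep 1
    done
}

# Usage: ./wait_for_tunnel.sh 172.23.9.1 [120]
if [ $# -gt 0 ]; then
    wait_for_tunnel "$@" && echo "tunnel up"
fi
```

Run it from a LAN A host before looking at the VPN Status page: a reply within the window confirms the tunnel, while a timeout with the WAN ping from step 2 still succeeding points at the IKE or IPsec policy rather than Internet connectivity.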
VPNC Scenario 2: Gateway-to-Gateway with Certificates
The following is a typical gateway-to-gateway VPN that uses PKIX certificates for authentication.
Figure 8-16: VPN Consortium Scenario 2
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 2 are:
Main mode
TripleDES
SHA-1
MODP group 2 (1024 bits)
Authentication with signatures authenticated by PKIX certificates; both Gateway A and Gateway B have end-entity certificates that chain to a root authority called "Trusted Root CA."
SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 2 are:
TripleDES
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
[Figure 8-16 shows Gateway A (LAN 10.5.6.0/24, LAN address 10.5.6.1, WAN address 14.15.16.17) and Gateway B (WAN address 22.23.24.25, LAN address 172.23.9.1, LAN 172.23.9.0/24) connected through the Internet.]
Scenario 2: FWG114P v2 to FWG114P v2 with Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, except that the peers identify themselves with signatures authenticated by PKIX certificates rather than with a pre-shared key.
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the FWG114P v2. Certificate validity periods are checked against the gateway's clock, so a wrong time or time zone can cause an otherwise valid certificate to be rejected. For instructions on this topic, please see "Setting the Time Zone" on page 6-13.
1. Obtain a root certificate.
a. Obtain the root certificate (which includes the CA's public key) from a Certificate Authority (CA).
Note: The procedure for obtaining certificates differs between a commercial CA like Verisign and an in-house CA, such as a Windows 2000 certificate server that an organization operates to provide certificates for its members. For example, an administrator of a Windows 2000 certificate server might send it to you by e-mail. Whatever root you install will be trusted to vouch for any VPN peer, so if you receive it by e-mail, confirm its fingerprint with the CA administrator by another channel before installing it.
b. Save the certificate as a text file called trust.txt.
2. Install the trusted CA certificate for the Trusted Root CA.
a. Log in to the FWG114P v2.
b. From the main menu VPN section, click on the CA's link.
c. Click Add to add a CA.
d. Click Browse to locate the trust.txt file.
e. Click Upload.
3. Create a certificate request for the FWG114P v2.
a. From the main menu VPN section, click the Certificates link.
b. Click the Generate Request button to display the screen illustrated in Figure 8-17 below.
Figure 8-17: Generate Self Certificate Request menu
c. Fill in the fields on the Add Self Certificate screen.
Required
Name. Enter a name to identify this certificate.
Subject. This is the name which other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates you request for the organization should use the same Subject value.
Hash Algorithm. Select the desired option: MD5 or SHA1. MD5 is no longer considered collision resistant; choose SHA1 unless your CA requires otherwise.
Signature Algorithm. Select the desired option: DSS or RSA.
Signature Key Length. Select the desired option: 512, 1024, or 2048. A 512-bit key can be factored with modest resources and should not be used; 2048 is the strongest option offered here and is the one to choose.
Optional
IP Address. If you use "IP type" in the IKE policy, you should input the IP Address here. Otherwise, you should leave this blank.
Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
E-mail Address. You can enter your e-mail address here.
Fill in only the identifier that the IKE policy uses as this gateway's local identity; the value entered here must match what the peer's IKE policy expects, or Phase 1 will fail even though the certificate chain is valid.
d. Click the Next button to continue. The FWG114P v2 generates a Self Certificate Request as shown below.
Figure 8-18: Self Certificate Request data
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file. The request contains only the public key and the identity fields; the private key never leaves the FWG114P v2, so the request itself does not need to be kept secret, only intact.
b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA, you might simply e-mail it to the CA administrator. Procedures differ between a commercial CA like Verisign and an in-house Windows 2000 certificate server; follow the procedures of your CA.
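The certificate workflow in steps 1 to 4 (obtain the root, save it as trust.txt, generate a request, have the CA sign it, and install a certificate that chains to the installed root) can be rehearsed end to end with OpenSSL before involving a production CA. The script below is an added example, not NETGEAR's code and not a Windows 2000 certificate server procedure. It assumes a POSIX shell with OpenSSL 1.1.1 or later; the work directory, the gateway name gwA, the subject "Example Corp", the WAN address 14.15.16.17 and the SHA-256 signature digest used by the CA are assumptions. It also generates the gateway's key pair itself, which the real FWG114P v2 does on-device, so that the request it checks has the same shape as the one copied from the Data to supply to CA area.

```shell
#!/bin/sh
# Added example (not NETGEAR's code): stand up a throwaway "Trusted Root CA"
# with OpenSSL, check a gateway's certificate request, sign it, and confirm
# that the issued certificate chains to trust.txt while a certificate from
# some other CA does not.  Names, addresses and the sha256 digest are
# assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME SUBJECT -> NAME.key (private) and NAME.txt (PEM root cert),
# the latter being what step 1b saves as trust.txt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.txt" 2>/dev/null
}

# make_request NAME SUBJECT IP -> a CSR standing in for the gateway's
# Self Certificate Request; the IP goes into subjectAltName, the place a
# peer using "IP type" identity looks for it
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -addext "subjectAltName=IP:$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# request_key_bits CSR -> prints the RSA modulus size found in the request
request_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# request_ok CSR -> 0 only if the self-signature verifies and the key is at
# least 1024 bits (rejects a request generated with the 512-bit option)
request_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(request_key_bits "$1")" -ge 1024 ]
}

# sign_request CSR CANAME IP OUT -> end-entity certificate issued by CANAME
sign_request() {
    printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$WORK/ext.cnf"
    openssl x509 -req -in "$1" -CA "$WORK/$2.txt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
        -out "$4" 2>/dev/null
}

# chain_ok CERT CAFILE -> 0 only if CERT chains to the root in CAFILE,
# the same decision the gateway makes against the CAs installed in step 2
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# demo -> 0 when every check behaves as expected
demo() {
    make_ca trusted "/CN=Trusted Root CA"
    make_ca other   "/CN=Some Other CA"
    make_request gwA "/O=Example Corp/CN=Gateway A" 14.15.16.17
    request_ok "$WORK/gwA.csr" || return 1
    sign_request "$WORK/gwA.csr" trusted 14.15.16.17 "$WORK/gwA.crt"
    chain_ok "$WORK/gwA.crt" "$WORK/trusted.txt" || return 1   # accepted
    ! chain_ok "$WORK/gwA.crt" "$WORK/other.txt"               # rejected
}

if [ "${1:-}" = "--demo" ]; then
    demo && echo "PKI checks passed (work dir: $WORK)"
fi
```

With a real request, paste the text copied in step 4a into a file and run request_ok on it before sending it to the CA; run chain_ok on the certificate the CA returns against the trust.txt you uploaded in step 2, because the gateway will reject a certificate that was signed by a different root, however valid it looks on its own.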