Page 141 / 296
Reference Manual for the ProSafe Wireless 802.11g
Firewall/Print Server Model FWG114P v2
Virtual Private Networking
8-29
201-10301-02, May 2005
c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FWG114P v2” Self Certificate Request will be listed, as illustrated in Figure 8-19 below.

Figure 8-19: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.

Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt.
6. Upload the new certificate.
a. From the main menu VPN section, click on the Certificates link.
b. Click the radio button of the Self Certificate Request you want to upload.
c. Click the Upload Certificate button.
d. Browse to the location of the file you saved in step 5 above which contains the certificate from the CA.
e. Click the Upload button.
f. You will now see the “FWG114P v2” entry in the Active Self Certificates table and the pending “FWG114P v2” Self Certificate Request is gone, as illustrated below.

Figure 8-20: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FWG114P v2.
a. Create a new IKE policy called Scenario_2 with all the same properties as Scenario_1 (see “Scenario 1 IKE Policy” on page 8-22), except now use RSA Signature instead of the shared key.

Figure 8-21: IKE policy using RSA Signature

b. Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a, except that it uses the IKE policy called Scenario_2.
Now, the traffic from devices within the range of the LAN subnet addresses on FWG114P v2
A and Gateway B will be authenticated using the certificates rather than via a shared key.
8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.

Note: The procedure for obtaining a CRL differs between a CA like Verisign and a CA, such as a Windows 2000 certificate server, which an organization operates to provide certificates for its members. Follow the procedures of your CA.

b. From the main menu VPN section, click on the CRL link.
c. Click Add to add a CRL.
d. Click Browse to locate the CRL file.
e. Click Upload.

Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by IKE policies which use this CA.

Note: You must update the CRLs regularly in order to maintain the validity of the certificate-based VPN policies.
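The following shell script is an added example and is not part of the NETGEAR manual. It shows the checks an administrator can run with the OpenSSL command-line tool before uploading the certificate the CA returns (steps 5 and 6) and the CRL (step 8): that the returned certificate chains to the trusted root CA and carries the public key from the Self Certificate Request, which certificates the CRL causes to be rejected (the same decision the gateway makes once the CRL is uploaded), and when the CRL's nextUpdate date falls, so that a fresh CRL is uploaded before the old one lapses. It assumes openssl is installed; the root CA, gateway CSR, issued certificate (saved as final.txt as the manual suggests), a second certificate that is then revoked, and the CRL are all constructed inside the script, so nothing here comes from a real CA.

```shell
#!/bin/sh
# Added example (not from the NETGEAR manual): pre-upload checks for a CA-issued
# certificate and a CRL using the OpenSSL command-line tool. Assumes openssl is
# on PATH. All keys, certificates and the CRL below are constructed throwaways.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: a [req] section so CSRs can be built from -subj, and
# an "openssl ca" section used only to revoke a certificate and emit a CRL.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

# Constructed fixtures: a root CA (stands in for the "Trusted Root CA"), the
# gateway's CSR (its Self Certificate Request), the certificate the CA returns
# (saved as final.txt), plus a retired certificate that is revoked and a CRL.
make_fixtures() {
  openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Test Root CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=FWG114P v2" -keyout gw.key -out gw.csr 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in gw.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out final.txt 2>/dev/null
  openssl req -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Retired gateway" -keyout old.key -out old.csr 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in old.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out old.crt 2>/dev/null
  # Empty "openssl ca" database, needed only to record the revocation.
  touch index.txt
  echo 1000 > crlnumber
  openssl ca -config openssl.cnf -keyfile ca.key -cert ca.crt -revoke old.crt 2>/dev/null
  openssl ca -config openssl.cnf -keyfile ca.key -cert ca.crt -gencrl -out crl.pem 2>/dev/null
}

# Check 1: the certificate the CA sent back really chains to the trusted root.
# Prints "valid" or "invalid".
verify_chain() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Check 2: it carries the public key from our CSR; otherwise the CA returned a
# certificate for some other request. Prints "match" or "mismatch".
key_matches_csr() {
  cert_key=$(openssl x509 -in "$1" -noout -pubkey)
  csr_key=$(openssl req -in "$2" -noout -pubkey)
  if [ "$cert_key" = "$csr_key" ]; then echo match; else echo mismatch; fi
}

# Check 3: revocation status against the CRL file you are about to upload.
# Prints "good" or "rejected".
crl_status() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" >/dev/null 2>&1; then
    echo good
  else
    echo rejected
  fi
}

# Check 4: the CRL's nextUpdate; a replacement CRL must be uploaded before it.
crl_next_update() {
  openssl crl -in crl.pem -noout -nextupdate | sed 's/^nextUpdate=//'
}

make_fixtures
echo "chain to root CA:   $(verify_chain final.txt)"
echo "key matches CSR:    $(key_matches_csr final.txt gw.csr)"
echo "final.txt vs CRL:   $(crl_status final.txt)"
echo "old.crt vs CRL:     $(crl_status old.crt)"
echo "CRL valid until:    $(crl_next_update)"
```

Because the CRL and the certificates are PEM-encoded, they are the plain text files the manual asks you to save; the gateway applies the same chain and revocation logic shown by crl_status once the CRL has been uploaded, and crl_next_update tells you the deadline for the regular CRL refresh the final note calls for.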
Netgear VPN Client to FWG114P v2
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an
FWG114P v2. This case study follows the Virtual Private Network Consortium (VPNC)
interoperability profile guidelines. The menu options for the FVS328, FVL328, FWAG114, and
FWG114P v2 are the same.
Configuration Profile
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process: verify that the firmware is up to date, and confirm all of the addresses that will be necessary and all of the parameters that need to be set on both sides. Check that there are no firewall restrictions.
Table 8-1. Summary

VPN Consortium Scenario:   Scenario 1
Type of VPN:               PC/Client-to-Gateway
Security Scheme:           IKE with Preshared Secret/Key (not Certificate-based)
Date Tested:               December 2003
Model/Firmware Tested:     Gateway: FWG114P firmware v 2.2
                           Client: NETGEAR ProSafe VPN Client v10.1
IP Addressing:             Gateway: Static IP address
                           Client: Dynamic
Figure 8-22: Addressing and Subnet Used for Examples
Step-By-Step Configuration of FWG114P v2 Gateway

1. Log in to the FWG114P v2 gateway as in the illustration.
Out of the box, the FWG114P v2 is set for its default LAN address of
with its default user name of admin and default password of password.