ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Virtual Private Networking Using IPSec and L2TP Connections
Page 236
Table 54. Add IKE Policy screen settings (continued)

Setting / Description

Authentication Method
    Select one of the following radio buttons to specify the authentication method:
    - Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
    - RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 323). The pre-shared key is masked out when you select RSA-Signature.

Pre-shared key
    A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote ("), single quote ('), or space in the key.

Diffie-Hellman (DH) Group
    The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
    - Group 1 (768 bit).
    - Group 2 (1024 bit). This is the default setting.
    - Group 5 (1536 bit).
    Note: Ensure that the DH Group is configured identically on both sides.

SA-Lifetime (sec)
    The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default is 28800 seconds (8 hours).

Enable Dead Peer Detection
    Select a radio button to specify whether Dead Peer Detection (DPD) is enabled:
    - Yes. This feature is enabled. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
    - No. This feature is disabled. This is the default setting.
    Note: See also Configure Keep-Alives and Dead Peer Detection on page 265.

Detection Period
    The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.

Reconnect after failure count
    The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.
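The following is an added example, not code from the NETGEAR manual, that models the IKE policy rules in Table 54 above: it validates a pre-shared key against the screen's length and character rules, checks that two peers agree on the settings the manual says must match (the DH group in particular), and walks a constructed timeline to show when Dead Peer Detection sends R-U-THERE probes and when the "Reconnect after failure count" threshold tears the SA down. The class and function names, the detection-period value (the manual gives no default), and the timeline are assumptions.

```python
"""Added example (not from the NETGEAR manual): pre-shared key rules, peer
setting agreement, and a Dead Peer Detection timeline for an IKE policy.
Names, the assumed detection period and the traffic timeline are constructed."""
from dataclasses import dataclass

PSK_MIN, PSK_MAX = 8, 49                    # pre-shared key length limits from Table 54
PSK_FORBIDDEN = {'"', "'", " "}             # double quote, single quote, space
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}  # groups offered on the Add IKE Policy screen


def check_psk(key: str) -> list:
    """Return the rule violations for a pre-shared key (empty list = acceptable)."""
    problems = []
    if not PSK_MIN <= len(key) <= PSK_MAX:
        problems.append(f"length {len(key)} not in {PSK_MIN}..{PSK_MAX}")
    bad = sorted(PSK_FORBIDDEN & set(key))
    if bad:
        problems.append("forbidden characters: " + ", ".join(repr(c) for c in bad))
    return problems


@dataclass
class IkePolicy:
    auth_method: str            # "Pre-shared key" or "RSA-Signature"
    dh_group: int               # 1, 2 or 5
    sa_lifetime: int = 28800    # seconds; the screen default (8 hours)
    dpd_enabled: bool = False   # screen default is No
    detection_period: int = 10  # seconds between R-U-THERE probes (assumed value)
    failure_count: int = 3      # Reconnect after failure count; screen default


def peer_mismatches(local: IkePolicy, remote: IkePolicy) -> list:
    """Settings that must be identical on both sides for Phase 1 to succeed."""
    out = []
    if local.dh_group not in DH_GROUP_BITS:
        out.append(f"unsupported DH group {local.dh_group}")
    if local.dh_group != remote.dh_group:
        out.append(f"DH group {local.dh_group} vs {remote.dh_group}")
    if local.auth_method != remote.auth_method:
        out.append(f"auth {local.auth_method} vs {remote.auth_method}")
    return out


def simulate_dpd(policy: IkePolicy, traffic_seconds, peer_down_at: int, horizon: int) -> list:
    """Walk a 1-second clock.  R-U-THERE is sent only once IPsec traffic has been
    idle for detection_period seconds; a probe is answered while t < peer_down_at.
    Each unanswered probe counts as a failure; after failure_count failures the
    SAs are deleted and a reconnect is attempted.  Returns (time, event) tuples."""
    if not policy.dpd_enabled:
        return []                              # DPD = No: a dead peer is never noticed here
    events, last_seen, failures = [], 0, 0
    for t in range(1, horizon + 1):
        if t in traffic_seconds:
            last_seen, failures = t, 0         # traffic proves the peer is alive
            continue
        if t - last_seen < policy.detection_period:
            continue                           # not idle long enough to probe
        last_seen = t                          # probe sent; next probe one period later
        if t < peer_down_at:
            failures = 0
            events.append((t, "R-U-THERE acknowledged"))
        else:
            failures += 1
            events.append((t, f"R-U-THERE unanswered ({failures}/{policy.failure_count})"))
            if failures >= policy.failure_count:
                events.append((t, "IPsec and IKE SA deleted, reconnecting"))
                break
    return events


if __name__ == "__main__":
    print(check_psk('bad key "with" quotes'))
    local = IkePolicy("Pre-shared key", 2, dpd_enabled=True)
    print(peer_mismatches(local, IkePolicy("Pre-shared key", 5)))
    for t, what in simulate_dpd(local, {5}, peer_down_at=30, horizon=120):
        print(f"t={t:3d}s  {what}")
```

With traffic at t=5 s and the peer silent from t=30 s, probes are acknowledged at 15 s and 25 s, then fail at 35 s, 45 s and 55 s, and the third failure triggers the teardown: a dead peer is noticed roughly detection_period × failure_count seconds after its last sign of life, which is the trade-off to weigh when choosing those two values.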
Table 54. Add IKE Policy screen settings (continued)

Setting / Description

Extended Authentication

XAUTH Configuration
    Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
    - None. XAUTH is disabled. This is the default setting.
    - Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
    - IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.
    Note: For more information about XAUTH and its authentication modes, see Configure XAUTH for VPN Clients on page 246.

Authentication Type
    For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
    - User Database. XAUTH occurs through the VPN firewall's user database. You can add users on the Add User screen (see User Database Configuration on page 247).
    - Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see RADIUS Client and Server Configuration on page 247.
    - Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on page 247.

Username
    The user name for XAUTH.

Password
    The password for XAUTH.

5. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.

To edit an IKE policy:

1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view (see Figure 158 on page 232).
2. Specify the IP version for which you want to edit an IKE policy:
   - IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   - IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 159 on page 233).
4. Modify the settings that you wish to change (see the previous table).
5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
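The following is an added example, not code from the NETGEAR manual, showing how the three Edge Device authentication types in Table 54 differ in where the XAUTH user account is verified and in what credential the client actually presents. For RADIUS PAP the manual says the local user database is checked first; the example sends RADIUS CHAP straight to the RADIUS server, which is an assumption. The user accounts, the stand-in RADIUS server, the function names and the fixed challenge are constructed.

```python
"""Added example (not from the NETGEAR manual): XAUTH Edge Device verification
through the local user database, RADIUS PAP and RADIUS CHAP.  Accounts, the
RADIUS stand-in and the challenge value are constructed for illustration."""
import hashlib
import hmac
import os

LOCAL_USERS = {"alice": "alice-local-pw"}   # constructed VPN firewall user database
RADIUS_USERS = {"bob": "bob-radius-pw"}     # constructed RADIUS server account store


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def radius_server(user: str, mode: str, credential, identifier=None, challenge=None) -> bool:
    """Stand-in for the RADIUS server: it holds the password and verifies either
    the cleartext PAP password or the CHAP challenge response."""
    secret = RADIUS_USERS.get(user)
    if secret is None:
        return False
    if mode == "PAP":
        return hmac.compare_digest(credential.encode(), secret.encode())
    if mode == "CHAP":
        return hmac.compare_digest(credential, chap_response(identifier, secret, challenge))
    raise ValueError(mode)


def local_database(user: str, password: str) -> bool:
    """The VPN firewall's own user database (accounts added on the Add User screen)."""
    stored = LOCAL_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def xauth_edge_device(user: str, password: str, auth_type: str,
                      identifier: int = 1, challenge: bytes = None):
    """Return (accepted, verifier, presented): which store decided the outcome and
    what credential actually travelled towards it."""
    if auth_type == "User Database":
        return local_database(user, password), "local", password
    if auth_type == "RADIUS PAP":
        if user in LOCAL_USERS:                        # local database is checked first
            return local_database(user, password), "local", password
        return radius_server(user, "PAP", password), "radius", password
    if auth_type == "RADIUS CHAP":
        if challenge is None:
            challenge = os.urandom(16)                 # the RADIUS CHAP-Challenge attribute
        response = chap_response(identifier, password, challenge)
        ok = radius_server(user, "CHAP", response, identifier, challenge)
        return ok, "radius", response                  # the password itself never leaves the client
    raise ValueError(f"unknown XAUTH authentication type: {auth_type}")


if __name__ == "__main__":
    print(xauth_edge_device("alice", "alice-local-pw", "User Database"))
    print(xauth_edge_device("bob", "bob-radius-pw", "RADIUS PAP"))
    ok, where, sent = xauth_edge_device("bob", "bob-radius-pw", "RADIUS CHAP", 7, b"\x01" * 16)
    print(ok, where, sent.hex())
```

The third tuple element is the point of the comparison: with PAP the verifier receives the password itself, whereas with CHAP it receives only a digest bound to a fresh challenge, so a captured CHAP exchange cannot simply be replayed against the RADIUS server.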
Manage VPN Policies

You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.

- Manual. You manually enter all settings (including the keys) for the VPN tunnel on the VPN firewall and on the remote VPN endpoint. No third-party server or organization is involved.
- Auto. Some settings for the VPN tunnel are generated automatically through the use of the IKE (Internet Key Exchange) Protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still need to manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard).

In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates for VPN Connections on page 320). For gateways to use a CA to perform authentication, each VPN gateway needs to have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner). The receiver then uses its private key to decrypt the data (without the private key, decryption is impossible). The use of certificates for authentication reduces the amount of data entry that is required on each VPN endpoint.

VPN Policies Screen

The VPN Policies screen allows you to add additional policies, either Auto or Manual, and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. These are the rules for VPN policy use:

- Traffic covered by a policy is automatically sent through a VPN tunnel.
- When traffic is covered by two or more policies, the first matching policy is used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, the policy order is not important.)
- The VPN tunnel is created according to the settings in the security association (SA).
- The remote VPN endpoint needs to have a matching SA; otherwise, it refuses the connection.

To access the VPN Policies screen, select VPN > IPSec VPN > VPN Policies. In the upper right of the screen, the IPv4 radio button is selected by default. The VPN Policies screen displays the IPv4 settings. (The following figure shows some examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio button.
Figure 160.

Each policy contains the data that are described in the following table. These fields are described in more detail in Table 56 on page 241.

To delete one or more VPN policies:

1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all VPN policies.
2. Click the Delete table button.

To enable or disable one or more VPN policies:

1. Select the check box to the left of each policy that you want to enable or disable, or click the Select All table button to select all VPN Policies.
2. Click the Enable or Disable table button.

Table 55. VPN Policies screen information for IPv4 and IPv6

Item / Description

! (Status)
    Indicates whether the policy is enabled (green circle) or disabled (gray circle). To enable or disable a policy, select the check box to the left of the circle, and click the Enable or Disable table button, as appropriate.

Name
    The name that identifies the VPN policy. When you use the VPN Wizard to create a VPN policy, the name of the VPN policy (and of the automatically created accompanying IKE policy) is the connection name.

Type
    Auto or Manual as described previously (Auto is used during VPN Wizard configuration).

Local
    IP address (either a single address, range of addresses, or subnet address) on your LAN. Traffic needs to be from (or to) these addresses to be covered by this policy. (The subnet address is supplied as the default IP address when you are using the VPN Wizard.)

Remote
    IP address or address range of the remote network. Traffic needs to be to (or from) these addresses to be covered by this policy. (The VPN Wizard default requires the remote LAN IP address and subnet mask.)

Auth
    The authentication algorithm that is used for the VPN tunnel. This setting needs to match the setting on the remote endpoint.

Encr
    The encryption algorithm that is used for the VPN tunnel. This setting needs to match the setting on the remote endpoint.
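The following is an added example, not code from the NETGEAR manual, that models the policy-selection rules stated above for the VPN Policies screen: the Local and Remote selectors in the three forms Table 55 allows (single address, address range, subnet), the Status column deciding whether a policy is considered at all, and the "first matching policy is used" rule, which makes screen order matter when policies overlap. The policy names, addresses and Auth/Encr values are constructed.

```python
"""Added example (not from the NETGEAR manual): first-match VPN policy
selection over the Local/Remote/Auth/Encr columns of the VPN Policies screen.
All policies, addresses and algorithm names below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    name: str
    enabled: bool       # the ! (Status) column: green (enabled) or gray (disabled)
    local: str          # single address, "first-last" range, or subnet in CIDR form
    remote: str
    auth: str           # authentication algorithm; must match the remote endpoint
    encr: str           # encryption algorithm; must match the remote endpoint
    kind: str = "Auto"  # Auto or Manual


def parse_selector(text: str):
    """Accept the three address forms Table 55 describes for Local and Remote."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return ("range", lo, hi)
    if "/" in text:
        return ("subnet", ipaddress.ip_network(text, strict=False))
    return ("host", ipaddress.ip_address(text))


def selector_covers(text: str, addr: str) -> bool:
    sel = parse_selector(text)
    ip = ipaddress.ip_address(addr)
    if sel[0] == "range":
        return sel[1] <= ip <= sel[2]
    if sel[0] == "subnet":
        return ip in sel[1]
    return ip == sel[1]


def select_policy(policies, src: str, dst: str):
    """Outbound lookup: the first enabled policy whose Local covers src and whose
    Remote covers dst wins.  None means the traffic is not sent through a tunnel."""
    for p in policies:
        if p.enabled and selector_covers(p.local, src) and selector_covers(p.remote, dst):
            return p
    return None


def sa_matches(ours: VpnPolicy, theirs: VpnPolicy) -> bool:
    """The remote endpoint refuses the connection unless its SA uses the same
    authentication and encryption algorithms."""
    return (ours.auth, ours.encr) == (theirs.auth, theirs.encr)


# Constructed example policy list, in the order shown on the screen.
POLICIES = [
    VpnPolicy("branch-all", True, "192.168.1.0/24", "10.0.0.0/8", "SHA-1", "AES-128"),
    VpnPolicy("db-server", True, "192.168.1.0/24", "10.1.1.5", "SHA-1", "AES-256"),
    VpnPolicy("lab-hosts", False, "192.168.2.10-192.168.2.20", "172.16.0.0/12", "MD5", "3DES"),
]


if __name__ == "__main__":
    hit = select_policy(POLICIES, "192.168.1.10", "10.1.1.5")
    print("screen order    ->", hit.name)          # branch-all shadows db-server
    hit = select_policy(POLICIES[::-1], "192.168.1.10", "10.1.1.5")
    print("reversed order  ->", hit.name)          # db-server now matches first
    print("disabled policy ->", select_policy(POLICIES, "192.168.2.15", "172.16.5.5"))
    remote_side = VpnPolicy("branch-all", True, "10.0.0.0/8", "192.168.1.0/24", "SHA-1", "3DES")
    print("remote SA matches:", sa_matches(POLICIES[0], remote_side))
```

The db-server policy, meant to give one host a stronger cipher, is never used while branch-all sits above it, because branch-all already covers that destination; reordering the two (or narrowing the first) fixes it. The same selector logic also shows why a disabled policy silently drops traffic to the tunnel path rather than failing loudly.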
For information about how to add or edit a VPN policy, see Manually Add or Edit a VPN Policy on this page.

Manually Add or Edit a VPN Policy

To manually add a VPN policy:

1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figure 160 on page 239).
2. Under the List of VPN Policies table, click the Add table button. The Add New VPN Policy screen displays the IPv4 settings (see Figure 161 on page 240).
3. Specify the IP version for which you want to add a VPN policy:
   - IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 4.
   - IPv6. Select the IPv6 radio button. The Add New VPN Policy screen for IPv6 displays (see Figure 162 on page 241).

Figure 161. Add New VPN Policy screen for IPv4