Virtual Private Networking Using IPSec and L2TP Connections
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Figure 162. Add New VPN Policy screen for IPv6

4. Complete the settings as described in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6).

Table 56. Add New VPN Policy screen settings for IPv4 and IPv6

Setting / Description

General

Policy Name
    A descriptive name of the VPN policy for identification and management purposes.
    Note: The name is not supplied to the remote VPN endpoint.
Policy Type
    From the drop-down list, select one of the following policy types:
    - Auto Policy. Some settings (the ones in the Manual Policy Parameters section of the screen) for the VPN tunnel are generated automatically.
    - Manual Policy. All settings need to be specified manually, including the ones in the Manual Policy Parameters section of the screen.

Select Local Gateway
    Select a WAN interface from the drop-down list to specify the WAN interface for the local gateway.

Remote Endpoint
    Select a radio button to specify how the remote endpoint is defined:
    - IP Address. Enter the IP address of the remote endpoint in the fields to the right of the radio button.
    - FQDN. Enter the FQDN of the remote endpoint in the field to the right of the radio button.

Enable NetBIOS?
    Select this check box to enable NetBIOS broadcasts to travel over the VPN tunnel. For more information about NetBIOS, see Configure NetBIOS Bridging with IPSec VPN on page 268. This feature is disabled by default.

Enable RollOver?
    Select this check box to allow the VPN tunnel to roll over to the other WAN interface when the WAN mode is set to Auto-Rollover and an actual rollover occurs. This feature is disabled by default.
    Select a WAN interface from the drop-down list.

Enable Auto Initiate
    Select this check box to enable the VPN tunnel to autoestablish itself without the presence of any traffic.
    Note: The direction and type of the IKE policy that is associated with this VPN policy need to be either Initiator or Both but cannot be Responder. For more information, see Manually Add or Edit an IKE Policy on page 233.

Enable Keepalive
    Note: See also Configure Keep-Alives and Dead Peer Detection on page 265.
    Select a radio button to specify if keep-alive is enabled:
    - Yes. This feature is enabled: periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive. You need to specify the ping IP address in the Ping IP Address field, the detection period in the Detection Period field, and the maximum number of keep-alive requests that the VPN firewall sends in the Reconnect after failure count field.
    - No. This feature is disabled. This is the default setting.

    Ping IP Address
        The IP address that the VPN firewall pings. The address needs to be of a host that can respond to ICMP ping requests.
    Detection Period
        The period in seconds between the keep-alive requests. The default setting is 10 seconds.
    Reconnect after failure count
        The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default setting is 3 keep-alive requests.
Traffic Selection

Local IP
    From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
    - Any. All computers and devices on the network. Note that you cannot select Any for both the VPN firewall and the remote endpoint.
    - Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
    - Range. A range of IP addresses on the network. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
    - Subnet. A subnet on the network. Enter the starting IP address in the Start IP Address field. In addition:
      - Subnet Mask. For IPv4 addresses on the IPv4 screen only, enter the subnet mask.
      - IPv6 Prefix Length. For IPv6 addresses on the IPv6 screen only, enter the prefix length.

Remote IP
    From the drop-down list, select the address or addresses that are part of the VPN tunnel on the remote endpoint. The selections are the same as for the Local IP drop-down list.

Manual Policy Parameters
    Note: These fields apply only when you select Manual Policy as the policy type. When you specify the settings for the fields in this section, a security association (SA) is created.

SPI-Incoming
    The Security Parameters Index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).

Encryption Algorithm
    From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
    - 3DES. Triple DES. This is the default algorithm.
    - None. No encryption algorithm.
    - DES. Data Encryption Standard (DES).
    - AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    - AES-192. AES with a 192-bit key size.
    - AES-256. AES with a 256-bit key size.

Key-In
    The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm:
    - 3DES. Enter 24 characters.
    - None. Key does not apply.
    - DES. Enter 8 characters.
    - AES-128. Enter 16 characters.
    - AES-192. Enter 24 characters.
    - AES-256. Enter 32 characters.
Key-Out
    The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm:
    - 3DES. Enter 24 characters.
    - DES. Enter 8 characters.
    - AES-128. Enter 16 characters.
    - AES-192. Enter 24 characters.
    - AES-256. Enter 32 characters.

SPI-Outgoing
    The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).

Integrity Algorithm
    From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
    - SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
    - MD5. Hash algorithm that produces a 128-bit digest.

Key-In
    The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm:
    - MD5. Enter 16 characters.
    - SHA-1. Enter 20 characters.

Key-Out
    The integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm:
    - MD5. Enter 16 characters.
    - SHA-1. Enter 20 characters.

Auto Policy Parameters
    Note: These fields apply only when you select Auto Policy as the policy type.

SA Lifetime
    The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified:
    - Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default setting is 3600 seconds.
    - KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.

Encryption Algorithm
    From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
    - 3DES. Triple DES. This is the default algorithm.
    - None. No encryption algorithm.
    - DES. Data Encryption Standard (DES).
    - AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    - AES-192. AES with a 192-bit key size.
    - AES-256. AES with a 256-bit key size.
Integrity Algorithm
    From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
    - SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
    - MD5. Hash algorithm that produces a 128-bit digest.

PFS Key Group
    Select this check box to enable Perfect Forward Secrecy (PFS), and select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
    - Group 1 (768 bit).
    - Group 2 (1024 bit). This is the default setting.
    - Group 5 (1536 bit).

Select IKE Policy
    Select an existing IKE policy that defines the characteristics of the Phase-1 negotiation. To display the selected IKE policy, click the View Selected button.

5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.

To edit a VPN policy:

1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figure 160 on page 239).
2. Specify the IP version for which you want to edit a VPN policy:
   - IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   - IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add New VPN Policy screen (for IPv4, see Figure 161 on page 240; for IPv6 see Figure 162 on page 241).
4. Modify the settings that you wish to change (see the previous table).
5. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.

Configure Extended Authentication (XAUTH)

- Configure XAUTH for VPN Clients
- User Database Configuration
- RADIUS Client and Server Configuration

When many VPN clients connect to a VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for
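The Manual Policy Parameters and Auto Policy Parameters rows of Table 56 give exact format rules: an SPI written as 0x followed by 3 to 8 hexadecimal characters, a key length fixed by the chosen encryption or integrity algorithm, SA lifetime minimums of 300 seconds or 1920000 KB, and PFS limited to DH groups 1, 2 and 5. The Python script below is an added example, not NETGEAR code and not the validation the firewall itself performs: it checks a prepared policy against those rules before the values are typed into the screen, so that a length mistake in a 32-character AES-256 key is caught before the tunnel fails to come up, and it flags the choices the drop-downs still allow that a defender should avoid. The field names (spi_in, enc_key_in and so on) are our own, and we assume the "3 to 8 characters" SPI limit counts the hex digits after the 0x prefix.

```python
import re

# Key lengths in characters per encryption algorithm (Key-In / Key-Out rows of Table 56).
# "None" means no encryption, so its key fields must be left empty.
ENC_KEY_LEN = {"None": 0, "DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
# Key lengths in characters per integrity algorithm (Key-In / Key-Out rows).
INTEG_KEY_LEN = {"MD5": 16, "SHA-1": 20}
# DH groups offered by the PFS Key Group drop-down and their modulus size in bits.
PFS_GROUPS = {1: 768, 2: 1024, 5: 1536}
# SA Lifetime minimums per unit from the Auto Policy Parameters rows.
SA_LIFETIME_MIN = {"Seconds": 300, "KBytes": 1920000}
# Assumption (ours, not stated by the manual): "3 to 8 characters" counts the hex
# digits after the 0x prefix, so 0x1234 from the table is a valid example.
SPI_RE = re.compile(r"^0x[0-9A-Fa-f]{3,8}$")


def _key_errors(policy, fields, expected, algo):
    """One error per key field whose length does not match the selected algorithm."""
    errs = []
    for field in fields:
        got = len(policy.get(field, ""))
        if got != expected:
            errs.append(f"{field}: {algo} needs {expected} characters, got {got}")
    return errs


def check_manual_policy(policy):
    """Validate the Manual Policy Parameters section. Returns a list of errors (empty = OK)."""
    errs = []
    for field in ("spi_in", "spi_out"):
        if not SPI_RE.match(policy.get(field, "")):
            errs.append(f"{field}: expected 0x followed by 3 to 8 hex digits")
    enc = policy.get("encryption")
    if enc not in ENC_KEY_LEN:
        errs.append(f"encryption: unknown algorithm {enc!r}")
    else:
        errs += _key_errors(policy, ("enc_key_in", "enc_key_out"), ENC_KEY_LEN[enc], enc)
    integ = policy.get("integrity")
    if integ not in INTEG_KEY_LEN:
        errs.append(f"integrity: unknown algorithm {integ!r}")
    else:
        errs += _key_errors(policy, ("integ_key_in", "integ_key_out"), INTEG_KEY_LEN[integ], integ)
    return errs


def check_auto_policy(policy):
    """Validate the Auto Policy Parameters section. Returns a list of errors (empty = OK)."""
    errs = []
    unit = policy.get("lifetime_unit")
    if unit not in SA_LIFETIME_MIN:
        errs.append("lifetime_unit: must be 'Seconds' or 'KBytes'")
    elif policy.get("lifetime", 0) < SA_LIFETIME_MIN[unit]:
        errs.append(f"lifetime: minimum is {SA_LIFETIME_MIN[unit]} {unit}")
    if policy.get("encryption") not in ENC_KEY_LEN:
        errs.append(f"encryption: unknown algorithm {policy.get('encryption')!r}")
    if policy.get("integrity") not in INTEG_KEY_LEN:
        errs.append(f"integrity: unknown algorithm {policy.get('integrity')!r}")
    if policy.get("pfs") and policy.get("pfs_group") not in PFS_GROUPS:
        errs.append("pfs_group: must be DH group 1, 2 or 5")
    return errs


def weak_choice_warnings(policy):
    """Flag choices the drop-downs allow but that a defender should not pick today.
    These are general cryptographic facts, not statements taken from the manual."""
    warns = []
    enc = policy.get("encryption")
    if enc == "None":
        warns.append("encryption None: payload crosses the tunnel unencrypted")
    elif enc == "DES":
        warns.append("DES: 56-bit key is brute-forceable; use AES")
    elif enc == "3DES":
        warns.append("3DES: deprecated by NIST; use AES even though 3DES is the screen default")
    if policy.get("integrity") == "MD5":
        warns.append("MD5: collision-broken; SHA-1 is the stronger of the two offered")
    if policy.get("pfs") is False:
        warns.append("PFS disabled: compromise of the IKE key exposes every past SA")
    elif policy.get("pfs_group") in (1, 2):
        warns.append(f"DH group {policy['pfs_group']}: below 2048 bits; group 5 is the strongest offered")
    return warns


if __name__ == "__main__":
    # Constructed sample values (not real keys): a manual policy with AES-256 and SHA-1,
    # and an auto policy left at the screen defaults of 3DES and DH group 2.
    manual = {
        "spi_in": "0x1234", "spi_out": "0xabcd",
        "encryption": "AES-256", "enc_key_in": "A" * 32, "enc_key_out": "B" * 32,
        "integrity": "SHA-1", "integ_key_in": "C" * 20, "integ_key_out": "D" * 20,
    }
    auto = {"lifetime_unit": "Seconds", "lifetime": 3600, "encryption": "3DES",
            "integrity": "MD5", "pfs": True, "pfs_group": 2}
    print("manual errors:", check_manual_policy(manual))
    print("auto errors:", check_auto_policy(auto))
    print("auto warnings:", weak_choice_warnings(auto))
```

Run it on the policy you intend to enter and fix every reported error first; the warnings are advisory, since the screen accepts DES, MD5 and the smaller DH groups, but on a manual policy the keys never rotate, so a weak algorithm there stays weak for the life of the tunnel.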