Virtual Private Networking Using IPSec and L2TP Connections
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
To configure Mode Config on the VPN firewall:

1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays:

Figure 164.

As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales:
- For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool (172.16.200.1 through 172.16.200.99) are shown.
- For Americas Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through 172.25.220.99) are shown.

2. Under the List of Mode Config Records table, click the Add table button. The Add Mode Config Record screen displays:

Figure 165.
3. Complete the settings as described in the following table:

Table 59. Add Mode Config Record screen settings

Client Pool

  Record Name
    A descriptive name of the Mode Config record for identification and management purposes.

  First Pool / Second Pool / Third Pool
    Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional. To specify any client pool, enter the starting IP address for the pool in the Starting IP field, and enter the ending IP address for the pool in the Ending IP field.
    Note: No IP pool should be within the range of the local network IP addresses. Use a different range of private IP addresses such as 172.16.xxx.xx.

  WINS Server
    If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.

  DNS Server
    Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.

Traffic Tunnel Security Level

  Note: Generally, the default settings work well for a Mode Config configuration.

  PFS Key Group
    Select this check box to enable Perfect Forward Secrecy (PFS), and select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
    - Group 1 (768 bit)
    - Group 2 (1024 bit). This is the default setting.
    - Group 5 (1536 bit)

  SA Lifetime
    The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified:
    - Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default setting is 3600 seconds.
    - KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.

  Encryption Algorithm
    From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
    - None. No encryption.
    - DES. Data Encryption Standard (DES).
    - 3DES. Triple DES. This is the default algorithm.
    - AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    - AES-192. AES with a 192-bit key size.
    - AES-256. AES with a 256-bit key size.

  Integrity Algorithm
    From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
    - SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
    - MD5. Hash algorithm that produces a 128-bit digest.

  Local IP Address
    The local IP address to which remote VPN clients have access. If you do not specify a local IP address, the VPN firewall's default LAN IP address is used (by default, 192.168.1.1).

  Local Subnet Mask
    The local subnet mask. Typically, this is 255.255.255.0.
    Note: If you do not specify a local IP address, you do not need to specify a subnet either.

4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table.

Continue the Mode Config configuration procedure by configuring an IKE policy.

5. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 158 on page 232).

6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays the IPv4 settings (see the next figure).

7. Specify the IP version for which you want to add an IKE policy:
- IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 8.
- IPv6. Select the IPv6 radio button. The Add IKE Policy screen for IPv6 displays. This screen is identical to the Add IKE Policy screen for IPv4 (see the next figure).

Note: You can configure an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients.
Figure 166.

8. On the Add IKE Policy screen, complete the settings as described in the following table.

Note: The IKE policy settings that are described in the following table are specifically for a Mode Config configuration. Table 54 on page 234 explains the general IKE policy settings.
Table 60. Add IKE Policy screen settings for a Mode Config configuration

Mode Config Record

  Do you want to use Mode Config Record?
    Select the Yes radio button.
    Note: Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs.

  Select Mode Config Record
    From the drop-down list, select the Mode Config record that you created in Step 4 on page 253. This example uses NA Sales.

General

  Policy Name
    A descriptive name of the IKE policy for identification and management purposes. This example uses ModeConfigAME_Sales.
    Note: The name is not supplied to the remote VPN endpoint.

  Direction / Type
    Responder is automatically selected when you select the Mode Config record in the Mode Config Record section of the screen. This ensures that the VPN firewall responds to an IKE request from the remote endpoint but does not initiate one.

  Exchange Mode
    Aggressive mode is automatically selected when you select the Mode Config record in the Mode Config Record section of the screen.

Local

  Select Local Gateway
    Select a WAN interface from the drop-down list to specify the WAN interface for the local gateway.

  Identifier Type
    From the drop-down list, select FQDN.
    Note: Mode Config requires that the VPN firewall (that is, the local endpoint) is defined by an FQDN.

  Identifier
    Enter an FQDN for the VPN firewall. This example uses router.com.

Remote

  Identifier Type
    From the drop-down list, select FQDN.
    Note: Mode Config requires that the remote endpoint is defined by an FQDN.

  Identifier
    Enter the FQDN for the remote endpoint. This needs to be an FQDN that is not used in any other IKE policy. This example uses client.com.
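The following Python check is an added example, not NETGEAR's code or anything the manual provides: it applies the rules of Table 59 and Table 60 to a Mode Config record and its IKE policy expressed as dictionaries (the key names are assumptions), flagging client pools that overlap the local network, SA lifetimes below the stated minimums, weak encryption or DH choices, and an IKE policy that is not in Aggressive mode, lacks FQDN identifiers, or reuses a remote FQDN from another policy.

```python
import ipaddress

# Options from the Add Mode Config Record screen (Table 59) that leave tunnel traffic
# weakly protected, and the minimum SA lifetimes the screen accepts (300 s / 1920000 KB).
WEAK_ENCRYPTION = {"None", "DES"}
WEAK_DH_GROUPS = {"Group 1 (768 bit)"}
MIN_SA_LIFETIME = {"Seconds": 300, "KBytes": 1920000}


def pool_overlaps_lan(start, end, lan_ip, lan_mask):
    """True if any address in the client pool start..end lies inside the local LAN subnet."""
    lan = ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return first <= lan.broadcast_address and last >= lan.network_address


def lint_mode_config(record, ike_policy, other_remote_fqdns=()):
    """Return findings for one Mode Config record (dict) and its IKE policy (dict)."""
    findings = []
    # The manual's default LAN address and mask apply when Local IP Address is left blank.
    lan_ip = record.get("local_ip", "192.168.1.1")
    lan_mask = record.get("local_mask", "255.255.255.0")
    if "first_pool" not in record:
        findings.append("first_pool: at least one client pool is required")
    for name in ("first_pool", "second_pool", "third_pool"):
        if name not in record:
            continue
        start, end = record[name]  # (Starting IP, Ending IP) as entered on the screen
        if ipaddress.IPv4Address(start) > ipaddress.IPv4Address(end):
            findings.append(f"{name}: starting IP {start} is above ending IP {end}")
        elif pool_overlaps_lan(start, end, lan_ip, lan_mask):
            findings.append(f"{name}: overlaps local network {lan_ip}/{lan_mask}")
    if record["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"encryption {record['encryption']}: tunnel traffic is not protected")
    pfs = record.get("pfs_group")  # None models a cleared PFS Key Group check box
    if pfs is None:
        findings.append("PFS disabled: a compromised IKE key exposes past sessions")
    elif pfs in WEAK_DH_GROUPS:
        findings.append(f"PFS {pfs}: select Group 2 or Group 5 instead")
    unit, value = record["sa_lifetime"]
    if value < MIN_SA_LIFETIME[unit]:
        findings.append(f"sa_lifetime {value} {unit}: below minimum {MIN_SA_LIFETIME[unit]}")
    # Table 60: Aggressive mode, FQDN identifiers on both ends, remote FQDN not reused.
    if ike_policy["exchange_mode"] != "Aggressive":
        findings.append("exchange_mode: Mode Config functions only in Aggressive mode")
    for side in ("local", "remote"):
        if ike_policy[side]["id_type"] != "FQDN":
            findings.append(f"{side} identifier type must be FQDN for Mode Config")
    if ike_policy["remote"]["identifier"] in other_remote_fqdns:
        findings.append("remote identifier: FQDN already used by another IKE policy")
    return findings
```

Run it against each record before clicking Apply; an empty list means the record satisfies every rule the manual states for Mode Config.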