1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. SRX5308
    5. /
  5. 52
Page 256 / 469 Scroll up to view Page 251 - 255
Virtual Private Networking Using IPSec
and
L2TP Connections
256
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
IKE SA Parameters
Note:
Generally, the default settings work well for a Mode Config configuration.
Encryption Algorithm
To negotiate the security association (SA), from the drop-down list, select the
3DES
algorithm.
Authentication
Algorithm
From the drop-down list, select the
SHA-1
algorithm to be used in the VPN header
for the authentication process.
Authentication Method
Select
Pre-shared key
as the authentication method, and enter a key in the
Pre-shared key field.
Pre-shared key
A key with a minimum length of 8 characters and no more than
49 characters. Do not use a double quote (''), single quote('),
or space in the key. This example uses H8!spsf3#JYK2!.
Diffie-Hellman (DH)
Group
The DH Group sets the strength of the algorithm in bits. From the drop-down list,
select
Group 2 (1024 bit)
.
SA-Lifetime (sec)
The period in seconds for which the IKE SA is valid. When the period times out, the
next rekeying occurs. The default setting is 28800 seconds (8
hours). However, for
a Mode Config configuration, NETGEAR recommends 3600
seconds (1
hour).
Enable Dead Peer
Detection
Note:
See also
Configure
Keep-Alives and
Dead Peer Detection
on page
265.
Select a radio button to specify whether Dead Peer Detection (DPD) is enabled:
Yes
. This feature is enabled. When the VPN firewall detects an IKE connection
failure, it deletes the IPSec and IKE SA and forces a reestablishment of the
connection. You need to specify the detection period in the Detection Period
field and the maximum number of times that the VPN firewall attempts to
reconnect in the Reconnect after failure count field.
No
. This feature is disabled. This is the default setting.
Detection Period
The period in seconds between consecutive
DPD R-U-THERE messages, which are sent only when the
IPSec traffic is idle. The default setting is 10 seconds. This
example uses 30 seconds.
Reconnect after
failure count
The maximum number of DPD failures before the VPN firewall
tears down the connection and then attempts to reconnect to
the peer. The default setting is 3 failures.
Table 60.
Add IKE Policy screen settings for a Mode Config configuration (continued)
Setting
Description
Page 257 / 469
Virtual Private Networking Using IPSec
and
L2TP Connections
257
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
9.
Click
Apply
to save your settings. The IKE policy is added to the List of IKE Policies table.
Configure the ProSafe VPN Client for Mode Config
Operation
When the Mode Config feature is enabled, the following information is negotiated between
the VPN client and the VPN firewall during the authentication phase:
Virtual IP address of the VPN client
DNS server address (optional)
WINS server address (optional)
The virtual IP address that is issued by the VPN firewall is displayed in the VPN Client
Address field on the VPN client’s IPSec pane.
Extended Authentication
XAUTH Configuration
Note:
For more
information about
XAUTH and its
authentication
modes, see
Configure
XAUTH for VPN
Clients
on page
246.
Select one of the following radio buttons to specify whether Extended
Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify
user account information:
None
. XAUTH is disabled. This the default setting.
Edge Device
. The VPN firewall functions as a VPN concentrator on which one
or more gateway tunnels terminate. The authentication modes that are
available for this configuration are User Database, RADIUS PAP, and RADIUS
CHAP.
IPSec Host
. The VPN firewall functions as a VPN client of the remote
gateway. In this configuration, the VPN firewall is authenticated by a remote
gateway with a user name and password combination.
Authentication
Type
For an Edge Device configuration, from the drop-down list,
select one of the following authentication types:
User Database
. XAUTH occurs through the VPN firewall’s
user database. You can add users on the Add User screen
(see
User Database Configuration
on page
247).
Radius PAP
. XAUTH occurs through RADIUS Password
Authentication Protocol (PAP). The local user database is
first checked. If the user account is not present in the local
user database, the VPN firewall connects to a RADIUS
server. For more information, see
RADIUS Client and
Server Configuration
on page
247.
Radius CHAP
. XAUTH occurs through RADIUS
Challenge Handshake Authentication Protocol (CHAP).
For more information, see
RADIUS Client and Server
Configuration
on page
247.
Username
The user name for XAUTH.
Password
The password for XAUTH.
Table 60.
Add IKE Policy screen settings for a Mode Config configuration (continued)
Setting
Description
Page 258 / 469
Virtual Private Networking Using IPSec
and
L2TP Connections
258
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Note:
Perform these tasks from a computer that has the NETGEAR
ProSafe VPN Client installed.
To configure the VPN client for Mode Config operation, create authentication settings
(phase
1 settings), create an associated IPSec configuration (phase 2 settings), and specify
the global parameters.
Configure the Mode Config Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1.
Right-click the VPN client icon in your Windows system tray, and select
Configuration
Panel
. The Configuration Panel screen displays:
Figure 167.
2.
In the tree list pane of the Configuration Panel screen, right-click
VPN Configuration
,
and
select
New Phase 1
.
Figure 168.
Page 259 / 469
Virtual Private Networking Using IPSec
and
L2TP Connections
259
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
3.
Change the name of the authentication phase (the default is Gateway):
a.
Right-click the authentication phase name.
b.
Select
Rename
.
c.
Type
GW_ModeConfig
.
d.
Click anywhere in the tree list pane.
Note:
This is the name for the authentication phase that is used only for the
VPN client, not during IKE negotiation. You can view and change this name in
the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the
Configuration Panel screen, with the
Authentication tab selected by default:
Figure 169.
4.
Specify the settings that are described in the following table.
Table 61.
VPN client authentication settings (Mode Config)
Setting
Description
Interface
Select
Any
from the drop-down list.
Remote Gateway
Enter the remote IP address or DNS name of the VPN firewall. For example, enter
192.168.15.175
.
Preshared Key
Select the
Preshared Key
radio button. Enter the pre-shared key that you already
specified on the VPN firewall. For example, enter
H8!spsf3#JYK2!
. Confirm the key in
the Confirm field.
Page 260 / 469
Virtual Private Networking Using IPSec
and
L2TP Connections
260
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
5.
Click
Apply
to use the new settings immediately, and click
Save
to keep the settings for
future use.
6.
Click the
Advanced
tab in the Authentication pane. The Advanced pane displays:
Figure 170.
7.
Specify the settings that are described in the following table.
IKE
Encryption
Select the
3DES
encryption algorithm from the drop-down list.
Authentication
Select the
SHA1
authentication algorithm from the drop-down list.
Key Group
Select the
DH2 (1024)
key group from the drop-down list.
Note:
On the VPN firewall, this key group is referred to as
Diffie-Hellman Group 2 (1024 bit).
Table 62.
VPN client advanced authentication settings (Mode Config)
Setting
Description
Advanced features
Mode Config
Select this check box to enable Mode Config.
Aggressive Mode
Select this check box to enable aggressive mode as the mode of negotiation with
the VPN firewall.
Table 61.
VPN client authentication settings (Mode Config) (continued)
Setting
Description

Rate

3.5 / 5 based on 2 votes.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top