Virtual Private Networking Using IPSec and L2TP Connections
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Table 62. VPN client advanced authentication settings (Mode Config) (continued)

Setting: Description

NAT-T: Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.

Local and Remote ID:
  Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter client.com as the local ID for the VPN client.
  Note: The remote ID on the VPN firewall is the local ID on the VPN client.
  Remote ID: As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter router.com as the remote ID for the VPN firewall.
  Note: The local ID on the VPN firewall is the remote ID on the VPN client.

8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

Create the Mode Config IPSec Configuration (Phase 2 Settings)

Note: On the VPN firewall, the IPSec configuration (phase 2 settings) is referred to as the IKE settings.

To create an IPSec configuration:

1. In the tree list pane of the Configuration Panel screen, right-click the GW_ModeConfig authentication phase name, and select New Phase 2.

2. Change the name of the IPSec configuration (the default is Tunnel):
   a. Right-click the IPSec configuration name.
   b. Select Rename.
   c. Type Tunnel_ModeConfig.
   d. Click anywhere in the tree list pane.

   Note: This name identifies the IPSec configuration within the VPN client only; it is not used during IPSec negotiation. You can view and change the name in the tree list pane. The name must be unique.

   The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default:
Figure 171.

3. Specify the settings that are described in the following table.

Table 63. VPN client IPSec configuration settings (Mode Config)

Setting: Description

VPN Client address: This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the VPN firewall displays in this field (see Figure 176 on page 266).

Address Type: Select Subnet address from the drop-down list.

Remote host address: The address that you need to enter depends on whether you have specified a LAN IP network address in the Local IP Address field on the Add Mode Config Record screen of the VPN firewall:
  If you left the Local IP Address field blank, enter the VPN firewall's default LAN IP address as the remote host address that opens the VPN tunnel. For example, enter 192.168.1.1.
  If you specified a LAN IP network address in the Local IP Address field, enter the address that you specified as the remote host address that opens the VPN tunnel.

Subnet mask: Enter 255.255.255.0 as the remote subnet mask of the VPN firewall that opens the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet Mask field on the Add Mode Config Record screen of the VPN firewall. If you left the Local Subnet Mask field blank, enter the VPN firewall's default IP subnet mask.
Table 63. VPN client IPSec configuration settings (Mode Config) (continued)

Setting: Description

ESP:
  Encryption: Select 3DES as the encryption algorithm from the drop-down list.
  Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
  Mode: Select Tunnel as the encapsulation mode from the drop-down list.

PFS and Group: Select the PFS check box, and select the DH2 (1024) key group from the drop-down list.
  Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).
  Note: 3DES, SHA-1 and Diffie-Hellman Group 2 (1024 bit) are legacy algorithms; they appear here because this procedure configures both ends with them. Where the VPN firewall and the VPN client both support stronger proposals, prefer those, and keep the two ends identical either way, because a mismatch in any of these values makes phase 2 fail.

4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

Configure the Mode Config Global Parameters

To specify the global parameters:

1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen:

Figure 172.
2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall:
   Authentication (IKE), Default. Enter 3600 seconds.
   Note: The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
   Encryption (IPSec), Default. Enter 3600 seconds.

3. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the VPN firewall:
   Check Interval. Enter 30 seconds.
   Max. number of entries. Enter 3 retries.
   Delay between entries. Leave the default delay setting of 15 seconds.

4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

The Mode Config configuration of the VPN client is now complete.
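What the three DPD values in step 3 mean on the wire, as an added example that is not NETGEAR or VPN client code: an RFC 3706 initiator that starts probing after Check Interval idle seconds, re-probes every Delay between entries seconds, and declares the peer dead once Max. number of entries probes in a row go unanswered (that reading of "entries" is an assumption; the page does not define it). Only an R-U-THERE-ACK that echoes the outstanding sequence number counts as proof of life, which is what stops a replayed ACK from holding a dead SA open. Time is simulated; nothing touches the network.

```python
"""Dead Peer Detection timing as configured in the Global Parameters pane:
Check Interval = 30 s, Max. number of entries = 3, Delay between entries = 15 s.

Added illustration for this manual page; this is not NETGEAR or VPN client
code.  Assumptions (not stated on the page):
  * "Max. number of entries = 3" is read as three consecutive R-U-THERE probes
    that may go unanswered before the peer is declared dead.
  * The exchange follows RFC 3706 (R-U-THERE / R-U-THERE-ACK notifies with
    strictly increasing sequence numbers); time is simulated in whole seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

R_U_THERE = 36136       # notify message types registered by RFC 3706
R_U_THERE_ACK = 36137


@dataclass
class DpdInitiator:
    check_interval: int = 30            # idle seconds before the first probe
    max_entries: int = 3                # unanswered probes tolerated
    retry_delay: int = 15               # seconds between probes
    seq: int = 0x10000000               # last sequence number used (random at SA setup)
    last_traffic: int = 0               # second at which protected traffic last arrived
    outstanding: Optional[int] = None   # sequence number of the probe awaiting an ACK
    unanswered: int = 0
    next_probe_at: Optional[int] = None
    died_at: Optional[int] = None
    sent: List[Tuple[int, int, int]] = field(default_factory=list)  # (t, type, seq)

    def saw_traffic(self, now: int) -> None:
        """Any protected traffic from the peer proves liveness and resets DPD."""
        self.last_traffic = now
        self.outstanding = None
        self.unanswered = 0
        self.next_probe_at = None

    def tick(self, now: int) -> None:
        """Advance the initiator's clock; call once per simulated second."""
        if self.died_at is not None:
            return
        if self.next_probe_at is None:
            if now - self.last_traffic < self.check_interval:
                return                  # link not idle long enough yet
            self.next_probe_at = now
        if now < self.next_probe_at:
            return
        if self.outstanding is not None:  # the previous probe went unanswered
            self.unanswered += 1
            if self.unanswered >= self.max_entries:
                self.died_at = now      # the SA would be torn down here
                return
        self.seq += 1                   # must strictly increase (RFC 3706 s.5.2)
        self.outstanding = self.seq
        self.sent.append((now, R_U_THERE, self.seq))
        self.next_probe_at = now + self.retry_delay

    def receive_ack(self, now: int, seq: int) -> bool:
        """Accept an R-U-THERE-ACK only if it echoes the outstanding probe's
        sequence number; a stale or replayed ACK must not keep the SA alive."""
        if self.outstanding is None or seq != self.outstanding:
            return False
        self.saw_traffic(now)
        return True


def simulate(peer_answers: bool, seconds: int = 120) -> DpdInitiator:
    """Run the initiator from an idle tunnel against a peer that either ACKs
    every probe at once or stays silent (for example, its WAN link dropped)."""
    dpd = DpdInitiator()
    for now in range(seconds + 1):
        dpd.tick(now)
        if peer_answers and dpd.sent and dpd.sent[-1][0] == now:
            dpd.receive_ack(now, dpd.sent[-1][2])
    return dpd


if __name__ == "__main__":
    silent = simulate(peer_answers=False)
    print("silent peer: probes at", [t for t, _, _ in silent.sent],
          "declared dead at t =", silent.died_at)      # [30, 45, 60] 75
    alive = simulate(peer_answers=True)
    print("responsive peer: probes at", [t for t, _, _ in alive.sent],
          "dead:", alive.died_at is not None)           # [30, 60, 90, 120] False
```

With the page's values a firewall that stops answering is detected 75 seconds after the last protected packet (30 + 3 x 15), which is the figure to weigh against the tunnel establishment time mentioned under keep-alives below. In a real client the notifies travel inside the phase 1 SA, so an attacker cannot forge them; the sequence check is what defeats replay of captured ACKs.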
Test the Mode Config Connection

To test the Mode Config connection from the VPN client to the VPN firewall:

1. Right-click the system tray icon, and select Open tunnel 'Tunnel_ModeConfig'.

Figure 173.

   When the tunnel opens successfully, the Tunnel opened message displays above the system tray, and the VPN client displays a green icon in the system tray.

Figure 174.
2. Verify that the VPN firewall issued an IP address to the VPN client. This IP address displays in the VPN Client address field on the IPSec pane of the VPN client. (The following figure shows the upper part of the IPSec pane only.)

Figure 175.

3. From the client computer, ping a computer on the VPN firewall LAN.
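The address checked in step 2 arrives in an ISAKMP Configuration (Mode Config) reply that the firewall sends once phase 1 is up. The following added example, which is not NETGEAR or VPN client code, builds a minimal request/reply pair and parses the reply with every length field checked, so a malformed payload raises instead of being read past its end. Payload and attribute numbers follow draft-ietf-ipsec-isakmp-mode-cfg and the ISAKMP data attribute encoding of RFC 2408 section 3.3; the identifier value and the client address 192.168.2.100 are assumed (the page only gives the firewall LAN, 192.168.1.0/24).

```python
"""Parse and build the ISAKMP Configuration (Mode Config) payload that carries
the address the VPN firewall issues to the client.

Added illustration for this manual page; not NETGEAR or VPN client code.
Layout: draft-ietf-ipsec-isakmp-mode-cfg, attributes per RFC 2408 s.3.3.
The sample request/reply bytes are constructed here; 192.168.2.100 is an
assumed Mode Config pool address, 192.168.1.1 is the page's firewall LAN IP.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS"}
AF_FLAG = 0x8000   # attribute format bit: 1 = TV (2-byte value), 0 = TLV


def encode_attribute(atype: int, value: bytes = b"") -> bytes:
    """TLV form (AF=0).  A zero-length value is how a client REQUESTs an
    attribute without proposing a value of its own."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value


def build_cfg_payload(cfg_type: int, identifier: int,
                      attrs: List[Tuple[int, bytes]], next_payload: int = 0) -> bytes:
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), cfg_type, 0, identifier) + body


def parse_cfg_payload(data: bytes) -> Dict:
    """Strict parser: header and attribute lengths are checked against the
    buffer so a crafted payload raises ValueError instead of over-reading."""
    if len(data) < 8:
        raise ValueError("configuration payload shorter than its 8-byte header")
    next_payload, _, length, cfg_type, _, identifier = struct.unpack("!BBHBBH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError(f"payload length {length} does not fit in {len(data)} bytes")
    if cfg_type not in (CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK):
        raise ValueError(f"unknown configuration type {cfg_type}")
    attrs: List[Tuple[int, bytes]] = []
    pos = 8
    while pos < length:
        if length - pos < 4:
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack("!HH", data[pos:pos + 4])
        atype, pos = raw_type & 0x7FFF, pos + 4
        if raw_type & AF_FLAG:            # TV: the two bytes after the type are the value
            value = struct.pack("!H", second)
        else:                             # TLV: the two bytes are a length
            if length - pos < second:
                raise ValueError(f"attribute {atype} claims {second} bytes, {length - pos} left")
            value, pos = data[pos:pos + second], pos + second
        attrs.append((atype, value))
    return {"next_payload": next_payload, "type": cfg_type,
            "identifier": identifier, "attrs": attrs}


def assigned_address(reply: bytes, request_identifier: int) -> Dict[str, object]:
    """Extract what the firewall issued.  The reply must be a CFG_REPLY that
    echoes the request identifier; IPv4 attributes must be exactly 4 bytes."""
    cfg = parse_cfg_payload(reply)
    if cfg["type"] != CFG_REPLY:
        raise ValueError("expected a CFG_REPLY")
    if cfg["identifier"] != request_identifier:
        raise ValueError("reply identifier does not match the request")
    out: Dict[str, object] = {"dns": []}
    for atype, value in cfg["attrs"]:
        if atype not in ATTR_NAMES:
            continue                      # unknown attributes are ignored, not trusted
        if len(value) != 4:
            raise ValueError(f"{ATTR_NAMES[atype]} value must be 4 bytes")
        addr = str(IPv4Address(value))
        if atype == INTERNAL_IP4_ADDRESS:
            out["address"] = addr
        elif atype == INTERNAL_IP4_NETMASK:
            out["netmask"] = addr
        else:
            out["dns"].append(addr)
    if "address" not in out:
        raise ValueError("reply carries no INTERNAL_IP4_ADDRESS")
    return out


# Constructed sample exchange: the client asks for an address, netmask and DNS
# server with empty values; the firewall answers with the values it issues.
REQUEST_ID = 0x4E47   # assumed identifier; real clients pick it per exchange
SAMPLE_REQUEST = build_cfg_payload(CFG_REQUEST, REQUEST_ID, [
    (INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, b""), (INTERNAL_IP4_DNS, b"")])
SAMPLE_REPLY = build_cfg_payload(CFG_REPLY, REQUEST_ID, [
    (INTERNAL_IP4_ADDRESS, IPv4Address("192.168.2.100").packed),
    (INTERNAL_IP4_NETMASK, IPv4Address("255.255.255.0").packed),
    (INTERNAL_IP4_DNS, IPv4Address("192.168.1.1").packed)])

if __name__ == "__main__":
    print(parse_cfg_payload(SAMPLE_REQUEST))
    print(assigned_address(SAMPLE_REPLY, REQUEST_ID))
    # {'dns': ['192.168.1.1'], 'address': '192.168.2.100', 'netmask': '255.255.255.0'}
```

The identifier check matters because the reply is what populates the VPN Client address field: an address from a reply that does not match the outstanding request, or an attribute whose length runs past the payload, should be discarded rather than installed on the client interface.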
Modify or Delete a Mode Config Record

Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy.

To edit a Mode Config record:

1. On the Mode Config screen (see Figure 164 on page 251), click the Edit button in the Action column for the record that you want to modify. The Edit Mode Config Record screen displays. This screen is identical to the Add Mode Config Record screen (see Figure 165 on page 251).

2. Modify the settings as described in Table 59 on page 252.

3. Click Apply to save your settings.

To delete one or more Mode Config records:

1. On the Mode Config screen (see Figure 164 on page 251), select the check box to the left of each record that you want to delete, or click the Select All table button to select all records.

2. Click the Delete table button.
Configure Keep-Alives and Dead Peer Detection
Configure Keep-Alives
Configure Dead Peer Detection
In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require a VPN tunnel to remain connected, you can use the
