ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
6-14
Virtual Private Networking Using IPsec
v1.0, October 2008
Authentication Method. Select Pre-shared Key for a simple password-based key. Selecting RSA-Signature disables the Pre-shared Key text box and uses the Active Self Certificate uploaded on the Certificates page. In that case, a certificate must be configured in order for RSA-Signature to work.
Pre-shared Key
Diffie-Hellman (DH) Group. This method is used when exchanging keys. The DH group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the remote VPN.)
SA-Lifetime (sec)
Enable Dead Peer Detection. If enabled, Dead Peer Detection (DPD) is used to detect whether the peer is alive. If the peer is detected as dead, the router deletes the IPsec and IKE Security Associations.
Detection Period (Seconds): the interval between consecutive DPD R-U-THERE messages. R-U-THERE messages are sent only when the IPsec traffic is idle.
Reconnect after failure count: the maximum number of DPD failures allowed before the connection is torn down.
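The following simulation is an added illustration of the DPD behaviour just described; it is not NETGEAR code. It models one IKE SA whose peer falls silent: R-U-THERE probes go out only once traffic has been idle for a full detection period, each unanswered probe counts as a failure, and the SA is deleted when the failure count is reached (the scenario timings are constructed).

```python
import dataclasses
from typing import Optional


@dataclasses.dataclass
class DeadPeerDetector:
    """One IKE SA with DPD enabled. Times are in seconds."""
    detection_period: float              # "Detection Period (Seconds)"
    max_failures: int                    # "Reconnect after failure count"
    failures: int = 0                    # consecutive R-U-THERE probes without an ACK
    last_activity: float = 0.0           # last IPsec traffic or R-U-THERE-ACK seen
    last_probe: Optional[float] = None   # time of the unanswered probe, if any
    sa_up: bool = True
    log: list = dataclasses.field(default_factory=list)

    def traffic_seen(self, now):
        """IPsec traffic proves the peer is alive: no probe is needed."""
        self.last_activity, self.last_probe, self.failures = now, None, 0

    def ack_received(self, now):
        """An R-U-THERE-ACK answers the outstanding probe."""
        self.last_activity, self.last_probe, self.failures = now, None, 0

    def tick(self, now):
        """Run the DPD timers at time `now`; returns True while the SA is up."""
        if not self.sa_up:
            return False
        if now - self.last_activity < self.detection_period:
            return True                      # traffic is flowing: send nothing
        if self.last_probe is not None:
            if now - self.last_probe < self.detection_period:
                return True                  # probe outstanding, still waiting
            self.failures += 1               # a full period passed with no ACK
            if self.failures >= self.max_failures:
                self.sa_up = False           # delete the IPsec and IKE SAs
                self.log.append((now, "teardown"))
                return False
        self.last_probe = now                # idle: send the next R-U-THERE
        self.log.append((now, "R-U-THERE"))
        return True


def simulate_silent_peer(detection_period=10, max_failures=3):
    """Constructed scenario: the peer stops answering at t=0; timers run every 5 s."""
    dpd = DeadPeerDetector(detection_period, max_failures)
    dpd.traffic_seen(0)
    for now in range(0, 60, 5):
        dpd.tick(now)
    return dpd.log
```

With a 10-second period and a failure count of 3, probes go out at 10, 20 and 30 seconds and the SAs are deleted at 40 seconds; any traffic or ACK in between resets the count.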
Extended Authentication. The XAUTH Configuration options are:
Edge Device: Select this option to use this router as a VPN concentrator where one or more gateway tunnels terminate. The authentication modes are:
User Database: User accounts created in the router are used to authenticate users (under the VPN Client menu on the User Database page).
RADIUS: The router connects to a RADIUS server and passes on the credentials it receives from the VPN Client. The connection between the router and the RADIUS server can be secured with the authentication protocol supported by the server (PAP or CHAP). RADIUS server settings are configured under the VPN Client menu on the RADIUS Client page.
Note: The “ (double quote) character is not supported in a Pre-shared Key.
Note: If RADIUS – PAP is selected, the router first checks the User Database to see if the user credentials are present. If the user account is not present, the router then connects to the RADIUS server.
IPSec Host: The router is authenticated by a remote gateway with a username and password combination. In this mode, the router acts as a VPN Client of the remote gateway.
VPN Policy
You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
Manual. All settings (including the keys) for the VPN tunnel are manually input at each end (both VPN Endpoints). No third-party server or organization is involved.
Auto. Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN Endpoints (the Local ID Endpoint and the Remote ID Endpoint).
In addition, a Certificate Authority (CA) can also be used to perform authentication (see “Managing Certificates” on page 8-8). To use a CA, each VPN gateway must have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed and is used to encrypt data. The receiver then uses its private key to decrypt the data (without the private key, decryption is impossible). The use of certificates for authentication reduces the amount of data entry required on each VPN endpoint.
Managing VPN Policies
The VPN Policies screen allows you to add additional policies, either Auto or Manual, and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. The rules for VPN policy use are:
1. Traffic covered by a policy will automatically be sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy will be used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN Endpoint, then the policy order is not important.)
3. The VPN tunnel is created according to the parameters in the SA (Security Association).
4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection.
VPN Policy Table
Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields:
! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
Name. Each policy is given a unique name (the Connection Name when using the VPN Wizard).
Type. The Type is “Auto” or “Manual” as described previously (Auto is used during VPN Wizard configuration).
Local. IP address (either a single address, a range of addresses or a subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (The subnet address is supplied as the default IP address when using the VPN Wizard.)
Remote. IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. (The VPN Wizard default requires the remote LAN IP address and subnet mask.)
Auth. Authentication algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the remote VPN.)
Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES. (This setting must match the remote VPN.)
Action. Allows you to access individual policies to make any changes or modifications.
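The first-match rule and the Local/Remote selector forms above are modelled in the following added example; it is not the firewall's code. Selectors are parsed as a single address, a "first-last" range, or a subnet (CIDR or address/mask), disabled rows are skipped, and overlapping rows resolve by table order; the policy names and addresses are constructed.

```python
import ipaddress


def parse_selector(text):
    """Build a predicate for one Local/Remote cell: single address,
    "first-last" range, or subnet in CIDR or address/mask form."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
        return lambda addr: first <= addr <= last
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return lambda addr: addr in net
    single = ipaddress.ip_address(text)
    return lambda addr: addr == single


class VpnPolicyTable:
    """Rows are kept in table order; on overlap, order decides (rule 2)."""

    def __init__(self):
        self.rows = []

    def add(self, name, local, remote, enabled=True):
        self.rows.append({"name": name, "enabled": enabled,
                          "local": parse_selector(local),
                          "remote": parse_selector(remote)})

    def match(self, src, dst):
        """Name of the first enabled policy covering the flow, or None.
        A policy covers traffic from (or to) Local and to (or from) Remote."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for row in self.rows:
            if not row["enabled"]:
                continue           # disabled policies (grey circle) never match
            outbound = row["local"](src) and row["remote"](dst)
            inbound = row["local"](dst) and row["remote"](src)
            if outbound or inbound:
                return row["name"]
        return None                # no policy covers it: no VPN tunnel is used


def example_table():
    """Constructed table: a host policy placed ahead of the broad subnet one."""
    table = VpnPolicyTable()
    table.add("Finance-Host", "192.168.2.10", "10.0.0.0/24")
    table.add("HQ-Branch", "192.168.2.0/255.255.255.0", "10.0.0.1-10.0.0.254")
    table.add("Lab", "192.168.2.0/24", "10.0.5.0/24", enabled=False)
    return table
```

Swapping the first two rows makes the subnet policy win for the 192.168.2.10 host, which is the ordering effect rule 2 warns about.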
VPN Tunnel Connection Status
Recent VPN tunnel activity is shown on the IPsec Connection Status screen (accessed by selecting VPN from the main menu and Connection Status from the submenu). You can set a Poll Interval (in seconds) to check the connection status of all active IKE Policies to obtain the latest VPN tunnel activity. The Active IPsec (SA)s table also lists current data for each active IPsec SA (Security Association):
Policy Name. The name of the VPN policy associated with this SA.
Endpoint. The IP address of the remote VPN Endpoint.
Tx (KBytes). The amount of data transmitted over this SA.
Tx (Packets). The number of packets transmitted over this SA.
State. The current state of the SA. Phase 1 is the “Authentication phase” and Phase 2 is the “Key Exchange phase”.
Action. Allows you to terminate or build the SA (connection), if required.
Manually Assigning IP Addresses to Remote Users (ModeConfig)
To simplify the process of connecting remote VPN clients to the SRXN3205, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the firewall. Remote users are given IP addresses available in secured network space so that they appear as seamless extensions of the network.
In the following example, we configured the firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses.
NETGEAR SRXN3205 ProSafe Wireless-N VPN Firewall
WAN IP address: 172.21.4.1
LAN IP address/subnet: 192.168.2.1/255.255.255.0
NETGEAR ProSafe VPN Client software IP address: 192.168.1.2
Mode Config Operation
After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode Config module allocates an IP address from the configured IP address pool and activates a temporary IPsec policy using the template security proposal information configured in the Mode Config record.
Configuring the VPN Firewall
Two menus must be configured: the Mode Config menu and the IKE Policies menu.
To configure the Mode Config menu:
1. Click VPN in the main menu.
2. Click IPsec VPN in the submenu.
Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited.
3. Click the Mode Config tab. The Mode Config tab is displayed.
4. Click Add. The Add Mode Config Record screen is displayed.
5. Enter a descriptive Record Name such as “Sales”.
6. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
7. If you have a WINS Server on your local network, enter its IP address.
8. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
9. If you enable Perfect Forward Secrecy (PFS), choose DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client,
Figure 6-10
Figure 6-11
Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
