ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
Virtual Private Networking Using IPsec
6-19
v1.0, October 2008
10. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your firewall’s LAN subnet, such as 192.168.2.1/255.255.255.0. (If not specified, it will default to the LAN subnet of the firewall.)
11. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
    - SA Lifetime: 3600 seconds
    - Encryption Algorithm: 3DES
    - Authentication Algorithm: SHA-1
12. Click Apply. The new record should appear in the VPN > Mode Config Table.
Next, you must configure an IKE Policy:
1. On the main menu, click VPN. The IKE Policies screen is displayed showing the current policies in the List of IKE Policies Table. (See Figure 6-3 on page 6-5.)
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen displays.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View selected radio box.)
   Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by an FQDN.
4. In the General section:
   a. Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
   b. Set Direction/Type to Responder.
   c. The Exchange Mode will automatically be set to Aggressive.
5. For Local information:
   a. Select Fully Qualified Domain Name for the Local Identity Type.
   b. Enter an identifier in the Remote Identity Data field that is not used by any other IKE policies. This identifier will be used as part of the local identifier in the VPN client configuration.
6. Specify the IKE SA parameters. These settings must be matched in the configuration of the remote VPN client. Recommended settings are:
   - Encryption Algorithm: 3DES
   - Authentication Algorithm: SHA-1
   - Diffie-Hellman: Group 2
   - SA Lifetime: 3600 seconds
7. Enter a Pre-Shared Key that will also be configured in the VPN client.
8. XAUTH is disabled by default. To enable XAUTH, choose one of the following:
   - Edge Device to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways.)
   - IPsec Host if you want this gateway to be authenticated by the remote gateway. Enter a Username and Password to be associated with the IKE policy. When this option is chosen, you will need to specify the user name and password to be used in authenticating this gateway (by the remote gateway).
9. If Edge Device was enabled, choose the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “Creating a New User Account” on page 8-4 or “RADIUS Client Configuration” on page 6-24).
   Note: If RADIUS-PAP is selected, the firewall will first check the User Database to see if the user credentials are available. If the user account is not present, the firewall will then connect to the RADIUS server.
10. Click Apply. The new policy will appear in the IKE Policies Table.

Configuring the ProSafe VPN Client for ModeConfig

From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.

To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
   a. Give the connection a descriptive name such as “modecfg_test”. (This name will only be used internally.)
   b. From the ID Type pull-down menu, choose IP Subnet.
   c. Enter the IP Subnet and Mask of the firewall (this is the LAN network IP address of the gateway).
   d. Check the Connect using radio button and choose Secure Gateway Tunnel from the pull-down menu.
   e. From the ID Type pull-down menu, choose Domain name and enter the FQDN of the firewall; in this example it is “local_id.com”.
   f. Choose Gateway IP Address from the second pull-down menu and enter the WAN IP address of the firewall; in this example it is “172.21.4.1”.
2. From the left side of the menu, click My Identity and enter the following information:
   a. Click Pre-Shared Key and enter the key you configured in the SRXN3205 IKE menu.
   b. From the Select Certificate pull-down menu, choose None.
   c. From the ID Type pull-down menu, choose Domain Name and create an identifier based on the name of the IKE policy you created; for example “salesperson11.remote_id.com”.
   d. Under the Virtual Adapter pull-down menu, choose Preferred. The Internal Network IP Address should be 0.0.0.0.
      Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”
   e. Select your Internet Interface adapter from the Name pull-down menu.
3. On the left side of the menu, choose Security Policy.
   a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
   b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
   c. Enable Replay Detection should be checked.
4. Click on Authentication (Phase 1) on the left side of the menu and choose Proposal 1. Enter the Authentication values to match those in the firewall ModeConfig Record menu.
5. Click on Key Exchange (Phase 2) on the left side of the menu and choose Proposal 1. Enter the values to match your configuration of the firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours [28800 seconds].)
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.

To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” is displayed and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the firewall LAN.
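Most failed Mode Config tunnels come down to one side of the configuration above not mirroring the other. As an added example (not part of the manual or of NETGEAR's software), the following Python check compares a firewall-side IKE policy and Mode Config record with the client-side security policy, using the example values from this section; the dictionary layout and field names are this example's own, and it reads the manual's remark that the client Phase 2 lifetime "can be longer" as "must not be shorter than the firewall's".

```python
# Constructed from the manual's example values; field names are this example's own.
FIREWALL = {
    "mode_config": True,
    "exchange_mode": "Aggressive",
    "local_id_type": "FQDN", "local_id": "local_id.com",
    "remote_id_type": "FQDN", "remote_id": "salesperson11.remote_id.com",
    "ike": {"enc": "3DES", "auth": "SHA-1", "dh": 2, "lifetime": 3600},
    "ipsec": {"enc": "3DES", "auth": "SHA-1", "lifetime": 3600},
}
CLIENT = {
    "phase1_mode": "Aggressive",
    "remote_id_type": "FQDN", "remote_id": "local_id.com",
    "my_id_type": "FQDN", "my_id": "salesperson11.remote_id.com",
    "phase1": {"enc": "3DES", "auth": "SHA-1", "dh": 2, "lifetime": 3600},
    "phase2": {"enc": "3DES", "auth": "SHA-1", "lifetime": 28800},
}

def check_policy(fw, cl):
    """Return the list of mismatches; an empty list means the two sides agree."""
    problems = []
    # Mode Config works only in Aggressive Mode, which needs an FQDN at both ends.
    if fw["mode_config"] and fw["exchange_mode"] != "Aggressive":
        problems.append("Mode Config requires Aggressive Mode")
    if fw["exchange_mode"] == "Aggressive":
        for k in ("local_id_type", "remote_id_type"):
            if fw[k] != "FQDN":
                problems.append(f"Aggressive Mode needs an FQDN for {k}")
    if cl["phase1_mode"] != fw["exchange_mode"]:
        problems.append("client Phase 1 negotiation mode differs from firewall")
    # Identities are mirrored: client remote ID == firewall local ID and vice versa.
    if (cl["remote_id_type"], cl["remote_id"]) != (fw["local_id_type"], fw["local_id"]):
        problems.append("client remote party ID does not match firewall local identity")
    if (cl["my_id_type"], cl["my_id"]) != (fw["remote_id_type"], fw["remote_id"]):
        problems.append("client My Identity does not match firewall remote identity")
    # Phase 1 (IKE SA): every recommended parameter must be identical on both sides.
    for k in ("enc", "auth", "dh", "lifetime"):
        if cl["phase1"][k] != fw["ike"][k]:
            problems.append(f"Phase 1 {k}: client {cl['phase1'][k]} vs firewall {fw['ike'][k]}")
    # Phase 2 (Mode Config record): algorithms must match; client lifetime may be longer.
    for k in ("enc", "auth"):
        if cl["phase2"][k] != fw["ipsec"][k]:
            problems.append(f"Phase 2 {k}: client {cl['phase2'][k]} vs firewall {fw['ipsec'][k]}")
    if cl["phase2"]["lifetime"] < fw["ipsec"]["lifetime"]:
        problems.append("client Phase 2 SA lifetime is shorter than the firewall's")
    return problems

if __name__ == "__main__":
    for p in check_policy(FIREWALL, CLIENT) or ["firewall and client policies agree"]:
        print(p)
```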
Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a firewall, an administrator may want a unique user
authentication method beyond relying on a single common preshared key for all clients. Although
the administrator could configure a unique VPN policy for each user, it is more convenient for the
firewall to authenticate users from a stored list of user accounts. XAUTH provides the mechanism
for requesting individual authentication information from the user, and a local User Database or an
external authentication server, such as a RADIUS server, provides a method for storing the
authentication information centrally in the local network.
XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
- Edge Device. If this is selected, the firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
- IPsec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.

Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the firewall will then connect to a RADIUS server.
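To make the lookup order in the note concrete, here is an added Python model (not firmware code) of XAUTH in Edge Device mode with RADIUS-PAP: the local User Database decides for any account it holds, and RADIUS is contacted only for accounts that are absent locally. The salted-hash storage, the RADIUS stand-in and every username and password are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed local User Database: username -> (salt, SHA-256(salt || password)).
# The firewall's real storage format is not described in the manual.
def _record(password: str):
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

USER_DATABASE = {"salesperson11": _record("correct horse")}

# Constructed stand-in for the RADIUS client; a real deployment would send an
# Access-Request to the configured RADIUS server instead of consulting a dict.
RADIUS_USERS = {"contractor7": "battery staple"}

def radius_pap_check(username: str, password: str) -> bool:
    return RADIUS_USERS.get(username) == password

def xauth_authenticate(username: str, password: str, radius=radius_pap_check):
    """Return (accepted, backend). The local User Database is consulted first;
    RADIUS is contacted only when the account does not exist locally."""
    if username in USER_DATABASE:
        salt, digest = USER_DATABASE[username]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        # The local verdict is final: a wrong password for a local account must
        # not fall through to RADIUS, or the weaker backend could override it.
        return hmac.compare_digest(candidate, digest), "user_database"
    return radius(username, password), "radius_pap"
```

When reviewing firewall logs, the backend that produced each accept or reject is what tells you whether a local account or the RADIUS server made the decision.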
Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must establish user accounts in the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
To enable and configure XAUTH:
1. Select VPN > IPsec VPN from the main/submenu.
2. Click the IKE Policies tab and the IKE Policies screen displays.
3. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
4. In the Extended Authentication section, check the Edge Device radio box to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. You then must specify the authentication type to be used in verifying credentials of the remote VPN gateways. (Either the User Database or RADIUS Client must be configured when XAUTH is enabled.)
5. In the Extended Authentication section, choose the Authentication Type from the pull-down menu which will be used to verify user account information. Select:
   - Edge Device to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways.
   - User Database to verify against the firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 6-24).

Note: If you are modifying an existing IKE Policy to add XAUTH and that policy is in use by a VPN policy, the VPN policy must be disabled before you can modify the IKE Policy.
Figure 6-12
