Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections 379 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

involved. A manual VPN policy cannot use the Internet Key Exchange (IKE) negotiation protocol.
• Auto. Some settings for the VPN tunnel are generated automatically through the use of the IKE protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still must manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard). Unlike a manual VPN policy, an automatically generated VPN policy must use the IKE negotiation protocol. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.

In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates for VPN Connections on page 512). For gateways to use a CA to perform authentication, each VPN gateway must have a certificate from the CA. Both a public key and a private key exist for each certificate. The public key is freely distributed and is used by any sender to encrypt data intended for the receiver (the key owner). The receiver then uses its private key to decrypt the data (without the private key, decryption is impossible). The use of certificates for authentication reduces the amount of data entry that is required on each VPN endpoint.

These are the rules for VPN policy use:
• Traffic covered by a policy is automatically sent through a VPN tunnel.
• When traffic is covered by two or more policies, the first matching policy is used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, the policy order is not important.)
• The VPN tunnel is created according to the settings in the security association (SA).
• The remote VPN endpoint must have a matching SA; otherwise, it refuses the connection.
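The first-match rule above, worked through with the Local and Remote address selectors a policy can carry (Any, Single, Range, or Subnet with an IPv4 mask or IPv6 prefix length), as an added Python example that is not part of the manual; the policy records, selector tuples and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed policy representation for this example (not the firewall's own data model):
# a selector is ("any",), ("single", ip), ("range", first, last) or
# ("subnet", network, mask_or_prefix_len), mirroring the Local IP / Remote IP choices.
def selector_matches(selector, addr):
    """True if addr falls inside the selector."""
    ip = ipaddress.ip_address(addr)
    kind = selector[0]
    if kind == "any":
        return True
    if ipaddress.ip_address(selector[1]).version != ip.version:
        return False  # IPv4 and IPv6 policies live on separate screens; never cross-match
    if kind == "single":
        return ip == ipaddress.ip_address(selector[1])
    if kind == "range":
        return ipaddress.ip_address(selector[1]) <= ip <= ipaddress.ip_address(selector[2])
    if kind == "subnet":
        # IPv4 takes a dotted subnet mask, IPv6 a prefix length; ip_network accepts both forms.
        return ip in ipaddress.ip_network(f"{selector[1]}/{selector[2]}", strict=False)
    raise ValueError(f"unknown selector kind {kind!r}")

def validate_policy(policy):
    """Reject the one selector combination the settings screen forbids: Any on both sides."""
    if policy["local"][0] == "any" and policy["remote"][0] == "any":
        raise ValueError(f"policy {policy['name']}: Local IP and Remote IP cannot both be Any")

def select_policy(policies, src, dst):
    """Return the name of the first enabled policy covering the packet, or None.

    A policy covers traffic from a Local address to a Remote address and the reply
    direction; because the first match wins, a broad policy listed before a narrower
    one silently captures the narrower one's traffic."""
    for policy in policies:
        validate_policy(policy)
        if not policy.get("enabled", True):
            continue  # a disabled policy (gray circle in the list) never matches
        outbound = selector_matches(policy["local"], src) and selector_matches(policy["remote"], dst)
        inbound = selector_matches(policy["local"], dst) and selector_matches(policy["remote"], src)
        if outbound or inbound:
            return policy["name"]
    return None  # no tunnel applies; the packet is routed without IPSec

# Constructed sample policies in list order: the narrow server range sits before the broad site subnet.
POLICIES = [
    {"name": "branch-servers", "local": ("subnet", "192.168.1.0", "255.255.255.0"),
     "remote": ("range", "10.20.0.10", "10.20.0.20")},
    {"name": "branch-site", "local": ("subnet", "192.168.1.0", "255.255.255.0"),
     "remote": ("subnet", "10.20.0.0", "255.255.0.0")},
    {"name": "v6-site", "local": ("subnet", "2001:db8:1::", 64),
     "remote": ("single", "2001:db8:2::5")},
]

if __name__ == "__main__":
    print(select_policy(POLICIES, "192.168.1.7", "10.20.0.15"))        # branch-servers
    print(select_policy(POLICIES[::-1], "192.168.1.7", "10.20.0.15"))  # branch-site: reversed order, broad policy wins
```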
View the VPN Policies

The following procedure describes how to view the VPN policies that were automatically added and that you manually added.

To view the VPN policies:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings. The following figure shows some examples.
7. To display the IPv6 settings, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.

Each policy contains the settings that are described in the following table. These settings apply to both IPv4 and IPv6 VPN policies. For more information about these settings, see Manually Add a VPN Policy on page 381.

Item and description:
! (Status). Indicates whether the policy is enabled (green circle) or disabled (gray circle). For information about enabling and disabling VPN policies, see Enable, Disable, or Remove One or More Existing VPN Policies on page 387.
Name. The name that identifies the VPN policy. When you use the VPN Wizard to create a VPN policy, the name of the VPN policy (and of the automatically created accompanying IKE policy) is the connection name.
Type. Auto or Manual as described in VPN Policies Overview on page 378. (Auto is used during VPN Wizard configuration.)
Local. The IP address (either a single address, range of addresses, or subnet address) on your LAN. Traffic must be from (or to) these addresses to be covered by this policy. (The subnet address is supplied as the default IP address when you are using the VPN Wizard.)
Remote. The IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. (The VPN Wizard default requires the remote LAN IP address and subnet mask.)
Auth. The authentication algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint.
Encr. The encryption algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint.

Manually Add a VPN Policy

The following procedure describes how to add a VPN policy manually.

To manually add a VPN policy:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings.
7. To add a VPN policy for IPv6, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
8. Under the List of VPN Policies table, click the Add button. The Add New VPN Policy screen displays. The Add New VPN Policy screen for IPv4 and the Add New VPN Policy screen for IPv6 are almost identical.
9. Enter the settings as described in the following table.
Other than the nature of the IP addresses, the settings that you must enter for IPv4 and IPv6 are identical with one exception: the IPv4 settings require a subnet mask but the IPv6 settings require a prefix length.

Setting and description:

General
Policy Name. A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Policy Type. From the menu, select a policy type:
• Auto Policy. Some settings (the ones in the Manual Policy Parameters section) for the VPN tunnel are generated automatically.
• Manual Policy. All settings must be specified manually, including the ones in the Manual Policy Parameters section.
Select Local Gateway. Select a WAN interface from the menu to specify the WAN interface for the local gateway.
Remote Endpoint. Select a radio button to specify how the remote endpoint is defined:
• IP Address. Enter the IP address of the remote endpoint in the corresponding field to the right of the radio button.
• FQDN. Enter the FQDN of the remote endpoint in the corresponding field to the right of the radio button.
Enable NetBIOS? Select this check box to enable NetBIOS broadcasts to travel over the VPN tunnel. This feature is disabled by default. For more information about NetBIOS, see Configure NetBIOS Bridging with IPSec VPN on page 416.
Enable RollOver? Select this check box to allow the VPN tunnel to roll over to the other WAN interface when the WAN mode is set to Auto-Rollover and an actual rollover occurs. This feature is disabled by default. Select a WAN interface from the menu.
Enable Auto Initiate. Select this check box to enable the VPN tunnel to autoestablish itself without the presence of any traffic. Note: For autoinitiation, the direction and type of the IKE policy that is associated with this VPN policy must be either Initiator or Both but cannot be Responder. For more information, see Manually Add an IKE Policy on page 368.
Enable Keepalive. Select a radio button to specify if keep-alive is enabled:
• No. Keep-alive requests are disabled for the VPN tunnel. This is the default setting.
• Yes. Keep-alive requests are enabled for the VPN tunnel. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive. You must specify the information in the following fields:
  - Ping IP Address. The IP address that the VPN firewall pings. The address must be of a host that can respond to ICMP ping requests.
  - Detection Period. The period in seconds between the keep-alive requests. The default setting is 10 seconds.
  - Reconnect after failure counts. The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default setting is 3 keep-alive requests.
  Note: For more information, see Manage Keep-Alives and Dead Peer Detection on page 411.

Traffic Selection
Local IP. From the menu, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
• Any. All computers and devices on the network. You cannot select Any for both the VPN firewall and the remote endpoint.
• Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
• Range. A range of IP addresses on the network. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
• Subnet. A subnet on the network. Enter the starting IP address in the Start IP Address field. In addition, specify the following:
  - Subnet Mask. For IPv4 addresses on the IPv4 screen only, enter the subnet mask.
  - IPv6 Prefix Length. For IPv6 addresses on the IPv6 screen only, enter the prefix length.
Remote IP. From the menu, select the address or addresses that are part of the VPN tunnel on the remote endpoint. The selections for the Remote IP menu are the same as for the Local IP menu (see the previous row in this table).

Manual Policy Parameters
Note: These fields apply only when you select Manual Policy from the Policy Type menu. When you specify the settings for the fields in this section, a security association (SA) is created.
SPI-Incoming. The security parameters index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).
Encryption Algorithm. From the menu, select the algorithm to negotiate the security association (SA):
• 3DES. Triple DES. This is the default algorithm.
• None. No encryption algorithm.
• DES. Data Encryption Standard (DES).
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Key-In. The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm:
• 3DES. Enter 24 characters.
• None. Key does not apply.
• DES. Enter 8 characters.
• AES-128. Enter 16 characters.
• AES-192. Enter 24 characters.
• AES-256. Enter 32 characters.
Key-Out. The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm:
• 3DES. Enter 24 characters.
• DES. Enter 8 characters.
• AES-128. Enter 16 characters.
• AES-192. Enter 24 characters.
• AES-256. Enter 32 characters.
SPI-Outgoing. The security parameters index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).
Integrity Algorithm. From the menu, select the algorithm to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Key-In. The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm:
• MD5. Enter 16 characters.
• SHA-1. Enter 20 characters.
Key-Out. The integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm:
• MD5. Enter 16 characters.
• SHA-1. Enter 20 characters.
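As an added Python example that is not from the manual, the rules the Manual Policy Parameters settings above state (SPI format and key length per algorithm) and the SA lifetime minimums and DH groups of the Auto Policy Parameters that follow, checked before the values are typed into the form; the policy dictionaries, the 0x prefix on the SPI and the weak-algorithm guidance are this example's own assumptions.

```python
import re

# Key lengths (characters) that the Manual Policy Parameters settings require per algorithm.
ENC_KEY_LEN = {"None": 0, "DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
INTEG_KEY_LEN = {"MD5": 16, "SHA-1": 20}
# Assumption: the 3 to 8 hexadecimal characters follow a 0x prefix, as in the example 0x1234.
SPI_RE = re.compile(r"^0x[0-9a-fA-F]{3,8}$")
# Auto Policy Parameters: SA lifetime minimums per unit and the DH groups offered for PFS.
MIN_LIFETIME = {"Seconds": 300, "KBytes": 1920000}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
# Reviewer guidance added by this example, not a screen rule: accepted choices that no longer protect adequately.
WEAK_ENC, WEAK_INTEG, WEAK_DH = {"None", "DES", "3DES"}, {"MD5"}, {1}

def _check_keys(p, fields, algorithm, lengths, problems):
    """Append a problem for each key whose length does not match the selected algorithm."""
    if algorithm not in lengths:
        problems.append(f"{fields[0]}: unknown algorithm {algorithm!r}")
        return
    for field in fields:
        got = len(p.get(field, ""))
        if got != lengths[algorithm]:
            problems.append(f"{field}: {algorithm} needs {lengths[algorithm]} characters, got {got}")

def check_manual_policy(p):
    """Return the list of problems in a Manual Policy's SA fields (empty if consistent)."""
    problems = []
    for field in ("spi_in", "spi_out"):
        if not SPI_RE.match(str(p.get(field, ""))):
            problems.append(f"{field}: expected 0x followed by 3 to 8 hex characters, got {p.get(field)!r}")
    _check_keys(p, ("enc_key_in", "enc_key_out"), p.get("encryption"), ENC_KEY_LEN, problems)
    _check_keys(p, ("integ_key_in", "integ_key_out"), p.get("integrity"), INTEG_KEY_LEN, problems)
    if p.get("encryption") in WEAK_ENC:
        problems.append(f"encryption: {p['encryption']} is accepted but weak; use AES-128 or larger")
    if p.get("integrity") in WEAK_INTEG:
        problems.append("integrity: MD5 is accepted but weak; SHA-1 is the stronger choice offered")
    return problems

def check_auto_policy(p):
    """Check an Auto Policy's SA lifetime against the stated minimums and review its PFS group."""
    problems = []
    unit, value = p.get("lifetime_unit"), p.get("lifetime", 0)
    if unit not in MIN_LIFETIME:
        problems.append(f"lifetime_unit: expected Seconds or KBytes, got {unit!r}")
    elif value < MIN_LIFETIME[unit]:
        problems.append(f"lifetime: minimum is {MIN_LIFETIME[unit]} {unit}, got {value}")
    group = p.get("pfs_group")  # None: the PFS Key Group check box is left cleared
    if group is None:
        problems.append("pfs: disabled; without PFS a compromised Phase-1 key exposes every SA key derived from it")
    elif group not in DH_GROUP_BITS:
        problems.append(f"pfs_group: unknown DH group {group!r}")
    elif group in WEAK_DH:
        problems.append(f"pfs_group: Group {group} ({DH_GROUP_BITS[group]} bit) is weak; Group 5 is the strongest offered")
    return problems

# Constructed sample of a manual policy as it might be typed into the form; all fields follow the table.
SAMPLE_MANUAL = {"spi_in": "0x1234", "spi_out": "0xabcd", "encryption": "AES-256",
                 "enc_key_in": "k" * 32, "enc_key_out": "j" * 32, "integrity": "SHA-1",
                 "integ_key_in": "h" * 20, "integ_key_out": "g" * 20}
```

Run check_manual_policy(SAMPLE_MANUAL) to see the empty list a consistent policy returns; feed it a DES/MD5 policy to see the weak-algorithm findings alongside any length errors.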
Auto Policy Parameters
Note: These fields apply only when you select Auto Policy from the Policy Type menu.
SA Lifetime. The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and must be renegotiated. From the SA Lifetime menu on the right, select how you must specify the SA lifetime in the SA Lifetime field on the left:
• Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default setting is 3600 seconds.
• KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.
Encryption Algorithm. From the menu, select one algorithm to negotiate the security association (SA):
• 3DES. Triple DES. This is the default algorithm.
• None. No encryption algorithm.
• DES. Data Encryption Standard (DES).
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Integrity Algorithm. From the menu, select the algorithm to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
PFS Key Group. Select the PFS Key Group check box on the left to enable Perfect Forward Secrecy (PFS) and select a Diffie-Hellman (DH) group from the corresponding menu on the right. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the menu, select the strength:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).
Select IKE Policy. Select an existing IKE policy that defines the characteristics of the Phase-1 negotiation. To display the selected IKE policy, click the View Selected button.

10. Click the Apply button. Your settings are saved. The VPN policy is added to the List of VPN Policies table.

Change a VPN Policy

The following procedure describes how to change an existing VPN policy that was added either automatically or manually.

To change a VPN policy:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings.
7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
8. In the List of VPN Policies table, click the Edit button for the VPN policy that you want to change. The Edit VPN Policy screen displays.
9. Change the settings. For information about the settings, see Manually Add a VPN Policy on page 381.
10. Click the Apply button. Your settings are saved. The modified VPN policy displays in the List of VPN Policies table on the VPN Policies screen.

Enable, Disable, or Remove One or More Existing VPN Policies

The following procedure describes how to enable or disable one or more existing VPN policies or remove one or more VPN policies that you no longer need.

To enable, disable, or remove one or more VPN policies:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings.
7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
8. In the List of VPN Policies table, select the check box to the left of each policy that you want to either enable, disable, or remove, or click the Select All button to select all VPN policies.
9. Take one of the following actions:
• Click the Enable button. The selected VPN policies are enabled. The status circle to the left of each selected VPN policy turns green.
• Click the Disable button. The selected VPN policies are disabled. The status circle to the left of each selected VPN policy turns gray.
• Click the Delete button. The selected VPN policies are removed from the List of VPN Policies table.

Configure Extended Authentication (XAUTH)

The following sections provide information about how to configure extended authentication (XAUTH):
• Extended Authentication Overview
• Enable and Configure Extended Authentication for VPN Clients
• RADIUS
• Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client