Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections 399 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

13. Enter the settings as described in the following table.

Note: The IKE policy settings that are described in the following table are specifically for a Mode Config configuration. For information about general IKE policy settings, see Manually Add an IKE Policy on page 368.

Setting / Description

Mode Config Record

  Do you want to use Mode Config Record?
    Select the Yes radio button.
    Note: Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs.

  Select Mode Config Record
    From the menu, select the Mode Config record that you created in Step 9. This example uses NA Sales.

General

  Policy Name
    A descriptive name of the IKE policy for identification and management purposes. This example uses ModeConfigAME_Sales.
    Note: The name is not supplied to the remote VPN endpoint.

  Direction / Type
    Responder is automatically selected when you select the Mode Config record in the Mode Config Record section. This ensures that the VPN firewall responds to an IKE request from the remote endpoint but does not initiate one.

  Exchange Mode
    Aggressive mode is automatically selected when you select the Mode Config record in the Mode Config Record section.

Local

  Select Local Gateway
    Select a WAN interface from the menu to specify the WAN interface for the local gateway.

  Identifier Type
    From the menu, select FQDN.
    Note: Mode Config requires that the VPN firewall (that is, the local endpoint) is defined by an FQDN.

  Identifier
    Enter an FQDN for the VPN firewall. This example uses router.com.

Remote

  Identifier Type
    From the menu, select FQDN.
    Note: Mode Config requires that the remote endpoint is defined by an FQDN.

  Identifier
    Enter the FQDN for the remote endpoint. This must be an FQDN that is not used in any other IKE policy. This example uses client.com.

IKE SA Parameters

  Encryption Algorithm
    To negotiate the security association (SA), from the menu, select the 3DES algorithm.

  Authentication Algorithm
    From the menu, select the SHA-1 algorithm to be used in the VPN header for the authentication process.

  Authentication Method
    Select Pre-shared key as the authentication method, and enter a key in the Pre-shared key field.

  Pre-shared key
    A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote ("), single quote ('), or space in the key. This example uses H8!spsf3#JYK2!.

  Diffie-Hellman (DH) Group
    The DH Group sets the strength of the algorithm in bits. From the menu, select Group 2 (1024 bit).

  SA-Lifetime (sec)
    The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default setting is 28800 seconds (eight hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (one hour).

  Enable Dead Peer Detection
    Select a radio button to specify whether Dead Peer Detection (DPD) is enabled:
    • No. This feature is disabled. This is the default setting.
    • Yes. This feature is enabled. When the VPN firewall detects an IKE connection failure, it removes the IPSec and IKE SA and forces a reestablishment of the connection. You must specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
    Note: For more information, see Manage Keep-Alives and Dead Peer Detection on page 411.

  Detection Period
    The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.

  Reconnect after failure count
    The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.

Extended Authentication

  XAUTH Configuration
    Select a radio button to specify whether Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
    • None. XAUTH is disabled. This is the default setting.
    • Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP.
    • IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.
    Note: For more information about XAUTH and its authentication modes, see Enable and Configure Extended Authentication for VPN Clients on page 389.

  Authentication Type
    If you select Edge Device from the XAUTH Configuration menu, you must select an authentication type from the Authentication Type menu:
    • User Database. XAUTH occurs through the VPN firewall’s user database. For information about adding users, see Manage User Accounts on page 498.
    • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client on page 392.
    • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client on page 392.

  Username
    The user name for XAUTH.

  Password
    The password for XAUTH.

14. Click the Apply button.

Your settings are saved. The IKE policy that includes the Mode Config record is added to the List of IKE Policies table. You can associate the IKE policy with a VPN policy.
Configure the NETGEAR ProSAFE VPN Client for Mode Config Operation

Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client.

When the Mode Config feature is enabled, the following information is negotiated between the VPN client and the VPN firewall during the authentication phase:
• Virtual IP address of the VPN client
• DNS server address (optional)
• WINS server address (optional)

The virtual IP address that is issued by the VPN firewall is displayed in the VPN Client Address field on the VPN client’s IPSec pane (see Test the Mode Config Connection on page 408).

Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out.

To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall with a Mode Config configuration:

1. On the computer that has the VPN client installed, right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.

3. Change the name of the authentication phase (the default is Gateway):
   a. Right-click the authentication phase name.
   b. Select Rename.
   c. Type GW_ModeConfig.
   d. Click anywhere in the tree list pane.

Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name must be a unique name.

The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
4. Specify the settings that are described in the following table.

Setting / Description

  Interface
    From the menu, select Any.

  Remote Gateway
    Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.

  Preshared Key
    Select the Preshared Key radio button and configure the following settings:
    1. Enter the pre-shared key that you already specified on the VPN firewall. For example, enter H8!spsf3#JYK2!.
    2. In the Confirm field, enter the pre-shared key again.

  Encryption
    From the menu, select the 3DES encryption algorithm.

  Authentication
    From the menu, select the SHA1 authentication algorithm.

  Key Group
    From the menu, select the DH2 (1024) key group.
    Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).

5. Click the Save button.

Your settings are saved.

6. In the Authentication pane, click the Advanced tab.
7. Specify the settings that are described in the following table.

Setting / Description

Advanced features

  Mode Config
    Select this check box to enable Mode Config.

  Aggressive Mode
    Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.

  NAT-T
    From the menu, select Automatic to enable the VPN client and VPN firewall to negotiate NAT-T.

Local and Remote ID

  Local ID
    From the Local ID menu, select DNS as the type of ID because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter client.com as the local ID for the VPN client.
    Note: The remote ID on the VPN firewall is the local ID on the VPN client.

  Remote ID
    From the Remote ID menu, select DNS as the type of ID because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter router.com as the remote ID for the VPN firewall.
    Note: The local ID on the VPN firewall is the remote ID on the VPN client.

8. Click the Save button.

Your settings are saved. Continue the Mode Config configuration of the VPN client with the IPSec configuration.
9. In the tree list pane of the Configuration Panel screen, right-click the GW_ModeConfig authentication phase name and select New Phase 2.

10. Change the name of the IPSec configuration (the default is Tunnel):
   a. Right-click the IPSec configuration name.
   b. Select Rename.
   c. Type Tunnel_ModeConfig.
   d. Click anywhere in the tree list pane.

Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name must be a unique name.

The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default.

11. Specify the settings that are described in the following table.

Setting / Description

  VPN Client address
    This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the VPN firewall displays in this field (see Test the Mode Config Connection on page 408).

  Address Type
    From the menu, select Subnet address.

  Remote LAN address
    The address that you must enter depends on whether you specified a local IP address for the Mode Config record on the VPN firewall:
    • If you did not specify a local IP address for the Mode Config record, enter the VPN firewall’s default LAN IP address in the Remote LAN Address field as the remote host address that opens the VPN tunnel. For example, enter 192.168.1.1.
    • If you specified a local IP address for the Mode Config record, enter that address in the Remote LAN Address field as the remote host address that opens the VPN tunnel.
    For more information about the local LAN address for the Mode Config record, see Configure Mode Config Operation on the VPN Firewall on page 395, specifically the description of the Local IP Address field on the Add Mode Config Record screen.

  Subnet mask
    The address that you must enter depends on whether you specified a local subnet mask for the Mode Config record on the VPN firewall:
    • If you did not specify a local subnet mask for the Mode Config record, in the Subnet mask field, enter the VPN firewall’s default LAN subnet mask. For example, enter 255.255.255.0.
    • If you specified a local subnet mask for the Mode Config record, in the Subnet mask field, enter that subnet mask.
    For more information about the local subnet mask for the Mode Config record, see Configure Mode Config Operation on the VPN Firewall on page 395, specifically the description of the Local Subnet Mask field on the Add Mode Config Record screen.

  Encryption
    From the menu, select 3DES as the encryption algorithm.

  Authentication
    From the menu, select SHA-1 as the authentication algorithm.

  Mode
    From the menu, select Tunnel as the encapsulation mode.

  PFS and Group
    Select the PFS check box and from the menu, select the DH2 (1024) key group.
    Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).

12. Click the Save button.

Your settings are saved. Continue the Mode Config configuration of the VPN client with the global parameters.

13. Click Global Parameters in the left column of the Configuration Panel screen.

The Global Parameters pane displays in the Configuration Panel screen.
14. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall:
   • Authentication (IKE), Default. Enter 3600 seconds.
     Note: The default setting is 28800 seconds (eight hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (one hour).
   • Encryption (IPSec), Default. Enter 3600 seconds.

15. Select the Dead Peer Detection (DPD) check box and configure the following DPD settings to match the configuration on the VPN firewall:
   • Check Interval. Enter 30 seconds.
   • Max. number of entries. Enter 3 retries.
   • Delay between entries. Leave the default delay setting of 15 seconds.

16. Click the Save button.

Your settings are saved. The Mode Config configuration of the VPN client is now complete.

Test the Mode Config Connection

Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client.
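The IKE policy table on the VPN firewall and the VPN client steps above describe the same tunnel from its two ends, and every value has to agree: the identifiers are entered crossed (the firewall's local ID is the client's remote ID and vice versa), both ends must use Aggressive mode, the algorithms carry different labels on each side (SHA1 versus SHA-1, DH2 (1024) versus Group 2 (1024 bit)), the pre-shared key must obey the firewall's length and character rules, and the lifetimes and DPD timers must match. The following script is an added example, not NETGEAR code and not part of this manual; it checks a firewall-side and a client-side description of the configuration against those rules before a tunnel is attempted. The two dictionaries, their field names and the check functions are constructed for this example; the values in them are the manual's example values (router.com, client.com, H8!spsf3#JYK2!, 3DES, SHA-1, Group 2, 3600 seconds, DPD 30 s x 3), and the firewall's IPSec-phase PFS group and lifetime are assumed to match what steps 11 and 14 tell you to enter on the client.

```python
"""Consistency checker for a Mode Config pairing: FVS336Gv2 IKE/VPN policy on
one side, ProSAFE VPN Client on the other. Added example, not NETGEAR code; it
talks to neither device. It encodes the matching rules stated in the tables
above. Dictionaries and field names are constructed; values are the manual's."""
from copy import deepcopy

def validate_psk(psk):
    """Pre-shared key rule from the IKE SA Parameters table: 8 to 49 characters,
    no double quote, single quote, or space. Returns the violations found."""
    problems = []
    if not 8 <= len(psk) <= 49:
        problems.append(f"length {len(psk)} is outside 8..49 characters")
    for ch, name in (('"', "double quote"), ("'", "single quote"), (" ", "space")):
        if ch in psk:
            problems.append(f"contains a {name}")
    return problems

# The client labels the same algorithms differently from the firewall
# (SHA1 vs SHA-1, DH2 (1024) vs Group 2 (1024 bit)); normalise before comparing.
ALIASES = {"sha1": "SHA-1", "sha-1": "SHA-1", "3des": "3DES",
           "dh2 (1024)": "DH Group 2 (1024 bit)", "group 2 (1024 bit)": "DH Group 2 (1024 bit)"}

def normalise(value):
    return ALIASES.get(str(value).strip().lower(), str(value).strip())

def check_pairing(firewall, client):
    """Return mismatch descriptions between the two ends (empty == consistent)."""
    issues = []
    # Mode Config: selected on the client, firewall is Responder, both Aggressive.
    if not client["mode_config"]:
        issues.append("client: Mode Config check box is not selected")
    if firewall["direction"] != "Responder":
        issues.append("firewall: Direction / Type must be Responder for Mode Config")
    if firewall["exchange_mode"] != "Aggressive" or not client["aggressive_mode"]:
        issues.append("exchange mode: both ends must use Aggressive mode")
    # Identifiers: FQDN on the firewall (type DNS on the client) and crossed, so
    # firewall local ID == client remote ID and firewall remote ID == client local ID.
    types = (firewall["local_id_type"], firewall["remote_id_type"],
             client["local_id_type"], client["remote_id_type"])
    if types != ("FQDN", "FQDN", "DNS", "DNS"):
        issues.append("identifier types must be FQDN on the firewall and DNS on the client")
    if firewall["local_id"] != client["remote_id"]:
        issues.append(f"ID mismatch: firewall local {firewall['local_id']!r} vs client remote {client['remote_id']!r}")
    if firewall["remote_id"] != client["local_id"]:
        issues.append(f"ID mismatch: firewall remote {firewall['remote_id']!r} vs client local {client['local_id']!r}")
    # Phase 1 (IKE) and Phase 2 (IPSec) algorithms and lifetimes.
    for phase in ("ike", "ipsec"):
        for field in ("encryption", "authentication", "dh_group"):
            fw, cl = firewall[phase][field], client[phase][field]
            if normalise(fw) != normalise(cl):
                issues.append(f"{phase} {field}: firewall {fw!r} vs client {cl!r}")
        if firewall[phase]["lifetime"] != client[phase]["lifetime"]:
            issues.append(f"{phase} lifetime differs: {firewall[phase]['lifetime']} s vs {client[phase]['lifetime']} s")
    # Pre-shared key: identical on both ends and within the firewall's rules.
    if firewall["psk"] != client["psk"]:
        issues.append("pre-shared key differs between the two ends")
    issues.extend(f"pre-shared key: {p}" for p in validate_psk(firewall["psk"]))
    # Dead Peer Detection: enabled flag, interval and retry count must agree.
    if firewall["dpd"] != client["dpd"]:
        issues.append(f"DPD settings differ: firewall {firewall['dpd']} vs client {client['dpd']}")
    return issues

def dpd_teardown_seconds(dpd):
    """Worst-case idle time before a dead peer is torn down: one R-U-THERE every
    dpd['period'] seconds, dpd['failures'] of them unanswered in a row."""
    return dpd["period"] * dpd["failures"]

# Constructed sample: firewall side, as entered in the IKE and VPN policy screens.
FIREWALL = {
    "direction": "Responder", "exchange_mode": "Aggressive",
    "local_id_type": "FQDN", "local_id": "router.com",
    "remote_id_type": "FQDN", "remote_id": "client.com",
    "psk": "H8!spsf3#JYK2!",
    "ike": {"encryption": "3DES", "authentication": "SHA-1", "dh_group": "Group 2 (1024 bit)", "lifetime": 3600},
    "ipsec": {"encryption": "3DES", "authentication": "SHA-1", "dh_group": "Group 2 (1024 bit)", "lifetime": 3600},
    "dpd": {"enabled": True, "period": 30, "failures": 3},
}
# Constructed sample: VPN client side, using the client's own labels.
CLIENT = {
    "mode_config": True, "aggressive_mode": True,
    "local_id_type": "DNS", "local_id": "client.com",
    "remote_id_type": "DNS", "remote_id": "router.com",
    "psk": "H8!spsf3#JYK2!",
    "ike": {"encryption": "3DES", "authentication": "SHA1", "dh_group": "DH2 (1024)", "lifetime": 3600},
    "ipsec": {"encryption": "3DES", "authentication": "SHA-1", "dh_group": "DH2 (1024)", "lifetime": 3600},
    "dpd": {"enabled": True, "period": 30, "failures": 3},
}

def misconfigured_client():
    """CLIENT with the IDs entered the same way round as on the firewall instead
    of crossed, the error the manual's two Local ID / Remote ID notes address."""
    bad = deepcopy(CLIENT)
    bad["local_id"], bad["remote_id"] = "router.com", "client.com"
    return bad

if __name__ == "__main__":
    print("matching client:", check_pairing(FIREWALL, CLIENT) or "OK")
    print("swapped IDs:", check_pairing(FIREWALL, misconfigured_client()))
    print("DPD tear-down after", dpd_teardown_seconds(FIREWALL["dpd"]), "s idle")
```

Run as-is, the matching pair reports no issues and the swapped-ID copy reports the two identifier mismatches; the DPD figure (90 s) is how long an idle, dead peer holds its SA before the firewall tears it down and retries, which together with the 3600-second lifetime bounds how long a Mode Config virtual address stays allocated to a client that vanished without disconnecting. The checker only confirms that both ends agree; 3DES, SHA-1 and DH Group 2 are the manual's example choices and are legacy algorithms, so where both peers support AES and larger DH groups those are the settings to standardise on.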