Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking with SSL Connections 459 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

7. In the List of Configured Applications for Port Forwarding table, to the right of the host name that you want to remove, click the corresponding Delete button. The IP address and port number are removed from the List of Configured Applications for Port Forwarding table.

Configure the SSL VPN Client

The following sections provide information about configuring SSL VPN clients:
• SSL VPN Clients Overview
• Configure the Client IPv4 Address Range
• Add an IPv4 Route for VPN Tunnel Clients
• Configure the Client IPv6 Address Range
• Add an IPv6 Route for VPN Tunnel Clients
• Remove an IPv4 or IPv6 Client Route

SSL VPN Clients Overview

Note: The SSL VPN client does not apply if you configure port forwarding capability for an SSL portal. The SSL VPN client applies only for VPN tunnel capability.

The SSL VPN client on the VPN firewall assigns IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the local subnet to the remote VPN tunnel clients.

The following are some additional considerations for the SSL VPN client:
• To prevent the virtual (PPP) interface address of a VPN tunnel client from conflicting with addresses on the local network, configure an IP address range that does not directly overlap with addresses on your local network. For example, if 192.168.1.1 through 192.168.1.100 are assigned to devices on the local network, start the client address range at 192.168.1.101, or choose an entirely different subnet altogether.
• The VPN tunnel client cannot contact a server on the local network if the VPN tunnel client’s Ethernet interface shares the same IP address as the server or the VPN firewall. (For example, if your computer has a network interface IP address of 10.0.0.45, you cannot contact a server on the remote network that also has the IP address 10.0.0.45.)
• Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth:
  - A full tunnel sends all of the client’s traffic across the VPN tunnel.
  - A split tunnel sends only traffic that is destined for the local network based on the specified client routes. All other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only.
• If you enable split-tunnel support and you assign an entirely different subnet to the VPN tunnel clients from the subnet that is used by the local network, you must add a client route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel.

Configure the Client IPv4 Address Range

The following procedure describes how to define the client IPv4 address range.

To define the client IPv4 address range:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings. The following figure shows an example.
7. In the Client IP Address Range section, enter the settings as described in the following table.

Setting | Description
Enable Full Tunnel Support | Select this check box to enable full-tunnel support. Full tunnel support provides clients access to the entire LAN network. If you leave this check box cleared (which is the default setting), full-tunnel support is disabled but split-tunnel support is enabled. You must add one or more IPv4 client routes to provide clients access to specific networks (see Add an IPv4 Route for VPN Tunnel Clients on page 462). Note: When full-tunnel support is enabled, client routes are not operable.
DNS Suffix | A DNS suffix to be appended to incomplete DNS search strings. This setting is optional.
Primary DNS Server | The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This setting is optional. Note: If you do not assign a DNS server, the DNS settings remain unchanged in the SSL VPN client after a VPN tunnel is established.
Secondary DNS Server | The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This setting is optional.
Client Address Range Begin | The first IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the first IPv4 address is 192.168.251.1.
Client Address Range End | The last IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the last IPv4 address is 192.168.251.254.

8. Click the Apply button.
Your settings are saved. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IPv4 address in the client address range.

Add an IPv4 Route for VPN Tunnel Clients

If the assigned client IPv4 address range is in a different subnet from the local network, or if the local network has multiple subnets, or if you select split-tunnel operation, you must define client routes.

To add an IPv4 route for SSL VPN tunnel clients:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings. The following figure shows an example.
7. In the Add Routes for VPN Tunnel Clients section, complete the following fields:
   • Destination Network. The IPv4 address of the local destination network or subnet that provides access to one or more port forwarding applications and services.
   • Subnet Mask. The subnet mask for the local destination or subnet.
8. Click the Add button. The new client route is added to the Configured Client Routes table.

Note: If VPN tunnel clients are already connected, you can disconnect the clients (see View the VPN Firewall SSL VPN Connection Status and Disconnect Active Users on page 444) to allow them to receive new addresses and routes when they reconnect.

Configure the Client IPv6 Address Range

If you enabled IPv6 (see Manage the IPv6 Routing Mode on page 88), you can define the IPv6 address range to be assigned to VPN tunnel clients.

To define the client IPv6 address range:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings. The following figure shows an example.
8. In the Client IP Address Range section, enter the settings as described in the following table.

Setting | Description
Enable Full Tunnel Support | Select this check box to enable full-tunnel support. If you leave this check box cleared (which is the default setting), full-tunnel support is disabled but split-tunnel support is enabled and you must add an IPv6 client route (see Add an IPv6 Route for VPN Tunnel Clients on page 465). Note: When full-tunnel support is enabled, client routes are not operable.
Client IPv6 Address Range Begin | The first IP address of the IPv6 address range that you want to assign to the VPN tunnel clients. By default, the first IPv6 address is 4000::1.
Client IPv6 Address Range End | The last IP address of the IPv6 address range that you want to assign to the VPN tunnel clients. By default, the last IPv6 address is 4000::200.

9. Click the Apply button. Your settings are saved. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IPv6 address in the client address range.

Add an IPv6 Route for VPN Tunnel Clients

If the assigned client IPv6 address range is different from the local network address range, or if the local network uses multiple address ranges, or if you select split-tunnel operation, you must define IPv6 client routes.

To add an IPv6 route for SSL VPN tunnel clients:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings. The following figure shows examples.
8. In the Add Routes for VPN Tunnel Clients section, complete the following fields:
   • Destination Network. The IPv6 address of the local destination network that provides access to one or more port forwarding applications and services.
   • Prefix Length. The prefix length for the local destination network.
9. Click the Add button. The new client route is added to the Configured Client Routes table.

Note: If VPN tunnel clients are already connected, you can disconnect the clients (see View the VPN Firewall SSL VPN Connection Status and Disconnect Active Users on page 444) to allow them to receive new addresses and routes when they reconnect.

Remove an IPv4 or IPv6 Client Route

The following procedure describes how to remove a client route that you no longer need.

To remove an IPv4 or IPv6 client route:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings.
7. To remove an IPv6 client route instead of an IPv4 client route, in the upper right, select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings.
8. In the Configured Client Routes table, to the right of the route that you want to remove, click the corresponding Delete button. The route is removed from the Configured Client Routes table.

Manage Network Resource Objects to Simplify Policies

The following sections provide information about managing network resource objects for SSL port forwarding:
• Network Objects Overview
• Add an SSL Network Resource
• Define or Change an IPv4 or IPv6 Network Resource and Resource Address
• Remove One or More SSL Network Resources
• Remove an IPv4 or IPv6 SSL Resource Address Configuration

Network Objects Overview

Network resources are groups of IP addresses, IP address ranges, and applications and services. By defining resource objects, you can more quickly create and configure network policies.
You do not need to redefine the same set of IP addresses or address ranges when you configure the same access policies for multiple users.
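
As an added example for the client address range and client route rules in Configure the SSL VPN Client above (not part of the NETGEAR manual), this Python function checks a planned configuration offline before you enter it in the SSL VPN Client screen. It flags overlap with LAN addresses, missing client routes in split-tunnel mode, and client routes that full-tunnel mode makes inoperable; the function name, its parameters and the finding strings are assumptions made for illustration.

```python
import ipaddress as ip

def check_client_plan(lan_subnets, lan_in_use, begin, end, full_tunnel, routes):
    """Return findings for a planned SSL VPN client configuration.

    lan_subnets: local networks the tunnel clients must reach
    lan_in_use:  (first, last) address ranges already assigned on the LAN
    begin, end:  Client Address Range Begin / End
    full_tunnel: state of the Enable Full Tunnel Support check box
    routes:      client routes as (destination network, mask or prefix length)
    """
    lo, hi = ip.ip_address(begin), ip.ip_address(end)
    if lo.version != hi.version or lo > hi:
        return ["invalid client address range"]
    findings = []
    # Rule 1: the client range must not overlap addresses in use on the LAN.
    for first, last in lan_in_use:
        a, b = ip.ip_address(first), ip.ip_address(last)
        if a.version == lo.version and lo <= b and a <= hi:
            findings.append(f"client range overlaps LAN addresses {first}-{last}")
    # Only compare networks of the same IP version as the client range.
    nets = [n for n in map(ip.ip_network, lan_subnets) if n.version == lo.version]
    route_nets = [ip.ip_network(f"{d}/{m}", strict=False) for d, m in routes]
    route_nets = [r for r in route_nets if r.version == lo.version]
    if full_tunnel:
        # Rule 2: with full tunnel enabled, client routes are not operable.
        if route_nets:
            findings.append("full tunnel: configured client routes are not operable")
        return findings
    # Rule 3: in split-tunnel mode, each local subnet needs a covering client route.
    for n in nets:
        if not any(n.subnet_of(r) for r in route_nets):
            findings.append(f"split tunnel: no client route covers {n}")
    return findings

# Constructed sample: LAN 192.168.1.0/24 with .1-.100 assigned (the manual's example),
# clients on the default range 192.168.251.1-192.168.251.254, split tunnel, no routes.
LAN, USED = ["192.168.1.0/24"], [("192.168.1.1", "192.168.1.100")]
if __name__ == "__main__":
    for finding in check_client_plan(LAN, USED, "192.168.251.1", "192.168.251.254", False, []):
        print(finding)
```
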
Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.

Add an SSL Network Resource

The resource name and service are independent of the IP version. However, the resource definition (see Define or Change an IPv4 or IPv6 Network Resource and Resource Address on page 469) depends on the IP version because you can assign either an IPv4 or an IPv6 address or network.

To add an IPv4 or IPv6 SSL network resource:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > SSL VPN > Resources. The Resources screen displays. The following figure shows some resources in the List of Resources table as an example.