Home » Netgear Manuals » Bridges & Routers » Netgear FVL328 » Manual Viewer

Netgear FVL328 FVL328 Reference Manual - Page 85

Certificate Revocation List (CRL), How to Use the VPN Wizard to Con a VPN Tunnel

UPC - 606449025811

Add to My Manuals
Save this manual to your list of manuals

Page 85 highlights

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 A CA is part of a trust chain. A CA has a public key which is signed. The combination of the signed public key and the private key enables the CA process to eliminate 'man in the middle' security threats. A 'self' certificate has your public key and the name of your CA, and relies on the CA's certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVL328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVL328 and a certificate is created for a user, the corresponding IKE policy is added to the FVL328. Whenever the user tries to send traffic through the FVL328, the certificates are used in place of pre-shared keys during initial key exchange as the authentication and key generation mechanism. Once the keys are established and the tunnel is set up the connection proceeds according to the VPN policy. Certificate Revocation List (CRL) Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these revoked certificates is known as the Certificate Revocation List (CRL). Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the CRL on the FVL328 obtained from the corresponding CA. If the certificate is not present in the CRL it means that the certificate is not revoked. IKE can then use this certificate for authentication. If the certificate is present in the CRL it means that the certificate is revoked, and the IKE will not authenticate the client. You must manually update the FVL328 CRL regularly in order for the CA-based authentication process to remain valid. How to Use the VPN Wizard to Configure a VPN Tunnel Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first open UDP port 500 for inbound traffic as explained in "Example: Port Forwarding for VPN Tunnels when NAT is Off" on page 5-9. Follow this procedure to configure a VPN tunnel using the VPN Wizard. Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. Virtual Private Networking May 2004, 202-10030-02 6-15

Section	Page
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2	1
Trademarks	2
Statement of Conditions	2
EN 55 022 Declaration of Conformance	2
Certificate of the Manufacturer/Importer	2
Bestätigung des Herstellers/Importeurs	3
Voluntary Control Council for Interference (VCCI) Statement	3
Technical Support	3
World Wide Web	3
Contents	5
Chapter 1 About This Manual	13
Audience	13
Scope	13
Typographical Conventions	14
Special Message Formats	14
How to Use this Manual	15
How to Print this Manual	16
Chapter 2 Introduction	17
About the FVL328	17
Summary of New Features in the FVL328	17
Key Features	18
Virtual Private Networking	18
A Powerful, True Firewall	19
Content Filtering	19
Configurable Auto Uplink™ Ethernet Connection	19
Protocol Support	20
Easy Installation and Management	21
What’s in the Box?	22
The Firewall’s Front Panel	22
The Firewall’s Rear Panel	23
Chapter 3 Connecting the FVL328 to the Internet	25
Connecting the FVL328 to Your LAN	25
How to Connect the FVL328 to Your LAN	25
Configuring for a Wizard-Detected Login Account	30
Configuring for a Wizard-Detected Dynamic IP Account	32
Configuring for a Wizard-Detected Fixed IP (Static) Account	32
Testing Your Internet Connection	33
Manually Configuring Your Internet Connection	34
How to Complete a Manual Configuration	35
Chapter 4 WAN and LAN Configuration	37
Configuring LAN IP Settings	37
Using the Router as a DHCP Server	38
How to Configure LAN TCP/IP Settings and View the DHCP Log	39
How to Configure Reserved IP Addresses	40
Configuring WAN Settings	41
Connect Automatically, as Required	42
Setting Up a Default DMZ Server	43
How to Assign a Default DMZ Server	43
Multi-DMZ Servers	43
Responding to Ping on Internet WAN Port	44
MTU Size	44
Port Speed	44
Port Triggering	45
Port Triggering Rules	46
Adding a new Rule	46
Checking Operation and Status	47
Configuring Dynamic DNS	47
How to Configure Dynamic DNS	48
Using Static Routes	48
Static Route Example	48
How to Configure Static Routes	49
Chapter 5 Protecting Your Network	51
Firewall Protection and Content Filtering Overview	51
Using the Block Sites Menu to Screen Content	51
Apply Keyword Blocking to Groups	53
Services and Rules Regulate Inbound and Outbound Traffic	53
Defining a Service	54
Using Inbound/Outbound Rules to Block or Allow Services	55
Examples of Using Services and Rules to Regulate Traffic	57
Inbound Rules (Port Forwarding)	57
Example: Port Forwarding to a Local Public Web Server	58
Example: Port Forwarding for Videoconferencing	58
Example: Port Forwarding for VPN Tunnels when NAT is Off	59
Outbound Rules (Service Blocking or Port Filtering)	60
Outbound Rule Example: Blocking Instant Messaging	60
Other Rules Considerations	61
Order of Precedence for Rules	61
Rules Menu Options	62
Using a Schedule to Block or Allow Content or Traffic	63
Setting the Time Zone	64
Set Clock	64
Enable NTP (Network Time Protocol)	64
User-defined NTP Server	65
Getting E-Mail Notifications of Event Logs and Alerts	65
Viewing Logs of Web Access or Attempted Web Access	67
What to Include in the Event Log	69
Chapter 6 Virtual Private Networking	71
Overview of FVL328 Policy-Based VPN Configuration	71
Using Policies to Manage VPN Traffic	71
Using Automatic Key Management	72
IKE Policies’ Automatic Key and Authentication Management	73
VPN Policy Configuration for Auto Key Negotiation	76
VPN Policy Configuration for Manual Key Exchange	79
Using Digital Certificates for IKE Auto-Policy Authentication	84
Certificate Revocation List (CRL)	85
How to Use the VPN Wizard to Configure a VPN Tunnel	85
Walk-Through of Configuration Scenarios	88
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets	89
FVL328 Scenario 1: How to Configure the IKE and VPN Policies	91
How to Check VPN Connections	96
FVL328 Scenario 2: Authenticating with RSA Certificates	97
Chapter 7 Managing Your Network	105
Protecting Access to Your FVL328 Firewall	105
How to Change the Built-In Password	105
How to Change the Administrator Login Timeout	106
Internet Traffic	107
Internet Traffic Limit	107
Enable Monthly Limit	108
Internet Traffic Statistics	108
Traffic by Protocol	109
Network Database	109
Advantages of the Network Database	110
Known PCs and Devices	111
Operations	111
Network Management	112
How to Configure Remote Management	112
Viewing Router Status and Usage Statistics	113
Viewing Attached Devices	116
Viewing, Selecting, and Saving Logged Information	117
Changing the Include in Log Settings	118
Enabling the Syslog Feature	119
Enabling Security Event E-mail Notification	119
Backing Up, Restoring, or Erasing Your Settings	121
How to Back Up the FVL328 Configuration to a File	121
How to Restore a Configuration from a File	122
How to Erase the Configuration	122
Running Diagnostic Utilities and Rebooting the Router	123
Upgrading the Router’s Firmware	124
How to Upgrade the Router	124
Chapter 8 Troubleshooting	127
Basic Functions	127
Power LED Not On	128
Test LED Never Turns On or Test LED Stays On	128
Local or Internet Port Link LEDs Not On	129
Troubleshooting the Web Configuration Interface	129
Troubleshooting the ISP Connection	130
Troubleshooting a TCP/IP Network Using a Ping Utility	131
How to Test the LAN Path to Your Firewall	132
How to Test the Path from Your PC to a Remote Device	132
Restoring the Default Configuration and Password	133
How to Use the Default Reset Button	133
Problems with Date and Time	134
Appendix A Technical Specifications	135
Appendix B Networks, Routing, and Firewall Basics	137
Related Publications	137
Basic Router Concepts	137
What is a Router?	137
Routing Information Protocol	138
IP Addresses and the Internet	138
Netmask	140
Subnet Addressing	140
Private IP Addresses	143
Single IP Address Operation Using NAT	143
MAC Addresses and Address Resolution Protocol	144
Related Documents	145
Domain Name Server	145
IP Configuration by DHCP	145
Internet Security and Firewalls	146
What is a Firewall?	146
Stateful Packet Inspection	146
Denial of Service Attack	147
Ethernet Cabling	147
Category 5 Cable Quality	147
Inside Twisted Pair Cables	148
Uplink Switches, Crossover Cables, and MDI/MDIX Switching	149
Appendix C Preparing Your Network	151
What You Will Need Before You Begin	151
LAN Hardware Requirements	151
LAN Configuration Requirements	152
Internet Configuration Requirements	152
Where Do I Get the Internet Configuration Parameters?	152
Worksheet for Recording Your Internet Connection Information	153
Preparing Your Computers for TCP/IP Networking	154
Configuring Windows 95, 98, and Me for TCP/IP Networking	155
Install or Verify Windows Networking Components	155
Enabling DHCP to Automatically Configure TCP/IP Settings	156
Selecting Windows’ Internet Access Method	157
Verifying TCP/IP Properties	157
Configuring Windows NT, 2000 or XP for IP Networking	158
Installing or Verifying Windows Networking Components	158
Verifying TCP/IP Properties	158
Configuring the Macintosh for TCP/IP Networking	159
MacOS 8.6 or 9.x	159
MacOS X	160
Verifying TCP/IP Properties for Macintosh Computers	160
Restarting the Network	161
Appendix D Firewall Log Formats	163
Action List	163
Field List	163
Outbound Log	163
Inbound Log	164
Other IP Traffic	164
Router Operation	165
Other Connections and Traffic to this Router	166
DoS Attack/Scan	166
Access Block Site	168
All Web Sites and News Groups Visited	168
System Admin Sessions	168
Policy Administration LOG	169
Appendix E Virtual Private Networking	171
What is a VPN?	171
What is IPSec and How Does It Work?	172
IPSec Security Features	172
IPSec Components	172
Encapsulating Security Payload (ESP)	173
Authentication Header (AH)	174
IKE Security Association	174
Mode	175
Key Management	176
Understand the Process Before You Begin	176
VPN Process Overview	177
Network Interfaces and Addresses	177
Interface Addressing	177
Firewalls	178
Setting Up a VPN Tunnel Between Gateways	178
VPNC IKE Security Parameters	180
VPNC IKE Phase I Parameters	180
VPNC IKE Phase II Parameters	181
Testing and Troubleshooting	181
Additional Reading	181
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVL328	183
Configuration Template	183
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	184
Step-By-Step Configuration of FVL328 Gateway B	187
Test the VPN Connection	192
Appendix G NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router	195
Configuration Profile	195
Step-By-Step Configuration of FVL328 or FWAG114 Gateway	196
Step-By-Step Configuration of the FVL328 Firewall B	201
Testing the VPN Connection	208
From the Client PC to the FVL328	208
From the FVL328 to the Client PC	209
Monitoring the PC VPN Connection	209
Viewing the FVL328 VPN Status and Log Information	211
Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328	213
Configuration Template	213
Using DDNS and Fully Qualified Domain Names (FQDN)	214
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	215
Step-By-Step Configuration of FVL328 Gateway B	219
Test the VPN Connection	224
Glossary	225

Match case Limit results 1 per page

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Virtual Private Networking

6-15

May 2004, 202-10030-02

A CA is part of a trust chain. A CA has a public key which is signed. The combination of the

signed public key and the private key enables the CA process to eliminate ‘man in the middle’

security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the

CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added

to the FVL328 and can then be used to form IKE policies for the user. Once a CA certificate is

added to the FVL328 and a certificate is created for a user, the corresponding IKE policy is added

to the FVL328. Whenever the user tries to send traffic through the FVL328, the certificates are

used in place of pre-shared keys during initial key exchange as the authentication and key

generation mechanism. Once the keys are established and the tunnel is set up the connection

proceeds according to the VPN policy.

Certificate Revocation List (CRL)

Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these

revoked certificates is known as the Certificate Revocation List (CRL).

Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the

CRL on the FVL328 obtained from the corresponding CA. If the certificate is not present in the

CRL it means that the certificate is not revoked. IKE can then use this certificate for

authentication. If the certificate is present in the CRL it means that the certificate is revoked, and

the IKE will not authenticate the client.

You must manually update the FVL328 CRL regularly in order for the CA-based authentication

process to remain valid.

How to Use the VPN Wizard to Configure a VPN Tunnel

Follow this procedure to configure a VPN tunnel using the VPN Wizard.

Note:

The LAN IP address ranges of each VPN endpoint must be different. The connection will

fail if both are using the NETGEAR default address range of 192.168.0.x.

Note:

If you have turned NAT off, before configuring VPN IPSec tunnels you must first

open UDP port 500 for inbound traffic as explained in

“Example: Port Forwarding for

VPN Tunnels when NAT is Off” on page 5-9