Home » Netgear Manuals » Wireless » Netgear FVM318 » Manual Viewer

Netgear FVM318 FVM318 Reference Manual - Page 148

Negotiating the SA - the Internet Key Exchange IKE

Add to My Manuals
Save this manual to your list of manuals

Page 148 highlights

Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall • Exchange keys • Keep track of the agreements Negotiating the SA - the Internet Key Exchange (IKE) IKE provides a way to: • Ensure that the key exchange and the IPSec communication occurs only between authenticated parties; • Negotiate the protocols, algorithms and keys to be used between the two IPSec hosts • Securely update and renegotiate SAs when they have expired. IKE functions in two phases: 1. Phase 1. The peers establish a secure channel. After Phase 1, all IKE packets are encrypted. 2. Phase 2. The peers negotiate a general purpose SA. IKE provides three modes of key exchange and setting up of SAs. Two of the modes are used in the first phase and one in the second. Authentication: Phase 1 Main mode or Aggressive mode can be chosen in the first phase. • Main mode. This mode accomplishes the first phase by establishing a secure channel before sending a user identity. Main mode secures an IKE SA in three two-way exchanges between the initiator and the responder. a. Both agree on basic algorithms and hashes. b. Both exchange Diffie-Hellman public keys and pass nonces. Nonce is a cryptographic term for a fresh random number that is used only once. c. Both parties verify each other's identity. This exchange is already encrypted. • Aggressive mode. Unlike Main mode, it does not protect identities because it establishes the secure channel after the information has been exchanged. Aggressive mode establishes a connection with two exchanges. Only one of these is a round-trip exchange. a. The initiator generates a Diffie-Hellman public value, sending it with the nonce. B-22 Network, Routing, Firewall, and Wireless Basics

Section	Page
Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall	1
Contents	5
Preface About This Manual	5
Chapter 1 Introduction	5
Chapter 2 Connecting the Firewall to the Internet	5
Chapter 3 Wireless Configuration	5
Chapter 4 Protecting Your Network	6
Chapter 5 Virtual Private Networking	6
Chapter 6 Managing Your Network	6
Chapter 7 Advanced Configuration	7
Chapter 8 Troubleshooting	7
Appendix A Technical Specifications	8
Appendix B Network, Routing, Firewall, and Wireless Basics	8
Appendix C Preparing Your Network	8
Glossary	9
Index	9
List of Procedures	11
Preface About This Manual	13
Audience	13
Typographical Conventions	13
Special Message Formats	14
Chapter 1 Introduction	15
Key Features of the FVM318	15
Virtual Private Networking (VPN)	15
Enhanced Wireless Security Through IPSec	16
A Powerful, True Firewall with Content Filtering	16
Autosensing Ethernet Connections with Auto Uplink™	16
Extensive Protocol Support	17
Easy Installation and Management	18
What’s in the Box?	19
The Firewall’s Front Panel	19
Figure 11: FVM318 Front Panel	19
Table 11: LED Descriptions	20
The Firewall’s Rear Panel	21
Figure 12: FVM318 Rear Panel	21
Chapter 2 Connecting the Firewall to the Internet	23
What You Will Need Before You Begin	23
1. Have active Internet service such as that provided by an cable or DSL broadband account.	23
2. Locate the Internet Service Provider (ISP) configuration information for your account.	23
3. Connect the firewall to a cable or DSL modem and a computer as explained below.	23
Cabling and Computer Hardware Requirements	23
Network Configuration Requirements	23
Internet Configuration Requirements	24
Where Do I Get the Internet Configuration Parameters?	24
Procedure 2-1: Record Your Internet Connection Information	25
Connecting the FVM318 to Your LAN	26
Procedure 2-2: Connecting the Firewall to Your LAN	26
1. Connect the firewall to your network.	26
2. Log in to the firewall.	26
3. Connect to the Internet.	26
1. Connect the firewall.	26
a. Turn off your computer and cable or DSL Modem.	26
b. Disconnect the Ethernet cable (A) from your computer which connects to the modem.	26
Figure 21: Disconnect the cable or DSL Modem	26
c. Connect the Ethernet cable (A) from the modem to the FVM318’s Internet port.	27
Figure 22: Connect the cable or DSL Modem to the firewall	27
d. Connect the Ethernet cable (B) which came with the firewall from a local port on the router to your computer.	27
Figure 23: Connect the computers on your network to the firewall	27
e. Turn on the modem and wait about 30 seconds for the lights to stop blinking.	28
f. Turn on the firewall and wait for the Test light to stop blinking.	28
g. Now, turn on your computer. If you usually run software to log in to your Internet connection, do not run that software.	28
h. Now that the modem, firewall, and computer are turned on, verify the following:	28
2. Log in to the firewall.	28
a. Log in to the firewall at its default address of http://192.168.0.1 using a browser like Internet Explorer or Netscape® Navigator.	28
Figure 24: Log in to the firewall.	28
Figure 25: Login window	29
b. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters.	29
3. Connect to the Internet	29
Figure 26: Setup Wizard	29
a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.	30
b. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.	30
c. When the firewall successfully detects an active Internet service, the Setup Wizard reports which connection type it discovered, and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted...	30
d. The Setup Wizard will report the type of connection it finds. The options are:	30
PPPoE Wizard-Detected Option	31
Figure 27: Setup Wizard menu for PPPoE accounts	31
Dynamic IP Wizard-Detected Option	32
Figure 28: Setup Wizard menu for Dynamic IP address accounts	32
Fixed IP Account Wizard-Detected Option	33
Figure 29: Setup Wizard menu for Fixed IP address accounts	33
Manually Configuring Your Internet Connection	34
Figure 210: Browser-based configuration Basic Settings menus	34
Procedure 2-3: Configuring the Internet Connection Manually	35
1. Log in to the firewall at its default address of http://192.168.0.1 using a browser like Internet Explorer or Netscape® Navigator.	35
2. Click the Basic Settings link under the Setup section of the main menu.	35
3. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below. If your Internet connection does require a login, click Yes, and skip to step 3.	35
a. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers.	35
b. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use static IP address”. Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gatew...	35
c. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondar...	35
d. Gateway’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is ...	35
e. Click Apply to save your settings.	35
4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.	36
a. Select your Internet service provider from the drop-down list.	36
Figure 211: Basic Settings ISP list	36
b. The screen will change according to the ISP settings requirements of the ISP you select.	36
c. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 29.	36
d. Click Apply to save your settings.	36
Chapter 3 Wireless Configuration	37
Considerations For A Wireless Network	37
Observe Performance, Placement and Range Guidelines	37
Implement Appropriate Wireless Security	38
Figure 31: FVM318 wireless data security options	38
Understanding Wireless Settings	39
Figure 32: Wireless Settings menu	39
Wireless Network Settings	39
Restricting Access Based on the Wireless Card Access List	40
Figure 33: Wireless Card Access List menu	40
Choosing Authentication and Security Encryption Methods	40
Figure 34: Encryption Strength	40
Automatic Authentication Scheme Selection	40
Encryption Strength Choices	41
Disable	41
IPSec	41
Figure 35: IPSec main or aggressive mode settings	41
Figure 36: IPSec encryption protocol	42
64 or 128 bit WEP	42
Figure 37: Encryption Strength	42
Figure 38: 64 or 128 bit WEP encryption strength	43
Procedure 3-1: Set Up and Test Basic Wireless Connectivity	43
1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.	44
2. Click the Wireless Settings link in the main menu of the FVM318 firewall.	44
Figure 39: Wireless Settings menu	44
3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box, enter a value of up to 32 alphanumeric characters. The default SSID is Wireless.	44
4. Set the Region. Select the region in which the wireless interface will operate.	44
5. Set the Channel. The default channel is 6.	44
6. For initial configuration and test, leave the Wireless Card Access List set to “Everyone” and the Encryption Strength set to “Disabled.”	44
7. Click Apply to save your changes.	44
8. Configure and test your PCs for wireless connectivity.	45
Procedure 3-2: Restrict Wireless Access by MAC Address	45
1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.	45
2. Click the Wireless Settings link in the main menu of the FVM318 firewall.	45
3. From the Wireless Settings menu, click the Trusted PCs button to display the Wireless Access menu shown below.	45
Figure 310. Wireless Access menu	45
4. Enter the MAC address of the authorized PC. Enter a descriptive name for the PC in the Device Name field. The MAC address is usually printed on the wireless card, or it may appear in the firewall’s “Attached Devices” DHCP table.	46
5. Click Add to save your entry.	46
6. Click Back to return to the Wireless Settings menu	46
7. Be sure that the Trusted PCs only radio button is selected, then click Apply.	46
Procedure 3-3: Configure WEP	46
1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.	46
2. Click the Wireless Settings link in the main menu of the FVM318 firewall.	46
3. From the Security Encryption menu drop-down list, select the WEP encryption type you will use.	47
Figure 311. Wireless Settings encryption menu	47
4. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.	47
5. Click Apply to save your settings.	47
Configuring IPSec Wireless Connections	48
Figure 312. Configuring basic wireless IPSec VPN tunnel connections	48
Procedure 3-4: Configure Basic IPSec Wireless Connections	49
1. Configure the FVM318 settings.	49
a. Log in to the FVM318 at http://192.168.0.1 with its default user name of admin and default password of password, or using whatever user name, password you have set up.	49
b. Click the Wireless link in the main menu Setup section to display the menu shown below.	49
Figure 313. Wireless Settings menu, IPSec selected	49
c. Click the Encryption Strength drop-down list box and select IPSec. The Wireless Settings menu will change to display the list of IPSec connections, as shown in Figure 313:	49
d. Click Add to display the IPSec client setting menu, as shown below.	50
Figure 314. IPSec Client Settings menu	50
e. Enter a descriptive name for this PC in Connection Name. This name is for your convenience only, and is not used in the VPN negotiation.	50
f. Enter the user name. An email address is an easy to remember user name.	50
g. Enter a Pre-Shared Key value for this connection.	50
h. Use the default Aggressive Mode and AES - 256 settings.	50
2. Install the SafeNet SoftRemote Basic VPN client software.	50
a. Place the FVM318 Resource CD in your CD drive.	50
b. Install the SafeNet SoftRemote Basic VPN client.	50
Figure 315. SafeNet system tray icon with disabled indicator	50
3. Configure the SoftRemote Basic VPN Client.	51
a. In the taskbar tray, right-click on the SafeNet icon and select Edit Security Policy in the VPN client task menu, as shown below.	51
Figure 316. SafeNet system tray icon menu	51
Figure 317. SafeNet basic configuration menu	51
b. In most cases, you can leave the IPSec Gateway as “LAN Gateway”, which indicates the firewall. If you are not using the firewall as your network’s default gateway, change IPSec Gateway to indicate either the IP Address or the network name ...	52
c. Enter the User Name and the Pre-Shared Key value that you programmed for this PC in the firewall’s IPSec Client Settings menu.	52
d. Click OK.	52
e. In the taskbar tray, right-click on the SafeNet icon and select Activate Security Policy in the task menu. The SafeNet icon will now appear without the red bar, as shown below.	52
Figure 318. SafeNet system tray icon showing enabled condition	52
4. Test the SoftRemote Basic VPN Connection.	52
a. On the Windows taskbar, click the Start button, and then click Run.	52
b. Type ping -t 192.168.0.1 , and then click OK.	52
Figure 319. Run Ping from Windows Start Menu	52
Figure 320. Ping results	53
Figure 321. SafeNet system tray icon showing ON condition	53
c. Once the connection is established, you can open the browser of the PC and browse.	53
Using SoftRemoteLT Instead of SoftRemote Basic	53
Procedure 3-5: Configuring the SoftRemoteLT Full Client	54
1. Install the SafeNet SoftRemoteLT Full VPN Client	54
2. Open the Security Policy Editor.	54
Figure 322. SafeNet Security Policy Editor	54
3. Create a VPN Connection.	54
a. From the Edit menu at the top of the Security Policy Editor window, click Add, then Connection. A New Connection listing will appear in the list of policies.	55
Figure 323. SafeNet Security Policy Editor new connection menu	55
b. Click and rename the New Connection list item to indicate that this is the policy for your local wireless connection, such as Wireless.	55
c. Select Secure on the right side of the Security Policy Editor window in the Connection Security box.	55
d. Select IP Subnet in the ID Type menu.	55
e. Type 0.0.0.0 in the Subnet and Mask fields.	55
f. Select All in the Protocol menu to allow all traffic through the VPN tunnel.	55
g. Check Connect using Secure Gateway Tunnel.	55
h. Select Any in the ID Type menu below the checkbox.	55
i. Select Gateway IP Address in the box to the right of ID Type.	55
j. Enter the LAN IP Address of the FVM318 firewall in the lower right box (usually 192.168.0.1).	55
4. Configure the Security Policy.	56
a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the new connection by double clicking its name or clicking on the “+” symbol.	56
b. Click on the Security Policy subheading to show the Security Policy menu.	56
Figure 324. SafeNet Security Policy Editor edit security policy menu	56
c. Select Aggressive Mode in the Select Phase 1 Negotiation Mode box.	56
d. Check the Enable Perfect Forward Secrecy (PFS) checkbox.	56
e. Select Diffie-Helman Group 2 for PFS Key Group.	56
f. Check the Enable Replay Detection checkbox.	56
5. Configure the VPN Client Identity	56
a. Click on My Identity in the Network Security Policy list on the left side of the Security Policy Editor window.	57
Figure 325. SafeNet Security Policy Editor edit identity menu	57
b. Choose None in the Select Certificate menu.	57
c. Select Domain Name in the ID Type menu.	57
d. In the box below ID Type, enter the user name that you configured in the FVM318 firewall.	57
e. Select Disabled in the Virtual Adapter box.	57
f. In the Internet Interface box, select your wireless adapter or you may choose Any if you will be switching between adapters or if you have only one adapter.	57
g. Click the Pre-Shared Key button.	57
h. Click the Enter Key button in the Pre-Shared Key dialog box.	57
i. Enter the Pre-Shared Key that you configured in the FVM318 firewall and click OK. Note that this field is case sensitive.	57
6. Configure VPN Client Authentication Proposal	57
a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the “+” symbol.	57
b. Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication.	58
c. Select Pre-Shared key in the Authentication Method menu.	58
d. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.	58
e. Select SHA-1 in the Hash Alg menu.	58
f. Select Seconds and enter 21600 in the SA Life menu.	58
g. Select Diffie-Hellman Group 2 in the Key Group menu.	58
7. Configure VPN Client Key Exchange Proposal.	58
a. Expand the Key Exchange subheading by double clicking its name or clicking on the “+” symbol.	58
b. Select Proposal 1 below Key Exchange.	58
c. In the SA Life menu, select Seconds and enter 21600.	58
d. Select None in the Compression menu.	58
e. Check the Encapsulation Protocol (ESP) checkbox.	58
f. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.	58
g. Select SHA-1 in the Hash Alg menu.	58
h. Select Tunnel in the Encapsulation menu.	58
i. Leave the Authentication Protocol (AH) checkbox unchecked.	58
8. Save the VPN Client Settings.	58
Chapter 4 Protecting Your Network	59
Protecting Access to Your FVM318 firewall	59
Procedure 4-1: Changing the Administrator Password	59
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever password and LAN address you have chosen for the firewall.	59
2. From the main menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown below.	60
Figure 41: Set Password menu	60
3. To change the password, first enter the old password, and then enter the new password twice.	60
4. Click Apply to save your changes.	60
Procedure 4-2: Changing the Administrator Login Timeout	61
1. In the Set Password menu, type a number in ‘Administrator login times out’ field. The suggested default value is 5 minutes.	61
2. Click Apply to save your changes or click Cancel to keep the current period.	61
Configuring Basic Firewall Services	61
Blocking Functions, Keywords, Sites, and Services	61
Procedure 4-3: Blocking Functions, Keywords, and Sites	62
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	62
2. Click the Block Sites link of the Security section of the main menu to view the screen below.	62
Figure 42: Block Sites menu	62
3. To block ActiveX, Java, Cookies, or Web Proxy functions for all Internet sites, click the check box next to the function and then click Apply.	62
4. To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply.	62
5. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.	63
6. To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.	63
Blocking Services	63
Procedure 4-4: Configuring Services Blocking	64
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	64
2. Click the Block Services link of the Security section of the main menu to display this screen.	64
Figure 43: Block Services menu	64
3. Modify the menu below to define or edit how a service is regulated.	64
Figure 44: Add Block Services menu	64
4. Click Apply to save your definition.	65
Setting Times and Scheduling Firewall Services	65
Procedure 4-5: Setting Your Time Zone	66
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	66
2. Click on the Schedule link of the Security menu to display the menu shown below.	66
Figure 45: Schedule Services menu	66
3. Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries.	67
4. The firewall has a list of publicly available NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.	67
5. Click Apply to save your settings.	67
Procedure 4-6: Scheduling Firewall Services	67
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	67
2. Click on the Schedule link of the Security menu.	67
3. To block Internet services based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected day...	67
4. Click Apply to save your changes.	67
Chapter 5 Virtual Private Networking	69
FVM318 VPN Overview	69
Figure 51: Secure access through VPN tunnels	69
FVM318 VPN Configuration Planning	71
Procedure 5-1: Configuring a Network to Network VPN Tunnel	72
Figure 52: LAN to LAN VPN access from an FVM318 to an FVM318	72
Network to Network VPN Tunnel Configuration Worksheet	72
1. Set up the two LANs to have different IP address ranges.	73
a. Log in to the FVM318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the LAN IP Setup link in the main menu Advanced section to display the LAN TCP/IP Setup menu...	73
Figure 53: Configuring the Local LAN (A) via the LAN IP Setup Menu	73
b. For this example, configure the FVM318 settings on LANs A and B as follows:	73
Network Configuration Settings	73
c. Click Apply. Because you changed the firewall’s IP address, you are now disconnected.	73
d. Reboot all PCs on network A.	73
2. Configure the VPN settings on each FVM318.	74
a. From Setup section of the main menu of the FVM318, click the VPN Settings link. Click Add. The VPN Settings - Main Mode window opens as shown below:	74
Figure 54: VPN Settings - Main Mode IKE Edit menu	74
b. Fill in the Connection Name VPN settings as illustrated.	74
c. Under Secure Association, select Main Mode and fill in the settings below.	75
d. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.	75
e. Click Apply to save the Security Association tunnel settings into the table.	75
3. Check the VPN Connection	76
a. Using our example, from a PC attached to the FVM318 on LAN A, on the Windows taskbar click the Start button, and then click Run.	76
b. Type ping -t 192.168.0.1 , and then click OK.	76
Figure 55: Running a Ping test from Windows	76
c. This will cause a continuous ping to be sent to the first FVM318. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”	76
Figure 56: Ping test results	76
Procedure 5-2: Configuring a Remote PC to Network VPN	76
Figure 57: PC to LAN VPN access from a PC to an FVM318	77
PC to Network VPN Tunnel Configuration Worksheet	77
1. Configure the VPN Tunnel on the FVM318 on LAN A.	78
a. From the Setup Menu, click the VPN Settings link, then click Add to configure a new VPN tunnel. The VPN Settings - IKE window opens as shown below:	78
Figure 58: VPN Edit menu for connecting with a VPN client	78
b. Fill in the Connection Name VPN settings as illustrated.	78
c. Under Secure Association, select Main Mode and fill in the settings below.	79
d. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.	79
e. Click Apply to save the Security Association tunnel settings into the table.	79
2. Install land Configure the SafeNet VPN Client Software on the PC.	79
a. Install the SafeNet Secure VPN Client.	79
Figure 59: Security Policy Editor New Connection	80
b. Add a new connection	80
c. Configure the Security Policy in the SafeNet VPN Client Software.	81
Figure 510: Security Policy Editor Security Policy	81
d. Configure the Global Policy Settings.	82
Figure 511: Security Policy Editor Global Policy Options	82
e. Configure the VPN Client Identity	82
Figure 512: Security Policy Editor My Identity	83
f. Configure the VPN Client Authentication Proposal.	83
g. Configure the VPN Client Key Exchange Proposal.	84
h. Save the VPN Client Settings.	84
3. Check the VPN Connection.	85
a. Establish an Internet connection from the PC.	85
b. On the Windows taskbar, click the Start button, and then click Run.	85
c. Type ping -t 192.168.3.1 , and then click OK.	85
Figure 513: Running a Ping test to the LAN from the PC	85
Figure 514: Ping test results	85
Monitoring the PC VPN Connection Using SafeNet Tools	86
Figure 515: Log Viewer screen	86
Figure 516: Connection Monitor screen	86
Procedure 5-3: Deleting a Security Association	87
1. Log in to the firewall.	87
1. Click the VPN Settings link.	87
2. In the VPN Settings Security Association table, select the radio button for the security association to be deleted.	87
3. Click the Delete button.	87
4. Click the Update button.	87
Manual Keying	87
Procedure 5-4: Using Manual Keying as an Alternative to IKE	87
1. When editing the VPN Settings, you may select manual keying. At that time, the edit menu changes to look like the screen below:	87
Figure 517: VPN Edit menu for Manual Keying	88
2. Incoming SPI - Enter a Security Parameter Index that the remote host will send to identify the Security Association (SA). This will be the remote host’s Outgoing SPI.	88
3. Outgoing SPI - Enter a Security Parameter Index that this firewall will send to identify the Security Association (SA). This will be the remote host’s Incoming SPI.	88
4. For Encryption Protocol, select one:	89
Figure 518: VPN encryption options	89
a. Null - Fastest, but no security.	89
b. DES - The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56 bit key. Faster but less secure than 3DES or AES.	89
c. 3DES - (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.	89
d. AES - 128, - 192, or - 256. Most secure. Advanced Encryption Standard, a symmetric 128-bit block data encryption technique. It is an iterated block cipher with a variable block length and a variable key length. The block length and the key...	89
e. Enter a hexadecimal Encryption Key	89
5. Select the Authentication Protocol	89
6. Enter 32 hexadecimal characters for the Authentication Key. The authentication key must match exactly the key used by the remote router or host.	89
7. Click the NETBIOS Enable check box to allow NETBIOS over the VPN tunnel.	89
8. Click Apply to enter the SA into the table.	89
Blank VPN Tunnel Configuration Worksheets	90
Table 5-1: Network to Network IKE VPN Tunnel Configuration Worksheet	90
Table 5-2: PC to Network IKE VPN Tunnel Settings Configuration Worksheet	91
Chapter 6 Managing Your Network	93
Network Management Information	93
Viewing Router Status and Usage Statistics	93
Figure 61: Router Status screen	93
Table 61. Router Status Fields	94
Figure 62. Router Statistics screen	95
Table 62. Router Statistics Fields	95
Viewing Attached Devices	96
Figure 63: Attached Devices menu	96
Viewing, Selecting, and Saving Logged Information	97
Figure 64: Security Logs menu	97
Table 6-5: Security Log entry descriptions	98
Table 6-6: Security Log action buttons	98
Selecting What Information to Include in the Log	98
Enabling SYSLOG	99
Examples of log messages	99
Activation and Administration	99
Dropped Packets	99
Enabling Security Event E-mail Notification	100
Figure 67: E-mail menu	100
Backing Up, Restoring, or Erasing Your Settings	101
Procedure 6-1: Backup the Configuration to a File	101
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	101
2. From the Maintenance heading of the main menu, select Backup to view the menu seen below.	102
Figure 68: Settings Backup menu	102
3. Click Backup to save a copy of the current settings.	102
4. Store the.cfg file on a computer on your network.	102
Procedure 6-2: Restore a Configuration from a File	102
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	102
2. From the Maintenance heading of the main menu, select the Settings Backup menu as seen in Figure 68.	102
3. Enter the full path to the file on your network or click the Browse button to browse to the file.	102
4. When you have located the .cfg file, click the Restore button to upload the file to the firewall.	102
5. The firewall will then reboot automatically.	102
Procedure 6-3: Erase the Configuration	102
1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen.	103
2. The firewall will then reboot automatically.	103
Running Diagnostic Utilities and Rebooting the Router	103
Figure 69: Diagnostics menu	104
Enabling Remote Management	104
Procedure 6-4: Configure Remote Management	104
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	104
2. Select the Allow Remote Management check box.	104
3. Specify what external addresses will be allowed to access the firewall’s remote management. For security, NETGEAR recommends that you restrict access to as few external IP addresses as practical.	105
a. To allow access from any IP address on the Internet, select Everyone.	105
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.	105
c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.	105
4. Specify the Port Number that will be used for accessing the management interface.	105
5. Click Apply to have your changes take effect.	105
Upgrading the Router’s Firmware	105
Procedure 6-5: Router Upgrade	106
1. Download and unzip the new software file from NETGEAR.	106
2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	106
3. From the main menu of the browser interface, under the Maintenance heading, click Router Upgrade to display the menu shown below.	106
Figure 610: Router Upgrade menu	106
4. In the Router Upgrade menu, click the Browse button to locate the binary (.BIN or .IMG) upgrade file.	106
5. Click Upload to load the firmware into the firewall.	106
Chapter 7 Advanced Configuration	107
Configuring Advanced Security	107
Setting Up A Default DMZ Server	107
1. Click Default DMZ Server.	108
2. Type the IP address for that server.	108
3. Click Apply.	108
Respond to Ping on Internet WAN Port	108
Configuring LAN IP Settings	108
LAN TCP/IP Setup	108
MTU Size	110
1. Under MTU Size, select Custom.	110
2. Enter a new size between 64 and 1500.	110
3. Click Apply to save the new configuration.	110
Using the Router as a DHCP Server	110
Procedure 7-1: Using Reserved IP Addresses	111
1. Click the Add button.	111
2. In the IP Address box, type the IP address to assign to the PC or server. Choose an IP address from the router’s LAN subnet, such as 192.168.0.X.	111
3. Type the MAC Address of the PC or server.	111
4. Click Apply to enter the reserved address into the table.	111
1. Click the radio button next to the reserved address to select the entry you want to edit or delete.	111
2. Click Edit or Delete.	111
Procedure 7-2: Configuring LAN TCP/IP Settings	112
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	112
2. From the main menu, under Advanced, click the LAN IP Setup link to view the menu, shown below.	112
Figure 71: LAN IP Setup Menu	112
3. Enter the UPnP, TCP/IP, MTU, or DHCP parameters.	112
4. Click Apply to save your changes.	112
Configuring Dynamic DNS	113
Procedure 7-3: Configuring Dynamic DNS	113
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	113
2. From the main menu of the browser interface, under Advanced, click on Dynamic DNS.	113
3. Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’ box, and register for an account. For example, for dyndns.org, go to www.dyndns.org.	113
4. Select the “Use a dynamic DNS service” check box.	113
5. Select the name of your dynamic DNS Service Provider.	113
6. Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your Host Name is “myName.”	113
7. Type the user name for your dynamic DNS account.	113
8. Type the password (or key) for your dynamic DNS account.	113
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the sa...	113
10. Click Apply to save your configuration.	113
Using Static Routes	114
Procedure 7-4: Configuring Static Routes	115
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.	115
2. From the main menu of the browser interface, under Advanced, click on Static Routes to view the Static Routes table, shown below.	115
Figure 72: Static Routes Table	115
3. To add or edit a Static Route, follow these steps:	115
a. Click the Edit button to open the Edit Menu, shown in Figure 73.	115
Figure 73: Static Route Entry and Edit Menu	115
b. Type a route name for this static route in the Route Name box under the table. This is for identification purpose only.	116
c. Click the Active check box to make this route effective.	116
d. Click the Private check box if you want to limit access to the LAN only. The static route will not be reported in RIP.	116
e. Type the Destination IP Address of the final destination.	116
f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255.	116
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the firewall.	116
h. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.	116
4. Click Apply to have the static route entered into the table.	116
Chapter 8 Troubleshooting	117
Basic Functions	117
1. When power is first applied, verify that the Power LED is on.	117
2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is running.	117
3. After approximately 10 seconds, verify that:	117
a. The Test LED is not lit.	117
b. The Local port Link LEDs are lit for any local ports that are connected.	117
c. The Internet Link port LED is lit.	117
Power LED Not On	118
Test LED Never Turns On or Test LED Stays On	118
Local or Internet Port Link LEDs Not On	118
Troubleshooting the Web Configuration Interface	119
Troubleshooting the ISP Connection	120
1. Launch your browser and select an external site such as www.netgear.com	120
2. Access the main menu of the firewall’s configuration at http://192.168.0.1	120
3. Under the Maintenance heading, select Router Status	120
4. Check that an IP address is shown for the WAN Port If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.	120
1. Turn off power to the cable or DSL modem.	120
2. Turn off power to your firewall.	120
3. Wait five minutes and reapply power to the cable or DSL modem.	120
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to your firewall.	120
Troubleshooting a TCP/IP Network Using a Ping Utility	121
Procedure 8-5: Testing the LAN Path to Your Firewall	122
1. From the Windows toolbar, click on the Start button and select Run.	122
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example:	122
3. Click on OK.	122
Procedure 8-6: Testing the Path from Your PC to a Remote Device	123
Restoring the Default Configuration and Password	123
Procedure 8-7: Using the Default Reset button	124
1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).	124

Match case Limit results 1 per page

Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall

B-22

Network, Routing, Firewall, and Wireless Basics

•

Exchange keys

•

Keep track of the agreements

Negotiating the SA - the Internet Key Exchange (IKE)

IKE provides a way to:

•

Ensure that the key exchange and the IPSec communication occurs only between

authenticated parties;

•

Negotiate the protocols, algorithms and keys to be used between the two IPSec hosts

•

Securely update and renegotiate SAs when they have expired

IKE functions in two phases:

Phase 1. The peers establish a secure channel. After Phase 1, all IKE packets are encrypted.

Phase 2. The peers negotiate a general purpose SA.

IKE provides three modes of key exchange and setting up of SAs. Two of the modes are used in

the first phase and one in the second.

Authentication: Phase 1

Main mode or Aggressive mode can be chosen in the first phase.

•

Main mode. This mode accomplishes the first phase by establishing a secure channel before

sending a user identity.

Main mode secures an IKE SA in three two-way exchanges between the initiator and the

responder.

Both agree on basic algorithms and hashes.

Both exchange Diffie-Hellman public keys and pass nonces. Nonce is a cryptographic

term for a fresh random number that is used only once.

Both parties verify each other’s identity. This exchange is already encrypted.

•

Aggressive mode. Unlike Main mode, it does not protect identities because it establishes the

secure channel after the information has been exchanged.

Aggressive mode establishes a connection with two exchanges. Only one of these is a

round-trip exchange.

The initiator generates a Diffie-Hellman public value, sending it with the nonce.