Netgear FVS114NA FVS114 Reference Manual

Netgear FVS114NA Manual

Netgear FVS114NA manual content summary:

  • Netgear FVS114NA | FVS114 Reference Manual - Page 1
    Reference Manual for the ProSafe VPN Firewall FVS114 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10098-01 April 2005 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 2
    NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR off and on, the user is encouraged to try to is hereby certified that the FVS114 ProSafe VPN Firewall has been suppressed in accordance notes in the operating instructions. Federal Office for
  • Netgear FVS114NA | FVS114 Reference Manual - Page 3
    Product and Publication Details Model Number: Publication Date: Product Family: Product Name: Home or Business Product: Language: FVS114 April 2005 Router FVS114 ProSafe VPN Firewall Business English iii 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 4
    iv 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 5
    2-6 NETGEAR-Related Products 2-7 NETGEAR Product Registration, Support, and Documentation 2-7 Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVS114 ProSafe VPN Firewall 3-1 First, Connect the FVS114 3-1 Now, Configure the FVS114 for Internet Access 3-4 Troubleshooting
  • Netgear FVS114NA | FVS114 Reference Manual - Page 6
    Smart Setup Wizard 3-10 How to Manually Configure Your Internet Connection 3-11 Chapter 4 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview 4-1 Block Sites ...4-2 Using Rules to Block or Allow Specific Kinds of Traffic 4-3 Inbound Rules (Port Forwarding
  • Netgear FVS114NA | FVS114 Reference Manual - Page 7
    LAN 6-21 FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates 6-22 Chapter 7 Maintenance Viewing VPN Firewall Status Information 7-1 Viewing a List of Attached Devices 7-5 Upgrading the Firewall Software 7-5 Configuration File Management 7-6 Backing Up the Configuration 7-7 Restoring the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 8
    the Web Configuration Interface 9-3 Troubleshooting the ISP Connection 9-4 Troubleshooting a TCP/IP Network Using a Ping Utility 9-5 Testing the LAN Path to Your Firewall 9-5 Testing the Path from Your PC to a Remote Device 9-6 Restoring the Default Configuration and Password 9-7 Problems with
  • Netgear FVS114NA | FVS114 Reference Manual - Page 9
    Addresses B-7 Single IP Address Operation Using NAT B-8 MAC Addresses and Address Resolution Protocol B-9 Related Documents B-9 Domain Name Server B-9 IP Configuration by DHCP B-10 Internet Security and Firewalls B-10 What is a Firewall B-11 Stateful Packet Inspection B-11 Denial of Service
  • Netgear FVS114NA | FVS114 Reference Manual - Page 10
    VPN Tunnel Between Gateways C-8 VPNC IKE Security Parameters C-10 VPNC IKE Phase I Parameters C-10 VPNC IKE Phase II Parameters C-11 Testing and Troubleshooting C-11 Additional Reading ...C-11 Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking D-1 Configuring
  • Netgear FVS114NA | FVS114 Reference Manual - Page 11
    B ...G-2 C ...G-3 D ...G-3 E ...G-4 G ...G-5 I ...G-5 L ...G-6 M ...G-7 P ...G-7 Q ...G-8 R ...G-9 S ...G-9 T ...G-9 U ...G-10 W ...G-10 Contents xi 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 12
    xii Contents 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 13
    URL names User input Screen text, file and server names, extensions, commands, IP addresses This guide uses the following formats to highlight special messages: Note: This format is used to highlight information of importance or special interest. This manual is written for the FVS114 VPN Firewall
  • Netgear FVS114NA | FVS114 Reference Manual - Page 14
    Reference Manual for the ProSafe VPN Firewall FVS114 How to Use This Manual The HTML version of this manual includes the following: • Buttons, and , for browsing forwards or backwards through the manual one page at a time • A button that displays the table of contents and an button. Double-
  • Netgear FVS114NA | FVS114 Reference Manual - Page 15
    Reference Manual for the ProSafe VPN Firewall FVS114 How to Print this Manual To print this manual you can choose one of the following several options, according to your needs. • Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 16
    Reference Manual for the ProSafe VPN Firewall FVS114 1-4 About This Manual 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 17
    2 Introduction This chapter describes the features of the NETGEAR FVS114 ProSafe VPN Firewall. Key Features of the VPN Firewall The FVS114 ProSafe VPN Firewall with four-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL
  • Netgear FVS114NA | FVS114 Reference Manual - Page 18
    preventing users outside the LAN from finding and directly accessing the PCs on the LAN. • Port Forwarding with NAT Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number
  • Netgear FVS114NA | FVS114 Reference Manual - Page 19
    only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. • Automatic Configuration of Attached PCs by DHCP The FVS114 VPN Firewall dynamically assigns
  • Netgear FVS114NA | FVS114 Reference Manual - Page 20
    remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring The FVS114 VPN Firewall's front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following
  • Netgear FVS114NA | FVS114 Reference Manual - Page 21
    Reference Manual for the ProSafe VPN Firewall FVS114 The product package should contain the following items: • FVS114 ProSafe VPN Firewall. • AC power adapter. • Category 5 (Cat 5) Ethernet cable. • Installation Guide. • Resource CD (240-10207-01) for ProSafe VPN Firewall, including: - This guide
  • Netgear FVS114NA | FVS114 Reference Manual - Page 22
    . Data is being transmitted or received by the Local port. The FVS114 Rear Panel The rear panel of the FVS114 VPN Firewall contains the port connections listed below. FACTORY DEFAULTS Reset Button LOCAL Ports Figure 2-2: FVS114 rear panel INTERNET Port DC Power Viewed from left to right, the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 23
    Reference Manual for the ProSafe VPN Firewall FVS114 • DC power input • ON/OFF switch NETGEAR-Related Products NETGEAR products related to the FVS114 are listed in the following table: Table 2-2. NETGEAR-Related Products Category Notebooks Desktops VPN Firewalls PDAs Antennas and Accessories
  • Netgear FVS114NA | FVS114 Reference Manual - Page 24
    Reference Manual for the ProSafe VPN Firewall FVS114 Documentation is available on the Resource CD and at http://kbserver.netgear.com. When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information
  • Netgear FVS114NA | FVS114 Reference Manual - Page 25
    Install Your FVS114 ProSafe VPN Firewall • For Cable Modem Service: When you perform the VPN firewall router setup steps be sure to use the computer you first registered with your cable ISP. • For DSL Service: You may need information such as the DSL login name/e-mail address and password in order
  • Netgear FVS114NA | FVS114 Reference Manual - Page 26
    Reference Manual for the ProSafe VPN Firewall FVS114 c. Locate the Ethernet cable (Cable 1 in the diagram) that connects your PC to the modem. A Cable Internet Computer Modem Figure 3-1: Disconnect the Ethernet cable from the computer d. Disconnect the cable at the computer end only, point
  • Netgear FVS114NA | FVS114 Reference Manual - Page 27
    Reference Manual for the ProSafe VPN Firewall FVS114 f. Securely insert the blue cable that came with your VPN firewall router (the blue NETGEAR cable in the diagram below) into a LOCAL port on the firewall such as LOCAL port 4 (point C in the diagram), and the other end into the Ethernet port of
  • Netgear FVS114NA | FVS114 Reference Manual - Page 28
    Reference Manual for the ProSafe VPN Firewall FVS114 Power Test Figure 3-4: Status lights Internet Local Port 4 d. Check the VPN firewall router status lights to verify the following: • PWR: The power light should turn solid green. If it does not, see "Troubleshooting Tips" on page 3-6. • TEST:
  • Netgear FVS114NA | FVS114 Reference Manual - Page 29
    to finish. If you have trouble connecting to the Internet, see "Troubleshooting Tips" on page 3-6 to correct basic problems. Note: The Smart Wizard Configuration Assistant only appears when the firewall is in its factory default state. After you configure the VPN firewall router, it will not appear
  • Netgear FVS114NA | FVS114 Reference Manual - Page 30
    Reference Manual for the ProSafe VPN Firewall FVS114 Troubleshooting Tips Here are some tips for correcting simple problems you may have. Be sure to restart your network in this sequence: 1. Turn off the VPN firewall router, shut down the computer, and unplug and turn off the modem. 2. Turn on the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 31
    the browser address bar and pressing Enter. You will not be prompted for a user name or password. This will enable you to manually configure the VPN firewall router even when it is in the factory default state. When manually configuring the firewall, you must complete the configuration by clicking
  • Netgear FVS114NA | FVS114 Reference Manual - Page 32
    After Configuration Settings Have Been Applied 1. Connect to the VPN firewall router by typing http://www.routerlogin.net in the address field of your browser, then press Enter. Figure 3-6: Login URL 2. For security reasons, the firewall has its own user name and password. When prompted, enter admin
  • Netgear FVS114NA | FVS114 Reference Manual - Page 33
    Reference Manual for the ProSafe VPN Firewall FVS114 Once you have entered your user name and password, your Web browser should find the FVS114 VPN Firewall and display the home page as shown below. Figure 3-8: Login result: FVS114 home page When the VPN firewall router is connected to the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 34
    in Figure 3-5) that only appears when the firewall is in its factory default state. After you configure the VPN firewall router, the Smart Wizard Configuration Assistant will not appear again. To use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection
  • Netgear FVS114NA | FVS114 Reference Manual - Page 35
    Reference Manual for the ProSafe VPN Firewall FVS114 How to Manually Configure Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. ISP Does Not Require Login
  • Netgear FVS114NA | FVS114 Reference Manual - Page 36
    Reference Manual for the ProSafe VPN Firewall FVS114 a. Account: Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. b. Internet IP Address: If your ISP has assigned you a permanent,
  • Netgear FVS114NA | FVS114 Reference Manual - Page 37
    Reference Manual for the ProSafe VPN Firewall FVS114 a. For connections that require a login using protocols such as PPPoE, PPTP, Telstra Bigpond Cable broadband connections, select your Internet service provider from the drop-down list. Figure 3-10: Basic Settings ISP list b. The screen will change
  • Netgear FVS114NA | FVS114 Reference Manual - Page 38
    Reference Manual for the ProSafe VPN Firewall FVS114 3-14 Connecting the Firewall to the Internet 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 39
    Overview The FVS114 ProSafe VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses and Web address keywords. You
  • Netgear FVS114NA | FVS114 Reference Manual - Page 40
    Manual for the ProSafe VPN Firewall FVS114 Block Sites The FVS114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported name or address of the site which your LAN users are connecting to. By enabling this option, you force LAN users to connect
  • Netgear FVS114NA | FVS114 Reference Manual - Page 41
    Reference Manual for the ProSafe VPN Firewall FVS114 • Turn Cookies filtering on: Block all cookies. Note: the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are
  • Netgear FVS114NA | FVS114 Reference Manual - Page 42
    for the ProSafe VPN Firewall FVS114 These default rules are shown in the Rules table of the Rules menu in Figure 4-2: Figure 4-2: Rules menu You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or
  • Netgear FVS114NA | FVS114 Reference Manual - Page 43
    Reference Manual for the ProSafe VPN Firewall FVS114 An example of the menu for defining or editing a rule is shown in Figure 4-3. The parameters are: • Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are
  • Netgear FVS114NA | FVS114 Reference Manual - Page 44
    Router will ignore DNS queries it receives. PCs will then need to contact the DNS directly. This setting should normally be enabled. Inbound Rules (Port Forwarding) Because the FVS114 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users
  • Netgear FVS114NA | FVS114 Reference Manual - Page 45
    Reference Manual for the ProSafe VPN Firewall FVS114 Figure 4-3: Rule example: a local public Web server Inbound Rule Example: Allowing a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such
  • Netgear FVS114NA | FVS114 Reference Manual - Page 46
    Manual for the ProSafe VPN Firewall FVS114 Considerations for Inbound Rules • If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users
  • Netgear FVS114NA | FVS114 Reference Manual - Page 47
    Reference Manual for the ProSafe VPN Firewall FVS114 Outbound Rule Example: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 48
    Reference Manual for the ProSafe VPN Firewall FVS114 Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules table, as shown below: Figure 4-6: Rules table For any traffic attempting to pass through the firewall, the packet information is subjected to the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 49
    Services Reference Manual for the ProSafe VPN Firewall FVS114 Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When
  • Netgear FVS114NA | FVS114 Reference Manual - Page 50
    Reference Manual for the ProSafe VPN Firewall FVS114 To add a service: 1. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears as shown in Figure 4-8: Figure 4-8: Add Custom Service menu 2. Enter a descriptive name
  • Netgear FVS114NA | FVS114 Reference Manual - Page 51
    Manual for the ProSafe VPN Firewall FVS114 Using a Schedule to Block or Allow Specific Traffic If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall
  • Netgear FVS114NA | FVS114 Reference Manual - Page 52
    Reference Manual for the ProSafe VPN Firewall FVS114 To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for
  • Netgear FVS114NA | FVS114 Reference Manual - Page 53
    Reference Manual for the ProSafe VPN Firewall FVS114 Getting E-Mail Notifications of Event Logs and Alerts to the specified e-mail address when any of the following events occur: - If a Denial of Service attack is detected. - If a Port Scan is detected. Firewall Protection and Content Filtering 202
  • Netgear FVS114NA | FVS114 Reference Manual - Page 54
    Reference Manual for the ProSafe VPN Firewall FVS114 - If a user on your LAN attempts to access a Web site that you is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the firewall's memory. If the firewall cannot e-mail the log file, the log
  • Netgear FVS114NA | FVS114 Reference Manual - Page 55
    Reference Manual for the ProSafe VPN Firewall FVS114 Viewing Logs of Web Access or Attempted Web Access The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu,
  • Netgear FVS114NA | FVS114 Reference Manual - Page 56
    for the ProSafe VPN Firewall FVS114 Log entries are described in Table 4-1 Table 4-1. Log entry descriptions Field Description Date and Time The date and time the log entry was recorded. Description or Action The type of event and what action was taken if any. Source IP The IP address of
  • Netgear FVS114NA | FVS114 Reference Manual - Page 57
    "How to Set Up a Client-to-Gateway VPN Configuration" on page 5-5 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client. • "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 5-20 provides the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 58
    between two or more network gateways. The FVS114 supports both of these types of VPN configurations. The FVS114 VPN Firewall supports up to eight concurrent tunnels. Client-to-Gateway VPN Tunnels Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter connecting
  • Netgear FVS114NA | FVS114 Reference Manual - Page 59
    ProSafe VPN Firewall FVS114 VPN Gateway A VPN Tunnel VPN Gateway B PCs PCs Figure 5-2: Gateway-to-gateway VPN tunnel A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access
  • Netgear FVS114NA | FVS114 Reference Manual - Page 60
    Manual for the ProSafe VPN Firewall FVS114 FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator. • What method will you use to configure
  • Netgear FVS114NA | FVS114 Reference Manual - Page 61
    Reference Manual for the ProSafe VPN Firewall FVS114 VPN Tunnel Configuration There are two tunnel configurations and three ways to configure them: • Use the VPN Wizard to configure a VPN tunnel (recommended for most situations): - See "How to Set Up a Client-to-Gateway VPN Configuration" on page
  • Netgear FVS114NA | FVS114 Reference Manual - Page 62
    Networking" to set up the VPN tunnel. Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the FVS114 at its LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu
  • Netgear FVS114NA | FVS114 Reference Manual - Page 63
    Reference Manual for the ProSafe VPN Firewall FVS114 Enter the new Connection Name: (RoadWarrior in this example) Enter the pre-shared key: (12345678 in this example) Select the radio button: A remote VPN client (single PC) Figure 5-5: Connection Name and Remote IP Type The Summary screen below
  • Netgear FVS114NA | FVS114 Reference Manual - Page 64
    Reference Manual for the ProSafe VPN Firewall FVS114 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-6). Click Back to return to the Summary screen. Figure 5-7: VPNC Recommended Settings 3. Click Done on the Summary
  • Netgear FVS114NA | FVS114 Reference Manual - Page 65
    Manual for the ProSafe VPN Firewall FVS114 Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC This procedure describes how to configure the NETGEAR ProSafe VPN Client. This example assumes the PC running the client has a dynamically assigned IP address. The PC must have the NETGEAR
  • Netgear FVS114NA | FVS114 Reference Manual - Page 66
    Reference Manual for the ProSafe VPN Firewall FVS114 Note: In this example, the Connection Name used on the client side of the VPN tunnel is NETGEAR_VPN_router and it does not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel (see Figure 5-5) because Connection
  • Netgear FVS114NA | FVS114 Reference Manual - Page 67
    Enter the public WAN IP Address of the FVS114 in the field directly below the ID Type menu. In this example, 22.23.24.25 would be used. The resulting Connection Settings are shown in Figure 5-10. 3. Configure the Security Policy in the NETGEAR ProSafe VPN Client software. a. In the Network Security
  • Netgear FVS114NA | FVS114 Reference Manual - Page 68
    Reference Manual for the ProSafe VPN Firewall FVS114 In this step, you will provide information about the remote VPN client PC. You will need to provide: - The Pre-Shared Key that you configured in the FVS114. - Either a fixed IP address or a "fixed virtual" IP address of the VPN client PC. a. In
  • Netgear FVS114NA | FVS114 Reference Manual - Page 69
    Reference Manual for the ProSafe VPN Firewall FVS114 Figure 5-13: Security Policy Editor Pre-Shared Key 5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match
  • Netgear FVS114NA | FVS114 Reference Manual - Page 70
    Reference Manual for the ProSafe VPN Firewall FVS114 f. In the SA Life menu, select Unspecified. g. In the Key Group menu, select Diffie-Hellman Group 2. 6. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this
  • Netgear FVS114NA | FVS114 Reference Manual - Page 71
    Manual for the ProSafe VPN Firewall FVS114 After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN firewall's LAN. 8. Check the VPN Connection. To check the VPN
  • Netgear FVS114NA | FVS114 Reference Manual - Page 72
    Reference Manual for the ProSafe VPN Firewall FVS114 Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote FVS114. After a short wait, you should see the login screen of the VPN Firewall (unless another PC already has the FVS114 management
  • Netgear FVS114NA | FVS114 Reference Manual - Page 73
    Reference Manual for the ProSafe VPN Firewall FVS114 2. The Connection Monitor screen for a similar connection is shown below: Figure 5-19: Connection Monitor screen In this example you can see the following: • The FVS114 has a public IP WAN address of 22.23.24.25. • The FVS114 has a LAN IP address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 74
    Reference Manual for the ProSafe VPN Firewall FVS114 Step 1: Select Export Security Policy from the File pulldown. Step 2: Click Export once you decide the name of the file and directory where you want to store the client policy. In this example, the exported policy is named policy.spd and is being
  • Netgear FVS114NA | FVS114 Reference Manual - Page 75
    Reference Manual for the ProSafe VPN Firewall FVS114 Step 1: Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown. Step 2: Select the security policy to import. In this example, the security policy file is named
  • Netgear FVS114NA | FVS114 Reference Manual - Page 76
    the procedure below to set the LAN IPs on each FVS114 to different subnets and configure each properly for the Internet. The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. In this example
  • Netgear FVS114NA | FVS114 Reference Manual - Page 77
    the ProSafe VPN Firewall FVS114 Procedure to Configure a Gateway-to-Gateway VPN Tunnel Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the FVS114 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and
  • Netgear FVS114NA | FVS114 Reference Manual - Page 78
    Reference Manual for the ProSafe VPN Firewall FVS114 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example) Figure 5-25: Remote IP 4. Identify the IP addresses at the target
  • Netgear FVS114NA | FVS114 Reference Manual - Page 79
    Reference Manual for the ProSafe VPN Firewall FVS114 The Summary screen below displays. Figure 5-27: VPN Wizard Summary Basic Virtual Private Networking 202-10098-01, April 2005 5-23
  • Netgear FVS114NA | FVS114 Reference Manual - Page 80
    Reference Manual for the ProSafe VPN Firewall FVS114 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-27). Click Back to return to the Summary screen. Figure 5-28: VPN Recommended Settings 5. Click Done on the Summary
  • Netgear FVS114NA | FVS114 Reference Manual - Page 81
    Reference Manual for the ProSafe VPN Firewall FVS114 6. Repeat for the FVS114 on LAN B. Pay special attention and use the following network settings as appropriate. • WAN IP of the remote VPN gateway (e.g., 14.15.16.17) • LAN IP settings of the remote VPN gateway: - IP Address (e.g., 192.168.0.1) -
  • Netgear FVS114NA | FVS114 Reference Manual - Page 82
    go to a URL whose IP address or range is covered by the policy for that VPN tunnel. Using the VPN Status Page to Activate a VPN Tunnel To use the VPN Status screen to activate a VPN tunnel, perform the following steps: 1. Log in to the VPN Firewall. 2. Open the FVS114 management interface and click
  • Netgear FVS114NA | FVS114 Reference Manual - Page 83
    the VPN Connection, you can initiate a request from the remote PC to the FVS114's network by using the "Connect" option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it
  • Netgear FVS114NA | FVS114 Reference Manual - Page 84
    Reference Manual for the ProSafe VPN Firewall FVS114 a. Establish an Internet IP address of the remote FVS114. After a short wait, you should see the login screen of the VPN Firewall (unless another PC already has the FVS114 management interface open). • Gateway-to-Gateway Configuration-test the VPN
  • Netgear FVS114NA | FVS114 Reference Manual - Page 85
    VPN Firewall. 2. Open the FVS114 management interface and click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-37). Figure 5-37: VPN Status/Log screen Log-this log shows the details of recent VPN activity, including the building of the VPN tunnel. If there is a problem with the VPN
  • Netgear FVS114NA | FVS114 Reference Manual - Page 86
    Reference Manual for the ProSafe VPN Firewall FVS114 • Click Clear Log to delete all log entries. 3. Click VPN Status (Figure 5-37) to get the Current VPN Tunnels (SAs) screen (Figure 5-38). Figure 5-38: Current VPN Tunnels (SAs) screen This page lists the following data for each active VPN Tunnel.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 87
    Manual for the ProSafe VPN Firewall FVS114 Figure 5-39: VPN Policies 3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.) Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN
  • Netgear FVS114NA | FVS114 Reference Manual - Page 88
    Manual for the ProSafe VPN Firewall FVS114 3. Click VPN Status (Figure 5-40) to get the Current VPN Tunnels (SAs) screen (Figure 5-41). Click Drop for the VPN tunnel you want to deactivate. Figure 5-41: Current VPN Tunnels (SAs) screen Note: When NETBIOS is enabled (which it is in the VPNC defaults
  • Netgear FVS114NA | FVS114 Reference Manual - Page 89
    and actively monitored VPN connectivity. Since the FVS114 strictly conforms to IETF standards, it is interoperable with devices from major network equipment vendors. FVS114 VPN Firewall FVS114 VPN Firewall PCs PCs Figure 6-1: Secure access through FVS114 VPN firewalls Advanced Virtual Private
  • Netgear FVS114NA | FVS114 Reference Manual - Page 90
    Manual for the ProSafe VPN Firewall FVS114 Using Policies to Manage VPN Traffic You create policy definitions to manage VPN traffic on the FVS114 by a VPN policy, then the IPSec authentication and encryption rules are applied to it as defined in the VPN policy. By default, a new VPN policy is added
  • Netgear FVS114NA | FVS114 Reference Manual - Page 91
    Reference Manual for the ProSafe VPN Firewall FVS114 IKE Policies' Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 92
    to the Local FVS114 VPN Firewall. Use this field to identify the local FVS114. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) - your domain name. • By a Fully Qualified User Name - your
  • Netgear FVS114NA | FVS114 Reference Manual - Page 93
    , or VPN client. Remote Identity Type Use this field to identify the remote FVS114. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) - your domain name. • By a Fully Qualified User Name
  • Netgear FVS114NA | FVS114 Reference Manual - Page 94
    Figure 6-3: VPN - Auto Policy menu
  • Netgear FVS114NA | FVS114 Reference Manual - Page 95
    you wish to connect. The remote VPN endpoint must have this FVS114's Local IP values entered as its Remote VPN Endpoint. • By its Fully Qualified Domain Name (FQDN) - your domain name. • By its IP Address. The address type used to locate the remote VPN firewall or client to which you wish to connect
  • Netgear FVS114NA | FVS114 Reference Manual - Page 96
    Table 6-1. VPN - Auto Policy Configuration Fields Field Description Traffic Selector These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created. Local IP
  • Netgear FVS114NA | FVS114 Reference Manual - Page 97
    Table 6-1. VPN - Auto Policy Configuration Fields Field Authentication Algorithm NETBIOS Enable Description If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: • MD5 - the default •
  • Netgear FVS114NA | FVS114 Reference Manual - Page 98
    Figure 6-4: VPN - Manual Policy menu
  • Netgear FVS114NA | FVS114 Reference Manual - Page 99
    supplied to the remote VPN Endpoint. It is used to help you identify VPN policies. The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVS114's WAN Internet IP address entered as its Remote VPN Endpoint. These settings
  • Netgear FVS114NA | FVS114 Reference Manual - Page 100
    Table 6-1. VPN Manual Policy Configuration Fields Field Description Authentication Algorithm If you enable AH, then select the authentication algorithm: • MD5 - the default • SHA1 - more secure Enter the keys in the fields provided. For MD5,
  • Netgear FVS114NA | FVS114 Reference Manual - Page 101
    Table 6-1. VPN Manual Policy Configuration Fields Field Enable Authentication Authentication Algorithm Key - In Key - Out NETBIOS Enable Description Use this check box to enable or disable ESP authentication for this VPN policy. If you enable
  • Netgear FVS114NA | FVS114 Reference Manual - Page 102
    Each CA has its own certificate. The certificates of a CA are added to the FVS114 and then can be used to form IKE policies for the user. Once a CA certificate is added to the FVS114 and a certificate is created for a user, the corresponding IKE
  • Netgear FVS114NA | FVS114 Reference Manual - Page 103
    The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop down menu for information on how to purchase the NETGEAR
  • Netgear FVS114NA | FVS114 Reference Manual - Page 104
    http://192.168.0.1 with the default user name of admin and default password of password, or using whatever password and LAN address you have chosen. 2. Configure the WAN (Internet) and LAN IP addresses of the FVS114. a. From the main menu Setup section, click the Basic Setup link to go back to the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 105
    WAN IP addresses ISP provides these addresses Figure 6-7: FVS114 Internet IP Address menu b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP
  • Netgear FVS114NA | FVS114 Reference Manual - Page 106
    c. From the main menu Advanced section, click the LAN IP Setup link. The following menu appears Figure 6-8: LAN IP Setup menu d. Configure the LAN IP address according to the settings above and click Apply to save your settings. For more
  • Netgear FVS114NA | FVS114 Reference Manual - Page 107
    3. Set up the IKE Policy illustrated below on the FVS114. a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below. Figure 6-9: Scenario 1 IKE Policy b. Configure the IKE Policy
  • Netgear FVS114NA | FVS114 Reference Manual - Page 108
    4. Set up the FVS114 VPN - Auto Policy illustrated below. a. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button. WAN IP address LAN IP addresses Figure 6-10: Scenario 1 VPN - Auto Policy b. Configure
  • Netgear FVS114NA | FVS114 Reference Manual - Page 109
    How to Check VPN Connections You can test connectivity and view VPN status information on the FVS114 (see also "VPN Tunnel Control" on page 5-26). Testing the Gateway A FVS114 LAN and the Gateway B LAN 1. Using our example, from a PC attached to the FVS114
  • Netgear FVS114NA | FVS114 Reference Manual - Page 110
    FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509 (PKIX) certificates for authentication. The network setup is identical to the one given in
  • Netgear FVS114NA | FVS114 Reference Manual - Page 111
    b. Click the Generate Request button to display the screen illustrated in Figure 6-11 below. . FVS114 Figure , or 2048. • Optional - IP Address. If you use "IP type" in the IKE policy, you should input the IP Address here. Otherwise, you should leave this
  • Netgear FVS114NA | FVS114 Reference Manual - Page 112
    - Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank. - E-mail Address. You can enter your e-mail address here. d. Click the Next button to continue. The FVS114 generates a Self Certificate Request
  • Netgear FVS114NA | FVS114 Reference Manual - Page 113
    c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending "FVS114" Self Certificate Request will be listed, as illustrated in Figure 6-13 below. FVS114 VPN
  • Netgear FVS114NA | FVS114 Reference Manual - Page 114
    f. You will now see the "FVS114" entry in the Active Self Certificates table and the pending "FVS114" Self Certificate Request is gone, as illustrated below. FVS114 Figure 6-14: Self Certificates table 7. Associate the new certificate and the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 115
    Now, the traffic from devices within the range of the LAN subnet addresses on FVS114 A and Gateway B will be authenticated using the certificates rather than via a shared key. 8. Set up Certificate Revocation List (CRL) checking. a. Get a copy of
  • Netgear FVS114NA | FVS114 Reference Manual - Page 116
  • Netgear FVS114NA | FVS114 Reference Manual - Page 117
    describes how to use the maintenance features of your FVS114 ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface. Viewing VPN Firewall Status Information The Router Status menu provides status and usage information. From
  • Netgear FVS114NA | FVS114 Reference Manual - Page 118
    This screen shows the following parameters: Table 7-1. FVS114 Status fields Field System Name Firmware Version WAN Port MAC Address IP Address IP Subnet Mask DHCP LAN Port MAC Address IP Address IP Subnet Mask DHCP Description The System Name
  • Netgear FVS114NA | FVS114 Reference Manual - Page 119
    used to obtain an IP address from your Internet service provider. IP Address The WAN (Internet) IP address assigned to the firewall. Network Mask The WAN (Internet) subnet mask assigned to the firewall. Default Gateway The WAN (Internet) default gateway the firewall communicates with. Log
  • Netgear FVS114NA | FVS114 Reference Manual - Page 120
    Click Show Statistics to display firewall usage statistics. Figure 7-3: Router Statistics screen This screen shows the following statistics: Table 7-1. Field Interface Status TxPkts RxPkts Collisions Tx B/s Rx B/s Up Time Poll Interval Router
  • Netgear FVS114NA | FVS114 Reference Manual - Page 121
    used to upload new firmware into the FVS114 VPN Firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape Navigator 5.0 or above. From the main menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 122
    Figure 7-5: Router Upgrade menu To upload new firmware: 1. Download and unzip the new software file from NETGEAR. 2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary (.BIN) upgrade file. 3. Click Upload.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 123
    this, see the Erase function, which will restore all factory settings. After an erase, the firewall's password will be password, the LAN IP address will be 192.168.0.1, and the firewall's DHCP client will be enabled. To erase the configuration, click the Erase button.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 124
    To restore the factory default configuration settings without knowing the login password or IP address, you must use the reset button on the rear panel of the firewall. See "Restoring the Default Configuration and Password" on page 9-7. Changing
  • Netgear FVS114NA | FVS114 Reference Manual - Page 125
    Figure 7-8: Diagnostics menu • Ping or Trace an IP address - Ping: Use this to send a "ping" packet request to the specified IP address. This is often used to test a connection. If the request "times out" (no reply is received), this usually
  • Netgear FVS114NA | FVS114 Reference Manual - Page 126
    Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when
  • Netgear FVS114NA | FVS114 Reference Manual - Page 127
    chapter describes how to configure the advanced features of your FVS114 ProSafe VPN Firewall. These features can be found under the Advanced heading in the main menu of the browser interface. WAN Setup Using the WAN Setup page, you can set up a Default DMZ Server and allow the router to respond to
  • Netgear FVS114NA | FVS114 Reference Manual - Page 128
    if you're willing to risk open access. If you do not assign a Default DMZ Server, the router discards any incoming service requests which are undefined. To assign a computer or server to be a DMZ server: a. Click the Default DMZ Server checkbox b. Type the IP address for that server. c. Click Apply
  • Netgear FVS114NA | FVS114 Reference Manual - Page 129
    Note: For security, NETGEAR strongly recommends that you avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the
  • Netgear FVS114NA | FVS114 Reference Manual - Page 130
    your dynamic DNS service provider, log in to your account, and register your new IP address. 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen
  • Netgear FVS114NA | FVS114 Reference Manual - Page 131
    Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. Using the LAN IP Setup Options The LAN IP Setup menu allows configuration
  • Netgear FVS114NA | FVS114 Reference Manual - Page 132
    These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes
  • Netgear FVS114NA | FVS114 Reference Manual - Page 133
    Using the Firewall as a DHCP server By default, the firewall functions as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the firewall's LAN.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 134
    Figure 8-4: Reserved IP Address menu 2. In the IP Address box, type the IP address to assign to the PC or server. (Choose an IP address from the firewall's LAN subnet, such as 192.168.0.X.) 3. Type the MAC Address of the PC or server. (Tip: If
  • Netgear FVS114NA | FVS114 Reference Manual - Page 135
    Figure 8-5: Static Routes table To add or edit a Static Route: 1. Click the Add button to open the Add/Edit menu, shown below. Figure 8-6: Static Route Entry and Edit menu 2. Type a route name for this static route in the Route Name box. (
  • Netgear FVS114NA | FVS114 Reference Manual - Page 136
    only as a precautionary security measure in case RIP is activated. Enabling Remote Management Access Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVS114 VPN Firewall.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 137
    Note: Be sure to change the firewall's default configuration password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and
  • Netgear FVS114NA | FVS114 Reference Manual - Page 138
    Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but
  • Netgear FVS114NA | FVS114 Reference Manual - Page 139
    of each UPnP device that is currently accessing the router and which ports (Internal and External) that device has opened. The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 140
    Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP devices.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 141
    This chapter gives information about troubleshooting your FVS114 ProSafe VPN Firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. Basic Functioning After you turn on power to the firewall, the following sequence of events should
  • Netgear FVS114NA | FVS114 Reference Manual - Page 142
    to factory defaults. This will set the firewall's IP address to 192.168.0.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 9-7. If the error persists, you might have a hardware problem and should contact technical support. LAN or Internet Port LEDs
  • Netgear FVS114NA | FVS114 Reference Manual - Page 143
    sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information. If the firewall does not save changes you have made in the Web Configuration Interface, check the following: • When
  • Netgear FVS114NA | FVS114 Reference Manual - Page 144
    Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall
  • Netgear FVS114NA | FVS114 Reference Manual - Page 145
    OR Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "How to Manually Configure Your Internet Connection" on page 3-11. If your firewall can obtain an IP address, but your PC is unable to
  • Netgear FVS114NA | FVS114 Reference Manual - Page 146
    If the path is working, you see this message: Reply from < IP address >: bytes=32 time=NN ms TTL=xxx If the path is not working, you see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems
  • Netgear FVS114NA | FVS114 Reference Manual - Page 147
    to "How to Manually Configure Your Internet Connection" on page 3-11. Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.0.1. You
  • Netgear FVS114NA | FVS114 Reference Manual - Page 148
  • Netgear FVS114NA | FVS114 Reference Manual - Page 149
    Appendix A Technical Specifications This appendix provides technical specifications for the FVS114 ProSafe VPN Firewall. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz,
  • Netgear FVS114NA | FVS114 Reference Manual - Page 150
    Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B 10BASE-T or 100BASE-Tx,
  • Netgear FVS114NA | FVS114 Reference Manual - Page 151
    ). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by of selecting and forwarding this data is performed by a router.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 152
    path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The FVS114 ProSafe VPN Firewall is a small office router that routes the IP protocol over a single-user broadband connection. Routing
  • Netgear FVS114NA | FVS114 Reference Manual - Page 153
    The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host
  • Netgear FVS114NA | FVS114 Reference Manual - Page 154
    • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. • Class D Class D addresses are used for multicasts
  • Netgear FVS114NA | FVS114 Reference Manual - Page 155
    As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as "/n." In the example, the address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 156
    Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 157
    problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Choose your private network number from this range. The DHCP server of the FVS114 VPN Firewall
  • Netgear FVS114NA | FVS114 Reference Manual - Page 158
    Single IP Address Operation Using NAT In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 159
    MAC Addresses and Address Resolution Protocol An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access
  • Netgear FVS114NA | FVS114 Reference Manual - Page 160
    When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS
  • Netgear FVS114NA | FVS114 Reference Manual - Page 161
    What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or
  • Netgear FVS114NA | FVS114 Reference Manual - Page 162
    Table B-3. Pin 1 2 3 4 5 6 7 8 UTP Ethernet cable wiring, Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point. A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low
  • Netgear FVS114NA | FVS114 Reference Manual - Page 163
    Inside Twisted Pair Cables For two devices to communicate, the transmitter ports, called MDI or uplink ports. Most repeaters and switch ports are configured as media-dependent interfaces with built-in crossover ports, called MDI-X or normal ports.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 164
    Figure B-6: Category 5 UTP cable with male RJ-45 plug at each end Note: Flat "silver satin" telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned
  • Netgear FVS114NA | FVS114 Reference Manual - Page 165
    The FVS114 VPN Firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or
  • Netgear FVS114NA | FVS114 Reference Manual - Page 166
  • Netgear FVS114NA | FVS114 Reference Manual - Page 167
    however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS limits connectivity. The cost of connecting home users is also very expensive compared to Internet-access technologies, such as DSL or cable. Because
  • Netgear FVS114NA | FVS114 Reference Manual - Page 168
    • Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization's modem pool is one method of access points across IP networks. IPSec provides data security at the IP
  • Netgear FVS114NA | FVS114 Reference Manual - Page 169
    • content protection. IPSec provides an open framework for implementing industry standard receiver. ESP also provides all encryption services in IPSec. Encryption translates a readable payload and not for the IP header. Figure C-1: Original packet
  • Netgear FVS114NA | FVS114 Reference Manual - Page 170
    The ESP header is inserted into the packet between the IP table, IP HDR represents the IP header and includes both source and destination IP addresses. enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and
  • Netgear FVS114NA | FVS114 Reference Manual - Page 171
    Mode SAs operate using modes. A mode is the method in which payload. The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged) and
  • Netgear FVS114NA | FVS114 Reference Manual - Page 172
    Key Management IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 173
    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic
  • Netgear FVS114NA | FVS114 Reference Manual - Page 174
    to the firewall instructions for both gateways to understand how to open specific protocols, ports, and addresses that you intend to allow. VPN Tunnel Between Gateways A Security Association (SA), frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers
  • Netgear FVS114NA | FVS114 Reference Manual - Page 175
    VPN Gateway A VPN Tunnel VPN Gateway B PCs PCs Figure C-5: VPN tunnel Security Association ( can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways. 1. The IPSec software on
  • Netgear FVS114NA | FVS114 Reference Manual - Page 176
    2. IKE Phase I. a. The two parties negotiate the Once the SA keys are created and exchanged, the IPSec SAs are ready to protect user data between the two VPN gateways. 4. Data transfer. Data is transferred between IPSec peers based on the IPSec
  • Netgear FVS114NA | FVS114 Reference Manual - Page 177
    VPNC IKE Phase II Parameters The IKE Phase 2 parameters used in Scenario 1 are: • TripleDES • SHA-1 • ESP tunnel mode • MODP group 1 • Perfect forward secrecy for rekeying • SA lifetime of 28800 seconds (one hour) Testing and Troubleshooting Once
  • Netgear FVS114NA | FVS114 Reference Manual - Page 178
    Relevant RFCs listed numerically: • [RFC 791] IP Security Domain of Interpretation for ISAKMP, November 1998. • [RFC 2474] K. Nichols, S. Blake, F. Baker, D. Black, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
  • Netgear FVS114NA | FVS114 Reference Manual - Page 179
    through the FVS114 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by
  • Netgear FVS114NA | FVS114 Reference Manual - Page 180
    In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 181
    You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for
  • Netgear FVS114NA | FVS114 Reference Manual - Page 182
    If you need Client for Microsoft Networks: a. Click the Add button. b. Select Client, and then click Add. c. Select Microsoft. d. Select Client when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each
  • Netgear FVS114NA | FVS114 Reference Manual - Page 183
    Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties window
  • Netgear FVS114NA | FVS114 Reference Manual - Page 184
    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable
  • Netgear FVS114NA | FVS114 Reference Manual - Page 185
    1. On the Windows taskbar, click the Start button, and then click Run. 2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things), your IP address, subnet mask, and default gateway. 3. From the drop-
  • Netgear FVS114NA | FVS114 Reference Manual - Page 186
    Reference Manual for the ProSafe VPN Firewall FVS114 8. Then, restart your PC. Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you
  • Netgear FVS114NA | FVS114 Reference Manual - Page 187
    Reference Manual for the ProSafe VPN Firewall FVS114 • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window. • Click the Properties
  • Netgear FVS114NA | FVS114 Reference Manual - Page 188
    Reference Manual for the ProSafe VPN Firewall FVS114 • Verify that the Obtain an IP address automatically radio button is selected. • Verify that Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 189
    Reference Manual for the ProSafe VPN Firewall FVS114 • Click on the My Network Places icon on the Windows box of "Components checked are used by this connection:" • Client for Microsoft Networks and • Internet Protocol (TCP/IP) • Click OK.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 190
    Reference Manual for the ProSafe VPN Firewall FVS114 • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 191
    Reference Manual for the ProSafe VPN Firewall FVS114 DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. • Choose Settings from
  • Netgear FVS114NA | FVS114 Reference Manual - Page 192
    Reference Manual for the ProSafe VPN Firewall FVS114 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
  • Netgear FVS114NA | FVS114 Reference Manual - Page 193
    then click OK. A command window opens 3. Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and
  • Netgear FVS114NA | FVS114 Reference Manual - Page 194
    Manual for the ProSafe VPN Firewall FVS114 • The default gateway is 192.168.0.1 4. Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP
  • Netgear FVS114NA | FVS114 Reference Manual - Page 195
    default TCP/IP settings that NETGEAR recommends: • The IP Address is between 192.168.0.2 and 192.168.0.254 • The Subnet mask is 255.255.255.0 • The Router address is 192.168.0.1 If you do not see these values, you may need to restart your Macintosh or you may need to switch the "Configure" setting
  • Netgear FVS114NA | FVS114 Reference Manual - Page 196
    Reference Manual for the ProSafe VPN Firewall FVS114 Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a
  • Netgear FVS114NA | FVS114 Reference Manual - Page 197
    Reference Manual for the ProSafe VPN Firewall FVS114 • An IP address and subnet mask • A gateway IP address, which is the address of the ISP's router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account's full server names may look like this:
  • Netgear FVS114NA | FVS114 Reference Manual - Page 198
    Reference Manual for the ProSafe VPN Firewall FVS114 If an IP address appears under Installed Gateways, write down the address. This is the ISP's gateway address. Select the address and then click Remove to remove the gateway address. 6. Select the DNS Configuration tab. If any DNS server addresses
  • Netgear FVS114NA | FVS114 Reference Manual - Page 199
    Manual for the ProSafe VPN Firewall FVS114 Restarting the Network Once you've set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS114 VPN Firewall. After configuring
  • Netgear FVS114NA | FVS114 Reference Manual - Page 200
    Reference Manual for the ProSafe VPN Firewall FVS114 D-22 202-10098-01, April 2005 Preparing Your Network
  • Netgear FVS114NA | FVS114 Reference Manual - Page 201
    such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284. A Access Control List (ACL) An ACL is a database that an Operating System uses to track each user's access rights to system objects (such as file
  • Netgear FVS114NA | FVS114 Reference Manual - Page 202
    Manual for the ProSafe VPN Firewall FVS114 strengths: a 128-, 192-, or 256-bit encryption key (password). Each encryption key size causes the algorithm to behave slightly its IP address. In this case, the host broadcasts its physical address and a RARP server replies with the host's IP address. Auto
  • Netgear FVS114NA | FVS114 Reference Manual - Page 203
    who they claim to be. D DHCP An Ethernet protocol specifying how a centralized DHCP server can assign network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses. DMZ
  • Netgear FVS114NA | FVS114 Reference Manual - Page 204
    Manual for the ProSafe VPN Firewall FVS114 Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access
  • Netgear FVS114NA | FVS114 Reference Manual - Page 205
    Reference Manual for the ProSafe VPN Firewall FVS114 Ethernet A LAN specification developed jointly by Xerox, Intel and Digital Equipment Corporation. Ethernet networks transmit packets at a rate of 10 Mbps. G Gateway A local device, usually a router, that connects hosts on a local network to other
  • Netgear FVS114NA | FVS114 Reference Manual - Page 206
    Reference Manual for the ProSafe VPN Firewall FVS114 gateway then forwards the packet directly to the computer whose address is specified. users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets can also support IPv4 packets. IP See "Internet Protocol" IP Address
  • Netgear FVS114NA | FVS114 Reference Manual - Page 207
    Reference Manual for the ProSafe VPN Firewall FVS114 M MAC (1) Medium Access Control. In LANs, the sublayer of the data link control layer that supports medium-dependent functions and uses the services of the physical layer to provide services to the logical link control (LLC) sublayer. The MAC
  • Netgear FVS114NA | FVS114 Reference Manual - Page 208
    Reference Manual for the ProSafe VPN Firewall FVS114 PPP A protocol allowing a computer using TCP/IP to connect directly to the Public Switched Telephone Network. Q QoS See "Quality of Service" Quality of Service QoS is a networking term that specifies a guaranteed level of throughput. Throughput is
  • Netgear FVS114NA | FVS114 Reference Manual - Page 209
    Reference Manual for the ProSafe VPN Firewall FVS114 R RADIUS Short for Remote Authentication Dial-In User Service, RADIUS is an authentication system. Using RADIUS, you must enter your user name and password before gaining access to a network. This information is passed to a RADIUS server, which
  • Netgear FVS114NA | FVS114 Reference Manual - Page 210
    Reference Manual for the ProSafe VPN Firewall FVS114 U Universal Plug and Play UPnP. A networking architecture that provides compatibility among networking technology. UPnP compliant routers provide broadband users at home and small businesses with a seamless way to participate in online games,
  • Netgear FVS114NA | FVS114 Reference Manual - Page 211
    Reference Manual for the ProSafe VPN Firewall FVS114 Glossary 11 202-10098-01, April 2005
  • Netgear FVS114NA | FVS114 Reference Manual - Page 212
    Reference Manual for the ProSafe VPN Firewall FVS114 12 Glossary 202-10098-01, April 2005

Reference Manual for the ProSafe VPN Firewall FVS114
NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA
202-10098-01, April 2005