Netgear FVS318 FVS318v3 Reference Manual

Netgear FVS318 - ProSafe VPN Firewall Router Manual

Netgear FVS318 manual content summary:

  • Netgear FVS318 | FVS318v3 Reference Manual - Page 1
    Reference Manual for the ProSafe VPN Firewall FVS318v3 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10059-02 Version 3 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 2
    a circuit different from that to which the receiver is connected. • Consult the dealer or an experienced radio/TV technician for help. EN 55 022 Declaration of Conformance This is to certify that the FVS318v3 ProSafe VPN Firewall is shielded against the generation of radio interference in accordance
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 3
    fen. Certificate of the Manufacturer/Importer It is hereby certified that the FVS318v3 ProSafe VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT . When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 4
    Product and Publication Details. Model Number: FVS318v3; Publication Date: January 2005; Product Family: Router; Product Name: FVS318v3 ProSafe VPN Firewall; Home or Business Product: Business; Language: English
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 5
    -Related Products 2-7 NETGEAR Product Registration, Support, and Documentation 2-7 Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVS318v3 ProSafe VPN Firewall 3-1 First, Connect the FVS318v3 3-1 Now, Configure the FVS318v3 for Internet Access 3-4 Troubleshooting Tips
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 6
    Smart Setup Wizard 3-11 How to Manually Configure Your Internet Connection 3-12 Chapter 4 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview 4-1 Block Sites ...4-2 Using Rules to Block or Allow Specific Kinds of Traffic 4-3 Inbound Rules (Port Forwarding
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 7
    Networking Overview of FVS318v3 Policy-Based VPN Configuration 6-1 Using Policies to Manage VPN Traffic 6-2 Using Automatic Key Management 6-2 IKE Policies' Automatic Key and Authentication Management 6-3 VPN Policy Configuration for Auto Key Negotiation 6-5 VPN Policy Configuration for Manual
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 8
    the Web Configuration Interface 9-3 Troubleshooting the ISP Connection 9-4 Troubleshooting a TCP/IP Network Using a Ping Utility 9-5 Testing the LAN Path to Your Firewall 9-5 Testing the Path from Your PC to a Remote Device 9-6 Restoring the Default Configuration and Password 9-7 Problems with
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 9
    Addresses B-7 Single IP Address Operation Using NAT B-8 MAC Addresses and Address Resolution Protocol B-9 Related Documents B-9 Domain Name Server B-9 IP Configuration by DHCP B-10 Internet Security and Firewalls B-10 What is a Firewall B-11 Stateful Packet Inspection B-11 Denial of Service
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 10
    18 Are Login Protocols Used D-18 What Is Your Configuration Information D-18 Obtaining ISP Configuration Information for Windows Computers D-19 Obtaining ISP Configuration Information for Macintosh Computers D-20 Restarting the Network D-21 Appendix E VPN Configuration of NETGEAR FVS318v3 Case
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 11
    the VPN Connections E-18 The FVS318v3-to-FVL328 Case E-20 Configuring the VPN Tunnel E-20 Viewing and Editing the VPN Parameters E-23 Initiating and Checking the VPN Connections E-25 The FVS318v3-to-VPN Client Case E-27 Client-to-Gateway VPN Tunnel Overview E-27 Configuring the VPN Tunnel
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 12
    xii Contents January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 13
    . This manual is written for the FVS318v3 VPN Firewall according to these specifications: Table 1-2. Manual Scope. Product Version: FVS318v3 ProSafe VPN Firewall; Manual Publication Date: January 2005. Note: Product updates are available on the NETGEAR, Inc. Web site at http://kbserver.netgear.com
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 14
    Reference Manual for the ProSafe VPN Firewall FVS318v3 How to Use This Manual The HTML version of this manual includes the following: • Buttons, and , for browsing forwards or backwards through the manual one page at a time •A button that displays the table of contents and an button. Double
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 15
    Reference Manual for the ProSafe VPN Firewall FVS318v3 How to Print this Manual To print this manual you can choose one of the following options, according to your needs. • Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 16
    Reference Manual for the ProSafe VPN Firewall FVS318v3 1-4 About This Manual January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 17
    This chapter describes the features of the NETGEAR FVS318v3 ProSafe VPN Firewall. Key Features of the VPN Firewall The FVS318v3 ProSafe VPN Firewall with eight-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 18
    to your LAN. • Blocks access from your LAN to Internet locations or services that you specify as off-limits. • Logs security incidents. The FVS318v3 logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 19
    by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. • Automatic Configuration of Attached PCs by DHCP The FVS318v3 VPN Firewall dynamically assigns network configuration information, including IP, gateway, and Domain
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 20
    and Support NETGEAR offers the following features to help you maximize your use of the FVS318v3 VPN Firewall: • Flash memory for firmware upgrade. • Free technical support seven days a week, 24 hours a day. Note: The FVS318v3 firmware is not backward compatible with earlier versions of the FVS318
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 21
    you need to return the firewall for repair. The FVS318v3 Front Panel The front panel of the FVS318v3 VPN Firewall contains the status LEDs described below. Figure 2-1: FVS318v3 front panel (labels: PWR, Test, Internet, LOCAL Ports). You can use some of the LEDs to verify connections. Viewed from left to right
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 22
    transmitted or received by the Local port. The FVS318v3 Rear Panel The rear panel of the FVS318v3 VPN Firewall contains the port connections listed below. Figure 2-2: FVS318v3 rear panel (labels: FACTORY DEFAULTS Reset Button, LOCAL Ports, INTERNET Port, DC Power ON/OFF Switch). Viewed from left to right
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 23
    VPN01L and VPN05L ProSafe VPN Client Software NETGEAR Product Registration, Support, and Documentation Register your product at http://www.NETGEAR.com/register. Registration is required before you can use our telephone support service. Product updates and Web support are always available by
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 24
    Reference Manual for the ProSafe VPN Firewall FVS318v3 When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router. 2-8 Introduction January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 25
    your FVS318v3 ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection. Follow these instructions to set up your firewall. Prepare to Install Your FVS318v3 ProSafe VPN Firewall • For Cable Modem Service: When you perform the VPN firewall router setup steps
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 26
    your modem (Cable 1 in the diagram below) into the Internet port of the VPN firewall router as shown in point B of the diagram. Figure 3-2: Connect the VPN firewall router to the modem (labels: B, Internet port, Internet, Firewall, Cable 1, Modem).
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 27
    Reference Manual for the ProSafe VPN Firewall FVS318v3 f. Securely insert the blue cable that came with your VPN firewall router (the blue NETGEAR cable in the diagram below) into a LOCAL port on the firewall such as LOCAL port 8 (point C in the diagram), and the other end into the Ethernet port of
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 28
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Figure 3-4: Status lights (labels: Power, Test, Internet, Local Port 8). d. Check the VPN firewall router status lights to verify the following: • PWR: The power light should turn solid green. If it does not, see "Troubleshooting Tips" on page 3-6. • TEST
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 29
    Reference Manual for the ProSafe VPN Firewall FVS318v3 With the VPN firewall router in its factory default state, your browser will automatically display the NETGEAR Smart Wizard Configuration Assistant welcome page. Figure 3-5: NETGEAR Smart Wizard Configuration Assistant welcome screen Note: If
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 30
    Manual for the ProSafe VPN Firewall FVS318v3 3. Click Done to finish. If you have trouble connecting to the Internet, see "Troubleshooting Tips" on page 3-6 to correct basic problems. Figure 3-6: NETGEAR Smart Wizard Configuration Assistant success screen Note: The Smart Wizard Configuration
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 31
    be lit. The labels on the front and back of the VPN firewall router identify the number of each LOCAL port. Make sure the network settings of the computer are correct. • LAN connected computers must be configured to obtain an IP address automatically via DHCP. Please see Appendix D, "Preparing Your
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 32
    router. Table 3-1. Ways to access the firewall Firewall State Access Options Description Factory Default Note: The VPN firewall router is supplied in the factory default state. Also, the factory default state is restored when you use the factory reset button. See "Backing Up the Configuration
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 33
    are not the same as any user name or password you may use to log in to your Internet connection. A login window like the one shown below opens: Figure 3-8: Login window Once you have entered your user name and password, your Web browser should find the FVS318v3 VPN Firewall and display the home page
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 34
    press Enter. When the VPN firewall router is in the factory default state, a user name and password are not required. 2. The browser then displays the FVS318v3 settings home page shown in "Login result: FVS318v3 home page" on page 3-10. 3-10 January 2005 Connecting the Firewall to the Internet
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 35
    factory default state. After you configure the VPN firewall router, the Smart Wizard Configuration Assistant will not appear again. To use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection settings, follow this procedure. 1. Connect to the VPN firewall
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 36
    ProSafe VPN Firewall FVS318v3 How to Manually Configure Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. ISP Does Not Require Login ISP Does Require Login
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 37
    steps: 1. Log in to the firewall at its default address of http://www.routerlogin.net using a browser like Internet Explorer or Netscape® Navigator. 2. Click the Basic Settings link under the Setup section of the main menu. 3. If your Internet connection does not require a login, click No at the top
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 38
    Reference Manual for the ProSafe VPN Firewall FVS318v3 4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet. Note: After you
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 39
    can establish restricted access policies based on time-of-day, Web addresses and Web address keywords. You can also block Internet access by applications and services, such as chat or games. A firewall is a special category of router that protects one network (the trusted network, such as your
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 40
    the ProSafe VPN Firewall FVS318v3 Block Sites The FVS318v3 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 4-1: Figure 4-1: Block Sites menu To enable keyword blocking, check
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 41
    will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 42
    Reference Manual for the ProSafe VPN Firewall FVS318v3 You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 43
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Inbound Rules (Port Forwarding) Because the FVS318v3 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 44
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Inbound Rule Example: Allowing a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 45
    the ProSafe VPN Firewall FVS318v3 Outbound Rules (Service Blocking) The FVS318v3 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on: • IP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 46
    The Move button allows you to relocate a defined rule to a new position in the table. Default DMZ Server Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 47
    Click Default DMZ Server. 2. Type the IP address for that server. 3. Click Apply. Note: In this application, the use of the term "DMZ" has become common, although it is a misnomer. In traditional firewalls, a DMZ is actually a separate physical network port. A true DMZ port is for connecting servers
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 48
    the application. Although the FVS318v3 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 49
    the ProSafe VPN Firewall FVS318v3 To add a service: 1. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears as shown in Figure 4-8: Figure 4-8: Add Custom Service menu 2. Enter a descriptive name for the service so
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 50
    the ProSafe VPN Firewall FVS318v3 Using a Schedule to Block or Allow Specific Traffic If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 51
    Reference Manual for the ProSafe VPN Firewall FVS318v3 To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 52
    name or IP address of your ISP's outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program. Enter the e-mail address to which logs and alerts are sent. This e-mail address will also be used as the From address. If
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 53
    Reference Manual for the ProSafe VPN Firewall FVS318v3 - If a user on your LAN attempts to access a Web site that you blocked using the Block Sites menu. • Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 54
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Viewing Logs of Web Access or Attempted Web Access The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu,
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 55
    number of the initiating device, and whether it originated from the LAN or WAN. Destination: The name or IP address of the destination device or Web site. Destination port and interface: The service port number of the destination device, and whether it's on the LAN or WAN. Log action buttons are
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 56
    Reference Manual for the ProSafe VPN Firewall FVS318v3 4-18 Firewall Protection and Content Filtering January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 57
    to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client. • "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 5-20 provides the steps needed to configure a VPN tunnel between two network gateways using the VPN Wizard
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 58
    types of VPN configurations. The FVS318v3 VPN Firewall supports up to eight concurrent tunnels. Client-to-Gateway VPN Tunnels Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter connecting to an office network (see Figure 5-1). FVS318 24.0.0.1 VPN Tunnel
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 59
    5-2: Gateway-to-gateway VPN tunnel A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use FVS318v3s on each end of
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 60
    ProSafe VPN Firewall FVS318v3 FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator. • What method will you use to configure your VPN tunnels
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 61
    VPN Configuration Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway (see Figure 5-3) involves the following two steps: • "Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS318v3" on page 5-6 uses the VPN Wizard to configure the VPN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 62
    Virtual Private Networking" to set up the VPN tunnel. Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the FVS318v3 at its LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 63
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Enter the new Connection Name: (RoadWarrior in this example) Enter the pre-shared key: (12345678 in this example) Select the radio button: A remote VPN client (single PC) Figure 5-5: Connection Name and Remote IP Type The Summary screen below
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 64
    Reference Manual for the ProSafe VPN Firewall FVS318v3 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled. Figure 5-8: VPN Policies To view
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 65
    assigned IP address. The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client. Note
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 66
    for the ProSafe VPN Firewall FVS318v3 b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A "New Connection" listing appears in the list of policies. Rename the "New Connection" so that it matches the Connection Name you entered in the VPN Settings of the FVS318v3 on LAN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 67
    WAN IP Address of the FVS318v3 in the field directly below the ID Type menu. In this example, 22.23.24.25 would be used. The resulting Connection Settings are shown in Figure 5-10. 3. Configure the Security Policy in the NETGEAR ProSafe VPN Client software. a. In the Network Security Policy list
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 68
    , you will provide information about the remote VPN client PC. You will need to provide: - The Pre-Shared Key that you configured in the FVS318v3. - Either a fixed IP address or a "fixed virtual" IP address of the VPN client PC. a. In the Network Security Policy list on the left side of the Security
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 69
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Figure 5-12: Security Policy Editor My Identity b. Choose None in the Select Certificate box. c. Select IP Address in the ID Type box. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 70
    the ProSafe VPN Firewall FVS318v3 5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS318v3 configuration. a. In the Network Security Policy list
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 71
    to access any IP addresses in the range of the remote VPN firewall's LAN. 8. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the FVS318v3's network by using the "Connect" option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 72
    see the login screen of the VPN Firewall (unless another PC already has the FVS318v3 management interface open). Monitoring the Progress and Status of the VPN Client Connection Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 73
    the ProSafe VPN Firewall FVS318v3 The Log Viewer screen for a similar successful connection is shown below: Figure 5-18: Log Viewer screen Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 74
    you will need to close the VPN connection in order to have normal Internet access. Transferring a Security Policy to Another Client This section explains how to export and import a security policy as an .spd file so that an existing NETGEAR ProSafe VPN Client configuration can be copied to other PCs
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 75
    for the ProSafe VPN Firewall FVS318v3 Importing a Security Policy The following procedure (Figure 5-21) enables you to import an existing security policy. Step 1: Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown. Step 2: Select the security policy to
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 76
    the procedure below to set the LAN IPs on each FVS318v3 to different subnets and configure each properly for the Internet. The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. In this example
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 77
    VPN Firewall FVS318v3 Procedure to Configure a Gateway-to-Gateway VPN Tunnel Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the FVS318v3 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 78
    ProSafe VPN Firewall FVS318v3 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example) Figure 5-25: Remote IP 4. Identify the IP addresses at the target endpoint that can use this
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 79
    Reference Manual for the ProSafe VPN Firewall FVS318v3 The Summary screen below displays. Figure 5-27: VPN Wizard Summary Basic Virtual Private Networking January 2005 5-23
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 80
    Reference Manual for the ProSafe VPN Firewall FVS318v3 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-27). Click Back to return to the Summary screen. Figure 5-28: VPN Recommended Settings 5. Click Done on the Summary
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 81
    Reference Manual for the ProSafe VPN Firewall FVS318v3 6. Repeat for the FVS318v3 on LAN B. Pay special attention and use the following network settings as appropriate. • WAN IP of the remote VPN gateway (e.g., 14.15.16.17) • LAN IP settings of the remote VPN gateway: - IP Address (e.g., 192.168.0.1)
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 82
    ProSafe VPN Firewall FVS318v3 Figure 5-31: Current VPN Tunnels (SAs) Screen c. Look at the VPN Status/Log screen (Figure 5-30) to verify that the tunnel is connected. VPN Tunnel Control Activating a VPN Tunnel There are three ways to activate a VPN tunnel: • Start using the VPN tunnel. • Use the VPN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 83
    a request from the remote PC to the FVS318v3's network by using the "Connect" option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. To perform
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 84
    and enter the LAN IP address of the remote FVS318v3. After a short wait, you should see the login screen of the VPN Firewall (unless another PC already has the FVS318v3 management interface open). • Gateway-to-Gateway Configuration: test the VPN tunnel by pinging the remote network from a PC attached
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 85
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Figure 5-36: Pinging test results Note: The pings may fail the first time. If so, then try the pings a second time. Verifying the Status of a VPN Tunnel To use the VPN Status page to determine the status of a VPN tunnel, perform the following
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 86
    Policies Page to Deactivate a VPN Tunnel To use the VPN Policies page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the VPN Firewall. 2. Click on VPN Policies under VPN to get the VPN Policies screen below (Figure 5-39). 5-30 January 2005 Basic Virtual Private Networking
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 87
    Manual for the ProSafe VPN Firewall FVS318v3 Figure 5-39: VPN Policies 3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.) Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 88
    ProSafe VPN Firewall FVS318v3 3. Click VPN Status (Figure 5-40) to get the Current VPN Tunnels (SAs) screen (Figure 5-41). Click Drop for the VPN tunnel you want to deactivate. Figure 5-41: Current VPN Tunnels (SAs) screen Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 89
    Virtual Private Networking" for a description of how to use the basic VPN features. Overview of FVS318v3 Policy-Based VPN Configuration The FVS318v3 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity. Since the FVS318v3 strictly
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 90
    configure matching VPN policies on both the local and remote FVS318v3 VPN Firewalls. The outbound VPN policy on one end must match the inbound VPN policy on the other end, and vice versa. When network traffic enters the FVS318v3 from the LAN network interface, if there is no VPN policy found
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 91
    Reference Manual for the ProSafe VPN Firewall FVS318v3 IKE Policies' Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 92
    name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies. This setting is used when determining if the IKE policy matches the current traffic. The drop-down menu includes the following: • Initiator - Outgoing connections are allowed, but incoming are blocked
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 93
    , or VPN client. Remote Identity Type Use this field to identify the remote FVS318v3. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) - your domain name. • By a Fully Qualified User Name
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 94
    Figure 6-3: VPN - Auto Policy menu
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 95
    identify VPN policies. The existing IKE policies are presented in a drop-down list. Note: Create the IKE policy BEFORE creating a VPN - Auto policy. The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVS318v3's Local IP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 96
    Table 6-1. VPN - Auto Policy Configuration Fields Field Description Traffic Selector These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created. Local IP The drop-down menu allows
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 97
    are: • MD5 - the default • SHA1 - more secure Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood. VPN Policy Configuration for Manual Key Exchange With Manual Key Management, you
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 98
    Figure 6-4: VPN - Manual Policy menu
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 99
    VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies. The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 100
    Table 6-1. VPN Manual Policy Configuration Fields Field Description Authentication Algorithm If you enable AH, then select the authentication algorithm: • MD5 - the default • SHA1 - more secure Enter the keys in the fields provided. For
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 101
    Table 6-1. VPN Manual Policy Configuration Fields Field Enable Authentication Authentication Algorithm Key - In Key - Out NETBIOS Enable Description Use this check box to enable or disable ESP authentication for this VPN policy. If you
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 102
    Each CA has its own certificate. The certificates of a CA are added to the FVS318v3 and then can be used to form IKE policies for the user. Once a CA certificate is added to the FVS318v3 and a certificate is created for a user, the corresponding
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 103
    The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop down menu for information on how to purchase the NETGEAR ProSafe VPN Client
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 104
    . Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever password and LAN address you have chosen. 2. Configure the WAN (Internet) and LAN IP addresses of the FVS318v3. a. From the main menu Setup section, click the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 105
    6-7: FVS318v3 Internet IP Address menu b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Settings topics, please see "How to Manually Configure Your Internet Connection" on
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 106
    TCP/IP setup topics, please see "Configuring LAN TCP/IP Setup Parameters" on page 8-3. Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVS318v3. You will have to log on with http://10.5.6.1 which is now the address you use to connect
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 107
    3. Set up the IKE Policy illustrated below on the FVS318v3. a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below. Figure 6-9: Scenario 1 IKE Policy b. Configure the IKE Policy
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 108
    4. Set up the FVS318v3 VPN - Auto Policy illustrated below. a. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button. WAN IP address LAN IP addresses Figure 6-10: Scenario 1 VPN - Auto Policy b. Configure the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 109
    How to Check VPN Connections You can test connectivity and view VPN status information on the FVS318v3 (see also "VPN Tunnel Control" on page 5-26). Testing the Gateway A FVS318v3 LAN and the Gateway B LAN 1. Using our example, from a PC attached to the FVS318v3 on
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 110
    FVS318v3 Scenario 2: FVS318v3 to FVS318v3 with RSA Certificates The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 111
    b. Click the Generate Request button to display the screen illustrated in Figure 6-11 below. . FVS318v3 , or 2048. • Optional - IP Address. If you use "IP type" in the IKE policy, you should input the IP Address here. Otherwise, you should leave this
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 112
    - Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank. - E-mail Address. You can enter your e-mail address here. d. Click the Next button to continue. The FVS318v3 generates a Self Certificate
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 113
    c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending "FVS318v3" Self Certificate Request will be listed, as illustrated in Figure 6-13 below. FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 114
    f. You will now see the "FVS318v3" entry in the Active Self Certificates table and the pending "FVS318v3" Self Certificate Request is gone, as illustrated below. FVS318v Figure 6-14: Self Certificates table 7. Associate the new certificate and
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 115
    b. Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a except that it uses the IKE policy called Scenario_2. Now, the traffic from devices within the range of the LAN subnet addresses on FVS318v3 A and
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 116
    Reference Manual for the ProSafe VPN Firewall FVS318v3 6-28 January 2005 Advanced Virtual Private Networking
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 117
    This chapter describes how to use the maintenance features of your FVS318v3 ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface. Viewing VPN Firewall Status Information The Router Status menu provides status and
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 118
    firewall cannot connect to the Internet. The IP Subnet Mask being used by the Internet (WAN) port of the firewall. The protocol on the WAN port used to obtain the WAN IP address. This field can show DHCP Client, Fixed IP, PPPoE, BPA or PPTP. For example, if set to Client, the firewall is configured
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 119
    your Internet service provider's network. Connection Method The method used to obtain an IP address from your Internet service provider. IP Address The WAN (Internet) IP address assigned to the firewall. Network Mask The WAN (Internet) subnet mask assigned to the firewall. Default Gateway The
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 120
    on this interface since reset or manual clear. The current transmission (outbound) bandwidth used on the interfaces. The current reception (inbound) bandwidth used on the interfaces. The amount of time since the firewall was last restarted. The time elapsed since this port acquired the link
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 121
    firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button. Upgrading the Firewall Software Note: The FVS318v3 firmware is not backward compatible with earlier versions of the FVS318 firewall
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 122
    downloaded from NETGEAR's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file before sending it to the firewall. The upgrade file can be sent to the firewall using your browser. Note: The Web browser used to upload new firmware into the FVS318v3 VPN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 123
    Configuration File Management The configuration settings of the FVS318v3 VPN Firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user's PC, retrieved (restored) from the user's PC, or cleared to factory default
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 124
    will be password, the LAN IP address will be 192.168.0.1, and the firewall's DHCP client will be enabled. To erase the configuration, click the Erase button. To restore the factory default configuration settings without knowing the login password or IP address, you must use the reset button on
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 125
    your dynamic DNS service provider, log in to your account, and register your new IP address. 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 126
    : If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. Using the LAN IP Setup Options The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. From
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 127
    Configuring LAN TCP/IP Setup Parameters The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall's default LAN IP configuration is: • LAN IP addresses-192.168.0.1 • Subnet mask-
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 128
    a new connection to the new IP address and log in again. Using the Firewall as a DHCP server By default, the firewall functions as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the firewall's LAN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 129
    Using Address Reservation When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall's DHCP server. Reserved IP addresses should be assigned to servers that
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 130
    to limit access to IP Address of the final destination. 6. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. 7. Type the Gateway IP Address, which must be a firewall on the same LAN segment as the firewall.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 131
    only as a precautionary security measure in case RIP is activated. Enabling Remote Management Access Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVS318v3 VPN Firewall.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 132
    range. c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access. 3. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 133
    Tip: If you are using a dynamic DNS service such as TZO, you can always identify the IP address of your FVS318v3 by running TRACERT from the Windows Start menu Run option. For example, type tracert yourFVS318v3.mynetgear.net and you will see the IP address your
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 134
    Reference Manual for the ProSafe VPN Firewall FVS318v3 8-10 January 2005 Advanced Configuration
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 135
    that the power supply adapter is properly connected to a functioning power outlet. • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 136
    the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.0.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 9-7. If the error persists, you might have a hardware problem and should contact technical support. LAN
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 137
    Troubleshooting the Web Configuration Interface If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the firewall as
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 138
    Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 139
    manually with DNS addresses, as explained in your operating system documentation. • Your PC may not have the firewall configured as its TCP/IP gateway. If your PC obtains its information from the firewall by DHCP, reboot the PC and verify the gateway address. Troubleshooting a TCP/IP Network Using
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 140
    and for the hub ports (if any) that are connected to your workstation and firewall. • Wrong network configuration - Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. - Verify that the IP address for your firewall and your
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 141
    erase the current configuration and restore factory defaults in two ways: • Use the Erase function of the firewall (see "Erasing the Configuration" on page 7-8). • Use the Reset button on the rear panel of the firewall. Use this method for cases when the administration password or IP address are not
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 142
    Reference Manual for the ProSafe VPN Firewall FVS318v3 9-8 Troubleshooting January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 143
    Technical Specifications This appendix provides technical specifications for the FVS318v3 ProSafe VPN Firewall. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input United
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 144
    Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B 10BASE-T or 100BASE-Tx,
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 145
    . In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 146
    . Using this information, the router chooses the best path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The FVS318v3 ProSafe VPN Firewall is a small office router that routes the IP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 147
    five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 148
    • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. • Class D Class D addresses are used for
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 149
    is unlikely that the smaller office LANs would have that many devices. You can resolve this problem by using a technique known as subnet addressing. Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 150
    Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 151
    remote Private IP Addresses If your local network is isolated from the Internet (for example, when using NAT), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 152
    costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS318v3 VPN Firewall employs an address-sharing method called Network Address Translation (NAT). This method allows several networked PCs to share an Internet account using only a single IP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 153
    MAC Addresses and Address Resolution Protocol An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 154
    When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 155
    What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 156
    hub and the patch panel (if used) 295 ft. (90 m) from connecting hardware must meet the requirements for 100 Mbps operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point. A twisted pair Ethernet network
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 157
    Inside Twisted Pair Cables For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 158
    Figure B-6: Category 5 UTP cable with male RJ-45 plug at each end Note: Flat "silver satin" telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 159
    connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink™ will accommodate either type of cable to make the right connection.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 160
    Reference Manual for the ProSafe VPN Firewall FVS318v3 B-16 January 2005 Network, Routing, and Firewall Basics
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 161
    , the shortcomings of each limits connectivity. The cost of connecting home users is also very expensive compared to Internet-access technologies, such as DSL or cable. Because of this, organizations are moving their networks to the Internet, which is inexpensive, and using IPSec to create these
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 162
    -chain management, development partnerships, and subscription services. These undertakings can be difficult using legacy network technologies due to connection costs, time delays, and access availability. IPSec-based VPNs are ideal for extranet connections. IPSec-capable devices can be quickly and
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 163
    • uses produce a unique and unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 164
    The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 165
    Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 166
    Key Management IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 167
    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 168
    to understand how to open specific protocols, ports, and addresses that you intend to allow. VPN Tunnel Between Gateways A Security Association (SA), frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls, gateways) to trust each other and
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 169
    Figure C-5: VPN tunnel Security Association be loaded onto every computer connected to the gateways. Each gateway must negotiate its SA with another gateway using the parameters and processes
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 170
    2. IKE Phase I. a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. c. A
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 171
    the VPN configuration steps you can use PCs, located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the Netgear gateway to determine if IKE negotiation is working. Common problems
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 172
    Relevant IP Security Domain of Interpretation for ISAKMP, November 1998. • [RFC 2474] K. Nichols, S. Blake, F. Baker, D. Black, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 173
    through the FVS318v3 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 174
    In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 175
    You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks. If
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 176
    If you need Client for Microsoft Networks: a. Click the Add button. b. Select Client, and then click Add. c. Select Microsoft. d. Select Client for Microsoft Networks, and then click OK. 3. Restart your PC for the changes to take effect.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 177
    Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 178
    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 179
    are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 • The subnet mask is 255.255.255.0 • The default gateway is 192.168.0.1 Configuring Windows NT4, 2000 or XP for IP Networking As part
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 180
    8. Then, restart your PC. Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 181
    • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window. • Click the Properties
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 182
    2000 Once again, after you have installed the network card, TCP/IP for Windows 2000 is configured. TCP/IP should be added by default and set to DHCP without your having to configure it. However, if there are problems, follow these steps to configure TCP/IP with DHCP for Windows 2000.
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 183
    • Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. • The Local Area Connection Properties dialog box
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 184
    • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 185
    DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. • Choose Settings from
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 186
    Reference Manual for the ProSafe VPN Firewall FVS318v3 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button. D-14 January 2005 Preparing Your Network
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 187
    A command window opens 3. Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 188
    the ProSafe VPN Firewall FVS318v3 • The default gateway is 192.168.0.1 4. Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 189
    TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: • The IP Address is between
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 190
    a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer. Your firewall does not support a USB-connected broadband modem. For a single-user Internet account, your ISP supplies TCP/IP configuration information for one computer. With a typical
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 191
    PC so that you can use this information when you configure the FVS318v3 VPN Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access: 1. On the Windows taskbar
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 192
    so that you can use this information when you configure the FVS318v3 VPN Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access: 1. From the Apple menu
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 193
    that is connected to the FVS318v3 VPN Firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVS318v3 VPN Firewall, you are ready to access and configure the firewall. Preparing Your Network January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 194
    Reference Manual for the ProSafe VPN Firewall FVS318v3 D-22 January 2005 Preparing Your Network
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 195
    20) • FVS318v3 to VPN Client (see page E-27) Note: Product updates are available on the NETGEAR, Inc. Web site at http://www.netgear.com/support/main.asp. Case Study Overview The procedure for configuring a VPN tunnel between two gateway endpoints is as follows: 1. Gather the network information
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 196
    Gateway B. a. Log in to the router at Gateway B. b. Use the VPN Wizard to configure this router. Enter the requested information as prompted by the VPN Wizard. Note: The WAN and LAN IP addresses must be unique at each end of the VPN tunnel. E-2 VPN Configuration of NETGEAR FVS318v3 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 197
    "A remote VPN Gateway" Step 3: Enter the remote WAN's IP address Step 4: Enter the following: o Remote LAN IP Address o Remote LAN Subnet Mask to Figure E-3 Figure E-2: NETGEAR's VPN Wizard for the router at each gateway (part 1 of 2) VPN Configuration of NETGEAR FVS318v3 E-3 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 198
    user name of admin and default password of password. The login address will change to the local LAN IP subnet address after you configure the router. The user name and password will also change to the ones you have chosen to use in your installation. E-4 VPN Configuration of NETGEAR FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 199
    Flowchart Fix the VPN Tunnel and then Retest Test Step 3 View VPN Tunnel Status End All traffic from the range of LAN IP addresses specified on the router at Gateway A and the router at Gateway B will now flow over a secure VPN tunnel. VPN Configuration of NETGEAR FVS318v3 E-5 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 200
    FVS318v3 labeled Gateway A as in the illustration (Figure E-5). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen). E-6 VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 201
    to the FVS318v3 labeled Gateway B as in the illustration (Figure E-5). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen). Note: Based on the network addresses used in
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 202
    the VPN Connections" on page 11). Gateway A VPN Parameter Entry Gateway B VPN Parameter Entry Continue as shown in Figure E-3 Continue as shown in Figure E-3 Figure E-6: VPN parameter entry at Gateway A (FVS318v3) and Gateway B (FVS318v3) E-8 VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 203
    the ProSafe VPN Firewall FVS318v3 Viewing and Editing the VPN Parameters The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic on the FVS318v3 are presented in Figure E-7 and Figure E-8. Gateway A VPN Policy
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 204
    VPN tunnel endpoints. The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints. E-10 VPN Configuration of NETGEAR FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 205
    to the FVS318v3 main menu VPN section and click the VPN Status link. b. The log screen displays a history of the VPN connections, and the IPSec SA and IKE SA tables report the status and data transmission statistics of the VPN tunnels for each policy. VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 206
    VPN Status at Gateway B (FVS318v3) 22.23.24.25 Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B Status of VPN tunnel from Gateway A Status of VPN tunnel to Gateway A Figure E-9: VPN Status for the FVS318v3 routers at Gateway A and Gateway B E-12 VPN Configuration of NETGEAR
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 207
    the FVS318v3 labeled Gateway A as in the illustration (Figure E-10). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen). VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 208
    ). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen). Note: Based on the network addresses used in this example, you would log in to the LAN IP address of http://172.23
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 209
    Checking the VPN Connections" on page 18). Gateway A VPN Parameter Entry Gateway B VPN Parameter Entry Continue as shown in Figure E-3 Continue as shown in Figure E-3 Figure E-11: VPN parameter entry at Gateway A (FVS318v3) and Gateway B (FVS318v2) VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 210
    Manual for the ProSafe VPN Firewall FVS318v3 Viewing and Editing the VPN Parameters The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic are presented in Figure E-12. E-16 VPN Configuration of NETGEAR FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 211
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Gateway A VPN Parameters (FVS318v3) Gateway B VPN Parameters (FVS318v2) Figure E-12: VPN Parameters at Gateway A (FVS318v3) and Gateway B (FVS318v2) VPN Configuration of NETGEAR FVS318v3 January 2005 E-17
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 212
    have to run this test several times before you get the reply message back from the target FVS318v2. d. At this point the gateway-to-gateway connection is verified. E-18 VPN Configuration of NETGEAR FVS318v3 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 213
    Gateway B Status of VPN tunnel to Gateway B 22.23.24.25 IPSec Connection Status at Gateway B (FVS318v2) Status of VPN tunnel to and from Gateway A Figure E-13: VPN Status for the routers at Gateway A (FVS318v3) and Gateway B (FVS318v2) VPN Configuration of NETGEAR FVS318v3 January 2005 E-19
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 214
    to the FVS318v3 labeled Gateway A as in the illustration (Figure E-14). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen). E-20 VPN Configuration of NETGEAR FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 215
    ). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen). Note: Based on the network addresses used in this example, you would log in to the LAN IP address of http://172.23
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 216
    the VPN Connections" on page 25). Gateway A VPN Parameter Entry Gateway B VPN Parameter Entry Continue as shown in Figure E-3 Continue as shown in Figure E-3 Figure E-15: VPN parameter entry at Gateway A (FVS318v3) and Gateway B (FVL328) E-22 VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 217
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Viewing and Editing the VPN Parameters The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic on the FVS318v3 and FVL328 are presented in Figure E-16 and
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 218
    VPN tunnel endpoints. The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints. E-24 VPN Configuration of NETGEAR FVS318v3
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 219
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Initiating and Checking the VPN Connections You can test connectivity and view VPN status information on the FVS318v3 and FVL328 according to the testing flowchart shown in Figure E-4. To test the VPN tunnel from the Gateway A LAN, do the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 220
    IPSec Connection Status at Gateway B (FVL328) Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B Status of VPN tunnel to and from Gateway A Figure E-18: VPN Status for the routers at Gateway A (FVS318v3) and Gateway B (FVL328) E-26 VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 221
    Reference Manual for the ProSafe VPN Firewall FVS318v3 The FVS318v3-to-VPN Client Case Table E-4. Policy Summary VPN Consortium Scenario: Type of VPN Security Scheme: Date Tested: Model/Firmware Tested: NETGEAR-Gateway A NETGEAR-Client B IP Addressing: NETGEAR-Gateway A NETGEAR-Client B Scenario
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 222
    scenario assumes all ports are open on the FVS318v3. 10.5.6.0/24 Scenario 1 Client B Gateway A LAN IP 10.5.6.1 Router WAN IP 14.15.16.17 WAN IP 0.0.0.0 PC (running NETGEAR ProSafe VPN Client) Figure E-19: LAN to PC VPN access from an FVS318v3 to a VPN Client Use this scenario illustration
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 223
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Pre-Shared Key must be the same at both ends of the VPN tunnel Select "A Remote VPN Client" Figure E-20: VPN Wizard at Gateway A (FVS318v3) VPN Configuration of NETGEAR FVS318v3 January 2005 E-29
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 224
    Reference Manual for the ProSafe VPN Firewall FVS318v3 Figure E-21: VPN parameters at Gateway A (FVS318v3) E-30 VPN Configuration of NETGEAR FVS318v3 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 225
    ProSafe VPN Firewall FVS318v3 3. Set up the VPN Client at Gateway B as in the illustration (Figure E-19). a. Right-mouse-click the ProSafe icon ( ) in the system tray and select the Security Policy Editor. If you need to install the NETGEAR ProSafe VPN Client on your PC, consult the documentation
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 226
    E-21 for the gateway router.) • Enable Connect Using Secure Gateway Tunnel; select Domain Name for ID_Type; enter fvs_local for Domain Name; and enter 14.15.16.17 for Gateway IP Address. (Domain Name must match the Local Identity Data parameter of the IKE Policy Configuration screen shown in Figure
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 227
    24). (The Select Phase 1 Negotiation Mode choice must match the Exchange Mode setting for the General IKE Policy Configuration parameters shown in Figure E-21 for the gateway router.) Figure E-24: Scenario_1 Security Policy screen parameters VPN Configuration of NETGEAR FVS318v3 January 2005 E-33
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 228
    the Remote Identity Data parameter of the IKE Policy Configuration screen shown in Figure E-21 for the gateway router.) Figure E-25: Scenario_1 My Identity screen parameters Pre-Shared Key must be the same at both ends of the VPN tunnel E-34 VPN Configuration of NETGEAR FVS318v3 January 2005
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 229
    , but you must do it from the client endpoint (see "Initiating and Checking the VPN Connections" on page 36). In the client-to-gateway scenario, the gateway router will not know the client's IP address until the client initiates the traffic. VPN Configuration of NETGEAR FVS318v3 January 2005 E-35
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 230
    , you can initiate a request from the remote PC to the VPN router's network by using the Connect option in the VPN Client's menu bar (see Figure E-27). Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. a. Open the popup menu by right-clicking on the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 231
    Reference Manual for the ProSafe VPN Firewall FVS318v3 2. Test 2: Ping Remote WAN IP Address (if Test 1 fails): To test connectivity between the Gateway A and Gateway B WAN ports, follow these steps: a. From a Windows Client PC, click the Start button on the taskbar and then click Run. b. Type ping
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 232
    .25 Connection Monitor at Gateway B (remote VPN Client) Status of VPN tunnel to and from Gateway A Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B Figure E-28: VPN Status for Gateway A (FVS318v3) and Gateway B (VPN Client) E-38 VPN Configuration of NETGEAR FVS318v3 January
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 233
    .1x 802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management. The IEEE 802.1x draft standard offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 234
    Manual for the ProSafe VPN Firewall FVS318v3 ARP Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 235
    network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses. DMZ Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 236
    server can assign network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses. E EAP Extensible Authentication Protocol is a general protocol for authentication that supports multiple authentication methods
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 237
    in Layer 3, the Networking Layer. The most widely used version of IP today is IP version 4 (IPv4). However, IP version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users. IPv6 includes the capabilities of
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 238
    but if modems and telephones connect two or more LANs, the larger network constitutes what is called a WAN or Wide Area Network. M MAC (1) Medium Access Control. In LANs, the sublayer of the data link control layer that supports medium-dependent functions and uses the services of the physical layer
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 239
    a source and destination network address, some protocol and length information, a block of data, and a checksum. Point-to-Point Protocol PPP. A protocol allowing a computer using TCP/IP to connect directly to the Internet. PPP A protocol allowing a computer using TCP/IP to connect directly to the
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 240
    . Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org. router A device that forwards data between networks. An IP router forwards data based on IP source and destination addresses
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 241
    Reference Manual for the ProSafe VPN Firewall FVS318v3 S Segment A section of a LAN that is connected to the rest of the network using a switch, bridge, or repeater. Subnet Mask Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which
  • Netgear FVS318 | FVS318v3 Reference Manual - Page 242
    the ProSafe VPN Firewall FVS318v3 A Web proxy server is a specialized HTTP server that allows clients access to the Internet from behind a firewall. The proxy server listens for requests from clients within the firewall and forwards these requests to remote Internet servers outside the firewall. The

Reference Manual for the ProSafe VPN Firewall FVS318v3
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10059-02
Version 3
January 2005