Home » Netgear Manuals » Network Security & Firewall Devices » Netgear FVS336G-100NAS » Manual Viewer

Netgear FVS336G-100NAS Reference Manual - Page 113

Extended Authentication (XAUTH) Configuration, Edge Device.

View all Netgear FVS336G-100NAS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 113 highlights

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button. b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose the DiffieHellman Group 2 from the PFS Key Group pull-down menu. c. Enable Replay Detection should be checked. 4. Click on Authentication (Phase 1) on the left-side of the menu and choose Proposal 1. Enter the Authentication values to match those in the VPN firewall ModeConfig Record menu. 5. Click on Key Exchange (Phase 2) on the left-side of the menu and choose Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours [28800 seconds] 6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client. To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case "My Connections\modecfg_test". 2. Click on the connection. Within 30 seconds the message "Successfully connected to MyConnections/modecfg_test is displayed and the VPN client icon in the toolbar will read "On". 3. From the client PC, ping a computer on the VPN firewall LAN. Extended Authentication (XAUTH) Configuration When connecting many VPN clients to a VPN firewall, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN firewall to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local User Database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available: • Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP. Virtual Private Networking Using IPsec v1.0, October 2007 5-25

Section	Page
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats, and Scope	13
How to Use This Manual	14
How to Print this Manual	14
Revision History	15
Chapter 1 Introduction	17
Key Features	17
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	18
Advanced VPN Support for Both IPsec and SSL	18
A Powerful, True Firewall with Content Filtering	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	20
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
Front Panel Features	22
Rear Panel Features	23
Default IP Address, Login Name, and Password Location	24
Qualified Web Browsers	24
Chapter 2 Connecting the FVS336G to the Internet	27
Understanding the Connection Steps	27
Logging into the VPN Firewall Router	28
Navigating the Menus	30
Configuring the Internet Connections	31
Automatically Detecting and Connecting	31
Manually Configuring the Internet Connection	35
Configuring the WAN Mode (Required for Dual WAN)	38
Network Address Translation	39
Classical Routing	39
Configuring Auto-Rollover Mode	40
Configuring Load Balancing	42
Configuring Dynamic DNS (Optional)	44
Configuring the Advanced WAN Options (Optional)	46
Additional WAN Related Configuration	48
Chapter 3 LAN Configuration	49
Using the VPN Firewall as a DHCP server	49
Configuring the LAN Setup Options	50
Managing Groups and Hosts (LAN Groups)	53
Viewing the LAN Groups Database	54
Changing Group Names in the LAN Groups Database	55
Configuring DHCP Address Reservation	56
Configuring Multi Home LAN IP Addresses	57
Configuring Static Routes	58
Configuring Static Routes	58
Configuring Routing Information Protocol (RIP)	60
Chapter 4 Firewall Protection and Content Filtering	63
About Firewall Protection and Content Filtering	63
Using Rules to Block or Allow Specific Kinds of Traffic	64
Services-Based Rules	64
Order of Precedence for Rules	69
Setting the Default Outbound Policy	69
Creating a LAN WAN Outbound Services Rule	70
Creating a LAN WAN Inbound Services Rule	71
Attack Checks	72
Inbound Rules Examples	74
Outbound Rules Example	78
Adding Customized Services	78
Setting Quality of Service (QoS) Priorities	79
Setting a Schedule to Block or Allow Specific Traffic	80
Setting Block Sites (Content Filtering)	81
Enabling Source MAC Filtering	84
Port Triggering	85
E-Mail Notifications of Event Logs and Alerts	87
Administrator Tips	87
Chapter 5 Virtual Private Networking Using IPsec	89
Considerations for Dual WAN Port Systems	89
Configuring an IPsec VPN Connection using the VPN Wizard	92
Creating a VPN Tunnel to a Gateway	93
Creating a VPN Tunnel Connection to a VPN Client	96
Managing VPN Tunnel Policies	101
About IKE	102
Managing IKE Policies	102
About the IKE Policy Table	102
VPN Policy	103
VPN Tunnel Connection Status	105
Creating a VPN Client Connection: VPN Client to FVS336G	105
Configuring the FVS336G	105
Configuring the VPN Client	106
Testing the Connection	107
Manually Assigning IP Addresses to Remote Users (ModeConfig)	108
Mode Config Operation	108
Configuring the VPN Firewall	108
Configuring the ProSafe VPN Client for ModeConfig	112
Extended Authentication (XAUTH) Configuration	113
Configuring XAUTH for VPN Clients	114
User Database Configuration	115
RADIUS Client Configuration	115
Chapter 6 Virtual Private Networking Using SSL Connections	119
Understanding the Portal Options	119
Planning for SSL VPN	120
Creating the Portal Layout	121
Configuring Domains, Groups, and Users	125
Configuring Applications for Port Forwarding	125
Adding Servers	126
Adding A New Host Name	127
Configuring the SSL VPN Client	128
Configuring the Client IP Address Range	129
Adding Routes for VPN Tunnel Clients	130
Replacing and Deleting Client Routes	130
Using Network Resource Objects to Simplify Policies	131
Adding New Network Resources	131
Configuring User, Group, and Global Policies	133
Viewing Policies	134
Adding a Policy	135
Chapter 7 Managing Users, Authentication, and Certificates	139
Adding Authentication Domains, Groups, and Users	139
Creating a Domain	139
Creating a Group	141
Creating a New User Account	142
Setting User Login Policies	144
Managing Certificates	147
Viewing and Loading CA Certificates	147
Viewing Active Self Certificates	148
Obtaining a Self Certificate from a Certificate Authority	149
Managing your Certificate Revocation List (CRL)	152
Chapter 8 Router and Network Management	155
Performance Management	155
Bandwidth Capacity	155
Features That Reduce Traffic	156
Features That Increase Traffic	159
Using QoS to Shift the Traffic Mix	162
Tools for Traffic Management	162
Changing Passwords and Administrator Settings	162
Enabling Remote Management Access	164
Using an SNMP Manager	166
Settings Backup and Firmware Upgrade	168
Configuring Date and Time Service	170
Chapter 9 Monitoring System Performance	173
Enabling the Traffic Meter	173
Activating Notification of Events and Alerts	176
Viewing Firewall Logs	178
Viewing Router Configuration and System Status	179
Monitoring the Status of WAN Ports	181
Monitoring Attached Devices	182
Reviewing the DHCP Log	184
Monitoring Active Users	185
Viewing Port Triggering Status	185
Monitoring VPN Tunnel Connection Status	187
Reviewing the VPN Logs	188
Chapter 10 Troubleshooting	189
Basic Functions	189
Power LED Not On	190
LEDs Never Turn Off	190
LAN or WAN Port LEDs Not On	190
Troubleshooting the Web Configuration Interface	191
Troubleshooting the ISP Connection	192
Troubleshooting a TCP/IP Network Using a Ping Utility	193
Testing the LAN Path to Your VPN Firewall	193
Testing the Path from Your PC to a Remote Device	194
Restoring the Default Configuration and Password	195
Problems with Date and Time	195
Diagnostics Functions	196
Appendix A Default Settings and Technical Specifications	199
Appendix B Related Documents	203
Appendix C Network Planning for Dual WAN Ports	205
What You Will Need to Do Before You Begin	205
Cabling and Computer Hardware Requirements	207
Computer Network Configuration Requirements	207
Internet Configuration Requirements	208
Where Do I Get the Internet Configuration Parameters?	208
Internet Connection Information Form	209
Overview of the Planning Process	210
Inbound Traffic	210
Virtual Private Networks (VPNs)	210
The Roll-over Case for Firewalls With Dual WAN Ports	211
The Load Balancing Case for Firewalls With Dual WAN Ports	211
Inbound Traffic	212
Inbound Traffic to Single WAN Port (Reference Case)	212
Inbound Traffic to Dual WAN Port Systems	212
Virtual Private Networks (VPNs)	214
VPN Road Warrior (Client-to-Gateway)	215
VPN Gateway-to-Gateway	218
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	221

Match case Limit results 1 per page

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

Virtual Private Networking Using IPsec

5-25

v1.0, October 2007

Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio

button.

Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose the Diffie-

Hellman Group 2 from the PFS Key Group pull-down menu.

Enable Replay Detection should be checked.

Click on Authentication (Phase 1) on the left-side of the menu and choose Proposal 1. Enter

the Authentication values to match those in the VPN firewall ModeConfig Record menu.

Click on Key Exchange (Phase 2) on the left-side of the menu and choose Proposal 1. Enter

the values to match your configuration of the VPN firewall ModeConfig Record menu. (The

SA Lifetime can be longer, such as 8 hours [28800 seconds]

Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client.

To test the connection:

Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection

policy you configured will appear; in this case “My Connections\modecfg_test”.

Click on the connection. Within 30 seconds the message “Successfully connected to

MyConnections/modecfg_test is displayed and the VPN client icon in the toolbar will read

“On”.

From the client PC, ping a computer on the VPN firewall LAN.

Extended Authentication (XAUTH) Configuration

When connecting many VPN clients to a VPN firewall, an administrator may want a unique user

authentication method beyond relying on a single common preshared key for all clients. Although

the administrator could configure a unique VPN policy for each user, it is more convenient for the

VPN firewall to authenticate users from a stored list of user accounts. XAUTH provides the

mechanism for requesting individual authentication information from the user, and a local User

Database or an external authentication server, such as a RADIUS server, provides a method for

storing the authentication information centrally in the local network.

XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are

available:

•

Edge Device.

If this is selected, the VPN firewall is used as a VPN concentrator where one or

more gateway tunnels terminate. If this option is chosen, you must specify the authentication

type to be used in verifying credentials of the remote VPN gateways: User Database,

RADIUS-PAP, or RADIUS-CHAP.