Home » Netgear Manuals » Wireless » Netgear FWG114P » Manual Viewer

Netgear FWG114P FWG114P Reference Manual - Page 102

Using Policies to Manage VPN Traffic, Using Automatic Key Management, IKE Policies

UPC - 606449029819

Add to My Manuals
Save this manual to your list of manuals

Page 102 highlights

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P Using Policies to Manage VPN Traffic You create policy definitions to manage VPN traffic on the FWG114P. There are two kinds of policies: • IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an IKE policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption. • VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters. Since the VPN policies use the IKE policies, you define the IKE policy first. The FWG114P also allows you to manually input the authentication scheme and encryption key values. In the case of manual key management there will not be any IKE policies. In order to establish secure communication over the Internet with the remote site you need to configure matching VPN policies on both the local and remote FWG114P Wireless Firewall/Print Servers. The outbound VPN policy on one end must match to the inbound VPN policy on other end, and vice versa. When the network traffic enters into the FWG114P from the LAN network interface, if there is no VPN policy found for a type of network traffic, then that traffic passes through without any change. However, if the traffic is selected by a VPN policy, then the IPSec authentication and encryption rules will be applied to it as defined in the VPN policy. By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy table. Using Automatic Key Management The most common configuration scenarios will use IKE policies to automatically manage the authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel are generated automatically. The IKE protocols perform negotiations between the two VPN endpoints to automatically generate required parameters. Some organizations will use an IKE policy with a Certificate Authority (CA) to perform authentication. Typically, CA authentication is used in large organizations which maintain their own internal CA server. This requires that each VPN gateway has a certificate from the CA. Using CAs reduces the amount of data entry required on each VPN endpoint. 8-2 Virtual Private Networking March 2004, 202-10027-01

Section	Page
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P	1
Contents	5
Chapter 1 About This Manual	15
Audience, Conventions, Scope	15
How to Use this Manual	16
How to Print this Manual	17
Chapter 2 Introduction	19
Key Features of the FWG114P	19
Full Routing on Both the Broadband and Serial Ports	20
802.11g and 802.11b Wireless Networking	20
Virtual Private Networking	21
A Powerful, True Firewall with Content Filtering	21
Security	22
Autosensing Ethernet Connections with Auto Uplink	22
Extensive Protocol Support	22
Easy Installation and Management	23
Package Contents	24
The FWG114P Front Panel	25
The FWG114P Rear Panel	26
Chapter 3 Connecting the FWG114P to the Internet	27
What You Will Need Before You Begin	27
Cabling and Computer Hardware Requirements	27
Computer Network Configuration Requirements	27
Internet Configuration Requirements	28
Where Do I Get the Internet Configuration Parameters?	28
Record Your Internet Connection Information	29
Connecting the FWG114P Wireless Firewall/Print Server	30
Verify That Basic Requirements Are Met	30
Basic Setup Troubleshooting Tips	35
FWG114P Setup Wizard Auto Detection	35
Wizard-Detected Login Account Setup	36
Wizard-Detected Dynamic IP Account Setup	38
Wizard-Detected Fixed IP Account Setup	39
How to Configure the Serial Port as the Primary Internet Connection	40
Testing Your Internet Connection	42
Manually Configuring Your Internet Connection	43
How to Manually Configure the Primary Internet Connection	44
Chapter 4 Wireless Configuration	47
Observing Performance, Placement, and Range Guidelines	47
Implementing Appropriate Wireless Security	48
Understanding Wireless Settings	49
Default Factory Settings	53
Before You Change the SSID and WEP Settings	54
How to Set Up and Test Basic Wireless Connectivity	55
How to Restrict Wireless Access by MAC Address	56
How to Configure WEP	57
How to Configure WPA	58
How to Configure WPA-PSK	59
Chapter 5 Serial Port Configuration	61
Configuring a Serial Port Modem	62
Basic Requirements for Serial Port Modem Configuration	62
How to Configure a Serial Port Modem	62
Configuring Auto-Rollover	63
Basic Requirements for Auto-Rollover	63
How to Configure Auto-Rollover	63
Configuring Dial-in on the Serial Port	64
Basic Requirements for Dial-in	65
How to Configure Dial-in	65
Configuring LAN-to-LAN Settings	66
Basic Requirements for LAN-to-LAN Connections	66
How to Configure LAN-to-LAN Connections	66
Chapter 6 Firewall Protection and Content Filtering	69
Firewall Protection and Content Filtering Overview	69
Using the Block Sites Menu to Screen Content	69
Services and Rules Regulate Inbound and Outbound Traffic	71
Defining a Service	71
Using Inbound/Outbound Rules to Block or Allow Services	72
Examples of Using Services and Rules to Regulate Traffic	74
Inbound Rules (Port Forwarding)	74
Example: Port Forwarding to a Local Public Web Server	75
Example: Port Forwarding for Videoconferencing	76
Example: Port Forwarding for VPN Tunnels when NAT is Off	76
Outbound Rules (Service Blocking or Port Filtering)	77
Outbound Rule Example: Blocking Instant Messaging	78
Other Rules Considerations	78
Order of Precedence for Rules	79
Rules Menu Options	79
Using a Schedule to Block or Allow Content or Traffic	80
Setting the Time Zone	81
Getting E-Mail Notifications of Event Logs and Alerts	81
Viewing Logs of Web Access or Attempted Web Access	84
What to Include in the Event Log	85
Chapter 7 Print Server	87
Printing Options	87
For Windows XP and 2000, Use TCP/IP LPR Printing	88
For Windows 95/98/Me, Use the Netgear Printer Port Driver	91
Printing from the Macintosh	94
Windows Printer Port Management	95
Troubleshooting the Print Server	97
Chapter 8 Virtual Private Networking	101
Overview of FWG114P Policy-Based VPN Configuration	101
Using Policies to Manage VPN Traffic	102
Using Automatic Key Management	102
IKE Policies’ Automatic Key and Authentication Management	103
VPN Policy Configuration for Auto Key Negotiation	106
VPN Policy Configuration for Manual Key Exchange	109
Using Digital Certificates for IKE Auto-Policy Authentication	114
Certificate Revocation List (CRL)	114
Walk-Through of Configuration Scenarios on the FWG114P	115
How to Use the VPN Wizard to Configure a VPN Tunnel	115
VPNC Scenario 1: Gateway to Gateway with Preshared Secrets	119
Scenario 1: FWG114P to FWG114P with Preshared Secrets	120
How to Check VPN Connections	124
VPNC Scenario 2: Gateway-to-Gateway with Certificates	125
Scenario 2: FWG114P to FWG114P with Certificates	126
Netgear VPN Client to FWG114P	132
Configuration Profile	132
Step-By-Step Configuration of FWG114P Gateway	133
Step-By-Step Configuration of the Netgear VPN Client	138
Testing the VPN Connection	145
From the Client PC to the FWG114P	145
From the FWG114P to the Client PC	146
Monitoring the PC VPN Connection	146
Viewing the FWG114P VPN Status and Log Information	147
Chapter 9 Maintenance	149
Viewing Wireless Firewall/Print Server Status Information	149
Viewing a List of Attached Devices	153
Upgrading the Router Software	154
Configuration File Management	154
Restoring and Backing Up the Configuration	155
Erasing the Configuration	156
Changing the Administrator Password	156
Chapter 10 Advanced Configuration	157
Using the WAN Setup Options	157
How to Configure Dynamic DNS	159
Using the LAN IP Setup Options	161
Configuring LAN TCP/IP Setup Parameters	161
Using the Router as a DHCP server	163
Using Address Reservation	163
Configuring Static Routes	164
Enabling Remote Management Access	166
Using Universal Plug and Play (UPnP)	167
Advanced Wireless Settings	168
Chapter 11 Troubleshooting	171
Basic Functioning	171
Power LED Not On	171
LEDs Never Turn Off	172
LAN or Internet Port LEDs Not On	172
Troubleshooting the Web Configuration Interface	173
Troubleshooting the ISP Connection	174
Troubleshooting a TCP/IP Network Using a Ping Utility	175
Testing the LAN Path to Your Router	175
Testing the Path from Your Computer to a Remote Device	176
Restoring the Default Configuration and Password	177
Problems with Date and Time	177
Appendix A Technical Specifications	179
Appendix B Networks, Routing, and Firewall Basics	181
Related Publications	181
Basic Router Concepts	181
What is a Router?	181
Routing Information Protocol	182
IP Addresses and the Internet	182
Netmask	184
Subnet Addressing	184
Private IP Addresses	187
Single IP Address Operation Using NAT	187
MAC Addresses and Address Resolution Protocol	189
Related Documents	189
Domain Name Server	189
IP Configuration by DHCP	190
Internet Security and Firewalls	190
What is a Firewall?	191
Stateful Packet Inspection	191
Denial of Service Attack	191
Ethernet Cabling	191
Category 5 Cable Quality	192
Inside Twisted Pair Cables	193
Uplink Switches, Crossover Cables, and MDI/MDIX Switching	194
Appendix C Preparing Your Network	197
Preparing Your Computers for TCP/IP Networking	197
Configuring Windows 95, 98, and Me for TCP/IP Networking	198
Install or Verify Windows Networking Components	198
Enabling DHCP to Automatically Configure TCP/IP Settings	200
Selecting Windows’ Internet Access Method	200
Verifying TCP/IP Properties	201
Configuring Windows NT, 2000 or XP for IP Networking	201
Installing or Verifying Windows Networking Components	201
Verifying TCP/IP Properties	202
Configuring the Macintosh for TCP/IP Networking	202
MacOS 8.6 or 9.x	202
MacOS X	203
Verifying TCP/IP Properties for Macintosh Computers	204
Verifying the Readiness of Your Internet Account	205
Are Login Protocols Used?	205
What Is Your Configuration Information?	205
Obtaining ISP Configuration Information for Windows Computers	206
Obtaining ISP Configuration Information for Macintosh Computers	207
Restarting the Network	208
Appendix D Firewall Log Formats	209
Action List	209
Field List	209
Outbound Log	209
Inbound Log	210
Other IP Traffic	210
Router Operation	211
Other Connections and Traffic to this Router	212
DoS Attack/Scan	212
Access Block Site	214
All Web Sites and News Groups Visited	214
System Admin Sessions	214
Policy Administration LOG	215
Appendix E Wireless Networking Basics	217
Wireless Networking Overview	217
Infrastructure Mode	217
Ad Hoc Mode (Peer-to-Peer Workgroup)	218
Network Name: Extended Service Set Identification (ESSID)	218
Authentication and WEP Data Encryption	218
802.11 Authentication	219
Open System Authentication	219
Shared Key Authentication	220
Overview of WEP Parameters	221
Key Size	222
WEP Configuration Options	223
Wireless Channels	223
WPA Wireless Security	224
How Does WPA Compare to WEP?	225
How Does WPA Compare to IEEE 802.11i?	226
What are the Key Features of WPA Security?	226
WPA Authentication: Enterprise-level User Authentication via 802.1x/EAP and RADIUS	228
WPA Data Encryption Key Management	230
Is WPA Perfect?	232
Product Support for WPA	232
Supporting a Mixture of WPA and WEP Wireless Clients is Discouraged	232
Changes to Wireless Access Points	233
Changes to Wireless Network Adapters	233
Changes to Wireless Client Programs	234
Appendix F Virtual Private Networking	235
What is a VPN?	235
What is IPSec and How Does It Work?	236
IPSec Security Features	236
IPSec Components	236
Encapsulating Security Payload (ESP)	237
Authentication Header (AH)	238
IKE Security Association	238
Mode	239
Key Management	240
Understand the Process Before You Begin	240
VPN Process Overview	241
Network Interfaces and Addresses	241
Interface Addressing	241
Firewalls	242
Setting Up a VPN Tunnel Between Gateways	242
VPNC IKE Security Parameters	244
VPNC IKE Phase I Parameters	244
VPNC IKE Phase II Parameters	245
Testing and Troubleshooting	245
Additional Reading	245
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 to FWG114P	247
Configuration Template	247
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	248
Step-By-Step Configuration of FWG114P Gateway B	251
Test the VPN Connection	255
Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328	257
Configuration Template	257
Using DDNS and Fully Qualified Domain Names (FQDN)	258
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	259
Step-By-Step Configuration of FVS328 Gateway B	263
Test the VPN Connection	267
Glossary	269
List of Glossary Terms	269

Match case Limit results 1 per page

Reference Manual for the ProSafe Wireless 802.11g

Firewall/Print Server Model FWG114P

8-2

Virtual Private Networking

March 2004, 202-10027-01

Using Policies to Manage VPN Traffic

You create policy definitions to manage VPN traffic on the FWG114P. There are two kinds of

policies:

•

IKE Policies

: Define the authentication scheme and automatically generate the encryption

keys. As an alternative option, to further automate the process, you can create an IKE policy

which uses a trusted certificate authority to provide the authentication while the IKE policy

still handles the encryption.

•

VPN Policies

: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you

can create a VPN policy which does not use an IKE policy but in which you manually enter all

the authentication and key parameters.

Since the VPN policies use the IKE policies, you define the IKE policy first. The FWG114P also

allows you to manually input the authentication scheme and encryption key values. In the case of

manual key management there will not be any IKE policies.

In order to establish secure communication over the Internet with the remote site you need to

configure matching VPN policies on both the local and remote FWG114P Wireless Firewall/Print

Servers. The outbound VPN policy on one end must match to the inbound VPN policy on other

end, and vice versa.

When the network traffic enters into the FWG114P from the LAN network interface, if there is no

VPN policy found for a type of network traffic, then that traffic passes through without any

change. However, if the traffic is selected by a VPN policy, then the IPSec authentication and

encryption rules will be applied to it as defined in the VPN policy.

By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy

table.

Using Automatic Key Management

The most common configuration scenarios will use IKE policies to automatically manage the

authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel

are generated automatically. The IKE protocols perform negotiations between the two VPN

endpoints to automatically generate required parameters.

Some organizations will use an IKE policy with a Certificate Authority (CA) to perform

authentication. Typically, CA authentication is used in large organizations which maintain their

own internal CA server. This requires that each VPN gateway has a certificate from the CA. Using

CAs reduces the amount of data entry required on each VPN endpoint.