Home » Netgear Manuals » Modems » Netgear DG834Gv1 » Manual Viewer

Netgear DG834Gv1 DG834Gv2 Reference Manual - Page 226

Authentication Header (AH), IKE Security Association, E-2

Add to My Manuals
Save this manual to your list of manuals

Page 226 highlights

Reference Manual for the Model Wireless ADSL Firewall Router DG834G The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication. Authentication Header (AH) AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched. Although AH protects the packet's origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses. Figure E-2: Original packet and packet with IPSec Authentication Header IKE Security Association IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs, which together provide a protected, full-duplex data channel. The SAs allow an enterprise to control exactly what resources may communicate securely, according to security policy. To do this an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and business partners. E-4 Virtual Private Networking 202-10006-05, June 2005

Section	Page
Reference Manual for the Model Wireless ADSL Firewall Router DG834G	1
Product and Publication Details	3
Contents	5
Chapter 1 About This Manual	15
Audience, Scope, Conventions, and Formats	15
How to Use This Manual	16
How to Print this Manual	17
Chapter 2 Introduction	19
About the Router	19
Key Features	19
A Powerful, True Firewall	20
802.11 Standards-based Wireless Networking	20
Easy Installation and Management	21
Protocol Support	21
Virtual Private Networking (VPN)	23
Content Filtering	23
Auto Sensing and Auto Uplink™ LAN Ethernet Connections	23
What’s in the Box?	23
The Router’s Front Panel	24
The Router’s Rear Panel	25
Chapter 3 Connecting the Router to the Internet	27
What You Need Before You Begin	27
ADSL Microfilter Requirements	27
ADSL Microfilter	27
ADSL Microfilter with Built-In Splitter	28
Ethernet Cabling Requirements	28
Computer Hardware Requirements	28
LAN Configuration Requirements	28
Internet Configuration Requirements	29
Where Do I Get the Internet Configuration Parameters?	29
Record Your Internet Connection Information	29
Connecting the DG834G to Your LAN	31
How to Connect the Router	31
Auto-Detecting Your Internet Connection Type	35
Wizard-Detected PPPoE Login Account Setup	36
Wizard-Detected PPPoA Login Account Setup	37
Wizard-Detected Dynamic IP Account Setup	37
Wizard-Detected IP Over ATM Account Setup	38
Wizard-Detected Fixed IP (Static) Account Setup	39
Testing Your Internet Connection	40
Manually Configuring Your Internet Connection	40
How to Perform Manual Configuration	41
Internet Connection Requires Login and Uses PPPoE	42
Internet Connection Requires Login and Uses PPPoA	43
Internet Connection Does Note Require A Login	44
ADSL Settings	45
Chapter 4 Wireless Configuration	47
Considerations for a Wireless Network	47
Observe Performance, Placement, and Range Guidelines	47
Implement Appropriate Wireless Security	48
Understanding Wireless Settings	49
How to Set Up and Test Basic Wireless Connectivity	53
How to Restricting Wireless Access to Your Network	54
Restricting Access to Your Network by Turning Off Wireless Connectivity	55
Restricting Wireless Access Based on the Wireless Network Name (SSID)	55
Restricting Wireless Access Based on the Wireless Station Access List	55
Choosing WEP Authentication and Security Encryption Methods	57
Authentication Type Selection	57
Encryption Choices	58
How to Configure WEP	59
How to Configure WPA-PSK	60
Chapter 5 Protecting Your Network	61
Protecting Access to Your DG834G Wireless ADSL Firewall Router	61
How to Change the Built-In Password	61
Changing the Administrator Login Timeout	62
Configuring Basic Firewall Services	62
Blocking Keywords, Sites, and Services	63
How to Block Keywords and Sites	63
Firewall Rules	65
Inbound Rules (Port Forwarding)	66
Inbound Rule Example: A Local Public Web Server	66
Inbound Rule Example: Allowing Videoconferencing	68
Considerations for Inbound Rules	68
Outbound Rules (Service Blocking)	69
Outbound Rule Example: Blocking Instant Messenger	69
Order of Precedence for Rules	71
Services	72
How to Define Services	72
Setting Times and Scheduling Firewall Services	73
How to Set Your Time Zone	73
How to Schedule Firewall Services	74
Chapter 6 Managing Your Network	77
Backing Up, Restoring, or Erasing Your Settings	77
How to Back Up the Configuration to a File	77
How to Restore the Configuration from a File	78
How to Erase the Configuration	78
Upgrading the Router’s Firmware	78
How to Upgrade the Router Firmware	79
Network Management Information	80
Viewing Router Status and Usage Statistics	80
Viewing Attached Devices	85
Viewing, Selecting, and Saving Logged Information	85
Selecting What Information to Log	87
Saving Log Files on a Server	88
Examples of Log Messages	88
Activation and Administration	88
Dropped Packets	88
Enabling Security Event E-mail Notification	89
Running Diagnostic Utilities and Rebooting the Router	90
Enabling Remote Management	91
Configuring Remote Management	91
Chapter 7 Advanced Configuration	93
Configuring Advanced Security	93
Setting Up A Default DMZ Server	93
How to Configure a Default DMZ Server	94
Connect Automatically, as Required	95
Disable Port Scan and DOS Protection	95
Respond to Ping on Internet WAN Port	95
MTU Size	95
Configuring LAN IP Settings	95
DHCP	97
Use Router as DHCP server	97
Reserved IP addresses	98
How to Configure LAN TCP/IP Settings	99
Configuring Dynamic DNS	99
How to Configure Dynamic DNS	100
Using Static Routes	101
Static Route Example	101
How to Configure Static Routes	102
Universal Plug and Play (UPnP)	104
Chapter 8 Virtual Private Networking (Advanced Feature)	107
Overview of VPN Configuration	108
Client-to-Gateway VPN Tunnels	108
Gateway-to-Gateway VPN Tunnels	108
Planning a VPN	109
VPN Tunnel Configuration	112
How to Set Up a Client-to-Gateway VPN Configuration	112
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834G	113
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC	118
How to Set Up a Gateway-to-Gateway VPN Configuration	126
VPN Tunnel Control	133
Activating a VPN Tunnel	133
Using the VPN Status Page to Activate a VPN Tunnel	133
Activate the VPN Tunnel by Pinging the Remote Endpoint	134
Start Using a VPN Tunnel to Active It	136
Verifying the Status of a VPN Tunnel	136
Deactivating a VPN Tunnel	138
Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel	138
Using the VPN Status Page to Deactivate a VPN Tunnel	139
Deleting a VPN Tunnel	141
How to Set Up VPN Tunnels in Special Circumstances	141
Using Auto Policy to Configure VPN Tunnels	142
Configuring VPN Network Connection Parameters	142
Example of Using Auto Policy	147
Using Manual Policy to Configure VPN Tunnels	154
Chapter 9 Troubleshooting	157
Basic Functioning	157
Power LED Not On	158
Test LED Never Turns On or Test LED Stays On	158
LAN or WAN Port LEDs Not On	158
Troubleshooting the Web Configuration Interface	159
Troubleshooting the ISP Connection	160
ADSL link	160
WAN LED Blinking Yellow	160
WAN LED Off	160
Obtaining a WAN IP Address	161
Troubleshooting PPPoE or PPPoA	162
Troubleshooting Internet Browsing	162
Troubleshooting a TCP/IP Network Using the Ping Utility	163
Testing the LAN Path to Your Router	163
Testing the Path from Your Computer to a Remote Device	164
Restoring the Default Configuration and Password	165
Using the Reset button	165
Problems with Date and Time	165
Appendix A Technical Specifications	167
Appendix B Network and Routing Basics	169
Related Publications	169
Basic Router Concepts	169
What is a Router?	169
Routing Information Protocol	170
IP Addresses and the Internet	170
Netmask	172
Subnet Addressing	172
Private IP Addresses	175
Single IP Address Operation Using NAT	175
MAC Addresses and Address Resolution Protocol	176
Related Documents	177
Domain Name Server	177
IP Configuration by DHCP	177
Internet Security and Firewalls	178
What is a Firewall?	178
Stateful Packet Inspection	178
Denial of Service Attack	179
Ethernet Cabling	179
Category 5 Cable Quality	179
Inside Twisted Pair Cables	180
Uplink Switches, Crossover Cables, and MDI/MDIX Switching	181
Appendix C Preparing Your Network	183
Preparing Your Computers for TCP/IP Networking	183
Configuring Windows 95, 98, and Me for TCP/IP Networking	184
Installing or Verifying Windows Networking Components	184
Enabling DHCP to Automatically Configure TCP/IP Settings in Windows 95B, 98, and Me	186
Selecting the Windows’ Internet Access Method	188
Verifying TCP/IP Properties	188
Configuring Windows NT4, 2000 or XP for IP Networking	189
Installing or Verifying Windows Networking Components	189
DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4	190
DHCP Configuration of TCP/IP in Windows XP	190
DHCP Configuration of TCP/IP in Windows 2000	192
DHCP Configuration of TCP/IP in Windows NT4	195
Verifying TCP/IP Properties for Windows XP, 2000, and NT4	197
Configuring the Macintosh for TCP/IP Networking	198
MacOS 8.6 or 9.x	198
MacOS X	198
Verifying TCP/IP Properties for Macintosh Computers	199
Verifying the Readiness of Your Internet Account	200
Are Login Protocols Used?	200
What Is Your Configuration Information?	200
Obtaining ISP Configuration Information for Windows Computers	201
Obtaining ISP Configuration Information for Macintosh Computers	202
Restarting the Network	203
Appendix D Wireless Networking Basics	205
Wireless Networking Overview	205
Infrastructure Mode	205
Ad Hoc Mode (Peer-to-Peer Workgroup)	206
Network Name: Extended Service Set Identification (ESSID)	206
Authentication and WEP Data Encryption	206
802.11 Authentication	207
Open System Authentication	207
Shared Key Authentication	208
Overview of WEP Parameters	209
Key Size	210
WEP Configuration Options	211
Wireless Channels	211
WPA Wireless Security	212
How Does WPA Compare to WEP?	213
How Does WPA Compare to IEEE 802.11i?	214
What are the Key Features of WPA Security?	214
WPA Authentication: Enterprise-level User Authentication via 802.1x/EAP and RADIUS	216
WPA Data Encryption Key Management	218
Is WPA Perfect?	220
Product Support for WPA	220
Supporting a Mixture of WPA and WEP Wireless Clients is Discouraged	220
Changes to Wireless Access Points	220
Changes to Wireless Network Adapters	221
Changes to Wireless Client Programs	222
Appendix E Virtual Private Networking	223
What is a VPN?	223
What Is IPSec and How Does It Work?	224
IPSec Security Features	224
IPSec Components	224
Encapsulating Security Payload (ESP)	225
Authentication Header (AH)	226
IKE Security Association	226
Mode	227
Key Management	228
Understand the Process Before You Begin	228
VPN Process Overview	229
Network Interfaces and Addresses	229
Interface Addressing	229
Firewalls	230
Setting Up a VPN Tunnel Between Gateways	230
VPNC IKE Security Parameters	232
VPNC IKE Phase I Parameters	232
VPNC IKE Phase II Parameters	233
Testing and Troubleshooting	233
Additional Reading	233
Appendix F NETGEAR VPN Configuration	235
DG834G to FVL328	235
Configuration Profile	235
Step-By-Step Configuration	236
DG834G with FQDN to FVL328	240
Configuration Profile	240
The Use of a Fully Qualified Domain Name (FQDN)	241
Step-By-Step Configuration	242
Configuration Summary (Telecommuter Example)	247
Setting Up the Client-to-Gateway VPN Configuration (Telecommuter Example)	248
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer’s Main Office	248
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter’s Home Office	250
Monitoring the VPN Tunnel (Telecommuter Example)	259
Viewing the PC Client’s Connection Monitor and Log Viewer	259
Viewing the VPN Router’s VPN Status and Log Information	261

Match case Limit results 1 per page

Reference Manual for the Model Wireless ADSL Firewall Router DG834G

E-4

Virtual Private Networking

202-10006-05, June 2005

The ESP header is inserted into the packet between the IP header and any subsequent packet

contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt

the ESP header, nor does it encrypt the ESP authentication.

Authentication Header (AH)

AH provides authentication and integrity, which protect against data tampering, using the same

algorithms as ESP. AH also provides optional anti-replay protection, which protects against

unauthorized retransmission of packets. The authentication header is inserted into the packet

between the IP header and any subsequent packet contents. The payload is not touched.

Although AH protects the packet’s origin, destination, and contents from being tampered with, the

identity of the sender and receiver is known. In addition, AH does not protect the data’s

confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP

protects data confidentiality. For added protection in certain cases, AH and ESP can be used

together. In the following table, IP HDR represents the IP header and includes both source and

destination IP addresses.

Figure E-2:

Original packet and packet with IPSec Authentication Header

IKE Security Association

IPSec introduces the concept of the Security Association (SA). An SA is a logical connection

between two devices transferring data. An SA provides data protection for unidirectional traffic by

using the defined IPSec protocols. An IPSec tunnel typically consists of two unidirectional SAs,

which together provide a protected, full-duplex data channel.

The SAs allow an enterprise to control exactly what resources may communicate securely,

according to security policy. To do this an enterprise can set up multiple SAs to enable multiple

secure VPNs, as well as define SAs within the VPN to support different departments and business

partners.