Home » Netgear Manuals » Network Security & Firewall Devices » Netgear FVS318N » Manual Viewer

Netgear FVS318N FVS318 Reference Manual - Page 66

Understanding How FVS318 VPN Tunnels Are Con d, Connection., Security Association SA. - cannot open tunnel

Add to My Manuals
Save this manual to your list of manuals

Page 66 highlights

Reference Manual for the Model FVS318 Broadband ProSafe VPN Firewall VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running VPN client software. The FVS318 VPN Firewall router on your network is the other tunnel endpoint • The FVS318 VPN Firewall supports up to eight concurrent tunnels. These scenarios are described below. Note: The FVS318 VPN Firewall uses industry standard VPN protocols. However, due to variations in how manufacturers interpret these standards, many VPN products do not interoperate. NETGEAR provides support for connections between NETGEAR VPN Firewalls, and between an FVS318 VPN Firewall and the SafeNet SoftRemote VPN Client for Windows. This manual is written based on tests with the FVS318 and versions 8 and 9 of the SafeNet client. Although the FVS318 can interoperate with many other VPN products, it is not possible for NETGEAR to provide specific technical support for every other interconnection. Please see NETGEAR's web site for additional VPN information. Understanding How FVS318 VPN Tunnels Are Configured You create VPN tunnels definitions via the VPN Settings link under the Setup section of the main menu on the FVS318. The VPN tunnel configuration consists of these two kinds of information: • Connection. Identifies the VPN endpoints by IPSec ID, IP address, or a fully qualified domain name (FQDN). Note: A FQDN is the complete URL of the router. Using a dynamic DNS service for a FVS318 with a dynamically-assigned IP address enables that FVS318 to both initiate and respond to requests to open a VPN tunnel. Otherwise, a FVS318 with a dynamically-assigned IP address can only initiate a request to open a VPN tunnel because no other initiators can know its IP address. • Security Association (SA). There are three kinds of SA key exchange modes: - IKE Main Mode: Uses the Internet Key Exchange (IKE) protocol to define the authentication scheme and automatically generate the encryption keys. Main Mode authentication is slightly slower than Aggressive Mode but more secure. - IKE Aggressive Mode: Uses the IKE protocol to define the authentication scheme and automatically generate the encryption keys. Aggressive Mode authentication is slightly faster than Main Mode but less secure. 6-2 Virtual Private Networking M-10146-01

Section	Page
Reference Manual for the Model FVS318 Broadband ProSafe VPN Firewall	1
Contents	5
Chapter 1 About This Manual	13
Audience	13
Scope	13
Typographical Conventions	14
Special Message Formats	14
How to Use the HTML Version of this Manual	15
How to Print this Manual	16
Chapter 2 Introduction	17
About the FVS318	17
Key Features	17
Virtual Private Networking (VPN)	17
A Powerful, True Firewall	18
Content Filtering	18
Configurable Auto Uplink™ Ethernet Connection	18
Protocol Support	19
Easy Installation and Management	20
What’s in the Box?	21
The Firewall’s Front Panel	21
The Firewall’s Rear Panel	22
Chapter 3 Connecting the Firewall to the Internet	23
What You Will Need Before You Begin	23
LAN Hardware Requirements	23
Computer Requirements	23
Cable or DSL Modem Requirement	23
LAN Configuration Requirements	24
Internet Configuration Requirements	24
Where Do I Get the Internet Configuration Parameters?	24
Worksheet for Recording Your Internet Connection Information	25
How to Connect the FVS318 VPN Firewall	26
Wizard-Detected PPPoE Option	31
Wizard-Detected Dynamic IP Option	32
Wizard-Detected Fixed IP (Static) Option	33
Testing Your Internet Connection	34
How to Manually Configure Your Internet Connection	35
Chapter 4 Protecting Your Network	39
Protecting Access to Your FVS318 VPN Firewall	39
How to Change the Built-In Password	39
How to Change the Administrator Login Timeout	40
Using Basic Firewall Services	40
How to Block Keywords and Sites	41
How to Block or Allow Services	43
How to Add to the List of Services	45
Setting Times and Scheduling Firewall Services	48
How to Set Your Time Zone	48
How to Schedule Firewall Services	49
Chapter 5 Advanced WAN and LAN Configuration	51
Configuring Advanced WAN Settings	51
Setting Up A Default DMZ Server	51
Enabling Access to Local Servers Through a FVS318	52
How to Configure Port Forwarding to Local Servers	52
Respond to Ping on Internet WAN Port	53
How to Support Internet Services, Applications, or Games	53
How to Clear a Port Assignment	54
Local Web and FTP Server Example	54
How to Set Up Computers for Half Life, KALI or Quake III	54
Working with LAN IP Settings	55
What Does UPnP Support Do for Me?	55
How to Enable UPnP	56
Understanding LAN TCP/IP Setup Parameters	57
Setting the MTU Size	58
Using the Router as a DHCP Server	58
How to Specify Reserved IP Addresses	59
How to Configure LAN TCP/IP Settings	60
How to Configure Dynamic DNS	61
Using Static Routes	62
Static Route Example	62
How to Configure Static Routes	63
Chapter 6 Virtual Private Networking	65
Overview of VPN Configuration	65
Understanding How FVS318 VPN Tunnels Are Configured	66
Configuring VPN Network Connection Parameters	67
Configuring a SA Using IKE Main Mode	69
Configuring a SA Using IKE Aggressive Mode	70
Configuring a SA Using Manual Key Management	71
Planning a VPN	73
How to Configure a Network to Network VPN Tunnel	75
How to Configure a Remote PC to Network VPN	80
Monitoring the PC VPN Connection Using SafeNet Tools	90
How to Configure Manual Keys as an Alternative to IKE	92
How to Delete a Security Association	94
Blank VPN Tunnel Configuration Worksheets	95
Chapter 7 Managing Your Network	97
Network Management Information	97
Viewing Router Status and Usage Statistics	97
Viewing Attached Devices	100
Viewing, Selecting, and Saving Logged Information	101
Selecting What Information to Log	102
Saving Log Files on a Server	103
Examples of log messages	103
Activation and Administration	103
Dropped Packets	103
Enabling Security Event E-mail Notification	104
Backing Up, Restoring, or Erasing Your Settings	105
How to Back Up the Configuration to a File	105
How to Restore a Configuration from a File	106
How to Erase the Configuration	107
Running Diagnostic Utilities and Rebooting the Router	107
How to Enable Remote Management	108
How to Upgrade the Router’s Firmware	109
Chapter 8 Troubleshooting	111
Basic Functions	111
Power LED Not On	112
Test LED Never Turns On or Test LED Stays On	112
Local or Internet Port Link LEDs Not On	112
Troubleshooting the Web Configuration Interface	113
Troubleshooting the ISP Connection	114
Troubleshooting a TCP/IP Network Using a Ping Utility	115
Testing the LAN Path to Your Firewall	116
Testing the Path from Your PC to a Remote Device	116
Restoring the Default Configuration and Password	117
Problems with Date and Time	118
Appendix A Technical Specifications	119
Technical Specifications	119
Appendix B Networks, Routing, and Firewall Basics	121
Related Publications	121
Basic Router Concepts	121
What is a Router?	121
Routing Information Protocol	122
IP Addresses and the Internet	122
Netmask	124
Subnet Addressing	124
Private IP Addresses	127
Single IP Address Operation Using NAT	128
MAC Addresses and Address Resolution Protocol	129
Related Documents	129
Domain Name Server	129
IP Configuration by DHCP	130
Internet Security and Firewalls	130
What is a Firewall?	131
Stateful Packet Inspection	131
Denial of Service Attack	131
Ethernet Cabling	131
Category 5 Cable Quality	132
Inside Twisted Pair Cables	133
Uplink Switches, Crossover Cables, and MDI/MDIX Switching	134
Appendix C Preparing Your Network	137
Preparing Your Computers for TCP/IP Networking	137
Configuring Windows 95, 98, and Me for TCP/IP Networking	138
Install or Verify Windows Networking Components	138
Enabling DHCP to Automatically Configure TCP/IP Settings	140
Selecting Windows’ Internet Access Method	142
Verifying TCP/IP Properties	142
Configuring Windows NT4, 2000 or XP for IP Networking	143
Install or Verify Windows Networking Components	143
DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4	144
DHCP Configuration of TCP/IP in Windows XP	144
DHCP Configuration of TCP/IP in Windows 2000	146
DHCP Configuration of TCP/IP in Windows NT4	149
Verifying TCP/IP Properties for Windows XP, 2000, and NT4	150
Configuring the Macintosh for TCP/IP Networking	151
MacOS 8.6 or 9.x	151
MacOS X	152
Verifying TCP/IP Properties for Macintosh Computers	153
Verifying the Readiness of Your Internet Account	154
Are Login Protocols Used?	154
What Is Your Configuration Information?	154
Obtaining ISP Configuration Information for Windows Computers	155
Obtaining ISP Configuration Information for Macintosh Computers	156
Restarting the Network	157
Appendix D Virtual Private Networking	159
What is a VPN?	159
What Is IPSec and How Does It Work?	160
IPSec Security Features	160
IPSec Components	160
Encapsulating Security Payload (ESP)	161
Authentication Header (AH)	162
IKE Security Association	162
Mode	163
Key Management	164
Understand the Process Before You Begin	164
VPN Process Overview	165
Network Interfaces and Addresses	165
Interface Addressing	165
Firewalls	166
Setting Up a VPN Tunnel Between Gateways	166
VPNC IKE Security Parameters	168
VPNC IKE Phase I Parameters	168
VPNC IKE Phase II Parameters	169
Testing and Troubleshooting	169
Additional Reading	169
Appendix E NETGEAR VPN Configuration of FVS318 or FVM318 to FVL328	171
Configuration Profile	171
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	172
Step-By-Step Configuration of FVL328 Gateway B	175
Test the VPN Connection	179
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to Cisco IOS	181
Configuration Profile	181
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	182
Step-By-Step Configuration of Cisco IOS Gateway B	185
Test the VPN Connection	188
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328	191
Configuration Profile	191
The Use of a Fully Qualified Domain Name (FQDN)	192
Step-By-Step Configuration of FVS318 or FVM318 Gateway A	193
Step-By-Step Configuration of FVL328 Gateway B	197
Test the VPN Connection	202
Glossary	203
Numeric	203
A	203
B	204
C	205
D	206
E	207
F	207
G	208
H	208
I	208
L	210
M	210
N	211
O	212
P	212
Q	214
R	214
S	214
T	215
U	215
V	216
W	216

Match case Limit results 1 per page

Reference Manual for the Model FVS318 Broadband

ProSafe VPN Firewall

6-2

Virtual Private Networking

M-10146-01

VPN client access allows a remote PC to connect to your network from any location on the

Internet. In this case, the remote PC is one tunnel endpoint, running VPN client software. The

FVS318 VPN Firewall router on your network is the other tunnel endpoint

•

The FVS318 VPN Firewall supports up to eight concurrent tunnels.

These scenarios are described below.

Understanding How FVS318 VPN Tunnels Are Configured

You create VPN tunnels definitions via the VPN Settings link under the Setup section of the main

menu on the FVS318. The VPN tunnel configuration consists of these two kinds of information:

•

Connection.

Identifies the VPN endpoints by IPSec ID, IP address, or a fully qualified domain

name (FQDN).

Note:

A FQDN is the complete URL of the router. Using a dynamic DNS service for a

FVS318 with a dynamically-assigned IP address enables that FVS318 to both initiate and

respond to requests to open a VPN tunnel. Otherwise, a FVS318 with a dynamically-assigned

IP address can only initiate a request to open a VPN tunnel because no other initiators can

know its IP address.

•

Security Association (SA).

There are three kinds of SA key exchange modes:

—

IKE Main Mode

: Uses the Internet Key Exchange (IKE) protocol to define the

authentication scheme and automatically generate the encryption keys. Main Mode

authentication is slightly slower than Aggressive Mode but more secure.

—

IKE Aggressive Mode

: Uses the IKE protocol to define the authentication scheme and

automatically generate the encryption keys. Aggressive Mode authentication is slightly

faster than Main Mode but less secure.

Note:

The FVS318 VPN Firewall uses industry standard VPN protocols. However, due

to variations in how manufacturers interpret these standards, many VPN products do not

interoperate. NETGEAR provides support for connections between NETGEAR VPN

Firewalls, and between an FVS318 VPN Firewall and the SafeNet SoftRemote VPN

Client for Windows. This manual is written based on tests with the FVS318 and versions

8 and 9 of the SafeNet client. Although the FVS318 can interoperate with many other

VPN products, it is not possible for NETGEAR to provide specific technical support for

every other interconnection. Please see NETGEAR's web site for additional VPN

information.