Netgear N600 Wireless Router User Manual
Virtual Private Networking (page 111)
N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700

3. Click VPN Status. The Current VPN Tunnels (SAs) screen displays:
4. Click Drop for the VPN tunnel that you want to deactivate.

Delete a VPN Tunnel

To delete a VPN tunnel:
1. On the main menu, select VPN Policies to display the VPN Policies screen. In the Policy Table, select the radio button for the VPN tunnel to be deleted, and then click Delete.

Set Up VPN Tunnels in Special Circumstances

When the VPN Wizard and its VPNC defaults (see Table 16 on page 89) are not appropriate for your circumstances, use one of these alternatives:
• Auto Policy. For a typical automated Internet Key Exchange (IKE) setup, see Use Auto Policy to Configure VPN Tunnels on page 112. Auto Policy uses the IKE protocol to define the authentication scheme and automatically generate the encryption keys.
• Manual Policy. For a manual keying setup in which you have to specify each phase of the connection, see Use Manual Policy to Configure VPN Tunnels on page 119. Manual Policy does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex, and there are more opportunities for errors or configuration mismatches between your N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700 and the corresponding VPN endpoint gateway or client workstation.

Use Auto Policy to Configure VPN Tunnels

You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end have to match the inbound VPN settings on the other end, and vice versa. For an example of using Auto Policy, see Example of Using Auto Policy on page 116.

Configure VPN Network Connection Parameters

All VPN tunnels on the wireless modem router require that you configure several network parameters. This section describes those parameters and how to access them. The most common configuration scenarios use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate and update the required encryption parameters.

From the main menu, select VPN Policies, and then click the Add Auto Policy button to display the VPN - Auto Policy screen:
The DGND3700 VPN tunnel network connection fields are defined in the following table.

Table 19. VPN - Auto Policy screen settings

General
  Policy Name
    Enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
  Remote VPN Endpoint
    • The remote VPN endpoint has to have this VPN gateway's address entered as its remote VPN endpoint.
    • If the remote endpoint has a dynamic IP address, select Dynamic IP Address. No address data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select an option (IP address or domain name) and enter the address of the remote VPN endpoint to which you want to connect.
  IKE Keep Alive
    • If you want to ensure that a connection is kept open, or, if that is not possible, that it is quickly reestablished when disconnected, select this check box.
    • The ping IP address has to be associated with the remote endpoint. The remote LAN address has to be used. This IP address will be pinged periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address has to be covered by the remote LAN IP range and has to correspond to a device that can respond to ping. The range should be made as narrow as possible to meet this objective.

Local LAN
  The remote VPN endpoint has to have these IP addresses entered as its remote addresses.
  Subnet Mask
    The network mask.
  Single/Start IP Address
    • Enter the IP address for a single address, or the starting address for an address range. A single address setting is used when you want to make a single server on your LAN available to remote users. A range must be an address range used on your LAN.
    • Any. The remote VPN endpoint can be at any IP address.
  Finish IP Address
    For an address range, enter the finish IP address. This must be an address range used on your LAN.

Remote LAN
  The remote VPN endpoint has to have these IP addresses entered as its local addresses.
  IP Address
    Single PC - no Subnet. Select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.
  Single/Start IP Address
    • Enter an IP address that is on the remote LAN. You can use this setting when you want to access a server on the remote LAN.
    • For a range of addresses, enter the starting IP address. This has to be an address range used on the remote LAN.
    • Any. Any outgoing traffic from the computers in the Local IP fields triggers an attempted VPN connection to the remote VPN endpoint. Be sure you want this option before selecting it.
  Finish IP Address
    Enter the finish IP address for a range of addresses. This has to be an address range used on the remote LAN.
  Subnet Mask
    Enter the network mask.

IKE
  Direction
    This setting is used when the router determines if the IKE policy matches the current traffic. Select an option.
    • Responder only. Incoming connections are allowed, but outgoing connections are blocked.
    • Initiator and Responder. Both incoming and outgoing connections are allowed.
  Exchange Mode
    Ensure that the remote VPN endpoint is set to use Main Mode.
  Diffie-Hellman (DH) Group
    The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group setting determines the bit size used in the exchange. This value has to match the value used on the remote VPN gateway.
  Local Identity Type
    Select an option to match the Remote Identity Type setting on the remote VPN endpoint.
    • WAN IP Address. Your Internet IP address.
    • Fully Qualified Domain Name. Your domain name.
    • Fully Qualified User Name. Your name, email address, or other ID.
  Local Identity Data
    Enter the data for the local identity type that you selected. (If WAN IP Address is selected, no input is required.)
  Remote Identity Type
    Select the option that matches the Local Identity Type setting on the remote VPN endpoint.
    • IP Address. The Internet IP address of the remote VPN endpoint.
    • Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
    • Fully Qualified User Name. The name, email address, or other ID of the remote VPN endpoint.
  Remote Identity Data
    Enter the data for the remote identity type that you selected. If IP Address is selected, no input is required.

Parameters
  Encryption Algorithm
    The encryption algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. DES and 3DES are supported.
    • DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
    • 3DES (Triple DES). Achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
  Authentication Algorithm
    The authentication algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
    • MD5. 128 bits, faster but less secure.
    • SHA-1. 160 bits, slower but more secure. This is the default.
  Pre-shared Key
    The key has to be entered both here and on the remote VPN gateway.
  SA Life Time
    The time interval before the SA (security association) expires. (It is automatically reestablished as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA life-time. This setting applies to both IKE and IPSec SAs.
  Enable IPSec PFS (Perfect Forward Secrecy)
    • If this check box is selected, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)
    • This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you might have to specify the key group used. For this device, the key group is the same as the DH Group setting in the IKE section.
Example of Using Auto Policy

Figure 46. Gateway A (LAN IP 192.168.0.1, WAN IP 14.15.16.17) and Gateway B (LAN IP 192.168.3.1, WAN IP 22.23.24.25) connected by a VPN tunnel across the Internet.

The following settings are assumed for this example:

Table 20. Gateway-to-gateway VPN tunnel configuration worksheet

Parameter                    Value to Be Entered   Field Selection
Connection Name              GtoG                  N/A
Pre-Shared Key               12345678              N/A
Secure Association           N/A                   Main Mode / Manual Keys
Perfect Forward Secrecy      N/A                   Enabled / Disabled
Encryption Protocol          N/A                   DES / 3DES
Authentication Protocol      N/A                   MD5 / SHA-1
Diffie-Hellman (DH) Group    N/A                   Group 1 / Group 2
Key Life in seconds          28800 (8 hours)       N/A
IKE Life Time in seconds     3600 (1 hour)         N/A

VPN Endpoint   Local IPSec ID   LAN IP Address   Subnet Mask      FQDN or Gateway IP (WAN IP Address)
Gateway_A      GW_A             192.168.0.1      255.255.255.0    14.15.16.17
Gateway_B      GW_B             192.168.3.1      255.255.255.0    22.23.24.25

1. Set the LAN IPs on each wireless modem router to different subnets and configure each correctly for the Internet. On the main menu, select VPN Policies and click the Add Auto Policy button.
The VPN - Auto Policy screen displays:

2. Enter these policy settings:

Auto Policy Field                     Description
General
  Policy Name                         GtoG
  Remote VPN Endpoint Address Type    Fixed
  Remote VPN Endpoint Address Data    22.23.24.25
Local LAN                             Use the default settings.
Remote LAN
  IP Address                          Select Subnet address from the drop-down list.
  Start IP Address                    192.168.3.1
  Subnet Mask                         255.255.255.0
IKE
  Direction                           Initiator and Responder
  Exchange Mode                       Main Mode
  Diffie-Hellman (DH) Group           Group 2 (1024 Bit)
  Local Identity Type                 Use the default setting.
  Remote Identity Type                Use the default setting.
Parameters
  Encryption Algorithm                3DES
  Authentication Algorithm            MD5
  Pre-shared Key                      12345678

3. Click Apply. The VPN Policies screen displays:
4. Repeat these steps for the N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700 on LAN B. Pay special attention to the following network settings:
• General, Remote Address Data (for example, 14.15.16.17)
• Remote LAN, Start IP Address
  - IP Address (for example, 192.168.0.1)
  - Subnet Mask (for example, 255.255.255.0)
  - Pre-shared Key (for example, 12345678)
5. Use the VPN Status screen to activate the VPN tunnel:
Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See Activate a VPN Tunnel on page 105 for information about the other ways.
a. From the main menu, select VPN Status to display the VPN Status/Log screen. Then click VPN Status to display the Current VPN Tunnels (SAs) screen:
b. Click Connect for the VPN tunnel that you want to activate. Review the VPN Status/Log screen (Figure a on page 104) to verify that the tunnel is connected.

Use Manual Policy to Configure VPN Tunnels

As an alternative to IKE, you can use manual keying, in which you have to specify each phase of the connection. A manual VPN policy requires all settings for the VPN tunnel to be manually input at each end (both VPN endpoints).
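Both an Auto Policy and a Manual Policy only come up when the two endpoints hold mirror-image settings: each side's Remote VPN Endpoint must be the other side's WAN address, each side's Remote LAN must be the other side's Local LAN, and the IKE and IPSec parameters and pre-shared key must be identical. The following Python check is an added example, not Netgear's code; the field names are this example's own, and the sample policies are filled in from the Table 20 worksheet with /24 LAN masks. It lists every non-mirrored value before you click Apply, and also flags the weaker option of each algorithm pair the screen offers.

```python
# Added example (not Netgear's code): check that two DGND3700 Auto Policies
# mirror each other before clicking Apply. Field names are this example's own;
# sample values are the manual's worksheet (Table 20), with /24 LAN masks.
from dataclasses import dataclass
from ipaddress import ip_network

# Parameters the manual requires to be identical on both endpoints.
SHARED = ("exchange_mode", "dh_group", "encryption", "authentication", "psk", "sa_lifetime")

@dataclass(frozen=True)
class AutoPolicy:
    name: str
    wan_ip: str           # this gateway's own Internet (WAN) address
    remote_endpoint: str  # Remote VPN Endpoint > Address Data
    local_lan: str        # Local LAN (CIDR)
    remote_lan: str       # Remote LAN (CIDR)
    exchange_mode: str
    dh_group: int
    encryption: str
    authentication: str
    psk: str
    sa_lifetime: int = 28800  # Key Life in seconds from the worksheet

def mirror_mismatches(a, b):
    """Outbound settings on one end must equal inbound settings on the other."""
    out = []
    for x, y in ((a, b), (b, a)):
        if x.remote_endpoint != y.wan_ip:
            out.append(f"{x.name}: remote endpoint {x.remote_endpoint} is not {y.name}'s WAN {y.wan_ip}")
        if ip_network(x.remote_lan) != ip_network(y.local_lan):
            out.append(f"{x.name}: remote LAN {x.remote_lan} is not {y.name}'s local LAN {y.local_lan}")
    out += [f"{f} differs: {getattr(a, f)!r} vs {getattr(b, f)!r}"
            for f in SHARED if getattr(a, f) != getattr(b, f)]
    return out

def weak_settings(p):
    """Flag the weaker choice of each pair the screen offers (all are legacy today)."""
    w = []
    if p.encryption.upper() == "DES":
        w.append("DES uses a 56-bit key; 3DES is the stronger option offered")
    if p.authentication.upper() == "MD5":
        w.append("MD5 is weaker than SHA-1, the default")
    if len(p.psk) < 20 or p.psk.isdigit():  # threshold is this example's choice
        w.append("pre-shared key is short or all digits")
    return w

COMMON = dict(exchange_mode="Main Mode", dh_group=2, encryption="3DES", authentication="MD5", psk="12345678")
GW_A = AutoPolicy("GW_A", "14.15.16.17", "22.23.24.25", "192.168.0.0/24", "192.168.3.0/24", **COMMON)
GW_B = AutoPolicy("GW_B", "22.23.24.25", "14.15.16.17", "192.168.3.0/24", "192.168.0.0/24", **COMMON)
# Constructed mistake: Gateway B's operator typed the wrong remote subnet.
GW_B_TYPO = AutoPolicy("GW_B", "22.23.24.25", "14.15.16.17", "192.168.3.0/24", "192.168.1.0/24", **COMMON)
```

Running `mirror_mismatches(GW_A, GW_B)` returns an empty list, while `GW_B_TYPO` produces a single remote-LAN mismatch pointing at the mistyped subnet, and `weak_settings(GW_A)` reports the MD5 choice and the eight-digit key from the worksheet.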
On the main menu, select VPN Policies, and then click the Add Manual Policy radio button to display the VPN - Manual Policy screen:

The following table explains the fields in the VPN - Manual Policy screen.

Table 21. VPN Manual Policy fields and settings

General
  The N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700 VPN tunnel network connection fields.
  Policy Name
    Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
  Remote VPN Endpoint
    • The remote VPN endpoint has to have this VPN gateway's address entered as its remote VPN endpoint.
    • If the remote endpoint has a dynamic IP address, select Dynamic IP Address. No address data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select an option (IP address or domain name) and enter the address of the remote VPN endpoint to which you want to connect.