Netgear VPN Firewall FVS336Gv2 Reference Manual
Protect Your Network 330 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Port Triggering.
   The Port Triggering screen displays.
7. Click the Status option arrow in the upper right.
   The Port Triggering Status pop-up screen displays. The pop-up screen displays the status of the port triggering rules.

Enable Universal Plug and Play

The Universal Plug and Play (UPnP) feature enables the VPN firewall to automatically discover and configure devices when it searches the LAN and WAN.

Note: UPnP is supported for IPv4 devices only and is disabled by default.

To enable UPnP:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > UPnP.
   The UPnP screen displays. The UPnP Portmap Table shows the IP addresses and other settings of UPnP devices that accessed the VPN firewall and that were automatically detected by the VPN firewall:
   • Active. A Yes or No indicates if the UPnP device port that established a connection is active.
   • Protocol. Indicates the network protocol such as HTTP or FTP that is used by the device to connect to the VPN firewall.
   • Int. Port. Indicates if any internal ports are opened by the UPnP device.
   • Ext. Port. Indicates if any external ports are opened by the UPnP device.
   • IP Address. Lists the IP address of the UPnP device accessing the VPN firewall.
7. To enable the UPnP feature, select the Yes radio button.
   By default, the No radio button is selected and the feature is disabled.
8. Complete the following fields:
   • Advertisement Period. Enter the period in seconds that specifies how often the VPN firewall must broadcast its UPnP information to all devices within its range. The default setting is 30 seconds.
   • Advertisement Time to Live. Enter a number that specifies how many steps (hops) each UPnP packet is allowed to propagate before being discarded. Small values limit the UPnP broadcast range. The default setting is 4 hops.
9. Click the Apply button.
   Your settings are saved.
Click the Refresh button.
The content of the UPnP Portmap Table refreshes. Any UPnP devices that accessed the VPN firewall and that were automatically detected by the VPN firewall display in the UPnP Portmap Table.

8. Set Up Virtual Private Networking With IPSec Connections

This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. The chapter contains the following sections:
• Dual WAN Port Systems
• Use the IPSec VPN Wizard for Client and Gateway Configurations
• Test the Connection and View Connection and Status Information
• Manage IPSec VPN Policies Manually
• Configure Extended Authentication (XAUTH)
• Assign IPv4 Addresses to Remote Users
• Manage Keep-Alives and Dead Peer Detection
• Configure NetBIOS Bridging with IPSec VPN
• Manage the PPTP Server
• Manage the L2TP Server

Dual WAN Port Systems

If two WAN ports are configured for either IPv4 or IPv6, you can enable either auto-rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency. The selection of the WAN mode determines how you must configure the VPN features.

If the WAN ports function in auto-rollover mode, you must use fully qualified domain names (FQDNs) in VPN policies. FQDNs are also required for VPN tunnel failover.

If the WAN ports function in load balancing mode, you cannot configure VPN tunnel failover. In load balancing mode, FQDNs are optional if the WAN IP addresses are static but mandatory if the WAN IP addresses are dynamic.

For more information about the IP addressing requirements for VPNs in the dual WAN modes, see Planning for Virtual Private Networks on page 632.

For information about how to select and configure a Dynamic DNS service for resolving FQDNs, see Manage Dynamic DNS Connections on page 63.

For information about configuring auto-rollover and load balancing, see the following sections:
• Configure Load Balancing or Auto-Rollover for IPv4 Interfaces on page 48
• Configure Auto-Rollover for IPv6 Interfaces on page 109 (load balancing is not supported for IPv6 interfaces)

The following diagrams and table show how the WAN mode selection relates to VPN configuration.

Figure 6. WAN auto-rollover: FQDN required for VPN (diagram: multiple WAN port model with rollover control, WAN 1 and WAN 2 ports to the Internet; same FQDN required for both WAN ports)

Figure 7. WAN load balancing: FQDN required or optional for VPN (diagram: multiple WAN port model with load balancing control, WAN 1 and WAN 2 ports to the Internet; FQDN required for dynamic IP addresses, FQDN optional for static IP addresses)

The following table summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode.

Table 7. IP addressing for VPNs in dual WAN port systems

Configuration                                              WAN IP Address   Rollover Mode (a)   Load Balancing Mode
VPN Telecommuter (client to gateway)                       Fixed            FQDN required       FQDN allowed (optional)
                                                           Dynamic          FQDN required       FQDN required
VPN Gateway-to-Gateway (gateway to gateway)                Fixed            FQDN required       FQDN allowed (optional)
                                                           Dynamic          FQDN required       FQDN required
VPN Telecommuter (client to gateway through a NAT router)  Fixed            FQDN required       FQDN allowed (optional)
                                                           Dynamic          FQDN required       FQDN required

a. After a rollover, all tunnels must be reestablished using the new WAN IP address.

Use the IPSec VPN Wizard for Client and Gateway Configurations

You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following sections provide information about how to create IPSec VPN connections with the IPSec VPN Wizard and NETGEAR ProSAFE VPN Client software:
• IPSec VPN Wizard Overview
• View the IPSec VPN Wizard Default Values
• Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard
• Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard
• Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard

Note: Although the VPN firewall supports IPv6, the NETGEAR ProSAFE VPN Client supports IPv4 only; a future release of the VPN Client might support IPv6.

IPSec VPN Wizard Overview

Configuring a VPN tunnel connection requires that you specify all settings on both sides of the VPN tunnel to match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it sets up. The VPN Wizard also configures the settings for the network connection: security association (SA), traffic selectors, authentication algorithm, and encryption. The settings that the VPN Wizard uses are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multivendor VPN interoperability.

Tip: To ensure that VPN tunnels stay active, after completing the wizard, manually change the VPN policy to enable keep-alives. The VPN firewall periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive. For more information, see Configure Keep-Alives on page 412.

Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses. After you validate the connection, you can use the wizard to create new policies using the FQDN for the WAN addresses.

View the IPSec VPN Wizard Default Values

The IPSec VPN Wizard default values are the settings that the IPSec VPN Wizard uses when you set up a VPN connection. Except for the local WAN ID and remote WAN ID, you cannot change the default settings when you use the IPSec VPN Wizard. However, these values work for most configurations.

If you must use other values, configure the IPSec VPN connection manually (see Manage IPSec VPN Policies Manually on page 365). In such a situation, you can also first configure the IPSec VPN connection with the IPSec VPN Wizard and the default values. The IPSec VPN Wizard generates a VPN policy and an IKE policy automatically. Then, you can adjust the VPN policy, IKE policy, or both with your custom values.

To view the IPSec VPN Wizard default values:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Wizard.
   The VPN Wizard screen displays the IPv4 settings.
7. Click the VPN Wizard default values option arrow in the upper right.
   The VPN Wizard default values pop-up screen displays. The default values are the same for IPv4 and IPv6.

Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard

The following figure shows an example of an IPv4 gateway-to-gateway IPSec VPN connection and the following procedure describes how to set up an IPv4 gateway-to-gateway VPN tunnel using the VPN Wizard.

Figure 8. Example of an IPv4 gateway-to-gateway IPSec VPN connection

To set up an IPv4 gateway-to-gateway VPN tunnel using the VPN Wizard:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Wizard.
   The VPN Wizard screen displays the IPv4 settings. The following figure shows an example that does not relate to other examples in this manual.
7. Enter the settings as described in the following table.

   Setting and Description

   About VPN Wizard
   • This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section.

   Connection Name and Remote IP Type
   • What is the new Connection Name? Enter a descriptive name for the connection. This name helps you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
   • What is the pre-shared key? Enter a pre-shared key. This key must also be entered on the remote VPN gateway. The key must have a minimum length of 8 characters and must not exceed 49 characters.