Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections 359 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

11. Specify the settings that are described in the following table.

Setting: Description
VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that the VPN client uses in the VPN firewall’s LAN. The computer for which the VPN client opens a tunnel appears in the LAN with this IP address.
Address Type: From the menu, select Subnet address. This selection defines which addresses the VPN client can communicate with after the VPN tunnel is established.
Remote LAN address: Enter 192.168.1.0 as the remote IP address (that is, the LAN network address) of the gateway that opens the VPN tunnel.
Subnet mask: Enter 255.255.255.0 as the remote subnet mask of the gateway that opens the VPN tunnel.
Encryption: From the menu, select 3DES as the encryption algorithm.
Authentication: From the menu, select SHA-1 as the authentication algorithm.
Mode: From the menu, select Tunnel as the encapsulation mode.
PFS and Group: Select the PFS check box and from the menu, select the DH2 (1024) key group. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit).

12. Click the Save button.
Your settings are saved. Continue the manual configuration of the VPN client with the global parameters.

13. In the tree list pane of the Configuration Panel screen, click Global Parameters.
14. Specify the default lifetimes in seconds:
•Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall.
•Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the VPN firewall.

15. Click the Save button.
Your settings are saved. The manual configuration of the VPN firewall is now complete. For information about testing the new VPN tunnel connection, see Test the Connection and View Connection and Status Information on page 360.

Test the Connection and View Connection and Status Information

The following sections provide information about how to test VPN tunnel connections and view connection and status information:
•Test the NETGEAR ProSAFE VPN Client VPN Tunnel Connection
•NETGEAR ProSAFE VPN Client Status and Log Information
•View the VPN Firewall IPSec VPN Connection Status and Terminate or Establish Tunnels
•View the VPN Firewall IPSec VPN Log
Test the NETGEAR ProSAFE VPN Client VPN Tunnel Connection

Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client.

After you configure the IPSec VPN connection on the VPN firewall and the VPN client, you can test the VPN tunnel connection. The following procedure assumes that you use the default authentication phase name Gateway and the default IPSec configuration name Tunnel. If you configured the connection manually and changed the names, use vpn_client (or any other name that you configured) as the authentication phase name and netgear_platform (or any other name that you configured) as the IPSec configuration name.

To initiate a VPN tunnel connection on the VPN client:
On the computer that has the VPN client installed, right-click the system tray icon, and select Open tunnel ‘Tunnel’. When the tunnel opens successfully, the Tunnel opened message displays above the system tray.

After the VPN client is launched, it displays an icon in the system tray that indicates whether a tunnel is opened, using a color code.
Figure 11. VPN client system tray color codes
Purple icon: no VPN tunnel opened
Green icon: at least one VPN tunnel opened

Both the NETGEAR ProSAFE VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection. For more information, see the following sections:
•NETGEAR ProSAFE VPN Client Status and Log Information on page 362
•View the VPN Firewall IPSec VPN Connection Status and Terminate or Establish Tunnels on page 363
•View the VPN Firewall IPSec VPN Log on page 364

NETGEAR ProSAFE VPN Client Status and Log Information

Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client.

The VPN console on the VPN client displays notifications and, if errors occur, error messages that are detected on the client side. If problems occur during the VPN tunnel establishment process, these error messages can help you to determine what the problem is. (Misconfiguration is the most common problem.) For more information about notifications and error messages, see the NETGEAR ProSafe VPN Client User Manual, which you can download from downloadcenter.netgear.com.

To view detailed negotiation and error information on the VPN client:
On the computer that has the VPN client installed, right-click the VPN client icon in the system tray and select Console. The VPN Console ACTIVE screen displays.
View the VPN Firewall IPSec VPN Connection Status and Terminate or Establish Tunnels

You can view the connection status of all IPSec VPN tunnel sessions on the VPN firewall. For a gateway-to-gateway connection, you can terminate or establish a tunnel. For a client-to-gateway connection, you can terminate a tunnel.

To view the status of IPSec VPN tunnels on the VPN firewall and terminate or establish tunnels:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > Connection Status.
The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view. The following figure shows an IPSec security association (SA) as an example. The Active IPSec SA(s) table lists each active connection with the information that is described in the following table.

Item: Description
Policy Name: The name of the VPN policy that is associated with this SA.
Endpoint: The IP address on the remote VPN endpoint.
Tx (KB): The amount of data that is transmitted over this SA.
Tx (Packets): The number of IP packets that are transmitted over this SA.
State: The status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase. If no connection is established, the status is IPSec SA Not Established.
Action: The Connect button lets you initiate the VPN tunnel connection. The Disconnect button lets you terminate the VPN tunnel connection.

7. To disable an active gateway-to-gateway or client-to-gateway VPN IPsec tunnel, in the Active IPSec SA(s) table, click the corresponding Disconnect button for the policy name.
8. To disable another tunnel, repeat Step 7.
9. To establish a gateway-to-gateway VPN IPsec tunnel, in the Active IPSec SA(s) table, click the corresponding Connect button for the policy name.
10. To establish another tunnel, repeat Step 9.

View the VPN Firewall IPSec VPN Log

The IPSec VPN log on the VPN firewall displays notifications and, if errors occur, error messages that are detected on the VPN firewall side. If problems occur during the VPN tunnel establishment process, these error messages can help you to determine what the problem is. (Misconfiguration is the most common problem.)
To display the IPSec VPN log on the VPN firewall:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Monitoring > VPN Logs > IPSec VPN Logs. The IPSec VPN Logs screen displays.

Manage IPSec VPN Policies Manually

After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy.
You can change existing policies or manually add new VPN and IKE policies directly in the policy tables. The following sections provide information about managing IPSec VPN policies manually:
•Manage IKE Policies
•Manage VPN Policies

Manage IKE Policies

The following sections provide information about managing IKE policies:
•IKE Policies
•View the IKE Policies
•Manually Add an IKE Policy
•Associate a Manually Added IKE Policy with an Existing VPN Policy
•Change an IKE Policy
•Remove One or More IKE Policies

IKE Policies

The Internet Key Exchange (IKE) protocol performs negotiations between two VPN devices and provides automatic management of the keys that are used for IPSec connections. An automatically generated VPN policy (auto policy) must use the IKE negotiation protocol. However, a manually generated VPN policy (manual policy) cannot use the IKE negotiation protocol.

An IKE policy is activated when the following sequence of events occurs:
1. The VPN policy selector determines that some traffic matches an existing VPN policy of an auto policy type.
2. The IKE policy that is specified for the VPN auto policy is used to start negotiations with the remote VPN gateway.
3. An IKE session is established, using the security association (SA) settings that are specified in a matching IKE policy:
•Keys and other settings are exchanged.
•An IPSec SA is established, using the settings that are specified in the VPN policy.
The VPN tunnel is then available for data transfer.

When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is also added automatically and is given the same name as the new VPN connection name. You can change existing IKE policies manually and add new IKE policies.
View the IKE Policies

The following procedure describes how to view the IKE policies that were automatically added and that you manually added.

To view the IKE policies:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view, displaying the IPv4 settings.
7. To display the IPv6 settings instead of the IPv4 settings, in the upper right, select the IPv6 radio button. The IKE Policies screen displays the IPv6 settings.
Each policy contains the settings that are described in the following table. These settings apply to both IPv4 and IPv6 IKE policies. For more information about these settings, see Manually Add an IKE Policy on page 368.

Item: Description
Name: The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN policy, an accompanying IKE policy is automatically created with the same name that you select for the VPN policy. Note: The name is not supplied to the remote VPN endpoint.
Mode: The exchange mode: Main or Aggressive.
Local ID: The IKE/ISAKMP identifier of the VPN firewall. The remote endpoint must have this value as its remote ID.
Remote ID: The IKE/ISAKMP identifier of the remote endpoint, which must have this value as its local ID.
Encr: The encryption algorithm that is used for the IKE security association (SA). This setting must match the setting on the remote endpoint.
Auth: The authentication algorithm that is used for the IKE SA. This setting must match the setting on the remote endpoint.
DH: The Diffie-Hellman (DH) group that is used when keys are exchanged. This setting must match the setting on the remote endpoint.

Manually Add an IKE Policy

The following procedure describes how to add an IKE policy manually.

To manually add an IKE policy for IPv4 or IPv6:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
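The manual states twice that misconfiguration is the most common cause of a tunnel failing to come up, and the IKE policy table above spells out the matching rules: Local ID and Remote ID must cross over between the two endpoints, while mode, Encr, Auth and DH must be identical, and the VPN client's Phase 2 settings and lifetimes (steps 11 and 14) must equal the firewall's. The following script is an added example, not Netgear's code or part of the manual: it models both ends of a client-to-gateway connection with the values the manual uses (3DES, SHA-1, Tunnel mode, PFS with DH2, 28800 s and 3600 s lifetimes) and reports every mismatch before anything is deployed. The dataclass field names, the Main exchange mode and the two identifier strings are assumptions; the "client defaults" case reproduces what happens when step 14 is skipped and the client keeps its default 3600 s and 1200 s lifetimes. It also lists which of the manual's algorithm choices current guidance considers weak, so an administrator can plan to replace them on both ends at once.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    """Phase 1 (IKE SA) settings, mirroring the IKE policy table columns."""
    mode: str        # "Main" or "Aggressive"
    local_id: str    # this endpoint's IKE/ISAKMP identifier
    remote_id: str   # the peer's identifier, as this endpoint expects it
    encr: str        # IKE SA encryption algorithm
    auth: str        # IKE SA authentication (integrity) algorithm
    dh: str          # Diffie-Hellman group used for the key exchange
    lifetime: int    # IKE SA lifetime in seconds


@dataclass(frozen=True)
class IpsecPolicy:
    """Phase 2 (IPsec SA) settings, mirroring the VPN client's tunnel settings."""
    encr: str
    auth: str
    mode: str                  # "Tunnel" or "Transport"
    pfs_group: Optional[str]   # DH group when PFS is enabled, else None
    lifetime: int              # IPsec SA lifetime in seconds


# Algorithms from the manual's example that current guidance treats as weak.
WEAK = {
    "3DES": "64-bit block cipher, deprecated by NIST SP 800-131A",
    "DH2": "1024-bit MODP group; 2048 bits is the usual minimum today",
    "SHA-1": "acceptable only as an HMAC integrity check; prefer SHA-256",
}

# Constructed firewall-side policies. Algorithms and lifetimes follow the
# manual's example; the Main mode and the two ID strings are assumptions.
FIREWALL_IKE = IkePolicy("Main", "fw.example.net", "client.example.net",
                         "3DES", "SHA-1", "DH2", 28800)
FIREWALL_IPSEC = IpsecPolicy("3DES", "SHA-1", "Tunnel", "DH2", 3600)

# The client after following the manual: IDs crossed over, lifetimes changed.
CLIENT_IKE = IkePolicy("Main", "client.example.net", "fw.example.net",
                       "3DES", "SHA-1", "DH2", 28800)
CLIENT_IPSEC = IpsecPolicy("3DES", "SHA-1", "Tunnel", "DH2", 3600)

# The client with step 14 skipped: default lifetimes of 3600 s and 1200 s.
DEFAULT_CLIENT_IKE = replace(CLIENT_IKE, lifetime=3600)
DEFAULT_CLIENT_IPSEC = replace(CLIENT_IPSEC, lifetime=1200)


def check_pair(a_ike: IkePolicy, b_ike: IkePolicy,
               a_ipsec: IpsecPolicy, b_ipsec: IpsecPolicy) -> List[str]:
    """Return every mismatch between endpoints A and B; empty means consistent."""
    findings = []
    # Phase 1 identities cross over: A's local ID is B's remote ID and vice versa.
    if a_ike.local_id != b_ike.remote_id:
        findings.append(f"phase1 id: A local ID {a_ike.local_id!r} "
                        f"is not B's remote ID {b_ike.remote_id!r}")
    if b_ike.local_id != a_ike.remote_id:
        findings.append(f"phase1 id: B local ID {b_ike.local_id!r} "
                        f"is not A's remote ID {a_ike.remote_id!r}")
    # Every other Phase 1 and Phase 2 setting must be identical on both sides.
    for name in ("mode", "encr", "auth", "dh", "lifetime"):
        va, vb = getattr(a_ike, name), getattr(b_ike, name)
        if va != vb:
            findings.append(f"phase1 {name}: A={va!r} B={vb!r}")
    for name in ("encr", "auth", "mode", "pfs_group", "lifetime"):
        va, vb = getattr(a_ipsec, name), getattr(b_ipsec, name)
        if va != vb:
            findings.append(f"phase2 {name}: A={va!r} B={vb!r}")
    return findings


def weak_algorithms(ike: IkePolicy, ipsec: IpsecPolicy) -> List[str]:
    """Sorted names from WEAK that this endpoint's policy pair relies on."""
    used = {ike.encr, ike.auth, ike.dh, ipsec.encr, ipsec.auth}
    if ipsec.pfs_group:
        used.add(ipsec.pfs_group)
    return sorted(n for n in used if n in WEAK)


if __name__ == "__main__":
    cases = (("as configured", CLIENT_IKE, CLIENT_IPSEC),
             ("client defaults", DEFAULT_CLIENT_IKE, DEFAULT_CLIENT_IPSEC))
    for label, ike, ipsec in cases:
        result = check_pair(FIREWALL_IKE, ike, FIREWALL_IPSEC, ipsec)
        print(f"{label}: {result or 'OK'}")
    for name in weak_algorithms(FIREWALL_IKE, FIREWALL_IPSEC):
        print(f"weak: {name}: {WEAK[name]}")
```

Run it as a script: the "as configured" case prints OK, while the "client defaults" case reports the Phase 1 lifetime (28800 versus 3600) and the Phase 2 lifetime (3600 versus 1200), which is exactly the mismatch step 14 exists to prevent. Because each finding names the phase and the setting, it maps directly onto the Phase 1 and Phase 2 states shown in the Active IPSec SA(s) table when a tunnel stalls.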