Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections 369 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

The Router Status screen displays.

6. Select VPN > IPSec VPN.
   The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.

7. To add an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The IKE Policies screen displays the IPv6 settings.

8. Under the List of IKE Policies table, click the Add button.
   The Add IKE Policy screen displays. The Add IKE Policy screen for IPv4 is identical to the Add IKE Policy screen for IPv6.
9. Enter the settings as described in the following table. Other than the nature of the IP addresses, the settings that you must enter for IPv4 and for IPv6 are identical.
Setting    Description

Mode Config Record

Do you want to use Mode Config Record?
    Specify whether the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Overview on page 394. Select a radio button:
    • No. If you did not define a Mode Config record, leave the No radio button selected, which disables Mode Config for this IKE policy. This is the default setting.
    • Yes. If you defined a Mode Config record and want to use it for this IKE policy, select the Yes radio button. From the Select Mode Config Record menu, select a Mode Config record, which allows the VPN firewall to assign IP addresses to remote VPN clients. Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs.
    Note: You can use an IPv6 IKE policy to assign IPv4 addresses to clients through a Mode Config record, but you cannot assign IPv6 addresses to clients.

Select Mode Config Record
    From the menu, select one of the Mode Config records that you defined (see Configure Mode Config Operation on the VPN Firewall on page 395).
    Note: Click the View Selected button to open the Selected Mode Config Record Details pop-up screen.

General

Policy Name
    A descriptive name of the IKE policy for identification and management purposes.
    Note: The name is not supplied to the remote VPN endpoint.

Direction / Type
    From the menu, select the connection method for the VPN firewall:
    • Initiator. The VPN firewall initiates the connection to the remote endpoint.
    • Responder. The VPN firewall responds only to an IKE request from the remote endpoint.
    • Both. The VPN firewall can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint.

Exchange Mode
    From the menu, select the mode of exchange between the VPN firewall and the remote VPN endpoint:
    • Main. This mode is slower than the Aggressive mode but more secure.
    • Aggressive. This mode is faster than the Main mode but less secure.

Local

Select Local Gateway
    Select a WAN interface from the menu to specify the WAN interface for the local gateway.
Identifier Type
    From the menu, select an ISAKMP identifier to be used by the VPN firewall and specify the identifier in the Identifier field:
    • Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
    • FQDN. The Internet address for the VPN firewall.
    • User FQDN. The email address for a local VPN client or the VPN firewall.
    • DER ASN1 DN. A distinguished name (DN) that identifies the VPN firewall in the DER encoding and ASN.1 format.

Identifier
    Depending on the selection from the Identifier Type menu, enter the IP address, email address, FQDN, or distinguished name.

Remote

Identifier Type
    From the menu, select an ISAKMP identifier to be used by the remote endpoint and specify the identifier in the Identifier field:
    • Remote Wan IP. The WAN IP address of the remote endpoint. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
    • FQDN. The FQDN for a remote gateway.
    • User FQDN. The email address for a remote VPN client or gateway.
    • DER ASN1 DN. A distinguished name (DN) that identifies the remote endpoint in the DER encoding and ASN.1 format.

Identifier
    Depending on the selection from the Identifier Type menu, enter the IP address, email address, FQDN, or distinguished name.

IKE SA Parameters

Encryption Algorithm
    From the menu, select an algorithm to negotiate the security association (SA):
    • DES. Data Encryption Standard (DES).
    • 3DES. Triple DES. This is the default algorithm.
    • AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    • AES-192. AES with a 192-bit key size.
    • AES-256. AES with a 256-bit key size.

Authentication Algorithm
    From the menu, select an algorithm to use in the VPN header for the authentication process:
    • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
    • MD5. Hash algorithm that produces a 128-bit digest.

Authentication Method
    Select the authentication method:
    • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
    • RSA-Signature. Uses the active self-signed certificate that you must have uploaded (see Manage VPN Self-Signed Certificates on page 516). When you select RSA-Signature, the Pre-shared key field is masked out.

Pre-shared key
    A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote ("), single quote ('), or space in the key.
Diffie-Hellman (DH) Group
    The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the menu, select the strength:
    • Group 1 (768 bit).
    • Group 2 (1024 bit). This is the default setting.
    • Group 5 (1536 bit).
    Note: Ensure that the DH group is configured identically on both sides.

SA-Lifetime (sec)
    The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default is 28800 seconds (eight hours).

Enable Dead Peer Detection
    Select a radio button to specify whether Dead Peer Detection (DPD) is enabled:
    • No. This feature is disabled. This is the default setting.
    • Yes. This feature is enabled. When the VPN firewall detects an IKE connection failure, it removes the IPSec and IKE SA and forces a reestablishment of the connection. You must specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
    Note: For more information, see Manage Keep-Alives and Dead Peer Detection on page 411.

Detection Period
    The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.

Reconnect after failure count
    The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.

Extended Authentication

XAUTH Configuration
    Select a radio button to specify whether Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
    • None. XAUTH is disabled. This is the default setting.
    • Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
    • IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.
    Note: For more information about XAUTH and its authentication modes, see Enable and Configure Extended Authentication for VPN Clients on page 389.
Authentication Type
    If you select Edge Device from the XAUTH Configuration menu, you must select an authentication type from the Authentication Type menu:
    • User Database. XAUTH occurs through the VPN firewall's user database. For information about adding users, see Manage User Accounts on page 498.
    • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see Configure the RADIUS Servers for the VPN Firewall's RADIUS Client on page 392.
    • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see Configure the RADIUS Servers for the VPN Firewall's RADIUS Client on page 392.

Username
    The user name for XAUTH.

Password
    The password for XAUTH.

10. Click the Apply button.
    Your settings are saved. The IKE policy is added to the List of IKE Policies table.

Associate a Manually Added IKE Policy with an Existing VPN Policy

The following procedure describes how you can associate an IKE policy that you added manually with an existing VPN policy. An IKE policy that is not associated with a VPN policy is inactive.

To associate a manually added IKE policy with an existing VPN policy:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.

4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.

5. Click the Login button.
   The Router Status screen displays.

6. Select VPN > IPSec VPN > VPN Policies.
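The rules the settings table states (Mode Config forces Aggressive mode and FQDN identifiers, pre-shared key length and forbidden characters, DPD and Edge Device XAUTH prerequisites) can be checked before an IKE policy is applied. The following is an added example and not NETGEAR code: the firewall exposes these settings only through its web GUI, so the policy is modelled as a dict whose key names are assumptions chosen to mirror the GUI labels; it also warns about the options the manual calls less secure, and about DES, 3DES and MD5, which are weak by current standards.

```python
# Added example (not NETGEAR code): an FVS336Gv2 IKE policy modelled as a dict
# whose keys are assumed names mirroring the GUI labels, checked against the
# rules stated in the settings table before the policy is applied.
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
AUTH_ALG = {"SHA-1", "MD5"}
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}          # group -> modulus size in bits
XAUTH_TYPES = {"User Database", "Radius PAP", "Radius CHAP"}

def check_ike_policy(p):
    """Return (errors, warnings). Errors break a rule the manual states; warnings
    flag options the manual calls less secure, or that are weak by today's standards."""
    errors, warnings = [], []
    # Mode Config works only in Aggressive mode and needs FQDN identifiers on both ends.
    if p.get("mode_config"):
        if p.get("exchange_mode") != "Aggressive":
            errors.append("Mode Config requires Aggressive exchange mode")
        if p.get("local_id_type") != "FQDN" or p.get("remote_id_type") != "FQDN":
            errors.append("Mode Config requires FQDN identifiers on both endpoints")
    if p.get("exchange_mode") == "Aggressive":
        warnings.append("Aggressive mode is faster but less secure than Main mode")

    enc, alg, dh = p.get("encryption"), p.get("auth_alg"), p.get("dh_group")
    if enc not in ENCRYPTION:
        errors.append("unknown encryption algorithm")
    elif enc in ("DES", "3DES"):
        warnings.append(f"{enc} is a weak cipher; prefer AES")
    if alg not in AUTH_ALG:
        errors.append("unknown authentication algorithm")
    elif alg == "MD5":
        warnings.append("MD5 is a weak hash; prefer SHA-1")
    if dh not in DH_GROUPS:
        errors.append("DH group must be 1, 2 or 5 (and match the remote side)")
    elif dh == 1:
        warnings.append("DH Group 1 (768 bit) is the weakest option; prefer Group 5")

    # Pre-shared key: 8 to 49 characters, no double quote, single quote or space.
    if p.get("auth_method") == "Pre-shared key":
        psk = p.get("psk", "")
        if not 8 <= len(psk) <= 49:
            errors.append("pre-shared key must be 8 to 49 characters")
        if any(c in psk for c in "\"' "):
            errors.append("pre-shared key must not contain quotes or spaces")

    # Dead Peer Detection needs a detection period and a reconnect count.
    if p.get("dpd"):
        if p.get("dpd_period", 0) <= 0:
            errors.append("DPD enabled but Detection Period is not set")
        if p.get("dpd_reconnect", 0) <= 0:
            errors.append("DPD enabled but Reconnect after failure count is not set")

    # Edge Device XAUTH must name an authentication type.
    if p.get("xauth") == "Edge Device" and p.get("xauth_type") not in XAUTH_TYPES:
        errors.append("Edge Device XAUTH needs User Database, Radius PAP or Radius CHAP")
    return errors, warnings
```

The factory defaults (3DES, SHA-1, Group 2, Main mode) pass with a single warning about 3DES; a policy that selects Mode Config while leaving Main mode or a Local Wan IP identifier fails outright.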
   The VPN Policies screen displays the IPv4 settings.

7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The VPN Policies screen displays the IPv6 settings.
   Note: You can associate an IKE policy only with an Auto policy.

8. In the List of VPN Policies table, click the Edit button for the VPN policy with which you want to associate the IKE policy.
   The Edit VPN Policy screen displays.

9. In the Auto Policy Parameters section, from the Select IKE Policy menu, select the IKE policy.

10. Click the Apply button.
    Your settings are saved. The IKE policy is now associated with the VPN policy.

Change an IKE Policy

The following procedure describes how you can change an existing IKE policy that was added either automatically or manually.

To change an IKE policy:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.

4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.

5. Click the Login button.
   The Router Status screen displays.
   Note: You cannot change an IKE policy for which the associated VPN policy is active.
6. If the IKE policy that you want to change is associated with a VPN policy, first disable the VPN policy:
   a. Select VPN > IPSec VPN > VPN Policies.
      The VPN Policies screen displays the IPv4 settings.
   b. To disable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
      The VPN Policies screen displays the IPv6 settings.
   c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you want to change.
      Note: When you use the VPN IPsec Wizard, the VPN and IKE policies that are added automatically have the same name.
   d. Click the Disable button.
      The VPN policy is disabled. The green circle to the left of the VPN policy turns gray.

7. Select VPN > IPSec VPN.
   The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.

8. To change an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The IKE Policies screen for IPv6 displays.

9. In the List of IKE Policies table, click the Edit button for the IKE policy that you want to change.
   The Edit IKE Policy screen displays.

10. Change the settings.
    For information about the settings, see Manually Add an IKE Policy on page 368.

11. Click the Apply button.
    Your settings are saved. The modified IKE policy displays in the List of IKE Policies table on the IKE Policies screen.

12. If you disabled the VPN policy with which the IKE policy that you changed is associated, reenable the VPN policy:
    a. Select VPN > IPSec VPN > VPN Policies.
       The VPN Policies screen displays the IPv4 settings.
    b. To reenable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
       The VPN Policies screen displays the IPv6 settings.
    c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you changed.
    d. Click the Enable button.
       The VPN policy is reenabled. The gray circle to the left of the VPN policy turns green.

Remove One or More IKE Policies

The following procedure describes how you can remove one or more IKE policies that you no longer need.

WARNING: If you remove an IKE policy that is associated with a VPN policy but do not replace it with another IKE policy that you associate with the same VPN policy, the VPN policy does not function anymore.

To remove one or more IKE policies:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.

4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.

5. Click the Login button.
   The Router Status screen displays.
   Note: You cannot remove an IKE policy for which the associated VPN policy is active.

6. If the IKE policy that you want to remove is associated with a VPN policy, first disable the VPN policy:
   a. Select VPN > IPSec VPN > VPN Policies.
      The VPN Policies screen displays the IPv4 settings.
   b. To disable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
      The VPN Policies screen displays the IPv6 settings.
   c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you want to remove.
      Note: When you use the VPN IPsec Wizard, the VPN and IKE policies that are added automatically have the same name.
   d. Click the Disable button.
      The VPN policy is disabled. The green circle to the left of the VPN policy turns gray.

7. Select VPN > IPSec VPN.
   The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.

8. To remove an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The IKE Policies screen for IPv6 displays.

9. In the List of IKE Policies table, select the check box to the left of each policy that you want to remove, or click the Select All button to select all IKE policies.

10. Click the Delete button.
    The selected IKE policies are removed from the List of IKE Policies table.

For information about adding an IKE policy, see Manually Add an IKE Policy on page 368. For information about associating an IKE policy with an existing VPN policy, see Associate a Manually Added IKE Policy with an Existing VPN Policy on page 374.

Manage VPN Policies

The following sections provide information about managing VPN policies:
• VPN Policies Overview
• View the VPN Policies
• Manually Add a VPN Policy
• Change a VPN Policy
• Enable, Disable, or Remove One or More Existing VPN Policies

VPN Policies Overview

A VPN policy specifies the IP address or FQDN of the local VPN gateway, the IP address or FQDN of the remote VPN gateway, and the authentication and encryption that are used to establish the tunnel. In addition, after the IPSec negotiations are complete and the VPN tunnel is established, the VPN policy specifies the type of authentication and encryption that is used to transfer the traffic securely.

You can create two types of VPN policies:
• Manual. You manually enter all settings (including the keys) for the VPN tunnel on the VPN firewall and on the remote VPN endpoint. No third-party server or organization is