Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections 389 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Extended Authentication Overview

When many VPN clients connect to a VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. Extended authentication (XAUTH) provides the mechanism for requesting individual authentication information from the user. The VPN firewall’s local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.

You can enable XAUTH when you manually add or change an IKE policy. The VPN firewall provides two types of XAUTH:

• Edge device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. Specify the authentication type that must be used during verification of the credentials of the remote VPN gateways: the VPN firewall’s user database, an external RADIUS-PAP server, or an external RADIUS-CHAP server.
• IPSec host. The VPN firewall functions as a VPN client of the remote gateway. Authentication occurs at the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the VPN firewall must be specified on the remote gateway.

After you have enabled XAUTH, you must establish user accounts in the VPN firewall’s local user database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. If you use a RADIUS-PAP server for authentication, XAUTH first checks the VPN firewall local user database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.
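The two RADIUS authentication types named above differ in what they put on the wire. The following Python is an added example, not part of the manual and not NETGEAR’s code, that builds RADIUS Access-Request packets as RFC 2865 describes them: a PAP request carries the user’s password hidden only by an MD5 keystream derived from the shared secret and the Request Authenticator, so anyone who holds the shared secret can recover it from captured traffic; a CHAP request carries a one-way MD5 response to a challenge, which the RADIUS server verifies against the password it has on file. The user name, NAS identifier, shared secret, password and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet code and attribute types used in this example.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_NAS_IDENTIFIER = 32
ATTR_CHAP_CHALLENGE = 60


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 describes: pad with NULs to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous ciphertext block), the first
    'previous block' being the 16-byte Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo the hiding. This is exactly what the server does, and what anyone else with the
    shared secret and a packet capture can do too: PAP does not protect the password itself."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 2865 section 5.3): MD5(Ident + password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(identifier: int, username: str, nas_identifier: str, secret: bytes,
                         *, pap_password: bytes = None, chap=None, authenticator: bytes = None) -> bytes:
    """Build an Access-Request carrying User-Name, NAS-Identifier and either a PAP User-Password
    or a CHAP-Password plus CHAP-Challenge. chap is a tuple (ident, password, challenge)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode())
    if pap_password is not None:
        attrs += _attr(ATTR_USER_PASSWORD, pap_hide_password(pap_password, secret, authenticator))
    if chap is not None:
        ident, password, challenge = chap
        attrs += _attr(ATTR_CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
        attrs += _attr(ATTR_CHAP_CHALLENGE, challenge)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list that follows the 20-byte header; returns {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_verify_chap(packet: bytes, stored_password: bytes) -> bool:
    """Server-side CHAP check. Note that the server needs the cleartext password on file,
    which is why CHAP-capable RADIUS servers keep passwords recoverable."""
    attrs = parse_attributes(packet)
    ident, response = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, packet[4:20])  # Request Authenticator if no challenge attr
    return hmac.compare_digest(response, chap_response(ident, stored_password, challenge))


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))  # constructed values
    pap = build_access_request(7, "alice", "fvs336g-nas", secret, pap_password=b"correct horse", authenticator=ra)
    print("PAP password recovered with the secret:", pap_reveal_password(parse_attributes(pap)[ATTR_USER_PASSWORD], secret, ra))
    chap = build_access_request(8, "alice", "fvs336g-nas", secret, chap=(3, b"correct horse", b"\x11" * 16))
    print("CHAP verifies:", server_verify_chap(chap, b"correct horse"))
```

The practical consequence for the RADIUS client settings later in this chapter is that the Secret Phrase protects the PAP password in transit only as well as the secret itself is protected, so it should be long, unique per NAS, and carried over a network segment that is not exposed.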
Enable and Configure Extended Authentication for VPN Clients

The following procedure describes how to enable and configure extended authentication (XAUTH) for VPN clients.

To enable and configure XAUTH:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.

4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.

5. Click the Login button. The Router Status screen displays.

6. If the IKE policy for which you want to configure XAUTH is associated with a VPN policy, first disable the VPN policy:
a. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings.
b. To disable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you want to change.
Note: When you use the VPN IPsec Wizard, the VPN and IKE policies that are added automatically have the same name.
d. Click the Disable button. The VPN policy is disabled. The green circle to the left of the VPN policy turns gray.

7. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.

8. To change an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The IKE Policies screen for IPv6 displays.

9. In the List of IKE Policies table, click the Edit button for the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays.
10. Locate the Extended Authentication section.

11. Enter the settings as described in the following table.

Select a radio button to specify whether Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP.
• IPSec Host. The VPN firewall functions as a VPN client of the remote gateway. In this configuration, the VPN firewall is authenticated by a remote gateway with a user name and password combination.

Authentication Type: For an Edge Device configuration, from the menu, select an authentication type:
• User Database. XAUTH occurs through the VPN firewall’s local user database. For information about adding users, see Manage User Accounts on page 498.
• Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The VPN firewall first checks its local user database. If the user account is not present in the local user database, the VPN firewall connects to a RADIUS server. For more information, see Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client on page 392.
• Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client on page 392.

Username: The user name for XAUTH.

Password: The password for XAUTH.

12. Click the Apply button. Your settings are saved.

13. If you disabled the VPN policy with which the IKE policy for which you configured XAUTH is associated, reenable the VPN policy:
a. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings.
b. To reenable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you changed.
d. Click the Enable button. The VPN policy is reenabled. The gray circle to the left of the VPN policy turns green.

RADIUS

Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources.

During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user must provide authentication information such as a user name and password or some encrypted response using the user name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.

After you configure the RADIUS servers for the VPN firewall’s RADIUS client (see Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client on page 392), you can select the RADIUS authentication protocol (PAP or CHAP) when you add or change an IKE policy. For more information, see Manually Add an IKE Policy on page 368 and Change an IKE Policy on page 375.

Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client

The following procedure describes how to configure the primary and backup RADIUS servers for the VPN firewall’s RADIUS client, which is used for extended authentication.

To configure primary and backup RADIUS servers for the VPN firewall’s RADIUS client:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.

4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.

6. Select VPN > IPSec VPN > RADIUS Client. The RADIUS Client screen displays.

7. Enter the settings as described in the following table.

Primary RADIUS Server: To enable and configure the primary RADIUS server, select the Yes radio button and enter the settings for the three fields to the right. By default, the No radio button is selected.

Primary Server IP Address: The IPv4 address of the primary RADIUS server.

Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase must be configured on both the client and the server.

Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that must be present in a RADIUS request. The VPN firewall functions as an NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS must provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the VPN firewall’s IP address might be sufficient as an identifier, or the server might require a name, which you must enter in the Primary Server NAS Identifier field.

Backup RADIUS Server: To enable and configure the backup RADIUS server, select the Yes radio button and enter the settings for the three fields to the right. By default, the No radio button is selected.

Backup Server IP Address: The IPv4 address of the backup RADIUS server.

Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server. The same secret phrase must be configured on both the client and the server.

Backup Server NAS Identifier: The backup Network Access Server (NAS) identifier that must be present in a RADIUS request. The VPN firewall functions as an NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS must provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the VPN firewall’s IP address might be sufficient as an identifier, or the server might require a name, which you must enter in the Backup Server NAS Identifier field.

Connection Configuration

Time out period: The period in seconds that the VPN firewall waits for a response from a RADIUS server. The default setting is 30 seconds.

Maximum Retry Counts: The maximum number of times that the VPN firewall attempts to connect to a RADIUS server. The default setting is 4 retry counts.

8. Click the Apply button. Your settings are saved.

Assign IPv4 Addresses to Remote Users

The following sections provide information about how to configure Mode Config:
• Mode Config Overview
• Configure Mode Config Operation on the VPN Firewall
• Configure the NETGEAR ProSAFE VPN Client for Mode Config Operation
• Test the Mode Config Connection
• Change a Mode Config Record
• Remove One or More Mode Config Records

Mode Config Overview

To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to automatically assign IPv4 addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address. The VPN firewall assigns to remote users IP addresses from a secured network space so that the remote users appear as seamless extensions of the network. You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients.

During the establishment of a VPN tunnel, after the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask, WINS server, and DNS address from the VPN firewall. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPSec policy, using the information that you specify in the Traffic Tunnel Security Level section of the Mode Config record. For more information, see Configure Mode Config Operation on the VPN Firewall on page 395.

Note: After configuring a Mode Config record, you must manually add or change an IKE policy and select the newly created Mode Config record (see Configure Mode Config Operation on the VPN Firewall on page 395).

Configure Mode Config Operation on the VPN Firewall

To configure Mode Config on the VPN firewall, first create a Mode Config record and then select the Mode Config record for an IKE policy. The following procedure lets you create a new IKE policy rather than adding the Mode Config record to an existing IKE policy.

To configure Mode Config on the VPN firewall:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.

4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.

5. Click the Login button. The Router Status screen displays.

6. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays. As an example, the screen shows two existing Mode Config records with the names EMEA Sales and Americas Sales:
• For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and a second pool (172.16.200.1 through 172.16.200.99) are shown.
• For Americas Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through 172.25.220.99) are shown.

7. Under the List of Mode Config Records table, click the Add button. The Add Mode Config Record screen displays.
8. Enter the settings as described in the following table.

Client Pool

Record Name: A descriptive name of the Mode Config record for identification and management purposes.

First Pool, Second Pool, Third Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional. To specify any client pool, enter the starting IP address for the pool in the Starting IP field, and enter the ending IP address for the pool in the Ending IP field.
Note: No IP pool may fall within the range of the local network IP addresses. Use a different range of private IP addresses such as 172.16.xxx.xx.

WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.

DNS Server: In the Primary field, enter the IP address of the DNS server that is used by remote VPN clients. You can enter the IP address of a second DNS server in the Secondary field.

Traffic Tunnel Security Level

Note: Generally, the default settings work well for a Mode Config configuration.

PFS Key Group: Select the PFS Key Group check box on the left to enable Perfect Forward Secrecy (PFS), and select a Diffie-Hellman (DH) group from the corresponding menu on the right. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the menu, select the strength:
• Group 1 (768 bit)
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit)

SA Lifetime: The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and must be renegotiated. From the SA Lifetime menu on the right, select how you must specify the SA lifetime in the SA Lifetime field on the left:
• Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default setting is 3600 seconds.
• KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.

Encryption Algorithm: From the menu, select the algorithm to negotiate the security association (SA):
• None. No encryption.
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.

Integrity Algorithm: From the menu, select the algorithm to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.

Local IP Address: The local IP address to which remote VPN clients have access. If you do not specify a local IP address, the VPN firewall’s default LAN IP address is used (by default, 192.168.1.1).

Local Subnet Mask: The local subnet mask. Typically, this is 255.255.255.0.
Note: If you do not specify a local IP address, you do not need to specify a subnet either.

9. Click the Apply button. Your settings are saved. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. (You can also change an existing IKE policy.)

10. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.

11. To add an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The IKE Policies screen for IPv6 displays.

12. Under the List of IKE Policies table, click the Add button. The Add IKE Policy screen displays. The Add IKE Policy screen for IPv4 is identical to the Add IKE Policy screen for IPv6.
Note: You can configure an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients.
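The following Python is an added example, not code from the manual or from NETGEAR, that checks a Mode Config record against the rules the Mode Config table states (a first pool is required, no pool may fall within the local network range, the SA lifetime minimums of 300 seconds or 1920000 KB, a valid local address and mask) plus an assumed deployment policy of our own that flags the None, DES and 3DES encryption options, MD5 integrity, disabled PFS and DH Group 1 as weak, and then hands out pool addresses to connecting clients the way the Mode Config overview describes. The EMEA Sales pools are the ones the manual’s example screen shows; the LAN 192.168.1.0/24 is assumed from the firewall’s default LAN address 192.168.1.1 and the typical 255.255.255.0 mask; the client identifiers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimum SA lifetimes as the Mode Config table states them.
MIN_SA_LIFETIME = {"Seconds": 300, "KBytes": 1920000}

# Assumed deployment policy (ours, not the manual's): the manual lists these options without rating them.
WEAK_ENCRYPTION = {"None", "DES", "3DES"}
WEAK_INTEGRITY = {"MD5"}
WEAK_DH_GROUPS = {"Group 1 (768 bit)"}


@dataclass
class ModeConfigRecord:
    name: str
    pools: List[Tuple[str, str]]               # (Starting IP, Ending IP); first pool required, up to three
    sa_lifetime: int = 3600                    # defaults below mirror the table's defaults
    sa_lifetime_unit: str = "Seconds"
    encryption: str = "3DES"
    integrity: str = "SHA-1"
    pfs_group: Optional[str] = "Group 2 (1024 bit)"   # None when the PFS Key Group check box is cleared
    local_ip: Optional[str] = None
    local_mask: Optional[str] = None


def validate_record(record: ModeConfigRecord, lan_network: str) -> List[str]:
    """Return a list of findings; an empty list means the record passes every check."""
    findings = []
    lan = ipaddress.IPv4Network(lan_network)
    if not record.pools:
        findings.append("First Pool is required")
    if len(record.pools) > 3:
        findings.append("at most three pools can be configured")
    seen = []
    for idx, (start, end) in enumerate(record.pools, 1):
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            findings.append(f"pool {idx}: Ending IP {end} is below Starting IP {start}")
            continue
        # The table's note: no pool may lie within the local network's address range.
        if s <= lan.broadcast_address and lan.network_address <= e:
            findings.append(f"pool {idx}: {start}-{end} overlaps the local network {lan}")
        for jdx, (ps, pe) in seen:
            if s <= pe and ps <= e:
                findings.append(f"pool {idx}: overlaps pool {jdx}")
        seen.append((idx, (s, e)))
    minimum = MIN_SA_LIFETIME.get(record.sa_lifetime_unit)
    if minimum is None:
        findings.append(f"unknown SA Lifetime unit {record.sa_lifetime_unit!r}")
    elif record.sa_lifetime < minimum:
        findings.append(f"SA Lifetime {record.sa_lifetime} {record.sa_lifetime_unit} is below the minimum of {minimum}")
    if record.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption algorithm {record.encryption} is weak; prefer AES-128 or stronger")
    if record.integrity in WEAK_INTEGRITY:
        findings.append(f"integrity algorithm {record.integrity} is weak; prefer SHA-1, the stronger option offered")
    if record.pfs_group is None:
        findings.append("PFS is disabled; compromise of the IKE keys would expose earlier tunnel keys")
    elif record.pfs_group in WEAK_DH_GROUPS:
        findings.append(f"PFS {record.pfs_group} is weak; prefer Group 5 (1536 bit)")
    if record.local_ip is not None:
        # Mask is only needed when a local address is given; 255.255.255.0 is the typical value.
        try:
            ipaddress.IPv4Network(f"{record.local_ip}/{record.local_mask or '255.255.255.0'}", strict=False)
        except ValueError as exc:
            findings.append(f"Local IP Address / Subnet Mask is invalid: {exc}")
    return findings


class PoolAllocator:
    """Hands out one address per connected client from the pools in order, as the overview
    describes, and returns it to the pool when the client disconnects."""

    def __init__(self, record: ModeConfigRecord):
        self.pools = [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)) for s, e in record.pools]
        self.leases = {}  # client identifier -> IPv4Address

    def allocate(self, client: str) -> Optional[str]:
        if client in self.leases:                 # a reconnecting client keeps its lease
            return str(self.leases[client])
        in_use = set(self.leases.values())
        for start, end in self.pools:
            addr = start
            while addr <= end:
                if addr not in in_use:
                    self.leases[client] = addr
                    return str(addr)
                addr += 1
        return None                               # every pool is exhausted

    def release(self, client: str) -> None:
        self.leases.pop(client, None)


if __name__ == "__main__":
    emea = ModeConfigRecord("EMEA Sales", [("172.16.100.1", "172.16.100.99"), ("172.16.200.1", "172.16.200.99")])
    for finding in validate_record(emea, "192.168.1.0/24"):
        print("EMEA Sales:", finding)
    allocator = PoolAllocator(emea)
    print("first client gets", allocator.allocate("client-1"))  # constructed client identifier
```

With the manual’s defaults the EMEA Sales record passes every rule the table states and draws only the 3DES finding from the assumed policy; a record whose pools sit inside 192.168.1.0/24, or whose lifetime is below the stated minimum, is rejected before it reaches the firewall.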