Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

After you have set up the Mode Config configuration on both the VPN client and the VPN firewall, test the configuration to make sure that the VPN firewall does assign an IP address to the VPN client.

To test the Mode Config connection from the VPN client to the VPN firewall:

1. On the computer that has the VPN client installed, right-click the system tray icon and select Open tunnel ‘Tunnel_ModeConfig’.
   When the tunnel opens successfully, the Tunnel opened message displays above the system tray and the VPN client displays a green icon in the system tray.
2. Verify that the VPN firewall issues an IP address to the VPN client.
3. In the tree list pane of the Configuration Panel screen, right-click the IPSec configuration.
   In the following figure, the name of the IPSec configuration is GW_ModeConfig. (The default name is Tunnel.) The figure shows the upper part of the IPSec pane of the VPN client only.
   This IP address displays in the VPN Client address field.
4. From the client computer, try to access a device or web address on the LAN of the VPN firewall.

Change a Mode Config Record

The following procedure describes how to change an existing Mode Config record.

Note: Before you change a Mode Config record, make sure that it is not used in an IKE policy. If it is, temporarily remove the Mode Config record from the IKE policy. For information about how to change an IKE policy, see Change an IKE Policy on page 375.

To change a Mode Config record:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > Mode Config.
   The Mode Config screen displays.
7. In the List of Mode Config Records table, click the Edit button for the record that you want to change.
   The Edit Mode Config Record screen displays.
8. Change the settings.
   For information about the settings, see Configure Mode Config Operation on the VPN Firewall on page 395.
9. Click the Apply button.
   Your settings are saved. The modified Mode Config record displays in the List of Mode Config Records table on the Mode Config screen.

Remove One or More Mode Config Records

The following procedure describes how to remove one or more Mode Config records that you no longer need in IKE policies.

Note: Before you remove a Mode Config record, make sure that it is not used in an IKE policy. If it is, remove the Mode Config record from the IKE policy. For information about how to change an IKE policy, see Change an IKE Policy on page 375.

To remove one or more Mode Config records:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > Mode Config.
   The Mode Config screen displays.
7. In the List of Mode Config Records table, select the check box to the left of each record that you want to remove or click the Select All button to select all records.
8. Click the Delete button.
   The selected Mode Config records are removed from the List of Mode Config Records table.

Manage Keep-Alives and Dead Peer Detection

The following sections provide information about how to configure keep-alives and Dead Peer Detection:
• Keep-Alive and Dead Peer Detection Overview
• Configure Keep-Alives
• Configure Dead Peer Detection

Keep-Alive and Dead Peer Detection Overview

In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require a VPN tunnel to remain connected, you can use the keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason.

DPD lets the VPN firewall maintain the IKE SA by exchanging periodic messages with the remote VPN peer. For DPD to function, the peer VPN device on the other end of the tunnel also must support DPD. The keep-alive feature, though less reliable than DPD, does not require any support from the peer device. The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies.

Configure Keep-Alives

The following procedure describes how to configure the keep-alive feature for an existing VPN policy.

To configure the keep-alive feature for an existing VPN policy:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Policies.
   The VPN Policies screen displays the IPv4 settings.
7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The VPN Policies screen displays the IPv6 settings.
8. In the List of VPN Policies table, click the Edit button for the VPN policy that you want to change.
   The Edit VPN Policy screen displays. The following figure shows only the top part with the General section of the Edit VPN Policy screen for IPv6. The Edit VPN Policy screen for IPv4 is identical to the Edit VPN Policy screen for IPv6.
9. Enter the settings as described in the following table.
10. Click the Apply button.
    Your settings are saved.

Setting: Description

Enable Keepalive: To enable the keep-alive feature, select the Yes radio button. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
Ping IP Address: The IP address that the VPN firewall pings. The address must be of a host that can respond to ICMP ping requests.
Detection Period: The period in seconds between the keep-alive requests. The default setting is 10 seconds.
Reconnect after failure count: The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default setting is 3 keep-alive requests.
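
The following Python model is an added example, not code from the NETGEAR manual or firmware. It steps through the Detection Period and Reconnect after failure count settings to show how long a failed peer goes unnoticed with the defaults, and why a keep-alive Ping IP Address host that stops answering ICMP tears down a healthy tunnel while DPD, as described in the overview, does not. The function names and the rule that a reply or observed traffic resets the failure counter are assumptions of this model.

```python
def simulate(period, max_failures, reply_ok, busy=lambda t: False, horizon=300):
    """Step through the probe timer and return (teardown_time, probes_sent).

    period       -- Detection Period in seconds
    max_failures -- Reconnect after failure count
    reply_ok(t)  -- True if a probe sent at second t is answered
    busy(t)      -- True if IPSec traffic flowed in the period ending at t;
                    DPD skips its probe then, keep-alive never skips
    Assumption: a reply or observed traffic resets the failure counter.
    """
    failures = probes = 0
    for t in range(period, horizon + 1, period):
        if busy(t):
            failures = 0
            continue
        probes += 1
        if reply_ok(t):
            failures = 0
            continue
        failures += 1
        if failures >= max_failures:
            return t, probes          # tunnel torn down, reconnect attempted
    return None, probes               # tunnel stayed up for the whole run


# Constructed scenarios using the defaults from the manual (10 s, 3 failures).
PERIOD, MAX_FAILURES = 10, 3

def peer_dies_at_25():
    """Remote gateway fails at t=25: keep-alive and DPD behave the same."""
    return simulate(PERIOD, MAX_FAILURES, lambda t: t < 25)

def ping_host_dies_at_25():
    """Only the keep-alive ping target stops answering; the peer is healthy."""
    keepalive = simulate(PERIOD, MAX_FAILURES, lambda t: t < 25)
    dpd = simulate(PERIOD, MAX_FAILURES, lambda t: True)
    return keepalive, dpd

def busy_then_idle():
    """Traffic flows until t=60, then the tunnel is idle; nothing fails."""
    keepalive = simulate(PERIOD, MAX_FAILURES, lambda t: True, horizon=120)
    dpd = simulate(PERIOD, MAX_FAILURES, lambda t: True,
                   busy=lambda t: t <= 60, horizon=120)
    return keepalive, dpd

if __name__ == "__main__":
    print("peer dies at 25 s      ->", peer_dies_at_25())
    print("ping host dies at 25 s ->", ping_host_dies_at_25())
    print("busy, then idle        ->", busy_then_idle())
```

In this model a failure goes undetected for between (count - 1) and count detection periods, so lowering either setting shortens recovery time at the cost of more reconnects on a lossy link.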

Configure Dead Peer Detection

The following procedure describes how to configure Dead Peer Detection for an existing IKE policy.

To configure Dead Peer Detection for an existing IKE policy:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. If the IKE policy for which you want to configure Dead Peer Detection is associated with a VPN policy, first disable the VPN policy:
   a. Select VPN > IPSec VPN > VPN Policies.
      The VPN Policies screen displays the IPv4 settings.
   b. To disable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
      The VPN Policies screen displays the IPv6 settings.
   c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you want to change.
      Note: When you use the VPN IPsec Wizard, the VPN and IKE policies that are added automatically have the same name.
   d. Click the Disable button.
      The VPN policy is disabled. The green circle to the left of the VPN policy turns gray.
7. Select VPN > IPSec VPN.
   The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.
8. To change an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The IKE Policies screen for IPv6 displays.
9. In the List of IKE Policies table, click the Edit button for the IKE policy that you want to change.
   The Edit IKE Policy screen displays. The following figure shows only the IKE SA Parameters section. The Edit IKE Policy screen for IPv4 and the Edit IKE Policy screen for IPv6 are identical.
10. In the IKE SA Parameters section, locate the Dead Peer Detection fields and enter the settings as described in the following table.
11. Click the Apply button.
    Your settings are saved.
12. If you disabled the VPN policy with which the IKE policy for which you configured Dead Peer Detection is associated, reenable the VPN policy:
    a. Select VPN > IPSec VPN > VPN Policies.
       The VPN Policies screen displays the IPv4 settings.
    b. To reenable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
       The VPN Policies screen displays the IPv6 settings.
    c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you changed.
    d. Click the Enable button.
       The VPN policy is reenabled. The gray circle to the left of the VPN policy turns green.

Setting: Description

Enable Dead Peer Detection: To enable Dead Peer Detection, select the Yes radio button. If the VPN firewall detects an IKE connection failure, it removes the IPSec and IKE SA and forces a reestablishment of the connection. You must specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle. The default setting is 10 seconds.
Reconnect after failure count: The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default setting is 3 failures.

Configure NetBIOS Bridging with IPSec VPN

Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services such as naming and neighborhood device discovery. Because VPN routers do not usually pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the VPN firewall to bridge NetBIOS traffic over the VPN tunnel.

To enable NetBIOS bridging on an existing VPN tunnel:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > IPSec VPN > VPN Policies.
   The VPN Policies screen displays the IPv4 settings.
7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
   The VPN Policies screen displays the IPv6 settings.
8. In the List of VPN Policies table, click the Edit button for the VPN policy that you want to change.
   The Edit VPN Policy screen displays. The following figure shows only the top part with the General section of the Edit VPN Policy screen for IPv6. The Edit VPN Policy screen for IPv4 is identical to the Edit VPN Policy screen for IPv6.
9. Select the Enable NetBIOS? check box.
10. Click the Apply button.
    Your settings are saved.

Manage the PPTP Server

The following sections provide information about how to manage the PPTP server:

• PPTP Servers Overview
• Enable and Configure the PPTP Server
• View the Active PPTP Users and Disconnect Active Users

PPTP Servers Overview

As an alternative to IPSec VPN and L2TP tunnels, you can configure a Point-to-Point Tunnel Protocol (PPTP) server on the VPN firewall to allow users to access PPTP clients over PPTP tunnels. A maximum of 25 simultaneous PPTP user sessions are supported. (The very first IP address of the PPTP address pool is used for distribution to the VPN firewall.)

A PPTP user typically initiates a tunnel request; the PPTP server accommodates the tunnel request and assigns an IP address to the user. After a PPTP tunnel is established, the user can connect to a PPTP client that is located behind the VPN firewall.

You must enable the PPTP server on the VPN firewall, specify a PPTP server address pool, and create PPTP user accounts. (PPTP users are authenticated through local authentication with geardomain.) For information about how to create PPTP user accounts, see Manage User Accounts on page 498.

Enable and Configure the PPTP Server

The following procedure describes how to enable and configure the PPTP server.

To enable the PPTP server and configure the PPTP server pool, authentication, and encryption:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > PPTP Server.
   The PPTP Server screen displays. The following figure shows an example.