Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking With IPSec Connections 419 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

7. Enter the settings as described in the following table.

Setting: Description
PPTP Server
Enable: To enable the PPTP server, select the Enable check box.
Start IP Address: Type the first IP address of the address pool.
End IP Address: Type the last IP address of the address pool. A maximum of 26 contiguous addresses can be part of the pool. (The first address of the pool cannot be assigned to a user.)
User time out: Enter the time-out period in seconds, from 0 to 999 seconds. The default is 0 seconds. If there is no traffic from a user, the connection is disconnected after the specified period.
Authentication: Select one or more of the following authentication methods to authenticate PPTP users:
• PAP. RADIUS-Password Authentication Protocol (PAP).
• CHAP. RADIUS-Challenge Handshake Authentication Protocol (CHAP).
• MSCHAP. RADIUS-Microsoft CHAP (MSCHAP).
• MSCHAPv2. RADIUS-Microsoft CHAP version 2 (MSCHAPv2).
Encryption: If the authentication is MSCHAP or MSCHAPv2, the PPTP server can support Microsoft Point-to-Point Encryption (MPPE). Select one or more of the following types of MPPE:
• MPPE-40. MPPE 40-bit encryption.
• MPPE-128. MPPE 128-bit encryption. This is the most secure type of MPPE encryption.
• MPPE-stateful. Stateful MPPE encryption. This is the least secure type of MPPE encryption.

8. Click the Apply button.
Your settings are saved.
View the Active PPTP Users and Disconnect Active Users

The following procedure describes how to view all active PPTP users and disconnect active PPTP users.

To view all active PPTP users and disconnect active PPTP users:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Connection Status > PPTP Active Users.
The PPTP Active Users screen displays. The following figure does not show any active users.
The List of PPTP Active Users table lists each active connection with the information that is described in the following table.

Item: Description
Username: The name of the PPTP user that you defined (see Manage User Accounts on page 498).
Remote IP: The remote client’s IP address.
PPTP IP: The IP address that is assigned by the PPTP server on the VPN firewall.
Action: The Disconnect button lets you terminate an active PPTP connection. (This button displays only if an active PPTP connection exists.)

7. To disable an active PPTP user, in the List of PPTP Active Users table, click the corresponding Disconnect button.
The user is disconnected.
8. To disable another active PPTP user, repeat Step 7.

Manage the L2TP Server

The following sections provide information about how to manage the L2TP server:
•L2TP Servers Overview
•Enable and Configure the L2TP Server
•View the Active L2TP Users and Disconnect Active Users

L2TP Servers Overview

As an alternative to IPSec VPN tunnels, you can configure a Layer 2 Tunneling Protocol (L2TP) server on the VPN firewall to allow users to access L2TP clients over L2TP tunnels. A maximum of 25 simultaneous L2TP user sessions are supported. (The very first IP address of the L2TP address pool is used for distribution to the VPN firewall.)

An L2TP Access Concentrator (LAC) typically initiates a tunnel to fulfill a connection request from an L2TP user; the L2TP server accommodates the tunnel request. After an L2TP tunnel is established, the L2TP user can connect to an L2TP client that is located behind the VPN firewall.

Note: IPSec VPN provides stronger authentication and encryption than L2TP. (Packets that traverse the L2TP tunnel are not encapsulated by IPSec.)

You must enable the L2TP server on the VPN firewall, specify an L2TP server address pool, and create L2TP user accounts. (L2TP users are authenticated through local authentication with geardomain.) For information about how to create L2TP user accounts, see Manage User Accounts on page 498.

Enable and Configure the L2TP Server

The following procedure describes how to enable and configure the L2TP server.
To enable the L2TP server and configure the L2TP server pool:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > L2TP Server.
The L2TP Server screen displays. The following figure shows an example.
7. Enter the settings as described in the following table.

Setting: Description
L2TP Server Configuration
Enable: To enable the L2TP server, select the Enable check box.
Starting IP Address: The first IP address of the pool. This address is used for distribution to the VPN firewall.
Ending IP Address: The last IP address of the pool. A maximum of 26 contiguous addresses is supported. (The first address of the pool cannot be assigned to a user.)
Idle Timeout: The period after which an idle user is automatically logged out of the L2TP server. The default idle time-out period is 5 minutes.
Authentication: Select one or more of the following authentication methods to authenticate L2TP users:
• PAP. RADIUS-Password Authentication Protocol (PAP).
• CHAP. RADIUS-Challenge Handshake Authentication Protocol (CHAP).
• MSCHAP. RADIUS-Microsoft CHAP (MSCHAP).
• MSCHAPv2. RADIUS-Microsoft CHAP version 2 (MSCHAPv2).

8. Click the Apply button.
Your settings are saved.

View the Active L2TP Users and Disconnect Active Users

The following procedure describes how to view all active L2TP users and disconnect active L2TP users.

To view all active L2TP users and disconnect active L2TP users:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Connection Status > L2TP Active Users.
The L2TP Active Users screen displays. The following figure does not show any active users.
The List of L2TP Active Users table lists each active connection with the information that is described in the following table.

Item: Description
Username: The name of the L2TP user that you have defined (see Manage User Accounts on page 498).
Remote IP: The client’s IP address on the remote L2TP Access Concentrator (LAC).
L2TP IP: The IP address that is assigned by the L2TP server on the VPN firewall.
Action: The Disconnect button lets you terminate an active L2TP connection. (This button displays only if an active L2TP connection exists.)

7. To disable an active L2TP user, in the List of L2TP Active Users table, click the corresponding Disconnect button.
The user is disconnected.
8. To disable another active L2TP user, repeat Step 7.
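As an added example (not from the manual or from NETGEAR), the following Python checker applies the rules stated in the PPTP Server and L2TP Server tables above (26-address pool with a reserved first address, 25 sessions, 0 to 999 second time-out, MPPE only with MSCHAP or MSCHAPv2, MPPE-128 strongest and MPPE-stateful weakest, no IPSec encapsulation for L2TP) to a candidate configuration before it is typed into the firewall. The TunnelServer class and its field names are assumptions for this example, not the firewall's own interface.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_POOL = 26       # manual: at most 26 contiguous addresses in a pool
MAX_SESSIONS = 25   # manual: 25 simultaneous sessions; the first pool address is never assigned
AUTH_METHODS = {"PAP", "CHAP", "MSCHAP", "MSCHAPv2"}
MPPE_TYPES = {"MPPE-40", "MPPE-128", "MPPE-stateful"}


@dataclass
class TunnelServer:
    """Mirrors the PPTP Server / L2TP Server screens; class and field names are assumptions."""
    kind: str                 # "PPTP" or "L2TP"
    start_ip: str
    end_ip: str
    authentication: set
    encryption: set = field(default_factory=set)  # MPPE types, PPTP only
    user_timeout: int = 0     # PPTP "User time out" in seconds, 0-999, 0 = never


def _pool_bounds(cfg):
    start = int(ipaddress.IPv4Address(cfg.start_ip))
    end = int(ipaddress.IPv4Address(cfg.end_ip))
    return start, end, end - start + 1


def assignable_addresses(cfg):
    """Addresses the server can hand to users: the pool minus its reserved first address."""
    start, end, _ = _pool_bounds(cfg)
    return [str(ipaddress.IPv4Address(a)) for a in range(start + 1, end + 1)][:MAX_SESSIONS]


def check_config(cfg):
    """Return (severity, message) findings; an empty list means the settings are consistent."""
    findings = []
    _, _, size = _pool_bounds(cfg)
    if size < 2:
        findings.append(("error", "pool needs at least 2 addresses: the first is never assigned"))
    elif size > MAX_POOL:
        findings.append(("error", f"pool holds {size} addresses, maximum is {MAX_POOL}"))
    if not cfg.authentication or cfg.authentication - AUTH_METHODS:
        findings.append(("error", f"authentication must be a non-empty subset of {sorted(AUTH_METHODS)}"))
    if "PAP" in cfg.authentication:
        findings.append(("warning", "PAP sends the password without a challenge-response; prefer MSCHAPv2"))
    if cfg.kind == "PPTP":
        if not 0 <= cfg.user_timeout <= 999:
            findings.append(("error", "user time out must be between 0 and 999 seconds"))
        if cfg.encryption and not (cfg.authentication & {"MSCHAP", "MSCHAPv2"}):
            findings.append(("error", "MPPE is only available with MSCHAP or MSCHAPv2 authentication"))
        if "MPPE-stateful" in cfg.encryption:
            findings.append(("warning", "MPPE-stateful is the least secure MPPE type"))
        if cfg.encryption and "MPPE-128" not in cfg.encryption:
            findings.append(("warning", "MPPE-128, the most secure MPPE type, is not offered"))
    elif cfg.kind == "L2TP":
        findings.append(("warning", "L2TP tunnel packets are not encapsulated by IPSec"))
    return findings
```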
9. Set Up Virtual Private Networking with SSL Connections

This chapter describes how to use the SSL VPN solution of the VPN firewall to provide remote access for mobile users to their corporate resources.

The chapter contains the following sections:
•SSL VPN Portals Overview
•Build an SSL Portal Using the SSL VPN Wizard
•Access a Custom SSL VPN Portal
•Manually Set Up or Change an SSL Portal
SSL VPN Portals Overview

The following sections provide concept information about the SSL VPN portal:
•SSL VPN Capabilities
•SSL Tunnels
•SSL Port Forwarding
•Build and Access an SSL Portal

SSL VPN Capabilities

The VPN firewall integrates a hardware-based SSL VPN engine that can provide mobile users remote access to their corporate resources. With SSL VPN, remote users do not need to install a VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, which is common for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser. When the authentication and encryption negotiation are successful, the server and client establish an encrypted connection.

With support for up to five dedicated SSL VPN tunnels, the VPN firewall allows users to easily access the remote network from virtually any available platform. You can customize a secure user portal and assign a level of SSL service. The VPN firewall’s SSL VPN portal can provide two levels of SSL service to the remote user: SSL VPN tunnel and SSL port forwarding. The SSL VPN portal can present the remote user with one or both of these SSL service levels, depending on how you set up the configuration.

SSL Tunnels

With an SSL VPN tunnel, the VPN firewall provides full network connectivity of a VPN tunnel using the remote user’s browser. The SSL capability of the user’s browser provides authentication and encryption, establishing a secure connection to the VPN firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote computer to allow the remote user to virtually join the corporate network. The SSL VPN client provides a Point-to-Point Protocol (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s computer. The VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing the remote computer to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.

SSL Port Forwarding

Like an SSL VPN tunnel, SSL port forwarding is a web-based client that is installed transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs from an SSL VPN tunnel in several ways:
•Port forwarding supports only TCP connections, not UDP connections or connections using other IP protocols.
•Port forwarding detects and reroutes individual data streams on the user’s computer to the port forwarding connection rather than opening up a full tunnel to the corporate network.
•Port forwarding offers more fine-grained management than an SSL VPN tunnel. You define individual applications and resources that are available to remote users.

Note: Any applications and services that you do not select for SSL port forwarding are not visible from the SSL VPN portal. However, if users know the IP address of an application or service, they can still access it unless you create SSL VPN access policies to prevent access to the application or service. For information about access policies, see Configure User, Group, and Global Policies on page 473.

Build and Access an SSL Portal

You can either use the SSL VPN Wizard to build a basic portal or you can build the portal manually, which gives you more granularity. If you use the SSL VPN Wizard to build a basic portal, you can also refine the portal settings manually after you have set up the portal. For more information, see the following sections:
•Build an SSL Portal Using the SSL VPN Wizard
•Manually Set Up or Change an SSL Portal

After you have built the custom portal, you access it at a different URL from the default SSL VPN portal that provides access to the web management interface. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named Support, then users access the subsite at https://vpn.company.com/portal/Support. For more information, see Access a Custom SSL VPN Portal on page 440.

Note: All screens that you can access from the SSL VPN menu of the web management interface display a User Portal link in the upper right, above the menu bars. When you click the User Portal link, the SSL VPN default portal opens. This default portal is not the same as a custom SSL portal login screen that you can build with the SSL VPN Wizard or manually.

Build an SSL Portal Using the SSL VPN Wizard

The following sections provide information about using the SSL VPN Wizard to build an SSL portal:
•SSL VPN Wizard Overview
•Build an SSL Portal with the SSL VPN Wizard
SSL VPN Wizard Overview

This section provides an overview of the SSL VPN Wizard. For more information about how to set up a portal, see Build an SSL Portal with the SSL VPN Wizard on page 429.

The SSL VPN Wizard helps you set up an SSL VPN client connection by guiding you through six screens, the last of which lets you save the SSL VPN policy:
•Step 1 of 6. Create the portal layout and theme. In Step 1, you specify the banner that the portal displays and whether the portal provides full network connectivity, access to specific defined network services through port forwarding, or both. In addition, you can set up HTTP meta tags for cache control and ActiveX web cache cleaner.
•Step 2 of 6. Create a new domain for SSL users. In Step 2, you create a new domain for the portal and specify the type of authentication. You can also use the default domain (geardomain).
•Step 3 of 6. Create a new SSL user. In Step 3, you create one new SSL VPN user account for the portal and the selected domain. You must create one user account; otherwise, the SSL VPN Wizard cannot create the portal. After the portal is created, you can provide more SSL VPN users access to the portal. The VPN firewall automatically adds a user policy that permits access for the user account that you define with the SSL VPN Wizard.
•Step 4 of 6. Set up a client address range and client routes. The settings in Step 4 apply only if the portal provides full network connectivity. These settings do not apply if the portal provides access to specific defined network services through port forwarding. In Step 4, you set up the client IP address range. For split tunnel mode, you must also set up client routes to specific networks that are accessible to clients. Client routes do not apply to full tunnel mode because clients have access to the entire LAN network.
•Step 5 of 6. Set up port forwarding. The settings in Step 5 apply only if the portal provides access to specific defined network services through port forwarding. These settings do not apply if the portal provides full network connectivity. In Step 5, you set up the local IP address of the server for the network service or application and the associated TCP port number. You can also set up an FQDN for the service or application.
•Step 6 of 6. Verify and save the settings.

After you have built the SSL portal with the SSL VPN Wizard, you can refine the portal and its associated settings through the following tasks: