NETGEAR fvs114 - page 115

Reference Manual for the ProSafe VPN Firewall FVS114

Advanced Virtual Private Networking 6-27

202-10098-01, April 2005

Now, the traffic from devices within the range of the LAN subnet addresses on FVS114 A and

Gateway B will be authenticated using the certificates rather than via a shared key.

8. Set up Certificate Revocation List (CRL) checking.

a. Get a copy of the CRL from the CA and save it as a text file.

Note: The procedure for obtaining a CRL differs from a CA like Verisign and a CA such

as a Windows 2000 certificate server, which an organization operates for providing

certificates for its members. Follow the procedures of your CA.

b. From the main menu VPN section, click the CRL link.

c. Click Add to add a CRL.

d. Click Browse to locate the CRL file.

e. Click Upload.

Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by

IKE policies which use this CA.

Note: You must update the CRLs regularly in order to maintain the validity of the

certificate-based VPN policies.

Contents

Main ii 202-10098-01, April 2005 Trademarks Statement of Conditions Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice EN 55 022 Declaration of Conformance Page Page Contents Page Page Page Page Page Page Page Chapter 1 About This Manual Audience, Scope, Conventions, and Formats How to Use This Manual How to Print this Manual Page Chapter 2 Introduction Key Features of the VPN Firewall A Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents The FVS114 Front Panel 2-6 Introduction The FVS114 Rear Panel The rear panel of the FVS114 VPN Firewall contains the port connections listed below. Figure 2-2: FVS114 rear panel Table 2-1. LED Descriptions Introduction 2-7 NETGEAR-Related Products NETGEAR products related to the FVS114 are listed in the following table: NETGEAR Product Registration, Support, and Documentation Table 2-2. NETGEAR-Related Products Page Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVS114 ProSafe VPN Firewall First, Connect the FVS114 1. CONNECT THE CABLES BETWEEN THE FVS114, COMPUTER, AND MODEM &DEOH A B Cable 1 Internet port C D 2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE Now, Configure the FVS114 for Internet Access Page Troubleshooting Tips Connecting the Firewall to the Internet 3-7 Overview of How to Access the FVS114 VPN Firewall http://www.routerlogin.net/basicsetting.htm Table 3-1. Ways to access the firewall http://www.routerlogin.net http://www.routerlogin.com How to Log On to the FVS114 After Configuration Settings Have Been Applied How to Bypass the Configuration Assistant Using the Smart Setup Wizard How to Manually Configure Your Internet Connection Page Page Page Chapter 4 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview Block Sites Using Rules to Block or Allow Specific Kinds of Traffic Page Page Inbound Rules (Port Forwarding) Page Outbound Rules (Service Blocking) Page Order of Precedence for Rules Services Page Page Time Zone Getting E-Mail Notifications of Event Logs and Alerts Page Viewing Logs of Web Access or Attempted Web Access Syslog Chapter 5 Basic Virtual Private Networking Overview of VPN Configuration Client-to-Gateway VPN Tunnels 192.168.3.1 Gateway-to-Gateway VPN Tunnels FVS114 Planning a VPN VPN Gateway A VPN Gateway B Page VPN Tunnel Configuration How to Set Up a Client-to-Gateway VPN Configuration 192.168.3.1 FVS114 24.0.0.1 Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS114 The Summary screen below displays. Page Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC Page Page Page Page Page Page Monitoring the Progress and Status of the VPN Client Connection Transferring a Security Policy to Another Client Page Page How to Set Up a Gateway-to-Gateway VPN Configuration AB Procedure to Configure a Gateway-to-Gateway VPN Tunnel 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. 4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next. Page Page Page VPN Tunnel Control Activating a VPN Tunnel Page Page Verifying the Status of a VPN Tunnel Deactivating a VPN Tunnel Page Deleting a VPN Tunnel Chapter 6 Advanced Virtual Private Networking Overview of FVS114 Policy-Based VPN Configuration Using Policies to Manage VPN Traffic Using Automatic Key Management Page 6-4 Advanced Virtual Private Networking The IKE Policy Configuration fields are defined in the following table. Table 6-1. IKE Policy Configuration fields Advanced Virtual Private Networking 6-5 VPN Policy Configuration for Auto Key Negotiation Table 6-1. IKE Policy Configuration fields Page Advanced Virtual Private Networking 6-7 The VPN Auto Policy fields are defined in the following table. Table 6-1. VPN Auto Policy Configuration Fields 6-8 Advanced Virtual Private Networking Table 6-1. VPN Auto Policy Configuration Fields VPN Policy Configuration for Manual Key Exchange Page Advanced Virtual Private Networking 6-11 The VPN Manual Policy fields are defined in the following table. Table 6-1. VPN Manual Policy Configuration Fields 6-12 Advanced Virtual Private Networking 202-10098-01, April 2005 Table 6-1. VPN Manual Policy Configuration Fields Using Digital Certificates for IKE Auto-Policy Authentication Certificate Revocation List (CRL) Walk-Through of Configuration Scenarios on the FVS114 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets FVS114 Scenario 1: FVS114 to Gateway B IKE and VPN Policies Page Page Page Page How to Check VPN Connections FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates Page Page Page Page Page Page Page This screen shows the following parameters: Page Click Show Statistics to display firewall usage statistics. This screen shows the following statistics: WAN Status action buttons are described in the table below: Viewing a List of Attached Devices Upgrading the Firewall Software Configuration File Management Backing Up the Configuration Restoring the Configuration Erasing the Configuration Changing the Administrator Password Diagnostics Page Page Chapter 8 Advanced Configuration WAN Set u p Default DMZ Server Respond to Ping on Internet WAN Port How to Configure Dynamic DNS Page Using the LAN IP Setup Options Configuring LAN TCP/IP Setup Parameters Page Using the Firewall as a DHCP server Using Address Reservation Configuring Static Routes Page Static Route Example Enabling Remote Management Access Page Page UPnP Page Chapter 9 Troubleshooting Basic Functioning Power LED Not On LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the Web Configuration Interface Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall Testing the Path from Your PC to a Remote Device Restoring the Default Configuration and Password Problems with Date and Time Page Appendix A Technical Specifications Page Appendix B Network, Routing, and Firewall Basics Related Publications Basic Router Concepts What is a Router? Routing Information Protocol IP Addresses and the Internet Page Netmask Subnet Addressing Page Private IP Addresses Single IP Address Operation Using NAT MAC Addresses and Address Resolution Protocol Related Documents Domain Name Server IP Configuration by DHCP Internet Security and Firewalls What is a Firewall? Ethernet Cabling Category 5 Cable Quality Inside Twisted Pair Cables Uplink Switches, Crossover Cables, and MDI/MDIX Switching Page Page Appendix C Virtual Private Networking What is a VPN? What Is IPSec and How Does It Work? IPSec Security Features IPSec Components Encapsulating Security Payload (ESP) Authentication Header (AH) IKE Security Association Page Key Management Understand the Process Before You Begin VPN Process Overview Network Interfaces and Addresses VPN Tunnel Between Gateways VPN Gateway A VPN Gateway B IPSec Security Association IKE VPN Tunnel Negotiation Steps VPNC IKE Security Parameters VPNC IKE Phase I Parameters VPNC IKE Phase II Parameters Testing and Troubleshooting Additional Reading Page Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking Configuring Windows 95, 98, and Me for TCP/IP Networking Install or Verify Windows Networking Components Page Enabling DHCP to Automatically Configure TCP/IP Settings Locate your Network Neighborhood icon. Page Selecting Windows Internet Access Method Verifying TCP/IP Properties Configuring Windows NT4, 2000 or XP for IP Networking Install or Verify Windows Networking Components Enabling DHCP to Automatically Configure TCP/IP Settings DHCP Configuration of TCP/IP in Windows XP Page DHCP Configuration of TCP/IP in Windows 2000 Page Page DHCP Configuration of TCP/IP in Windows NT4 Page Verifying TCP/IP Properties for Windows XP, 2000, and NT4 Configuring the Macintosh for TCP/IP Networking MacOS 8.6 or 9.x MacOS X Verifying TCP/IP Properties for Macintosh Computers Verifying the Readiness of Your Internet Account Are Login Protocols Used? What Is Your Configuration Information? Obtaining ISP Configuration Information for Windows Computers Obtaining ISP Configuration Information for Macintosh Computers Restarting the Network Page Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric A B C D E G I L M P Q R S T U W