Appendix C Virtual Private Networking | NETGEAR fvs114 specification

Appendix C

Virtual Private Networking

There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.

What is a VPN?

A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS).

A key aspect of data security is that the data flowing across the network is protected by encryption technologies. Private networks lack data security; so data attackers can tap directly into the network and read the data. IPSec-based VPNs use encryption to provide data security, which increases the network’s resistance to data tampering or theft.

IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.

VPNs are traditionally used for:

•Intranets: Intranets connect an organization’s locations. These locations range from the headquarters offices, to branch offices, to a remote employee’s home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limits connectivity. The cost of connecting home users is also very expensive compared to Internet-access technologies, such as DSL or cable. Because of this, organizations are moving their networks to the Internet, which is inexpensive, and using IPSec to create these networks.

Virtual Private Networking

C-1

202-10098-01, April 2005

Image 167

NETGEAR fvs114 manual Appendix C Virtual Private Networking, What is a VPN?

Contents

Reference Manual for the ProSafe VPN Firewall FVS114 Certificate of the Manufacturer/Importer TrademarksStatement of Conditions EN 55 022 Declaration of Conformance Product and Publication Details 202-10098-01, April Contents Chapter Firewall Protection Content Filtering Chapter Advanced Virtual Private Networking Chapter Advanced Configuration Appendix C Virtual Private Networking Appendix D Preparing Your Network Contents Xii Contents Manual Scope Chapter About This ManualAudience, Scope, Conventions, and Formats Typographical Conventions How to Use This Manual Printing the Full Manual How to Print this ManualPrinting a Page in the Html View Printing a Chapter Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Introduction Key Features of the VPN Firewall Security Powerful, True Firewall with Content Filtering Extensive Protocol Support Autosensing Ethernet Connections with Auto Uplink Maintenance and Support Easy Installation and Management Package Contents LED Descriptions FVS114 Rear Panel NETGEAR-Related Products DC power input ON/OFF switchNETGEAR-Related Products Netgear Product Registration, Support, and Documentation Reference Manual for the ProSafe VPN Firewall FVS114 First, Connect the FVS114 Connecting the Firewall to the InternetPrepare to Install Your FVS114 ProSafe VPN Firewall Modem VPN Firewall Restart Your Network in the Correct Sequence Status lights Now, Configure the FVS114 for Internet Access Netgear Smart Wizard Configuration Assistant welcome screen Make sure the Ethernet cables are securely plugged Troubleshooting TipsMake sure the network settings of the computer are correct Be sure to restart your network in this sequence Ways to access the firewall Overview of How to Access the FVS114 VPN Firewall Login URL Login result FVS114 home How to Bypass the Configuration Assistant Using the Smart Setup Wizard ISP Does Not Require Login How to Manually Configure Your Internet Connection Reference Manual for the ProSafe VPN Firewall FVS114 10 Basic Settings ISP list Reference Manual for the ProSafe VPN Firewall FVS114 Firewall Protection and Content Filtering Overview Chapter Firewall Protection Content Filtering Block Sites menu Block Sites Using Rules to Block or Allow Specific Kinds of Traffic Rules menu Reference Manual for the ProSafe VPN Firewall FVS114 Inbound Rule Example a Local Public Web Server Inbound Rules Port Forwarding Rule example a local public Web server Considerations for Inbound Rules Outbound Rules Service Blocking Rule example blocking Instant Messenger Outbound Rule Example Blocking Instant Messenger Rules table Order of Precedence for Rules Services menu Services Add Custom Service menu Schedule Using a Schedule to Block or Allow Specific Traffic Time Zone 10 E-mail menu Getting E-Mail Notifications of Event Logs and Alerts Reference Manual for the ProSafe VPN Firewall FVS114 11 Logs menu Viewing Logs of Web Access or Attempted Web Access Log entry descriptions SyslogLog entries are described in Table Log action buttons are described in Table Chapter Basic Virtual Private Networking VPN Tunnel Single Advanced methods see , Advanced Virtual Private Networking VPN Tunnel Configuration VPN Wizard start screen Configuring the Client-to-Gateway VPN Tunnel on the FVS114 Connection Name and Remote IP Type Summary screen below displays Vpnc Recommended Settings Configuring the Netgear ProSafe VPN Client on the Remote PC Security Policy Editor new connection Select Secure in the Connection Security check box 11 Security Policy Editor Security Policy 12 Security Policy Editor My Identity 13 Security Policy Editor Pre-Shared Key 15 Security Policy Editor Key Exchange 16 Running a Ping test to the LAN from the PC 18 Log Viewer screen Exporting a Security Policy Transferring a Security Policy to Another Client Importing a Security Policy Select Export Security Policy from the File pulldown Scenario1 Select the security policy to import FVS114 VPN Firewall PCs 23 VPN Wizard start screen Procedure to Configure a Gateway-to-Gateway VPN Tunnel 25 Remote IP 27 VPN Wizard Summary 28 VPN Recommended Settings 30 VPN Status/Log screen Activating a VPN Tunnel Start Using a VPN Tunnel to Activate ItUsing the VPN Status Page to Activate a VPN Tunnel VPN Tunnel Control 32 VPN Status/Log screen Activate the VPN Tunnel by Pinging the Remote Endpoint Type ping Type ping -t 192.168.3.1 and then click OK 36 Pinging test results Verifying the Status of a VPN Tunnel 38 Current VPN Tunnels SAs screen Deactivating a VPN Tunnel 39 VPN Policies Using the VPN Status Page to Deactivate a VPN Tunnel 41 Current VPN Tunnels SAs screen Deleting a VPN Tunnel Virtual Private Using Automatic Key Management Using Policies to Manage VPN Traffic IKE Policy Configuration Menu IKE Policies’ Automatic Key and Authentication Management Field Description General IKE Policy Configuration fields Field Description Remote VPN Policy Configuration for Auto Key Negotiation VPN Auto Policy menu VPN Auto Policy fields are defined in the following table VPN Auto Policy Configuration Fields Authenticating Header AH Netbios Enable VPN Policy Configuration for Manual Key Exchange VPN Manual Policy menu VPN Manual Policy fields are defined in the following table VPN Manual Policy Configuration Fields Value in its Authentication Algorithm Key Out field Netbios Enable Certificate Revocation List CRL Walk-Through of Configuration Scenarios on the FVS114 VPN Consortium Scenario Are IPv4 From Settings menu FVS114 Internet IP Address menu WAN IP addresses LAN IP Setup menu Scenario 1 IKE Policy Set up the IKE Policy illustrated below on the FVS114 10 Scenario 1 VPN Auto Policy Set up the FVS114 VPN -Auto Policy illustrated below Testing the Gateway a FVS114 LAN and the Gateway B LAN How to Check VPN Connections Create a certificate request for the FVS114 Install the trusted CA certificate for the Trusted Root CAFVS114 Scenario 2 FVS114 to FVS114 with RSA Certificates Obtain a root certificate 11 Generate Self Certificate Request menu 12 Self Certificate Request data Highlight, copy and paste this data into a text file 13 Self Certificate Requests table Click the Upload Certificate button 14 Self Certificates table Set up Certificate Revocation List CRL checking Reference Manual for the ProSafe VPN Firewall FVS114 Viewing VPN Firewall Status Information Chapter Maintenance FVS114 Status fields This screen shows the following parameters Connection Status action buttons Click Show WAN Status to display the WAN connection statusThis screen shows the following statistics Connection Status fields Router Statistics fields Click Show Statistics to display firewall usage statisticsWAN Status action buttons are described in the table below Upgrading the Firewall Software Viewing a List of Attached Devices Router Upgrade menu Configuration File Management Erasing the Configuration Backing Up the ConfigurationRestoring the Configuration Diagnostics Changing the Administrator Password Ping or Trace an IP address Diagnostics menu Reference Manual for the ProSafe VPN Firewall FVS114 WAN Setup Chapter Advanced Configuration Default DMZ Server Respond to Ping on Internet WAN Port How to Configure Dynamic DNSTo assign a computer or server to be a Default DMZ server Click Default DMZ Server Dynamic DNS Configuring LAN TCP/IP Setup Parameters Using the LAN IP Setup Options Reference Manual for the ProSafe VPN Firewall FVS114 Using Address Reservation Using the Firewall as a Dhcp server Click Edit or Delete Configuring Static Routes Static Routes table Static Route Example Enabling Remote Management Access Remote Management menu Https//134.177.0.1238080 UPnP menu UPnP Reference Manual for the ProSafe VPN Firewall FVS114 Basic Functioning Chapter TroubleshootingPower LED Not On LAN or Internet Port LEDs Not On LEDs Never Turn Off Troubleshooting the Web Configuration Interface Troubleshooting the ISP Connection Testing the LAN Path to Your Firewall Troubleshooting a TCP/IP Network Using a Ping Utility Ping -n 10 IP address Testing the Path from Your PC to a Remote DeviceIf the path is working, you see this message If the path is not working, you see this message Problems with Date and Time Restoring the Default Configuration and Password Reference Manual for the ProSafe VPN Firewall FVS114 PPP over Ethernet PPPoE Appendix a Technical SpecificationsData and Routing Protocols Electromagnetic Emissions Interface Specifications10BASE-T or 100BASE-Tx, RJ-45 Related Publications Basic Router Concepts Appendix B Network, Routing, and Firewall Basics Is normally written as What is a Router?IP Addresses and the Internet Routing Information Protocol Figure B-1 Three Main Address Classes Equals NetmaskCombined with Figure B-2 Example of Subnetting a Class B Address Subnet Addressing Table B-2. Netmask formats Table B-1 Netmask notation translation table for one octet Table B-2 Netmask formats Private IP Addresses Figure B-3 Single IP Address Operation Using NAT Single IP Address Operation Using NAT Domain Name Server MAC Addresses and Address Resolution ProtocolRelated Documents Internet Security and Firewalls IP Configuration by Dhcp Stateful Packet Inspection What is a Firewall?Denial of Service Attack Ethernet Cabling Category 5 Cable Quality Table B-3 UTP Ethernet cable wiring, straight-through Figure B-4illustrates straight-through twisted pair cable Inside Twisted Pair Cables Uplink Switches, Crossover Cables, and MDI/MDIX Switching Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114 Appendix C Virtual Private Networking What is a VPN? IPSec contains the following elements What Is IPSec and How Does It Work?IPSec Security Features IPSec Components Encapsulating Security Payload ESP IKE Security Association Authentication Header AH Mode Key Management Understand the Process Before You Begin It functions as a VPN Process OverviewAddresses Table C-2 Subnet addressing VPN Tunnel Between GatewaysFirewalls IPSec Security Association SA negotiation IPSec Security Association IKE VPN Tunnel Negotiation Steps Vpnc IKE Security Parameters Vpnc IKE Phase I Parameters Additional Reading Testing and TroubleshootingVpnc IKE Phase II Parameters Relevant RFCs listed numerically Preparing Your Computers for TCP/IP Networking Appendix D Preparing Your Network Install or Verify Windows Networking Components Configuring Windows 95, 98, and Me for TCP/IP Networking Select TCP/IP, and then click OK Select Microsoft Restart your PC for the changes to take effect Enabling Dhcp to Automatically Configure TCP/IP SettingsChoose Settings, and then Control Panel Primary Network Logon is set to Windows logon Click OK to continue Restart the PC Selecting Windows’ Internet Access MethodVerifying TCP/IP Properties Double-click the Network and Dialup Connections icon Configuring Windows NT4, 2000 or XP for IP Networking Locate your Network Neighborhood icon Dhcp Configuration of TCP/IP in Windows XPThen, restart your PC Reference Manual for the ProSafe VPN Firewall FVS114 Dhcp Configuration of TCP/IP in Windows Reference Manual for the ProSafe VPN Firewall FVS114 Obtain an IP address automatically is selected Dhcp Configuration of TCP/IP in Windows NT4 Reference Manual for the ProSafe VPN Firewall FVS114 TCP/IP Properties dialog box now displays Verifying TCP/IP Properties for Windows XP, 2000, and NT4 MacOS Configuring the Macintosh for TCP/IP NetworkingDefault gateway is Type exit MacOS 8.6 or Verifying TCP/IP Properties for Macintosh Computers Verifying the Readiness of Your Internet Account Are Login Protocols Used?What Is Your Configuration Information? Select the Gateway tab Select the IP Address tab Reference Manual for the ProSafe VPN Firewall FVS114 Restarting the Network Reference Manual for the ProSafe VPN Firewall FVS114 Numeric List of Glossary Terms AES Packet sent to all devices on a network DNS See Internet Control Message Protocol Internet service provider Megabits per second Set of rules for communication between devices on a network Radius See Wide Area Network Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114