IPSec Security Association SA negotiation | NETGEAR fvs114 manual

VPN Tunnel

PCs

PCs

	IPSec Security Association IKE
	VPN Tunnel Negotiation Steps
	1) Communication
	request sent to VPN Gateway
	VPN Gateway	VPN Gateway
	2) IKE Phase I authentication
	3) IKE Phase II negotiation
	4) Secure data transfer
	5) IPSec tunnel termination
Figure	IPSec Security Association (SA) negotiation

Or, you can configure your gateways using manual key exchange, which involves manually configuring each paramter on both gateways.

1.The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.

Virtual Private Networking

C-9

202-10098-01, April 2005

Image 175

NETGEAR fvs114 IPSec Security Association IKE VPN Tunnel Negotiation Steps, IPSec Security Association SA negotiation

Contents

Reference Manual for the ProSafe VPN Firewall FVS114 Certificate of the Manufacturer/Importer TrademarksStatement of Conditions EN 55 022 Declaration of Conformance Product and Publication Details 202-10098-01, April Contents Chapter Firewall Protection Content Filtering Chapter Advanced Virtual Private Networking Chapter Advanced Configuration Appendix C Virtual Private Networking Appendix D Preparing Your Network Contents Xii Contents Manual Scope Chapter About This ManualAudience, Scope, Conventions, and Formats Typographical Conventions How to Use This Manual Printing the Full Manual How to Print this ManualPrinting a Page in the Html View Printing a Chapter Reference Manual for the ProSafe VPN Firewall FVS114 Chapter Introduction Key Features of the VPN Firewall Security Powerful, True Firewall with Content Filtering Extensive Protocol Support Autosensing Ethernet Connections with Auto Uplink Maintenance and Support Easy Installation and Management Package Contents LED Descriptions FVS114 Rear Panel NETGEAR-Related Products DC power input ON/OFF switchNETGEAR-Related Products Netgear Product Registration, Support, and Documentation Reference Manual for the ProSafe VPN Firewall FVS114 Prepare to Install Your FVS114 ProSafe VPN Firewall Connecting the Firewall to the InternetFirst, Connect the FVS114 Modem VPN Firewall Restart Your Network in the Correct Sequence Status lights Now, Configure the FVS114 for Internet Access Netgear Smart Wizard Configuration Assistant welcome screen Make sure the Ethernet cables are securely plugged Troubleshooting TipsMake sure the network settings of the computer are correct Be sure to restart your network in this sequence Ways to access the firewall Overview of How to Access the FVS114 VPN Firewall Login URL Login result FVS114 home How to Bypass the Configuration Assistant Using the Smart Setup Wizard ISP Does Not Require Login How to Manually Configure Your Internet Connection Reference Manual for the ProSafe VPN Firewall FVS114 10 Basic Settings ISP list Reference Manual for the ProSafe VPN Firewall FVS114 Firewall Protection and Content Filtering Overview Chapter Firewall Protection Content Filtering Block Sites menu Block Sites Using Rules to Block or Allow Specific Kinds of Traffic Rules menu Reference Manual for the ProSafe VPN Firewall FVS114 Inbound Rule Example a Local Public Web Server Inbound Rules Port Forwarding Rule example a local public Web server Considerations for Inbound Rules Outbound Rules Service Blocking Rule example blocking Instant Messenger Outbound Rule Example Blocking Instant Messenger Rules table Order of Precedence for Rules Services menu Services Add Custom Service menu Schedule Using a Schedule to Block or Allow Specific Traffic Time Zone 10 E-mail menu Getting E-Mail Notifications of Event Logs and Alerts Reference Manual for the ProSafe VPN Firewall FVS114 11 Logs menu Viewing Logs of Web Access or Attempted Web Access Log entry descriptions SyslogLog entries are described in Table Log action buttons are described in Table Chapter Basic Virtual Private Networking VPN Tunnel Single Advanced methods see , Advanced Virtual Private Networking VPN Tunnel Configuration VPN Wizard start screen Configuring the Client-to-Gateway VPN Tunnel on the FVS114 Connection Name and Remote IP Type Summary screen below displays Vpnc Recommended Settings Configuring the Netgear ProSafe VPN Client on the Remote PC Security Policy Editor new connection Select Secure in the Connection Security check box 11 Security Policy Editor Security Policy 12 Security Policy Editor My Identity 13 Security Policy Editor Pre-Shared Key 15 Security Policy Editor Key Exchange 16 Running a Ping test to the LAN from the PC 18 Log Viewer screen Exporting a Security Policy Transferring a Security Policy to Another Client Importing a Security Policy Select Export Security Policy from the File pulldown Scenario1 Select the security policy to import FVS114 VPN Firewall PCs 23 VPN Wizard start screen Procedure to Configure a Gateway-to-Gateway VPN Tunnel 25 Remote IP 27 VPN Wizard Summary 28 VPN Recommended Settings 30 VPN Status/Log screen Activating a VPN Tunnel Start Using a VPN Tunnel to Activate ItUsing the VPN Status Page to Activate a VPN Tunnel VPN Tunnel Control 32 VPN Status/Log screen Activate the VPN Tunnel by Pinging the Remote Endpoint Type ping Type ping -t 192.168.3.1 and then click OK 36 Pinging test results Verifying the Status of a VPN Tunnel 38 Current VPN Tunnels SAs screen Deactivating a VPN Tunnel 39 VPN Policies Using the VPN Status Page to Deactivate a VPN Tunnel 41 Current VPN Tunnels SAs screen Deleting a VPN Tunnel Virtual Private Using Automatic Key Management Using Policies to Manage VPN Traffic IKE Policy Configuration Menu IKE Policies’ Automatic Key and Authentication Management Field Description General IKE Policy Configuration fields Field Description Remote VPN Policy Configuration for Auto Key Negotiation VPN Auto Policy menu VPN Auto Policy fields are defined in the following table VPN Auto Policy Configuration Fields Authenticating Header AH Netbios Enable VPN Policy Configuration for Manual Key Exchange VPN Manual Policy menu VPN Manual Policy fields are defined in the following table VPN Manual Policy Configuration Fields Value in its Authentication Algorithm Key Out field Netbios Enable Certificate Revocation List CRL Walk-Through of Configuration Scenarios on the FVS114 VPN Consortium Scenario Are IPv4 From Settings menu FVS114 Internet IP Address menu WAN IP addresses LAN IP Setup menu Scenario 1 IKE Policy Set up the IKE Policy illustrated below on the FVS114 10 Scenario 1 VPN Auto Policy Set up the FVS114 VPN -Auto Policy illustrated below Testing the Gateway a FVS114 LAN and the Gateway B LAN How to Check VPN Connections Create a certificate request for the FVS114 Install the trusted CA certificate for the Trusted Root CAFVS114 Scenario 2 FVS114 to FVS114 with RSA Certificates Obtain a root certificate 11 Generate Self Certificate Request menu 12 Self Certificate Request data Highlight, copy and paste this data into a text file 13 Self Certificate Requests table Click the Upload Certificate button 14 Self Certificates table Set up Certificate Revocation List CRL checking Reference Manual for the ProSafe VPN Firewall FVS114 Viewing VPN Firewall Status Information Chapter Maintenance FVS114 Status fields This screen shows the following parameters Connection Status action buttons Click Show WAN Status to display the WAN connection statusThis screen shows the following statistics Connection Status fields WAN Status action buttons are described in the table below Click Show Statistics to display firewall usage statisticsRouter Statistics fields Upgrading the Firewall Software Viewing a List of Attached Devices Router Upgrade menu Configuration File Management Restoring the Configuration Backing Up the ConfigurationErasing the Configuration Diagnostics Changing the Administrator Password Ping or Trace an IP address Diagnostics menu Reference Manual for the ProSafe VPN Firewall FVS114 WAN Setup Chapter Advanced Configuration Default DMZ Server Respond to Ping on Internet WAN Port How to Configure Dynamic DNSTo assign a computer or server to be a Default DMZ server Click Default DMZ Server Dynamic DNS Configuring LAN TCP/IP Setup Parameters Using the LAN IP Setup Options Reference Manual for the ProSafe VPN Firewall FVS114 Using Address Reservation Using the Firewall as a Dhcp server Click Edit or Delete Configuring Static Routes Static Routes table Static Route Example Enabling Remote Management Access Remote Management menu Https//134.177.0.1238080 UPnP menu UPnP Reference Manual for the ProSafe VPN Firewall FVS114 Power LED Not On Chapter TroubleshootingBasic Functioning LAN or Internet Port LEDs Not On LEDs Never Turn Off Troubleshooting the Web Configuration Interface Troubleshooting the ISP Connection Testing the LAN Path to Your Firewall Troubleshooting a TCP/IP Network Using a Ping Utility Ping -n 10 IP address Testing the Path from Your PC to a Remote DeviceIf the path is working, you see this message If the path is not working, you see this message Problems with Date and Time Restoring the Default Configuration and Password Reference Manual for the ProSafe VPN Firewall FVS114 Data and Routing Protocols Appendix a Technical SpecificationsPPP over Ethernet PPPoE 10BASE-T or 100BASE-Tx, RJ-45 Interface SpecificationsElectromagnetic Emissions Related Publications Basic Router Concepts Appendix B Network, Routing, and Firewall Basics Is normally written as What is a Router?IP Addresses and the Internet Routing Information Protocol Figure B-1 Three Main Address Classes Combined with NetmaskEquals Figure B-2 Example of Subnetting a Class B Address Subnet Addressing Table B-2. Netmask formats Table B-1 Netmask notation translation table for one octet Table B-2 Netmask formats Private IP Addresses Figure B-3 Single IP Address Operation Using NAT Single IP Address Operation Using NAT Related Documents MAC Addresses and Address Resolution ProtocolDomain Name Server Internet Security and Firewalls IP Configuration by Dhcp Stateful Packet Inspection What is a Firewall?Denial of Service Attack Ethernet Cabling Category 5 Cable Quality Table B-3 UTP Ethernet cable wiring, straight-through Figure B-4illustrates straight-through twisted pair cable Inside Twisted Pair Cables Uplink Switches, Crossover Cables, and MDI/MDIX Switching Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114 Appendix C Virtual Private Networking What is a VPN? IPSec contains the following elements What Is IPSec and How Does It Work?IPSec Security Features IPSec Components Encapsulating Security Payload ESP IKE Security Association Authentication Header AH Mode Key Management Understand the Process Before You Begin Addresses VPN Process OverviewIt functions as a Firewalls VPN Tunnel Between GatewaysTable C-2 Subnet addressing IPSec Security Association SA negotiation IPSec Security Association IKE VPN Tunnel Negotiation Steps Vpnc IKE Security Parameters Vpnc IKE Phase I Parameters Vpnc IKE Phase II Parameters Testing and TroubleshootingAdditional Reading Relevant RFCs listed numerically Preparing Your Computers for TCP/IP Networking Appendix D Preparing Your Network Install or Verify Windows Networking Components Configuring Windows 95, 98, and Me for TCP/IP Networking Select TCP/IP, and then click OK Select Microsoft Choose Settings, and then Control Panel Enabling Dhcp to Automatically Configure TCP/IP SettingsRestart your PC for the changes to take effect Primary Network Logon is set to Windows logon Verifying TCP/IP Properties Selecting Windows’ Internet Access MethodClick OK to continue Restart the PC Double-click the Network and Dialup Connections icon Configuring Windows NT4, 2000 or XP for IP Networking Then, restart your PC Dhcp Configuration of TCP/IP in Windows XPLocate your Network Neighborhood icon Reference Manual for the ProSafe VPN Firewall FVS114 Dhcp Configuration of TCP/IP in Windows Reference Manual for the ProSafe VPN Firewall FVS114 Obtain an IP address automatically is selected Dhcp Configuration of TCP/IP in Windows NT4 Reference Manual for the ProSafe VPN Firewall FVS114 TCP/IP Properties dialog box now displays Verifying TCP/IP Properties for Windows XP, 2000, and NT4 MacOS Configuring the Macintosh for TCP/IP NetworkingDefault gateway is Type exit MacOS 8.6 or Verifying TCP/IP Properties for Macintosh Computers What Is Your Configuration Information? Are Login Protocols Used?Verifying the Readiness of Your Internet Account Select the Gateway tab Select the IP Address tab Reference Manual for the ProSafe VPN Firewall FVS114 Restarting the Network Reference Manual for the ProSafe VPN Firewall FVS114 Numeric List of Glossary Terms AES Packet sent to all devices on a network DNS See Internet Control Message Protocol Internet service provider Megabits per second Set of rules for communication between devices on a network Radius See Wide Area Network Reference Manual for the ProSafe VPN Firewall FVS114 Reference Manual for the ProSafe VPN Firewall FVS114