NETGEAR FVS124G VPN Gateway-to-Gateway

Reference Manual for th e Pr oSafe VPN F irewall 25 with 4 Gigabi t LAN a nd Dual WAN Por ts

Network Planning 3-9

202-10085-01, March 2005

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is

dynamic, a fully-qualified domain name m ust b e used. If an IP address is fixed, a fully-qualified

domain name is optional.

VPN Gateway-to-Gateway

The following situations exemplify the requirements for a gateway VPN firewall to establish a

VPN tunnel with another gateway VPN firewall:

• Single gateway WAN ports

• Redundant dual gateway WAN ports for increased reliability (before and after rollover)

• Dual gateway WAN ports used for load balancing

VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)

In the case of single WAN ports on the gateway VPN firewalls (Figure 3-12), either gateway WAN

port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are

known in advance.

Figure 3-12: Single gateway WAN ports case for gateway-to-gateway VPN tunnels

The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is

dynamic, a fully-qualified domain name m ust b e used. If an IP address is fixed, a fully-qualified

domain name is optional.

Gateway A

22.23.24.25

FQDN

netgear.dyndns.org

10.5.6.0/24 172.23.9.0/24

172.23.9.1

10.5.6.1

WAN IP WAN IP LAN IP

LAN IP

Gateway B

Gateway-to-Gateway Example (Single WAN Ports)

Fully-Qualified Domain Names (FQDN)

- optional for Fixed IP addresses

- required for Dynamic IP addresses

VPN Router

(at office A)

VPN Router

(at office B)

Contents

Main 2 202-10085-01, March 2005 Trademarks Statement of Conditions Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice EN 55 022 Declaration of Conformance Page Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports -4 Reference Manual for th e Pr oSafe VPN F irewall 25 with 4 Gigabi t LAN a nd Dual WAN Por ts -5 202-10085-01, March 2005 Product and Publication Details Contents Page Page Page Page Page Page Page Chapter 1 About This Manual Audience, Scope, Conventions, and Formats How to Use This Manual How to Print this Manual Page Chapter 2 Introduction Key Features of the VPN Firewall Dual WAN Ports for Increased Reliability or Outbound Load Balancing A Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents The Routers Front Panel Reference Manual for th e Pr oSafe VPN F irewall 25 with 4 Gigabi t LAN a nd Dual WAN Por ts Introduction 2-7 The Routers Rear Panel Table 2-1. FVS124G front panel The Routers IP Address, Login Name, and Password Logging into the Router Default Factory Settings NETGEAR Related Products Page Chapter 3 Network Planning Overview of the Planning Process Inbound Traffic Virtual Private Networks (VPNs) The Rollover Case for Firewalls With Dual WAN Ports The Load Balancing Case for Firewalls With Dual WAN Ports Inbound Traffic Inbound Traffic to Single WAN Port (Reference Case) Inbound Traffic to Dual WAN Port Systems Page Virtual Private Networks (VPNs) VPN Road Warrior (Client-to-Gateway) Page Page VPN Gateway-to-Gateway Page Reference Manual for th e Pr oSafe VPN F irewall 25 with 4 Gigabi t LAN a nd Dual WAN Por ts Network Planning 3-11 Figure 3-14: Dual gateway WAN ports, after rollover, for gateway-to-gateway VPN tunnels Figure 3-15: Dual gateway WAN ports (load balancing case) for gateway-to-gateway VPN tunnels Gateway-to-Gateway Example (Dual WAN Ports, After Rollover) VPN Telecommuter (Client-to-Gateway Through a NAT Router) Reference Manual for th e Pr oSafe VPN F irewall 25 with 4 Gigabi t LAN a nd Dual WAN Por ts Network Planning 3-13 Figure 3-18: Dual gateway WAN ports, after rollover, for VPN telecommuter Figure 3-17: Dual gateway WAN ports, before rollover, for VPN telecommuter Telecommuter Example (Dual WAN Ports, Before Rollover) Page Chapter 4 Connecting the FVS124G to the Internet What You Will Need to Do Before You Begin Page Cabling and Computer Hardware Requirements Computer Network Configuration Requirements Internet Configuration Requirements Where Do I Get the Internet Configuration Parameters? Record Your Internet Connection Information Connecting the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Step 1: Physically Connect the VPN Firewall to Your Network (Required) Step 2: Log in to the VPN Firewall (Required) Step 3: Configure the Internet Connections to Your ISPs (Required) Page Page Page Page Page Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports 4-14 Connecting the FVS124G to the Internet Table 4-1. Traffic meter Step 4: Configure the WAN Mode (Required for Dual WAN) Page Page Page Page Step 5: Configure Dynamic DNS (If Needed) Page Page Step 6: Configure the WAN Options (If Needed) Page Page Configuring LAN TCP/IP Setup Parameters Page Using the Firewall as a DHCP server Using Address Reservation Multi Home LAN IPs Configuring Static Routes Page Page Chapter 6 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview Using Rules to Block or Allow Specific Kinds of Traffic Page Page Services-Based Rules Page Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports 6-6 Firewall Protection and Content Filtering Table 6-1. Inbound Services Page Page Page Page Page Page Reference Manual for th e Pr oSafe VPN F irewall 25 with 4 Gigabi t LAN a nd Dual WAN Por ts Firewall Protection and Content Filtering 6-13 Note: See Source MAC Filtering on page 6-27 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall. Table 6-1. Outbound Services Page Page Page Page Page Page Managing Groups and Hosts Page Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports 6-22 Firewall Protection and Content Filtering Using a Schedule to Block or Allow Specific Traffic Table 6-3. Groups and hosts Page Time Zone Block Sites Page Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports 6-26 Firewall Protection and Content Filtering Table 6-4. Block Sites Source MAC Filtering Port Triggering Page Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports 6-30 Firewall Protection and Content Filtering Getting E-Mail Notifications of Event Logs and Alerts Table 6-6. Port Triggering Page Page Syslog Viewing Logs of Web Access or Attempted Web Access Page Administrator Information Page Chapter 7 Virtual Private Networking Dual WAN Port Systems Rollover vs. Load Balancing Mode Fully Qualified Domain Names Page Page Creating a VPN Connection: Between FVX538 and FVS124G Configuring the FVX538 Page Page Page Configuring the FVS124G Page Testing the Connectio n Creating a VPN Connection: Netgear VPN Client to FVS124G Configuring the FVS124G Configuring the VPN Client Page Page Page Page Page Page Page Testing the Connectio n Page Page Chapter 8 Router and Network Management Performance Management Bandwidth Capacity VPN Firewall Features That Reduce Traffic Page VPN Firewall Features That Increase Traffic Page Page Using QoS to Shift the Traffic Mix Tools for Traffic Management Administrator and Guest Access Authorization Changing the Passwords and Login Timeout Enabling Remote Management Access Command Line Interface Event Alerts WAN Port Rollover Traffic Limits Reached Login Failures and Attacks Page Monitoring Viewing VPN Firewall Status and Time Information Page Page Page WAN Ports Page Page Page Page Firewall Page Page VPN Tunnels You can view the status of the VPN tunnels. SNMP Diagnostics Page Configuration File Management Restoring and Backing Up the Configuration Upgrading the Firewall Software Erasing the Configuration (Factory Defaults Reset) Page Chapter 9 Troubleshooting Basic Functioning Power LED Not On LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the W e b Configuration Interface Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall Testing the Path from Your PC to a Remote Device Restoring the Default Configuration and Password Problems with Date and Time Page Appendix A Technical Specifications Page Appendix B Network, Routing, Firewall, and Basics Related Publications Basic Router Concepts What is a Router? Routing Information Protocol IP Addresses and the Internet Page Netmask Subnet Addressing Page Private IP Addresses Single IP Address Operation Using NAT MAC Addresses and Address Resolution Protocol Related Documents Domain Name Server IP Configuration by DHCP Internet Security and Firewalls What is a Firewall? Ethernet Cabling Category 5 Cable Quality Inside Twisted Pair Cables Uplink Switches, Crossover Cables, and MDI/MDIX Switching Page Page Appendix C Preparing Your Network Preparing Your Computers for TCP/IP Networking Configuring Windows 95, 98, and Me for TCP/IP Networking Install or Verify Windows Networking Components Page Enabling DHCP to Automatically Configure TCP/IP Settings Locate your Network Neighborhood icon. Page Selecting Windows Internet Access Method Verifying TCP/IP Properties Configuring Windows NT4, 2000 or XP for IP Networking Install or Verify Windows Networking Components Enabling DHCP to Automatically Configure TCP/IP Settings DHCP Configuration of TCP/IP in Windows XP Page DHCP Configuration of TCP/IP in Windows 2000 Page Page DHCP Configuration of TCP/IP in Windows NT4 Page Verifying TCP/IP Properties for Windows XP, 2000, and NT4 Configuring the Macintosh for TCP/IP Networking MacOS 8.6 or 9.x MacOS X Verifying TCP/IP Properties for Macintosh Computers Verifying the Readiness of Your Internet Account Are Login Protocols Used? What Is Your Configuration Information? Obt aining ISP Configuration Information for W indows Computers Obtaining ISP Configuration Information for Macintosh Computers Restarting the Network Page Appendix D Virtual Private Networking What is a VPN? What Is IPSec and How Does It Work? IPSec Security Features IPSec Components Encapsulating Security Payload (ESP) Authentication Header (AH) IKE Security Association Page Key Management Understand the Process Before You Begin VPN Process Overview Network Interfaces and Addresses Setting Up a VPN Tunnel Between Gateways VPN Gateway A VPN Gateway B VPN Tunnel IPSec Security Association IKE VPN Tunnel Negotiation Steps VPNC IKE Security Parameters VPNC IKE Phase I Parameters VPNC IKE Phase II Parameters Testing and Troubleshooting Additional Reading Page Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric A B C D E G I L M P Q R S T U W