NETGEAR FVS318v3 Overview of VPN Configuration

Reference Manual for the ProSafe VPN Firewall FVS318v3

5-2 Basic Virtual Private Networking

January 2005

Overview of VPN Configuration

Two common scenarios for configuring VPN tunnels are between a remote personal computer and

a network gateway and between two or more network gateways. The FVS318v3 supports both of

these types of VPN configurations. The FVS318v3 VPN Firewall supports up to eight concurrent

tunnels.

Client-to-Gateway VPN Tunnels

Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter

connecting to an office network (see Figure 5-1).

Figure 5-1: Client-to-ga teway VPN tunnel

A VPN client access allows a remote PC to connect to your network from any location on the

Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The

FVS318v3 VPN Firewall on your network is the other tunnel endpoint. See “How to Set Up a

Client-to-Gateway VPN Configuration” on page 5-5 to set up this configuration.

Gateway-to-Gateway VPN Tunnels

• Gateway-to-gateway VPN tunnels provide secure access between networks, such as a branch

or home office and a main office (see Figure 5-2).

192.168.3.1

VPN Tunnel

FVS318

24.0.0.1

PCs

Contents

Main Page January 2005 Page Contents Page Page Page Page Page Page Page Chapter 1 About This Manual Audience, Scope, Conventions, and Formats How to Use This Manual How to Print this Manual Page Chapter 2 Introduction Key Features of the VPN Firewall A Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents The FVS318v3 Front Panel 2-6 Introduction The FVS318v3 Rear Panel The rear panel of the FVS318v3 VPN Firewall contains the port connections listed below. Figure 2-2: FVS318v3 rear panel Table 2-1. LED Descriptions NETGEAR-Related Products NETGEAR Product Registration, Support, and Documentation Page Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVS318v3 ProSafe VPN Firewall First, Connect the FVS318v3 1. CONNECT THE CABLES BETWEEN THE FVS318V3, COMPUTER, AND MODEM &DEOH A B Cable 1 Internet port C D 2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE Now, Configure the FVS318v3 for Internet Access Page Troubleshooting Tips Page 3-8 Connecting the Firewall to the Internet Overview of How to Access the FVS318v3 VPN Firewall http://www.routerlogin.net/basicsetting.htm Table 3-1. Ways to access the firewall http://www.routerlogin.net http://www .r outerlogin.com How to Log On to the FVS318v3 After Configuration Settings Have Been Applied How to Bypass the Configuration Assistant Using the Smart Setup Wizard Page Page Page Chapter 4 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview Block Sites Using Rules to Block or Allow Specific Kinds of Traffic Page Inbound Rules (Port Forwarding) Page Outbound Rules (Service Blocking) Order of Precedence for Rules Default DMZ Server Respond to Ping on Internet WAN Port Services Page Page Time Zone Getting E-Mail Notifications of Event Logs and Alerts Page Viewing Logs of Web Access or Attempted Web Access Syslog Page Chapter 5 Basic Virtual Private Networking Overview of VPN Configuration Client-to-Gateway VPN Tunnels 192.168.3.1 Gateway-to-Gateway VPN Tunnels FVS318 Planning a VPN VPN Gateway A VPN Gateway B Page VPN Tunnel Configuration How to Set Up a Client-to-Gateway VPN Configuration 192.168.3.1 FVS318v3 24.0.0.1 Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS318v3 The Summary screen below displays. Page Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC Page Page Page Page Page Page Monitoring the Progress and Status of the VPN Client Connection Page Transferring a Security Policy to Another Client Page How to Set Up a Gateway-to-Gateway VPN Configuration AB Procedure to Configure a Gateway-to-Gateway VPN Tunnel 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. 4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next. Page Page Page VPN Tunnel Control Activating a VPN Tunnel Page Page Verifying the S tatus of a VPN Tunnel Deactivating a VPN Tunnel Page Deleting a VPN Tunnel Chapter 6 Advanced Virtual Private Networking Overview of FVS318v3 Policy-Based VPN Configuration Using Policies to Manage VPN Traffic Using Automatic Key Management Page 6-4 Advanced Virtual Private Networking The IKE Policy Configuration fields are defined in the following table. Table 6-1. IKE Policy Configuration fields Advanced Virtual Private Networking 6-5 VPN Policy Configuration for Auto Key Negotiation Table 6-1. IKE Policy Configuration fields Page Advanced Virtual Private Networking 6-7 The VPN Auto Policy field s are defined in the following table. Table 6-1. VPN Auto Policy Configuration Fields 6-8 Advanced Virtual Private Networking Table 6-1. VPN Auto Policy Configuration Fields VPN Policy Configuration for Manual Key Exchange Page Advanced Virtual Private Networking 6-11 The VPN Manual Policy fields are defined in the following table. Table 6-1. VPN Manual Policy Configuration Fields 6-12 Advanced Virtual Private Networking Table 6-1. VPN Manual Policy Configuration Fields Using Digital Certificates for IKE Auto-Policy Authentication Certificate Revocation List (CRL) Walk-Through of Configuration Scenarios on the FVS318v3 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets FVS318v3 Scenario 1: FVS318v3 to Gateway B IKE and VPN Policies Page Page Page Page How to Check VPN Connections FVS318v3 Scenario 2: FVS318v3 to FVS318v3 with RSA Certificates Page Page Page Page Page Page Page This screen shows the following parameters: Page Click Show Statistics to display firewall usage statistics. This screen shows the following statistics: Viewing a List of Attached Devices Upgrading the Firewall Software Page Configuration File Management Backing Up the Configuration Restoring the Configuration Erasing the Configuration Changing the Administrator Password Chapter 8 Advanced Configuration How to Configure Dynamic DNS Using the LAN IP Setup Options Configuring LAN TCP/IP Setup Parameters Using the Firewall as a DHCP server Using Address Reservation Configuring Static Routes Page Static Route Example Enabling Remote Management Access Page Page Page Chapter 9 Troubleshooting Basic Functioning Power LED Not On LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the W e b Configuration Interface Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall Testing the Path from Your PC to a Remote Device Restoring the Default Configuration and Password Problems with Date and Time Page Appendix A Technical Specifications Page Appendix B Network, Routing, and Firewall Basics Related Publications Basic Router Concepts What is a Router? Routing Information Protocol IP Addresses and the Internet Page Netmask Subnet Addressing Page Private IP Addresses Single IP Address Operation Using NAT MAC Addresses and Address Resolution Protocol Related Documents Domain Name Server IP Configuration by DHCP Internet Security and Firewalls What is a Firewall? Ethernet Cabling Category 5 Cable Quality Inside Twisted Pair Cables Uplink Switches, Crossover Cables, and MDI/MDIX Switching Page Page Appendix C Virtual Private Networking What is a VPN? What Is IPSec and How Does It Work? IPSec Security Features IPSec Components Encapsulating Security Payload (ESP) Authentication Header (AH) IKE Security Association Page Key Management Understand the Process Before You Begin VPN Process Overview Network Interfaces and Addresses VPN Tunnel Between Gateways VPN Gateway A VPN Gateway B IPSec Security Association IKE VPN Tunnel Negotiation Steps VPNC IKE Security Parameters VPNC IKE Phase I Parameters VPNC IKE Phase II Parameters Testing and Troubleshooting Additional Reading Page Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking Configuring Windows 95, 98, and Me for TCP/IP Networking Install or Verify Windows Networking Components Page Enabling DHCP to Automatically Configure TCP/IP Settings Locate your Network Neighborhood icon. Page Selecting Windows Internet Access Method Verifying TCP/IP Properties Configuring Windows NT4, 2000 or XP for IP Networking Install or Verify Windows Networking Components Enabling DHCP to Automatically Configure TCP/IP Settings DHCP Configuration of TCP/IP in Windows XP Page DHCP Configuration of TCP/IP in Windows 2000 Page Page DHCP Configuration of TCP/IP in Windows NT4 Page Verifying TCP/IP Properties for Windows XP, 2000, and NT4 Configuring the Macintosh for TCP/IP Networking MacOS 8.6 or 9.x MacOS X Verifying TCP/IP Properties for Macintosh Computers Verifying the Readiness of Your Internet Account Are Login Protocols Used? What Is Your Configuration Information? Obt aining ISP Configuration Information for W indows Computers Obtaining ISP Configuration Information for Macintosh Computers Restarting the Network Page Appendix E VPN Configuration of NETGEAR FVS318v3 Case Study Overview Gathering the Network Information Configuring the Gateways Page Page Activating the VPN Tunnel The FVS318v3-to-FVS318v3 Case Page Page Page Page Page VPN Status at Gateway B (FVS318v3) The FVS318v3-to-FVS318v2 Case Page Page Page Page Page Page The FVS318v3-to-FVL328 Case Page Page Page Page Page IPSec Connection Status at Gateway B (FVL328) VPN Configuration of NETGEAR FVS318v3 E-27 The FVS318v3-to-VPN Client Case Client-to-Gateway VPN Tunnel Overview Table E-4. Policy Summary Table E-5. Differences betwe en VPN tunnel types Scenario 1 Page Page Page Page Page Page Page Page Page Connection Monitor at Gateway B (remote VPN Client) Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric A B C D E G I Page L M P Q R S T U W