NETGEAR FVS318v3 Using Policies to Manage VPN Traffic, Using Automatic Key Management

Reference Manual for the ProSafe VPN Firewall FVS318v3

6-2 Advanced Virtual Private Networking

January 2005

Using Policies to Manage VPN Traffic

You create policy definitions to manage VPN traffic on the FVS318v3. There are two kinds of

policies:

•IKE Policies: Define the authentication scheme and automatically generate the encryption

keys. As an alternative option, to further automate the process, you can create an IKE policy

that uses a trusted certificate authority to provide the authentication while the IKE policy still

handles the encr yption.

•VPN Policies: Apply the IKE policy to specific traf fic that requires a VPN tunn el. Or, you can

create a VPN policy that does not use an IKE policy but in which you manually enter all the

authentication and key parameters.

Since VPN policies use IKE policies, you defin e the IKE policy first. The FVS318v3 also allows

you to manually input the authentication scheme and encryption key values. In the case of manual

key management there will not be any IKE policies.

In order to establish secure communication over the Internet with the remote site you need to

configure matching VPN policies on both the local and remote FVS318v3 VP N Fire walls . T he

outbound VPN policy on one end must match to the inboun d VPN policy on other end, and vice

versa.

When the network traffic enters into the FVS318v3 from the LAN network interface, if there is no

VPN policy found for a type of network traffic, then that traffic passes through withou t any

change. However, if the traffic is selected by a VPN policy, then the IPSec authentication and

encryption rules are applied to it as defined in the VPN policy.

By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy

table.

The most common configuration scenarios will use IKE policies to automatically manage the

authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel

are generated automatically. The IKE protocols perform negotiations between the two VPN

endpoints to automatically generate required parameters.

Some organizations will use an IKE policy with a Certificate Authority (CA) to perform

authentication. Typically, CA authentication is used in large organizations that maintain their own

internal CA server. This requires that each VPN gateway have a certificate from the CA. Using

CAs reduces the amount of data entry required on each VPN endpoint.