NETGEAR FVS318v3 VPN Policy Configuration for Auto Key Negotiation

Reference Manual for the ProSafe VPN Firewall FVS318v3

Advanced Virtual Private Networking 6-5

January 2005

VPN Policy Configuration for Auto Key Negotiation

An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN

Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.

Remote These parameters apply to the target remote FVS318v3, VPN gateway, or

VPN client.

Remote Identity Type Use this field to identify the remote FVS318v3. You can choose one of the

following four options from the drop-down list:

• By its Internet (WAN) port IP address.

• By its Fully Qualified Domain Name (FQDN) — your domain name.

• By a Fully Qualified User Name — your name, E-mail address, or

other ID.

• By DER ASN.1 DN — the binary DER encoding of your ASN.1 X.500

Distinguished Name.

Remote Identity Data This field lets you identify the target remote FVS318v3 by name.

IKE SA Parameters These parameters determine the properties of the IKE Security

Association.

Encryption Algorithm Choose the encryption algorithm for this IKE policy:

• DES is the default

• 3DES is more secure

Authentication Algorithm If you enable Authentication Header (AH), this menu lets you to select from

these authentication algorithms:

• MD5 — the default

• SHA-1 — more secure

Authentication Method You m a y s e l e c t Pre-Shared Key or RSA Signature.

Pre-Shared Key Specify the key according to the requirements of the Authentication

Algorithm you selected.

• For MD5, the key length should be 16 bytes.

• For SHA-1, the key length should be 20 bytes.

RSA Signature RSA Signature requires a certificate.

Diffie-Hellman (D-H) Group The DH Group setting determines the bit size used in the key exchange.

This must match the value used on the remote VPN gateway or client.

SA Life Time The amount of time in seconds before the Security Association expires;

over an hour (3600) is common.

Table 6-1. IKE Policy Configuration fields

Field Description

Contents

Main Page January 2005 Page Contents Page Page Page Page Page Page Page Chapter 1 About This Manual Audience, Scope, Conventions, and Formats How to Use This Manual How to Print this Manual Page Chapter 2 Introduction Key Features of the VPN Firewall A Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents The FVS318v3 Front Panel 2-6 Introduction The FVS318v3 Rear Panel The rear panel of the FVS318v3 VPN Firewall contains the port connections listed below. Figure 2-2: FVS318v3 rear panel Table 2-1. LED Descriptions NETGEAR-Related Products NETGEAR Product Registration, Support, and Documentation Page Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVS318v3 ProSafe VPN Firewall First, Connect the FVS318v3 1. CONNECT THE CABLES BETWEEN THE FVS318V3, COMPUTER, AND MODEM &DEOH A B Cable 1 Internet port C D 2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE Now, Configure the FVS318v3 for Internet Access Page Troubleshooting Tips Page 3-8 Connecting the Firewall to the Internet Overview of How to Access the FVS318v3 VPN Firewall http://www.routerlogin.net/basicsetting.htm Table 3-1. Ways to access the firewall http://www.routerlogin.net http://www .r outerlogin.com How to Log On to the FVS318v3 After Configuration Settings Have Been Applied How to Bypass the Configuration Assistant Using the Smart Setup Wizard Page Page Page Chapter 4 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview Block Sites Using Rules to Block or Allow Specific Kinds of Traffic Page Inbound Rules (Port Forwarding) Page Outbound Rules (Service Blocking) Order of Precedence for Rules Default DMZ Server Respond to Ping on Internet WAN Port Services Page Page Time Zone Getting E-Mail Notifications of Event Logs and Alerts Page Viewing Logs of Web Access or Attempted Web Access Syslog Page Chapter 5 Basic Virtual Private Networking Overview of VPN Configuration Client-to-Gateway VPN Tunnels 192.168.3.1 Gateway-to-Gateway VPN Tunnels FVS318 Planning a VPN VPN Gateway A VPN Gateway B Page VPN Tunnel Configuration How to Set Up a Client-to-Gateway VPN Configuration 192.168.3.1 FVS318v3 24.0.0.1 Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS318v3 The Summary screen below displays. Page Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC Page Page Page Page Page Page Monitoring the Progress and Status of the VPN Client Connection Page Transferring a Security Policy to Another Client Page How to Set Up a Gateway-to-Gateway VPN Configuration AB Procedure to Configure a Gateway-to-Gateway VPN Tunnel 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. 4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next. Page Page Page VPN Tunnel Control Activating a VPN Tunnel Page Page Verifying the S tatus of a VPN Tunnel Deactivating a VPN Tunnel Page Deleting a VPN Tunnel Chapter 6 Advanced Virtual Private Networking Overview of FVS318v3 Policy-Based VPN Configuration Using Policies to Manage VPN Traffic Using Automatic Key Management Page 6-4 Advanced Virtual Private Networking The IKE Policy Configuration fields are defined in the following table. Table 6-1. IKE Policy Configuration fields Advanced Virtual Private Networking 6-5 VPN Policy Configuration for Auto Key Negotiation Table 6-1. IKE Policy Configuration fields Page Advanced Virtual Private Networking 6-7 The VPN Auto Policy field s are defined in the following table. Table 6-1. VPN Auto Policy Configuration Fields 6-8 Advanced Virtual Private Networking Table 6-1. VPN Auto Policy Configuration Fields VPN Policy Configuration for Manual Key Exchange Page Advanced Virtual Private Networking 6-11 The VPN Manual Policy fields are defined in the following table. Table 6-1. VPN Manual Policy Configuration Fields 6-12 Advanced Virtual Private Networking Table 6-1. VPN Manual Policy Configuration Fields Using Digital Certificates for IKE Auto-Policy Authentication Certificate Revocation List (CRL) Walk-Through of Configuration Scenarios on the FVS318v3 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets FVS318v3 Scenario 1: FVS318v3 to Gateway B IKE and VPN Policies Page Page Page Page How to Check VPN Connections FVS318v3 Scenario 2: FVS318v3 to FVS318v3 with RSA Certificates Page Page Page Page Page Page Page This screen shows the following parameters: Page Click Show Statistics to display firewall usage statistics. This screen shows the following statistics: Viewing a List of Attached Devices Upgrading the Firewall Software Page Configuration File Management Backing Up the Configuration Restoring the Configuration Erasing the Configuration Changing the Administrator Password Chapter 8 Advanced Configuration How to Configure Dynamic DNS Using the LAN IP Setup Options Configuring LAN TCP/IP Setup Parameters Using the Firewall as a DHCP server Using Address Reservation Configuring Static Routes Page Static Route Example Enabling Remote Management Access Page Page Page Chapter 9 Troubleshooting Basic Functioning Power LED Not On LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the W e b Configuration Interface Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall Testing the Path from Your PC to a Remote Device Restoring the Default Configuration and Password Problems with Date and Time Page Appendix A Technical Specifications Page Appendix B Network, Routing, and Firewall Basics Related Publications Basic Router Concepts What is a Router? Routing Information Protocol IP Addresses and the Internet Page Netmask Subnet Addressing Page Private IP Addresses Single IP Address Operation Using NAT MAC Addresses and Address Resolution Protocol Related Documents Domain Name Server IP Configuration by DHCP Internet Security and Firewalls What is a Firewall? Ethernet Cabling Category 5 Cable Quality Inside Twisted Pair Cables Uplink Switches, Crossover Cables, and MDI/MDIX Switching Page Page Appendix C Virtual Private Networking What is a VPN? What Is IPSec and How Does It Work? IPSec Security Features IPSec Components Encapsulating Security Payload (ESP) Authentication Header (AH) IKE Security Association Page Key Management Understand the Process Before You Begin VPN Process Overview Network Interfaces and Addresses VPN Tunnel Between Gateways VPN Gateway A VPN Gateway B IPSec Security Association IKE VPN Tunnel Negotiation Steps VPNC IKE Security Parameters VPNC IKE Phase I Parameters VPNC IKE Phase II Parameters Testing and Troubleshooting Additional Reading Page Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking Configuring Windows 95, 98, and Me for TCP/IP Networking Install or Verify Windows Networking Components Page Enabling DHCP to Automatically Configure TCP/IP Settings Locate your Network Neighborhood icon. Page Selecting Windows Internet Access Method Verifying TCP/IP Properties Configuring Windows NT4, 2000 or XP for IP Networking Install or Verify Windows Networking Components Enabling DHCP to Automatically Configure TCP/IP Settings DHCP Configuration of TCP/IP in Windows XP Page DHCP Configuration of TCP/IP in Windows 2000 Page Page DHCP Configuration of TCP/IP in Windows NT4 Page Verifying TCP/IP Properties for Windows XP, 2000, and NT4 Configuring the Macintosh for TCP/IP Networking MacOS 8.6 or 9.x MacOS X Verifying TCP/IP Properties for Macintosh Computers Verifying the Readiness of Your Internet Account Are Login Protocols Used? What Is Your Configuration Information? Obt aining ISP Configuration Information for W indows Computers Obtaining ISP Configuration Information for Macintosh Computers Restarting the Network Page Appendix E VPN Configuration of NETGEAR FVS318v3 Case Study Overview Gathering the Network Information Configuring the Gateways Page Page Activating the VPN Tunnel The FVS318v3-to-FVS318v3 Case Page Page Page Page Page VPN Status at Gateway B (FVS318v3) The FVS318v3-to-FVS318v2 Case Page Page Page Page Page Page The FVS318v3-to-FVL328 Case Page Page Page Page Page IPSec Connection Status at Gateway B (FVL328) VPN Configuration of NETGEAR FVS318v3 E-27 The FVS318v3-to-VPN Client Case Client-to-Gateway VPN Tunnel Overview Table E-4. Policy Summary Table E-5. Differences betwe en VPN tunnel types Scenario 1 Page Page Page Page Page Page Page Page Page Connection Monitor at Gateway B (remote VPN Client) Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric A B C D E G I Page L M P Q R S T U W