NETGEAR FVS338 Configuring XAUTH for VPN Clients

FVS338 ProSafe VPN Firewall 50 Reference Manual

Virtual Private Networking 5-21

v1.0, March 2008

.

Configuring XAUTH for VPN Clients

Once the XAUTH has been enabled, you must establish user accounts on the Local Database to be

authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.

To enable and configure XAUTH:

1. Select VPN from the main menu and Policies from the submenu. The IKE Policies screen will

display.

2. You can either modify an existing IKE Policy by clicking Edit adjacent to the policy, or create

a new IKE Policy by clicking Add.

3. In the Extended Authentication section, select the Authentication Type from the pull-down

menu which will be used to verify user account information. Select

•Edge Device to use this router as a VPN concentrator where one or more gateway tunnels

terminate. When this option is chosen, you will need to specify the authentication type to

be used in verifying credentials of the remote VPN gateways.

–User Database to verify against the router’s user database. User s must be added

through the User Database screen (see “User Database Configuratio n” on page 5-22).

–RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted

by the RADIUS server) to add a RADIUS server. If RADIS–PAP is selected, the

router will first check in the User Database to see if the user credentials are available.

If the user account is not present, the router will then connect to the RADIUS server

(see “RADIUS Client Configuration” on page 5-23).

Note: If a RADIUS-PAP se rver is enabled for authentication, XAUTH will first check the

local User Database for the user credentials. If the user account is not present, the

router will then connect to a RADIUS server.

Note: If you are modifying an existing IKE Policy to add XAUTH, if it is in use by a

VPN Policy, the VPN policy must be disabled before you can modify the IKE

Policy.

Note: If the IKE policy is in use by a VPN Policy, you must either disable or delete

the VPN policy before making changes to the IKE Policy.

Contents

Main Page iii Voluntary Control Council for Interference (VCCI) Statement Additional Copyrights v1.0, March 20 08 iv v Product and Publication Details Contents Page Page Page Page Page About This Manual Conventions, Formats and Scope How to Use This Manual How to Print this Manual Revision History Page Chapter 1 Introduction Key Features Full Routing on Both the Broadband and Serial WAN Ports A Powerful, True Firewall with Content Filtering Security Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents Router Hardware Components Router Front Panel FVS338 ProSafe VPN Firewall 50 Re ference Manual 1-6 Introduction Router Rear Panel Figure 1-2 Table 1-1. Object Descriptions Rack Mounting Hardware Factory Default Login Page Chapter 2 Connecting the FVS338 to the Internet Connecting the VPN Firewall to Your Network Logging in to the VPN Firewall Configuring your Internet Connection Page Page Page Page Setting the Routers MAC Address (Advanced Options) Page Manually Configuring Your Internet Connection Page Page Programming the Traffic Meter (if Desired) Page FVS338 ProSafe VPN Firewall 50 Re ference Manual 2-14 Connecting the FVS338 to the Internet Table 2-2. Traffic Meter Settings Configuring the WAN Mode Configuring Dynamic DNS (If Needed) Page Page Chapter 3 LAN Configuration Configuring Your LAN (Local Area Network) Using the VPN Firewall as a DHCP Server Page Page Configuring Multi-Home LAN IPs Page Managing Groups and Hosts Creating the Network Database Page Page Page Setting Up Address Reservation Configuring Static Routes Static Route Example RIP Configuration Page Page Chapter 4 Firewall Protection and Content Filtering About Firewall Security Using Rules to Block or Allow Specific Kinds of Traffic Services-Based Rules FVS338 ProSafe VPN Firewall 50 Reference Manual Firewall Protection and Content Filtering 4-3 Table 4-1. Outbound Rules Fields Page FVS338 ProSafe VPN Firewall 50 Reference Manual Firewall Protection and Content Filtering 4-5 Table 4-2. Inbound Rules Fields Order of Precedence for Firewall Rules Setting LAN WAN Rules LAN WAN Outbound Services Rules LAN WAN Inbound Services Rules Attack Checks Page Session Limit Inbound Rules Examples Page Page Page Page Outbound Rules Example Blocking Instant Messenger Adding Customized Services Page Specifying Quality of Service (QoS) Priorities Setting a Schedule to Block or Allow Traffic Setting Block Sites (Content Filtering) Page Page Page IP/MAC Binding Page Setting Up Port Triggering Page Bandwidth Limiting Page E-Mail Notifications of Event Logs and Alerts Page Page Page Administrator Information Page Page Chapter 5 Virtual Private Networking Dual WAN Port Systems Setting up a VPN Connection using the VPN Wizard Creating a VPN Tunnel to a Gateway Creating a VPN Tunnel Connection to a VPN Client IKE Policies IKE Policy Operation IKE Policy Table VPN Policies VPN Policy Operation VPN Policy Table VPN Tunnel Connection Status Creating a VPN Gateway Connection: Between FVS338 and FVX538 Configuring the FVS338 Page Page Configuring the FVX538 Testing the Connectio n Creating a VPN Client Connection: VPN Client to FVS338 Configuring the FVS338 Configuring the VPN Client Page Page Page Page Testing the Connectio n Extended Authentication (XAUTH) Configuration Configuring XAUTH for VPN Clients User Database Configuration RADIUS Client Configuration Page Manually Assigning IP Addresses to Remote Users (ModeConfig) ModeConfig Operation Setting Up ModeConfig Page Page Page Configuring the ProSafe VPN Client for ModeConfig Page Page Certificates Trusted Certificates (CA Certificates) Self Certificates Page Page Managing your Certificate Revocation List (CRL) Page Chapter 6 Router and Network Management Performance Management VPN Firewall Features That Reduce Traffic Page Page VPN Firewall Features That Increase Traffic Page Page Using QoS to Shift the Traffic Mix Tools for Traffic Management Administration Changing Passwords and Settings Page Enabling Remote Management Access Page Page Using a SNMP Manager Page Settings Backup and Firmware Upgrade Page Setting the Time Zone Monitoring the Router Enabling the Traffic Meter Setting Login Failures and Attacks Notification Page Viewing Port Triggering Status Viewing Router Configuration and System Status Monitoring WAN Ports Status Monitoring VPN Tunnel Connection Status VPN Logs DHCP Log Page Page Page Chapter 7 Troubleshooting Basic Functions Power LED Not On LEDs Never Turn Off LAN or Internet Port LEDs Not On Troubleshooting the Web Configuration Interface Page Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your Firewall Testing the Path from Your PC to a Remote Device Restoring the Default Configuration and Password Problems with Date and Time Page Appendix A Default Settings and Technical Specifications FVS338 ProSafe VPN Firewall 50 Re ference Manual Technical Specifications for the ProSafe VPN Firewall 50 are listed in the following table. A-2 Default Settings and Technical Specifications Table A-2. VPN firewall Default Technical Specifications Table A-1. FVS338 Default Settings (continued) Page Page Appendix B System Logs and Error Messages System Log Messages System Startup Reboot NTP FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs and Error Messages B-3 Login/Logout This section describes logs generated by the administrative interfaces of the device. This logging is always done. Firewall Restart Table B-4. System Logs: NTP IPSec Restart WAN Status Page FVS338 ProSafe VPN Firewall 50 Re ference Manual B-6 System Logs and Error Messages System Logs: WAN Status, Auto Rollover FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs and Error Messages B-7 PPPoE Idle-Timeout Logs. Table B-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout FVS338 ProSafe VPN Firewall 50 Re ference Manual B-8 System Logs and Error Messages PPTP Idle-Timeout Logs. Web Filtering and Content Filtering Logs Table B-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout Table B-11. System Logs: WAN Status, PPE, PPP Authentication FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs and Error Messages B-9 Table B-12. System Logs: Web Filtering and Content Filtering Traffic Metering Logs Unicast Logs ICMP Redirect Logs FTP Logging Invalid Packet Logging FVS338 ProSafe VPN Firewall 50 Re ference Manual B-12 System Logs and Error Messages FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs and Error Messages B-13 FVS338 ProSafe VPN Firewall 50 Re ference Manual B-14 System Logs and Error Messages Routing Logs LAN to WAN Logs LAN to DMZ Logs WAN to LAN Logs DMZ to WAN Logs DMZ to LAN Logs WAN to DMZ Logs Appendix C Related Documents Page Index-1 Index A B C FVS338 ProSafe VPN Firewall 50 Re ference Manual D E F FVS338 ProSafe VPN Firewall 50 Reference Manual Index-3 G I K FVS338 ProSafe VPN Firewall 50 Re ference Manual Index-4 L M N O FVS338 ProSafe VPN Firewall 50 Reference Manual P Q R FVS338 ProSafe VPN Firewall 50 Re ference Manual Index-6 S T FVS338 ProSafe VPN Firewall 50 Reference Manual Index-7 U V W X