NETGEAR DG834GSP, Reference Manual

Page 1: ...202 10262 01 June 2007 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA Reference Manual for the ADSL Modem Wireless Router DG834GSP ...

Page 2: ...nstallation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined...

Page 3: ...4GSP is in compliance with the essential requirements and other relevant provisions of Directive 1999 5 EC Español Spanish Por medio de la presente NETGEAR Inc declara que el 54 Mbps ADSL Modem Wireless Router Model DG834GSP cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999 5 CE Ελληνική Greek ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ NETGEAR Inc ΔΗΛΩΝΕΙ ΟΤΙ ...

Page 4: ... 5 EC Magyar Hungarian Alulírott NETGEAR Inc nyilatkozom hogy a 54 Mbps ADSL Modem Wireless Router Model DG834GSP megfelel a vonatkozó alapvetõ követelményeknek és az 1999 5 EC irányelv egyéb elõírásainak Polski Polish Niniejszym NETGEAR Inc oœwiadcza e 54 Mbps ADSL Modem Wireless Router Model DG834GSP jest zgodny z zasadniczymi wymogami oraz pozosta ymi stosownymi postanowieniami Dyrektywy 1999 5...

Page 5: ...djacent area thereto and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas When used near a radio or TV receiver it may become the cause of radio interference Read instructions for correct handling Customer Support Refer to the Support Informati...

Page 6: ...v1 0 June 2007 vi ...

Page 7: ... Easy Installation and Management 2 3 Protocol Support 2 4 Virtual Private Networking VPN 2 5 Auto Sensing and Auto Uplink LAN Ethernet Connections 2 5 Content Filtering 2 6 Wi Fi Multimedia WMM Quality of Service QoS 2 6 What s in the Box 2 6 The Router s Front Panel 2 8 The Router s Rear Panel 2 9 Chapter 3 Configuring Your Internet Connection Connecting the Router to the Internet 3 1 Manual Set...

Page 8: ...reless Security 4 2 Understanding Wireless Settings 4 4 How to Set Up and Test Basic Wireless Connectivity 4 7 How to Restrict Wireless Access to Your Network 4 8 How to Configure WPA PSK WPA2 PSK Security 4 11 How to Configure WPA 802 1x WPA2 802 1x Security 4 12 Choosing WEP Authentication and Security Encryption Methods 4 13 How to Configure WEP 4 14 Chapter 5 Protecting Your Network Protecting...

Page 9: ...tatus and Usage Statistics 6 4 Viewing Attached Devices 6 9 Viewing Selecting and Saving Logged Information 6 9 Examples of Log Messages 6 12 Enabling Security Event E mail Notification 6 13 Running Diagnostic Utilities and Rebooting the Modem Router 6 15 Enabling Remote Management 6 16 Configuring Remote Management 6 16 Chapter 7 Advanced Configuration Configuring Advanced Security 7 1 Setting Up...

Page 10: ...How to Set Up a Gateway to Gateway VPN Configuration 8 21 VPN Tunnel Control 8 29 Activating a VPN Tunnel 8 29 Verifying the Status of a VPN Tunnel 8 33 Deactivating a VPN Tunnel 8 35 Deleting a VPN Tunnel 8 37 How to Set Up VPN Tunnels in Special Circumstances 8 38 Using Auto Policy to Configure VPN Tunnels 8 38 Using Manual Policy to Configure VPN Tunnels 8 48 Chapter 9 Troubleshooting Basic Fun...

Page 11: ...n B 2 DG834GSP with FQDN to FVL328 B 6 Configuration Profile B 6 Step By Step Configuration B 8 Configuration Summary Telecommuter Example B 14 Setting Up the Client to Gateway VPN Configuration Telecommuter Example B 14 Step 1 Configuring the Client to Gateway VPN Tunnel on the VPN Router at the Employer s Main Office B 15 Step 2 Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the ...

Page 12: ...6 v1 0 June 2007 ...

Page 13: ...t firewall and VPN technologies tutorial information is provided in the Appendices and on the Netgear website This guide uses the following typographical conventions This guide uses the following formats to highlight special messages Table 1 1 italics Emphasis books CDs URL names bold User input fixed Screen text file and server names extensions commands IP addresses Note This format is used to hi...

Page 14: ...DF of This Chapter link at the top left of any page Click the PDF of This Chapter link at the top right of any page in the chapter you want to print The PDF version of the chapter you were viewing opens in a browser window Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files The Acrobat reader is available on the Adobe Web site at http www adobe com ...

Page 15: ...lete PDF Manual link at the top left of any page in the manual The PDF version of the complete manual opens in a browser window Click the print icon in the upper left of the window Tip If your printer supports printing two pages on a single sheet of paper you can save paper and printer ink by selecting this feature Tip If your printer supports printing two pages on a single sheet of paper you can ...

Page 16: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 1 4 About This Manual v1 0 June 2007 ...

Page 17: ...s between your Ethernet devices With minimum setup you can install and use the modem router within minutes The ADSL Modem Wireless Router provides multiple Web content filtering options reporting and instant alerts Parents and network administrators can establish restricted access policies based on time of day Web site addresses and address keywords They can also share high speed ADSL Internet acc...

Page 18: ...wall Unlike simple Internet sharing NAT routers the DG834GSP is a true firewall using stateful packet inspection to defend against hacker attacks Its firewall features include Denial of Service DoS protection Automatically detects and thwarts Denial of Service DoS attacks such as Ping of Death SYN Flood LAND Attack and IP Spoofing Blocks unwanted traffic from the Internet to your LAN Blocks access...

Page 19: ...anagement Browser based configuration allows you to easily configure your modem router from almost any type of personal computer such as Windows Macintosh or Linux A user friendly Setup Wizard is provided and online help documentation is built into the browser based Web Management Interface Smart Wizard The firmware in the modem router automatically senses the type of Internet connection asking yo...

Page 20: ...ic Configuration of Attached PCs by DHCP The DG834GSP dynamically assigns network configuration information including IP modem router and domain name server DNS addresses to attached PCs on the LAN using the Dynamic Host Configuration Protocol DHCP This feature greatly simplifies configuration of PCs on your local network DNS Proxy When DHCP is enabled and no DNS addresses are specified the modem ...

Page 21: ...g and other peer to peer services Virtual Private Networking VPN The ADSL Modem Wireless Router provides a secure encrypted connection between your local area network LAN and remote networks or clients It includes the following VPN features Supports 5 VPN connections Supports industry standard VPN protocols The ADSL Modem Wireless Router supports standard Manual or IKE keying methods standard MD5 ...

Page 22: ...log and report attempts to access objectionable Internet sites Wi Fi Multimedia WMM Quality of Service QoS WMM is a QoS feature that provides prioritization of wireless data packets from different applications based on four access categories voice video best effort and background For an application to receive the benefits of WMM QoS both it and the client running that application must be WMM enabl...

Page 23: ...eless Router DG834GSP Introduction 2 7 v1 0 June 2007 If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to return the product for repair ...

Page 24: ...he system is initializing The system is ready and running 3 Internet On Green Blink Green On Amber Blink Amber Off The Internet port is connected and an Internet session is in progress If the IP or PPPoE session is dropped due to an idle timeout the light will remain green If the session is dropped for any other reason the LED color will change to amber Data is being transmitted or received by the...

Page 25: ...ts for connecting the firewall to the local computers 3 Factory Default Reset push button 4 AC power adapter outlet 5 Wireless antenna 4 Wireless On Off Indicates that the Wireless port is initialized The Wireless Access Point is turned off 5 LAN On Green Blink Green On Amber Blink Amber Off The Local port has detected a link with a 100 Mbps device Data is being transmitted or received at 100 Mbps...

Page 26: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 2 10 Introduction v1 0 June 2007 ...

Page 27: ...m router What You Need Before You Begin You need to prepare the following before you can set up your modem router Active Internet service provided by an ADSL account The Internet Service Provider ISP configuration information for your ADSL account ISP Login Name and Password ISP Domain Name Server DNS Addresses Fixed or Static IP Address ASDL microfilters as explained below Your computers set to D...

Page 28: ... technology uses the same wires as your telephone service However ADSL adds signals to the telephone lines which create noise in the telephone service You must use ADSL microfilters to filter out these signals before they reach your telephone ADSL Microfilter Each device such as a telephone fax machine answering machine or caller ID display will require an ADSL microfilter Note If you purchased th...

Page 29: ...must provide connectivity for both the modem router and telephone equipment Computers Set to DHCP For the initial connection to your modem router your computer has to be set to automatically get its TCP IP configuration from the modem router via DHCP This is usually the case The NETGEAR Smart Wizard CD automatically takes care of this requirement For manual setup refer to the documentation that ca...

Page 30: ... ADSL configuration information from your Internet Service Provider ISP 1 Connect the ADSL filter a You need to install an ADSL filter for every telephone that uses the same phone line as your modem router Select the filter that came with your modem router Note If you purchased the DG834GSP in a country where an ADSL filter is not included you must acquire one 1 One Line Filter Use with a phone or...

Page 31: ...Line Filter Example Insert the two line filter into the phone outlet and connect the phone to the phone line connector A Figure 3 4 Note To use a one line filter with a separate splitter insert the splitter into the phone outlet connect the one line filter to the splitter and connect the phone to the filter Phone DSL Line A ...

Page 32: ...ne 2007 2 Connect the modem router to the ADSL filter a Using the included phone cable with RJ 11 jacks connect the ADSL port B of the modem router to the ADSL port C of the two line filter Figure 3 5 Warning Improperly connecting a filter to your modem router will block your ADSL connection Phone DSL Line C B ...

Page 33: ...he ADSL Modem Wireless Router DG834GSP Configuring Your Internet Connection 3 7 v1 0 June 2007 b Connect the Ethernet cable D from a modem router LAN port to the Ethernet adapter in your computer Figure 3 6 D Phone DSL Line ...

Page 34: ... you have a physical connection to the ADSL network d Now turn on your computer If software usually logs you in to your Internet connection do not run that software Cancel it if it starts automatically Verify the following The local LAN lights are lit for any connected computers 3 Log in to the modem router a Type http 10 1 1 1 in the address field of a browser such as Internet Explorer or Netscap...

Page 35: ...uter DG834GSP Configuring Your Internet Connection 3 9 v1 0 June 2007 This login window opens Enter admin for the user name and password for the password both in lower case letters b After logging in you will see the menu below Figure 3 7 Figure 3 8 ...

Page 36: ...ting Your modem router is now configured to provide Internet access for your network Your modem router automatically connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enternet to connect log in or disconnect These functions are performed automatically by the modem router as needed To access the...

Page 37: ... login protocol such as PPP over Ethernet PPPoE you will be directed to the PPPoE page shown Enter the PPPoE login user name and password Wizard Detected PPPoA Login Account Setup If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over ATM PPPoA you will be directed to the PPPoA page shown Enter your login user name and password These fields are cas...

Page 38: ...s the connection method Wizard Detected IP Over ATM Account Setup If the Setup Wizard determines that your Internet service account uses IP over ATM Classical IP assignment RFC1577 you will be directed to the page shown 1 Enter your assigned IP Address and Subnet Mask This information should have been provided to you by your ISP You need the configuration parameters from your ISP 2 Enter the IP ad...

Page 39: ...your ISP 2 Choose Use Static IP Address or Use IP Over ATM IPoA RFC1483 Routed according to the information from your ISP If you choose IPoA the router will be able to detect the gateway IP address but you still need to provide the router IP address 3 Enter your assigned IP Address Subnet Mask and the IP Address of your ISP s gateway modem router This information should have been provided to you b...

Page 40: ...work Your modem router automatically connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enternet to connect log in or disconnect These functions are performed by the modem router as needed To access the Internet from any computer connected to your modem router launch a browser such as Microsoft ...

Page 41: ...n 3 15 v1 0 June 2007 Manually Configuring Your Internet Connection You can manually configure your modem router using the menu below or you can allow the Setup Wizard to determine your configuration as described in the previous section Figure 3 13 ISP Does Not Require Login ISP Does Require Login ...

Page 42: ...DSL Settings work fine for most ISPs and you can skip this step If you have any problems with your connection check the ADSL Settings See ADSL Settings on page 3 20 for more details Internet Connection Requires Login and Uses PPPoE 1 If your Internet connection does require login select Yes and fill in the settings according to the instructions below 2 Choose PPPoE for the encapsulation method 3 E...

Page 43: ...ll in addition to disabling NAT The Disable option leaves the firewall active With the firewall disabled the protections normally provided to your network will be disabled Internet Connection Requires Login and Uses PPPoA 1 If your Internet connection does require login select Yes and fill in the settings according to the instructions below 2 Choose PPPoA for the encapsulation method 3 Enter the l...

Page 44: ... directly manage the IP addresses the DG834GSP uses Classical routing should be selected only by experienced users The Disable Firewall option disables the firewall in addition to disabling NAT The Disable option leaves the firewall active With the firewall disabled the protections normally provided to your network will be disabled Internet Connection Requires Login and Uses PPTP 1 If your Interne...

Page 45: ... ISP if your ISP uses DHCP to assign your IP address Your ISP will automatically assign this address If you know that your ISP does not automatically transmit DNS addresses to the modem router during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also A DNS server is a host on the Internet that tr...

Page 46: ... MAC address To change the MAC address select Use this Computer s MAC address The modem router will then capture and use the MAC address of the computer that you are now using You must be using the one computer that is allowed by the ISP Alternatively select Use this MAC address and enter it 8 Click Apply to save your settings 9 Click Test to test your Internet connection If the NETGEAR Web site d...

Page 47: ...nection 3 21 v1 0 June 2007 1 Select the ADSL Settings link from the main menu 2 For the Multiplexing Method select LLC based or VC based 3 Type a number between 0 and 255 for the VPI The default is 8 4 Type a number between 1 and 65535 for the VCI The default is 35 5 Click Apply Figure 3 14 ...

Page 48: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 3 22 Configuring Your Internet Connection v1 0 June 2007 ...

Page 49: ...eless connection can vary significantly based on the physical placement of the wireless modem router The latency data throughput performance and notebook power consumption also vary depending on your configuration choices For best results place your modem router Near the center of the area in which your computers will operate In an elevated location such as a high shelf where the wirelessly connec...

Page 50: ...everal ways you can enhance the security of your wireless network Restrict Access Based on MAC Address You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the DG834GSP Restricting access by MAC address adds an obstacle against unwanted access to your network but the data broadcast over the wireless link is fully exposed Turn Off the Broadcast of the Wireless ...

Page 51: ...ded by WPA PSK and WPA2 PSK WPA 802 1x WPA2 802 1x Wi Fi Protected Access WPA with user authentication implemented using IEE 802 1x and RADIUS servers WPA PSK TKIP WPA2 PSK AES Wi Fi Protected Access WPA using a pre shared key to perform authentication and generate the initial data encryption keys The very strong authentication along with dynamic per frame re keying of WPA make it virtually imposs...

Page 52: ...less Configuration v1 0 June 2007 Understanding Wireless Settings To configure the Wireless interface of your modem router click the Wireless Settings link in the Setup section of the main menu The Wireless Settings menu will appear similar to that shown below Figure 4 2 ...

Page 53: ...802 11g wireless stations to be used b only allows 802 11b wireless stations 802 11g wireless stations can still be used if they can operate in 802 11b mode Wireless Access Point Enable Wireless Access Point This field lets you turn off or turn on the wireless access point built in to the modem router The wireless icon on the front of the modem router will also display the current status of the Wi...

Page 54: ...of WEP shared key see Wireless Communications in Appendix C Encryption Strength If Shared or Open Network Authentication is enabled you can choose 64 or 128 bit WEP data encryption Note With Open Network Authentication and 64 or 128 bit WEP Data Encryption the DG834GSP does perform 64 or 128 bit data encryption but does not perform any authentication Security Encryption WEP Key These key values mu...

Page 55: ...nerate the initial data encryption keys Then it dynamically varies the encryption key WPA PSK TKIP implements most of the IEEE 802 11i standard and is designed to work with all wireless network interface cards but not all wireless access points WPA2 PSK AES implements the full standard but will not work with some older network cards For a full explanation of WPA see Wireless Communications in Appe...

Page 56: ...ame SSID and encryption type and passphrase as you configured in your modem router Check that they have a wireless link and are able to obtain an IP address by DHCP from the modem router Once your computers have basic wireless connectivity to the modem router you can configure the advanced wireless security functions of the modem router How to Restrict Wireless Access to Your Network By default an...

Page 57: ...twork name SSID However by default this feature is turned off If you turn this feature on wireless devices will not see your DG834GSP You must configure your wireless devices to match the wireless network name SSID you configure in the ADSL Modem Wireless Router Restricting Wireless Access Based on the Wireless Station Access List This list determines which wireless hardware devices will be allowe...

Page 58: ...ently connected to the network you can select it from the Available Wireless Stations list Click Add to add the station to the Trusted Wireless Stations list 5 If the wireless station is not currently connected you can enter its address manually Enter the MAC address of the authorized computer The MAC address is usually printed on the wireless card or it may appear in the modem router s DHCP table...

Page 59: ...word of password or using whatever LAN address and password you have set up 2 Click Wireless Settings in the Setup section of the main menu of the DG834GSP 3 Choose the WPA PSK WPA2 PSK or WPA PSK WPA2 PSK radio button The WPA PSK WPA2 PSK option is the most flexible as it allows wireless clients to use either WPA PSK or WPA2 PSK protocol The Security Encryption section will be displayed 4 Enter t...

Page 60: ...ss Settings in the Setup section of the main menu of the DG834GSP 3 Choose the WPA 802 1x WA2 802 1x or WPA 802 1x WPA2 802 1x radio button The WPA 802 1x WPA2 802 1x option is the most flexible as it allows wireless clients to use either WPA 802 1x or WPA2 802 1x protocol The page will display the WPA 802 1x WPA2 802 1x section 4 Enter the Radius server name IP address 5 Enter the Radius port num...

Page 61: ...ropping on your wireless data communications Also if you are using the Internet for such activities as purchases or banking those Internet sites use another level of highly secure encryption called SSL You can tell if a web site is using SSL because the web address begins with HTTPS rather than HTTP Authentication Type Selection The DG834GSP lets you select the following wireless authentication sc...

Page 62: ...ed 64 or 128 bit WEP When 64 Bit WEP or 128 Bit WEP is selected WEP encryption will be applied If WEP is enabled you can manually or automatically program the four data encryption keys These values must be identical on all computers and access points in your network There are two methods for creating WEP encryption keys Passphrase Enter a word or group of printable characters in the Passphrase box...

Page 63: ...Strength setting 7 Enter the encryption keys You can manually or automatically program the four data encryption keys These values must be identical on all computers and Access Points in your network Automatic enter a word or group of printable characters in the Passphrase box and click the Generate button The four key boxes will be automatically populated with key values Manual enter hexadecimal d...

Page 64: ... settings Note When configuring the modem router from a wireless computer if you configure WEP settings you will lose your wireless connection when you click Apply You must then either configure your wireless adapter to match the modem router WEP settings or access the modem router from a wired computer to make any further changes ...

Page 65: ...d You can use procedures below to change the modem router s password and the amount of time for the administrator s login timeout NETGEAR recommends that you change this password to a more secure password The ideal password should contain no dictionary words from any language and should be a mixture of both upper and lower case letters numbers and symbols Your password can be up to 30 characters H...

Page 66: ... security the administrator s login to the modem router configuration will timeout after a period of inactivity To change the login timeout period 1 In the Set Password menu type a number in Administrator login times out field The suggested default value is 5 minutes 2 Click Apply to save your changes or click Cancel to keep the current period Figure 5 1 Note After changing the password you will b...

Page 67: ...tions include Keyword blocking of HTTP traffic Outbound Service Blocking limits access from your LAN to Internet locations or services that you specify as off limits Denial of Service DoS protection Automatically detects and thwarts Denial of Service DoS attacks such as Ping of Death SYN Flood LAND Attack and IP Spoofing Blocking unwanted traffic from the Internet to your LAN The section below exp...

Page 68: ...r domain in the Keyword box click Add Keyword then click Apply Some examples of Keyword application follow If the keyword XXX is specified the URL http www badstuff com xxx html is blocked If the keyword com is specified only Web sites with other domain suffixes such as edu or gov can be viewed Enter the keyword to block all Internet browsing access Up to 32 entries are supported in the Keyword li...

Page 69: ...s Outbound rules LAN to WAN determine what outside resources local users can have access to A firewall has two default rules one for inbound traffic and one for outbound The default rules of the DG834GSP are Inbound Block all access from outside except responses to requests from the LAN side Outbound Allow all access from the LAN side to the outside You can define additional rules that will specif...

Page 70: ...r an Outbound or Inbound Service To edit an existing rule select its button on the left side of the table and click Edit To delete an existing rule select its button on the left side of the table and click Delete To move an existing rule to a different position in the table select its button on the left side of the table and click Move At the script prompt enter the number of the desired new posit...

Page 71: ...lso known as port forwarding Remember that allowing inbound services opens holes in your firewall Only enable those ports that are necessary for your network Following are two application examples of inbound rules Inbound Rule Example A Local Public Web Server If you host a public Web server on your local network you can define a rule to allow inbound Web HTTP requests from any outside IP address ...

Page 72: ...t enter the Start and Finish fields Single address enter the required address in the Start field Log You can select whether the traffic will be logged The choices are Never no log entries will be made for this service Always any traffic for this service type will be logged Match traffic of this type which matches the parameters and action will be logged Not match traffic of this type which does no...

Page 73: ...address IP address of the Internet site being contacted destination address Time of day Type of service being requested service port number Following is an application example of outbound rules Outbound Rule Example Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP...

Page 74: ...n their source LAN IP address Select the desired option Any all IP addresses are covered by this rule Address range if this option is selected you must enter the Start and Finish fields Single address enter the required address in the Start field WAN Users These settings determine which packets are covered by the rule based on their destination WAN IP address Select the desired option Any all IP a...

Page 75: ... Services Services are functions performed by server computers at the request of client computers For example Web servers serve Web pages time servers serve time and date information and game hosts serve data about other players moves When a computer on the Internet sends a request for service to a server computer the requested service is identified by a service or port number This number appears ...

Page 76: ...ser Name of admin default password of password or using whatever Password and LAN address you have chosen for the modem router 2 Select the Services link of the Content Filtering menu to display the Services menu shown To create a new Service click the Add Custom Service button To edit an existing Service select its button on the left side of the table and click Edit Service To delete an existing ...

Page 77: ...n order to localize the time for your log entries you must specify your Time Zone 1 Log in to the modem router at its default LAN address of http 10 1 1 1 with its default User Name of admin default password of password or using whatever Password and LAN address you have chosen for the modem router 2 Select the Schedule link of the Content Filtering menu to display menu shown below 3 Select your t...

Page 78: ...using whatever Password and LAN address you have chosen for the modem router 2 Select the Schedule link of the Content Filtering menu to display menu shown above 3 To block Internet services based on a schedule select Every Day or select one or more days If you want to limit access completely for the selected days select All Day Otherwise to limit access during certain times for the selected days ...

Page 79: ...o your computer restored or reverted to factory default settings The procedures below explain how to do these tasks How to Back Up the Configuration to a File 1 Log in to the modem router at its default LAN address of http 10 1 1 1 with its default User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the modem router 2 From the Ma...

Page 80: ...em router to the factory default settings This can be done by using the Erase function 1 To erase the configuration from the Maintenance menu Settings Backup link click the Erase button on the screen 2 The modem router will then reboot automatically After an erase the modem router s password will be password the LAN IP address will be 10 1 1 1 and the modem router s DHCP client will be enabled Upg...

Page 81: ...efault User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the modem router 3 From the Main Menu of the browser interface under the Maintenance heading select the Router Upgrade heading to display the menu shown 4 In the Router Upgrade menu click Browse to locate the binary BIN or IMG upgrade file 5 Click Upload Figure 6 2 Warnin...

Page 82: ... Network v1 0 June 2007 Network Management Information The DG834GSP provides a variety of status and usage information which is discussed below Viewing Modem Router Status and Usage Statistics From the Main Menu under Maintenance click Router Status to view this screen Figure 6 3 ...

Page 83: ...twork type depends is determined by your ISP Common network types are PPPoE and PPPoA IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet ADSL port of the modem router Domain Name Server DNS This field displays the DNS Server IP addresses being used by the modem router These addresses are usually obtained dynamically from the ISP LAN Port These parameters apply to the ...

Page 84: ...entifier setting VCI The Virtual Channel Identifier setting Wireless Port These are the settings as set in the Wireless Settings page see Understanding Wireless Settings in Chapter 4 for details Name SSID The Service Set ID also known as the wireless network name Region The country where the unit is set up for use Channel The current channel which determines the operating frequency Wireless AP Ind...

Page 85: ...bandwidth used on this port Rx B s The average line utilization for this port Up Time The time elapsed since the last power cycle or reset ADSL Link Downstream or Upstream The statistics for the upstream and downstream ADSL link These statistics will be of interest to your technical support representative if you are having problems obtaining or maintaining a connection Connection Speed Typically t...

Page 86: ...igure 6 5 Table 6 3 Connection Status Fields for PPPoA Field Description Connection Time The time elapsed since the last connection to the Internet via the ADSL port Connecting to Sender The connection status Negotiation ON or OFF Authentication ON or OFF IP Address The IP Address assigned to the WAN port by the ADSL Internet Service Provider Network Mask The Network Mask assigned to the WAN port ...

Page 87: ...hat if the modem router is rebooted the table data is lost until the modem router rediscovers the devices To force the modem router to look for attached devices click the Refresh button Viewing Selecting and Saving Logged Information The modem router will log security related events such as denied incoming service requests hacker probes and administrator logins If you enabled content filtering in ...

Page 88: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 6 10 Managing Your Network v1 0 June 2007 An example of the logs file is shown below Figure 6 7 ...

Page 89: ...rce IP The IP address of the initiating device for this log entry Source port and interface The service port number of the initiating device and whether it originated from the LAN or WAN Destination The name or IP address of the destination device or Web site Destination port and interface The service port number of the destination device and whether it s on the LAN or WAN Table 6 5 Security Log a...

Page 90: ...Broadcast on Lan or enter the IP address of the server where the Syslog file will be written Examples of Log Messages Following are examples of log messages In all cases the log entry shows the timestamp as Day Year Month Date Hour Minute Second Activation and Administration Tue 2002 05 21 18 48 39 NETGEAR activated This entry indicates a power up or reboot with initial time entry Tue 2002 05 21 1...

Page 91: ...002 05 22 21 02 53 ICMP packet dropped Source 64 12 47 28 0 WAN Destination 134 177 0 11 0 LAN Inbound Default rule match These entries show an inbound FTP port 21 packet User Datagram Protocol UDP packet port 6970 and Internet Control Message Protocol ICMP packet port 0 being dropped as a result of the default inbound rule which states that all inbound packets are denied Enabling Security Event E...

Page 92: ...d like immediate notification of a significant security event such as a known attack port scan or attempted access to a blocked site Send logs according to this schedule Specifies how often to send the logs Hourly Daily Weekly or When Full Day for sending log Specifies which day of the week to send the log Relevant when the log is sent weekly or daily Time for sending log Specifies the time of day...

Page 93: ... the ping packet always goes through the VPN if the VPN tunnel is enabled and working Perform a DNS Lookup to test if an Internet name resolves to an IP address to verify that the DNS server configuration is working Display the Routing Table to identify what other modem routers the modem router is communicating with Reboot the modem router to enable new network configurations to take effect or to ...

Page 94: ...ess of http 10 1 1 1 with its default User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the modem router 2 From the Advanced section of the main menu select the Remote Management link 3 Select the Turn Remote Management On check box Tip Be sure to change the modem router s default password to a very secure password The ideal pa...

Page 95: ...ber that will be used for accessing the management interface Web browser access normally uses the standard HTTP service port 80 For greater security you can change the remote management Web interface to a custom port by entering that number in the box provided Choose a number between 1024 and 65535 but do not use the number of any common service port The default is 8080 which is a common alternate...

Page 96: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 6 18 Managing Your Network v1 0 June 2007 ...

Page 97: ...eless Router Model DG834GSP provides a variety of advanced features such as Setting up a Demilitarized Zone DMZ Server Connecting Automatically as Required Disabling Port Scan and DOS Protection Responding to a Ping on the Internet WAN Port MTU Size Flexibility on configuring your LAN TCP IP settings Using the Router as a DHCP Server Configuring Dynamic DNS Configuring Static Routes Wireless Bridg...

Page 98: ... response to one of your local computers or a service that you have configured in the Ports menu Instead of discarding this traffic you can have it forwarded to one computer on your network This computer is called the Default DMZ Server How to Configure a Default DMZ Server To assign a computer or server to be a Default DMZ server follow these steps 1 Log in to the modem router at its default LAN ...

Page 99: ...Click Apply to save your changes Connect Automatically as Required Normally this option should be enabled so that an Internet connection will be made automatically whenever Internet bound traffic is detected If this causes high connection costs you can disable this setting If disabled you must connect manually using the sub screen accessed from the Connection Status button on the Status screen If ...

Page 100: ...tool since it allows your modem router to be discovered Do not select this box unless you have a specific reason to do so MTU Size The normal MTU Maximum Transmit Unit value for most Ethernet networks is 1500 Bytes or 1492 Bytes for PPPoE connections For some ISPs you may need to reduce the MTU But this is rarely required and should not be done unless you are sure it is necessary for your ISP conn...

Page 101: ...ent to use a different IP addressing scheme you can make those changes in this menu The LAN TCP IP Setup parameters are IP Address This is the LAN IP address of the modem router Figure 7 2 Warning If you change the LAN IP address of the modem router while connected through the browser you or anyone else using the router will be disconnected You must then open a new connection to the new IP address...

Page 102: ...odem router sends It recognizes both formats when receiving By default this is set for RIP 1 RIP 1 is universally supported RIP 1 is probably adequate for most networks unless you have an unusual network setup RIP 2 carries more information Both RIP 2B and RIP 2M send the routing data in RIP 2 format RIP 2B uses subnet broadcasting RIP 2M uses multicasting Access Router Management Interface on add...

Page 103: ...sses The router will deliver the following parameters to any LAN device that requests DHCP An IP Address from the range you have defined Subnet Mask Gateway IP Address is the router s LAN IP address Primary DNS Server if you entered a Primary DNS address in the Basic Settings menu otherwise the router s LAN IP address Secondary DNS Server if you entered a Secondary DNS address in the Basic Setting...

Page 104: ...address you want to edit or delete 2 Click Edit or Delete How to Configure LAN TCP IP Settings 1 Log in to the router at its default LAN address of http 10 1 1 1 with its default User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the router Tip If the computer is already present on your network you can copy its MAC address from ...

Page 105: ...nently assigned IP address you can register a domain name and have that name linked with your IP address by public Domain Name Servers DNS However if your Internet account uses a dynamically assigned IP address you will not know in advance what your IP address will be and the address can change frequently In this case you can use a commercial dynamic DNS service that will allow you to register you...

Page 106: ...ult LAN address of http 10 1 1 1 with its default User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the router 2 From the Main Menu of the browser interface under Advanced select Dynamic DNS to display the page below 3 Access the Web site of one of the dynamic DNS service providers whose names appear in the Service Provider box...

Page 107: ...tional static routes You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network Static Route Example As an example of when a static route is needed consider the following case Your primary Internet access is through a cable modem to an ISP You have an ISDN router on your home network for connecting to the company where you are em...

Page 108: ... This is a direct connection so it is set to 1 Private is selected only as a precautionary security measure in case RIP is activated How to Configure Static Routes 1 Log in to the router at its default LAN address of http 10 1 1 1 with its default User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the router 2 From the Main Menu...

Page 109: ...hich must be a router on the same LAN segment as your DG834GSP ADSL Modem Wireless Router h Type a number between 2 and 15 as the Metric value This represents the number of routers between your network and the destination Usually a setting of 2 or 3 works but if this is a direct connection set it to 2 4 Click Apply to have the static route entered into the table Universal Plug and Play UPnP Univer...

Page 110: ... device status but can significantly reduce network traffic Advertisement Time To Live The time to live for the advertisement is measured in hops steps for each UPnP packet sent A hop is the number of steps allowed to propagate for each UPnP advertisement before it disappears The number of hops can range from 1 to 255 The default value for the advertisement time to live is 4 hops which should be f...

Page 111: ...e Manual for the ADSL Modem Wireless Router DG834GSP Advanced Configuration 7 15 v1 0 June 2007 c Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP devices ...

Page 112: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 7 16 Advanced Configuration v1 0 June 2007 ...

Page 113: ...N Tunnel Configuration on page 8 6 summarizes the three ways to configure a VPN tunnel VPN Wizard recommended for most situations Auto Policy and Manual Policy How to Set Up a Client to Gateway VPN Configuration on page 8 7 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client How to Set Up a Gateway to...

Page 114: ...tunnels Client to Gateway VPN Tunnels Client to Gateway VPN Tunnels provide secure access from a remote PC such as a telecommuter connecting to an office network A VPN client access allows a remote PC to connect to your network from any location on the Internet In this case the remote PC is one tunnel endpoint running the VPN client software The ADSL Modem Wireless Router on your network is the ot...

Page 115: ...main office A VPN between two or more NETGEAR VPN enabled modem routers is a good way to connect branch or home offices and business partners over the Internet VPN tunnels also enable access to network resources across the Internet In this case use DG834GSPs on each end of the tunnel to form the VPN tunnel end points See How to Set Up a Gateway to Gateway VPN Configuration on page 8 21 to set up t...

Page 116: ...ween the two VPN endpoints When planning your VPN you must make a few choices first Will the local end be any device on the LAN a portion of the local network as defined by a subnet or by a range of IP addresses or a single PC Will the remote end be any device on the remote LAN a portion of the remote network as defined by a subnet or by a range of IP addresses or a single PC Table 8 1 VPN Tunnel ...

Page 117: ...g setup in which you must specify each phase of the connection see Using Manual Policy to Configure VPN Tunnels on page 8 48 What level of IPSec VPN encryption will you use DES The Data Encryption Standard DES processes input data that is 64 bits wide encrypting these values using a 56 bit key Faster but less secure than 3DES 3DES Triple DES achieves a higher level of security by encrypting the da...

Page 118: ...tances but you want to automate the Internet Key Exchange IKE setup See Using Manual Policy to Configure VPN Tunnels on page 8 48 when the VPN Wizard and its VPNC defaults see Table 8 2 are not appropriate for your special circumstances and you must specify each phase of the connection You manually enter all the authentication and key parameters You have more control over the process however the p...

Page 119: ...VPN Client on the Remote PC on page 8 12 configures the NETGEAR ProSafe VPN Client endpoint Step 1 Configuring the Client to Gateway VPN Tunnel on the DG834GSP The worksheet below identifies the parameters used in the following procedure A blank worksheet is at Planning a VPN on page 8 4 Figure 8 3 Note This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters lis...

Page 120: ... 12345678 Secure Association Main Mode or Manual Keys Main Perfect Forward Secrecy Enabled or Disabled Disabled Encryption Protocol DES or 3DES 3DES Authentication Protocol MD5 or SHA 1 SHA 1 Diffie Hellman DH Group Group 1 or Group 2 Group 2 Key Life in seconds 28800 8 hours IKE Life Time in seconds 3600 1 hour VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask FQDN or Gateway IP WAN IP Addre...

Page 121: ...VPN Wizard link in the main menu to display this screen Click Next to proceed 2 Fill in the Connection Name and the pre shared key select the type of target end point and click Next to proceed Figure 8 4 Figure 8 5 Tip The Connection Name is arbitrary and not relevant to how the configuration functions Enter the new Connection Name e g RoadWarrior Enter the pre shared key e g 12345678 Select the r...

Page 122: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP 8 10 Virtual Private Networking v1 0 June 2007 The Summary screen below displays Figure 8 6 ...

Page 123: ...the VPNC recommended authentication and encryption settings used by the VPN Wizard click the here link Click Back to return to the Summary screen 3 Click Done on the Summary screen to complete the configuration procedure The VPN Policies menu below displays showing that the new tunnel is enabled Figure 8 7 Figure 8 8 ...

Page 124: ...D to complete the installation If you do not have a modem or dial up adapter installed in your PC you may see the warning message stating The NETGEAR ProSafe VPN Component requires at least one dial up adapter be installed You can disregard this message Install the IPSec Component You may have the option to install either the VPN Adapter or the IPSec Component or both The VPN Adapter is not necess...

Page 125: ... the ID Type menu e In this example type 10 1 3 1 in the Subnet field as the network address of the DG834GSP f Enter 255 255 255 0 in the Mask field as the LAN Subnet Mask of the DG834GSP g Select All in the Protocol menu to allow all traffic through the VPN tunnel Figure 8 9 Note In this example the Connection Name used on the client side of the VPN tunnel is toDG834 and it does not have to match...

Page 126: ...NETGEAR ProSafe VPN Client software a In the Network Security Policy list expand the new connection by double clicking its name or clicking on the symbol My Identity and Security Policy subheadings appear below the connection name b Click on the Security Policy subheading to show the Security Policy menu c Select the Main Mode in the Select Phase 1 Negotiation Mode check box group 4 Configure the ...

Page 127: ...n the ID Type menu If you are using a virtual fixed IP address enter this address in the Internal Network IP Address box Otherwise leave this box empty d In the Internet Interface box select the adapter you use to access the Internet Select PPP Adapter in the Name menu if you have a dial up Internet account Select your Ethernet adapter if you have a dedicated Cable or DSL line You may also choose ...

Page 128: ...lient Authentication Proposal In this step you will provide the type of encryption DES or 3DES to be used for this connection This selection must match your selection in the DG834GSP configuration a In the Network Security Policy list on the left side of the Security Policy Editor window expand the Security Policy heading by double clicking its name or clicking on the symbol b Expand the Authentic...

Page 129: ...oup 2 6 Configure the VPN Client Key Exchange Proposal In this step you will provide the type of encryption DES or 3DES to be used for this connection This selection must match your selection in the DG834GSP configuration a Expand the Key Exchange subheading by double clicking its name or clicking on the symbol Then select Proposal 1 below Key Exchange b In the SA Life menu select Unspecified c In...

Page 130: ... The NETGEAR ProSafe client will report the results of the attempt to connect Since the remote PC has a dynamically assigned WAN IP address it must initiate the request To perform a ping test using our example start from the remote PC a Establish an Internet connection from the PC b On the Windows taskbar click the Start button and then click Run c Type ping t 10 1 3 1 and then click OK This will ...

Page 131: ...on is shown below 9 The Connection Monitor screen for this connection is shown below In this example you can see the following The DG834GSP has a public IP WAN address of 22 23 24 25 The DG834GSP has a LAN IP address of 10 1 3 1 The VPN client PC has a dynamically assigned address of 10 1 2 2 Figure 8 15 Note Use the active VPN tunnel information and pings to determine whether a failed connection ...

Page 132: ...d in this menu will say SA before the name of the connection When the connection is successful the SA will change to the yellow key symbol shown in the illustration above Note While your PC is connected to a remote LAN through a VPN you might not have normal Internet access If this is the case you will need to close the VPN connection in order to have normal Internet access ...

Page 133: ...he Internet The examples below assume the following settings Note This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 8 2 on page 8 5 If you have special requirements not covered by these VPNC recommended parameters refer to How to Set Up VPN Tunnels in Special Circumstances on page 8 38 to set up the VPN tunnel Figure 8 17 A B VPN Tunnel DG8...

Page 134: ...GtoG Pre Shared Key 12345678 Secure Association Main Mode or Manual Keys Main Perfect Forward Secrecy Enabled or Disabled Disabled Encryption Protocol DES or 3DES 3DES Authentication Protocol MD5 or SHA 1 SHA 1 Diffie Hellman DH Group Group 1 or Group 2 Group 2 Key Life in seconds 28800 8 hours IKE Life Time in seconds 3600 1 hour VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask FQDN or Gate...

Page 135: ... 8 23 v1 0 June 2007 2 Fill in the Connection Name and the pre shared key select the type of target end point and click Next to proceed Figure 8 18 Figure 8 19 Enter the new Connection Name e g MyOfficeVPN Enter the pre shared key e g 12345678 Select the radio button A remote VPN Gateway ...

Page 136: ...r the target VPN endpoint WAN connection and click Next 4 Identify the IP addresses at the target endpoint that can use this tunnel and click Next Figure 8 20 Figure 8 21 Enter the WAN IP address of the remote VPN gateway e g 208 32 25 25 Enter the LAN IP settings of the remote VPN gateway IP Address e g 10 1 1 1 Subnet Mask e g 255 255 255 0 ...

Page 137: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP Virtual Private Networking 8 25 v1 0 June 2007 The Summary screen below displays Figure 8 22 ...

Page 138: ...ded authentication and encryption settings used by the VPN Wizard click the here link see Figure 8 22 Click Back to return to the Summary screen 5 Click Done on the Summary screen see Figure 8 22 to complete the configuration procedure The VPN Settings menu below displays showing that the new tunnel is enabled Figure 8 23 Figure 8 24 ...

Page 139: ...gs of the remote VPN gateway IP Address e g 10 1 1 1 Subnet Mask e g 255 255 255 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps Note Refer to Using Auto Policy to Configure VPN Tunnels on page 8 38 to enable the IKE keep alive capability on an existing VPN tunnel Note The VPN Status screen is only one of three ways to active a ...

Page 140: ...erface and click on VPN Status to get the VPN Status Log screen Figure 8 25 b Click on VPN Status Figure 8 27 to get the Current VPN Tunnels SAs screen Figure 8 26 Click on Connect for the VPN tunnel you want to activate c Look at the VPN Status Log screen Figure 8 25 to verify that the tunnel is connected Figure 8 25 Figure 8 26 MyOfficeVPN ...

Page 141: ...remote endpoint Start using the VPN tunnel Using the VPN Status Page to Activate a VPN Tunnel To use the VPN Status screen to activate a VPN tunnel perform the following steps 1 Log in to the Modem Router 2 Open the DG834GSP management interface and click on VPN Status to get the VPN Status Log screen Figure 8 27 Note Refer to Using Auto Policy to Configure VPN Tunnels on page 8 38 to enable the I...

Page 142: ...gateway Client to Gateway Configuration to check the VPN Connection you can initiate a request from the remote PC to the DG834GSP s network by using the Connect option in the NETGEAR ProSafe menu bar The NETGEAR ProSafe client will report the results of the attempt to connect Since the remote PC has a dynamically assigned WAN IP address it must initiate the request To perform a ping test using our...

Page 143: ...d change from timed out to reply Once the connection is established you can open the browser of the PC and enter the LAN IP address of the remote DG834GSP After a short wait you should see the login screen of the Modem Router unless another PC already has the DG834GSP management interface open Gateway to Gateway Configuration test the VPN tunnel by pinging the remote network from a PC attached to ...

Page 144: ...Networking v1 0 June 2007 b ping 10 1 1 1 Start Using a VPN Tunnel to Activate It To use a VPN tunnel use a Web browser to go to a URL whose IP address or range is covered by the policy for that VPN tunnel Note The pings may fail the first time If so then try the pings a second time ...

Page 145: ... in to the Modem Router 2 Open the DG834GSP management interface and click on VPN Status to get the VPN Status Log screen Figure 8 31 Log this log shows the details of recent VPN activity including the building of the VPN tunnel If there is a problem with the VPN tunnel refer to the log for information about what might be the cause of the problem Click Refresh to see the most recent entries Click ...

Page 146: ...on For Automatic key exchange the SPI is generated by the IKE protocol Policy Name the name of the VPN policy associated with this SA Remote Endpoint the IP address on the remote VPN Endpoint Action the action will be either a Drop or a Connect button SLifeTime Secs the remaining Soft Lifetime for this SA in seconds When the Soft Lifetime becomes zero the SA Security Association will re negotiated...

Page 147: ... VPN Tunnel To use the VPN Policies page to deactivate a VPN tunnel perform the following steps 1 Log in to the Modem Router 2 Open the DG834GSP management interface and click on VPN Policies to get the VPN Policies screen Figure 8 33 3 Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply To reactivate the tunnel check the Enable box and click Apply Using the VPN St...

Page 148: ...ing v1 0 June 2007 2 Open the DG834GSP management interface and click on VPN Status to get the VPN Status Log screen Figure 8 34 3 Click VPN Status Figure 8 34 to get the Current VPN Tunnels SAs screen Figure 8 35 Click Drop for the VPN tunnel you want to deactivate Figure 8 34 Figure 8 35 ...

Page 149: ...1 0 June 2007 Deleting a VPN Tunnel To delete a VPN tunnel 1 Log in to the Modem Router 2 Open the DG834GSP management interface and click VPN Policies to display the VPN Policies screen Figure 8 36 Select the radio button for the VPN tunnel to be deleted and click the Delete button Figure 8 36 ...

Page 150: ...s is more complex and there are more opportunities for errors or configuration mismatches between your DG834GSP and the corresponding VPN endpoint gateway or client workstation Using Auto Policy to Configure VPN Tunnels You need to configure matching VPN settings on both VPN endpoints The outbound VPN settings on one end must match to the inbound VPN settings on other end and vice versa See Exampl...

Page 151: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP Virtual Private Networking 8 39 v1 0 June 2007 Figure 8 37 10 1 1 1 ...

Page 152: ...ess will be pinged periodically to generate traffic for the VPN tunnel The remote keep alive IP address must be covered by the remote LAN IP range and must correspond to a device that can respond to ping The range should be made as narrow as possible to meet this objective Local LAN This identifies which PCs on your LAN are covered by this policy For each selection data must be provided as follows...

Page 153: ... connection to the remote VPN endpoint Please be sure you want this option before selecting it The remote VPN endpoint must have these IP addresses entered as its Local addresses IKE Direction Type this setting is used when determining if the IKE policy matches the current traffic Select the desired option Responder only incoming connections are allowed but outgoing connections will be blocked Ini...

Page 154: ...m authentication Algorithm used for both IKE and IPSec This setting must match the setting used on the remote VPN Gateway Auto MD5 and SHA 1 are supported Auto negotiates with the remote VPN endpoint and is not available in responder only mode MD5 128 bits faster but less secure SHA 1 default 160 bits slower but more secure Pre shared Key the key must be entered both here and on the remote VPN Gat...

Page 155: ... or Manual Keys Main Perfect Forward Secrecy Enabled or Disabled Disabled Encryption Protocol DES or 3DES 3DES Authentication Protocol MD5 or SHA 1 SHA 1 Diffie Hellman DH Group Group 1 or Group 2 Group 2 Key Life in seconds 28800 8 hours IKE Life Time in seconds 3600 1 hour VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask FQDN or Gateway IP WAN IP Address DG834GSP A LAN_A 10 1 1 1 255 255 2...

Page 156: ...emote VPN Endpoint Address Type Fixed IP Address Remote VPN Endpoint Address Data 22 23 24 25 Local LAN use default setting Remote LAN IP Address select Subnet address from the pulldown menu Start IP address 10 1 3 1 Subnet Mask 255 255 255 0 IKE Direction Initiator and Responder Exchange Mode Main Mode Diffie Hellman DH Group Group 2 1024 Bit Local Identity Type use default setting Remote Identit...

Page 157: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP Virtual Private Networking 8 45 v1 0 June 2007 Authentication Algorithm MD5 Pre shared Key 12345678 Figure 8 40 10 1 1 1 10 1 3 1 ...

Page 158: ...owing network settings as appropriate General Remote Address Data e g 14 15 16 17 Remote LAN Start IP Address IP Address e g 10 1 1 1 Subnet Mask e g 255 255 255 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps Figure 8 41 Note The VPN Status screen is only one of three ways to active a VPN tunnel See Activating a VPN Tunnel on p...

Page 159: ... interface and click on VPN Status to display the VPN Status Log screen Figure 8 42 b Click VPN Status Figure 8 42 to display the Current VPN Tunnels SAs screen Figure 8 43 Click on Connect for the VPN tunnel you want to activate c Review the VPN Status Log screen Figure 8 42 to verify that the tunnel is connected Figure 8 42 Figure 8 43 ...

Page 160: ... you may use Manual Keying in which you must specify each phase of the connection A Manual VPN policy requires all settings for the VPN tunnel to be manually input at each end both VPN endpoints Click the VPN Policies link of the main menu and then click the Add Manual Policy radio button to display the Manual Keys menu shown in Figure 8 44 Figure 8 44 10 1 1 0 10 1 1 0 10 1 1 ...

Page 161: ...e used on your LAN Subnet address enter an IP address in the Single Start IP address field and the desired network mask in the Subnet Mask field Any the remote VPN endpoint may be at any IP address The remote VPN endpoint must have these IP addresses entered as its Remote addresses Remote LAN This identifies which PCs on the remote LAN are covered by this policy For each selection data must be pro...

Page 162: ... on the remote VPN endpoint and the out setting here must match the in setting on the remote VPN endpoint Encryption select the desired Encryption Algorithm and enter the key in the field provided For 3DES the keys should be 24 ASCII characters and for DES the keys should be 8 ASCII characters DES the Data Encryption Standard DES processes input data that is 64 bits wide encrypting these values us...

Page 163: ...ernet Go to Troubleshooting the ISP Connection on page 9 4 I can t remember the router s configuration password Go to Restoring the Default Configuration and Password on page 9 9 I want to clear the configuration and start over again Go to Restoring the Default Configuration and Password on page 9 9 Basic Functioning After you turn on power to the router the following sequence of events should occ...

Page 164: ...sts you have a hardware problem and should contact technical support Test LED Never Turns On or Test LED Stays On When the router is turned on the Test LED turns on for about 10 seconds and then turns off If the Test LED does not turn on or if it stays on there is a fault within the router If you experience problems with the Test LED Cycle the power to see if the router recovers and the LED blinks...

Page 165: ... 1 2 to 10 1 1 254 Refer to Preparing a Computer for Network Access in Appendix C to find your computer s IP address If your router s IP address was changed and you do not know the current IP address clear the router s configuration to factory defaults This will set the router s IP address to 10 1 1 1 This procedure is explained in Using the Reset button on page 9 9 Make sure your browser has Java...

Page 166: ...ted with the Internet LED Internet LED Green or Blinking Green If your Internet LED is green or blinking green then you have a good ADSL connection You can be confident that the service provider has connected your line correctly and that your wiring is correct Internet LED Blinking Amber If your Internet LED is blinking amber then your modem router is attempting to make an ADSL connection with the...

Page 167: ... internet and your Internet LED is green or blinking green you should determine whether the modem router is able to obtain a WAN IP address from the ISP Unless you have been assigned a static IP address your modem router must request an IP address from the ISP You can determine whether the request was successful using the browser interface To check the WAN IP address from the browser interface 1 L...

Page 168: ...dress This can be done in the Basic Settings menu Refer to the ADSL Modem Wirelesss Router Setup Manual Troubleshooting PPPoE or PPPoA The PPPoA or PPPoA connection can be debugged as follows 1 Access the Main Menu of the router at http 10 1 1 1 2 Under the Maintenance heading select the Router Status link 3 Click the Connection Status button 4 If all of the steps indicate OK then your PPPoE or PP...

Page 169: ... have the modem router configured as its TCP IP modem router If your computer obtains its information from the modem router by DHCP reboot the computer and verify the modem router address as described in Preparing a Computer for Network Access in Appendix C Troubleshooting a TCP IP Network Using the Ping Utility Most TCP IP terminal devices and routers contain a ping utility that sends an echo req...

Page 170: ...kstation are correct and that the addresses are on the same subnet Testing the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly test the path from your PC to a remote device From the Windows run menu type PING n 10 IP address where IP address is the IP address of a remote device such as your ISP s DNS server If the path is functioning correctly replies a...

Page 171: ...n erase the current configuration and restore factory defaults in two ways Use the Erase function of the Web Configuration Manager see Backing Up Restoring or Erasing Your Settings on page 6 1 Use the Default Reset button on the rear panel of the router Use this method for cases when the administration password or IP address is not known Using the Reset button To restore the factory default config...

Page 172: ...d a Network Time Server Check that your Internet access settings are configured correctly If you have just completed configuring the router wait at least five minutes and check the date and time again Time is off by one hour Cause The router does not automatically sense Daylight Savings Time In the E mail menu check or uncheck the box marked Adjust for Daylight Savings Time ...

Page 173: ...stralia 240V AC 50 Hz input Europe 230V AC 50 Hz input Japan 100V AC 50 60 Hz input All regions output 12 V DC 1 0A output Physical Specifications Dimensions 6 9 x 4 7 x 1 1 175 mm x 119 mm x 28 mm Weight 0 7 lbs 0 3 kg Environmental Specifications Operating temperature 0 to 40 C 32º to 104º F Operating humidity 90 maximum relative humidity noncondensing Electromagnetic Emissions Meets requirement...

Page 174: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP A 2 Technical Specifications v1 0 June 2007 ...

Page 175: ...dressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the parameters that need to be set on both sides Check that there are no firewall restrictions Table B 1 Profile Summary VPN Consortium Scenario Scenario 1 ...

Page 176: ...llows a In Step 1 enter toFVL328 for the Connection Name b In Step 2 enter 22 23 24 25 for the remote WAN s IP address c In Step 3 enter the following IP Address 172 23 9 1 Subnet Mask 255 255 255 0 Figure B 1 Note Product updates are available on the NETGEAR Inc web site at http kbserver netgear com DG834GSP asp Unit WAN IP LAN IP LAN Subnet Mask DG834G 14 15 16 17 10 5 6 1 255 255 255 0 FVL328 2...

Page 177: ...he ADSL Modem Wireless Router DG834GSP NETGEAR VPN Configuration B 3 v1 0 June 2007 Figure B 2 toFVL328 10 5 6 1 172 23 9 1 toFVL328 22 23 24 25 10 10 5 6 172 23 9 Click VPN Policies under Advanced VPN to invoke this screen ...

Page 178: ...procedures for the VPN Wizard see How to Set Up a Gateway to Gateway VPN Configuration on page 8 21 being certain to use appropriate network addresses for the environment a In Step 1 enter toDG834 for the Connection Name b In Step 2 enter 14 15 16 17 for the remote WAN s IP address c In Step 3 enter the following IP Address 10 5 6 1 Subnet Mask 255 255 255 0 ...

Page 179: ...iguration B 5 v1 0 June 2007 Figure B 3 toDG834 toDG834 toDG834 toDG834 toDG834 22 23 24 25 14 15 16 17 14 15 16 17 22 23 24 25 14 15 16 17 172 23 9 1 10 5 6 1 172 23 9 10 5 6 1 Click IKE Policies under VPN to invoke this screen Click VPN Policies under VPN to invoke this screen ...

Page 180: ... or both routers This case study follows the VPN Consortium interoperability profile guidelines found at http www vpnc org InteropProfiles Interop 01 html Configuration Profile The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware...

Page 181: ...e IKE with Preshared Secret Key not Certificate based IP Addressing NETGEAR Gateway A Fully Qualified Domain Name FQDN NETGEAR Gateway B FDQN Figure B 5 Note Product updates are available on the NETGEAR Inc web site at http kbserver netgear com DG834GSP asp Gateway A fvl328 dyndns org dg834g dyndns org 10 5 6 0 24 172 23 9 0 24 172 23 9 1 10 5 6 1 WAN IP WAN IP LAN IP LAN IP Gateway B VPNC Example...

Page 182: ...gear tzo com ngDDNS ngddns iego net In this example Gateway A is configured using an example FQDN provided by a DDNS Service provider In this case we established the hostname dg834g dyndns org for gateway A using the DynDNS service Gateway B will use the DDNS Service Provider when establishing a VPN tunnel In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS and G...

Page 183: ...DNS Setup Screen see Figure B 6 in the Advanced menu b Configure this screen with appropriate account and hostname settings and then click Apply Check the box Use a Dynamic DNS Service Host Name dg834g dyndns org User Name user s account username Password user s account password c Click Show Status The resulting screen should show Update OK good see Figure B 7 Figure B 6 Figure B 7 ...

Page 184: ...operly configured DynDNS account a Browse to the Dynamic DNS Setup Screen see Figure B 8 in the Advanced menu b Select the DynDNS org radio button see Figure B 8 configure with appropriate account and hostname settings see Figure B 9 and then click Apply Host and Domain Name fvl328 dyndns org User Name user s account username Password user s account password Figure B 8 ...

Page 185: ...nce Manual for the ADSL Modem Wireless Router DG834GSP NETGEAR VPN Configuration B 11 v1 0 June 2007 c Click Show Status The resulting screen should show Update OK good see Figure B 10 Figure B 9 Figure B 10 ...

Page 186: ...the following IP Address 172 23 9 1 Subnet Mask 255 255 255 0 6 Configure the FVL328 as in the Gateway to Gateway procedures for the VPN Wizard see How to Set Up a Gateway to Gateway VPN Configuration on page 8 21 being certain to use appropriate network addresses for the environment a In Step 1 enter toDG834 for the Connection Name b In Step 2 enter dg834g dyndns org for the remote WAN s IP addre...

Page 187: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP NETGEAR VPN Configuration B 13 v1 0 June 2007 Figure B 11 Note The pings may fail the first time If this happens try the pings a second time ...

Page 188: ...e Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway involves the following two steps Step 1 Configuring the Client to Gateway VPN Tunnel on the VPN Router at the Employer s Main Office Table B 3 Configuration summary telecommuter example VPN Consortium Scenario Scenario 1 Type of VPN PC client to gateway with client behind NAT router Security Scheme ...

Page 189: ...1 Configuring the Client to Gateway VPN Tunnel on the VPN Router at the Employer s Main Office Follow this procedure to configure a client to gateway VPN tunnel by filling out the VPN Auto Policy screen 1 Log in to the VPN router at its LAN address of http 10 1 1 1 with its default user name of admin and password of password Click the VPN Policies link in the main menu to display the VPN Policies ...

Page 190: ...romDG834G com in this example fromDG834GSP in the example Dynamic IP address Subnet address Single address 192 168 0 1 in this example 255 255 255 0 192 168 2 3 in this example IKE Keep Alive is optional must match Remote LAN IP Address when enabled Main Mode remote PC must respond to pings 3DES 12345678 in this example 3600 Remote NAT router must have Address Reservation set and VPN Passthrough e...

Page 191: ...ireless Router DG834GSP NETGEAR VPN Configuration B 17 v1 0 June 2007 2 Click Apply when done to get the VPN Policies screen To view or modify the tunnel settings select the radio button next to the tunnel entry and click Edit Figure B 14 ...

Page 192: ...VPN Client on the remote PC and reboot a You may need to insert your Windows CD to complete the installation b If you do not have a modem or dial up adapter installed in your PC you may see the warning message stating The NETGEAR ProSafe VPN Component requires at least one dial up adapter be installed You can disregard this message c Install the IPSec Component You may have the option to install e...

Page 193: ...matches the Connection Name you entered in the VPN Settings of the DG834GSP on Gateway A Note In this example the Connection Name used on the client side of the VPN tunnel is to DG834GSP and it does not have to match the VPN_client Connection Name used on the gateway side of the VPN tunnel see Figure B 16 because Connection Names are arbitrary to how the VPN tunnel functions Tip Choose Connection ...

Page 194: ...raffic through the VPN tunnel h Select the Connect using Secure Gateway Tunnel check box i Select Domain Name in the ID Type menu below the check box and enter fromDG834G com in this example j Select Gateway Hostname and enter ntgr dyndns org in this example k The resulting Connection Settings are shown in Figure B 16 3 Configure the Security Policy in the 54 Mbps ADSL Modem Wireless Router Model ...

Page 195: ...ty Policy menu c Select the Main Mode in the Select Phase 1 Negotiation Mode check box 4 Configure the VPN Client Identity In this step you will provide information about the remote VPN client PC You will need to provide the Pre Shared Key that you configured in the DG834GSP and either a fixed IP address or a fixed virtual IP address of the VPN client PC Figure B 17 ...

Page 196: ...Identity b Choose None in the Select Certificate menu c Select Domain Name in the ID Type menu and enter toDG834G com in this example in the box below it Choose Disabled in the Virtual Adapter menu d In the Internet Interface box select Intel PRO 100VE Network Connection in this example your Ethernet adapter may be different in the Name menu and enter 10 1 2 3 in this example in the IP Addr box Fi...

Page 197: ... VPN Client Authentication Proposal In this step you will provide the type of encryption DES or 3DES to be used for this connection This selection must match your selection in the VPN router configuration a In the Network Security Policy list on the left side of the Security Policy Editor window expand the Security Policy heading by double clicking its name or clicking on the symbol b Expand the A...

Page 198: ...e of encryption In this example use Triple DES e In the Hash Alg menu select SHA 1 f In the SA Life menu select Unspecified g In the Key Group menu select Diffie Hellman Group 2 6 Configure the VPN Client Key Exchange Proposal In this step you will provide the type of encryption DES or 3DES to be used for this connection This selection must match your selection in the VPN router configuration Figu...

Page 199: ...In the Encrypt Alg menu select the type of encryption In this example use Triple DES f In the Hash Alg menu select SHA 1 g In the Encapsulation menu select Tunnel h Leave the Authentication Protocol AH checkbox unchecked 7 Save the VPN Client settings From the File menu at the top of the Security Policy Editor window select Save After you have configured and saved the VPN client information your P...

Page 200: ...a Right click the system tray icon to open the popup menu b Select Connect to open the My Connections list c Choose toDG834G The 54 Mbps ADSL Modem Wireless Router Model DG834GSP will report the results of the attempt to connect Once the connection is established you can access resources of the network connected to the VPN router To perform a ping test using our example start from the remote PC a ...

Page 201: ...from timed out to reply Once the connection is established you can open the browser of the PC and enter the LAN IP address of the VPN router After a short wait you should see the login screen of the VPN router unless another PC already has the VPN router management interface open Figure B 23 Figure B 24 Note You can use the VPN router diagnostic utilities to test the VPN connection from the VPN ro...

Page 202: ...the VPN client connection open the 54 Mbps ADSL Modem Wireless Router Model DG834GSP Log Viewer 1 To launch this function click on the Windows Start button then select Programs then 54 Mbps ADSL Modem Wireless Router Model DG834GSP then Log Viewer 2 The Connection Monitor screen is shown below Note Use the active VPN tunnel information and pings to determine whether a failed connection is due to t...

Page 203: ...atus and Log Information To view information on the status of the VPN client connection open the VPN router s VPN Status screen by following the steps below 1 To view this screen click the Router Status link of the VPN router s main menu then click the VPN Status button The VPN Status Log screen for a connection is shown below Note While your PC is connected to a remote LAN through a VPN you might...

Page 204: ...ence Manual for the ADSL Modem Wireless Router DG834GSP B 30 NETGEAR VPN Configuration v1 0 June 2007 2 To view the VPN tunnels status click the VPN Status link on the right side of the main menu Figure B 27 ...

Page 205: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP NETGEAR VPN Configuration B 31 v1 0 June 2007 ...

Page 206: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP B 32 NETGEAR VPN Configuration v1 0 June 2007 ...

Page 207: ...tworking and TCP IP Addressing http documentation netgear com reference enu tcpip index htm Wireless Communications http documentation netgear com reference enu wireless index htm Preparing a Computer for Network Access http documentation netgear com reference enu wsdhcp index htm Virtual Private Networking VPN http documentation netgear com reference enu vpn index htm Glossary http documentation ...

Page 208: ...Reference Manual for the ADSL Modem Wireless Router DG834GSP C 2 Related Documents v1 0 June 2007 ...