NETGEAR FVG318 - ProSafe 802.11g Wireless VPN Firewall 8 Router, Reference Manual

Page 1: ...BETA BETA Version 1 August 2005 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 ...

Page 2: ...idential installation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be ...

Page 3: ...ons set out in the BMPT AmtsblVfg 243 1991 and Vfg 46 1992 The operation of some equipment for example test transmitters in accordance with the regulations may however be subject to certain restrictions Please refer to the notes in the operating instructions Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the rig...

Page 4: ...roduct and Publication Details Model Number FVG318 Publication Date August 2005 Product Family Router Product Name FVG318 ProSafe 802 11g Wireless VPN Firewall Home or Business Product Business Language English ...

Page 5: ...Auto Uplink 2 3 Extensive Protocol Support 2 4 Easy Installation and Management 2 4 Maintenance and Support 2 5 Package Contents 2 6 The FVG318 Front Panel 2 7 The FVG318 Rear Panel 2 8 NETGEAR Related Products 2 9 NETGEAR Product Registration Support and Documentation 2 9 Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVG318 3 1 First Connect the FVG318 3 1 Now Configur...

Page 6: ...s 4 3 Default Factory Settings 4 6 Before You Change the SSID and WEP Settings 4 7 How to Set Up and Test Basic Wireless Connectivity 4 8 How to Restrict Wireless Access by MAC Address 4 9 How to Configure WEP 4 10 How to Configure WPA with Radius 4 12 How to Configure WPA2 with Radius 4 14 How to Configure WPA and WPA2 with Radius 4 16 How to Configure WPA PSK 4 18 How to Configure WPA2 PSK 4 20 ...

Page 7: ...the Client to Gateway VPN Tunnel on the FVG318 6 6 Step 2 Configuring the NETGEAR ProSafe VPN Client on the Remote PC 6 9 Monitoring the Progress and Status of the VPN Client Connection 6 16 Transferring a Security Policy to Another Client 6 18 Exporting a Security Policy 6 18 Importing a Security Policy 6 19 How to Set Up a Gateway to Gateway VPN Configuration 6 20 Procedure to Configure a Gatewa...

Page 8: ...reshared Secrets 7 15 FVG318 Scenario 1 FVG318 to Gateway B IKE and VPN Policies 7 16 How to Check VPN Connections 7 21 Testing the Gateway A FVG318 LAN and the Gateway B LAN 7 21 FVG318 Scenario 2 FVG318 to FVG318 with RSA Certificates 7 22 Chapter 8 Maintenance Viewing Wireless VPN Firewall Status Information 8 1 Viewing a List of Attached Devices 8 5 Upgrading the Firewall Software 8 5 Configur...

Page 9: ...d 10 7 Problems with Date and Time 10 7 Appendix A Technical Specifications Appendix B VPN Configuration of NETGEAR FVS318v3 Case Study Overview B 1 Gathering the Network Information B 1 Configuring the Gateways B 2 Activating the VPN Tunnel B 5 The FVG318 to FVG318 Case B 6 Configuring the VPN Tunnel B 6 Viewing and Editing the VPN Parameters B 9 Initiating and Checking the VPN Connections B 11 T...

Page 10: ...BETA x Contents The FVG318 to VPN Client Case B 27 Client to Gateway VPN Tunnel Overview B 27 Configuring the VPN Tunnel B 28 Initiating and Checking the VPN Connections B 36 ...

Page 11: ...typographical conventions This guide uses the following formats to highlight special messages This manual is written for the FVG318 Wireless VPN Firewall according to these specifications Table 1 1 Typographical Conventions italics Emphasis books CDs URL names bold User input fixed Screen text file and server names extensions commands IP addresses Note This format is used to highlight information ...

Page 12: ...sing forwards or backwards through the manual one page at a time A button that displays the table of contents and an button Double click on a link in the table of contents or index to navigate directly to where the topic is described in the manual A button to access the full NETGEAR Inc online Knowledge Base for the product model Links to PDF versions of the full manual and individual chapters ...

Page 13: ...wing opens in a browser window Note Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files The Acrobat reader is available on the Adobe Web site at http www adobe com Click the print icon in the upper left of the window Tip If your printer supports printing two pages on a single sheet of paper you can save paper and printer ink by selecting this featur...

Page 14: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 1 4 About This Manual BETA ...

Page 15: ...e FVG318 Wireless VPN Firewall provides you with multiple Web content filtering options plus browsing activity reporting and instant alerts both via e mail Parents and network administrators can establish restricted access policies based on time of day Web site addresses and address keywords and share high speed cable DSL Internet access for up to 253 personal computers In addition to NAT the buil...

Page 16: ...be restricted by MAC Address Wireless network name broadcast can be turned off so that only devices that have the network name SSID can connect Wireless Multimedia WMM Support WMM is a subset of the 802 11e standard WMM allows wireless traffic to have a range of priorities depending on the kind of data Time dependent information such as video or audio will have a higher priority than normal traffi...

Page 17: ...tside the LAN are discarded preventing users outside the LAN from finding and directly accessing the PCs on the LAN Port Forwarding with NAT Although NAT prevents Internet locations from directly accessing the PCs on the LAN the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request or to one designated DNS host computer You can spec...

Page 18: ...oxy When DHCP is enabled and no DNS addresses are specified the firewall provides its own address as a DNS server to the attached PCs The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN Point to Point Protocol over Ethernet PPPoE PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a di...

Page 19: ...mote management access to a specified remote IP address or range of addresses and you can choose a nonstandard port number Visual monitoring The FVG318 Wireless VPN Firewall s front panel LEDs provide an easy way to monitor its status and activity Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVG318 Wireless VPN Firewall Flash memory for firmwar...

Page 20: ...ireless VPN Firewall AC power adapter Category 5 Cat 5 Ethernet cable Installation Guide Resource CD including This guide Application Notes and other helpful information Registration and Warranty Card If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to return the firewall for repair ...

Page 21: ...TEST On Off The system is initializing The system is ready and running INTERNET 100 100 Mbps On Off The Internet WAN port is operating at 100 Mbps The Internet WAN port is operating at 10 Mbps LINK ACT Link Activity On Blinking The Internet port has detected a link with an attached device Data is being transmitted or received by the Internet port LOCAL 100 100 Mbps On Off The Local port is operati...

Page 22: ...he port connections listed below Figure 2 2 FVG318 rear panel Viewed from left to right the rear panel contains the following features Detachable wireless antenna Factory default reset push button Eight Ethernet LAN ports Internet Ethernet WAN port for connecting the firewall to a cable or DSL modem DC power input Antenna Power INTERNET Port LOCAL Ports FACTORY Reset Button ...

Page 23: ...cumentation link under the Web Support menu to view support information or the documentation for the wireless VPN firewall Table 2 2 NETGEAR Related Products Category Wireless Wired Notebooks WAG511 108 Mbps Dual Band PC Card WG511T 108 Mbps PC Card WG511 54 Mbps PC Card WG111 54 Mbps USB 2 0 Adapter MA521 802 11b PC Card MA111 802 11b USB Adapter FA511 CardBus Adapter FA120 USB 2 0 Adapter Deskto...

Page 24: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 2 10 Introduction BETA ...

Page 25: ...ll Your FVG318 For Cable Modem Service When you set up the wireless VPN firewall be sure to use the computer you first registered with your cable modem service provider For DSL Service You may need information such as the DSL login name and password in order to complete the wireless VPN firewall setup First Connect the FVG318 1 Connect the wireless VPN firewall to your computer and modem a Turn of...

Page 26: ...Restart your network in the correct sequence Warning Failure to restart your network in the correct sequence could prevent you from connecting to the Internet a First plug in and turn on the cable or DSL modem Wait about 2 minutes b Now plug in the power cord to your FVG318 and wait about 30 seconds c Last turn on your computer Note For DSL customers if ISP provided software logs you in to the Int...

Page 27: ... not lit see the Troubleshooting Tips in this guide LOCAL A LOCAL light should be lit Now Configure the FVG318 for Internet Access and Wireless Connectivity Use the Smart Wizard configuration assistant to configure the FVG318 1 From the Ethernet connected computer you just set up open a browser With the FVG318 in its factory default state your browser will display the NETGEAR Smart Wizard welcome ...

Page 28: ...and go to http www routerlogin net Then when prompted enter admin as the user name and password for the password both in lower case letters Troubleshooting Tips Here are some tips for correcting simple problems you may have Be sure to restart your network in the correct sequence Always follow this sequence 1 Unplug and turn off the modem FVG318 and computer 2 plug in and turn on the modem wait two...

Page 29: ...uter registered on the account If so in the Router MAC Address section of the Basic Settings menu select Use this Computer s MAC Address The router will then capture and use the MAC address of the computer that you are now using You must be using the computer that is registered with the ISP Click Apply to save your settings Restart the network in the correct sequence Check the router status lights...

Page 30: ...VPN firewall the wireless VPN firewall will automatically connect to that browser and display the Configuration Assistant welcome page There is no need to enter the wireless VPN firewall URL in the browser or provide the login user name and password Manually enter a URL to bypass the Smart Wizard Configuration Assistant You can bypass the Smart Wizard Configuration Assistant feature by typing http...

Page 31: ...net connection A login window like the one shown below opens Configuration Settings Have Been Applied Enter the standard URL to access the wireless VPN firewall Connect to the wireless VPN firewall by typing either of these URLs in the address field of your browser then press Enter http www routerlogin net http www routerlogin com The wireless VPN firewall will prompt you to enter the user name of...

Page 32: ...CREEN When the wireless VPN firewall is connected to the Internet click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the wireless VPN firewall If you do not click Logout the wireless VPN firewall will wait five minutes after there is no activity before it automatically logs you out How to Bypass the Configuration Assis...

Page 33: ...manual configuration or to verify the Internet connection settings follow this procedure 1 Connect to the wireless VPN firewall by typing http www routerlogin net in the address field of your browser then press Enter 2 For security reasons the firewall has its own user name and password When prompted enter admin for the firewall user name and password for the firewall password both in lower case l...

Page 34: ...ually Configure Your Internet Connection You can manually configure your firewall using the menu below or you can allow the Setup Wizard to determine your configuration as described in the previous section Figure 3 4 Browser based configuration Basic Settings menu NEED NEW SCREENs ISP Does Not Require Login ISP Does Require Login ...

Page 35: ...igned Also enter the netmask and the Gateway IP address The Gateway is the ISP s firewall to which your firewall will connect c Domain Name Server DNS Address If you know that your ISP does not automatically transmit DNS addresses to the firewall during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter ...

Page 36: ... need to launch the ISP s login program on your PC in order to access the Internet When you start an Internet application your firewall will automatically log you in a For connections that require a login using protocols such as PPPoE PPTP Telstra Bigpond Cable broadband connections select your Internet service provider from the drop down list Figure 3 5 Basic Settings ISP list b The screen will c...

Page 37: ... your wireless VPN firewall Near the center of the area in which your PCs will operate In an elevated location such as a high shelf where the wirelessly connected PCs have line of sight access even if through walls The best location is elevated such as wall mounted or on the top of a cubicle and at the center of your wireless coverage area for all the mobile devices Away from sources of interferen...

Page 38: ... an obstacle against unwanted access to your network but the data broadcast over the wireless link is fully exposed Turn Off the Broadcast of the Wireless Network Name SSID If you disable broadcast of the SSID only devices that have the correct SSID can connect This nullifies wireless network discovery feature of some products such as Windows XP but the data is still exposed WEP Wired Equivalent P...

Page 39: ...a new standard wireless device driver and software availability may be limited Understanding Wireless Settings To configure the wireless settings of your FVG318 click the Wireless link in the Setup section of the main menu The wireless settings menu will appear as shown below Figure 4 2 Wireless Settings menu Note The 802 11b and 802 11g wireless networking protocols are configured in exactly the ...

Page 40: ...s channel frequencies please refer to Wireless Channels on page E 7 Mode Select the desired wireless mode The options are g b Both 802 11g and 802 11b wireless stations can be used g only Only 802 11g wireless stations can be used b only All 802 11b wireless stations can be used 802 11g wireless stations can still be used if they can operate in 802 11b mode The default is g b which allows both 802...

Page 41: ...igure the Radius Server Settings Each user Wireless Client must have a user login on the Radius Server normally done via a digital certificate Also this device must have a client login on the Radius server Data transmissions are encrypted using a key which is automatically generated WPA and WPA2 with Radius This selection allows clients to use either WPA with AES encryption or WPA2 with TKIP encry...

Page 42: ... in the illustration FWG114P v2 Rear Panel on page 2 9 After you install the FVG318 Wireless VPN Firewall use the procedures below to customize any of the settings to better meet your networking needs FEATURE DEFAULT FACTORY SETTINGS SSID NETGEAR RF Channel 11 until the region is selected Access Point Enabled SSID broadcast Enabled Wireless Card Access List for Access Point Connections All wireles...

Page 43: ...onfigured with the same SSID Authentication Circle one Open System or Shared Key Choose Shared Key for more security Note If you select shared key the other devices in the network will not connect unless they are set to Shared Key as well and have the same keys in the same positions as those in the FVG318 WEP Encryption Keys For all four 802 11b keys choose the Key Size Circle one 64 or 128 bits K...

Page 44: ...te The characters are case sensitive An access point always functions in infrastructure mode The SSID for any wireless device communicating with the access point must match the SSID configured in the FVG318 ProSafe 802 11g Wireless VPN Firewall If they do not match you will not get a wireless connection to the FVG318 4 Set the Channel It should not be necessary to change the wireless channel unles...

Page 45: ...ctions How to Restrict Wireless Access by MAC Address To restrict access based on MAC addresses follow these steps 1 Log in at the default LAN address of http 192 168 0 1 with the default user name of admin and default password of password 2 Click Wireless in the main menu of the FVG318 From the Wireless Settings menu click Setup Access List Figure 4 4 Wireless Station Access menu 3 Click the Turn...

Page 46: ... WEP data encryption follow these steps 1 Log in at the default LAN address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever LAN address and password you set up Note When configuring the FVG318 from a wireless computer whose MAC address is not in the access control list if you select Turn Access Control On you will lose your wireless connec...

Page 47: ...se the Authentication Type and Encryption Strength options You can manually or automatically program the four data encryption keys These values must be identical on all PCs and Access Points in your network Authentication Type Normally this can be left at the default value of Automatic If set to Open System or Shared Key wireless stations must use the same method Encryption Select the desired WEP ...

Page 48: ... the matching WEP key information for your network in the selected key box For 64 bit WEP Enter ten hexadecimal digits any combination of 0 9 A F For 128 bit WEP Enter twenty six hexadecimal digits any combination of 0 9 A F Please refer to Overview of WEP Parameters on page E 5 for a full explanation of each of these options as defined by the IEEE 802 11b wireless communication standard 5 Click A...

Page 49: ...enu The WPA with Radius menu will open Encryption There is no choice for encryption this is displayed for your information For WPA with Radius TKIP is used 4 Enter the Radius settings Primary Server Name IP Address This field is required Enter the name or IP address of the primary Radius Server on your LAN Secondary Radius Server Name IP Address This field is optional If you have a Secondary Radiu...

Page 50: ...the Radius accounting server periodically If enabled enter the desired Update Report interval in the field provided 5 Click Apply to save your settings How to Configure WPA2 with Radius Note Not all wireless adapters support WPA2 Furthermore client software is required on the client Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA2 Nevertheless the w...

Page 51: ...Settings menu WPA2 with Radius 3 Select WPA2 with Radius on the pulldown menu The WPA2 with Radius menu will open Encryption There is no choice for encryption this is displayed for your information For WPA2 with Radius AES is used 4 Enter the Radius settings Primary Server Name IP Address This field is required Enter the name or IP address of the primary Radius Server on your LAN ...

Page 52: ...e this AP send Accounting update messages to the Radius accounting server periodically If enabled enter the desired Update Report interval in the field provided 5 Click Apply to save your settings How to Configure WPA and WPA2 with Radius Note Not all wireless adapters support WPA and WPA2 Furthermore client software is required on the client Windows XP and Windows 2000 with Service Pack 3 do incl...

Page 53: ... 3 Select WPA and WPA2 with Radius on the pulldown menu The WPA and WPA2 with Radius menu will open Encryption There is no choice for encryption this is displayed for your information For WPA and WPA2 with Radius WPA clients must use TKIP and WPA2 clients must use AES 4 Enter the Radius settings Primary Server Name IP Address This field is required Enter the name or IP address of the primary Radiu...

Page 54: ...te Report Enable this if you wish to have this AP send Accounting update messages to the Radius accounting server periodically If enabled enter the desired Update Report interval in the field provided 5 Click Apply to save your settings How to Configure WPA PSK Note Not all wireless adapters support WPA Furthermore client software is required on the client Windows XP and Windows 2000 with Service ...

Page 55: ... PSK you can choose TKIP or AES 5 Enter the pre shared key in the Passphrase field Enter a word or group of printable characters in the Passphrase box The Passphrase must be 8 to 63 characters in length The 256 Bit key used for encryption is generated from this passphrase 6 Enter the Key Lifetime This setting determines how often the encryption key is changed Shorter periods provide greater securi...

Page 56: ...hardware and driver must also support WPA2 Consult the product document for your wireless adapter and WP2 client software for instructions on configuring WPA2 settings To configure WPA2 PSK follow these steps 1 Log in at the default LAN address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever LAN address and password you have set up 2 Click...

Page 57: ...sired you can change the default value 7 Click Apply to save your settings How to Configure WPA PSK and WPA2 PSK Note Not all wireless adapters support WPA and WPA2 Furthermore client software is required on the client Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA and WPA2 Nevertheless the wireless adapter hardware and driver must also support WPA...

Page 58: ...SK the only option is TKIP AES WPA clients must use TKIP and WPA2 clients must use AES 5 Enter the pre shared key in the Passphrase field Enter a word or group of printable characters in the Passphrase box The Passphrase must be 8 to 63 characters in length The 256 Bit key used for encryption is generated from this passphrase 6 Enter the Key Lifetime This setting determines how often the encryptio...

Page 59: ...chat or games A firewall is a special category of router that protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication between the two A firewall incorporates the functions of a NAT Network Address Translation router while adding features for dealing with a hacker intrusion or attack and for controlling the types...

Page 60: ...rd blocking check Turn keyword blocking on then click Apply To add a keyword or domain type it in the Keyword box click Add Keyword then click Apply To delete a keyword or domain select it from the list click Delete Keyword then click Apply Keyword application examples If the keyword XXX is specified the URL http www badstuff com xxx html is blocked as is the newsgroup alt pictures XXX If the keyw...

Page 61: ... rules are used to block or allow specific traffic passing through from one side to the other Inbound rules WAN to LAN restrict access by outsiders to private resources selectively allowing only specific outside users to access specific resources Outbound rules LAN to WAN determine what outside resources local users can have access to A firewall has two default rules one for inbound traffic and on...

Page 62: ...list already displays many common services but you are not limited to these choices Use the Services menu to add any additional services or applications that do not already appear Action Choose how you would like this type of traffic to be handled You can block or allow always or you can choose to block or allow according to the schedule you have defined in the Schedule menu Source Address Specify...

Page 63: ...member that allowing inbound services opens holes in your FVG318 Wireless VPN Firewall Only enable those ports that are necessary for your network Following are two application examples of inbound rules Inbound Rule Example A Local Public Web Server If you host a public Web server on your local network you can define a rule to allow inbound Web HTTP requests from any outside IP address to the IP a...

Page 64: ...o not match the allowed parameters Figure 5 4 Rule example a videoconference from restricted addresses Considerations for Inbound Rules If your external IP address is assigned dynamically by your ISP the IP address may change periodically as the DHCP lease expires Consider using the Dyamic DNS feature in the Advanced menus so that external users can always find your network If the IP address of th...

Page 65: ... the Internet site being contacted destination address Time of day Type of service being requested service port number Following is an application example of an outbound rule Outbound Rule Example Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any ext...

Page 66: ...ning at the top and proceeding to the default rules at the bottom In some cases the order of precedence of two or more rules may be important in determining the disposition of a packet The Move button allows you to relocate a defined rule to a new position in the table Default DMZ Server Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to on...

Page 67: ...d to a ping from the Internet click the Respond to Ping on Internet WAN Port check box This should only be used as a diagnostic tool since it allows your firewall to be discovered Don t check this box unless you have a specific reason to do so Note For security NETGEAR strongly recommends that you avoid using the Default DMZ Server feature When a computer is designated as the Default DMZ Server it...

Page 68: ...P Web server request The service numbers for many common protocols are defined by the Internet Engineering Task Force IETF and published in RFC1700 Assigned Numbers Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application Although the FVG318 already holds a list of many service port numbers you are not limited to these choices Use t...

Page 69: ...om Service menu 2 Enter a descriptive name for the service so that you will remember what it is 3 Select whether the service uses TCP or UDP as its transport protocol If you can t determine which is used select both 4 Enter the lowest port number used by the service 5 Enter the highest port number used by the service If the service only uses a single port number enter the same number in both field...

Page 70: ...r Allow Specific Traffic If you enabled content filtering in the Block Sites menu or if you defined an outbound rule to use a schedule you can set up a schedule for when blocking occurs or when access is restricted The firewall allows you to specify when blocking will be enforced by configuring the Schedule page shown below Figure 5 9 Schedule page ...

Page 71: ...y when you have finished configuring this page Time Zone The FVG318 Wireless VPN Firewall uses the Network Time Protocol NTP to obtain the current time and date from one of several Network Time Servers on the Internet In order to localize the time for your log entries you must specify your Time Zone Time Zone Select your local time zone This setting will be used for the blocking schedule and for t...

Page 72: ... mail If your enable e mail notification these boxes cannot be blank Enter the name or IP address of your ISP s outgoing SMTP mail server such as mail myISP com You may be able to find this information in the configuration menu of your e mail program Enter the e mail address to which logs and alerts are sent This e mail address will also be used as the From address If you leave this box blank log ...

Page 73: ...on your selection you may also need to specify Day for sending log Relevant when the log is sent weekly or daily Time for sending log Relevant when the log is sent daily or weekly If the Weekly Daily or Hourly option is selected and the log fills up before the specified period the log is automatically e mailed to the specified e mail address After the log is sent the log is cleared from the firewa...

Page 74: ...oming and outgoing service requests hacker probes and administrator logins If you enable content filtering in the Block Sites menu the Log page will also show you when someone on your network tried to access a blocked site If you enabled e mail notification you ll receive these logs in an e mail message If you don t have e mail notification enabled you can view the logs here An example is shown in...

Page 75: ...try descriptions Field Description Date and Time The date and time the log entry was recorded Description or Action The type of event and what action was taken if any Source IP The IP address of the initiating device for this log entry Source port and interface The service port number of the initiating device and whether it originated from the LAN or WAN Destination The name or IP address of the d...

Page 76: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 5 18 Firewall Protection and Content Filtering BETA ...

Page 77: ...etween a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client How to Set Up a Gateway to Gateway VPN Configuration on page 6 20 provides the steps needed to configure a VPN tunnel between two network gateways using the VPN Wizard VPN Tunnel Control on page 6 26 provides the step by step procedures for activating verifying deactivating and deleting a VPN tunnel on...

Page 78: ...re access from a remote PC such as a telecommuter connecting to an office network see Figure 6 1 Figure 6 1 Client to gateway VPN tunnel A VPN client access allows a remote PC to connect to your network from any location on the Internet In this case the remote PC is one tunnel endpoint running the VPN client software The FVG318 Wireless VPN Firewall on your network is the other tunnel endpoint See...

Page 79: ...ngs on one end to match the inbound VPN settings on other end and vice versa This set of configuration information defines a security association SA between the two VPN endpoints When planning your VPN you must make a few choices first Will the local end be any device on the LAN a portion of the local network as defined by a subnet or by a range of IP addresses or a single PC Will the remote end b...

Page 80: ... input data that is 64 bits wide encrypting these values using a 56 bit key Faster but less secure than 3DES 3DES Triple DES achieves a higher level of security by encrypting the data three times using DES with three different unrelated keys AES What level of authentication will you use MDS 128 bits faster but less secure SHA 1 160 bits slower but more secure Table 6 1 Parameters recommended by th...

Page 81: ... defaults see Table 6 1 on page 6 4 are not appropriate for your special circumstances How to Set Up a Client to Gateway VPN Configuration Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway see Figure 6 3 involves the following two steps Step 1 Configuring the Client to Gateway VPN Tunnel on the FVG318 on page 6 6 uses the VPN Wizard to configure the ...

Page 82: ...Wizard link in the main menu to display this screen Click Next to proceed Figure 6 4 VPN Wizard start screen 2 Fill in the Connection Name and the pre shared key select the type of target end point and click Next to proceed Note The Connection Name is arbitrary and not relevant to how the configuration functions Note This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default ...

Page 83: ... Networking 6 7 BETA Figure 6 5 Connection Name and Remote IP Type The Summary screen below displays Figure 6 6 VPN Wizard Summary Enter the new Connection Name RoadWarrior in this example Enter the pre shared key 12345678 in this example Select the radio button A remote VPN client single PC ...

Page 84: ...lick the here link see Figure 6 6 Click Back to return to the Summary screen Figure 6 7 VPNC Recommended Settings 3 Click Done on the Summary screen see Figure 6 6 to complete the configuration procedure The VPN Policies menu below displays showing that the new tunnel is enabled Figure 6 8 VPN Policies To view or modify the tunnel settings select the radio button next to the tunnel entry and click...

Page 85: ... see the warning message stating The NETGEAR ProSafe VPN Component requires at least one dial up adapter be installed You can disregard this message c Install the IPSec Component You may have the option to install either the VPN Adapter or the IPSec Component or both The VPN Adapter is not necessary d The system should show the ProSafe icon in the system tray after rebooting e Double click the sys...

Page 86: ...ection Name you entered in the VPN Settings of the FVG318 on LAN A Note In this example the Connection Name used on the client side of the VPN tunnel is NETGEAR_VPN_router and it does not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel see Figure 6 5 because Connection Names are unrelated to how the VPN tunnel functions Tip Choose Connection Names that make...

Page 87: ...c through the VPN tunnel g Select the Connect using Secure Gateway Tunnel check box h Select IP Address in the ID Type menu below the check box i Enter the public WAN IP Address of the FVG318 in the field directly below the ID Type menu In this example 22 23 24 25 would be used The resulting Connection Settings are shown in Figure 6 10 3 Configure the Security Policy in the NETGEAR ProSafe VPN Cli...

Page 88: ...e 1 Negotiation Mode check box 4 Configure the VPN Client Identity In this step you will provide information about the remote VPN client PC You will need to provide The Pre Shared Key that you configured in the FVG318 Either a fixed IP address or a fixed virtual IP address of the VPN client PC a In the Network Security Policy list on the left side of the Security Policy Editor window click on My I...

Page 89: ...In the Internet Interface box select the adapter you use to access the Internet Select PPP Adapter in the Name menu if you have a dial up Internet account Select your Ethernet adapter if you have a dedicated Cable or DSL line You may also choose Any if you will be switching between adapters or if you have only one adapter e Click the Pre Shared Key button In the Pre Shared Key dialog box click the...

Page 90: ...clicking its name or clicking on the symbol Then select Proposal 1 below Authentication Figure 6 14 Security Policy Editor Authentication c In the Authentication Method menu select Pre Shared key d In the Encrypt Alg menu select the type of encryption In this example use Triple DES e In the Hash Alg menu select SHA 1 f In the SA Life menu select Unspecified g In the Key Group menu select Diffie He...

Page 91: ...e VPN Client Settings From the File menu at the top of the Security Policy Editor window select Save After you have configured and saved the VPN client information your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN firewall s LAN 8 Check the VPN Connection To check the VPN Connection you can initiate a request from the remo...

Page 92: ...se should change from timed out to reply Figure 6 17 Ping test results Once the connection is established you can open the browser of the PC and enter the LAN IP address of the remote FVG318 After a short wait you should see the login screen of the Wireless VPN Firewall unless another PC already has the FVG318 management interface open Monitoring the Progress and Status of the VPN Client Connectio...

Page 93: ...n for a similar connection is shown below Figure 6 19 Connection Monitor screen In this example you can see the following The FVG318 has a public IP WAN address of 22 23 24 25 The FVG318 has a LAN IP address of 192 168 3 1 The VPN client PC has a dynamically assigned address of 192 168 2 2 Note Use the active VPN tunnel information and pings to determine whether a failed connection is due to the V...

Page 94: ...PN Client configuration can be copied to other PCs running the NETGEAR ProSafe VPN Client Exporting a Security Policy The following procedure Figure 6 20 enables you to export a security policy as an spd file Figure 6 20 Exporting a security policy Note While your PC is connected to a remote LAN through a VPN you might not have normal Internet access If this is the case you will need to close the ...

Page 95: ...xisting security policy Figure 6 21 Importing a security policy Step 1 Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown Step 2 Select the security policy to import In this example the security policy file is named FVS318v3_clientpolicy_direct spd and located on the Desktop The security policy is now imported In this example the connection name is Scena...

Page 96: ...ges of each VPN endpoint must be different The connection will fail if both are using the NETGEAR default address range of 192 168 0 x In this example LAN A uses 192 168 0 1 and LAN B uses 192 168 3 1 Note This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 6 1 on page 6 4 If you have special requirements not covered by these VPNC recommended...

Page 97: ...s of http 192 168 0 1 with its default user name of admin and password of password Click the VPN Wizard link in the main menu to display this screen Click Next to proceed Figure 6 23 VPN Wizard start screen 2 Fill in the Connection Name and the pre shared key select the type of target end point and click Next to proceed Figure 6 24 Connection Name and Remote IP Type Enter the new Connection Name G...

Page 98: ...and click Next Figure 6 25 Remote IP 4 Identify the IP addresses at the target endpoint that can use this tunnel and click Next Figure 6 26 Secure Connection Remote Accessibility Enter the WAN IP address of the remote VPN gateway 22 23 24 25 in this example Enter the LAN IP settings of the remote VPN gateway IP Address 192 168 3 1 in this example Subnet Mask 255 255 255 0 in this example ...

Page 99: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 Basic Virtual Private Networking 6 23 BETA The Summary screen below displays Figure 6 27 VPN Wizard Summary ...

Page 100: ...n and encryption settings used by the VPN Wizard click the here link see Figure 6 27 Click Back to return to the Summary screen Figure 6 28 VPN Recommended Settings 5 Click Done on the Summary screen see Figure 6 27 to complete the configuration procedure The VPN Policies menu below displays showing that the new tunnel is enabled Figure 6 29 VPN Policies ...

Page 101: ...5 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps a Open the FVG318 management interface and click on VPN Status under VPN to get the VPN Status Log screen Figure 6 30 Figure 6 30 VPN Status Log screen b Click on VPN Status Figure 6 32 to get the Current VPN Tunnels SAs screen Figure 6 31 Click on Connect for the VPN tunnel you ...

Page 102: ...the VPN tunnel Use the VPN Status page Activate the VPN tunnel by pinging the remote endpoint Start Using a VPN Tunnel to Activate It To use a VPN tunnel use a Web browser to go to a URL whose IP address or range is covered by the policy for that VPN tunnel Using the VPN Status Page to Activate a VPN Tunnel To use the VPN Status screen to activate a VPN tunnel perform the following steps 1 Log in ...

Page 103: ...le remote endpoint LAN IP address To activate the VPN tunnel by pinging the remote endpoint 192 168 3 1 do the following steps depending on whether your configuration is client to gateway or gateway to gateway Client to Gateway Configuration to check the VPN Connection you can initiate a request from the remote PC to the FVG318 s network by using the Connect option in the NETGEAR ProSafe menu bar ...

Page 104: ...318 Within two minutes the ping response should change from timed out to reply Note Use Ctrl C to stop the pinging Figure 6 35 Ping test results Once the connection is established you can open the browser of the PC and enter the LAN IP address of the remote FVG318 After a short wait you should see the login screen of the Wireless VPN Firewall unless another PC already has the FVG318 management int...

Page 105: ... the status of a VPN tunnel perform the following steps 1 Log in to the Wireless VPN Firewall 2 Open the FVG318 management interface and click VPN Status under VPN to get the VPN Status Log screen Figure 6 37 Figure 6 37 VPN Status Log screen Log this log shows the details of recent VPN activity including the building of the VPN tunnel If there is a problem with the VPN tunnel refer to the log for...

Page 106: ... VPN Endpoint Action the action will be either a Drop or a Connect button SLifeTime Secs the remaining Soft Lifetime for this SA in seconds When the Soft Lifetime becomes zero the SA Security Association will re negotiated HLifeTime Secs the remaining Hard Lifetime for this SA in seconds When the Hard Lifetime becomes zero the SA Security Association will be terminated It will be re established if...

Page 107: ...el you want to deactivate and click Apply To reactivate the tunnel check the Enable box and click Apply Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN Status page to deactivate a VPN tunnel perform the following steps 1 Log in to the Wireless VPN Firewall 2 Click VPN Status under VPN to get the VPN Status Log screen Figure 6 40 Figure 6 40 VPN Status Log screen ...

Page 108: ...in to the Wireless VPN Firewall 2 Click VPN Policies under VPN to display the VPN Policies screen Figure 6 42 Select the radio button for the VPN tunnel to be deleted and click the Delete button Figure 6 42 VPN Policies Note When NETBIOS is enabled which it is in the VPNC defaults implemented by the VPN Wizard automatic traffic will reactivate the tunnel To prevent reactivation from happening eith...

Page 109: ...or a description on how to use the basic VPN features Overview of FVG318 Policy Based VPN Configuration The FVG318 uses state of the art firewall and security technology to facilitate controlled and actively monitored VPN connectivity Since the FVG318 strictly conforms to IETF standards it is interoperable with devices from major network equipment vendors Figure 7 1 Secure access through FVG318 VP...

Page 110: ...g VPN policies on both the local and remote FVG318 Wireless VPN Firewalls The outbound VPN policy on one end must match to the inbound VPN policy on other end and vice versa When the network traffic enters into the FVG318 from the LAN network interface if there is no VPN policy found for a type of network traffic then that traffic passes through without any change However if the traffic is selecte...

Page 111: ...orking 7 3 BETA IKE Policies Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7 2 Figure 7 2 IKE Policy Configuration Menu ...

Page 112: ...here the IP address of the remote client is unknown If Remote Access is selected the Exchange Mode must be Aggressive and the Identities below both Local and Remote must be Name On the matching VPN Policy the IP address of the remote VPN endpoint should be set to 0 0 0 0 Exchange Mode Main Mode or Aggressive Mode This setting must match the setting used on the remote VPN endpoint Main Mode is slow...

Page 113: ...dentify the target remote FVG318 by name IKE SA Parameters These parameters determine the properties of the IKE Security Association Encryption Algorithm Choose the encryption algorithm for this IKE policy DES is the default 3DES is more secure Authentication Algorithm If you enable Authentication Header AH this menu lets you to select from these authentication algorithms MD5 the default SHA 1 mor...

Page 114: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 7 6 Advanced Virtual Private Networking BETA Figure 7 3 VPN Auto Policy menu ...

Page 115: ...main name By its IP Address Address Type The address type used to locate the remote VPN firewall or client to which you wish to connect By its Fully Qualified Domain Name FQDN your domain name By its IP Address Address Data The address used to locate the remote VPN firewall or client to which you wish to connect The remote VPN endpoint must have this FVG318 s Local Identity Data entered as its Rem...

Page 116: ...P Addresses Subnet Address Authenticating Header AH Configuration AH specifies the authentication protocol for the VPN header These settings must match the remote VPN endpoint Enable Authentication Use this check box to enable or disable AH for this VPN policy Authentication Algorithm If you enable AH then select the authentication algorithm MD5 the default SHA1 more secure Encapsulated Security P...

Page 117: ...licies link from the VPN section of the main menu to display the menu shown below Authentication Algorithm If you enable AH then use this menu to select which authentication algorithm will be employed The choices are MD5 the default SHA1 more secure NETBIOS Enable Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel The NETBIOS protocol is used by Microsoft Networking for suc...

Page 118: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 7 10 Advanced Virtual Private Networking BETA Figure 7 4 VPN Manual Policy menu ...

Page 119: ...address space The choices are ANY for all valid IP addresses in the Internet address space Single IP Address Range of IP Addresses Subnet Address Remote IP The drop down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security Usually this address is from the remote site s corporate network address space The choices are...

Page 120: ...tication when you use ESP Two ESP modes are available Plain ESP encryption ESP encryption with authentication These settings must match the remote VPN endpoint SPI Incoming Enter a hexadecimal value 3 8 chars Any value is acceptable provided the remote VPN endpoint has the same value in its Outgoing SPI field SPI Outgoing Enter a hexadecimal value 3 8 chars Any value is acceptable provided the rem...

Page 121: ...es are produced by providing the particulars of the user being identified to the CA The information provided may include the user s name e mail ID and domain name Enable Authentication Use this check box to enable or disable ESP authentication for this VPN policy Authentication Algorithm If you enable authentication then use this menu to select the algorithm MD5 the default SHA1 more secure Key In...

Page 122: ...eans that the certificate is not revoked IKE can then use this certificate for authentication If the certificate is present in the CRL it means that the certificate is revoked and the IKE will not authenticate the client You must manually update the FVG318 CRL regularly in order for the CA based authentication process to remain valid Walk Through of Configuration Scenarios on the FVG318 There are ...

Page 123: ...4 to the Internet Gateway A s LAN interface has the address 10 5 6 1 and its WAN Internet interface has the address 14 15 16 17 Gateway B connects the internal LAN 172 23 9 0 24 to the Internet Gateway B s WAN Internet interface has the address 22 23 24 25 Gateway B s LAN interface address 172 23 9 1 can be used for testing IPsec but is not needed for configuring Gateway A The IKE Phase 1 paramete...

Page 124: ... by reviewing the security settings as seen in the Figure 5 2 on page 5 3 Figure 7 6 LAN to LAN VPN access from an FVG318 to an FVG318 Use this scenario illustration and configuration screens as a model to build your configuration 1 Log in to the FVG318 labeled Gateway A as in the illustration Log in at the default address of http 192 168 0 1 with the default user name of admin and default passwor...

Page 125: ...nternet IP Address menu b Configure the WAN Internet Address according to the settings above and click Apply to save your settings For more information on configuring the WAN IP settings in the Basic Settings topics please see How to Manually Configure Your Internet Connection on page 3 10 WAN IP addresses ISP provides these addresses ...

Page 126: ...IP address according to the settings above and click Apply to save your settings For more information on LAN TCP IP setup topics please see Configuring LAN TCP IP Setup Parameters on page 9 3 Note After you click Apply to change the LAN IP address settings your workstation will be disconnected from the FVG318 You will have to log on with http 10 5 6 1 which is now the address you use to connect to...

Page 127: ... main menu VPN section click on the IKE Policies link and then click the Add button to display the screen below Figure 7 9 Scenario 1 IKE Policy b Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings For more information on IKE Policy topics please see IKE Policies Automatic Key and Authentication Management on page 7 3 ...

Page 128: ...licy button Figure 7 10 Scenario 1 VPN Auto Policy b Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings For more information on IKE Policy topics please see IKE Policies Automatic Key and Authentication Management on page 7 3 5 After applying these changes all traffic from the range of LAN IP addresses specified on FVG318 A and FVG318...

Page 129: ...on and click the Diagnostics link b To test connectivity to the WAN port of Gateway B enter 22 23 24 25 and then click Ping c This causes a ping to be sent to the WAN interface of Gateway B Within two minutes the ping response should change from timed out to reply You may have to run this test several times before you get the reply message back from the target FVG318 d At this point the connection...

Page 130: ...r instructions on this topic see Time Zone on page 5 13 1 Obtain a root certificate a Obtain the root certificate that includes the public key from a Certificate Authority CA Note The procedure for obtaining certificates differs from a CA like Verisign and a CA such as a Windows 2000 certificate server which an organization operates for providing certificates for its members For example an adminis...

Page 131: ...ficate Subject This is the name that other organizations will see as the holder owner of this certificate This should be your registered business name or official company name Generally all certificates should have the same value in the Subject field Hash Algorithm Select the desired option MD5 or SHA1 Signature Algorithm Select the desired option DSS or RSA Signature Key Length Select the desired...

Page 132: ...s shown below Figure 7 12 Self Certificate Request data 4 Transmit the Self Certificate Request data to the Trusted Root CA a Highlight the text in the Data to supply to CA area copy it and paste it into a text file b Give the certificate request data to the CA In the case of a Windows 2000 internal CA you might simply e mail it to the CA administrator The procedures of a CA like Verisign and a CA...

Page 133: ...ate back from the Trusted Root CA and save it as a text file Note In the case of a Windows 2000 internal CA the CA administrator might simply email it to back to you Follow the procedures of your CA Save the certificate you get back from the CA as a text file called final txt 6 Upload the new certificate a From the main menu VPN section click the Certificates link b Click the radio button of the S...

Page 134: ...318 Self Certificate Request is gone as illustrated below Figure 7 14 Self Certificates table 7 Associate the new certificate and the Trusted Root CA certificate on the FVG318 a Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 see Scenario 1 IKE Policy on page 7 19 except now use the RSA Signature instead of the shared key Figure 7 15 IKE policy using RSA Signat...

Page 135: ...st CRL checking a Get a copy of the CRL from the CA and save it as a text file Note The procedure for obtaining a CRL differs from a CA like Verisign and a CA such as a Windows 2000 certificate server which an organization operates for providing certificates for its members Follow the procedures of your CA b From the main menu VPN section click the CRL link c Click Add to add a CRL d Click Browse ...

Page 136: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 7 28 Advanced Virtual Private Networking BETA ...

Page 137: ...hese features can be found by clicking on the Maintenance heading in the main menu of the browser interface Viewing Wireless VPN Firewall Status Information The Router Status menu provides status and usage information From the main menu of the browser interface click Maintenance then select Router Status to view this screen Figure 8 1 Router Status screen ...

Page 138: ...e Internet IP Subnet Mask The IP Subnet Mask being used by the Internet WAN port of the firewall DHCP The protocol on the WAN port used to obtain the WAN IP address This field can show DHCP Client Fixed IP PPPoE BPA or PPTP For example if set to Client the firewall is configured to obtain an IP address dynamically from the ISP LAN Port These parameters apply to the Local WAN port of the firewall M...

Page 139: ...n Connection Time The length of time the firewall has been connected to your Internet service provider s network Connection Method The method used to obtain an IP address from your Internet service provider IP Address The WAN Internet IP address assigned to the firewall Network Mask The WAN Internet subnet mask assigned to the firewall Default Gateway The WAN Internet default gateway the firewall ...

Page 140: ...ce TxPkts The number of packets transmitted on this interface since reset or manual clear RxPkts The number of packets received on this interface since reset or manual clear Collisions The number of collisions on this interface since reset or manual clear Tx B s The current transmission outbound bandwidth used on the interfaces Rx B s The current reception inbound bandwidth used on the interfaces ...

Page 141: ...8 4 Attached Devices menu For each device the table shows the IP address NetBIOS Host Name if available and Ethernet MAC address Note that if the firewall is rebooted the table data is lost until the firewall rediscovers the devices To force the firewall to look for attached devices click the Refresh button Upgrading the Firewall Software Table 8 2 Connection Status action buttons Field Descriptio...

Page 142: ... or Netscape Navigator 5 0 or above From the main menu of the browser interface under the Maintenance heading select the Router Upgrade heading to display the menu shown below Figure 8 5 Router Upgrade menu To upload new firmware 1 Download and unzip the new software file from NETGEAR 2 In the Router Upgrade menu click the Browse button and browse to the location of the binary BIN upgrade file 3 C...

Page 143: ...u You can use the Settings Backup menu to back up your configuration in a file restore from that file or erase the configuration settings Backing Up the Configuration To save your settings select the Backup tab Click the Backup button Your browser will extract the configuration file from the firewall and prompts you for a location on your PC to store the file You can give the file a meaningful nam...

Page 144: ...on settings without knowing the login password or IP address you must use the reset button on the rear panel of the firewall See Restoring the Default Configuration and Password on page 10 7 Changing the Administrator Password The default password for the firewall s Web Configuration Manager is password NETGEAR recommends that you change this password to a more secure password From the main menu o...

Page 145: ...nt that can connect to a dynamic DNS service provider To use this feature you must select a service provider and obtain an account with them After you have configured your account information in the firewall whenever your ISP assigned IP address changes your firewall will automatically contact your dynamic DNS service provider log in to your account and register your new IP address 1 Log in to the...

Page 146: ...ourhost dyndns org to be aliased to the same IP address as yourhost dyndns org 9 Click Apply to save your configuration Using the LAN IP Setup Options The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP From the main menu of the browser interface under Advanced click on LAN IP Setup to view the menu shown below Figure 9 1 LAN IP Setup Menu Note If your ISP assigns a ...

Page 147: ...ss the IP Subnet Mask allows a device to know which other addresses are local to it and which must be reached through a gateway or firewall RIP Direction RIP Router Information Protocol allows a firewall to exchange routing information with other firewalls The RIP Direction selection controls how the firewall sends and receives RIP packets Both is the default When set to Both or Out Only the firew...

Page 148: ...ually configure the network settings of all of your computers clear the Use router as DHCP server check box Otherwise leave it checked To specify the pool of IP addresses to be assigned set the Starting IP Address and Ending IP Address These addresses should be part of the same IP address subnet as the firewall s LAN IP address Using the default addressing scheme you should define a range between ...

Page 149: ...it here 4 Click Apply to enter the reserved address into the table Note The reserved address will not be assigned until the next time the PC contacts the firewall s DHCP server Reboot the PC or access its IP configuration and force a DHCP release and renew To edit or delete a reserved address entry 1 Click the button next to the reserved address you want to edit or delete 2 Click Edit or Delete Co...

Page 150: ...or this static route in the Route Name box This is for identification purpose only 3 Select Private if you want to limit access to the LAN only The static route will not be reported in RIP 4 Select Active to make this route effective 5 Type the Destination IP Address of the final destination 6 Type the IP Subnet Mask for this destination If the destination is a single host type 255 255 255 255 7 T...

Page 151: ...cal network for all 192 168 0 x addresses With this configuration if you attempt to access a device on the 134 177 0 0 network your firewall will forward your request to the ISP The ISP forwards your request to the company where you are employed and the request will likely be denied by the company s firewall In this case you must define a static route telling your firewall that 134 177 0 0 should ...

Page 152: ...oose a number between 1024 and 65535 but do not use the number of any common service port The default is 8080 which is a common alternate for HTTP 4 Click Apply to have your changes take effect 5 When accessing your firewall from the Internet the Secure Sockets Layer SSL will be enabled You will enter https and type your firewall s WAN IP address into your browser followed by a colon and the custo...

Page 153: ...on 9 9 BETA Tip If you are using a dynamic DNS service such as TZO you can always identify the IP address of your FVG318 by running TRACERT from the Windows Start menu Run option For example type tracert yourFVG318 mynetgear net and you will see the IP address your ISP assigned to the FVG318 ...

Page 154: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 9 10 Advanced Configuration BETA ...

Page 155: ...re connected c The Internet port LED is lit If a port s LED is lit a link has been established to the connected device If a LAN port is connected to a 100 Mbps device verify that the port s LED is green If the port is 10 Mbps the LED will be green If any of these conditions does not occur refer to the appropriate following section Power LED Not On If the Power and other LEDs are off when your fire...

Page 156: ...t Configuration and Password on page 10 7 If the error persists you might have a hardware problem and should contact technical support LAN or Internet Port LEDs Not On If either the LAN LEDs or Internet LED do not light when the Ethernet connection is made check the following Make sure that the Ethernet cable connections are secure at the firewall and at the hub or workstation Make sure that power...

Page 157: ...all and reboot your PC If your firewall s IP address has been changed and you don t know the current IP address clear the firewall s configuration to factory defaults This will set the firewall s IP address to 192 168 0 1 This procedure is explained in Restoring the Default Configuration and Password on page 10 7 Make sure your browser has Java JavaScript or ActiveX enabled If you are using Intern...

Page 158: ...ain an IP address from the ISP you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure 1 Turn off power to the cable or DSL modem 2 Turn off power to your firewall 3 Wait five minutes and reapply power to the cable or DSL modem 4 When the modem s LEDs indicate that it has reacquired sync with the ISP reapply power to your firewall If your ...

Page 159: ... not have the firewall configured as its TCP IP gateway If your PC obtains its information from the firewall by DHCP reboot the PC and verify the gateway address Troubleshooting a TCP IP Network Using a Ping Utility Most TCP IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device The device then responds with an echo reply Troubleshooting...

Page 160: ...e IP address for your firewall and your workstation are correct and that the addresses are on the same subnet Testing the Path from Your PC to a Remote Device After verifying that the LAN path works correctly test the path from your PC to a remote device From the Windows run menu type PING n 10 IP address where IP address is the IP address of a remote device such as your ISP s DNS server If the pa...

Page 161: ...of the firewall see Erasing the Configuration on page 8 8 Use the Reset button on the rear panel of the firewall Use this method for cases when the administration password or IP address are not known 1 Press and hold the Reset button until the Test LED turns on and begins blinking about 10 seconds 2 Release the Reset button and wait for the firewall to reboot Problems with Date and Time The E Mail...

Page 162: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 10 8 Troubleshooting BETA ...

Page 163: ...1 RIP 2 DHCP PPP over Ethernet PPPoE Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input All regions output 12 V DC 1 2 A output 18W maximum Physical Specifications Dimensions 39 6 x 254 x 178 mm 1 6 x 10 x 7 in Weight 1 23 kg 2 72 lb Environmental Specifications Operating temperature 0 to 40 C 32º to 104º F Opera...

Page 164: ...VPN Firewall FVG318 A 2 Technical Specifications BETA Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications LAN 10BASE T or 100BASE Tx RJ 45 WAN 10BASE T or 100BASE Tx RJ 45 ...

Page 165: ...rview The procedure for configuring a VPN tunnel between two gateway endpoints is as follows 1 Gather the network information 2 Configure gateway A 3 Configure gateway B 4 Activate the VPN tunnel Gathering the Network Information The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin ...

Page 166: ...ested information as prompted by the VPN Wizard Connection Name and Pre Shared Key Remote WAN IP address Remote LAN IP Subnet IP Address and Subnet Mask 2 Repeat the above steps for Gateway B a Log in to the router at Gateway B b Use the VPN Wizard to configure this router Enter the requested information as prompted by the VPN Wizard Note The WAN and LAN IP addresses must be unique at each end of ...

Page 167: ...zard for the router at each gateway part 1 of 2 Step 1 Click VPN Wizard on the Side Menu Bar Step 2 Enter the following o Connection name o Pre Shared Key must be the same for each end o Select A remote VPN Gateway Step 3 Enter the remote WAN s IP address Step 4 Enter the following o Remote LAN IP Address o Remote LAN Subnet Mask to Figure B 3 ...

Page 168: ...e The default log in address for the FVG318 router is http 192 168 0 1 with the default user name of admin and default password of password The login address will change to the local LAN IP subnet address after you configure the router The user name and password will also change to the ones you have chosen to use in your installation Step 5 Verify the information example screen Example screen ...

Page 169: ...tion as described in the following flowchart Figure B 4 Testing Flowchart All traffic from the range of LAN IP addresses specified on the router at Gateway A and the router at Gateway B will now flow over a secure VPN tunnel Test Step 1 Ping Remote LAN IP Address Test Step 2 Ping Remote WAN IP Address Test Step 3 View VPN Tunnel Status Start Fix the Router Network Fix the VPN Tunnel End Fail Pass ...

Page 170: ...t address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever password and LAN address you have chosen Table B 1 Policy Summary VPN Consortium Scenario Scenario 1 Type of VPN LAN to LAN or Gateway to Gateway Security Scheme IKE with Preshared Secret Key Date Tested November 2004 Model Firmware Tested NETGEAR Gateway A FVS318v3 with firmware ve...

Page 171: ...y B as in the illustration Figure B 5 Log in at the default address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever password and LAN address you have chosen 4 Repeat the process using the VPN Wizard to configure the FVG318 at Gateway B Follow the steps listed in Figure B 2 and Figure B 3 but use the following parameters instead as illustra...

Page 172: ...5 255 0 in this example All traffic from the range of LAN IP addresses specified on FVG318 A and FVG318 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated see Initiating and Checking the VPN Connections on page 11 Figure B 6 VPN parameter entry at Gateway A FVS318v3 and Gateway B FVS318v3 Gateway A VPN Parameter Entry Gateway B VPN Parameter Entry Continue as shown in Figure...

Page 173: ...VPN Parameters The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium VPNC The policy definitions to manage VPN traffic on the FVG318 are presented in Figure B 7 and Figure B 8 Figure B 7 VPN policies at Gateway A FVS318v3 and Gateway B FVS318v3 Gateway A VPN Policy Parameters Gateway B VPN Policy Parameters ...

Page 174: ... Gateway B FVS318v3 Note The Pre Shared Key must be the same at both VPN tunnel endpoints The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints Gateway A IKE Parameters Gateway B IKE Parameters ...

Page 175: ...nt to VPN tunnel endpoint connection is established 2 Test 2 Ping Remote WAN IP Address if Test 1 fails To test connectivity between the Gateway A and Gateway B WAN ports follow these steps a Log in to the router on LAN A go to the main menu Maintenance section and click the Diagnostics link b To test connectivity to the WAN port of Gateway B enter 22 23 24 25 and then click Ping you would enter 1...

Page 176: ...A Figure B 9 VPN Status for the FVS318v3 routers at Gateway A and Gateway B 22 23 24 25 22 23 24 25 Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B VPN Status at Gateway A FVS318v3 VPN Status at Gateway B FVS318v3 Status of VPN tunnel from Gateway A Status of VPN tunnel to Gateway A 22 23 24 25 ...

Page 177: ...t the default address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever password and LAN address you have chosen Table B 2 Policy Summary VPN Consortium Scenario Scenario 1 Type of VPN LAN to LAN or Gateway to Gateway Security Scheme IKE with Preshared Secret Key Date Tested November 2004 Model Firmware Tested NETGEAR Gateway A FVS318v3 with...

Page 178: ...y B as in the illustration Figure B 10 Log in at the default address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever password and LAN address you have chosen 4 Repeat the process using the VPN Wizard to configure the FVS318v2 at Gateway B Follow the steps listed in Figure B 2 and Figure B 3 but use the following parameters instead as illus...

Page 179: ...5 255 0 in this example All traffic from the range of LAN IP addresses specified on FVG318 A and FVG318 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated see Initiating and Checking the VPN Connections on page 18 Figure B 11 VPN parameter entry at Gateway A FVS318v3 and Gateway B FVS318v2 Gateway A VPN Parameter Entry Gateway B VPN Parameter Entry Continue as shown in Figur...

Page 180: ...l FVG318 B 16 VPN Configuration of NETGEAR FVS318v3 BETA Viewing and Editing the VPN Parameters The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium VPNC The policy definitions to manage VPN traffic are presented in Figure B 12 ...

Page 181: ...Safe 802 11g Wireless VPN Firewall FVG318 VPN Configuration of NETGEAR FVS318v3 B 17 BETA Figure B 12 VPN Parameters at Gateway A FVS318v3 and Gateway B FVS318v2 Gateway A VPN Parameters FVS318v3 Gateway B VPN Parameters FVS318v2 ...

Page 182: ... At this point the VPN tunnel endpoint to VPN tunnel endpoint connection is established 2 Test 2 Ping Remote WAN IP Address if Test 1 fails To test connectivity between the Gateway A and Gateway B WAN ports follow these steps a Log in to the router on LAN A go to the main menu Maintenance section and click the Diagnostics link b To test connectivity to the WAN port of Gateway B enter 22 23 24 25 a...

Page 183: ...o the FVG318 main menu VPN section and click the VPN Status link For the FVS318v2 click Show VPN Status from the Router Status screen Figure B 13 VPN Status for the routers at Gateway A FVS318v3 and Gateway B FVS318v2 22 23 24 25 22 23 24 25 Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B VPN Status at Gateway A FVS318v3 IPSec Connection Status at Gateway B FVS318v2 Status of...

Page 184: ...he default address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever password and LAN address you have chosen Table B 3 Policy Summary VPN Consortium Scenario Scenario 1 Type of VPN LAN to LAN or Gateway to Gateway Security Scheme IKE with Preshared Secret Key Date Tested November 2004 Model Firmware Tested NETGEAR Gateway A FVS318v3 with fi...

Page 185: ...y B as in the illustration Figure B 14 Log in at the default address of http 192 168 0 1 with the default user name of admin and default password of password or using whatever password and LAN address you have chosen 4 Repeat the process using the VPN Wizard to configure the FVL328 at Gateway B Follow the steps listed in Figure B 2 and Figure B 3 but use the following parameters instead as illustr...

Page 186: ...55 255 0 in this example All traffic from the range of LAN IP addresses specified on FVG318 A and FVL328 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated see Initiating and Checking the VPN Connections on page 25 Figure B 15 VPN parameter entry at Gateway A FVS318v3 and Gateway B FVL328 Gateway A VPN Parameter Entry Gateway B VPN Parameter Entry Continue as shown in Figure...

Page 187: ...rameters The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium VPNC The policy definitions to manage VPN traffic on the FVG318 and FVL328 are presented in Figure B 16 and Figure B 17 Figure B 16 VPN policies at Gateway A FVS318v3 and Gateway B FVL328 Gateway A VPN Policy Parameters Gateway B VPN Policy Parameters ...

Page 188: ...nd Gateway B FVL328 Note The Pre Shared Key must be the same at both VPN tunnel endpoints The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints Gateway A IKE Parameters Gateway B IKE Parameters ...

Page 189: ...should change from timed out to reply At this point the VPN tunnel endpoint to VPN tunnel endpoint connection is established 2 Test 2 Ping Remote WAN IP Address if Test 1 fails To test connectivity between the Gateway A and Gateway B WAN ports follow these steps a Log in to the router on LAN A go to the main menu Maintenance section and click the Diagnostics link b To test connectivity to the WAN ...

Page 190: ...S318v3 BETA Figure B 18 VPN Status for the routers at Gateway A FVS318v3 and Gateway B FVL328 22 23 24 25 22 23 24 25 Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B VPN Status at Gateway A FVS318v3 IPSec Connection Status at Gateway B FVL328 Status of VPN tunnel to and from Gateway A ...

Page 191: ...GEAR Gateway A Static IP address NETGEAR Client B Dynamic IP address Table B 5 Differences between VPN tunnel types Operation Gateway to Gateway VPN Tunnels Client to Gateway VPN Tunnels Exchange Mode Main Mode The IP addresses of both gateways are known especially when FQDN is used so each gateway can use the Internet source of the traffic for validation purposes Aggressive Mode The IP address of...

Page 192: ...fault user name of admin and default password of password or using whatever password and LAN address you have chosen 2 Use the VPN Wizard to configure the FVG318 at Gateway A Follow the steps illustrated in Figure B 19 the resulting parameter screens are shown in Figure B 20 Connection Name Scenario_1 in this example Pre Shared Key 12345678 in this example must be the same at both VPN tunnel endpo...

Page 193: ...ProSafe 802 11g Wireless VPN Firewall FVG318 VPN Configuration of NETGEAR FVS318v3 B 29 BETA Figure B 20 VPN Wizard at Gateway A FVS318v3 Pre Shared Key must be the same at both ends of the VPN tunnel Select A Remote VPN Client ...

Page 194: ...Reference Manual for the ProSafe 802 11g Wireless VPN Firewall FVG318 B 30 VPN Configuration of NETGEAR FVS318v3 BETA Figure B 21 VPN parameters at Gateway A FVS318v3 ...

Page 195: ...nsult the documentation that came with your software b Add a new connection using the Edit Add Connection menu and rename it Scenario_1 Scenario_1 is used in this example to reflect the fact that the connection uses the Pre Shared Key security scheme and encryption parameters proposed by the VPN Consortium but you may want to choose a name for your connection that is meaningful to your specific in...

Page 196: ...P Traffic Selector on the VPN Autopolicy screen shown in Figure B 21 for the gateway router Enable Connect Using Secure Gateway Tunnel select Domain Name for ID_Type enter fvs_local for Domain Name and enter 14 15 16 17 for Gateway IP Address Domain Name must match the Local Identity Data parameter of the IKE Policy Configuration screen shown in Figure B 21 for the gateway router Also Gateway IP A...

Page 197: ...on the left hierarchy menu and then select Aggressive Mode under Select Phase 1 Negotiation Mode see Figure B 24 The Select Phase 1 Negotiation Mode choice must match the Exchange Mode setting for the General IKE Policy Configuration parameters shown in Figure B 21 for the gateway router Figure B 24 Scenario_1 Security Policy screen parameters ...

Page 198: ...io Then enter 12345678 for the Pre Shared Key value The Preshared Key value must match the value you entered in the VPN Wizard for the gateway Pre Shared Key value shown in Figure B 20 Under My Identity select Domain Name for the ID Type and then enter fvs_remote Domain Name must match the Remote Identity Data parameter of the IKE Policy Configuration screen shown in Figure B 21 for the gateway ro...

Page 199: ...eway router Figure B 26 Scenario_1 Proposal 1 parameters for Authentication and Key Exchange g Save the Scenario_1 connection using Save under the File menu You can also export the connection parameters using Export Security Policy under the File menu You are new ready to activate the tunnel but you must do it from the client endpoint see Initiating and Checking the VPN Connections on page 36 In t...

Page 200: ... address it must initiate the request a Open the popup menu by right clicking on the system tray icon b Select Connect to open the My Connections list c Choose Scenario_1 The VPN Client reports the results of the attempt to connect Once the connection is established you can access resources of the network connected to the VPN router Alternative Ping Test To perform a ping test as an alternative st...

Page 201: ... of Gateway A Within two minutes the ping response should change from timed out to reply You may have to run this test several times before you get the reply message back from the target FVS318v3 d At this point the gateway to gateway connection is verified 3 Test 3 View VPN Tunnel Status To view the FVG318 event log and status of Security Associations go to the FVG318 main menu VPN section and cl...

Page 202: ... FVS318v3 BETA Figure B 28 VPN Status for Gateway A FVS318v3 and Gateway B VPN Client 22 23 24 25 22 23 24 25 Status of VPN tunnel from Gateway B Status of VPN tunnel to Gateway B VPN Status at Gateway A FVS318v3 Connection Monitor at Gateway B remote VPN Client Status of VPN tunnel to and from Gateway A ...