User's Manual

Virtual Private Networking
N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700
Table 19. VPN - Auto Policy screen settings (continued)

Fields and Settings | Description

Parameters (Continued)

SA Life Time
The time interval before the SA (security association) expires. (It is
automatically reestablished as required.) While using a short time
period (or data amount) increases security, it also degrades
performance. It is common to use periods over an hour (3600 seconds)
for the SA life-time. This setting applies to both IKE and IPSec SAs.

Enable IPSec PFS (Perfect Forward Secrecy)
• If this check box is selected, security is enhanced by ensuring that
the key is changed at regular intervals. Also, even if one key is
broken, subsequent keys are no easier to break. (Each key has no
relationship to the previous key.)
• This setting applies to both IKE and IPSec SAs. When configuring
the remote endpoint to match this setting, you might have to specify
the key group used. For this device, the key group is the same as the
DH Group setting in the IKE section.

General

Policy Name
Enter a unique name to identify this policy. This name is not supplied to
the remote VPN endpoint. It is used only to help you manage the
policies.

Remote VPN Endpoint
• The remote VPN endpoint has to have this VPN gateway’s address
entered as its remote VPN endpoint.
• If the remote endpoint has a dynamic IP address, select Dynamic IP
address. No address data input is required. You can set up multiple
remote dynamic IP policies, but only one such policy can be enabled
at a time. Otherwise, select an option (IP address or domain name)
and enter the address of the remote VPN endpoint to which you want
to connect.

IKE Keep Alive
• If you want to ensure that a connection is kept open, or, if that is not
possible, that it is quickly reestablished when disconnected, select
this check box.
• The ping IP address has to be associated with the remote endpoint.
The remote LAN address has to be used. This IP address will be
pinged periodically to generate traffic for the VPN tunnel. The remote
keep-alive IP address has to be covered by the remote LAN IP range
and has to correspond to a device that can respond to ping. The
range should be made as narrow as possible to meet this objective.

Local LAN
The remote VPN endpoint has to have these IP addresses entered
as its remote addresses.

Subnet Mask
Enter the network mask.

Single/Start IP Address
• Enter the IP address for a single address, or the starting address for
an address range. A single address setting is used when you want to
make a single server on your LAN available to remote users. A range
has to be an address range used on your LAN.

Any. The remote VPN endpoint might be at any IP address.
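
The mirroring rules in this table (each side names the other as its remote endpoint, each side's remote LAN is the other's local LAN, the keep-alive IP lies inside the remote LAN range, the PFS key group matches, and only one dynamic-IP policy is enabled) can be checked before the settings are typed into either device. The script below is an added example, not part of the NETGEAR manual or any router API: the `Policy` class, its field names, the use of CIDR notation in place of subnet mask plus start address, and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Policy:
    """Hypothetical model of one endpoint's Auto Policy screen (not a device API)."""
    name: str
    own_address: str                 # this gateway's WAN IP or domain name
    remote_endpoint: Optional[str]   # None models "Dynamic IP address"
    local_lan: str                   # CIDR form of subnet mask + start address
    remote_lan: str                  # what this side believes the peer's LAN is
    pfs: bool
    dh_group: int
    pfs_group: Optional[int] = None  # None: key group follows dh_group, as on this device
    keepalive_ip: Optional[str] = None
    enabled: bool = True

def check_pair(a: Policy, b: Policy) -> List[str]:
    """Return every way the two endpoints' policies fail to mirror each other."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me.remote_endpoint is not None and me.remote_endpoint != peer.own_address:
            problems.append(f"{me.name}: remote endpoint is not {peer.name}'s address")
        remote = ipaddress.ip_network(me.remote_lan)
        if remote != ipaddress.ip_network(peer.local_lan):
            problems.append(f"{me.name}: remote LAN differs from {peer.name}'s local LAN")
        if me.keepalive_ip and ipaddress.ip_address(me.keepalive_ip) not in remote:
            problems.append(f"{me.name}: keep-alive IP is outside the remote LAN range")
    group_a, group_b = (p.dh_group if p.pfs_group is None else p.pfs_group for p in (a, b))
    if a.pfs != b.pfs:
        problems.append("PFS enabled on one side only")
    elif a.pfs and group_a != group_b:
        problems.append("PFS key groups differ")
    return problems

def check_dynamic(policies: List[Policy]) -> List[str]:
    """On one gateway, only one enabled policy may use a dynamic remote address."""
    dyn = [p.name for p in policies if p.enabled and p.remote_endpoint is None]
    return [f"multiple dynamic-IP policies enabled: {', '.join(dyn)}"] if len(dyn) > 1 else []

# Constructed sample: documentation-range WAN addresses, private LANs.
SITE_A = Policy("site-a", "203.0.113.10", "198.51.100.20", "192.168.1.0/24",
                "192.168.2.0/24", pfs=True, dh_group=2, keepalive_ip="192.168.2.1")
SITE_B = Policy("site-b", "198.51.100.20", "203.0.113.10", "192.168.2.0/24",
                "192.168.1.0/24", pfs=True, dh_group=2, pfs_group=5,
                keepalive_ip="192.168.2.1")  # deliberately wrong: B's own LAN, and group 5

if __name__ == "__main__":
    print(*check_pair(SITE_A, SITE_B), sep="\n")
```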