Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 NETGEAR, Inc.
© 2004 by NETGEAR, Inc. All rights reserved. Trademarks: NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this document are copyright Intoto, Inc.
Manufacturer's/Importer's Declaration: It is hereby confirmed that the FVL328 Prosafe High Speed VPN Firewall is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (e.g. test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please read the notes in the operating instructions.
iv May 2004, 202-10030-02
Contents

Chapter 1 About This Manual
  Audience 1-1
  Scope 1-1
  Typographical Conventions 1-2
  Special Message Formats
  Testing Your Internet Connection 3-9
  Manually Configuring Your Internet Connection 3-10
    How to Complete a Manual Configuration 3-11
Chapter 4 WAN and LAN Configuration
  Configuring LAN IP Settings
    Inbound Rules (Port Forwarding) 5-7
      Example: Port Forwarding to a Local Public Web Server 5-8
      Example: Port Forwarding for Videoconferencing 5-8
      Example: Port Forwarding for VPN Tunnels when NAT is Off 5-9
    Outbound Rules (Service Blocking or Port Filtering)
Chapter 7 Managing Your Network
  Protecting Access to Your FVL328 Firewall 7-1
    How to Change the Built-In Password 7-1
    How to Change the Administrator Login Timeout 7-2
  Internet Traffic
  Troubleshooting the Web Configuration Interface 8-3
  Troubleshooting the ISP Connection 8-4
  Troubleshooting a TCP/IP Network Using a Ping Utility 8-5
    How to Test the LAN Path to Your Firewall 8-6
    How to Test the Path from Your PC to a Remote Device
Appendix C Preparing Your Network
  What You Will Need Before You Begin C-1
    LAN Hardware Requirements C-1
    LAN Configuration Requirements C-2
    Internet Configuration Requirements
  Policy Administration LOG D-7
Appendix E Virtual Private Networking
  What is a VPN? E-1
  What is IPSec and How Does It Work? E-2
  IPSec Security Features
  Testing the VPN Connection G-14
    From the Client PC to the FVL328 G-14
    From the FVL328 to the Client PC G-15
  Monitoring the PC VPN Connection G-15
  Viewing the FVL328 VPN Status and Log Information
Chapter 1 About This Manual This chapter introduces the Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2. Audience This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site. Scope This manual is written for the FVL328 Firewall according to these specifications: Table 1-1.
Typographical Conventions

This guide uses the following typographical conventions:

Table 1-2. Typographical conventions
  italics: Emphasis.
  bold: User input.
  [Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
  SMALL CAPS: DOS file and directory names.

How to Use this Manual

This manual is published in both HTML and .PDF file formats. The HTML version of this manual provides links to the .PDF versions of the manual and includes these features. To view the HTML version of the manual, you must have a browser with JavaScript enabled.

Figure Preface 1-1: HTML version of this manual

1. Left pane. Use the left pane to view the Contents, Index, and Search tabs.
2.

How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.
• Printing a "How To" Sequence of Steps in the HTML View. Use the Print button on the upper right side of the toolbar to print the currently displayed topic. Use this button when a step-by-step procedure is displayed to send the entire procedure to your printer.
Chapter 2 Introduction This chapter describes the features of the NETGEAR FVL328 Prosafe High Speed VPN Firewall. The FVL328 Firewall is now ICSA certified. It provides connections for multiple computers to the Internet through an external broadband access device (such as a cable modem or DSL modem) and supports IPSec-based secure tunnels to IPSec-compatible VPN servers.
• IP-MAC access control: ensures a computer with an assigned MAC address always gets the same IP address when using DHCP
• Port Triggering
• Ease of Use Improvements
• Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS feature is enabled with one of the supported service providers.
• VPNC Certified.

A Powerful, True Firewall

Unlike simple Internet sharing NAT routers, the FVL328 is a true firewall, using stateful packet inspection to defend against hacker attacks.

The firewall incorporates Auto Uplink™ technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a 'normal' connection such as to a PC or an 'uplink' connection such as to a switch or hub. That port will then configure itself to the correct configuration.

• Dynamic DNS
Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. See "Configuring Dynamic DNS" on page 4-11.

Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVL328.asp.
• Includes a battery-backed real-time clock so time will persist if power is removed.
• Regional support, including ISPs like Telstra DSL and BigPond or Deutsche Telekom.

You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.

Table 2-1: LED Descriptions
  POWER, On: Power is supplied to the firewall.
  TEST, On: The system is initializing.
  TEST, Off: The system is ready and running.
  On/Blinking: The Internet port is operating at 100 Mbps.
Chapter 3 Connecting the FVL328 to the Internet This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVL328 Prosafe High Speed VPN Firewall using the Setup Wizard, or manually configure your Internet connection. Connecting the FVL328 to Your LAN This section provides instructions for connecting the FVL328 Prosafe High Speed VPN Firewall to your Local Area Network (LAN).
c. Locate the Ethernet cable (Cable 1 in the diagram below) that runs from your broadband modem to the computer. Disconnect the cable at the computer end only, point (A) in the diagram.

Figure 3-1: Disconnect the broadband modem

d. Securely insert the end of the Ethernet cable (Cable 1) that you disconnected from your computer into the Internet port (B) on the FVL328.
e. Locate the blue Ethernet cable that came with your router. Securely insert one end of the cable (Cable 2 in the diagram below) into a LAN port on the router such as LAN port 8 (C), and the other end into the Ethernet port of your computer (D).

2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet.
a. First, turn on the broadband modem and wait 2 minutes.
b. Now, turn on your firewall.
c. Last, turn on your computer.
Note: If software usually logs you in to the Internet, do not run that software, or cancel it if it starts automatically.
d.
c. A login window opens as shown here:

Figure 3-5: Login window

Enter admin for the router user name and password for the router password, both in lower case letters. These are the factory defaults and are printed in every copy of this manual, so anyone on your LAN who reaches the login window can reconfigure the firewall until you change them; change the password as soon as setup is complete (see "How to Change the Built-In Password" on page 7-1).
d. After logging in to the router, you will see the Internet connection Setup Wizard on the settings main page.
Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
4.
a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP addresses the FVL328 uses. Classical routing should be selected only by experienced users.
c.

1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. Enter the PPPoE login user name and password provided by your ISP.

Configuring for a Wizard-Detected Dynamic IP Account

If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the Dynamic IP menu.
1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers.

1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in "Worksheet for Recording Your Internet Connection Information" on page C-3.
2. Enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Manually Configuring Your Internet Connection

You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.

How to Complete a Manual Configuration

Manually configure the firewall in the Basic Settings menu using these steps:
1. Answer the question, "Does Your Internet Connection Require a Login?"
• Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet. You must also log in to establish a PPPoE connection that uses a Static IP address.

– If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up your current configuration settings.
Note: Disabling NAT will reboot the router and reset all the FVL328 configuration settings to the factory default. Disable NAT only if you plan to install the FVL328 in a setting where you will be manually administering the IP address space on the LAN side of the router. With NAT disabled, LAN hosts are reachable from the WAN by their own addresses, so the inbound firewall rules are the only thing limiting what the Internet can reach (see "Example: Port Forwarding for VPN Tunnels when NAT is Off" on page 5-9).
Chapter 4 WAN and LAN Configuration This chapter describes how to configure the WAN and LAN settings of your FVL328 Prosafe High Speed VPN Firewall. Configuring LAN IP Settings The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface. The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server.
• RIP Direction
RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the firewall sends and receives RIP packets. Both is the default.
— When set to Both or Out Only, the firewall will broadcast its routing table periodically.
— When set to Both or In Only, it will incorporate the RIP information that it receives.
Incorporating received RIP information means that any host on the LAN able to send RIP packets can alter the firewall's routing table and redirect traffic. Unless other routers on your LAN genuinely need to push routes to the firewall, select Out Only rather than Both or In Only.
If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the 'Use router as DHCP server' check box. Otherwise, leave it checked. Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall's LAN IP address.

Figure 4-1: LAN IP Setup Menu

3. Enter the LAN TCP/IP and DHCP parameters.
4. Click Apply to save your changes.

How to Configure Reserved IP Addresses

When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall's DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. A reservation is keyed on the MAC address the client presents in its DHCP request, and a host can present any MAC address it likes, so treat reservations as an addressing convenience rather than as a control over which machines may join the LAN.

To reserve an IP address:
1.
3. Type the MAC Address of the PC or server.
Note: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
Figure 4-2: WAN Setup

Connect Automatically, as Required

Normally, this option should be Enabled, so that an Internet connection will be made automatically, whenever Internet-bound traffic is detected. If this causes high connection costs, you can disable this setting. If disabled, you must connect manually, using the sub-screen accessed from the Connection Status button on the Status screen.

Setting Up a Default DMZ Server

Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. Every unsolicited inbound request that the firewall would otherwise discard is delivered to that computer instead, so it is exposed to the Internet almost as if it were connected directly; only do this if you're willing to risk open access to that machine, keep it patched and hardened, and do not use it for anything else on your LAN. If you do not assign a Default DMZ Server, the router discards any incoming service requests that are undefined.

3. Select the PC to be used as the DMZ Server for this IP address.
Click Apply.
Note:
• All incoming traffic to that IP address will be sent to the selected PC.
• Out-going traffic from the selected PC will use the IP address you entered, not the default WAN IP address.
• If you only have one (1) Internet IP address, you cannot use the Multi-DMZ feature, only the Default DMZ Server setting above.
If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex.

Port Triggering

Port Triggering is used to allow applications which would otherwise be blocked by the firewall. Using this feature requires that you know the port numbers used by the Application. Once configured, operation is as follows:
1.

Port Triggering Rules

This table lists the current rules:
• Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function, such as Port Forwarding.
• Name - The name for this rule.
• Outgoing Ports - The port or port range for outgoing traffic. An outgoing connection using one of these ports will Trigger this rule.
• Incoming (Response) Port Range - enter the range of port numbers used by the remote system when it responds to the PC's request.

Modifying or Deleting an existing Rule
1. Select the desired rule by clicking the radio button beside the rule.
2. Click Edit or Delete as desired.

Checking Operation and Status
To see which rules are currently being used, click the Status button.
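The following Python model shows what a port-triggering rule actually does once it is enabled: an outbound connection on a trigger port opens the rule's incoming range back to the LAN host that made it, and the opening is keyed only on the destination port, not on who is sending. This is an added example written for this page, not NETGEAR's firmware or anything the manual ships; the IRC/ident port numbers, the 600-second timeout, and the "most recent trigger owns the range" behaviour are assumptions of the model, and the sample events are constructed.

```python
"""Port-triggering state model (added example, not FVL328 firmware code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    outgoing_ports: Tuple[int, int]  # outbound dst port range that triggers the rule
    incoming_ports: Tuple[int, int]  # inbound dst port range opened back to the host
    enabled: bool = True


class PortTriggerEngine:
    """Tracks which incoming ranges are open and to which LAN host.

    Assumption of this model: a rule's opened range belongs to the LAN host
    that triggered it most recently, and it closes `timeout` seconds after
    the last trigger.
    """

    def __init__(self, rules: List[TriggerRule], timeout: float = 600.0):
        self.rules = list(rules)
        self.timeout = timeout
        self.open: Dict[str, Tuple[str, float]] = {}  # rule name -> (lan_host, expiry)

    def _expire(self, now: float) -> None:
        self.open = {n: v for n, v in self.open.items() if v[1] > now}

    def outbound(self, lan_host: str, dst_port: int, now: float) -> Optional[str]:
        """A LAN host opens a connection to dst_port; returns the triggered rule name."""
        self._expire(now)
        for rule in self.rules:
            lo, hi = rule.outgoing_ports
            if rule.enabled and lo <= dst_port <= hi:
                self.open[rule.name] = (lan_host, now + self.timeout)
                return rule.name
        return None

    def inbound(self, src_ip: str, dst_port: int, now: float) -> Optional[str]:
        """Unsolicited packet from the Internet; returns the LAN host it is
        forwarded to, or None if it is dropped. src_ip is deliberately not
        consulted: while the range is open it is reachable from any remote
        address, which is the exposure to weigh before enabling a rule."""
        self._expire(now)
        for rule in self.rules:
            if rule.name not in self.open:
                continue
            lo, hi = rule.incoming_ports
            if lo <= dst_port <= hi:
                return self.open[rule.name][0]
        return None

    def status(self, now: float) -> List[Tuple[str, str, float]]:
        """Equivalent of the Status button: (rule, lan_host, seconds remaining)."""
        self._expire(now)
        return [(n, h, exp - now) for n, (h, exp) in self.open.items()]


# Constructed sample rule: a client connects out to 6660-6669 and the remote
# server connects back to the ident port 113. Numbers are illustrative only.
RULES = [TriggerRule("irc-ident", (6660, 6669), (113, 113))]


def demo() -> List[Optional[str]]:
    eng = PortTriggerEngine(RULES, timeout=600)
    return [
        eng.inbound("203.0.113.5", 113, now=0),      # None: nothing has triggered yet
        eng.outbound("192.168.0.10", 6667, now=0),   # "irc-ident": range now open
        eng.inbound("203.0.113.5", 113, now=1),      # "192.168.0.10"
        eng.inbound("198.51.100.7", 113, now=2),     # "192.168.0.10": any source is accepted
        eng.inbound("203.0.113.5", 113, now=700),    # None: the opening has timed out
    ]
```

The fourth event is the point to take away from the model: between the trigger and the timeout, the incoming range is open to every address on the Internet, not just the server the LAN host contacted, so keep incoming ranges as narrow as the application allows and disable rules you no longer need.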
How to Configure Dynamic DNS
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
3. Click the radio button for the dynamic DNS service you will use.

When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP.

3. To add or edit a Static Route:
a. Click the Edit button to open the Edit Menu, shown below.

Figure 4-6: Static Route Entry and Edit Menu

b. Type a route name for this static route in the Route Name box under the table. This is for identification purpose only.
c. Select Active to make this route effective.
d. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
e.
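To see why a destination on 134.177.0.0 goes to the ISP until you add a route, and what the Active and Private flags change, here is a small routing-table model with longest-prefix matching. It is an added example for this page, not code from the FVL328 or from NETGEAR; the ISP gateway address, the LAN-side router at 192.168.0.2 and the /16 prefix for the 134.177.0.0 network are constructed for the illustration.

```python
"""Static route lookup model (added example, not FVL328 firmware code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    destination: str       # network in CIDR form, e.g. "134.177.0.0/16"
    gateway: str           # next hop; "direct" marks a connected network
    active: bool = True    # the Active checkbox: inactive routes are ignored
    private: bool = False  # the Private checkbox: not reported in RIP


class RoutingTable:
    def __init__(self, lan_ip: str, lan_prefix: int, isp_gateway: str):
        # The two implicit routes described above: a default route via the
        # ISP and a connected route for the LAN (192.168.0.x by default).
        lan_net = ipaddress.ip_network(f"{lan_ip}/{lan_prefix}", strict=False)
        self.routes: List[Route] = [
            Route("default", "0.0.0.0/0", isp_gateway),
            Route("lan", str(lan_net), "direct"),
        ]

    def add(self, route: Route) -> None:
        ipaddress.ip_network(route.destination)  # reject a malformed entry early
        self.routes.append(route)

    def lookup(self, dst_ip: str) -> Optional[Route]:
        """Longest-prefix match over active routes; the default route
        (prefix length 0) only wins when nothing more specific matches."""
        addr = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.destination)
            if r.active and addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def rip_advertised(self) -> List[str]:
        """Destinations the firewall would report in RIP (Private ones are withheld)."""
        return [r.destination for r in self.routes if r.active and not r.private]


def demo() -> Tuple[str, str, str, List[str]]:
    table = RoutingTable("192.168.0.1", 24, "203.0.113.1")   # ISP gateway is constructed
    before = table.lookup("134.177.10.5").name                # "default": sent to the ISP
    table.add(Route("office", "134.177.0.0/16", "192.168.0.2", private=True))
    after = table.lookup("134.177.10.5").name                 # "office": via the LAN-side router
    local = table.lookup("192.168.0.50").name                 # "lan": connected network
    return before, after, local, table.rip_advertised()
```

Marking the office route Private keeps it out of RIP broadcasts, so other routers on the LAN never learn that 192.168.0.2 is a path to 134.177.0.0; the firewall itself still uses the route.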
Chapter 5 Protecting Your Network This chapter describes how to use the firewall features of the FVL328 Prosafe High Speed VPN Firewall to protect your network. Firewall Protection and Content Filtering Overview The FVL328 Prosafe High Speed VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses, and Web address keywords.
Many Web sites will not function correctly if these components are blocked. These options are discussed below. The Keyword Blocking menu is shown here.

Figure 5-1: Block Sites menu

To enable filtering, click the checkbox next to the type of filtering you want to enable.
• Cookies: blocks all cookies

To enable keyword blocking, check "Turn keyword blocking on", then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.

Keyword application examples:
• If the keyword "XXX" is specified, the URL

Defining a Service

Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.

Using Inbound/Outbound Rules to Block or Allow Services

Firewall rules are used to block or allow specific traffic passing through from one side of the firewall to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.

You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined. To create a new rule, click the Add button.
Examples of Using Services and Rules to Regulate Traffic

The following examples show how to combine Services and Rules so that the firewall blocks or allows specific Internet traffic.
Example: Port Forwarding to a Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server any time of day. This rule is shown in Figure 5-3.

Figure 5-3: Rule example: A Local Public Web Server

Figure 5-4: Rule example: Videoconference from Restricted Addresses

Example: Port Forwarding for VPN Tunnels when NAT is Off

If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses anywhere on the Internet when NAT is off, first create a service and then an inbound rule.

Figure 5-6: Inbound rule example: VPN IPSec when NAT is off

In the example shown in Figure 5-6, VPN IPSec connections are allowed for any internal LAN IP address.

Outbound Rules (Service Blocking or Port Filtering)

The FVL328 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.

Figure 5-7: Rule example: Blocking Instant Messenger

Other Rules Considerations

The order of precedence of rules is determined by the position of the rule on a list of many rules. Also, there are optional Rules settings you can configure. These topics are presented here.

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu.
Rules Menu Options

Figure 5-8: Rules menu options

Use the Options checkboxes to enable the following:
• Enable VPN Passthrough (IPSec, PPTP, L2TP)
If LAN users need to use VPN (Virtual Private Networking) software on their computer, and connect to remote sites or servers, enable this checkbox. This will allow the VPN protocols (IPSec, PPTP, L2TP) to be used. If this checkbox is not checked, these protocols are blocked.

Using a Schedule to Block or Allow Content or Traffic

If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The router allows you to specify when blocking will be enforced by configuring the Schedule tab shown below.

To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Time and an End Time.
Note: Enter the values in 24-hour time format.
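The inbound/outbound rule sections above, the order-of-precedence note and the Schedule tab describe one evaluation procedure: walk the rules for the packet's direction from the top, apply the first one whose service, addresses and schedule all match, and fall back to the default when none does. The Python model below implements that procedure end to end, using the Web server rule of Figure 5-3 and the instant-messenger block of Figure 5-7 (with a schedule added) as its rule set. It is an added example for this page, not NETGEAR's rule engine; the default actions (block inbound, allow outbound), the log-line format, the TCP port for the instant-messaging service and the sample addresses are assumptions of the model.

```python
"""Rule evaluation model for Inbound/Outbound rules plus Schedule.
Added example, not FVL328 firmware code; defaults and formats are assumed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str            # "TCP" or "UDP"
    ports: Tuple[int, int]   # inclusive destination port range


@dataclass(frozen=True)
class Schedule:
    days: FrozenSet[int]     # 0 = Monday ... 6 = Sunday; Every Day = all seven
    start: str = "00:00"     # 24-hour HH:MM, as the Schedule tab requires
    end: str = "23:59"       # All Day = 00:00 to 23:59

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end


@dataclass(frozen=True)
class Packet:
    direction: str           # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    protocol: str
    wan_ip: str              # the Internet-side address
    lan_ip: str              # the LAN-side address
    dst_port: int            # inbound: port on the LAN server; outbound: remote service port
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    service: Service
    action: str                          # "allow" or "block"
    wan_users: str = "0.0.0.0/0"         # remote addresses the rule covers ("any")
    lan_users: str = "0.0.0.0/0"         # local addresses the rule covers ("any")
    schedule: Optional[Schedule] = None  # None = always in force
    log: str = "never"                   # "never", "match" or "not_match"

    def matches(self, pkt: Packet) -> bool:
        lo, hi = self.service.ports
        return (self.direction == pkt.direction
                and self.service.protocol == pkt.protocol
                and lo <= pkt.dst_port <= hi
                and ipaddress.ip_address(pkt.wan_ip) in ipaddress.ip_network(self.wan_users)
                and ipaddress.ip_address(pkt.lan_ip) in ipaddress.ip_network(self.lan_users)
                and (self.schedule is None or self.schedule.active(pkt.when)))


DEFAULT_ACTION = {"inbound": "block", "outbound": "allow"}  # assumed default rules


class RuleSet:
    """First matching rule wins; list position is the order of precedence."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def move_up(self, name: str) -> None:
        i = next(i for i, r in enumerate(self.rules) if r.name == name)
        if i > 0:
            self.rules[i - 1], self.rules[i] = self.rules[i], self.rules[i - 1]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str], List[str]]:
        """Return (action, deciding rule name or None for the default, log lines)."""
        logs: List[str] = []
        for rule in self.rules:
            if rule.direction != pkt.direction:
                continue
            hit = rule.matches(pkt)
            if (hit and rule.log == "match") or (not hit and rule.log == "not_match"):
                logs.append(f"{pkt.when:%Y-%m-%d %H:%M} {rule.name} "
                            f"{'match' if hit else 'no-match'} {pkt.protocol} "
                            f"{pkt.wan_ip}<->{pkt.lan_ip}:{pkt.dst_port}")
            if hit:
                return rule.action, rule.name, logs
        return DEFAULT_ACTION[pkt.direction], None, logs


HTTP = Service("HTTP", "TCP", (80, 80))
IM = Service("IM", "TCP", (5190, 5190))            # port number is illustrative
OFFICE_HOURS = Schedule(frozenset(range(5)), "09:00", "17:00")

RULES = RuleSet([
    # Figure 5-3: any outside host may reach the LAN Web server on port 80.
    Rule("web-server", "inbound", HTTP, "allow", lan_users="192.168.0.20/32", log="match"),
    # Figure 5-7: block instant messaging, here only during office hours.
    Rule("block-im", "outbound", IM, "block", schedule=OFFICE_HOURS, log="match"),
])


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    mon = datetime(2004, 5, 3, 10, 0)   # a Monday, inside office hours
    sat = datetime(2004, 5, 8, 10, 0)   # a Saturday
    cases = {
        "web-allowed": Packet("inbound", "TCP", "203.0.113.5", "192.168.0.20", 80, mon),
        "other-host-blocked": Packet("inbound", "TCP", "203.0.113.5", "192.168.0.21", 80, mon),
        "im-office-hours": Packet("outbound", "TCP", "198.51.100.9", "192.168.0.5", 5190, mon),
        "im-weekend": Packet("outbound", "TCP", "198.51.100.9", "192.168.0.5", 5190, sat),
    }
    return {k: RULES.evaluate(p)[:2] for k, p in cases.items()}


def precedence_demo() -> Tuple[str, str]:
    """Two rules for the same service: whichever is listed first decides."""
    rs = RuleSet(RULES.rules + [Rule("im-for-admin", "outbound", IM, "allow", lan_users="192.168.0.5/32")])
    pkt = Packet("outbound", "TCP", "198.51.100.9", "192.168.0.5", 5190, datetime(2004, 5, 3, 10, 0))
    before = rs.evaluate(pkt)[0]     # "block": block-im sits above the exception
    rs.move_up("im-for-admin")
    return before, rs.evaluate(pkt)[0]   # "allow" once the exception is moved up
```

Two details of the model are worth checking against your own rule table: an inbound packet to a LAN host that no rule names falls to the default and is dropped even when another host is allowed the same service, and an exception rule placed below a broader block never fires until it is moved above it.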
User-defined NTP Server

The firewall uses NETGEAR NTP servers by default. If you prefer to use a particular NTP server as the primary server, select Use this NTP Server and enter the name or IP address of that server in the Server 1 field. Log timestamps and schedule enforcement both depend on this clock, so point the firewall at a time source you trust and confirm the time shown in the log after changing it.
• Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be blank.
• Enter the e-mail address to which logs and alerts will be sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
  – If a user on your LAN attempts to access a Web site that you blocked using Keyword blocking.
• Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs Hourly, Daily, Weekly, When Full, or None for no logs. Depending on your selection, you may also need to specify:
  – Day for sending log: Relevant when the log is sent weekly or daily.

Figure 5-12: Logs menu

See Appendix D, "Firewall Log Formats" for a full explanation of log entry formats.

Table 5-1. Log action buttons
  Refresh: Refreshes the log screen.
  Clear Log: Clears the log entries.
  Send Log: E-mails the log immediately.

What to Include in the Event Log

Use these checkboxes to determine which events are included in the log. Checking all options will increase the size of the log, so it is good practice to disable any events which are not really required.
• Disable - select this if you do not have a Syslog server.
• Broadcast on LAN - the Syslog data is broadcast, rather than sent to a specific Syslog server. Use this if your Syslog Server does not have a fixed IP address. Broadcast log messages are visible to every host on the LAN, so prefer a server with a fixed address whenever you can.
• Send to this Syslog server IP address - If your Syslog server has a fixed IP address, select this option, and enter the IP address of your Syslog server.
Chapter 6 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. See also “How to Use the VPN Wizard to Configure a VPN Tunnel” on page 6-15.
• IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an Internet Key Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
• VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel.

IKE Policies' Automatic Key and Authentication Management

Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.

The IKE Policy Configuration fields are defined in the following table.

Table 6-1. IKE Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
  Policy Name: The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
Remote: These parameters apply to the target remote FVL328 firewall, VPN gateway, or VPN client.
  Remote Identity Type: Use this field to identify the remote FVL328. You can choose one of the following four options from the drop-down list:
  • By its Internet (WAN) port IP address.
  • By its Fully Qualified Domain Name (FQDN) – your domain name.

VPN Policy Configuration for Auto Key Negotiation

An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.

The VPN Auto Policy fields are defined in the following table.

Table 6-1. VPN Auto Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
  Policy Name: The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
  Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security.
Encapsulated Security Payload (ESP) Configuration: ESP provides security for the payload (data) sent through the VPN tunnel. Two ESP modes are available: plain ESP encryption, or ESP encryption with authentication. Enable both Encryption and Authentication: encryption alone keeps the payload confidential but does not let the receiver detect a packet that was altered in transit, whereas the authentication option adds an integrity check value that rejects such packets. These settings must match the remote VPN endpoint.
Figure 6-4: VPN - Manual Policy Menu

The VPN Manual Policy fields are defined in the following table.

Table 6-1. VPN Manual Policy Configuration Fields
General – These settings identify this policy and determine its major characteristics.
Policy Name – The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.

Table 6-1. VPN Manual Policy Configuration Fields (continued)
Authenticating Header (AH) Configuration – AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Note: The “Incoming” settings must match the “Outgoing” settings on the remote VPN endpoint, and the “Outgoing” settings must match the “Incoming” settings on the remote VPN endpoint.

Table 6-1. VPN Manual Policy Configuration Fields (continued)
Encapsulated Security Payload (ESP) Configuration – ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both encryption and authentication when you use ESP. Two ESP modes are available:
• Plain ESP encryption
• ESP encryption with authentication
These settings must match the remote VPN endpoint.

Table 6-1. VPN Manual Policy Configuration Fields (continued)
Enable Authentication – Use this check box to enable or disable ESP authentication for this VPN policy.
Authentication Algorithm – If you enable authentication, then use this menu to select the algorithm:
• MD5 – the default
• SHA1 – more secure
Key - In – Enter the key.
• For MD5, the key should be 16 characters.
• For SHA-1, the key should be 20 characters.
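As an added example (not code from the NETGEAR manual), the following Python check applies the two rules stated for manual keying before the values are typed into two FVL328s: an MD5 authentication key is 16 characters and a SHA-1 key is 20, and each endpoint's Incoming settings must equal the other endpoint's Outgoing settings. The policy names, algorithms and keys below are constructed sample data.

```python
"""Consistency check for a pair of FVL328 VPN Manual Policies.

Added example, not part of the manual.  It encodes two rules the manual
states for manual keying:
  * authentication key length: 16 characters for MD5, 20 for SHA-1;
  * "Incoming" on one endpoint must match "Outgoing" on the other, and
    "Outgoing" must match the remote "Incoming".
All sample values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Required authentication key length in characters, per the manual.
AUTH_KEY_LENGTH = {"MD5": 16, "SHA1": 20}


@dataclass(frozen=True)
class Direction:
    """One direction (Incoming or Outgoing) of a manual ESP policy."""
    auth_alg: str   # "MD5" or "SHA1", as selected in Authentication Algorithm
    auth_key: str   # the text typed into the Key - In / Key - Out field


@dataclass(frozen=True)
class ManualPolicy:
    name: str
    incoming: Direction
    outgoing: Direction


def key_problems(policy: ManualPolicy) -> List[str]:
    """Return key-length / algorithm problems for one endpoint (empty if none)."""
    problems = []
    for label, d in (("Incoming", policy.incoming), ("Outgoing", policy.outgoing)):
        want = AUTH_KEY_LENGTH.get(d.auth_alg)
        if want is None:
            problems.append(f"{policy.name} {label}: unknown algorithm {d.auth_alg}")
        elif len(d.auth_key) != want:
            problems.append(
                f"{policy.name} {label}: {d.auth_alg} key is {len(d.auth_key)} "
                f"characters, expected {want}")
    return problems


def crossmatch_problems(a: ManualPolicy, b: ManualPolicy) -> List[str]:
    """Check a.incoming == b.outgoing and a.outgoing == b.incoming."""
    problems = []
    for a_label, a_dir, b_label, b_dir in (
            ("Incoming", a.incoming, "Outgoing", b.outgoing),
            ("Outgoing", a.outgoing, "Incoming", b.incoming)):
        if a_dir != b_dir:   # frozen dataclasses compare field by field
            problems.append(f"{a.name} {a_label} does not match {b.name} {b_label}")
    return problems


def validate_pair(a: ManualPolicy, b: ManualPolicy) -> List[str]:
    """All problems found for the pair; an empty list means the pair is consistent."""
    return key_problems(a) + key_problems(b) + crossmatch_problems(a, b)


# Constructed sample: Gateway A and Gateway B configured correctly.
GOOD_A = ManualPolicy(
    "GatewayA",
    incoming=Direction("SHA1", "abcdefghijklmnopqrst"),   # 20 characters
    outgoing=Direction("MD5", "0123456789abcdef"))        # 16 characters
GOOD_B = ManualPolicy(
    "GatewayB",
    incoming=GOOD_A.outgoing,    # B receives what A sends
    outgoing=GOOD_A.incoming)    # B sends what A receives

# Constructed sample with two typical mistakes: a SHA-1 key that is only
# 16 characters long, and B's Outgoing copied from A's Outgoing instead
# of A's Incoming.
BAD_A = ManualPolicy(
    "GatewayA",
    incoming=Direction("SHA1", "abcdefghijklmnop"),
    outgoing=Direction("MD5", "0123456789abcdef"))
BAD_B = ManualPolicy(
    "GatewayB",
    incoming=BAD_A.outgoing,
    outgoing=BAD_A.outgoing)


if __name__ == "__main__":
    for label, pair in (("good", (GOOD_A, GOOD_B)), ("bad", (BAD_A, BAD_B))):
        print(label, validate_pair(*pair) or "OK")
```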
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the signed public key and the private key enables the CA process to eliminate ‘man in the middle’ security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the CA’s certificate to authenticate. Each CA has its own certificate.

1. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed.

Figure 6-5: VPN Wizard Start Screen

2. Fill in the Connection Name, pre-shared key, and select the type of target end point, and click Next to proceed.

3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.

Figure 6-7: Remote IP

4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next.

Figure 6-8: Secure Connection Remote Accessibility

The Summary screen below displays.

Figure 6-9: VPN Wizard Summary

To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings the VPN Wizard used, click the “here” link.

5. Click Done to complete the configuration procedure. The VPN Settings menu displays, showing that the new tunnel is enabled. To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit.
• VPN Consortium Scenarios without any product implementation details
• VPN Consortium Scenarios based on the FVL328 user interface

The purpose of providing these two versions of the same scenarios is to help you determine where the two vendors use different vocabulary. Seeing the examples presented in these different ways will reveal how systems from different vendors do the same thing.

The IKE Phase 1 parameters used in Scenario 1 are:
• Main mode
• TripleDES
• SHA-1
• MODP group 2 (1024 bits)
• pre-shared secret of "hr5xb84l6aa9r6"
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kbytes rek

FVL328 Scenario 1: How to Configure the IKE and VPN Policies

Note: This scenario assumes all ports are open on the FVL328. You can verify this by reviewing the security settings as seen in the Rules menu.

Use this scenario illustration and configuration screens as a model to build your configuration.

Figure: Scenario 1 topology (FVL328 Gateway A: 10.5.6.1/24 LAN IP, 14.15.16.17 WAN IP; Gateway B: 22.23.24.25 WAN IP, 172.23.9. LAN)

Figure 6-12: FVL328 Internet IP Address menu (callout: WAN IP addresses – ISP provides these addresses)

b. Select whether to enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it.

d. From the main menu Advanced section, click the LAN IP Setup link.
e. Configure the LAN IP address according to the settings in Figure 6-11 above and click Apply to save your settings. For more information on LAN TCP/IP setup topics, please see “How to Configure LAN TCP/IP Settings and View the DHCP Log” on page 4-3.

a. From the main menu VPN section, click the IKE Policies link, and then click the Add button to display the screen below.

Figure 6-13: Scenario 1 IKE Policy

b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings. For more information on IKE Policy topics, please see “IKE Policies’ Automatic Key and Authentication Management” on page 6-3.

4. Set up the FVL328 VPN - Auto Policy illustrated below.
a. From the main menu VPN section, click the VPN Policies link, and then click the Add Auto Policy button.

Figure 6-14: Scenario 1 VPN - Auto Policy

b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.

5. After applying these changes, you will see a table entry like the one below.

Figure 6-15: VPN Policies table

Now all traffic from the range of LAN IP addresses specified on FVL328 A and FVL328 B will flow over a secure VPN tunnel.

How to Check VPN Connections

You can test connectivity and view VPN status information on the FVL328.
1.

2. To test connectivity between the FVL328 Gateway A and Gateway B WAN ports, follow these steps:
a. Using our example, log in to the FVL328 on LAN A, go to the main menu Maintenance section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B.
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.
b. Save the certificate as a text file called trust.txt.

2. Install the trusted CA certificate for the Trusted Root CA.
a.

b. Click the Generate Request button to display the screen illustrated in Figure 6-17 below.

Figure 6-17: Generate Self Certificate Request menu

c. Fill in the fields on the Add Self Certificate screen.
• Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name other organizations will see as the holder (owner) of this certificate.

d. Click the Next button to continue. The FVL328 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file.

Figure 6-18: Self Certificate Request data

4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA.

Figure 6-19: Self Certificate Requests table

5. Receive the certificate back from the Trusted Root CA and save it as a text file.
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply email it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt.

6. Upload the new certificate.
a.

f. You will now see the “FVL328” entry in the Active Self Certificates table and the pending “FVL328” Self Certificate Request is gone, as illustrated below.

Figure 6-20: Self Certificates table

7. Associate the new certificate and the Trusted Root CA certificate on the FVL328.
a.

Now, the traffic from devices within the range of the LAN subnet addresses on FVL328 Gateway A and Gateway B will be authenticated using the certificates and generated keys rather than via a shared key.

8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.
Chapter 7
Managing Your Network

This chapter describes how to perform network management tasks with your FVL328 Prosafe High Speed VPN Firewall.

Protecting Access to Your FVL328 Firewall

For security reasons, the firewall has its own user name and password. Also, after a set period of inactivity, the administrator login will automatically disconnect. You can use the procedures below to change the firewall's password and the amount of time for the administrator’s login timeout.
Figure 7-1: Set Password menu

3. To change the password, first enter the old password, then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the firewall settings previously, you should do a new backup so that the saved settings file includes the new password.

Internet Traffic

Figure 7-2: Internet Traffic

Internet Traffic Limit
• Enable WAN Port Traffic Meter—Check this if you wish to record the volume of Internet traffic passing through the Router's WAN port.

Note: Enter a Monthly Limit if Traffic Limit is enabled; otherwise, the default limit is 0 MB and there will be no Internet access allowed.
• Restart traffic counter—This determines when the traffic counter restarts. Choose the desired time and day of the month.
• Restart Counter Now—Click this button to restart the Traffic Counter immediately.

Traffic by Protocol
Click this button if you want to know more details of the Internet Traffic. The volume of traffic for each protocol will be displayed in a sub-window.

Figure 7-3: Internet Traffic by Protocol

Network Database

The Network Database is an automatically-maintained list of all known PCs and network devices.

Figure 7-4: Network Database

Advantages of the Network Database
• Generally, you do not need to enter either IP address or MAC addresses.
• Instead, you can just select the desired PC or device.
• No need to reserve an IP address for a PC in the DHCP Server.

Known PCs and Devices
This table lists all current entries in the Network Database. For each PC or device, the following data is displayed.
• Radio button – Use this to select a PC for editing or deletion.
• Name – The name of the PC or device. Sometimes, this cannot be determined, and will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
• IP Address – The current IP address.

Network Management

The FVL328 provides remote management access and a variety of status and usage information which is discussed below.

How to Configure Remote Management

Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVL328 Prosafe High Speed VPN Firewall.
Note: Be sure to change the router's default password to a very secure password.

6.
7. The IP Address to connect to this device is used to manage this router via the Internet. You need its public IP Address, as seen from the Internet. This public IP Address is allocated by your ISP, and is shown here. But if your ISP account uses a Dynamic IP Address, the address can change each time you connect to your ISP. There are 2 solutions to this problem:
a. Have your ISP allocate you a Fixed IP address.
b.

Figure 7-5: Router Status screen

The Router Status menu provides a limited amount of status and usage information. This screen shows the following parameters:

Table 7-1. Router Status Fields
System Name – This field displays the Host Name assigned to the firewall in the Basic Settings menu.
Firmware Version – This field displays the firewall firmware version.

Table 7-1. Router Status Fields (continued)
IP Subnet Mask – This field displays the IP Subnet Mask being used by the Local (LAN) port of the firewall. The default is 255.255.255.
WAN Port – These parameters apply to the Internet (WAN) port of the firewall.
Network Address Translation (NAT) – NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address.

Table 7-2. Router Statistics Fields
System up Time – The time elapsed since the last power cycle or reset.
WAN or LAN Port – The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen displays:
Status – The link status of the port.
TxPkts – The number of packets transmitted on this port since reset or manual clear.

If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.

Viewing, Selecting, and Saving Logged Information

The firewall logs security-related events such as denied incoming service requests, hacker probes, and administrator logins.

Log entries are described below:

Table 7-9: Security Log entry descriptions
Date and Time – The date and time the log entry was recorded.
Description or Action – The type of event and what action was taken, if any.
Source IP – The IP address of the initiating device for this log entry.
Source port and interface – The service port number of the initiating device, and whether it originated from the LAN or WAN.

• All Outgoing TCP/UDP/ICMP traffic
• Other IP traffic — if selected, all other traffic (IP packets which are not TCP, UDP, or ICMP) is logged
• Router operation (start up, get time, etc.) — if selected, Router operations, such as starting up and getting the time from the Internet Time Server, are logged.

Figure 7-11: E-mail notification menu

To enable E-mail notification, configure the following fields:
• Turn e-mail notification on – Select this check box if you want to receive e-mail logs and alerts from the firewall.
• Your outgoing mail server – Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program.
• Send logs according to this schedule – Specify how often to send the logs: None, Hourly, Daily, Weekly, or When Full.
– Day for sending log – Specify which day of the week to send the log. Relevant when the log is sent weekly or daily.
– Time for sending log – Specify the time of day to send the log. Relevant when the log is sent daily or weekly.

Figure 7-12: Settings Backup menu

3. Click Backup to save a copy of the current settings.
4. Store the .cfg file on a computer on your network.

How to Restore a Configuration from a File

1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever Password and LAN address you have chosen for the firewall.
2.

2. The firewall will then reboot automatically. After an erase, the firewall's password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client will be enabled.
Note: To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the firewall. See “How to Use the Default Reset Button” on page 8-7.

• Perform a DNS Lookup to test if an Internet name resolves to an IP address to verify that the DNS server configuration is working.
• Display the Routing Table to identify what other routers the router is communicating with.
• Reboot the Router to enable new network configurations to take effect or to clear problems with the router’s network connection.

Figure 7-14: Router Upgrade menu

4. In the Router Upgrade menu, click Browse to locate the binary (.BIN or .IMG) upgrade file.
5. Click Upload.
Note: Do not interrupt the process of uploading software to the firewall by closing the window, clicking a link, or loading a new page. Interrupting the upgrade may corrupt the software. When the upload is complete, your firewall will automatically restart.
Chapter 8
Troubleshooting

This chapter gives information about troubleshooting your FVL328 Prosafe High Speed VPN Firewall. For the common problems listed, go to the section indicated.
• Is the firewall on?
• Have I connected the firewall correctly? Go to “Basic Functions” on page 8-1.
• I can’t access the firewall’s configuration with my browser. Go to “Troubleshooting the Web Configuration Interface” on page 8-3.
• I’ve configured the firewall but I can’t access the Internet.

a. The Test LED is not lit.
b. The Local port Link LEDs are lit for any local ports that are connected.
c. The Internet Link port LED is lit.
If a port’s Link LED is lit, a link has been established to the connected device. If a port is connected to a 100 Mbps device, verify that the port’s 100 LED is lit. If any of these conditions does not occur, refer to the appropriate following section.

Local or Internet Port Link LEDs Not On

If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following:
• Make sure that the Ethernet cable connections are secure at the firewall and at the hub or computer.
• Make sure that power is turned on to the connected hub or computer.

• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.

If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following:
• Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you may have incorrectly set the login name and password.
• Your ISP may check for your computer's host name.

How to Test the LAN Path to Your Firewall

You can ping the firewall from your computer to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example: ping 192.168.0.1
3. Click OK.

PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
— Check that your PC has the IP address of your firewall listed as the default gateway.

1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
2. Release the Default Reset button and wait for the firewall to reboot.

Problems with Date and Time

The E-mail menu in the Security section displays the current date and time of day. The FVL328 Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet.
Appendix A
Technical Specifications

This appendix provides technical specifications for the FVL328 Prosafe High Speed VPN Firewall.

Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)

Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.

Meets requirements of:
FCC Part 15 Class B
VCCI Class B
EN 55 022 (CISPR 22), Class B

Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10BASE-T or 100BASE-Tx, RJ-45

Certifications
Firewall: ICSA Certified, Small/Medium Business (SMB) Category version 4.
Appendix B
Networks, Routing, and Firewall Basics

This appendix provides an overview of IP networks, routing, and firewalls.

Related Publications

As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.

Routing Information Protocol

One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVL328 Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols.

Figure 8-1: Three Main Address Classes (Class A, Class B and Class C network/node layouts)

The five address classes are:
• Class A – Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
• Class B – Class B addresses can have up to 65,354 hosts on a network.

This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.

Subnet addressing allows us to split one IP network address into multiple smaller physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers, translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below.

Table 8-1. Netmask Notation Translation Table for One Octet
Number of Bits   Dotted-Decimal Value
1                128
2                192
3                224
4                240
5                248
6                252
7                254
8                255

The following table displays several common netmask values in both the dotted-decimal and the masklength formats.

Table 8-2. Netmask Formats
Dotted-Decimal     Masklength
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.

When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address. In order for this scheme to work, all devices on the segment must agree on which bits comprise the host address.
• So that a local router or bridge recognizes which addresses are local and which are remote.
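As an added example (not code from the manual), the following Python functions carry out the arithmetic behind Table 8-1 and Table 8-2, the network address (host bits all zero) and broadcast address (host bits all one) described in the text, the subnet split of a Class B address, and the class lookup of Figure 8-1. The Class B and C first-octet boundaries used in address_class are the standard classful ranges, not taken from this page; all sample addresses are constructed.

```python
"""Netmask, subnet and address-class helpers.

Added example, not part of the NETGEAR manual.  Implements the
conversions shown in Table 8-1 / Table 8-2 and the network, broadcast and
classful rules described in the surrounding text.  Sample addresses are
constructed for illustration.
"""
import ipaddress
from typing import Tuple


def octet_from_bits(bits: int) -> int:
    """Table 8-1: dotted-decimal value of one octet with `bits` leading one-bits."""
    if not 0 <= bits <= 8:
        raise ValueError("an octet has 0..8 mask bits")
    return (0xFF << (8 - bits)) & 0xFF          # 1 -> 128, 2 -> 192, ..., 8 -> 255


def netmask_from_masklength(length: int) -> str:
    """Table 8-2: masklength such as 25 -> dotted-decimal '255.255.255.128'."""
    if not 0 <= length <= 32:
        raise ValueError("masklength must be 0..32")
    octets, remaining = [], length
    for _ in range(4):
        bits = min(8, remaining)                # fill each octet left to right
        octets.append(str(octet_from_bits(bits)))
        remaining -= bits
    return ".".join(octets)


def masklength_from_netmask(mask: str) -> int:
    """Reverse of Table 8-2; rejects a mask whose one-bits are not contiguous."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a valid (contiguous) netmask")
    return ones


def network_and_broadcast(ip: str, masklength: int) -> Tuple[str, str]:
    """Host bits all zero = network address; host bits all one = broadcast address."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - masklength)) & 0xFFFFFFFF
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(network)), str(ipaddress.IPv4Address(broadcast))


def usable_hosts(masklength: int) -> int:
    """Hosts per network, excluding the network and broadcast addresses."""
    if masklength > 30:
        return 0            # /31 and /32 have no conventional host range
    return 2 ** (32 - masklength) - 2


def address_class(ip: str) -> str:
    """Classful lookup by first octet.  Class A (1-126) is stated in the manual;
    the Class B (128-191) and Class C (192-223) boundaries are the standard ones."""
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"          # 0, 127 (loopback) and the class D/E ranges


def subnet_count(network: str, subnet_bits: int) -> int:
    """Number of subnetworks obtained by borrowing `subnet_bits` node bits,
    as in the text's Class B example (borrow 8 bits -> 256 /24 subnets)."""
    net = ipaddress.ip_network(network, strict=True)
    return sum(1 for _ in net.subnets(prefixlen_diff=subnet_bits))


if __name__ == "__main__":
    print(netmask_from_masklength(26), masklength_from_netmask("255.255.255.192"))
    print(network_and_broadcast("192.168.0.1", 24))
    print(usable_hosts(8), address_class("10.5.6.1"), subnet_count("172.16.0.0/16", 8))
```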
Figure 8-3: Single IP Address Operation Using NAT (private IP addresses assigned by user: 192.168.0.1 through 192.168.0.5 on the LAN; IP address assigned by ISP: 172.21.15.105 toward the Internet)

This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router.

The station with the correct IP address responds with its own MAC address directly to the sending device. The receiving station provides the transmitting station with the required destination MAC address. The IP address data and MAC address data for each station are held in an ARP table. The next time data is sent, the address can be obtained from the address information in the table.

The FVL328 Firewall also functions as a DHCP client when connecting to the ISP. The firewall can automatically obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information by DHCP.

Internet Security and Firewalls

When your LAN connects to the Internet through a router, an opportunity is created for outsiders to access or disrupt your network.

Denial of Service Attack

A hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely flooding your site with more requests than it can handle. A more sophisticated attack may attempt to exploit some weakness in the operating system used by your router or gateway.

10 ft. (3 m) from the wall outlet to the desktop device

The patch panel and other connecting hardware must meet the requirements for 100 Mbps operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point.

Figure B-2: Crossover Twisted-Pair Cable

Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End

Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.

When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs provide an Uplink switch which will exchange the pairs on one port, allowing that port to be connected to another hub using a normal Ethernet cable.
Appendix C Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVL328 Prosafe High Speed VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
LAN Configuration Requirements

For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall that is set to obtain its TCP/IP configuration automatically from the firewall via DHCP. The computer you use must have a Web browser such as Internet Explorer v5 or later or Netscape Communicator v4.7 or later.

Worksheet for Recording Your Internet Connection Information

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).

ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.

Preparing Your Computers for TCP/IP Networking

Computers access the Internet using a protocol called TCP/IP (Transmission Control Protocol/Internet Protocol). Each computer on your network must have TCP/IP installed and selected as its networking protocol. If a Network Interface Card (NIC) is already installed in your PC, TCP/IP is probably already installed as well.
Configuring Windows 95, 98, and Me for TCP/IP Networking

As part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process.

Install or Verify Windows Networking Components

To install or verify the necessary components for IP networking:

Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c. Select the manufacturer and model of your Ethernet adapter, and then click OK.

If you need TCP/IP:
a. Click the Add button.

3. From the components list, select TCP/IP->(your Ethernet adapter) and click Properties.
4. In the IP Address tab, select "Obtain an IP address automatically".
5. Select the Gateway tab.
6. If any gateways are shown, remove them.
7. Click OK.
8. Restart the PC.

Repeat steps 2 through 8 for each PC on your network.

Selecting Windows' Internet Access Method
• The default gateway is 192.168.0.1

Configuring Windows NT, 2000 or XP for IP Networking

As part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process.

Installing or Verifying Windows Networking Components

To install or verify the necessary components for IP networking:

4. Your IP configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
• The IP address is between 192.168.0.2 and 192.168.0.254
• The subnet mask is 255.255.255.0
• The default gateway is 192.168.0.

5. Repeat this for each Macintosh on your network.

MacOS X
1. From the Apple menu, choose System Preferences, then Network.
2. If not already selected, select Built-in Ethernet in the Configure list.
3. If not already selected, select Using DHCP in the TCP/IP tab.
4. Click Save.

Restarting the Network

Once you have set up your computers to work with the firewall, you must restart the network for the devices to communicate correctly. Restart any computer that is connected to the firewall. After configuring all of your computers for TCP/IP networking, restarting them, and connecting them to the local network of your FVL328 Firewall, you are ready to access and configure the firewall.
Appendix D Firewall Log Formats

Action List

Drop: Packet dropped by the firewall's current inbound or outbound rules.
Reset: TCP session reset by the firewall.
Forward: Packet forwarded by the firewall to the next hop based on matching the criteria in the rules table.
Receive: Packet was permitted by the firewall rules and modified prior to being forwarded and/or replied to.
Other Connections and Traffic to this Router

The format is: < PKT_TYPE >

[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 Destination:192.168.0.

The format is: < SRC_IP> < DST_IP>

[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN Destination:172.31.12.

Access Block Site

If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL contains a specified keyword are logged. The format is:

[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites Source:192.168.0.10,LAN - Destination:www.google.

The format is:

[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error IP:192.168.0.

Note that a failed login is recorded as either a Username error or a Password error, so the log distinguishes a wrong account name from a wrong password. Repeated failures from a single IP address are worth alerting on.
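The log formats above are regular enough to parse mechanically. The following is an added example (not NETGEAR code and not part of this manual) that parses the four message families shown in this appendix and derives the two things an analyst wants first: drops and scans per source, and failed administrator logins per address. The sample lines are constructed to match the formats printed above; the blocked-site destination www.example.com and the address 203.0.113.7 are placeholders, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the formats shown in this appendix
# (not captured from a real FVL328).
SAMPLE_LOG = """\
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN Destination:172.31.12.157,135 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites Source:192.168.0.10,LAN - Destination:www.example.com
[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error IP:192.168.0.10
[Fri, 2003-12-05 21:09:40] - Administrator login fail, Password error IP:203.0.113.7
"""

TIMESTAMP = re.compile(r"\[(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] - ")

# One pattern per message family; the timestamp prefix has already been stripped.
# "Source:" is sometimes followed by a space and sometimes not, hence " ?".
RULES = [
    ("icmp", re.compile(
        r"ICMP Packet\[(?P<icmp>[^\]]+)\] - Source: ?(?P<src>[\d.]+) "
        r"Destination: ?(?P<dst>[\d.]+) - \[(?P<action>\w+)\]")),
    ("tcpudp", re.compile(
        r"(?P<proto>TCP|UDP) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) ,(?P<sif>WAN|LAN) "
        r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) ,(?P<dif>WAN|LAN) \[(?P<action>\w+)\]"
        r"(?: - \[(?P<reason>[^\]]+)\])?")),
    ("blocked", re.compile(
        r"Attempt to access blocked sites Source:(?P<src>[\d.]+),(?P<sif>WAN|LAN) - "
        r"Destination:(?P<dst>\S+)")),
    ("admin", re.compile(
        r"Administrator (?P<event>login successful|logout|login fail, (?:Username|Password) error)"
        r" -? ?IP:(?P<src>[\d.]+)")),
]


def parse_line(line):
    """Return a dict describing one log line, or None for a line without a timestamp."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    rest = line[m.end():]
    for kind, pattern in RULES:
        hit = pattern.match(rest)
        if hit:
            return {"ts": m.group("ts"), "kind": kind, **hit.groupdict()}
    return {"ts": m.group("ts"), "kind": "unknown", "raw": rest}


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(records):
    """Aggregate the counts an analyst looks at first."""
    return {
        "drops_by_source": Counter(r["src"] for r in records if r.get("action") == "Drop"),
        "scans_by_source": Counter(r["src"] for r in records if "Scan" in (r.get("reason") or "")),
        "failed_logins_by_ip": Counter(
            r["src"] for r in records
            if r["kind"] == "admin" and r["event"].startswith("login fail")),
        "blocked_sites": Counter(r["dst"] for r in records if r["kind"] == "blocked"),
    }


def alerts(records, fail_threshold=2):
    """Turn the summary into alert strings: any scan, and repeated admin login failures."""
    summary = summarize(records)
    out = [f"port scan from {ip} ({n} events)" for ip, n in summary["scans_by_source"].items()]
    out += [f"{n} failed administrator logins from {ip}"
            for ip, n in summary["failed_logins_by_ip"].items() if n >= fail_threshold]
    return out


if __name__ == "__main__":
    for text in alerts(parse_log(SAMPLE_LOG)):
        print(text)
```

Lines the rules do not recognise are kept as kind "unknown" rather than dropped, so a firmware change in the log format shows up as a spike of unknowns instead of silently emptying the summary.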
Appendix E Virtual Private Networking

There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) with Internet Protocol security (IPSec). IPSec is a complete, widely implemented, standards-based protocol suite for securing data in transit.

• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization's modem pool is one method of access for remote workers, but it is expensive because the organization must pay the associated long-distance telephone and service costs.

• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. Because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header itself (the SPI and sequence number), nor the ESP authentication data appended after the encrypted payload; that authentication data covers the ESP header and the encrypted payload, but not the outer IP header.

Authentication Header (AH)

AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP. Unlike ESP, AH does not encrypt, and its integrity check also covers the fields of the IP header that do not change in transit, which is why AH cannot pass through a NAT device that rewrites addresses.
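To make the ESP layout concrete, here is an added example (not NETGEAR code and not part of this manual) that builds and checks an ESP packet as RFC 2406 lays it out: cleartext SPI and sequence number, encrypted payload plus padding trailer, and a 96-bit HMAC-SHA1 integrity check value that covers the header and ciphertext but not the outer IP header. It also implements the anti-replay window that the "Enable Replay Detection" setting turns on in the VPN client. Assumptions: the cipher is a SHA-256 counter keystream standing in for 3DES-CBC (which is not in the Python standard library), the keys and packets are constructed inline, and all names are this example's own.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): the 20-byte tag is truncated to 96 bits


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Stand-in for 3DES-CBC, which the standard library lacks: a SHA-256 counter
    # keystream keyed per (SPI, sequence number). It only serves to show framing.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi, seq, plaintext, next_header, enc_key, auth_key):
    """Return SPI | seq | E(payload | pad | pad_len | next_header) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4        # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 default pad bytes 1, 2, 3, ...
    body = plaintext + padding + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, spi, seq, len(body))))
    header = struct.pack("!II", spi, seq)        # sent in the clear
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


class ReplayWindow:
    """Sliding bitmap of accepted sequence numbers (RFC 2401 Appendix C)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                          # sequence numbers start at 1
        if seq > self.top:                        # new right edge: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                          # older than the window: stale
        if (self.bitmap >> offset) & 1:
            return False                          # already accepted: replay
        self.bitmap |= 1 << offset
        return True


def esp_decapsulate(packet, enc_key, auth_key, window):
    """Verify ICV, enforce anti-replay, then decrypt. Raises ValueError on rejection."""
    if len(packet) < 8 + ICV_LEN + 2:
        raise ValueError("short packet")
    header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    # Integrity before anything else: the ICV covers header and ciphertext only,
    # so a NAT rewriting the outer IP header does not invalidate it.
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    if not window.check_and_update(seq):          # only authenticated packets move the window
        raise ValueError(f"replayed or stale seq {seq}")
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, spi, seq, len(ciphertext))))
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def decap_error(packet, enc_key, auth_key, window):
    """Return the rejection reason for a packet, or None if it was accepted."""
    try:
        esp_decapsulate(packet, enc_key, auth_key, window)
        return None
    except ValueError as exc:
        return str(exc)


def tamper(packet, index):
    """Flip one bit of a packet (used to show the ICV catching modification)."""
    mutated = bytearray(packet)
    mutated[index] ^= 1
    return bytes(mutated)
```

The order of checks matters: the window is only advanced after the ICV verifies, otherwise an attacker could inject forged packets with high sequence numbers and push legitimate traffic out of the window.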
Mode

SAs operate using modes. A mode is the way in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly.

Key Management

IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can read it. IPSec requires that keys be re-created, or refreshed, frequently, so that the parties can continue to communicate securely with each other.

VPN Process Overview

Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it is a good idea to review some of the terms and the generic process for connecting two gateways before diving into the specifics.
Table 8-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing

Gateway     LAN or WAN       VPNC Example Address
Gateway A   LAN (Private)    10.5.6.1
Gateway A   WAN (Public)     14.15.16.17
Gateway B   LAN (Private)    172.23.9.1
Gateway B   WAN (Public)     22.23.24.25

(The Gateway B rows follow the addressing used in the examples throughout this manual: LAN IP 172.23.9.1 and WAN IP 22.23.24.25.) It will also be important to know the subnet mask of both gateway LAN connections.

Table 8-2.
Figure E-5: VPN Tunnel SA (gateways A and B)

The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a "tunnel." The gateways hold this information so that it does not have to be loaded onto every computer connected to the gateways.

2. IKE Phase I.
a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as pre-shared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties.
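The key-establishing part of Phase I, written out as an added example (not NETGEAR code and not part of this manual): each gateway contributes a Diffie-Hellman public value and a nonce, and the pre-shared key feeds the SKEYID derivation of RFC 2409 section 5, so a key mismatch between the two gateways produces different keys on each side rather than an obvious error. Assumptions: the modulus is the 1024-bit Oakley group 2 prime of RFC 2409 section 6.2, transcribed here and checked for primality at run time; SHA-1 is the IKE prf, matching the SHA-1 Phase 1 hash used in the VPNC parameters; the SA proposal, identity and HASH_I/HASH_R payloads are left out; the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of Oakley group 2 (RFC 2409 section 6.2), transcribed here;
# the generator is 2. is_probable_prime() guards against a transcription slip.
MODP_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; enough to catch a mistyped modulus."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One side of an IKEv1 Main Mode exchange authenticated with a pre-shared key."""

    def __init__(self, psk: bytes, p=MODP_GROUP2_P, g=GENERATOR):
        self.psk, self.p = psk, p
        self.cookie = secrets.token_bytes(8)      # ISAKMP cookie (CKY-I or CKY-R)
        self.nonce = secrets.token_bytes(16)      # Ni or Nr
        self.x = 1 + secrets.randbelow(p - 2)     # private DH exponent
        self.pub = pow(g, self.x, p)              # g^x mod p, sent in the KE payload

    def derive(self, peer_pub, peer_nonce, cky_i, cky_r, initiator):
        if not 1 < peer_pub < self.p - 1:         # reject degenerate public values
            raise ValueError("invalid KE value from peer")
        nbytes = (self.p.bit_length() + 7) // 8
        gxy = pow(peer_pub, self.x, self.p).to_bytes(nbytes, "big")
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        # RFC 2409 section 5.4 (pre-shared keys): SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        skeyid = _prf(self.psk, ni + nr)
        # SKEYID_d keys Phase 2, SKEYID_a authenticates IKE, SKEYID_e encrypts IKE
        skeyid_d = _prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = _prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = _prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
                "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode(psk_initiator, psk_responder):
    """Run the KE/nonce part of Main Mode between two gateways; return both key sets."""
    a, b = IkePeer(psk_initiator), IkePeer(psk_responder)
    # MM_I1/MM_R1 (SA proposal) omitted; MM_I2/MM_R2 carry KE and nonce each way.
    keys_a = a.derive(b.pub, b.nonce, a.cookie, b.cookie, initiator=True)
    keys_b = b.derive(a.pub, a.nonce, a.cookie, b.cookie, initiator=False)
    return keys_a, keys_b


if __name__ == "__main__":
    same, _ = main_mode(b"hr5xb84l6aa9r6", b"hr5xb84l6aa9r6")
    print("SKEYID_d:", same["SKEYID_d"].hex())
```

Because the pre-shared key enters only through SKEYID, a mismatched key does not fail the Diffie-Hellman step; it shows up later when HASH_I and HASH_R do not verify, which is why a bad key typically appears in the logs as a Phase 1 failure after the KE exchange rather than as an immediate rejection.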
VPNC IKE Phase II Parameters

The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (eight hours)

Testing and Troubleshooting

Once you have completed the VPN configuration steps, you can use PCs located behind each of the gateways to ping various addresses on the LAN side of the other gateway.
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVL328

This appendix provides a case study on how to configure a secure IPSec VPN tunnel between a NETGEAR FVS318 or FVM318 and an FVL328. The configuration options and screens for the FVS318 and FVM318 are the same.

Configuration Template

The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process.
Figure F-1: Addressing and Subnet Used for Examples (VPNC Example Network Interface Addressing)

Gateway A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP 14.15.16.17
Gateway B: LAN 172.23.9.0/24, LAN IP 172.23.9.1, WAN IP 22.23.24.25

Step-By-Step Configuration of FVS318 or FVM318 Gateway A

1. Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.
2. Click the VPN Settings link on the left side of the Settings management GUI. Click the radio button of the first available VPN leg (all 8 are available in the example). Click the Edit button below. This takes you to the VPN Settings – Main Mode menu.

– From the Tunnel can access pull-down menu, choose Subnet from local address.
– Type the starting LAN IP address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field.
– Type the finishing LAN IP address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN Finish IP Address field.
– Type the LAN subnet mask of Gateway B (255.255.255.

Figure F-5: NETGEAR FVS318 VPN Settings After Inputting Configuration Info

4. When the screen returns to the VPN Settings, make sure the Enable check box is selected.

Step-By-Step Configuration of FVL328 Gateway B

1. Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.
Figure F-6: NETGEAR FVL328 IKE Policy Configuration – Part 1

– Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN endpoint; it is used to help you manage the IKE policies. In our example we have used FVS318 as the Policy Name.
– In the Policy Name field type FVS318.
– From the Direction/Type drop-down box, select Both Directions.

Figure F-7: NETGEAR FVL328 IKE Policy Configuration – Part 2

3.
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both gateways. (hr5xb84l6aa9r6 is the example key used throughout this manual; a tunnel you deploy should use a long, randomly generated key of its own, since anyone who knows the pre-shared key can authenticate to the gateway.)

Figure F-9: NETGEAR FVL328 VPN – Auto Policy (part 1)

– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used "to318" as the Policy Name.
– In the Policy Name field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step, the FVS318 IKE Policy.
Figure F-10: NETGEAR FVL328 VPN – Auto Policy (part 2)

5.
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
– Type the starting LAN IP address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
– Type the finishing LAN IP address of Gateway A (0.0.0.0 in our example) in the Remote IP Finish IP Address field.
– Type the LAN subnet mask of Gateway A (255.255.255.

Figure F-11: NETGEAR FVL328 VPN Policies Menu (Post Configuration)

6. When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button.

Test the VPN Connection

1. From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the remote FVL328 Gateway B LAN interface address (example address 172.23.9.1).

13:19:02 - FVS318 IPSec:sizeof(connection)=1724 sizeof(state)=10048 sizeof(SA)=732
13:19:42 - FVS318 IPsec:call ipsecdoi_initiate
13:19:42 - FVS318 IPsec:New State index:0, sno:1
13:19:42 - FVS318 IPsec:Initiating Main Mode
13:19:42 - FVS318 IPsec:main_outI1() policy=65
13:19:42 - FVS318 IKE:[toFVL328] Initializing IKE Main Mode
13:19:42 - FVS318 IKE:[toFVL328] TX >> MM_I1 : 22.23.24.
Appendix G NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router

Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVL328. This case study follows the Virtual Private Network Consortium (VPNC) interoperability profile guidelines. The configuration options for the FVL328 and FWAG114 are the same.

Configuration Profile

The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
Figure G-1: Addressing and Subnet Used for Examples

FVL328 gateway: WAN IP 66.120.188.153, LAN 192.168.0.0
PC with NETGEAR ProSafe VPN client: WAN IP 0.0.0.0 (dynamically assigned)

Note: Product updates are available on the NETGEAR Web site at www.netgear.com/support/main.asp. VPNC Interoperability guidelines can be found at http://www.vpnc.org/InteropProfiles.

Step-By-Step Configuration of FVL328 or FWAG114 Gateway
2. Click IKE Policies under the VPN menu and click Add on the IKE Policies Menu.

Figure G-2: NETGEAR FVL328 IKE Policy Configuration

– Enter a descriptive name for the policy in the Policy Name field. This name is not supplied to the remote VPN endpoint; it is used to help you manage the IKE policies. In our example, we used VPNclient as the Policy Name.
– From the Direction/Type drop-down box, select Remote Access.

– For this example we typed FVL328 in the Local Identity Data field.
– From the Remote Identity drop-down box, select Fully Qualified Domain Name.
– Type VPNclient in the Remote Identity Data field. This will also be entered in the NETGEAR ProSafe VPN Client's My Identity ID Type fields, as seen in "My Identity" on page G-9.
– From the Encryption Algorithm drop-down box, select 3DES.

3. Click the VPN Policies link under the VPN category on the left side of the main menu. This takes you to the VPN Policies Menu page. Click Add Auto Policy. This opens a new screen titled VPN – Auto Policy.

Figure G-3: NETGEAR FVL328 VPN – Auto Policy General settings

– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example, we use VPNclient as the Policy Name.
– From the Remote VPN Endpoint Address Type drop-down box, select IP Address.
– Type 0.0.0.0 as the Address Data of the client, because we are assuming the remote PC will have a dynamically assigned IP address. This will also be entered in the NETGEAR ProSafe VPN Client's Internal Network IP Address field, as seen in "My Identity" on page G-9. Note that 0.0.0.0 accepts a Phase 1 negotiation from any source address, so the pre-shared key and the FQDN identities are all that authenticate the remote client.
– Type 86400 in the SA Life Time (Seconds) field.

– From the ESP Configuration Encryption Algorithm drop-down box, select 3DES. This will also be entered in the NETGEAR ProSafe VPN Client's Security Policy Key Exchange (Phase 2) Encrypt Alg field, as seen in "Connection Security Policy Key Exchange (Phase 2)" on page G-12.
– Select Enable Authentication in the ESP Configuration Enable Authentication check box.

This procedure describes linking a remote PC and a LAN. The LAN connects to the Internet using an FVL328 with a static IP address. The PC can be directly connected to the Internet through a dial-up, cable, or DSL modem, or other means, and we will assume it has a dynamically assigned IP address.

1. Install the NETGEAR ProSafe VPN Client software on the PC.
Figure G-5: Security Policy Editor Options menu

Note: If the configuration settings on this screen are not available for editing, go to the Options menu, select Secure, and then Specified Options to enable editing these settings.

From the Edit menu of the Security Policy Editor, click Add, then Connection. A "New Connection" listing appears. Rename the "New Connection" to FVL328.

In this example, select Domain Name as the ID Type, and enter VPNclient. Also, accept the default Internal Network IP Address of 0.0.0.0.

Figure G-7: My Identity

b. Click Pre-Shared Key.
c. Enter hr5xb84l6aa9r6, which is the same Pre-Shared Key entered in the FVL328.
d. Click OK.

Figure G-8: Connection Identity Pre-Shared Key

Figure G-9: Security Policy

b. For this example, ensure that the following settings are configured:
– In the Select Phase 1 Negotiation Mode menu, select Aggressive Mode.
– Select the Enable Perfect Forward Secrecy (PFS) check box.
– In the PFS Key Group drop-down list, select Diffie-Hellman Group 2.
– Select the Enable Replay Detection check box.

• Expand the Security Policy heading, then expand the Authentication (Phase 1) heading, and click on Proposal 1.
• For this example, ensure that the following settings are configured:
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg menu, select SHA-1.
– In the SA Life menu, select Unspecified.
– In the Key Group menu, select Diffie-Hellman Group 2.

Figure G-11: Connection Security Policy Key Exchange (Phase 2)

6. Configure the Global Policy Settings.
a. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.

Figure G-12: Security Policy Editor Global Policy Options

b. Increase the Retransmit Interval period to 45 seconds.
c. Select the Allow to Specify Internal Network Address check box and click OK.

7. Save the VPN Client Settings.
Testing the VPN Connection

You can test the VPN connection in several ways:
• From the client PC to the FVL328
• From the FVL328 to the client PC

These procedures are explained below.

Note: Virus protection or firewall software can interfere with VPN communications.

Once the connection is established, you can access resources of the network connected to the FVL328. Another method is to ping from the remote PC to the LAN IP address of the FVL328. To perform a ping test using our example, start from the remote PC:
1. Establish an Internet connection from the PC.
2. On the Windows taskbar, click the Start button, and then click Run.
3. Type ping -t 192.168.0.1 and click OK.

The Log Viewer screen for a successful connection is shown below:

Figure G-14: Log Viewer screen

A sample Connection Monitor screen for a different connection is shown below:

Figure G-15: Connection Monitor screen

In this example the following connection options apply:
• The FVL328 has a public WAN IP address of 66.120.188.153
• The FVL328 has a LAN IP address of 192.168.0.

Viewing the FVL328 VPN Status and Log Information

Information on the status of the VPN client connection can be viewed by opening the FVL328 VPN Status screen. To view this screen, click the VPN Status link on the FVL328 main menu.
Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328

This appendix provides a case study on how to configure a VPN tunnel between a NETGEAR FVS318 or FVM318 and an FVL328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. The configuration screens and settings for the FVS318 and FVM318 are the same.

Configuration Template

The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
Figure H-1: Addressing and Subnet Used for Examples (VPNC Example Network Interface Addressing)

Gateway A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN FQDN netgear.dyndns.org
Gateway B: LAN 172.23.9.0/24, LAN IP 172.23.9.1, WAN IP 22.23.24.25

Using DDNS and Fully Qualified Domain Names (FQDN)

Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing.
In order to establish VPN connectivity, Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use the DNS hostname for Gateway A provided by a DDNS service provider. Again, the following step-by-step procedures assume that you have already registered with a DDNS service provider and have the configuration information necessary to set up the gateways.

4. Select the Use a dynamic DNS service radio button for the service you are using. In this example we are using www.DynDNS.org as the service provider.
– Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. In this example we are using dyndns.org as the domain suffix.
– Type the User Name for your dynamic DNS account.

Figure H-4: NETGEAR FVS318 VPN Settings (part 1) – Main Mode

– In the Connection Name box, enter a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used toFVL328.
– Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as the Remote IPSec Identifier. In this example we used netgear.dyndns.

– Type the starting LAN IP address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field.
– Type the finishing LAN IP address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN Finish IP Address field.
– Type the LAN subnet mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field.
– Type the WAN IP address (22.23.24.
Figure H-6: NETGEAR FVS318 VPN Settings After Inputting Configuration Info

9. When the screen returns to the VPN Settings, make sure the Enable check box is selected.

Step-By-Step Configuration of FVL328 Gateway B

1. Log in to the NETGEAR FVL328, labeled Gateway B in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.

Figure H-7: NETGEAR FVL328 IKE Policy Configuration – Part 1

– Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN endpoint; it is used to help you manage the IKE policies. In our example we have used FVS318 as the Policy Name.
– In the Policy Name field type FVS318.
– From the Direction/Type drop-down box, select Both Directions.

Figure H-8: NETGEAR FVL328 IKE Policy Configuration – Part 2

3.
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both gateways.

Figure H-10: NETGEAR FVL328 VPN – Auto Policy (part 1)

– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name.
– In the Policy Name field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step, the FVS318 IKE Policy.

Figure H-11: NETGEAR FVL328 VPN – Auto Policy (part 2)

5.
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
– Type the starting LAN IP address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
– Type the finishing LAN IP address of Gateway A (0.0.0.0 in our example) in the Remote IP Finish IP Address field.
– Type the LAN subnet mask of Gateway A (255.255.255.

Figure H-12: NETGEAR FVL328 VPN Policies Menu (Post Configuration)

6. When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button.

Test the VPN Connection

1. From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the remote FVL328 Gateway B LAN interface address (example address 172.23.9.1).
Glossary 10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 3DES 3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys. 802.11b IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz.
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 DHCP See Dynamic Host Configuration Protocol. DMZ A Demilitarized Zone is used by a company that wants to host its own Internet services without sacrificing unauthorized access to its private network. The DMZ sits between the Internet and an internal network's line of defense, usually some combination of firewalls and bastion hosts.
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 IP Address A four-position number uniquely defining each host on the Internet. Ranges of addresses are assigned by Internic, an organization formed for this purpose. Usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57). IPSec Internet Protocol Security. IPSec is a series of guidelines for securing private information transmitted over public networks.
NetBIOS
Network Basic Input Output System. An application programming interface (API) for sharing services and information on local-area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length. NetBIOS is needed to run Microsoft networking functions such as Network Neighborhood.
RFC
Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org.

RIP
See Routing Information Protocol.

router
A device that forwards data between networks. An IP router forwards data based on IP source and destination addresses.

Routing Information Protocol
RIP.
Glossary 6 May 2004, 202-10030-02
Index

A
Account Name 3-7, 3-8, 3-11
Address Resolution Protocol B-8
Addressing E-7
Austria 3-11
Authentication Header (AH) E-3, E-4
Auto MDI/MDI-X B-14
Auto Uplink 2-4, B-14

B
backup configuration 7-17
BigPond 3-11

C

D
Daylight Savings Time 8-8
daylight savings time 5-14
Default DMZ Server 4-7
default reset button 8-7
Denial of Service (DoS) protection 2-3
denial of service attack B-11
DHCP 2-4, 4-2, B-9
DHCP Client ID C-9
DHCP Setup field, Ethernet Setup menu 7-10
Disabling NAT 3-11, 3-12
DMZ Server 4-7

F
Firewall Policies 2-3
FLASH memory 7-20
FQDN 2-3
front panel 2-6
Fully Qualified Domain Name 2-3

G
General 6-4, 6-7, 6-11

H
host name 3-7, 3-8, 3-11

I
IANA
  contacting B-2
IETF B-1
  Web site address B-7
IKE Security Association E-4
IPSec Security Features E-2
ISP C-1

L
LAN IP Setup Menu 4-4
LEDs
  description 2-7
  troubleshooting 8-3
log
  sending 5-15, 7-15
Log Viewer G-15

M
MAC address 8-7, B-8
  spoofing 3-8, 3-12, 8-5
Macintosh
  configuring for IP networking C-9
  DHCP Client ID C-9
MDI/MDI-X B-1

P
package contents 2-6
password
  restoring 8-7
PC, using to configure C-11
ping 4-8
PKIX 6-27
port filtering 5-10
port forwarding
  behind NAT B-8
port numbers 5-4
Port Triggering 2-2
PPP over Ethernet 2-4
PPPoE 2-4, 3-6
PPTP 3-11

S
SA E-4
Scope of Document 1-1
service blocking 5-10
service numbers 5-4
Setup Wizard 3-1
SMTP 5-16, 7-16
spoof MAC address 8-5
stateful packet inspection 2-3, 5-1, B-10
Static Routes 4-3
subnet addressing B-4
subnet mask B-5
Syslog 7-15
Secondary DNS Server

V
Virtual Private Networking 2-2, 2-3
VPN E-1
VPN Consortium E-6
VPN features 2-2
VPN Process Overview E-7
VPN Wizard 2-1
VPNC IKE Phase I Parameters E-10
VPNC IKE Phase II Parameters E-11

W
Windows, configuring for IP routing C-5, C-8
winipcfg utility C-7
World Wide Web 1-iii

Index 4