Reference Manual for the Model FVS318 Broadband ProSafe VPN Firewall NETGEAR, Inc.
© 2003 by NETGEAR, Inc. All rights reserved.
Trademarks: NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Manufacturer's/Importer's Declaration: It is hereby confirmed that the FVS318 Broadband ProSafe VPN Firewall is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The regulation-compliant operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating instructions.
Contents
Chapter 1 About This Manual
Audience ..... 1-1
Scope ..... 1-1
Typographical Conventions ..... 1-2
Special Message Formats .....
Where Do I Get the Internet Configuration Parameters? ..... 3-2
Worksheet for Recording Your Internet Connection Information ..... 3-3
How to Connect the FVS318 VPN Firewall ..... 3-4
Wizard-Detected PPPoE Option ..... 3-9
Wizard-Detected Dynamic IP Option .....
Setting the MTU Size ..... 5-8
Using the Router as a DHCP Server ..... 5-8
How to Specify Reserved IP Addresses ..... 5-9
How to Configure LAN TCP/IP Settings ..... 5-10
How to Configure Dynamic DNS .....
Backing Up, Restoring, or Erasing Your Settings ..... 7-9
How to Back Up the Configuration to a File ..... 7-9
How to Restore a Configuration from a File ..... 7-10
How to Erase the Configuration ..... 7-11
Running Diagnostic Utilities and Rebooting the Router .....
Related Documents ..... B-9
Domain Name Server ..... B-9
IP Configuration by DHCP ..... B-10
Internet Security and Firewalls ..... B-10
What is a Firewall? .....
Restarting the Network ..... C-21
Appendix D Virtual Private Networking
What is a VPN? ..... D-1
What Is IPSec and How Does It Work? ..... D-2
IPSec Security Features .....
Test the VPN Connection ..... F-8
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328
Configuration Profile ..... G-1
The Use of a Fully Qualified Domain Name (FQDN) ..... G-2
Step-By-Step Configuration of FVS318 or FVM318 Gateway A .....
Chapter 1 About This Manual
Congratulations on your purchase of the NETGEAR® FVS318 Broadband ProSafe VPN Firewall. The FVS318 VPN Firewall provides connection for multiple personal computers (PCs) to the Internet through an external broadband access device (such as a cable modem or DSL modem).
Audience
This reference manual assumes that the reader has basic to intermediate computer and Internet skills.
Typographical Conventions
This guide uses the following typographical conventions:
Table 1. Typographical conventions
italics: Emphasis.
bold times roman: User input.
[Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
SMALL CAPS: DOS file and directory names.
How to Use the HTML Version of this Manual
The HTML version of this manual includes these features.
Figure Preface-2: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs. To view the HTML version of the manual, you must have a version 4 or later browser with Java or JavaScript enabled. To use the Favorites feature, your browser must be set to accept cookies.
How to Print this Manual
To print this manual you may choose one of the following several options, according to your needs.
• A “How To ...” Sequence of Steps in the HTML View. Use the Print button on the upper right of the toolbar to print the currently displayed topic.
Chapter 2 Introduction
This chapter describes the features of the NETGEAR FVS318 Broadband ProSafe VPN Firewall.
About the FVS318
The FVS318 is a complete security solution that protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVS318 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection.
• Supports 8 VPN connections.
• Supports industry standard VPN protocols. The FVS318 VPN Firewall supports standard Manual or IKE keying methods, standard MD5 and SHA-1 authentication methods, and standard DES, 3DES, and AES encryption methods. It is compatible with many other VPN products.
• Supports up to 256 bit AES encryption for maximum security.
The firewall incorporates Auto Uplink™ technology. Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration.
Easy Installation and Management
You can install, configure, and operate the FVS318 within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.
What’s in the Box?
The product package should contain the following items:
• FVS318 Broadband ProSafe VPN Firewall
• AC power adapter
• Category 5 (CAT5) Ethernet cable
• Resource CD (SW-10021-01), including:
  — This manual
  — Application Notes, Tools, and other helpful information
• Warranty and registration card
• Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.
These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions
Label / Activity / Description
POWER / On / Power is supplied to the firewall.
TEST / On / The system is initializing.
TEST / Off / The system is ready and running.
100 / On/Blinking / The port is operating at 100 Mbps.
LINK/ACT (Link/Activity) / On/Blinking / The port has detected a link with a connection and is operating at 10 Mbps.
Chapter 3 Connecting the Firewall to the Internet
This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to the Internet, perform basic configuration of your FVS318 Broadband ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection.
What You Will Need Before You Begin
You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
LAN Configuration Requirements
For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP.
Note: Please refer to Appendix C, "Preparing Your Network" for assistance with DHCP configuration.
Worksheet for Recording Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
How to Connect the FVS318 VPN Firewall
This section provides instructions for connecting the FVS318 Broadband ProSafe VPN Firewall to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure.
There are three steps to connecting your firewall:
1. Connect the firewall to your network
2. Log in to the firewall
c. Connect the Ethernet cable (A) from your Cable or DSL modem to the FVS318’s Internet port.
Figure 3-2: Connect the Cable or DSL Modem to the firewall
d. Connect the Ethernet cable (B) which came with the firewall from a Local port on the router to your computer.
e. Turn on the Cable or DSL modem and wait about 30 seconds for the lights to stop blinking.
2. Log in to the Firewall
Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. Please refer to Appendix C, "Preparing Your Network" for instructions on how to do this.
a. Turn on the firewall and wait for the Test light to stop blinking.
b. Now, turn on your computer.
A login window opens as shown in Figure 3-5 below:
Figure 3-5: Login window
Note: If you were unable to connect to the firewall, please refer to “Basic Functions” on page 8-1.
d. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall User Name and password for the firewall Password, both in lower case letters.
b. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.
Note: If you choose not to use the Setup Wizard, you can manually configure your Internet connection settings by following the procedure “How to Manually Configure Your Internet Connection” on page 3-13.
Wizard-Detected PPPoE Option
If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-7:
Figure 3-7: Setup Wizard menu for PPPoE login accounts
1. Enter your Account Name (may also be called Host Name) and Domain Name.
If you enter an address here, after you finish configuring the firewall, reboot your PCs so that the settings take effect.
4. Click on Apply to save your settings.
5. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall.
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Worksheet for Recording Your Internet Connection Information” on page 3-3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
How to Manually Configure Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
2. Click the Basic Settings link under the Setup section of the main menu.
3. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below. If your Internet connection does require a login, click Yes, and skip to step 4.
a. Enter your Account Name (may also be called Host Name) and Domain Name.
a. Connections which require a login use protocols such as PPPoE, PPTP, or Telstra Bigpond Cable broadband connections. Select your Internet service provider from the drop-down list.
Figure 3-11: Basic Settings ISP list
b. The screen will change according to the ISP settings requirements of the ISP you select.
c. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 3-7.
Chapter 4 Protecting Your Network
This chapter describes how to use the basic firewall features of the FVS318 Broadband ProSafe VPN Firewall to protect your network.
Protecting Access to Your FVS318 VPN Firewall
For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. When prompted, enter admin for the firewall User Name and password for the firewall Password.
2. From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 4-1.
Figure 4-1: Set Password menu
3. To change the password, first enter the old password, and then enter the new password twice.
4. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration.
The firewall provides a variety of options for blocking Internet based content and communications services. With its content filtering feature, the FVS318 VPN Firewall prevents objectionable content from reaching your PCs. The FVS318 allows you to control access to Internet content by screening for keywords within Web addresses.
2. Click on the Block Sites link of the Security menu.
Figure 4-2: Block Sites menu
3. To block ActiveX, Java, Cookies, or Web Proxy functions for all Internet sites, click the check box next to the function and then click Apply. Be aware that blocking these functions can cause some web sites to not load or function properly.
Up to 32 entries are supported in the Keyword list.
5. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
6. To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a PC that will be exempt from blocking and logging.
• To edit an existing entry, select its button on the left side of the table and click Edit.
• To delete an existing entry, select its button on the left side of the table and click Delete.
3. Modify the menu shown below for defining or editing a service.
Figure 4-4: Add Services menu
The parameters are:
• Service. From this list, select the application or service to be allowed or blocked.
You can select whether the traffic will be logged. The choices are:
• Never - no log entries will be made for this service.
• Always - any traffic for this service type will be logged.
• Match - traffic of this type which matches the parameters and action will be logged.
• Not match - traffic of this type which does not match the parameters and action will be logged.
4. Click Apply to save your changes.
2. Click on the Add Service link of the Security menu to display the Services list shown in Figure 4-5:
Figure 4-5: Services table
• To create a new entry, click the Add Custom Service button.
• To edit an existing entry, select its button on the left side of the table and click Edit.
• To delete an existing entry, select its button on the left side of the table and click Delete.
3. Modify the menu shown below for defining or editing a service.
Figure 4-6: Add Services menu
The parameters are:
• Name. This name will appear in the drop-down list of services to be allowed or blocked in the Add Block Service menu as seen in Figure 4-4 above.
• Type. Choose the type of traffic to be handled: TCP/UDP; TCP; or UDP.
• Start Port. Specify the starting port number here.
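The following is an added example, not code from the manual or from NETGEAR, that models how a custom service (Type, Start Port, End Port) and a Block/Allow Services entry with one of the four log modes decide the fate of a packet. The service definitions, rule order and the `local_net` match parameter are assumptions of this example; the manual names "the parameters" without listing them on this page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One row of the Services table (Add Custom Service menu)."""
    name: str
    proto: str          # Type: "TCP/UDP", "TCP" or "UDP"
    start_port: int     # Start Port
    end_port: int       # End Port

    def covers(self, proto: str, port: int) -> bool:
        """True if a packet with this protocol and destination port belongs to the service."""
        return self.proto in ("TCP/UDP", proto) and self.start_port <= port <= self.end_port


@dataclass(frozen=True)
class Rule:
    """One Block/Allow Services entry. local_net is an assumed parameter standing in
    for the rule's other match criteria, which this page does not list."""
    service: Service
    action: str         # "ALLOW" or "BLOCK"
    log: str            # "Never", "Always", "Match" or "Not match"
    local_net: str = "0.0.0.0/0"


def evaluate(rules, proto, port, local_ip, default_action="ALLOW"):
    """Return (action, logged) for one outbound packet.

    The first rule whose service covers the packet decides (ordering is assumed).
    Log modes as the manual describes them:
      Never     - nothing is logged for this service
      Always    - every packet of this service type is logged
      Match     - logged only when the packet also matches the rule's parameters
      Not match - logged only when a packet of this service type does not match them
    """
    for rule in rules:
        if not rule.service.covers(proto, port):
            continue
        matched = ipaddress.ip_address(local_ip) in ipaddress.ip_network(rule.local_net)
        action = rule.action if matched else default_action
        logged = (rule.log == "Always"
                  or (rule.log == "Match" and matched)
                  or (rule.log == "Not match" and not matched))
        return action, logged
    return default_action, False


# Constructed services and rules for the demonstration.
WEB = Service("HTTP", "TCP", 80, 80)
FTP = Service("FTP", "TCP", 21, 21)
DNS = Service("DNS", "TCP/UDP", 53, 53)
RULES = [
    Rule(WEB, "BLOCK", "Match", "192.168.0.0/25"),   # block web for the lower half of the LAN, log hits
    Rule(FTP, "BLOCK", "Always"),                    # block FTP for everyone, log every attempt
    Rule(DNS, "ALLOW", "Never"),
]

if __name__ == "__main__":
    for pkt in (("TCP", 80, "192.168.0.10"), ("TCP", 80, "192.168.0.200"),
                ("TCP", 21, "192.168.0.200"), ("UDP", 80, "192.168.0.10")):
        print(pkt, "->", evaluate(RULES, *pkt))
```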
Setting Times and Scheduling Firewall Services
The FVS318 VPN Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.
How to Set Your Time Zone
In order to localize the time for your log entries, you must specify your Time Zone:
3. Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end.
Chapter 5 Advanced WAN and LAN Configuration
This chapter describes how to configure the advanced features of your FVS318 Broadband ProSafe VPN Firewall.
Configuring Advanced WAN Settings
The FVS318 Broadband ProSafe VPN Firewall provides a variety of advanced features, such as:
• Setting up a Demilitarized Zone (DMZ) Server.
• Port forwarding for enabling networked gaming and various Internet services.
Incoming traffic from the Internet is normally discarded by the Firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. From the Main Menu of the browser interface, under Advanced, click on Ports to view the port forwarding menu, shown in Figure 5-1.
Figure 5-1: Port Forwarding Menu
Respond to Ping on Internet WAN Port
If you want the Firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your Firewall to be discovered.
How to Clear a Port Assignment
To edit or eliminate a port assignment entry:
1. Click the button next to that port in the table.
2. Click Delete or Edit.
3. Click Apply.
Local Web and FTP Server Example
If a local PC with a private IP address of 192.168.0.33 acts as a Web and FTP server, configure the Ports menu to forward HTTP (port 80) and FTP (port 21) to local address 192.168.0.
3. Change the beginning port number in the Start Port box. For these games, use the supplied number in the default listing and add +1 for each additional computer. For example, if you've already configured one computer to play Hexen II (using port 26900), the second computer's port number would be 26901, and the third computer would be 26902.
4. Type the same port number in the End Port box that you typed in the Start Port box.
How to Enable UPnP
1. Log in to the Firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the Firewall.
2. Click the LAN IP Setup link from the Advanced section of the main menu to display the menu shown in Figure 5-3.
Figure 5-2: Enabling UPnP via the LAN IP Setup Menu
Understanding LAN TCP/IP Setup Parameters
The Firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The Firewall’s default LAN IP configuration is:
• LAN IP address: 192.168.0.1
• Subnet mask: 255.255.255.0
These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications.
Note: If you change the LAN IP address of the Firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.
Setting the MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes. For some ISPs, particularly some using PPPoE, your router will need to automatically reduce the MTU.
The Firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address is the Firewall’s LAN IP address
• Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu; otherwise, the Firewall’s LAN IP address
• Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
• WINS S
How to Configure LAN TCP/IP Settings
1. Log in to the Firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the Firewall.
2. From the Main Menu, under Advanced, click the LAN IP Setup link to view the menu, shown in Figure 5-3.
Figure 5-3: LAN IP Setup Menu
How to Configure Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently.
3. Access the website of one of the dynamic DNS service providers whose names appear in the ‘Use a dynamic DNS service’ list, and register for an account. For example, for oray.net, click the link or go to www.oray.net.
4. Select the Use a dynamic DNS service radio button for the service you are using.
5. Type the FQDN that your dynamic DNS service provider gave you. If the URL the dynamic DNS service provider gave you is YourName.Ng.
When you first configured your Firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your Firewall will forward your request to the ISP.
a. Click the Edit button to open the Edit Menu, shown in Figure 5-6.
Figure 5-6: Static Route Entry and Edit Menu
b. Type a route name for this static route in the Route Name box under the table. This is for identification purpose only.
c. Select Active to make this route effective.
d. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
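As an added illustration (not the firewall's own code), the routing lookup below reproduces the situation the manual describes: the two implicit routes (default via the ISP, 192.168.0.x via the LAN) send 134.177.0.0 traffic to the ISP until a more specific static route is added, and a route marked Private is left out of what RIP reports. The ISP gateway 10.1.1.1 and the LAN-side router 192.168.0.254 are constructed placeholders.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match lookup over entries like the firewall's Static Routes table."""

    def __init__(self):
        self.routes = []   # each entry: (network, gateway, name, active, private)

    def add(self, name, destination, mask, gateway, active=True, private=False):
        """Add one route as the Static Route menu records it (Route Name, Destination,
        Subnet Mask, Gateway, Active, Private)."""
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        self.routes.append((net, ipaddress.ip_address(gateway), name, active, private))

    def lookup(self, dest_ip):
        """Return (route name, gateway) for the most specific active route, or None."""
        ip = ipaddress.ip_address(dest_ip)
        best = None
        for net, gw, name, active, _private in self.routes:
            if active and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, name)
        return None if best is None else (best[2], str(best[1]))

    def rip_advertised(self):
        """Names of routes RIP would report: active and not marked Private."""
        return [name for _net, _gw, name, active, private in self.routes
                if active and not private]


def initial_table(isp_gateway="10.1.1.1"):
    """The two implicit routes created at first configuration.
    The ISP gateway address is a constructed placeholder."""
    rt = RoutingTable()
    rt.add("Default", "0.0.0.0", "0.0.0.0", isp_gateway)
    rt.add("LAN", "192.168.0.0", "255.255.255.0", "192.168.0.1")
    return rt


def with_branch_route(isp_gateway="10.1.1.1"):
    """Same table plus a static route sending 134.177.0.0/16 to a router on the LAN
    (192.168.0.254 is constructed), marked Private so RIP does not report it."""
    rt = initial_table(isp_gateway)
    rt.add("Branch", "134.177.0.0", "255.255.0.0", "192.168.0.254", private=True)
    return rt


if __name__ == "__main__":
    print("implicit routes only:", initial_table().lookup("134.177.10.20"))
    print("with static route:   ", with_branch_route().lookup("134.177.10.20"))
    print("reported in RIP:     ", with_branch_route().rip_advertised())
```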
Chapter 6 Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVS318 VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Overview of VPN Configuration
Two common scenarios for configuring VPN tunnels are between two or more networks, and between a remote computer and a network.
VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running VPN client software. The FVS318 VPN Firewall router on your network is the other tunnel endpoint.
• The FVS318 VPN Firewall supports up to eight concurrent tunnels.
These scenarios are described below.
Note: The FVS318 VPN Firewall uses industry standard VPN protocols.
— Manual Keys: Does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is much more complex and there are more opportunities for errors or configuration mismatches between your FVS318 and the corresponding VPN endpoint gateway or client workstation. You need to configure matching VPN settings on both VPN endpoints.
The FVS318 VPN tunnel network connection fields are defined in the following table.
Table 6-1. VPN network connection configuration fields
Field / Description
Connection Name / The descriptive name of the VPN tunnel. Each tunnel should have a unique name. It is only used to help you identify VPN tunnels.
Local IPSec identifier / Enter a Local IPSec Identifier name for this endpoint.
Configuring a SA Using IKE Main Mode
The most common configuration scenarios will use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate required parameters. The IKE Main Mode settings are introduced below. The IKE Aggressive Mode settings are introduced in the section after this one.
Table 6-1. Security Association Main Mode Configuration Fields
Field / Description
Pre-Shared Key / Specify the key. Any value is acceptable, provided the remote VPN endpoint has the same value in its Pre-Shared Key field.
Key Life / The default is 3600 seconds (one hour).
IKE Life Time / At the end of this time, the connection will drop, the security association will be re-established, and the connection will be reactivated.
The Security Association IKE Aggressive Mode fields are defined in the following table.
Table 6-1. Security Association Aggressive Mode Configuration Fields
Field / Description
Secure Association / Choose Aggressive Mode key exchange mode for this VPN tunnel:
  • IKE Main Mode -- the default.
  • IKE Aggressive Mode -- faster but less secure.
  • Manual Keys -- more control but more complex.
Figure 6-5: IKE - VPN Settings Manual Key Configuration Menu
The Manual Keys configuration fields are defined in the following table.
Table 6-1. VPN Manual Keys Configuration Fields
Field / Description
Secure Association / Choose Manual Keys key exchange mode for this VPN tunnel:
  • IKE Main Mode -- the default.
  • IKE Aggressive Mode -- faster but less secure.
  • Manual Keys -- more control but more complex.
Authentication Protocol / Use this drop-down list to select the authentication protocol:
  • MD5 - the default
  • SHA1 - more secure
Authentication Key / Enter the key.
  • For MD5, the key should be 16 characters.
  • For SHA-1, the key should be 20 characters.
  Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Protocol Key field.
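To show why the manual authentication key has a fixed length and must be identical at both ends, here is an added example (not NETGEAR code) that enforces the 16-character MD5 / 20-character SHA-1 key sizes and computes the integrity check value the way IPsec's HMAC-MD5-96 and HMAC-SHA-1-96 do, then verifies it as the far endpoint would. The keys and payload are constructed sample values.

```python
import hashlib
import hmac

# Authentication key length the Manual Keys menu asks for, in characters (one byte each).
KEY_LEN = {"MD5": 16, "SHA1": 20}
DIGEST = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def check_auth_key(protocol: str, key: str) -> bytes:
    """Reject a manual authentication key whose length does not fit the protocol."""
    want = KEY_LEN[protocol]
    if len(key) != want:
        raise ValueError(f"{protocol} key must be {want} characters, got {len(key)}")
    return key.encode("ascii")


def icv(protocol: str, key: str, packet: bytes) -> bytes:
    """Integrity Check Value over a packet, computed as IPsec's HMAC-MD5-96 /
    HMAC-SHA-1-96 do: keyed hash truncated to the first 96 bits (12 bytes)."""
    return hmac.new(check_auth_key(protocol, key), packet, DIGEST[protocol]).digest()[:12]


def verify(protocol: str, key: str, packet: bytes, received_icv: bytes) -> bool:
    """What the receiving endpoint does: recompute the ICV with its own key and compare
    in constant time. A key mismatch between the two endpoints makes this fail."""
    return hmac.compare_digest(icv(protocol, key, packet), received_icv)


# Constructed sample: a 16-character MD5 key, a 20-character SHA-1 key and a dummy packet.
MD5_KEY = "Ab3dE6gH9jK2mN5p"
SHA1_KEY = "qR7sT0uV3wX6yZ9aB2cD"
PACKET = b"constructed ESP payload, not a real packet"


def demo():
    """Matching keys verify; a key that differs by one character at the far end does not."""
    tag = icv("SHA1", SHA1_KEY, PACKET)
    return (verify("SHA1", SHA1_KEY, PACKET, tag),
            verify("SHA1", "qR7sT0uV3wX6yZ9aB2cE", PACKET, tag))


if __name__ == "__main__":
    print("same key verifies, mismatched key verifies:", demo())
```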
Reference Manual for the Model FVS318 Broadband ProSafe VPN Firewall • Will the local end be any device on the LAN, a portion of the local network (as defined by a subnet or by a range of IP addresses), or a single PC? • Will the remote end be any device on the remote LAN, a portion of the remote network (as defined by a subnet or by a range of IP addresses), or a single PC? • At least one side must have a fixed IP address or you must be using a dynamic DNS service for FQDN configurations.
Reference Manual for the Model FVS318 Broadband ProSafe VPN Firewall How to Configure a Network to Network VPN Tunnel VPN Tunnel A B Figure 6-6: LAN to LAN VPN access through an FVS318 to an FVS318 Follow this procedure to configure a VPN tunnel between two FVS318 VPN Firewalls. The worksheet below shows the settings for this example. A blank worksheet is provided at page 6-31. Table 6-1.
1. Set up the two LANs to have different IP address ranges.

Note: The LAN IP address ranges of each connected network must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x.

This procedure uses the settings in the configuration worksheet above. A blank worksheet you can use to record your settings is provided on page 6-31.

a.
d. Reboot all computers on network A and log back in to FVS318 A at the new address of http://192.168.3.1. The network configuration should now look like this:

Figure 6-8: Network configuration (FVS318 A and FVS318 B joined by a VPN tunnel; addresses shown: 10.0.0.1, 24.0.0.1, 192.168.0.1, 192.168.3.1)

2. Configure the VPN settings on each FVS318.

a.
b. For each FVS318, fill in the Connection Name VPN settings as illustrated above.
• The Connection Names can be the same: VPNAB
• Local IPSec Identifier name in the FVS318 on LAN A: LAN_A
Note: The IPSec names must be unique in this VPN network.
The IKE settings for each end point of the VPN tunnel must match exactly. To configure the IKE settings, enter the following settings in each FVS318:
• Enable Perfect Forward Secrecy.
• For Encryption Protocol, select: DES.
• Enter the Pre-Shared Key. In this example, enter r>T(h4&3@#kB as the Pre-Shared Key. With IKE, a pre-shared key that you make up is used for mutual identification.
c. This will cause a continuous ping to be sent to the first FVS318. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”

Figure 6-11: Ping test results

At this point the connection is established. Now that your VPN connection is working, whenever a PC on the second LAN needs to access an IP address on the first LAN, the Firewalls will automatically establish the connection.
The worksheet below identifies the parameters used in the procedure below. A blank worksheet is at “PC to Network IKE VPN Tunnel Settings Configuration Worksheet” on page 6-32.
Figure 6-13: VPN Edit menu for connecting with a VPN client

b. Fill in the Connection Name VPN settings as illustrated.
• Connection Name: VPNLANPC
• Local IPSec Identifier: LANAPCIPSEC
Note: This IPSec name must not be used in any other SA in this VPN network.
• Remote IPSec Identifier: PCIPSEC
• Remote LAN IP Address: 192.168.100.
• Remote WAN IP Address: 0.0.0.0, since the remote PC has a dynamically assigned IP address. Alternatively, you could use the FQDN of the PC.
Note: If one side has a dynamic IP address and you do not use FQDN, that side must always initiate the connection.

c. Under Secure Association, select Main Mode and fill in the settings below.
• Enable Perfect Forward Secrecy.
Figure 6-14: Security Policy Editor New Connection

b. Add a new connection
• Run the SafeNet Security Policy Editor program and, using the “PC to Network IKE VPN Tunnel Settings Configuration Worksheet” on page 6-17, create a VPN Connection.
• From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies.
c. Configure the Security Policy in the SafeNet VPN Client Software.
• In the Network Security Policy list, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings appear below the connection name.
• Click on the Security Policy subheading to show the Security Policy menu.
d. Configure the Global Policy Settings.

Figure 6-16: Security Policy Editor Global Policy Options

e.
• From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.
• Increase the Retransmit Interval period to 45 seconds.
• Check the Allow to Specify Internal Network Address checkbox and click OK.
Figure 6-17: Security Policy Editor My Identity

f.
• Choose None in the Select Certificate menu.
• Select IP Address in the ID Type menu. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box. Otherwise, leave this box empty. Use 192.168.100.2 for this example.
• In the Internet Interface box, select the adapter you use to access the Internet.
g.
• Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication.
• In the Authentication Method menu, select Pre-Shared key.
• In the Encrypt Alg menu, select the type of encryption to correspond with what you configured for the Encryption Protocol in the FVS318 in Figure 6-13. In this example, use DES.
• In the Hash Alg menu, select MD5.
3. Check the VPN Connection.

To check the VPN Connection, you can initiate a request from the remote PC to the FVS318’s network by using the “Connect” option in the SafeNet menu bar. The SafeNet client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. Another method is to ping from the remote PC to the LAN IP address of the FVS318.
Monitoring the PC VPN Connection Using SafeNet Tools

Information on the progress and status of the VPN client connection can be viewed by opening the SafeNet Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then SafeNet SoftRemote, then either the Connection Monitor or Log Viewer.
• The FVS318 has a public IP WAN address of 134.177.100.11
• The FVS318 has a LAN IP address of 192.168.0.1
• The VPN client PC has a dynamically assigned address of 12.236.5.184
• The VPN client PC is using a “virtual fixed” IP address of 192.168.100.100

While the connection is being established, the Connection Name field in this menu will say “SA” before the name of the connection.
How to Configure Manual Keys as an Alternative to IKE

As an alternative to IKE, you may use Manual Keying, in which you must specify each phase of the connection. Follow the steps to configure Manual Keying.

1. When editing an entry in the VPN Settings menu table, you may select manual keying.
The SPI should be a string of hexadecimal [0-9,A-F] characters, and should not be used in any other Security Association.

Note: For simplicity or troubleshooting, the Incoming and Outgoing SPI can be identical.

4. For Encryption Protocol, select one:

Figure 6-23: VPN encryption options

• Null - Fastest, but no security.
• DES - Faster but less secure than 3DES or AES.
• 3DES - (Triple DES) higher level of security than DES.

5.
8. Click the NETBIOS Enable check box to allow NETBIOS over the VPN tunnel.
9. Click Apply to update the SA in the VPN Settings table.

How to Delete a Security Association

To delete a security association:
1. Log in to the Firewall.
2. Click the VPN Settings link.
3. In the VPN Settings Security Association table, select the radio button for the security association to be deleted.
4. Click the Delete button.
5.
Blank VPN Tunnel Configuration Worksheets

The blank configuration worksheets below are provided to aid you in collecting and recording the parameters used in the VPN configuration procedure.
Table 6-4: PC to Network IKE VPN Tunnel Settings Configuration Worksheet

IKE Tunnel Security Association Settings
Connection Name:
Pre-Shared Key:
Secure Association -- Main Mode, Aggressive Mode, or Manual Keys:
Perfect Forward Secrecy:
Encryption Protocol -- Null, DES, 3DES, or AES -128, -192, or -256:
Key Life in seconds:
IKE Life Time in seconds:

Network
Local IPSec ID
LAN IP Address
Subnet Mask
FQDN or Gateway IP (WAN IP Addre
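Checking a filled-in worksheet pair against the rules this chapter states (settings that must match at both ends, different LAN ranges, unique IPSec identifiers, a fixed address or FQDN on at least one side, and the Manual Keys key lengths and SPI format). This is an added example, not NETGEAR code; the field names follow the worksheet, and the WAN addresses, SPIs and authentication keys in the samples are constructed.

```python
"""Consistency checks for one VPN tunnel's two worksheet columns (one per
end point), applying the rules stated in this chapter. Added example, not
NETGEAR code; all sample values below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional

MODES = ("Main Mode", "Aggressive Mode", "Manual Keys")
ENCRYPTION = ("Null", "DES", "3DES", "AES-128", "AES-192", "AES-256")
AUTH_KEY_LEN = {"MD5": 16, "SHA-1": 20}      # Manual Keys: key length in characters
HEX_SPI = re.compile(r"[0-9A-Fa-f]+")        # SPI: hexadecimal [0-9,A-F] characters


@dataclass
class Endpoint:
    """One FVS318's (or VPN client's) column of the worksheet; names follow it."""
    local_ipsec_id: str
    lan_network: str            # LAN IP Address / Subnet Mask, e.g. "192.168.3.0/24"
    mode: str                   # Secure Association
    encryption: str             # Encryption Protocol
    pfs: bool                   # Perfect Forward Secrecy
    pre_shared_key: str = ""    # IKE modes only
    wan_ip: str = "0.0.0.0"     # 0.0.0.0 = dynamically assigned
    fqdn: Optional[str] = None
    auth_protocol: str = "MD5"  # Manual Keys only, from here down
    auth_key: str = ""
    spi_in: str = ""
    spi_out: str = ""


def check_manual_keys(a: Endpoint, b: Endpoint, spis_in_other_sas) -> list:
    """Manual Keys rules: key length per Authentication Protocol, hex SPIs not reused."""
    found = []
    for e in (a, b):
        need = AUTH_KEY_LEN.get(e.auth_protocol)
        if need is None:
            found.append(f"{e.local_ipsec_id}: unknown Authentication Protocol {e.auth_protocol!r}")
        elif len(e.auth_key) != need:
            found.append(f"{e.local_ipsec_id}: {e.auth_protocol} key must be {need} characters, got {len(e.auth_key)}")
        for label, spi in (("Incoming SPI", e.spi_in), ("Outgoing SPI", e.spi_out)):
            if not HEX_SPI.fullmatch(spi):
                found.append(f"{e.local_ipsec_id}: {label} {spi!r} is not a hexadecimal string")
            elif spi in spis_in_other_sas:
                found.append(f"{e.local_ipsec_id}: {label} {spi!r} is already used by another SA")
    if a.auth_key != b.auth_key:
        found.append("Authentication Key differs between the two ends")
    return found


def check_pair(a: Endpoint, b: Endpoint, spis_in_other_sas=frozenset()) -> list:
    """Return the findings for one tunnel; [] means the two columns agree.
    Entries starting with 'note:' are reminders rather than errors."""
    found = []
    # The settings for each end point of the tunnel must match exactly.
    for name in ("mode", "encryption", "pfs"):
        if getattr(a, name) != getattr(b, name):
            found.append(f"{name} differs between the two ends")
    if a.mode not in MODES:
        found.append(f"unknown Secure Association mode {a.mode!r}")
    if a.encryption not in ENCRYPTION:
        found.append(f"unknown Encryption Protocol {a.encryption!r}")
    # The LAN IP address ranges of the connected networks must be different.
    net_a = ipaddress.ip_network(a.lan_network, strict=False)
    net_b = ipaddress.ip_network(b.lan_network, strict=False)
    if net_a.overlaps(net_b):
        found.append(f"LAN ranges overlap: {net_a} and {net_b}")
    # IPSec identifiers must be unique in the VPN network.
    if a.local_ipsec_id == b.local_ipsec_id:
        found.append(f"Local IPSec Identifier {a.local_ipsec_id!r} is used on both ends")
    # At least one side must have a fixed WAN address or an FQDN; a dynamic
    # side without FQDN must always initiate the connection.
    fixed = [e.wan_ip != "0.0.0.0" or bool(e.fqdn) for e in (a, b)]
    if not any(fixed):
        found.append("neither end has a fixed WAN IP address or an FQDN")
    elif not all(fixed):
        dyn = b if fixed[0] else a
        found.append(f"note: {dyn.local_ipsec_id} is dynamic without FQDN and must always initiate")
    if a.mode == "Manual Keys":
        found += check_manual_keys(a, b, spis_in_other_sas)
    elif not a.pre_shared_key or a.pre_shared_key != b.pre_shared_key:
        found.append("Pre-Shared Key is empty or differs between the two ends")
    return found


def run_samples() -> dict:
    """Constructed worksheet pairs: the chapter's LAN-to-LAN case plus failure cases."""
    psk = "r>T(h4&3@#kB"  # the chapter's example Pre-Shared Key
    lan_a = Endpoint("LAN_A", "192.168.3.0/24", "Main Mode", "DES", True, psk, wan_ip="203.0.113.1")
    lan_b = Endpoint("LAN_B", "192.168.0.0/24", "Main Mode", "DES", True, psk, wan_ip="198.51.100.1")
    pc = Endpoint("PCIPSEC", "192.168.100.0/24", "Main Mode", "DES", True, psk)  # dynamic WAN address
    man_a = Endpoint("LAN_A", "192.168.3.0/24", "Manual Keys", "3DES", False, wan_ip="203.0.113.1",
                     auth_key="0123456789ABCDEF", spi_in="1A2B3C", spi_out="1A2B3C")
    man_b = replace(man_a, local_ipsec_id="LAN_B", lan_network="192.168.0.0/24", wan_ip="198.51.100.1")
    return {
        "lan_to_lan": check_pair(lan_a, lan_b),
        "same_lan_range": check_pair(lan_a, replace(lan_b, lan_network="192.168.3.0/24")),
        "pc_to_network": check_pair(lan_a, pc),
        "manual_short_key": check_pair(man_a, replace(man_b, auth_key="0123456789ABCDE")),
        "manual_spi_reuse": check_pair(man_a, man_b, {"1A2B3C"}),
    }


if __name__ == "__main__":
    for case, findings in run_samples().items():
        print(case, findings or "OK")
```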
Chapter 7
Managing Your Network

This chapter describes how to perform network management tasks with your FVS318 Broadband ProSafe VPN Firewall.

Network Management Information

The FVS318 provides a variety of status and usage information which is discussed below.

Viewing Router Status and Usage Statistics

From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 7-1.
The Router Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, under Maintenance, select Router Status to view the status screen, shown in Figure 7-1. This screen shows the following parameters:

Table 7-1. Menu 3.2 - Router Status Fields

Field: System Name
Description: This field displays the Host Name assigned to the firewall in the Basic Settings menu.
Click on the “Show Statistics” button to display firewall usage statistics, as shown in Figure 7-2 below:

Figure 7-2. Router Statistics screen

This screen shows the following statistics:

Table 7-2. Router Statistics Fields

Field: WAN, LAN, or Serial Port
Description: The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the screen displays:
Status -- The link status of the port.
Viewing Attached Devices

The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown in Figure 7-3.

Figure 7-3: Attached Devices menu

For each device, the table shows the IP address, NetBIOS Host Name, if available, and the Ethernet MAC address.
Viewing, Selecting, and Saving Logged Information

The firewall will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message.
Log entries are described in Table 7-5.

Table 7-5: Security Log entry descriptions

Field: Date and Time
Description: The date and time the log entry was recorded.
Field: Description or Action
Description: The type of event and what action was taken, if any.
Field: Source IP
Description: The IP address of the initiating device for this log entry.
• Router operation (start up, get time, etc.)
• Known DoS attacks and Port Scans

Saving Log Files on a Server

You can choose to write the logs to a PC running a syslog program. To activate this feature, check the box under Syslog and enter the IP address of the server where the log file will be written.

Examples of log messages

Following are examples of log messages.
Enabling Security Event E-mail Notification

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:

Figure 7-7: E-mail menu

• Turn e-mail notification on
Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Your outgoing mail server
Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program. If you leave this box blank, log and alert messages will not be sent via e-mail.
• Send to this e-mail address
Enter the e-mail address to which logs and alerts are sent.
2. From the Maintenance heading of the Main Menu, click the Settings Backup link to display the menu seen in Figure 7-8.

Figure 7-8: Settings Backup menu

3. Click Backup to save a copy of the current settings.
4. Store the .cfg file on a computer on your network.

How to Restore a Configuration from a File

1. Log in to the firewall at its default LAN address of http://192.168.0.
How to Erase the Configuration

It is sometimes desirable to restore the firewall to the factory default settings. This can be done by using the Erase function.
1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen.
2. The firewall will then reboot automatically.

After an erase, the firewall's password will be password, the LAN IP address will be 192.168.0.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router Diagnostics heading to display the menu shown in Figure 7-9.

Figure 7-9: Diagnostics menu

How to Enable Remote Management

Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your NETGEAR Cable/DSL ProSafe VPN Firewall.
4.
a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.
3. From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the menu shown in Figure 7-10.

Figure 7-10: Router Upgrade menu

4.
Chapter 8
Troubleshooting

This chapter gives information about troubleshooting your FVS318 Broadband ProSafe VPN Firewall. For the common problems listed, go to the section indicated.
• Is the firewall on?
• Have I connected the firewall correctly?
Go to “Basic Functions” on page 8-1.
• I can’t access the firewall’s configuration with my browser.
Go to “Troubleshooting the Web Configuration Interface” on page 8-3.
• I’ve configured the firewall but I can’t access the Internet.
If a port’s Link LED is lit, a link has been established to the connected device. If a port is connected to a 100 Mbps device, verify that the port’s 100 LED is lit. If any of these conditions does not occur, refer to the appropriate following section.
• Make sure that power is turned on to the connected hub or PC.
• Be sure you are using the correct cable:
— When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.
• When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
• Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu.
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address. In this case:
Inform your ISP that you have bought a new network device, and ask them to use the firewall’s MAC address.
OR
Configure your firewall to spoof your PC’s MAC address.
Testing the LAN Path to Your Firewall

You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example: ping 192.168.0.1
3. Click on OK.
PING -n 10 <IP address>

where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
— Check that your PC has the IP address of your firewall listed as the default gateway.
1. Turn the firewall off.
2. While pressing the Default Reset button, turn the firewall on.
3. Keep holding the button until the TEST LED turns off (about 10 seconds later), then blinks (about 20 seconds total).

Figure 8-1. Using Reset Button

4. Release the Default Reset button and wait for the firewall to reboot.
Appendix A
Technical Specifications

Technical Specifications

The technical specifications for the FVS318 Broadband ProSafe VPN Firewall are presented in the following table.

Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)

Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.
Electromagnetic Emissions
Meets requirements of:
FCC Part 15 Class B
VCCI Class B
EN 55 022 (CISPR 22), Class B

Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10BASE-T or 100BASE-Tx, RJ-45
Appendix B
Networks, Routing, and Firewall Basics

This chapter provides an overview of IP networks, routing, and firewalls.

Related Publications

As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
Routing Information Protocol

One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVS318 VPN Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols.
Figure B-1: Three Main Address Classes (Class A, Class B, and Class C network and node portions)

The five address classes are:
• Class A
Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
• Class B
Class B addresses can have up to 65,354 hosts on a network.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.
Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below.
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.

Table B-1.
Table B-2. Netmask Formats
255.255.255.254  /31
255.255.255.255  /32

NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons:
• So that hosts recognize local IP broadcast packets
When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.
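The subnet arithmetic described above (borrowing host bits for subnets, the /N notation of Table B-2, network and broadcast addresses, and why hosts on one segment need the same netmask), worked through in code. This is an added example, not from the manual; the host addresses are constructed, and the 16-subnet Class C case is the one the text walks through.

```python
"""Subnet mask arithmetic from Appendix B. Added example, not NETGEAR code;
sample addresses are constructed."""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def prefix_length(mask: str) -> int:
    """Dotted-decimal netmask -> /N (Table B-2), rejecting non-contiguous masks."""
    m = _to_int(mask)
    ones = bin(m).count("1")
    if (ALL_ONES << (32 - ones)) & ALL_ONES != m:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones


def mask_from_prefix(n: int) -> str:
    """/N -> dotted-decimal netmask, e.g. 31 -> 255.255.255.254."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(IPv4Address((ALL_ONES << (32 - n)) & ALL_ONES))


def mask_for_subnet_bits(class_mask: str, subnet_bits: int) -> str:
    """Extend a classful netmask by `subnet_bits` ones: the Table B-1 procedure
    (255.255.255.0 plus 4 subnet bits -> 255.255.255.240, 16 subnets)."""
    return mask_from_prefix(prefix_length(class_mask) + subnet_bits)


def network_and_broadcast(ip: str, mask: str):
    """Host bits all zeros = network address; host bits all ones = local broadcast."""
    a, m = _to_int(ip), _to_int(mask)
    return str(IPv4Address(a & m)), str(IPv4Address(a | (~m & ALL_ONES)))


def usable_hosts(mask: str) -> int:
    """Addresses left for hosts once the network and broadcast addresses are reserved."""
    host_bits = 32 - prefix_length(mask)
    return max(2 ** host_bits - 2, 0)


def enumerate_subnets(network: str, class_mask: str, subnet_bits: int) -> list:
    """Network addresses of every subnet made by borrowing `subnet_bits` host bits."""
    new_mask = mask_for_subnet_bits(class_mask, subnet_bits)
    base = _to_int(network) & _to_int(class_mask)
    step = 1 << (32 - prefix_length(new_mask))   # size of each subnet
    return [str(IPv4Address(base + i * step)) for i in range(1 << subnet_bits)]


def share_broadcast(ip_a: str, mask_a: str, ip_b: str, mask_b: str) -> bool:
    """True only if both hosts derive the same local broadcast address; this is
    what breaks when hosts on one segment are configured with different netmasks."""
    return network_and_broadcast(ip_a, mask_a)[1] == network_and_broadcast(ip_b, mask_b)[1]


if __name__ == "__main__":
    # The text's example: a Class C network split into 16 subnets (4 bits).
    print(mask_for_subnet_bits("255.255.255.0", 4), enumerate_subnets("192.168.0.0", "255.255.255.0", 4))
    print(network_and_broadcast("192.168.0.130", "255.255.255.240"), usable_hosts("255.255.255.240"))
```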
Single IP Address Operation Using NAT

In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS318 VPN Firewall employs an address-sharing method called Network Address Translation (NAT).
MAC Addresses and Address Resolution Protocol

An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer.
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.
What is a Firewall?

A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Table B-1. UTP Ethernet cable wiring, straight-through
Pin  Wire color    Signal
1    Orange/White  Transmit (Tx) +
2    Orange        Transmit (Tx) -
3    Green/White   Receive (Rx) +
4    Blue
5    Blue/White
6    Green         Receive (Rx) -
7    Brown/White
8    Brown

Category 5 Cable Quality

Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.
Inside Twisted Pair Cables

For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually media-dependent interface ports, called MDI or uplink ports.
Figure B-6: Category 5 UTP Cable with Male RJ-45 Plug at Each End

Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
The FVS318 VPN Firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration.
Appendix C
Preparing Your Network

This appendix describes how to prepare your network to connect to the Internet through the FVS318 Broadband ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
• All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided with your operating system or networking software to install TCP/IP on your computer.

In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.

Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c.
3. If you need Client for Microsoft Networks:
a. Click the Add button.
b. Select Client, and then click Add.
c. Select Microsoft.
d. Select Client for Microsoft Networks, and then click OK.

Restart your PC for the changes to take effect.
• Verify the following settings as shown:
– Client for Microsoft Network exists
– Ethernet adapter is present
– TCP/IP is present
– Primary Network Logon is set to Windows logon
• Click on the Properties button. The following TCP/IP Properties window will display.
• By default, the IP Address tab is open on this window.
• Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
• Click OK to continue.
• Restart the PC.

Repeat these steps for each PC with this version of Windows on your network.
2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things) your IP address, subnet mask, and default gateway.
3. From the drop-down box, select your Ethernet adapter.
DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4

You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.

DHCP Configuration of TCP/IP in Windows XP

Open your Network Connections window.
• Select Network from the Windows XP new Start Menu.
• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. Administrator logon access rights are needed to use this window.
• Click the Properties button to view details about the connection.
• The TCP/IP details are presented on the Support tab page.
• Verify that the Obtain an IP address automatically radio button is selected.
• Verify that the Obtain DNS server address automatically radio button is selected.
• Click the OK button.

This completes the DHCP configuration of TCP/IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections.
• Right click on Local Area Connection and select Properties.
• The Local Area Connection Properties dialog box appears.
• Verify that you have the correct Ethernet card selected in the Connect using: box.
• With Internet Protocol (TCP/IP) selected, click on the Properties button to open the Internet Protocol (TCP/IP) Properties dialogue box.
• Verify that
– Obtain an IP address automatically is selected.
– Obtain DNS server address automatically is selected.
• Click OK to return to Local Area Connection Properties.
• Click OK again to complete the configuration process for Windows 2000.
• Restart the PC.
DHCP Configuration of TCP/IP in Windows NT4

Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0.
• Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
• Double-click the Network icon in the Control Panel window. The Network panel will display.
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
• The TCP/IP Properties dialog box now displays.
• Click the IP Address tab.
• Select the radio button marked Obtain an IP address from a DHCP server.
• Click OK. This completes the configuration of TCP/IP in Windows NT.
• Restart the PC.

Repeat these steps for each PC with this version of Windows on your network.
1. On the Windows taskbar, click the Start button, and then click Run. The Run window opens.
2. Type cmd and then click OK. A command window opens.
3. Type ipconfig /all
Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway:
4.
• The IP address is between 192.168.0.2 and 192.168.0.
The TCP/IP Control Panel opens:
2. From the “Connect via” box, select your Macintosh’s Ethernet interface.
3. From the “Configure” box, select Using DHCP Server. You can leave the DHCP Client ID box empty.
4. Close the TCP/IP Control Panel.
5. Repeat this for each Macintosh on your network.
MacOS X
1. From the Apple menu, choose System Preferences, then Network.
2.
Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
• The IP Address is between 192.168.0.
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
• An IP address and subnet mask
• A gateway IP address, which is the address of the ISP’s router
• One or more domain name server (DNS) IP addresses
• Host name and domain suffix
For example, your account’s full server names may look like this: mail.xxx.yyy.com
In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
7.
Restarting the Network
Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall.
1. Turn off the modem, router, and PCs.
2. Turn on the modem.
3. Wait until the indicator lights on the modem show that it is synchronized with the broadband network.
4.
Appendix D Virtual Private Networking
There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly.
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other.
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.
Table D-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing
Gateway     LAN or WAN      VPNC Example Address
Gateway A   LAN (Private)   10.5.6.1
Gateway A   WAN (Public)    14.15.16.17
Gateway B   LAN (Private)   22.23.24.25
Gateway B   WAN (Public)    172.23.9.
Figure D-5: VPN Tunnel (VPN Gateway A to VPN Gateway B)
SA
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I.
a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman public-key algorithm within the IKE framework for the two parties.
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting
Once you have completed the VPN configuration steps you can use PCs, located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway.
Appendix E NETGEAR VPN Configuration of FVS318 or FVM318 to FVL328 This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR FVS318 or FVM318 to a FVL328. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). The configuration options and screens for the FVS318 and FVM318 are the same.
Figure E-1: Addressing and Subnets Used for Examples (VPNC example network interface addressing: Gateway A LAN IP 10.5.6.1 on 10.5.6.0/24, WAN IP 14.15.16.17; Gateway B LAN IP 172.23.9.1 on 172.23.9.0/24, WAN IP 22.23.24.25)
Note: Product updates are available on the NETGEAR web site at www.netgear.com/support/main.asp. Documentation updates are available on the NETGEAR, Inc. web site at www.netgear.com/docs.
Figure E-2: NETGEAR FVS318 vA1.4 VPN Settings (part 1) – Main Mode
– In the Connection Name box, enter a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used toFVL328.
– Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used 14.15.16.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field.
– Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field.
Figure E-3: NETGEAR FVS318 vA1.4 VPN Settings (part 2) – Main Mode
– From the Secure Association drop-down box, select Main Mode.
– Next to Perfect Forward Secrecy, select the Enabled radio button.
Step-By-Step Configuration of FVL328 Gateway B
1. Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 172.23.9.1 for Gateway B and have set your own user name and password.
2.
– From the Local Identity drop-down box, select WAN IP Address (WAN IP address will automatically be populated into the Local Identity Data field after policy is applied).
– From the Remote Identity drop-down box, select Remote WAN IP (WAN IP address will automatically be populated into the Local Identity Data field after policy is applied).
Figure E-5: NETGEAR FVL328 v1.4 IKE Policy Configuration – Part 2
3.
4. Click on the VPN Policies link under the VPN category link on the left side of the main menu. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN – Auto Policy.
Figure E-7: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field.
Figure E-8: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 2)
– From the Traffic Selector Remote IP drop-down box, select “Subnet addresses”.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.
Test the VPN Connection
1. From a PC behind the NETGEAR FVS318 or FVM318 gateway A attempt to ping the remote FVS318 gateway B LAN Interface address (example address 172.23.9.1).
Note: You can run ping tests from the Diagnostics link on the NETGEAR main menu or from a DOS prompt on a PC.
2. From a PC behind the FVL328 gateway B attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address (example address 10.5.6.1).
13:19:02 - FVS318 IPSec:sizeof(connection)=1724 sizeof(state)=10048 sizeof(SA)=732
13:19:42 - FVS318 IPsec:call ipsecdoi_initiate
13:19:42 - FVS318 IPsec:New State index:0, sno:1
13:19:42 - FVS318 IPsec:Initiating Main Mode
13:19:42 - FVS318 IPsec:main_outI1() policy=65
13:19:42 - FVS318 IKE:[toFVL328] Initializing IKE Main Mode
13:19:42 - FVS318 IKE:[toFVL328] TX >> MM_I1: 22.23.24.
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to Cisco IOS This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR FVS318 or FVM318 to a Cisco IOS VPN product. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). The configuration screens for the FVS318 and FVM318 are the same.
Figure F-1: Addressing and Subnet Used for Examples (VPNC example network interface addressing: Gateway A LAN IP 10.5.6.1 on 10.5.6.0/24, WAN IP 14.15.16.17; Gateway B LAN IP 172.23.9.1 on 172.23.9.0/24, WAN IP 22.23.24.25)
Figure F-2: NETGEAR FVS318 vA1.4 VPN Settings (part 1) – Main Mode
– In the Connection Name box, enter a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used “toCiscoIOS”.
– Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used 22.23.24.25 as the local identifier.
– Type the starting LAN IP Address of Gateway B (10.5.6.1 in our example) in the Local IP Remote LAN Start IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field.
– Type the WAN IP address (14.15.16.17 in our example) of Gateway A in the Remote WAN IP or FQDN field.
Figure F-3: NETGEAR FVS318 vA1.
Step-By-Step Configuration of Cisco IOS Gateway B
The following are the Cisco commands most relevant to building an inter-vendor VPN. Please refer to your Cisco documentation or www.cisco.com for additional information.
1. Log in to the Cisco router.
2. Type enable, to enter enable mode. Enter your password.
3. Type config t to enter the configuration mode at the command prompt.
4. Create an extended access list.
The following is an example Cisco IOS configuration file.
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname centralrouter
!
logging buffered 4096 debugging
enable secret 5 $1$8rrD$L9v.3jriubHGCQn3Vuw.
interface Ethernet0
 ip address 22.23.24.25 255.255.255.0
 ip nat outside
 half-duplex
 crypto map netgearmap
!
interface FastEthernet0
 ip address 172.23.9.1 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 no ip address
 shutdown
!
ip nat inside source route-map NONAT interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 22.23.24.
Test the VPN Connection
1. From a PC behind the NETGEAR Gateway A attempt to ping the remote Cisco IOS Gateway B LAN Interface address (example address 172.23.9.1).
Note: You can run ping tests from the Diagnostics link of the NETGEAR main menu or from a DOS prompt on a PC.
2. From a PC behind the Cisco IOS Gateway B attempt to ping the remote NETGEAR gateway A LAN Interface address (example address 10.5.6.1).
Thur, 04/24/2003 13:19:02 - FVS318 IPSec:sizeof(connection)=1724 sizeof(state)=10048 sizeof(SA)=732
Thur, 04/24/2003 13:19:42 - FVS318 IPsec:call ipsecdoi_initiate
Thur, 04/24/2003 13:19:42 - FVS318 IPsec:New State index:0, sno:1
Thur, 04/24/2003 13:19:42 - FVS318 IPsec:Initiating Main Mode
Thur, 04/24/2003 13:19:42 - FVS318 IPsec:main_outI1() policy=65
Thur, 04/24/2003 13:19:42 - FVS318 IKE:[toCiscoIOS] Initializing IKE Main Mode
Thur, 04
Thur, 04/24/2003 13:19:48 - FVS318 IKE:[toCiscoIOS] TX >> QM_I2: 22.23.24.25
Thur, 04/24/2003 13:19:48 - FVS318 IKE:[toCiscoIOS] established with 22.23.24.
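The log excerpt above shows a successful negotiation: Main Mode (MM_*) exchanges for IKE Phase 1, Quick Mode (QM_*) for Phase 2, then "established with". A small parser that reads these FVS318 IKE lines and reports how far each tunnel got is a quick way to tell a Phase 1 failure (key or identifier mismatch) from a Phase 2 failure (traffic selector mismatch). This is an added example in Python, not NETGEAR's code; the sample log is constructed in the format of the lines printed above, the toBranch tunnel and the address 198.51.100.7 are invented, and the RX << form is an assumption.

```python
"""Added example (not NETGEAR code): summarise FVS318 IKE log lines to see how
far each VPN tunnel's negotiation got. SAMPLE_LOG is constructed; its format
follows the log lines reproduced in this appendix."""
import re
from collections import OrderedDict

# "<date> <time> - FVS318 <facility>:[<connection>] <message>"; the [connection]
# part appears only on IKE lines, so IPsec housekeeping lines carry no tunnel name.
LOG_RE = re.compile(
    r"^(?P<when>.+?) - FVS318 (?P<facility>IKE|IPsec|IPSec):"
    r"(?:\[(?P<conn>[^\]]+)\] )?(?P<msg>.*)$")
# Exchange markers: MM_* is Main Mode (IKE Phase 1), QM_* is Quick Mode (Phase 2).
# The manual shows "TX >>"; "RX <<" for received messages is an assumption.
EXCHANGE_RE = re.compile(
    r"\b(?:TX >>|RX <<) (?P<exch>(?:MM|QM)_[IR]\d):\s*(?P<peer>\S+)")

# Constructed sample: toCiscoIOS completes (as in the appendix); toBranch keeps
# resending its first Main Mode message and never gets a reply.
SAMPLE_LOG = """\
Thur, 04/24/2003 13:19:42 - FVS318 IPsec:Initiating Main Mode
Thur, 04/24/2003 13:19:42 - FVS318 IKE:[toCiscoIOS] Initializing IKE Main Mode
Thur, 04/24/2003 13:19:42 - FVS318 IKE:[toCiscoIOS] TX >> MM_I1: 22.23.24.25
Thur, 04/24/2003 13:19:46 - FVS318 IKE:[toCiscoIOS] TX >> MM_I2: 22.23.24.25
Thur, 04/24/2003 13:19:47 - FVS318 IKE:[toCiscoIOS] TX >> MM_I3: 22.23.24.25
Thur, 04/24/2003 13:19:48 - FVS318 IKE:[toCiscoIOS] TX >> QM_I1: 22.23.24.25
Thur, 04/24/2003 13:19:48 - FVS318 IKE:[toCiscoIOS] TX >> QM_I2: 22.23.24.25
Thur, 04/24/2003 13:19:48 - FVS318 IKE:[toCiscoIOS] established with 22.23.24.25
Thur, 04/24/2003 13:20:10 - FVS318 IKE:[toBranch] Initializing IKE Main Mode
Thur, 04/24/2003 13:20:10 - FVS318 IKE:[toBranch] TX >> MM_I1: 198.51.100.7
Thur, 04/24/2003 13:20:20 - FVS318 IKE:[toBranch] TX >> MM_I1: 198.51.100.7
Thur, 04/24/2003 13:20:40 - FVS318 IKE:[toBranch] TX >> MM_I1: 198.51.100.7
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it is not an FVS318 line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(tunnel):
    """Say where a tunnel stopped and which settings to compare on the two gateways."""
    if tunnel["established"]:
        return "established"
    if not tunnel["exchanges"]:
        return "no IKE exchange started; check that the policy is enabled"
    last = tunnel["exchanges"][-1]
    repeats = tunnel["exchanges"].count(last)
    if last.startswith("MM_"):
        hint = ("Phase 1 (Main Mode) stalled: check peer reachability, "
                "pre-shared key and IPSec identifiers")
    else:
        hint = ("Phase 2 (Quick Mode) stalled: check traffic selectors "
                "(LAN subnets), PFS and SA lifetime")
    return f"{hint}; {last} sent {repeats} time(s) without progress"


def summarize(log_text):
    """Map connection name -> peer, exchanges seen, established flag and diagnosis."""
    tunnels = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["conn"]:
            continue  # malformed line or an IPsec line without a tunnel name
        t = tunnels.setdefault(
            rec["conn"], {"peer": None, "exchanges": [], "established": False})
        ex = EXCHANGE_RE.search(rec["msg"])
        if ex:
            t["exchanges"].append(ex.group("exch"))
            t["peer"] = ex.group("peer")
        elif rec["msg"].startswith("established with "):
            t["established"] = True
            t["peer"] = rec["msg"].split()[-1]
    for t in tunnels.values():
        t["diagnosis"] = diagnose(t)
    return tunnels


if __name__ == "__main__":
    for name, t in summarize(SAMPLE_LOG).items():
        print(f"{name} -> {t['peer']}: {t['diagnosis']}")
```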
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328 This appendix is a case study on how to configure a VPN tunnel from a NETGEAR FVS318 or FVM318 to a FVL328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). The configuration options and screens for the FVS318 and FVM318 are the same.
Figure G-1: Addressing and Subnet Used for Examples (VPNC example network interface addressing: Gateway A LAN IP 10.5.6.1 on 10.5.6.0/24, WAN FQDN netgear.dyndns.org; Gateway B LAN IP 172.23.9.1 on 172.23.9.0/24, WAN IP 22.23.24.25)
Table G-1. Example DDNS Service Providers
DynDNS     www.dyndns.org
TZO.com    netgear.tzo.com
ngDDNS     ngddns.iego.net
In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname netgear.dyndns.org for gateway A using the DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN tunnel.
Figure G-2: Dynamic DNS Setup Menu
4. Select the Use a dynamic DNS service radio button for the service you are using. In this example we are using www.DynDNS.org as the service provider.
5. Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. In this example we are using dyndns.org as the domain suffix.
6. Click on the VPN Settings link on the left side of the main menu.
– For the FVS318: Click the radio button of the first available VPN tunnel. Click the Edit button below. This will take you to the VPN Settings – Main Mode Menu.
– For the FVM318: Click Add. This will take you to the VPN Settings – Main Mode Menu.
Figure G-3: NETGEAR FVS318 vA1.
– Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local LAN IP Subnetmask field.
– Choose “a subnet of remote addresses” from the “Tunnel can access” pull-down menu.
– Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field.
Step-By-Step Configuration of FVL328 Gateway B
1. Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 172.23.9.1 for Gateway B.
2.
Figure G-6: NETGEAR FVL328 v1.4 IKE Policy Configuration – Part 2
3.
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– Under Authentication Method, select the Pre-shared Key radio button.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both gateways.
Figure G-8: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name: in the Policy Name field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step – this being the FVS318 IKE Policy.
Figure G-9: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 2)
5.
– From the Traffic Selector Remote IP drop-down box, select “Subnet addresses”.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Remote IP Subnet Mask field.
Figure G-10: NETGEAR FVL328 v1.4 VPN Policies Menu (Post Configuration)
6. When the screen returns to the VPN Policies, make sure the Enable checkbox is selected. Click the Apply button.
Test the VPN Connection
1. From a PC behind the NETGEAR FVS318 or FVM318 gateway A attempt to ping the remote FVL328 gateway B LAN Interface address (example address 172.23.9.1).
Note: You can run ping tests from the NETGEAR main menu or from a DOS prompt on a PC.
2. From a PC behind the FVL328 gateway B attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address (example address 10.5.6.1).
3.
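The walk-throughs in Appendices E and G repeat the same requirements: each gateway's Local IPSec Identifier must be entered on the other side as the Remote IPSec Identifier, the pre-shared key must be identical, the IKE proposal (3DES, MD5, MODP group 1, PFS, SA lifetime) must agree, the traffic selectors must mirror each other, and, per Table D-1, the two LANs must not overlap. Before running the ping tests, those mismatches can be caught mechanically. This is an added example in Python, not NETGEAR's code; the VpnEndpoint fields, lan_network, check_tunnel, variant and vpnc_example are assumptions modeled on the FVS318 and FVL328 screens, with the manual's VPNC example values filled in.

```python
"""Added example (not NETGEAR code): cross-check the two ends of a site-to-site
IPSec tunnel before running the ping tests. Field names are assumptions
modeled on the FVS318 / FVL328 VPN Settings and IKE Policy screens."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class VpnEndpoint:
    """What was typed into one gateway's VPN / IKE policy screens."""
    name: str
    local_id: str          # Local IPSec Identifier (WAN IP or FQDN)
    remote_id: str         # Remote IPSec Identifier expected from the peer
    local_lan_start: str   # Local LAN start IP address
    local_lan_mask: str    # Local LAN IP subnet mask
    remote_lan_start: str  # Remote LAN start IP address
    remote_lan_mask: str   # Remote LAN IP subnet mask
    psk: str               # pre-shared key
    encryption: str        # encryption algorithm, e.g. 3DES
    auth: str              # authentication algorithm, e.g. MD5 or SHA-1
    dh_group: str          # Diffie-Hellman group, e.g. MODP group 1
    pfs: bool              # Perfect Forward Secrecy enabled
    sa_lifetime: int       # SA lifetime in seconds


def lan_network(start_ip: str, mask: str) -> ipaddress.IPv4Network:
    """Turn a 'start IP + subnet mask' pair (as the screens take it) into a network.
    strict=False lets a host address such as 10.5.6.1/255.255.255.0 denote 10.5.6.0/24."""
    return ipaddress.ip_network(f"{start_ip}/{mask}", strict=False)


def check_tunnel(a: VpnEndpoint, b: VpnEndpoint) -> list[str]:
    """Return the mismatches between the two policies; an empty list means they agree."""
    problems: list[str] = []

    # Identifiers cross-match: A's Local IPSec Identifier is B's Remote one, and vice versa.
    if a.local_id != b.remote_id:
        problems.append(f"{b.name}: Remote IPSec Identifier is {b.remote_id!r}, "
                        f"but the peer identifies as {a.local_id!r}")
    if b.local_id != a.remote_id:
        problems.append(f"{a.name}: Remote IPSec Identifier is {a.remote_id!r}, "
                        f"but the peer identifies as {b.local_id!r}")

    # The pre-shared key must be identical on both gateways or Phase 1 never completes.
    if a.psk != b.psk:
        problems.append("pre-shared key differs between the two gateways")

    # Proposal parameters must agree exactly; IKE rejects any proposal it cannot match.
    for field in ("encryption", "auth", "dh_group", "pfs", "sa_lifetime"):
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            problems.append(f"{field}: {a.name}={va!r}, {b.name}={vb!r}")

    # Traffic selectors: each side's remote LAN must be exactly the peer's local LAN.
    a_local = lan_network(a.local_lan_start, a.local_lan_mask)
    a_remote = lan_network(a.remote_lan_start, a.remote_lan_mask)
    b_local = lan_network(b.local_lan_start, b.local_lan_mask)
    b_remote = lan_network(b.remote_lan_start, b.remote_lan_mask)
    if a_remote != b_local:
        problems.append(f"{a.name} remote LAN {a_remote} is not {b.name} local LAN {b_local}")
    if b_remote != a_local:
        problems.append(f"{b.name} remote LAN {b_remote} is not {a.name} local LAN {a_local}")

    # The two private LANs must be distinct; overlapping ranges make tunnel routing ambiguous.
    if a_local.overlaps(b_local):
        problems.append(f"LAN subnets overlap: {a_local} and {b_local}")
    return problems


def variant(endpoint: VpnEndpoint, **changes) -> VpnEndpoint:
    """Copy an endpoint with some fields changed, to show how mistakes are reported."""
    return replace(endpoint, **changes)


def vpnc_example() -> tuple[VpnEndpoint, VpnEndpoint]:
    """Gateway A and Gateway B with the manual's VPNC example addresses and the
    3DES / MD5 / MODP group 1 / PFS / 28800 s parameters from the FVL328 walk-through."""
    common = dict(psk="hr5xb84l6aa9r6", encryption="3DES", auth="MD5",
                  dh_group="MODP group 1", pfs=True, sa_lifetime=28800)
    gw_a = VpnEndpoint("Gateway A (FVS318)", "14.15.16.17", "22.23.24.25",
                       "10.5.6.1", "255.255.255.0", "172.23.9.1", "255.255.255.0", **common)
    gw_b = VpnEndpoint("Gateway B (FVL328)", "22.23.24.25", "14.15.16.17",
                       "172.23.9.1", "255.255.255.0", "10.5.6.1", "255.255.255.0", **common)
    return gw_a, gw_b


if __name__ == "__main__":
    gw_a, gw_b = vpnc_example()
    print("matching policies:", check_tunnel(gw_a, gw_b))
    # A one-character typo in the key on Gateway B is enough to stop Phase 1.
    print("key typo:", check_tunnel(gw_a, variant(gw_b, psk="hr5xb84l6aa9r7")))
```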
Glossary
Use the list below to find definitions for technical terms used in this manual.
Numeric
3DES
3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys.
10BASE-T
The IEEE specification for 10 Mbps Ethernet over Category 3, 4, or 5 twisted-pair cable.
100BASE-TX
The IEEE specification for 100 Mbps Fast Ethernet over Category 5 twisted-pair cable.
Advanced Network Device Layer/Software
Term for the Device Driver level.
AES
Advanced Encryption Standard, a symmetric 128-bit block data encryption technique. It is an iterated block cipher with a variable block length and a variable key length. The block length and the key length can be independently specified to 128, 192 or 256 bits. The U.
Bandwidth
The information capacity, measured in bits per second, that a channel could transmit. Bandwidth examples include 10 Mbps for Ethernet, 100 Mbps for Fast Ethernet, and 1000 Mbps (1 Gbps) for Gigabit Ethernet.
Baud
The signaling rate of a line, that is, the number of transitions (voltage or frequency changes) made per second. Also known as line speed.
Broadcast
A packet sent to all devices on a network.
D
Denial of Service attack
DoS. A hacker attack designed to prevent your computer or network from operating or communicating.
DHCP
See “Dynamic Host Configuration Protocol” on page 5.
DMZ
A Demilitarized Zone is used by a company that wants to host its own Internet services without exposing its private network to unauthorized access.
DSLAM
DSL Access Multiplexor. The piece of equipment at the telephone company central office that provides the ADSL signal.
Dynamic Host Configuration Protocol
DHCP is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. In some systems, the device's IP address can even change while it is still connected.
Full-duplex
A system that allows packets to be transmitted and received at the same time and, in effect, doubles the potential throughput of a link.
G
Gateway
A local device, usually a router, that connects hosts on a local network to other networks.
H
Half-duplex
A system that allows packets to be transmitted and received, but not at the same time. Contrast with full-duplex.
Internet Control Message Protocol
ICMP is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.
Internet Protocol
The method or protocol by which data is sent from one computer to another on the Internet.
ISP
Internet service provider.
L
LAN
See “Local Area Network” on page 8.
LDAP
See “Lightweight Directory Access Protocol” on page 8.
Lightweight Directory Access Protocol
A set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. Unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access.
Maximum Receive Unit
The size in bytes of the largest packet that can be sent or received.
Maximum Transmit Unit
The size in bytes of the largest packet that can be sent or received.
Mbps
Megabits per second.
MD5
MD5 creates digital signatures using a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Network Basic Input Output System
An application programming interface (API) for sharing services and information on local-area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length.
PKIX
The most widely used standard for defining digital certificates.
Point-to-Point Protocol
PPP. A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPP
A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPPoA
PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection.
PPPoE
Q
QoS
See “Quality of Service” on page 12.
Quality of Service
QoS is a networking term that specifies a guaranteed level of throughput. Throughput is the amount of data transferred from one device to another or processed in a specified amount of time; typically, throughputs are measured in bytes per second (Bps).
R
RFC
Request For Comment.
SSID
A Service Set Identification is a thirty-two character (maximum) alphanumeric key identifying a wireless local area network. For the wireless devices in a network to communicate with each other, all devices must be configured with the same SSID. This is typically the configuration parameter for a wireless PC card. It corresponds to the ESSID in the wireless Access Point and to the wireless network name.
V
VPN
Virtual Private Network. A method for securely transporting data between two private networks by using a public network such as the Internet as a connection.
W
WAN
See “Wide Area Network” on page 14.
Web
Also known as World-Wide Web (WWW) or W3. An Internet client-server system to distribute information, based upon the hypertext transfer protocol (HTTP).
Index
A
Account Name 3-9, 3-10, 3-14
ActiveX 4-3
Address Resolution Protocol B-9
Addressing D-7
Authentication Header (AH) D-3, D-4
Auto MDI/MDI-X B-15, G-2
Auto Uplink 2-3, B-15, G-2
B
backup configuration 7-9
Bigpond
D
date and time 8-8
Daylight Savings Time 4-11, 8-8
daylight savings time 4-11
Default DMZ Server 5-1
Denial of Service (DoS) protection 2-2, 4-3
denial of service attack B-11
DHCP 2-3, 5-8, B-10
DHCP Client ID C-16
DHCP Setup field, Ethernet Setup menu 7-2
DMZ Server 5-1
firewall features 2-2
FLASH memory 7-13
FQDN 6-10, 6-14, 6-19
front panel 2-5
fully qualified domain name (FQDN) 6-2
G
gateway address C-20
H
Half Life 5-4
host name 3-9, 3-10, 3-14
I
IANA
  contacting B-2
  Web site address B-7
IETF B-1
IKE 6-15
IKE Aggressive Mode 6-6
IPSec D-1
IPSec Components D-2
IPSec SA negotiation D-9
IPSec Security Features D-2
J
Java 4-3
K
KALI 5-4
Key Life 6-15, 6-19
L
LAN IP Setup Menu 5-6, 5-10, 6-12
LEDs
  description 2-6
  troubleshooting 8-2
log
  sending 7-8
Log Vi
N
NAT C-18
requirements
  access device 3-1
  hardware 3-1
NAT.
Telstra 3-8, 3-15
Testing and Troubleshooting D-11
time of day 8-8
time zone 4-11
timeout, administrator login 4-2
time-stamping 4-11
Transport Mode D-5
troubleshooting 8-1
Trusted Host 4-5
Tunnel Mode D-5
typographical conventions 1-2
U
Uplink switch B-14
UPnP 5-5
URL 4-4
USB C-18
V
VPN 2-1, D-1
VPN Consortium D-6
VPN Process Overview D-7
VPN Settings Menus 6-2
VPN Tunnel Connection 6-4
VPNC IKE Phase I Parameters D-10
VPNC IKE Phase II Parameters D-11
W
web proxy 4-3
Windows, configuring for IP routing