Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual NETGEAR, Inc.
© 2004 by NETGEAR, Inc. All rights reserved. FullManual. Trademarks NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this document are copyright Intoto, Inc.
Manufacturer's/Importer's Declaration: It is hereby confirmed that the FVS328 ProSafe VPN Firewall with Dial Back-up is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some devices (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating manual.
iv May 2004, 202-10031-01
Contents
Chapter 1 About This Manual
Audience 1-1
Scope 1-1
Typographical Conventions 1-2
Special Message Formats ...
Worksheet for Recording Your Internet Connection Information 3-3
Connecting the FVS328 to Your LAN 3-4
How to Connect the FVS328 to Your LAN 3-4
Configuring a Wizard-Detected Login Account 3-8
Configuring a Wizard-Detected Dynamic IP Account ...
How to Set the MTU Size 5-6
Configuring Dynamic DNS 5-6
How to Configure Dynamic DNS 5-7
Using Static Routes 5-7
Static Route Example ...
VPN Policy Configuration for Auto Key Negotiation 7-6
VPN Policy Configuration for Manual Key Exchange 7-9
Using Digital Certificates for IKE Auto-Policy Authentication 7-14
Certificate Revocation List (CRL) 7-14
How to Use the VPN Wizard to Configure a VPN Tunnel ...
Troubleshooting a TCP/IP Network Using a Ping Utility 9-5
How to Test the LAN Path to Your Firewall 9-6
How to Test the Path from Your PC to a Remote Device 9-6
Restoring the Default Configuration and Password 9-7
How to Use the Default Reset Button ...
Domain Name Server C-9
IP Configuration by DHCP C-10
Internet Security and Firewalls C-10
What is a Firewall? C-11
Stateful Packet Inspection ...
IPSec Components E-2
Encapsulating Security Payload (ESP) E-3
Authentication Header (AH) E-4
IKE Security Association E-4
Mode ...
Step-By-Step Configuration of FVS328 Gateway H-2
Step-By-Step Configuration of the Netgear VPN Client B H-7
Testing the VPN Connection H-14
From the Client PC to the FVS328 H-14
From the FVS328 to the Client PC ...
Chapter 1 About This Manual This chapter introduces the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up manual. Audience This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site. Scope This manual is written for the FVS328 Firewall according to the specifications in Table 1-1.
Typographical Conventions This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
italics: Emphasis.
bold times roman: User input.
[Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
Small Caps: DOS file and directory names.
How to Use this Manual This manual includes both PDF and HTML versions. Use the topics below to identify how to take advantage of these document formats when you need to view or print information from this manual. Figure Preface 1-1: HTML version of this manual 1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
How to Print this Manual To print this manual, choose one of the following options, according to your needs. • Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the upper right side of the toolbar to print the currently displayed topic.
Chapter 2 Introduction This chapter describes the features of the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up. The FVS328 Firewall provides connection for multiple computers to the Internet through an external broadband access device such as a cable modem or DSL modem, and supports IPSec-based secure tunnels to IPSec-compatible VPN servers. The 8-port FVS328 with auto fail-over connectivity through the serial port provides highly reliable Internet access for up to 253 users.
• Remote Access Server (RAS) allows you to log in remotely through the serial port to access a server on your LAN, other LAN resources, or the Internet based on a user name and password you define.
• LAN-to-LAN access between two FVS328 firewalls through the serial port with the option of enabling auto-failover Internet access across the serial LAN-to-LAN connection.
Content Filtering With its content filtering feature, the FVS328 can block Web content you consider objectionable. The firewall controls access by screening Web addresses for keywords and domain names that you specify; it does not inspect the pages themselves. You can configure the firewall to log and report attempts to access blocked sites.
• DNS Proxy When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE) PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
• Diagnostic functions The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVS328 when you are connected on the LAN or when you are connected over the Internet via the remote management function.
Figure 2-1: FVS328 Front Panel (panel text: MODEL FVS328 BROADBAND PROSAFE VPN FIREWALL WITH DIAL BACKUP; LEDs: PWR, TEST, INTERNET, MODEM, LOCAL LNK/ACT) These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1: LED Descriptions (Label / Activity / Description)
POWER / On / Power is supplied to the firewall.
The Firewall’s Rear Panel The rear panel of the FVS328 contains the connections identified below. (Rear panel labels: LOCAL 10/100M ports 8 to 1, MODEM, INTERNET, 12 V DC.)
Chapter 3 Connecting the FVS328 to the Internet This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVS328 ProSafe VPN Firewall with Dial Back-up using the Setup Wizard, or manually configure your Internet connection.
Internet Configuration Requirements Depending on how your ISP or IT group set up your Internet access, you will need one or more of these configuration parameters to connect your firewall to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed or Static IP Address
Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Intern
Worksheet for Recording Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Connecting the FVS328 to Your LAN This section provides instructions for connecting the FVS328 ProSafe VPN Firewall with Dial Back-up to your Local Area Network (LAN). Note: The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure. How to Connect the FVS328 to Your LAN There are three steps to connecting your firewall: • Connect the firewall to your network.
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet. a. First, turn on the broadband modem and wait 2 minutes. b. Now, turn on your firewall. c. Last, turn on your computer. Note: If software usually logs you in to the Internet, do not run that software or cancel it if it starts automatically. (Front panel figure: PWR, TEST and INTERNET LEDs.)
3. LOG IN TO THE FIREWALL a. From your PC, launch your Internet browser. b. Connect to the firewall by typing http://192.168.0.1 in the address field of Internet Explorer or Netscape® Navigator. c. For security reasons, the router has its own user name and password. When prompted, enter admin for the router user name and password for the router password, both in lower case letters. These defaults are the same on every FVS328, so change the password as soon as you have logged in; see Chapter 6, Protecting Your Network.
4. RUN THE SMART WIZARD TO CONNECT TO THE INTERNET Figure 3-3: Setup Wizard a. You are now connected to the router. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu. b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP addresses the FVS328 uses.
• Connections that use dynamic IP address assignment.
• Connections that use fixed IP address assignment.
The procedures for filling in the configuration menu for each type of connection follow below. Configuring a Wizard-Detected Login Account If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to the correct setup menu. 1.
If your ISP requires MAC authentication, then select either Use this Computer's MAC address to have the router use the MAC address of the computer you are now using, or Use This MAC Address to manually type in the MAC address that your ISP expects. 6. Click Apply to save your settings. 7. Click the Test button to test your Internet connection.
5. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 9, Troubleshooting. Configuring a Wizard-Detected Fixed IP (Static) Account If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the correct setup menu. 1.
b. From the Setup Basic Settings menu, click Serial Port. Figure 3-4: Serial Internet Connection configuration menu c. Fill in the ISDN or analog ISP Internet configuration parameters as appropriate. d. For a Dial-up Account, enter the Account information. Check “Connect as required” to enable the firewall to automatically dial the number. To enable Idle Time disconnect, check the box and enter a time in minutes.
Note: You can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FVS328 Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site. • Select the Serial Line Speed.
Testing Your Internet Connection After completing the Internet connection configuration, you can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the NETGEAR Web site does not appear within one minute, refer to Chapter 9, Troubleshooting. Your firewall is now configured to provide Internet access for your network.
Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
How to Manually Configure the Primary Internet Connection Use these steps to manually configure the primary Internet connection in the Basic Settings menu. 1. Select your Internet connection type (broadband with or without login, or serial). Note: If you are a Telstra BigPond broadband customer, or if you are in an area such as Austria that uses broadband PPTP, login is required.
7. Router’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by “cloning” its MAC address.
Chapter 4 Serial Port Configuration This chapter describes how to configure the serial port options of your FVS328 ProSafe VPN Firewall with Dial Back-up. The FVS328 serial port lets you share the broadband connection of another FVS328, share resources between two LANs, and take advantage of the routing functions on the broadband (WAN), LAN, and serial network interfaces.
Configuring a Serial Port Modem You can configure a serial port modem for any of the features described above. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure. Basic Requirements for Serial Port Modem Configuration Configuring a serial port modem requires these elements: 1. A serial analog or ISDN modem. 2. A serial modem cable with a DB9 connector. 3. An active phone or ISDN line.
— If your modem is not on the list, select “User Defined” and enter the Modem Properties. If you are using the “User Defined” selection and configuring your own modem strings, fill in the Modem Properties settings.
Figure 4-2: Auto-Rollover configuration menu 3. Configure the Auto-Rollover settings. 4. Click Apply for the changes to take effect. Configuring Dial-in on the Serial Port Dial-in lets a single remote computer connect to the FVS328 through the serial port to gain access to LAN resources or a remote access server. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Basic Requirements for Dial-in Dial-in requires these elements: 1. A broadband connection to the FVS328. 2. An analog phone line. 3. A serial modem properly configured and attached to the DB9 connector on the serial port. 4. The Dial-in settings configured and applied to the FVS328. How to Configure Dial-in Follow the steps below to configure a serial port dial-in connection. 1.
Configuring LAN-to-LAN Settings LAN-to-LAN enables direct communications between two FVS328 firewalls. Figure 4-4: LAN-to-LAN network configuration (Firewall A, LAN address 192.168.0.1, linked over the serial connection to Firewall B, LAN address 192.168.3.1) Basic Requirements for LAN-to-LAN Connections Serial port LAN-to-LAN configurations require these elements: 1. An ISDN or analog phone line with an active ISDN or dial-up ISP account. 2.
Figure 4-5: LAN-to-LAN configuration menu 3. Configure the LAN-to-LAN settings. Note: The LAN subnet address of each FVS328 must be different. 4. Click Apply for the changes to take effect.
May 2004, 202-10031-01, M-10207-01, Reference Manual v2
Chapter 5 WAN and LAN Configuration This chapter describes how to configure the WAN and LAN settings of your FVS328 ProSafe VPN Firewall with Dial Back-up. Configuring LAN IP Settings The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface. The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server.
— When set to None, it will not send any RIP packets and will ignore any RIP packets received.
• RIP Version This controls the format and the broadcasting method of the RIP packets that the router sends. It recognizes both formats when receiving. By default, this is set for RIP-1.
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup.
— RIP-2 carries more information.
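To make "RIP-2 carries more information" concrete, the following is an added example (it is not code from the manual or from NETGEAR) that builds and decodes RIP-1 and RIP-2 response messages in their RFC 1058 / RFC 2453 layouts. A RIP-1 entry has no subnet mask, next hop or route tag, so a receiver has to fall back to the classful mask; a RIP-2 entry carries all three and may be preceded by an authentication entry. The sample messages and addresses are constructed for this example. The practitioner's caveat this illustrates: a router that accepts RIP on an interface will install whatever routes arrive there, and the RIP-2 "simple password" is sent in the clear, so on an untrusted segment the None setting is the safe one.

```python
"""Added example (not from the NETGEAR manual): RIP-1 / RIP-2 response
encoding and decoding. Constructed packets only; nothing is sent on the wire."""
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2
AF_INET = 2
AF_AUTH = 0xFFFF          # RIP-2 authentication entry marker
AUTH_SIMPLE_PASSWORD = 2  # cleartext password; readable by anyone on the segment
ENTRY_FMT = "!HH4s4s4sI"  # AFI, route tag, address, subnet mask, next hop, metric
ENTRY_LEN = struct.calcsize(ENTRY_FMT)  # 20 bytes
MAX_ENTRIES = 25


def build_response(version, routes, password=None):
    """routes: list of (prefix, mask, next_hop, metric). RIP-1 has no room for
    the mask, next hop or tag, so those fields are zeroed in a version 1 packet."""
    packet = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None and version == 2:
        packet += struct.pack("!HH16s", AF_AUTH, AUTH_SIMPLE_PASSWORD, password.encode())
    for prefix, mask, next_hop, metric in routes:
        if version == 1:
            mask, next_hop = "0.0.0.0", "0.0.0.0"
        packet += struct.pack(ENTRY_FMT, AF_INET, 0, IPv4Address(prefix).packed,
                              IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)
    return packet


def classful_mask(addr):
    """What a RIP-1 receiver is forced to assume when no mask is carried."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_response(packet):
    command, version, zero = struct.unpack("!BBH", packet[:4])
    if command != RIP_RESPONSE or version not in (1, 2) or zero != 0:
        raise ValueError("not a RIP-1/RIP-2 response")
    body = packet[4:]
    if not body or len(body) % ENTRY_LEN or len(body) > MAX_ENTRIES * ENTRY_LEN:
        raise ValueError("bad entry count")
    result = {"version": version, "auth": None, "routes": []}
    for off in range(0, len(body), ENTRY_LEN):
        afi, tag, addr, mask, nh, metric = struct.unpack(ENTRY_FMT, body[off:off + ENTRY_LEN])
        if version == 2 and off == 0 and afi == AF_AUTH:
            # Authentication entry: AFI 0xFFFF, auth type in the tag field, 16 data bytes
            result["auth"] = {"type": tag, "password": body[4:20].rstrip(b"\x00").decode()}
            continue
        if afi != AF_INET:
            raise ValueError(f"unsupported address family {afi}")
        if not 1 <= metric <= 16:
            raise ValueError(f"invalid metric {metric}")
        if version == 1 and (tag or any(mask) or any(nh)):
            raise ValueError("RIP-1 entry with non-zero RIP-2-only fields")
        addr = str(IPv4Address(addr))
        result["routes"].append({
            "prefix": addr,
            "mask": str(IPv4Address(mask)) if version == 2 else classful_mask(addr),
            "next_hop": str(IPv4Address(nh)) if version == 2 else None,
            "tag": tag,
            "metric": metric,
        })
    return result
```

Parsing the same 10.1.2.0/24 route in both formats shows the loss: the RIP-2 decode keeps the /24 mask, while the RIP-1 decode can only assume the classful /8 for a 10.x address.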
The firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address is the firewall’s LAN IP address
• Primary DNS Server, if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address
• Secondary DNS Server, if you entered a Secondary DNS address in the Basic Settings menu
How to Configure
3. Enter the LAN TCP/IP and DHCP parameters. 4. Click Apply to save your changes. How to Configure Reserved IP Addresses When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click the Add button. 2.
Connecting Automatically, as Required Normally, this option should be Enabled, so that an Internet connection will be made automatically, whenever Internet-bound traffic is detected. However, if this causes high connection costs, you can disable this setting. If disabled, you must connect manually, using the sub-screen accessed from the Connection Status button on the Status screen.
Responding to Ping on Internet WAN Port If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered. Don't check this box unless you have a specific reason to do so.
How to Configure Dynamic DNS 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 2. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS. 3. Click the radio button for the dynamic DNS service you will use.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP.
a. Click the Edit button to open the Edit Menu, shown below. Figure 5-3: Static Route Entry and Edit Menu b. Type a route name for this static route in the Route Name box under the table. This is for identification purpose only. c. Select Active to make this route effective. d. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP. e.
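The following is an added example, not code from the manual or from NETGEAR, of the longest-prefix-match lookup that decides which of the routes above carries a packet. It reproduces the two implicit routes the manual describes (a default route via the ISP and 192.168.0.0/24 on the LAN), shows why a 134.177.x.x destination goes to the ISP, and then adds a static route for that network. The 134.177.0.0 network is the manual's; the /16 prefix length, the LAN-side gateway 192.168.0.254, the route names and the Private flag value are assumptions made for this example.

```python
"""Added example (not from the NETGEAR manual): longest-prefix-match route
selection with the manual's two implicit routes plus one assumed static route."""
from ipaddress import ip_address, ip_network


class RouteTable:
    def __init__(self):
        self.routes = []  # (network, gateway, name, private)

    def add(self, network, gateway, name, private=False):
        self.routes.append((ip_network(network), gateway, name, private))

    def lookup(self, destination):
        """Return (route name, gateway) of the most specific route that matches."""
        dst = ip_address(destination)
        best = None
        for net, gateway, name, _ in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gateway, name)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[2], best[1]

    def rip_advertised(self):
        """Routes marked Private are left out of RIP announcements (step d above)."""
        return [name for _, _, name, private in self.routes if not private]


def implicit_table():
    # The two routes the manual says exist after initial configuration.
    table = RouteTable()
    table.add("0.0.0.0/0", "isp", "default")
    table.add("192.168.0.0/24", "direct", "lan")
    return table


def with_engineering_route(table):
    # Assumed static route: reach 134.177.0.0/16 through a router on the LAN.
    table.add("134.177.0.0/16", "192.168.0.254", "engineering", private=True)
    return table
```

With only the implicit routes, 134.177.10.5 matches nothing more specific than the /0 default and is sent to the ISP; once the /16 static route exists it wins by prefix length, while 134.178.0.1 still falls through to the default. Because the route was marked Private, it is absent from the RIP advertisement list.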
Chapter 6 Protecting Your Network This chapter describes how to use the basic firewall features of the FVS328 ProSafe VPN Firewall with Dial Back-up to protect your network. Protecting Access to Your FVS328 Firewall For security reasons, the firewall has its own user name and password. Also, after a set period of inactivity, the administrator login is automatically disconnected.
Figure 6-1: Set Password menu 3. To change the password, first enter the old password, then enter the new password twice. 4. Click Apply to save your changes. Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the firewall settings previously, you should do a new backup so that the saved settings file includes the new password.
Using the Block Sites Menu to Screen Content The FVS328 allows you to restrict access based on the following categories: • Use of a proxy server • Type of file (Java, ActiveX, Cookie) • Web addresses • Web address keywords These options are discussed below. The Keyword Blocking menu is shown here. Figure 6-2: Block Sites menu To enable filtering, click the checkbox next to the type of filtering you want to enable.
• Java: blocks use of Java applets
• ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows
• Cookies: blocks all cookies
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
Defining a Service Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
Using Inbound/Outbound Rules to Block or Allow Services Firewall rules are used to block or allow specific traffic passing through from one side of the firewall to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined. To create a new rule, click the Add button.
Examples of Using Services and Rules to Regulate Traffic The following examples show how Services and Rules are combined to block or allow specific Internet traffic through the firewall.
Example: Port Forwarding to a Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server any time of day. Figure 6-4: Rule example: A Local Public Web Server This rule is shown in Figure 6-4.
specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 6-7: Inbound rule example: VPN IPSec when NAT is off In the example shown in Figure 6-7, VPN IPSec connections are allowed to any internal LAN IP address. Outbound Rules (Service Blocking or Port Filtering) The FVS328 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.
Outbound Rule Example: Blocking Instant Messaging If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the router log any attempt to use Instant Messenger during that blocked period.
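The following is an added example, not code from the manual or from NETGEAR, that models the rule semantics described in this section: a default inbound block and outbound allow, first-match evaluation of custom rules keyed on a service (protocol and port range), a WAN-side address range, the LAN host a rule applies to, a schedule, and the Always / Match / Not match log options. It then runs the three rules the manual uses as examples (the public Web server, CU-SeeMe from one address range with logging of non-matching requests, and instant messaging blocked during working hours) over constructed packets. The server addresses, the port numbers for CU-SeeMe and the instant messaging client, the Monday-to-Friday 09:00-17:00 schedule, and my reading of "Not match" as "log packets of the service that fail the rule's other criteria" are all assumptions for this example; inbound packets are shown with the LAN server they are forwarded to as the destination.

```python
"""Added example (not from the NETGEAR manual): first-match firewall rule
evaluation with services, address limits, schedules and match/not-match logging."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Service:
    name: str
    proto: str          # "tcp" or "udp"
    first_port: int
    last_port: int

    def matches(self, proto, port):
        return proto == self.proto and self.first_port <= port <= self.last_port


@dataclass
class Schedule:
    weekdays: set       # 0 = Monday ... 6 = Sunday
    start_hour: int
    end_hour: int       # exclusive

    def active(self, when):
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass
class Rule:
    direction: str                          # "in" (WAN to LAN) or "out" (LAN to WAN)
    action: str                             # "allow" or "block"
    service: Optional[Service] = None       # None = any service
    wan_range: Optional[tuple] = None       # (first, last) outside addresses; None = any
    lan_host: Optional[str] = None          # LAN address the rule applies to; None = any
    schedule: Optional[Schedule] = None     # None = always
    log: str = "never"                      # "never", "always", "match", "not_match"
    name: str = ""


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int
    when: datetime


def in_range(addr, rng):
    return rng is None or IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])


def evaluate(rules, pkt, log):
    """Return "allow" or "block"; append (rule, outcome, source) tuples to log."""
    wan_addr, lan_addr = (pkt.src, pkt.dst) if pkt.direction == "in" else (pkt.dst, pkt.src)
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        if rule.service is not None and not rule.service.matches(pkt.proto, pkt.dport):
            continue  # a rule is only considered for traffic of its service
        criteria = (in_range(wan_addr, rule.wan_range)
                    and (rule.lan_host is None or rule.lan_host == lan_addr)
                    and (rule.schedule is None or rule.schedule.active(pkt.when)))
        if criteria:
            if rule.log in ("always", "match"):
                log.append((rule.name, rule.action, pkt.src))
            return rule.action
        if rule.log in ("always", "not_match"):
            log.append((rule.name, "not matched", pkt.src))
    # Default rules: block everything inbound, allow everything outbound.
    return "block" if pkt.direction == "in" else "allow"


# Assumed service definitions (HTTP is standard; the other ports are assumptions).
HTTP = Service("HTTP", "tcp", 80, 80)
CUSEEME = Service("CU-SeeMe", "udp", 7648, 7648)
AIM = Service("Instant Messenger", "tcp", 5190, 5190)
WORK_HOURS = Schedule({0, 1, 2, 3, 4}, 9, 17)

RULES = [
    Rule("in", "allow", HTTP, lan_host="192.168.0.99", name="web-server"),
    Rule("in", "allow", CUSEEME, wan_range=("134.177.88.1", "134.177.88.254"),
         lan_host="192.168.0.11", log="not_match", name="cuseeme"),
    Rule("out", "block", AIM, schedule=WORK_HOURS, log="match", name="block-im"),
]


def run_examples():
    """Constructed packets exercising the three example rules; returns (decisions, log)."""
    log = []
    monday_noon = datetime(2004, 5, 3, 12, 0)
    saturday_noon = datetime(2004, 5, 8, 12, 0)
    decisions = {
        "web": evaluate(RULES, Packet("in", "tcp", "203.0.113.5", "192.168.0.99", 80, monday_noon), log),
        "web_other_host": evaluate(RULES, Packet("in", "tcp", "203.0.113.5", "192.168.0.50", 80, monday_noon), log),
        "cuseeme_allowed_range": evaluate(RULES, Packet("in", "udp", "134.177.88.20", "192.168.0.11", 7648, monday_noon), log),
        "cuseeme_outside_range": evaluate(RULES, Packet("in", "udp", "198.51.100.9", "192.168.0.11", 7648, monday_noon), log),
        "im_during_work": evaluate(RULES, Packet("out", "tcp", "192.168.0.33", "198.51.100.77", 5190, monday_noon), log),
        "im_weekend": evaluate(RULES, Packet("out", "tcp", "192.168.0.33", "198.51.100.77", 5190, saturday_noon), log),
    }
    return decisions, log
```

Two details worth noticing: the HTTP rule only opens port 80 to the one server, so the same request aimed at another LAN host still hits the inbound default block; and the CU-SeeMe rule's Not match logging records the request from 198.51.100.9 before that request falls through to the default block, which is exactly the evidence you want when deciding whether the allowed range is too narrow or someone is probing.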
Rules Menu Options Use the Options checkboxes to enable the following:
• Enable VPN Passthrough (IPSec, PPTP, L2TP) If LAN users need to use VPN (Virtual Private Networking) software on their computer, and connect to remote sites or servers, enable this checkbox. This will allow the VPN protocols (IPSec, PPTP, L2TP) to be used. If this checkbox is not checked, these protocols are blocked.
How to Set Your Time Zone In order to localize the time for your log entries, you must specify your Time Zone: 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 2. Click Schedule on the Security menu to display the menu shown below. Figure 6-9: Schedule Services menu 3.
Note: If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time. 4. Choose your NTP server. The firewall uses Netgear NTP servers by default.
Chapter 7 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVS328 Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. Overview of FVS328 Policy-Based VPN Configuration The FVS328 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity.
• IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an Internet Key Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption. • VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel.
IKE Policies’ Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual The IKE Policy Configuration fields are defined in the following table. Table 7-1. IKE Policy Configuration Fields Field Description General These settings identify this policy and determine its major characteristics. Policy Name The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual Table 7-1. IKE Policy Configuration Fields Field Description Remote Identity Type Use this field to identify the remote FVS328. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) – your domain name. • By a Fully Qualified User Name – your name, E-mail address, or other ID. • By DER ASN.1 DN – the binary DER encoding of your ASN.
VPN Policy Configuration for Auto Key Negotiation

An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.

The VPN Auto Policy fields are defined in the following table.

Table 7-1. VPN Auto Policy Configuration Fields

Field: Description
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint; it is only used to help you identify VPN policies.
Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space.
Authentication Algorithm: If you enable AH, use this menu to select which authentication algorithm will be employed. The choices are MD5 (the default) or SHA1 (more secure). Prefer SHA1 wherever the remote endpoint supports it; HMAC-MD5 is deprecated for IPsec and should not be chosen for new tunnels. The choice must match the remote endpoint.
NetBIOS Enable: Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel. The NetBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
Figure 7-4: VPN - Manual Policy Menu

The VPN Manual Policy fields are defined in the following table.

Table 7-1. VPN Manual Policy Configuration Fields

Field: Description
General: These settings identify this policy and determine its major characteristics.
Policy Name: The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint; it is used to help you identify VPN policies.
Authentication Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint. Note: The Incoming settings must match the Outgoing settings on the remote VPN endpoint, and the Outgoing settings must match the Incoming settings on the remote VPN endpoint.
SPI - Outgoing: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field. The three-character minimum keeps the SPI above 255; RFC 4303 reserves SPI values 0 through 255.
Enable Encryption: Use this check box to enable or disable ESP Encryption. A manual policy uses the keys you type here for the life of the policy, with no rekeying, so treat them as long-lived secrets and prefer an IKE auto policy wherever both endpoints support one.
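As an added example (not NETGEAR's code and not the FVS328's own validation), the following Python script checks that a pair of manual policies mirror each other as the table requires (each side's Outgoing SPI and key equal the other side's Incoming SPI and key), that every SPI obeys the 3-8 hex character rule, and that the two LAN ranges are distinct and do not overlap. The policy dictionaries, field names, key values and SPI values are assumptions for illustration; the subnets are the VPNC Scenario 1 networks used later in this chapter.

```python
"""Mirror-consistency check for a pair of manually keyed IPsec VPN policies.

Added example for the VPN Manual Policy fields (not NETGEAR code). Field names,
keys and SPIs are assumed for illustration; subnets are the Scenario 1 values.
"""
import ipaddress
import re

SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")  # UI rule: 3-8 hex characters


def check_spi(label, value):
    """Return problems with one SPI field. RFC 4303 reserves SPI 0 and 1-255;
    the 3-hex-char minimum already excludes them, but check explicitly."""
    problems = []
    if not SPI_RE.match(value):
        problems.append(f"{label}: SPI {value!r} is not 3-8 hex characters")
    elif int(value, 16) < 0x100:
        problems.append(f"{label}: SPI {value!r} is in the reserved range 0-255")
    return problems


def check_pair(a, b):
    """Compare two manual policies that terminate the same tunnel.

    Each policy is a dict with: name, local_net, remote_net, spi_in, spi_out,
    auth_key_in, auth_key_out (hex strings). Returns a list of human-readable
    mismatches; an empty list means the pair mirrors correctly."""
    problems = []
    for pol in (a, b):
        problems += check_spi(f"{pol['name']} incoming", pol["spi_in"])
        problems += check_spi(f"{pol['name']} outgoing", pol["spi_out"])

    # Incoming on one side must equal outgoing on the other, for SPIs and keys.
    for field in ("spi", "auth_key"):
        if a[f"{field}_out"].lower() != b[f"{field}_in"].lower():
            problems.append(f"{a['name']} {field}_out != {b['name']} {field}_in")
        if b[f"{field}_out"].lower() != a[f"{field}_in"].lower():
            problems.append(f"{b['name']} {field}_out != {a['name']} {field}_in")

    # Traffic selectors must be mirror images, and the two LANs must not overlap.
    a_local = ipaddress.ip_network(a["local_net"])
    a_remote = ipaddress.ip_network(a["remote_net"])
    b_local = ipaddress.ip_network(b["local_net"])
    b_remote = ipaddress.ip_network(b["remote_net"])
    if a_local != b_remote or a_remote != b_local:
        problems.append("local/remote networks are not mirror images")
    if a_local.overlaps(a_remote):
        problems.append(f"LAN ranges {a_local} and {a_remote} overlap; each endpoint's LAN must differ")
    return problems


# Constructed Scenario 1 pair: Gateway A (LAN 10.5.6.0/24) and Gateway B (LAN 172.23.9.0/24).
# Keys are 32 hex characters (128 bits), an assumed HMAC-MD5 key size.
GATEWAY_A = {
    "name": "GatewayA", "local_net": "10.5.6.0/24", "remote_net": "172.23.9.0/24",
    "spi_in": "1001", "spi_out": "2002",
    "auth_key_in": "0123456789abcdef0123456789abcdef",
    "auth_key_out": "fedcba9876543210fedcba9876543210",
}
GATEWAY_B = {
    "name": "GatewayB", "local_net": "172.23.9.0/24", "remote_net": "10.5.6.0/24",
    "spi_in": "2002", "spi_out": "1001",
    "auth_key_in": "fedcba9876543210fedcba9876543210",
    "auth_key_out": "0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for problem in check_pair(GATEWAY_A, GATEWAY_B) or ["policies mirror correctly"]:
        print(problem)
```

Run it against the two policy dictionaries before typing the values into both firewalls; a typo in one Incoming SPI produces a silent tunnel failure on the device, but a one-line mismatch report here.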
Using Digital Certificates for IKE Auto-Policy Authentication

A digital certificate binds a public key to the identity of a person or device. It is issued and digitally signed by a Certification Authority (CA); anyone holding the CA's certificate can verify the signature, but nobody can forge it without the CA's private key. This is what lets the remote endpoint authenticate the FVS328 without a shared secret.
How to Use the VPN Wizard to Configure a VPN Tunnel

Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first open UDP port 500 (IKE) for inbound traffic as explained in "Example: Port Forwarding for VPN Tunnels when NAT is Off" on page 6-10.

Follow this procedure to configure a VPN tunnel using the VPN Wizard.

Note: The LAN IP address ranges of each VPN endpoint must be different. If both sites use the same range (for example, the factory default 192.168.0.x at both ends), the firewall cannot distinguish local from remote addresses and the tunnel will not carry the traffic; renumber one side first.

Figure 7-6: Connection Name and Remote IP Type

3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.

Figure 7-7: Remote IP

4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next.

The Summary screen below displays.

Figure 7-9: VPN Wizard Summary

To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings the VPN Wizard used, click the "here" link.

5. Click Done to complete the configuration procedure. The VPN Settings menu displays, showing that the new tunnel is enabled. To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit.
In order to make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to make it easier to get systems from different vendors to interoperate.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

Note: The /24 after an IP address is the CIDR prefix length: the first 24 bits of the address identify the network and the remaining 8 bits identify hosts within it. For example, 10.5.6.0/24 refers to the network 10.5.6.0 with the netmask 255.255.255.0, that is, the addresses 10.5.6.0 through 10.5.6.255.

FVS328 Scenario 1: How to Configure the IKE and VPN Policies

Note: This scenario assumes all ports are open on the FVS328. You can verify this by reviewing the security settings as seen in "Using Inbound/Outbound Rules to Block or Allow Services" on page 6-6. Use this scenario illustration and configuration screens as a model to build your configuration.

Scenario 1 illustration: FVS328 Gateway A (LAN IP 10.5.6.1/24, WAN IP 14.15.16.17) and Gateway B (WAN IP 22.23.24.25).
b. Select whether to enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router.
c.

Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVS328. You will have to log on with http://10.5.6.1, which is now the address you use to connect to the built-in Web-based configuration manager of the FVS328.

3. Set up the IKE Policy illustrated below on the FVS328.
a.

4. Set up the FVS328 VPN - Auto Policy illustrated below.
a. From the main menu VPN section, click the VPN Policies link, and then click the Add Auto Policy button.

Figure 7-14: Scenario 1 VPN - Auto Policy

b. Configure the VPN - Auto Policy according to the settings in the illustration above and click Apply to save your settings.

5. After applying these changes, you will see a table entry like the one below.

Figure 7-15: VPN Policies table

Now all traffic between the ranges of LAN IP addresses specified on FVS328 A and FVS328 B will flow over a secure VPN tunnel.

How to Check VPN Connections

You can test connectivity and view VPN status information on the FVS328.

1. To test connectivity between the Gateway A FVS328 LAN and the Gateway B LAN, follow these steps:
a.

2. To test connectivity between the FVS328 Gateway A and Gateway B WAN ports, follow these steps:
a. Using our example, log in to the FVS328 on LAN A, go to the main menu Maintenance section and click the Diagnostics link.
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click Ping.
c. This will cause a ping to be sent to the WAN interface of Gateway B. This ping travels outside the tunnel, so it tests only Internet reachability between the two WAN addresses, not the VPN itself, and it succeeds only if Gateway B answers ICMP echo requests on its WAN interface.
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail. Whatever the delivery channel, confirm the CA certificate's fingerprint with the CA operator out of band before installing it as a trusted root: every certificate chaining to that root will then be accepted for tunnel authentication.
b. Save the certificate as a text file called trust.txt.

2. Install the trusted CA certificate for the Trusted Root CA.
a.

b. Click the Generate Request button to display the screen illustrated in Figure 7-17 below.

Figure 7-17: Generate Self Certificate Request menu

c. Fill in the fields on the Add Self Certificate screen.
• Required:
– Name. Enter a name to identify this certificate.
– Subject. This is the name other organizations will see as the holder (owner) of this certificate.

d. Click the Next button to continue. The FVS328 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file.

Figure 7-18: Self Certificate Request data

4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA. The request contains only the public key and the subject name, so it can be sent by e-mail; the private key is generated on the FVS328 and never leaves it.

Figure 7-19: Self Certificate Requests table

5. Receive the certificate back from the Trusted Root CA and save it as a text file.

Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt.

6. Upload the new certificate.
a.

f. You will now see the "FVS328" entry in the Active Self Certificates table and the pending "FVS328" Self Certificate Request is gone, as illustrated below.

Figure 7-20: Self Certificates table

7. Associate the new certificate and the Trusted Root CA certificate on the FVS328.
a.

Now, the traffic from devices within the range of the LAN subnet addresses on FVS328 Gateway A and Gateway B will be authenticated using the certificates and generated keys rather than via a shared key.

8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file. The uploaded CRL is a snapshot: a peer certificate revoked after that copy was issued is still accepted until you upload the CA's next CRL, so schedule the refresh.
Chapter 8 Managing Your Network

This chapter describes how to perform network management tasks with your FVS328 ProSafe VPN Firewall with Dial Back-up.

Network Management

The FVS328 provides remote management access and a variety of status and usage information which is discussed below.

How to Configure Remote Management

Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVS328 Firewall.

c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
5. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. A custom port only reduces casual discovery; it does not hide the interface from a port scan, and management over plain HTTP sends the administrator password across the Internet in cleartext. If you enable remote management at all, restrict it to a single known IP address and change the default password first.
Viewing Router Status and Usage Statistics

From the Main Menu of the browser interface, under Maintenance, select Router Status to view the status screen, shown in Figure 8-1. The Router Status menu provides a limited amount of status and usage information.

Figure 8-1: Router Status screen

This screen shows the following parameters:

Table 8-1. Router Status Fields
Field: Description
System Name: This field displays the Host Name assigned to the firewall in the Basic Settings menu.
Firmware Version: This field displays the firewall firmware version.
LAN Port: These parameters apply to the Local (LAN) port of the firewall.

Click the "Show Statistics" button to display firewall usage statistics, as shown in Figure 8-2 below:

Figure 8-2. Router Statistics screen

This screen shows the following statistics:

Table 8-2. Router Statistics Fields
Field: Description
WAN, LAN, or Serial Port: The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the screen displays:
Status: The link status of the port.

Viewing Attached Devices

The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown in Figure 8-3.

Figure 8-3: Attached Devices menu

For each device, the table shows the IP address, Device Name (NetBIOS Host Name, if available), and the Ethernet MAC address.
Viewing, Selecting, and Saving Logged Information

The firewall logs security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tries to access a blocked site. If you enabled e-mail notification, you will receive these logs in an e-mail message.

Log entries are described below:

Table 8-5: Security Log entry descriptions
Field: Description
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN.

Changing the Include in Log Settings

You can choose to log additional information.

Enabling Security Event E-mail Notification

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-mail menu:

Figure 8-7: E-mail notification menu

To enable E-mail notification, configure the following fields:
• Turn e-mail notification on: Select this check box if you want to receive e-mail logs and alerts from the firewall.

You can specify that logs are automatically sent to the specified e-mail address with these options:
• Send alert immediately: Select this check box if you want immediate notification of a significant security event, such as a known attack, abnormal TCP flag, or attempted access to a blocked site.
• Send logs according to this schedule: Specify how often to send the logs: None, Hourly, Daily, Weekly, or When Full. The firewall's log buffer is finite, so pick a schedule (or When Full) that ships entries off the device before they are overwritten; entries lost to the buffer wrapping cannot be recovered later.
2. From the Maintenance heading of the main menu, select the Settings Backup menu as seen below.

Figure 8-8: Settings Backup menu

3. Click Backup to save a copy of the current settings.
4. Store the .cfg file on a computer on your network. The file holds everything needed to reproduce the firewall's configuration, including the administrator password and VPN keys, so keep it where only administrators can read it.

How to Restore a Configuration from a File

1. Log in to the firewall at its default LAN address of http://192.168.0.

How to Erase the Configuration

It is sometimes desirable to restore the firewall to the factory default settings. This can be done by using the Erase function.
1. To erase the configuration, from the Settings Backup menu, click the Erase button under Revert to factory default settings.
2. The firewall will then reboot automatically. After an erase, the firewall's password will be password, the LAN IP address will be 192.168.0.

Figure 8-9: Diagnostics menu

Upgrading the Router's Firmware

The software of the FVS328 Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from the NETGEAR Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the firewall.

How to Upgrade the Router

1. Download and unzip the new software file from NETGEAR. Obtain it only from the NETGEAR Web site, and back up your settings from the Settings Backup menu before upgrading.
2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever password and LAN address you have chosen for the firewall.
3.
Chapter 9 Troubleshooting This chapter gives information about troubleshooting your FVS328 ProSafe VPN Firewall with Dial Back-up. For the common problems listed, go to the section indicated. • Is the firewall on? • Have I connected the firewall correctly? Go to “Basic Functions” on page 9-1. • I can’t access the firewall’s configuration with my browser. Go to “Troubleshooting the Web Configuration Interface” on page 9-3. • I’ve configured the firewall but I can’t access the Internet.
a. The Test LED is not lit.
b. The Local port Link LEDs are lit for any local ports that are connected.
c. The Internet Link port LED is lit.

If a port's Link LED is lit, a link has been established to the connected device. If a port is connected to a 100 Mbps device, verify that the port's 100 LED is lit. If any of these conditions does not occur, refer to the appropriate following section.

Local or Internet Port Link LEDs Not On

If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following:
• Make sure that the Ethernet cable connections are secure at the firewall and at the hub or computer.
• Make sure that power is turned on to the connected hub or computer.

• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information. If the factory default password still works on a firewall that is already connected to the Internet, change it before doing anything else.

If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following:
• Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you may have incorrectly set the login name and password.
• Your ISP may check for your computer's host name.

How to Test the LAN Path to Your Firewall

You can ping the firewall from your computer to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example: ping 192.168.0.1
3. Click OK.

PING -n 10
where is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
— Check that your PC has the IP address of your firewall listed as the default gateway.

1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
2. Release the Default Reset button and wait for the firewall to reboot.

Problems with Date and Time

The E-mail menu in the Security section displays the current date and time of day. The FVS328 Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet.
Appendix A Technical Specifications

This appendix provides technical specifications for the FVS328 ProSafe VPN Firewall with Dial Back-up.

Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)

Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.

Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B

Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10BASE-T or 100BASE-Tx, RJ-45
Appendix B Firewall Log Formats

Action List
Drop: Packet dropped by Firewall current inbound or outbound rules.
Reset: TCP session reset by Firewall.
Forward: Packet forwarded by Firewall to the next hop based on matching the criteria in the rules table.
Receive: Packet was permitted by the firewall rules and modified prior to being forwarded and/or replied to.

The format is:

The format is:

Other Connections and Traffic to this Router

The format is: < PKT_TYPE >

[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 Destination:192.168.0.

The format is: < SRC_IP>< DST_IP>

[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN Destination:172.31.12.

Access Block Site

If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL contains a specified keyword are logged. The format is:

[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites Source:192.168.0.10,LAN - Destination:www.google.

The format is:

[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error IP:192.168.0.
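As an added example (not NETGEAR code), the following Python script parses the log formats listed in this appendix into structured records and flags the two things a reviewer of these logs looks for first: repeated failed administrator logins from one address, and sources the firewall tagged with a scan signature. The sample log is constructed from the formats above; the second scan's destination port, the blocked hostname and the extra login failures are invented so that the triage functions have something to find.

```python
"""Parser and triage for FVS328-format firewall log lines.

Added example (not NETGEAR code). SAMPLE_LOG is constructed from the formats
in Appendix B; ports, the blocked hostname and repeated failures are invented.
"""
import re
from collections import Counter
from datetime import datetime

# Every entry starts with "[Dow, YYYY-MM-DD HH:MM:SS] - ".
TS_RE = re.compile(r"^\[[A-Za-z]{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] - (?P<rest>.+)$")
ICMP_RE = re.compile(r"^ICMP Packet\[(?P<kind>[^\]]+)\] - Source: ?(?P<src>[\d.]+) "
                     r"Destination: ?(?P<dst>[\d.]+) - \[(?P<action>\w+)\]$")
TCP_RE = re.compile(r"^TCP Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) ,(?P<sif>LAN|WAN) "
                    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) ,(?P<dif>LAN|WAN) "
                    r"\[(?P<action>\w+)\](?: - \[(?P<tag>[^\]]+)\])?$")
BLOCK_RE = re.compile(r"^Attempt to access blocked sites Source:(?P<src>[\d.]+),(?P<sif>LAN|WAN) "
                      r"- Destination:(?P<dst>\S+)$")
# "login successful - IP:" has a dash before IP:, the failure lines do not.
ADMIN_RE = re.compile(r"^Administrator (?P<event>.+?)(?: -)? IP:(?P<src>[\d.]+)$")


def parse_line(line):
    """Return a dict describing one log entry, or None if the line is not understood."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}
    rest = m["rest"]
    for kind, regex in (("icmp", ICMP_RE), ("tcp", TCP_RE),
                        ("blocked_site", BLOCK_RE), ("admin", ADMIN_RE)):
        body = regex.match(rest)
        if body:
            rec["type"] = kind
            rec.update(body.groupdict())
            for port in ("sport", "dport"):
                if rec.get(port) is not None:
                    rec[port] = int(rec[port])
            return rec
    return None


def parse_log(text):
    """Parse every line; lines in an unknown format are skipped rather than raising."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def failed_logins(records, threshold=3):
    """Source IPs with at least `threshold` failed administrator logins."""
    counts = Counter(r["src"] for r in records
                     if r["type"] == "admin" and r["event"].startswith("login fail"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def scan_sources(records):
    """Source IPs the firewall tagged with a scan signature such as "FIN Scan"."""
    return {r["src"] for r in records
            if r["type"] == "tcp" and r.get("tag") and "Scan" in r["tag"]}


# Constructed sample in the Appendix B formats.
SAMPLE_LOG = """\
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN Destination:172.31.12.157,135 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites Source:192.168.0.10,LAN - Destination:www.example.com
[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error IP:192.168.0.10
[Fri, 2003-12-05 21:09:40] - Administrator login fail, Password error IP:192.168.0.10
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} entries; failed logins: {failed_logins(recs)}; scanners: {scan_sources(recs)}")
```

Feed it the body of the e-mailed log (see Chapter 8) or a saved Logs page. The timestamps carry no time zone, so the `time` values are in whatever zone the firewall's Schedule menu was set to; convert them before comparing with logs from other hosts.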
Appendix C Networks, Routing, and Firewall Basics This appendix provides an overview of IP networks, routing, and firewalls. Related Publications As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
Routing Information Protocol

One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVS328 Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 carries subnet mask information with each route and sends its updates by multicast.

Figure 9-1: Three Main Address Classes (Class A, Class B and Class C, each shown as a Network part and a Node part)

The five address classes are:
• Class A: Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
• Class B: Class B addresses can have up to 65,534 hosts on a network.

This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.

Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers, translating to 65,534 usable node addresses. Most organizations do not use that many nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below.

The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.

Table 9-1.
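As an added example (not NETGEAR code) for the subnetting discussion above and for the /24 note in Chapter 7's Scenario 1, the following Python script computes the netmask needed for a requested number of subnets, lists the subnets, and reports the assignable host range of each. It generalises the classful table to any prefix length rather than only Class B and Class C networks. The input networks are constructed for illustration.

```python
"""Subnet-mask arithmetic for the subnetting discussion in Appendix C.

Added example (not NETGEAR code). Reproduces the rule that each borrowed host
bit lengthens the netmask, generalised to any prefix, and enumerates the
resulting subnets. Input networks are constructed for illustration.
"""
import ipaddress


def bits_needed(subnet_count):
    """Host bits to borrow for at least `subnet_count` subnets: ceil(log2(n))."""
    return max(0, (subnet_count - 1).bit_length())


def mask_for_subnets(base_network, subnet_count):
    """Dotted-decimal netmask that splits `base_network` into `subnet_count` subnets.

    Example from the text: a /24 (255.255.255.0) into 16 subnets borrows 4 bits,
    giving /28 = 255.255.255.240."""
    net = ipaddress.ip_network(base_network)
    new_prefix = net.prefixlen + bits_needed(subnet_count)
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"{base_network} cannot be split into {subnet_count} subnets")
    return str(next(net.subnets(new_prefix=new_prefix)).netmask)


def split(base_network, subnet_count):
    """The subnets produced by mask_for_subnets(), as strings in CIDR form."""
    net = ipaddress.ip_network(base_network)
    return [str(s) for s in net.subnets(prefixlen_diff=bits_needed(subnet_count))]


def describe(subnet):
    """Network address, assignable host range, broadcast and usable host count.

    hosts() excludes the all-zeros network address and the all-ones broadcast
    address, matching the text's note that neither is assigned to a host."""
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


if __name__ == "__main__":
    print(mask_for_subnets("192.168.0.0/24", 16))   # the table's example
    for s in split("192.168.0.0/24", 16)[:3]:
        print(describe(s))
```

Because every host on a segment must agree on the mask (see the NETGEAR recommendation that follows), run `describe()` on the subnet you intend to assign and hand out only addresses between `first_host` and `last_host`.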
NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons:
• So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address. In order for this scheme to work, all devices on the segment must agree on which bits comprise the host address.

The router accomplishes this address sharing by translating the internal LAN IP addresses to a single address that is globally unique on the Internet. The internal LAN IP addresses can be either private addresses or registered addresses. For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). The following figure illustrates a single IP address operation.

MAC Addresses and Address Resolution Protocol

An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer.

When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.

What is a Firewall?

A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.

Ethernet Cabling

Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring as described in Table 9-1.

Table 9-1.

Cable Quality

A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (100BASE-TX) the cable must be rated as Category 5, or "Cat 5", by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. A Category 5 cable will meet specified requirements regarding loss and crosstalk.
Appendix D Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVS328 ProSafe VPN Firewall with Dial Back-up and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual In your IP network, each PC and the firewall must be assigned a unique IP addresses. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c.
If you need Client for Microsoft Networks:
a. Click the Add button.
b. Select Client, and then click Add.
c. Select Microsoft.
d. Select Client for Microsoft Networks, and then click OK.
3. Restart your PC for the changes to take effect.
5. Uncheck all boxes in the LAN Internet Configuration screen and click Next.
6. Proceed to the end of the Wizard.
Verifying TCP/IP Properties
After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:
1. On the Windows taskbar, click the Start button, and then click Run.
2. Type winipcfg, and then click OK.
5. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them.
6. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically” is selected.
7. Click OK and close all Network and Dialup Connections windows.
8. Make sure your PC is connected to the firewall, then reboot your PC.
The TCP/IP Control Panel opens:
2. From the “Connect via” box, select your Macintosh’s Ethernet interface.
3. From the “Configure” box, select Using DHCP Server. You can leave the DHCP Client ID box empty.
4. Close the TCP/IP Control Panel.
5. Repeat this for each Macintosh on your network.
MacOS X
1. From the Apple menu, choose System Preferences, then Network.
2.
Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
• The IP Address is between 192.168.0.
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
• An IP address and subnet mask
• A gateway IP address, which is the address of the ISP’s router
• One or more domain name server (DNS) IP addresses
• Host name and domain suffix
For example, your account’s full server names may look like this: mail.xxx.yyy.com
In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
7.
Restarting the Network
Once you have set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVS328 Firewall, you are ready to access and configure the firewall.
Appendix E Virtual Private Networking
There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) using Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication data.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
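To make the ESP and AH layouts described above concrete, here is an added example (not part of the NETGEAR manual) that splits what follows the IP header into the cleartext header fields, the protected data and the integrity check value, and then runs the sliding-window anti-replay check a receiving SA performs on the sequence number. Packets are constructed inline, and a 12-byte ICV (HMAC-SHA-1-96 or HMAC-MD5-96 truncation) is assumed.

```python
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50   # IP protocol number carried in the IP header for ESP
IPPROTO_AH = 51    # IP protocol number for AH


@dataclass
class EspPacket:
    spi: int            # Security Parameters Index, identifies the SA (cleartext)
    seq: int            # sequence number, used for anti-replay (cleartext)
    ciphertext: bytes   # payload + padding + pad length + next header, encrypted
    icv: bytes          # integrity check value, authenticated but not encrypted


def parse_esp(body: bytes, icv_len: int = 12) -> EspPacket:
    """Split what follows the IP header in an ESP packet into its parts.

    icv_len is assumed to be 12 bytes (96-bit truncated HMAC); only the SPI and
    the sequence number are readable without the SA's keys.
    """
    if len(body) < 8 + icv_len:
        raise ValueError("too short to be an ESP packet")
    spi, seq = struct.unpack("!II", body[:8])
    return EspPacket(spi, seq, body[8:len(body) - icv_len], body[len(body) - icv_len:])


def build_esp(spi: int, seq: int, ciphertext: bytes, icv: bytes) -> bytes:
    """Assemble a constructed ESP body (inverse of parse_esp, for sample data)."""
    return struct.pack("!II", spi, seq) + ciphertext + icv


@dataclass
class AhPacket:
    next_header: int    # protocol of the data that follows AH (e.g. 4 = IP-in-IP)
    spi: int
    seq: int
    icv: bytes
    protected: bytes    # upper-layer data, authenticated and sent in the clear


def parse_ah(body: bytes) -> AhPacket:
    """Split what follows the IP header in an AH packet into its parts."""
    if len(body) < 12:
        raise ValueError("too short to be an AH packet")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", body[:12])
    ah_len = (payload_len + 2) * 4      # Payload Len counts 32-bit words minus 2
    if len(body) < ah_len:
        raise ValueError("AH Payload Len exceeds packet size")
    return AhPacket(next_hdr, spi, seq, body[12:ah_len], body[ah_len:])


def build_ah(next_header: int, spi: int, seq: int, icv: bytes, protected: bytes) -> bytes:
    """Assemble a constructed AH body (inverse of parse_ah, for sample data)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv + protected


class ReplayWindow:
    """Sliding-window anti-replay check performed by the receiver of an SA.

    Bit 0 of the bitmap stands for the highest sequence number seen, bit i for
    highest - i; anything older than the window or already marked is rejected.
    A real receiver marks the slot only after the ICV has verified; this
    simplified version marks it as soon as the number is accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                          # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                          # too old, outside the window
        if self.bitmap & (1 << offset):
            return False                          # already seen: a replay
        self.bitmap |= 1 << offset
        return True


def receive_esp(window: ReplayWindow, body: bytes, icv_len: int = 12):
    """Receiver-side view: parse the header, then run the anti-replay check."""
    pkt = parse_esp(body, icv_len)
    return pkt, window.accept(pkt.seq)
```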
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly.
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently, so that the parties can communicate securely with each other.
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
Table 9-2. WAN (Internet/Public) and LAN (Internal/Private) Addressing
Gateway     LAN or WAN       VPNC Example Address
Gateway A   LAN (Private)    10.5.6.1
Gateway A   WAN (Public)     14.15.16.17
Gateway B   LAN (Private)    22.23.24.25
Gateway B   WAN (Public)     172.23.9.1
It will also be important to know the subnet mask of both gateway LAN connections.
Table 9-3.
Figure E-5: VPN Tunnel SA
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I.
a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties.
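Steps b and c above, carried through in code as an added example that is not from the manual: each peer does a Diffie-Hellman exchange, then derives the RFC 2409 Phase 1 keying material (SKEYID and its derivatives) with the pre-shared key, which is why a key that differs on the two gateways leaves them with different keys and no tunnel. The group is a constructed small safe prime standing in for MODP group 1 (assumption, not a real IKE group), and the cookies and nonces are generated inline.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass, field


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test with a repeatable witness choice."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int) -> int:
    """Search for a safe prime p = 2q + 1 of the given size.

    Constructed stand-in for the 768-bit MODP group 1 prime: deterministic so
    that every run uses the same group, and far too small to be secure.
    """
    rng = random.Random(2004)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf when SHA-1 is negotiated: HMAC-SHA-1 (RFC 2409)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass
class Party:
    """One IKE peer: its ISAKMP cookie, nonce and Diffie-Hellman key pair."""
    p: int
    g: int
    psk: bytes
    cookie: bytes = field(default_factory=lambda: secrets.token_bytes(8))
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def __post_init__(self):
        self.x = secrets.randbelow(self.p - 2) + 1   # private exponent (step c)
        self.public = pow(self.g, self.x, self.p)    # g^x, sent to the peer


def phase1_keys(me: Party, peer_public: int, ni: bytes, nr: bytes,
                cky_i: bytes, cky_r: bytes) -> dict:
    """Derive the RFC 2409 Phase 1 keying material for pre-shared key authentication."""
    width = (me.p.bit_length() + 7) // 8
    gxy = pow(peer_public, me.x, me.p).to_bytes(width, "big")   # shared DH secret
    skeyid = prf(me.psk, ni + nr)        # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase 2
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # authenticates IKE
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts IKE
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_phase1(psk_initiator: bytes, psk_responder: bytes, bits: int = 128):
    """Run steps b and c for an initiator and a responder; return both key sets."""
    p, g = toy_safe_prime(bits), 2
    initiator = Party(p, g, psk_initiator)
    responder = Party(p, g, psk_responder)
    # Each side computes only from what crossed the wire: the peer's g^x,
    # both nonces and both cookies. The private exponents never leave a side.
    keys_i = phase1_keys(initiator, responder.public, initiator.nonce, responder.nonce,
                         initiator.cookie, responder.cookie)
    keys_r = phase1_keys(responder, initiator.public, initiator.nonce, responder.nonce,
                         initiator.cookie, responder.cookie)
    return keys_i, keys_r


if __name__ == "__main__":
    same = run_phase1(b"hr5xb84l6aa9r6", b"hr5xb84l6aa9r6")
    print("matching PSK, key sets agree:", same[0] == same[1])
    diff = run_phase1(b"hr5xb84l6aa9r6", b"wrong-key")
    print("mismatched PSK, key sets agree:", diff[0] == diff[1])
```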
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting
Once you have completed the VPN configuration steps, you can use PCs located behind each of the gateways to ping various addresses on the LAN side of the other gateway.
Appendix F NETGEAR VPN Configuration FVS318 or FVM318 to FVS328
This appendix provides a case study on how to configure a secure IPSec VPN tunnel between a NETGEAR FVS318 or FVM318 and a FVS328. The configuration options and screens for the FVS318 and FVM318 are the same.
Configuration Profile
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process.
Figure F-1: Addressing and Subnet Used for Examples (VPNC example network interface addressing: Gateway A LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP 14.15.16.17; Gateway B WAN IP 22.23.24.25, LAN IP 172.23.9.1, LAN 172.23.9.0/24)
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
1. Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration. Out of the box, the FVS318 or FVM318 is set for its default LAN address of http://192.
2. Click the VPN Settings link on the left side of the Settings management GUI. Click the radio button of the first available VPN leg (all 8 links are available in the example). Click the Edit button below. This will take you to the VPN Settings – Main Mode Menu.
– Choose a subnet from local address from the Tunnel can access pull-down menu.
– Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field.
– Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN Finish IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.
Step-By-Step Configuration of FVS328 Gateway B
1. Log in to the NETGEAR FVS328 labeled Gateway B as in the illustration. Out of the box, the FVS328 is set for its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 172.23.9.1 for Gateway B and have set your own user name and password.
2.
Figure F-6: NETGEAR FVS328 IKE Policy Configuration – Part 2
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both gateways.
3.
Figure F-8: NETGEAR FVS328 VPN – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used “to318” as the Policy Name. In the Policy Name field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step – this being the FVS318 IKE Policy.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field.
Figure F-9: NETGEAR FVS328 VPN – Auto Policy (part 2)
5.
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
– Type the finishing LAN IP Address of Gateway A (0.0.0.
Figure F-10: NETGEAR FVS328 VPN Policies Menu (Post Configuration)
6. When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button.
Test the VPN Connection
1. From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the remote FVS328 Gateway B LAN Interface address (example address 172.23.9.1).
2.
Appendix G NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
This appendix provides a case study on how to configure a VPN tunnel between a NETGEAR FVS318 or FVM318 and a FVS328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. The configuration screens and settings for the FVS318 and FVM318 are the same.
Configuration Profile
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
Figure G-1: Addressing and Subnet Used for Examples (VPNC example network interface addressing: Gateway A LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP FQDN netgear.dydns.org; Gateway B WAN IP 22.23.24.25, LAN IP 172.23.9.1, LAN 172.23.9.0/24)
Using DDNS and Fully Qualified Domain Names (FQDN)
Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing.
DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN tunnel. In order to establish VPN connectivity, Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider.
4. Select the Use a dynamic DNS service radio button for the service you are using. In this example we are using www.DynDNS.org as the service provider.
5.
– Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. In this example we are using dyndns.org as the domain suffix.
– Type the User Name for your dynamic DNS account.
Figure G-4: NETGEAR FVS318 VPN Settings (part 1) – Main Mode
– In the Connection Name box, enter a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used toFVS328.
– Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used netgear.dyndns.
– Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN Finish IP Address field.
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field.
– Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field.
Step-By-Step Configuration of FVS328 Gateway B
1. Log in to the NETGEAR FVS328, labeled Gateway B in the illustration. Out of the box, the FVS328 is set for its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 172.23.9.1 for Gateway B.
2.
Figure G-7: NETGEAR FVS328 IKE Policy Configuration – Part 2
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
– In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both gateways.
3.
Figure G-9: NETGEAR FVS328 VPN – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name. In the Policy Name field type to318.
– From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step – the FVS318 IKE Policy.
Figure G-10: NETGEAR FVS328 VPN – Auto Policy (part 2)
5.
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
– Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
– Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Remote IP Finish IP Address field.
– Type the LAN Subnet Mask of Gateway A (255.255.255.
Figure G-11: NETGEAR FVS328 VPN Policies Menu (Post Configuration)
6. When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button.
Test the VPN Connection
1. From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the remote FVS328 Gateway B LAN Interface address (example address 172.23.9.1).
2.
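The Auto Policy traffic selectors entered in Appendix F and Appendix G (Start IP, Finish IP of 0.0.0.0 and Subnet Mask for both the local and remote side, plus the Enable check box) decide which packets go through the tunnel. This added example, not from the manual, models those form fields with the manual's example addresses and checks two things the ping test depends on: that a given packet is claimed by the policy, and that Gateway A's policy is the exact mirror of Gateway B's. The address-type names and the policy name toFVS328 for Gateway A's side are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """The set of addresses one Auto Policy traffic selector covers."""
    networks: tuple   # IPv4Network objects

    def contains(self, addr: str) -> bool:
        ip = ipaddress.IPv4Address(addr)
        return any(ip in net for net in self.networks)


def selector(addr_type: str, start: str, finish: str = "0.0.0.0",
             mask: str = "255.255.255.255") -> Selector:
    """Build a selector from the Start IP / Finish IP / Subnet Mask form fields.

    For "Subnet address" the form's Finish IP stays 0.0.0.0 and the subnet is
    derived from the Start IP and the mask, which is why 10.5.6.1 with
    255.255.255.0 covers all of 10.5.6.0/24.
    """
    if addr_type == "Single address":
        return Selector((ipaddress.IPv4Network(start),))
    if addr_type == "Subnet address":
        return Selector((ipaddress.IPv4Network(f"{start}/{mask}", strict=False),))
    if addr_type == "IP range":
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(finish)
        return Selector(tuple(ipaddress.summarize_address_range(first, last)))
    raise ValueError(f"unknown address type {addr_type!r}")


@dataclass(frozen=True)
class VpnPolicy:
    name: str
    local: Selector        # Traffic Selector Local IP
    remote: Selector       # Traffic Selector Remote IP
    enabled: bool = True   # the Enable check box on the VPN Policies menu


def matches(policy: VpnPolicy, src: str, dst: str) -> bool:
    """True if the policy would send a packet from src to dst through the tunnel."""
    return policy.enabled and policy.local.contains(src) and policy.remote.contains(dst)


def disposition(policies, src: str, dst: str) -> str:
    """Name of the first policy that claims the packet, or 'clear' if none does."""
    for policy in policies:
        if matches(policy, src, dst):
            return policy.name
    return "clear"


def mirrors(a: VpnPolicy, b: VpnPolicy) -> bool:
    """Check that the two gateways' selectors are exact mirror images.

    An asymmetric pair is a common reason the ping test works in only one direction.
    """
    return a.local == b.remote and a.remote == b.local


# Gateway B (FVS328) policy "to318", built from the manual's example addresses.
GATEWAY_B = VpnPolicy(
    "to318",
    local=selector("Subnet address", "172.23.9.1", "0.0.0.0", "255.255.255.0"),
    remote=selector("Subnet address", "10.5.6.1", "0.0.0.0", "255.255.255.0"),
)
# Gateway A (FVS318 or FVM318) side, configured as the mirror image.
GATEWAY_A = VpnPolicy(
    "toFVS328",
    local=selector("Subnet address", "10.5.6.1", "0.0.0.0", "255.255.255.0"),
    remote=selector("Subnet address", "172.23.9.1", "0.0.0.0", "255.255.255.0"),
)
```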
Appendix H NETGEAR VPN Client to the NETGEAR FVS328
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVS328. This case study follows the Virtual Private Network Consortium (VPNC) interoperability profile guidelines. The menu options for the FVS328, FVL328, and FWAG114 are the same.
Profile: Traveling User or Telecommuter at Home
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
Figure H-1: Addressing and Subnet Used for Examples (network addresses of the gateway and the client: the FVS328 gateway's WAN IP and LAN IP, and the client's WAN IP; a travelling user or telecommuter at home directly using a PC with the NETGEAR ProSafe VPN client)
Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVS328.asp. VPNC Interoperability guidelines can be found at http://www.vpnc.
2. Click IKE Policies under the VPN menu and click Add on the IKE Policies Menu.
Figure H-2: NETGEAR FVS328 IKE Policy Configuration
– Enter a descriptive name for the policy in the Policy Name field. This name is not supplied to the remote VPN endpoint. It is used to help you manage the IKE policies. In our example, we used VPNclient as the Policy Name.
– From the Direction/Type drop-down box, select Remote Access.
– From the Local Identity drop-down box, select Fully Qualified Domain Name (the actual WAN IP address of the FVS328 will also be used in the Connection ID Type fields of the VPN Client as seen in “Security Policy Editor New Connection” on page H-8).
3. Click the VPN Policies link under the VPN category on the left side of the main menu. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN – Auto Policy.
Figure H-3: NETGEAR FVS328 VPN – Auto Policy General settings
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example, we use VPNclient as the Policy Name.
– From the Remote VPN Endpoint Address Type drop-down box, select IP Address.
– Type 0.0.0.0 as the Address Data of the client because we are assuming the remote PC will have a dynamically assigned IP address. This will also be entered in the VPN Client Internal Network IP Address field, as seen in “My Identity” on page H-9.
– Type 86400 in the SA Life Time (Seconds) field.
– Select Enable Authentication in the ESP Configuration Enable Authentication check box.
Note: Do not confuse this with the Authentication Protocol (AH) option. Using the AH option will prevent clients behind a home NAT router from connecting.
– From the ESP Configuration Authentication Algorithm drop-down box, select SHA-1.
Note: Before installing the Netgear VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC.
• You may need to insert your Windows CD to complete the installation.
• Reboot your PC after installing the client software.
2. Configure the Connection Network Settings.
Figure H-4: Security Policy Editor New Connection
a.
Note: If the configuration settings on this screen are not available for editing, go to the Options menu, select Secure, and Specified Options to enable editing these settings.
From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears. Rename the “New Connection” to FVS328.
b. Ensure that the following settings are configured:
3.
b. Click Pre-Shared Key. In this example, enter this pre-shared key in this field: hr5xb84l6aa9r6
Figure H-8: Connection Identity Pre-Shared Key
c. Enter hr5xb84l6aa9r6, which is the same Pre-Shared Key entered in the FVS328.
d. Click OK.
4. Configure the Connection Identity Settings.
a. In the Network Security Policy list, click the Security Policy subheading.
Figure H-9: Security Policy
b.
5. Configure the Connection Security Policy
In this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange (Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.
Figure H-10: Connection Security Policy Authentication (Phase 1)
a. Configure the Authentication (Phase 1) Settings.
Figure H-11: Connection Security Policy Key Exchange (Phase 2)
b. Configure the Key Exchange (Phase 2).
• Expand the Key Exchange (Phase 2) heading, and click on Proposal 1.
• For this example, ensure that the following settings are configured:
– In the SA Life menu, select Unspecified.
– In the Compression menu, select None.
– Check the Encapsulation Protocol (ESP) check box.
– In the Encrypt Alg menu, select Triple DES.
6. Configure the Global Policy Settings.
a. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.
Figure H-12: Security Policy Editor Global Policy Options
b. Increase the Retransmit Interval period to 45 seconds.
c. Select the Allow to Specify Internal Network Address check box and click OK.
7. Save the VPN Client Settings.
Testing the VPN Connection
You can test the VPN connection in several ways:
• From the client PC to the FVS328
• From the FVS328 to the client PC
These procedures are explained below.
Note: Virus protection or firewall software can interfere with VPN communications.
To test the connection to a computer connected to the FVS328, simply ping the IP address of that computer. Once connected, you can open a browser on the remote PC and enter the LAN IP Address of the FVS328, which is http://192.168.0.1 in this example. After a short wait, you should see the login screen of the FVS328.
A sample Connection Monitor screen for a different connection is shown below:
Figure H-14: Connection Monitor screen
In this example the following connection options apply:
• The FVS328 has a public IP WAN address of 66.120.188.153
• The FVS328 has a LAN IP address of 192.168.0.1
• The VPN client PC is behind a home NAT router and has a dynamically assigned address of 192.168.0.
The FVS328 VPN Status screen for a successful connection is shown below:
Figure H-15: FVS328 VPN Status screen
Glossary
10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
3DES
3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys.
802.11b
IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz.
DHCP
See Dynamic Host Configuration Protocol.
DMZ
A Demilitarized Zone is used by a company that wants to host its own Internet services without exposing its private network to unauthorized access. The DMZ sits between the Internet and an internal network's line of defense, usually some combination of firewalls and bastion hosts.
IP Address
A four-position number uniquely defining each host on the Internet. Ranges of addresses are assigned by Internic, an organization formed for this purpose. Usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57).
IPSec
Internet Protocol Security. IPSec is a series of guidelines for securing private information transmitted over public networks.
NetBIOS
Network Basic Input Output System. An application programming interface (API) for sharing services and information on local-area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length. NetBIOS is needed to run Microsoft networking functions such as Network Neighborhood.
RFC
Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org.
RIP
See Routing Information Protocol.
router
A device that forwards data between networks. An IP router forwards data based on IP source and destination addresses.
Routing Information Protocol
RIP.
Index
A
Account Name 3-8, 3-9, 3-15
Address Resolution Protocol C-9
Addressing E-7
Austria 3-15
Authentication Header (AH) E-3, E-4
Auto Uplink 2-3
B
backup configuration 8-11
BigPond 3-15
C
D
daylight savings time 6-14
Default DMZ Server 5-5
default reset button 9-7
Denial of Service (DoS) protection 2-2
denial of service attack C-11
DHCP 2-3, 5-2, C-10
DHCP Client ID D-7
DHCP Setup field, Ethernet Setup menu 8-4
Disabling NAT 3-15
DMZ Server 5-5
DNS Proxy 2-4
DNS server 3-8, 3-9, 3-15, D-11
DNS, dynami
F
firewall features 2-2
FLASH memory 8-14
FQDN 2-2
Fully Qualified Domain Name 2-2
G
General 7-4, 7-7, 7-11
H
host name 3-8, 3-9, 3-15
I
IANA, contacting C-2
IETF C-1, Web site address C-7
inbound rules 6-8
IPSec SA negotiation E-9
IPSec Security Features E-2
ISP 3-1
L
LAN IP Setup Menu 5-3
LEDs, description 2-6, troubleshooting 9-3
log sending 8-10
Log Viewer H-15
M
MAC address 9-7, C-9, spoofing 3-9, 3-16, 9-5
Macintosh D-10, configuring for IP networking D-6, DHCP Client ID D-7, Obtaining ISP C
O
inbound 6-8
outbound 6-11
outbound rules 6-11
P
package contents 2-5
password, restoring 9-7
PC, using to configure D-12
ping 5-6
PKIX 7-25
port filtering 6-11
port forwarding behind NAT C-8
port numbers 6-5
PPP over Ethernet 2-4, D-9
PPPoE 2-4, 3-8, D-9
PPTP 3-15
Primary DNS Server 3-8, 3-9, 3-10, 3-15
protocols: Address Resolution C-9, DHCP 2-3, C-10, Routing Information 2-3, C-2, support 2-3, TCP/IP 2-3
S
SA E-4
Scope of Document 1-1
Secondary DNS Server 3-8, 3-9, 3-10, 3-15
Serial 3-3, 3-10, 3-12, 4-2
s
U
Uplink switch C-12
USB D-9
V
Virtual Private Networking 2-3
VPN E-1
VPN Consortium E-6
VPN Process Overview E-7
VPNC IKE Phase I Parameters E-10
VPNC IKE Phase II Parameters E-11
W
Windows, configuring for IP routing D-2, D-5
winipcfg utility D-5
WinPOET D-9
World Wide Web 1-iii