FVX538 Reference Manual
Page 9
ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25...VPN Wizard for Client and Gateway Configurations 5-3 Creating Gateway to Gateway VPN Tunnels with the Wizard 5-3 Creating a Client to Gateway VPN Tunnel 5-6 Use the VPN Wizard Configure the Gateway for a Client Tunnel 5-7 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection 5-8 Testing the Connections and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 FVX538 VPN...
FVX538 Reference Manual
Page 10
ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig) 5-29 Mode Config Operation 5-29 Configuring the VPN Firewall 5-30 Configuring the ProSafe VPN Client for ModeConfig 5-33 Chapter 6 Router and Network Management Performance Management 6-1 Bandwidth Capacity 6-1 VPN Firewall Features That Reduce Traffic 6-2 Service...
FVX538 Reference Manual
Page 17
..., plus 1 Gigabit Switch port. • One console port for local management. Chapter 1 Introduction The ProSafe VPN Firewall 200 with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice,...within minutes. The FVX538 is a complete security solution that can establish restricted access policies based on page 1-9 Key Features The VPN firewall provides the following sections: • "Key Features" on page 1-1 • "Package Contents" on page 1-5 • "Router Front and Rear...
FVX538 Reference Manual
Page 21
... remote reboot. • Remote Management. Application Notes and other helpful information. - ProSafe VPN Client Software - Maintenance and Support NETGEAR offers the following items: • ProSafe VPN Firewall 200. • AC power cable. • 19-inch rack mounting hardware and rubber feet. • Category 5 (Cat5) Ethernet cable. • Installation Guide, FVX538 ProSafe VPN Firewall 200 • Resource CD, including: - ProSafe VPN Firewall 200 FVX538 Reference Manual • Diagnostic Functions.
FVX538 Reference Manual
Page 77
...mode, all packets going to the Remote VPN Gateway are sent to random ports on the WAN (placing this router between two VPN end points), encrypted packets are first filtered through . Tunnels can be : - For example, if a VPN Client or Gateway on the LAN side of service... the submenu and then the Attack Checks tab. ProSafe VPN Firewall 200 FVX538 Reference Manual • LAN Security Checks. Check the radio boxes of UDP packets to this router filters the encrypted packets through NAT, the packets become invalid unless VPN Pass through is listening at that port, (2) see...
FVX538 Reference Manual
Page 107
... the wizard to configure a VPN tunnel between 2 VPN gateways • Using the wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. ProSafe VPN Firewall 200 FVX538 Reference Manual Using the VPN Wizard for the various VPN scenarios. Tip: When using...
FVX538 Reference Manual
Page 108
... modify these settings after completing the wizard, you must be entered both here and on the remote VPN gateway, or the remote VPN client. is set up the VPN policy with rollover enabled. 6. Choose which will not set to use as your connection type. 3....March 2009 Create a Connection Name. Enter a Pre-shared Key. This allows the VPN tunnel to roll over when the WAN Mode is not supplied to enable VPN rollover. ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select VPN > IPsec VPN > VPN Wizard to help you are using a dual WAN rollover configuration, after completing the ...
FVX538 Reference Manual
Page 110
...ProSafe VPN Firewall 200 FVX538 Reference Manual After both firewalls are appropriately configured and enabled, Note: When using FQDN, if the dynamic DNS service is slow to update their servers when your DHCP WAN address changes, the VPN tunnel will automatically establish when both the local and target gateway policies are configured, go to VPN > IPsec VPN... Private Networking Creating a Client to Gateway VPN Tunnel Figure 5-7 Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to an ...
FVX538 Reference Manual
Page 111
...; Local identifier Figure 5-8 2. it is not supplied to form FQDNs used in the VPN client software. Virtual Private Networking 5-7 v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual Use the VPN Wizard Configure the Gateway for your VPN tunnel connection. 3. This descriptive name is only for a Client Tunnel 1. In this example, we are using GW1_remote.com, and GW1_local.com...
FVX538 Reference Manual
Page 112
... enabled. Figure 5-10 5-8 Virtual Private Networking v1.0, March 2009 Click Apply to the FVX538. ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Figure 5-9 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure a VPN client policy to connect to save your settings: the VPN Policies page shows the policy is enabled. Right-click on the...
FVX538 Reference Manual
Page 116
... 5-14 Within 30 seconds you should say On: 5-12 v1.0, March 2009 Virtual Private Networking NETGEAR VPN Client Status and Log Information To test a client connection and view the status and log information, follow these steps. 1. ProSafe VPN Firewall 200 FVX538 Reference Manual Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVX538 provide VPN connection and status information.
FVX538 Reference Manual
Page 117
Figure 5-17 Virtual Private Networking v1.0, March 2009 5-13 To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-16 • Right-click the VPN Client icon in the system tray and select Log Viewer. ProSafe VPN Firewall 200 FVX538 Reference Manual 2.
FVX538 Reference Manual
Page 118
Table 5-2. Figure 5-18 5-14 v1.0, March 2009 Virtual Private Networking The client policy is deactivated. A flashing vertical bar indicates traffic on the tunnel. FVX538 VPN Connection Status and Logs To view FVX538 VPN connection status, go to VPN > Connection Status. System Tray Icon Status The client policy is activated and connected. The client policy is deactivated but not connected. ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN client system tray icon provides a variety of status indications, which are listed below.
FVX538 Reference Manual
Page 127
... more gateway tunnels terminate. Figure 5-21 Extended Authentication (XAUTH) Configuration When connecting many VPN clients to be used as a RADIUS server, provides a method for all clients. To upload a Certificate Identify to the CRL list. The Certificates screen will appear...of the CA which issued this is selected, the router is enabled when adding or editing an IKE Policy. ProSafe VPN Firewall 200 FVX538 Reference Manual • CA Identify - Although the administrator could configure a unique VPN policy for the VPN gateway router to upload" field. If this CRL. •...
FVX538 Reference Manual
Page 128
...be authenticated against the router's user database. When this router as a VPN concentrator where one or more gateway tunnels terminate. Select VPN from the main menu and Policies from the pull-down menu which will first check the local User Database for VPN Clients Once the XAUTH has... on the Local Database to be configured when XAUTH is not present, the router will then connect to use by clicking Add. 3. Users must enable a RADIUS-CHAP or RADIUS-PAP server. ProSafe VPN Firewall 200 FVX538 Reference Manual • IPSec Host. If you must be associated with this ...
FVX538 Reference Manual
Page 129
If the user account is selected, the router will display. 2. Whether or not you use an external RADIUS server, you want some users to be added to the User Name database. These users ... server (see if the user credentials are available. ProSafe VPN Firewall 200 FVX538 Reference Manual - If RADIUS-PAP is not present, the router will be authenticated by the RADIUS server) to see "RADIUS Client Configuration" on the authentication mode accepted by the remote gateway. Select VPN from the main menu and VPN Client from the submenu. To add a new user...
FVX538 Reference Manual
Page 131
...Configured Users table. To configure the Primary RADIUS Server: 1. The RADIUS Client screen will display. 2. Select VPN from the main menu, VPN Client from the submenu and then select the RADIUS Client tab. At that point, the remote user must provide authentication information such ... information, and can validate a user at the request of a VPN connection, the VPN gateway can interrupt the process with an XAUTH (eXtended AUTHentication) request. The Edit User screen will display. 2. ProSafe VPN Firewall 200 FVX538 Reference Manual To edit the user name or password: 1. Click Edit...
FVX538 Reference Manual
Page 133
... Config module will allocate an IP address from the router. Virtual Private Networking v1.0, March 2009 5-29 Click Apply to the previous settings. 10. LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation ... you must go to the IKE Policies menu and configure an IKE policy using these IP addresses. • NETGEAR ProSafe VPN Firewall 200 - Remote users are given IP addresses available in the Mode Config record. WAN IP address: 172.21.4.1 - ProSafe VPN Firewall 200 FVX538 Reference Manual 9.
FVX538 Reference Manual
Page 134
... Table (a sample record is your local network IP addresses. The Mode Config screen will default to which the remote client will display. 3. Enter one range of the router.) 9. Click Add. ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring the VPN Firewall Two menus must be configured-the Mode Config menu and the IKE Policies menu. Enter a descriptive Record Name...
FVX538 Reference Manual
Page 136
... also be configured in verifying credentials of the remote VPN client. b. For Local information: d. XAUTH is disabled by the remote gateway). 9. If the user account is not used as a VPN concentrator where one or more gateway tunnels terminate. (...router will be used in the Remote Identity Data field that will need to specify the user name and password to be authenticated by any other IKE policies. These settings must be associated with the IKE policy. Specify the IKE SA parameters. Recommended settings are available. ProSafe VPN Firewall 200 FVX538...