FVS338 Reference Manual
Page 9
... Gateway Configurations 5-2 Creating Gateway to Gateway VPN Tunnels with the Wizard 5-2 Creating a Client to Gateway VPN Tunnel 5-5 Use the VPN Wizard Configure the Gateway for a Client Tunnel 5-6 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection 5-7 Testing the Connections and Viewing Status Information 5-11 NETGEAR VPN Client Status and Log Information 5-11 FVS338 VPN Connection Status and Logs 5-13 IKE...
FVS338 Reference Manual
Page 20
... parts are incorrect, missing, or damaged, contact your NETGEAR dealer. ProSafe VPN Client Software - Router Front Panel The ProSafe VPN Firewall 50 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. FVS338 ProSafe VPN Firewall 50 Reference Manual Package Contents The product package should contain the following items: • ProSafe VPN Firewall 50. • AC power adapter. • Category 5 Ethernet cable...
FVS338 Reference Manual
Page 65
FVS338 ProSafe VPN Firewall 50 Reference Manual When the victimized system is flooded, it is forced to send many ICMP packets, eventually making the attacker's network location anonymous. Check the radio boxes of this router wants to connect to another VPN endpoint on the WAN (placing this router between two VPN end points... do not reach him, thus making it unreachable by other clients. When the router is enabled. The Attack Checks screen will pass the VPN traffic without any filtering. Select Security from the main menu, Firewall Rules from a single computer on the LAN side of the...
FVS338 Reference Manual
Page 94
... following scenarios: • Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client Configuring a VPN tunnel connection requires that promotes multi-vendor VPN interoperability. The section below provides wizard and NETGEAR VPN Client configuration procedures for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. FVS338 ProSafe VPN Firewall 50 Reference Manual Table 5-1 summarizes the WAN addressing requirements for...
FVS338 Reference Manual
Page 95
... remote VPN client. Enter the Remote and Local WAN IP Addresses or Internet Names of 8 characters and should not exceed 49 characters. 5. Select VPN > IPsec VPN > VPN Wizard to help you manage the VPN settings; Select Gateway as your local WAN address are required. To view the wizard default settings, click the VPN Default values link. FVS338 ProSafe VPN Firewall 50 Reference...
FVS338 Reference Manual
Page 97
... update interval, set it to the gateway. Creating a Client to Gateway VPN Tunnel Figure 5-6 Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to an appropriately short time. Virtual Private Networking 5-5 v1.0, March 2009 FVS338 ProSafe VPN Firewall 50 Reference Manual The tunnel will automatically establish when...
FVS338 Reference Manual
Page 98
... model number of your gateway to the remote VPN client; Enter a Pre-shared Key; The key length must also be 8 characters minimum and cannot exceed 49 characters. 5. in the VPN client software. The public Remote and Local Identifier are...The VPN Wizard displays. • VPN Client connection • Connection name • Pre-shared key: r3m0+eC1ient • Remote identifier • Local identifier Figure 5-7 2. This descriptive name is only for a Client Tunnel 1. FVS338 ProSafe VPN Firewall 50 Reference Manual Use the VPN Wizard Configure the Gateway for your VPN tunnel...
FVS338 Reference Manual
Page 99
... the VPN client icon in your VPN client. 1. Follow these steps to the FVS338. Figure 5-8 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure a VPN client policy to connect to configure your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is now enabled. FVS338 ProSafe VPN Firewall 50 Reference...
FVS338 Reference Manual
Page 103
... on the VPN client icon in the system tray should receive the message "Successfully connected to My Connections\gw1". NETGEAR VPN Client Status and Log Information To test a client connection and view the status and log information, follow these steps. 1. FVS338 ProSafe VPN Firewall 50 Reference Manual Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVS338 provide VPN connection and...
FVS338 Reference Manual
Page 104
To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-16 5-12 v1.0, March 2009 Virtual Private Networking FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Figure 5-15 • Right-click the VPN Client icon in the system tray and select Log Viewer.
FVS338 Reference Manual
Page 105
FVS338 ProSafe VPN Firewall 50 Reference Manual The VPN client system tray icon provides a variety of status indications, which are listed below. The client policy is deactivated but not connected. A flashing vertical bar indicates traffic on the tunnel. Figure 5-17 Virtual Private Networking v1.0, March 2009 5-13 The client policy is activated and connected. FVS338 VPN Connection Status and Logs To view FVS338 VPN connection status, go to VPN > Connection Status. System Tray Icon Status The client policy is deactivated. Table 5-2.
FVS338 Reference Manual
Page 110
... RADIUS-CHAP. • IPSec Host. Extended Authentication (XAUTH) Configuration When connecting many VPN clients to a VPN gateway router, an administrator may want authentication by the remote gateway, enter a User Name and Password to a RADIUS server. 5-18 v1.0, March 2009 Virtual Private Networking FVS338 ProSafe VPN Firewall 50 Reference Manual • Endpoint. Two types of the SA. Although the administrator...
FVS338 Reference Manual
Page 111
...an existing IKE Policy to add XAUTH, if it is in the information user name and password associated with the IKE policy for VPN Clients Once the XAUTH has been enabled, you must enable a RADIUS-CHAP or RADIUS-PAP server. In the Extended Authentication section, ... User Database to add a RADIUS server. You can modify the IKE Policy. FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring XAUTH for authenticating this option is not present, the router will then connect to the RADIUS server (see "RADIUS Client Configuration" on page 5-21). • IPSec Host if you will be used ...
FVS338 Reference Manual
Page 112
...v1.0, March 2009 Virtual Private Networking These users must be used to the User Database Configured Users table. Select VPN from the main menu and VPN Client from the submenu. Enter a Password for use an external RADIUS server, you may want to save your settings... will be added to configure and administer VPN Client users for the user, and reenter the password in the User Name field of a user which will display. 2. Figure 5-19 User Database Configuration The User Database Screen is the unique ID of the VPN client. 3. FVS338 ProSafe VPN Firewall 50 Reference Manual 4.
FVS338 Reference Manual
Page 114
... the router should be configured on both client and server. 5. Click Apply to the previous settings. 10. In a RADIUS transaction, the NAS must be configured on the configuration of the VPN Client screen. 5-22 v1.0, March 2009 Virtual Private Networking Set the Maximum Retry Count. Enter the Primary Server NAS Identifier (Network Access Server). FVS338 ProSafe VPN Firewall 50...
FVS338 Reference Manual
Page 115
FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 5-21 Assigning IP Addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the router. LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Virtual Private Networking v1.0, March 2009 5-23 Remote users are given IP addresses...
FVS338 Reference Manual
Page 116
...an IKE policy using the template security proposal information configured in the First IP Pool field to give to remote VPN clients. Enter one range of the remote VPN client, 8. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must be edited...Config record as "Remote Users". 4. Enter a descriptive Record Name such as the Remote Host Configuration Record. FVS338 ProSafe VPN Firewall 50 Reference Manual ModeConfig Operation After IKE Phase 1 is your router's LAN subnet, such as 192.168.2.1/255.255.255.0. (If not specified, it will have a ...
FVS338 Reference Manual
Page 117
... v1.0, March 2009 5-25 Specify the VPN policy settings. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 10. From the main menu, select VPN. These settings must match the configuration of... IKE Policies Table. The IKE Policies screen will display showing the current policies in the VPN Remote Host Mode Config Table (a sample record is shown below). The new record should appear in the List of the remote VPN client. FVS338 ProSafe VPN Firewall 50...
FVS338 Reference Manual
Page 118
... requires that both ends of the local identifier in the VPN client configuration. These settings must specify the Authentication Type to be used as "salesperson". When this router as part of the remote VPN client. Enable Mode Config by the remote gateway. Set Direction/... of the remote identifier in the VPN client configuration. 6. Enter a Pre-Shared Key that is disabled by any other IKE policies. b. Select Fully Qualified Domain Name for the Local Identity Type. Specify the IKE SA parameters. In the General section: a. FVS338 ProSafe VPN Firewall 50 Reference Manual 2.
FVS338 Reference Manual
Page 120
...Editor window, click the New Policy editor icon. f. From the left of the VPN firewall (this example it is the LAN network IP address of the VPN firewall; Give the connection a descriptive name such as "modecfg_test" (this example it ...will only be used internally). To configure the client PC: 1. FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. Right-click the VPN client icon in the FVS338 IKE menu. 5-28 v1.0, March 2009 ...