SRXN3205 Reference Manual
Page 9
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Restricting Wireless Access by MAC Address 4-18 Chapter 5 Firewall Security and Content Filtering About Firewall Security and Content Filtering 5-1 Using Rules & Services to Block or Allow Traffic 5-2 Services-Based Rules 5-2 Viewing the Firewall Rules 5-7 Order of Precedence for Rules 5-7 Setting the Outbound Policy 5-7 Creating a LAN WAN Outbound Services Rule 5-8 Creating a LAN WAN Inbound...
SRXN3205 Reference Manual
Page 10
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Testing the Connection 6-11 Managing VPN Tunnel Policies 6-11 About IKE ...6-12 Managing IKE Policies 6-12 About the IKE Policy Table 6-13 VPN Policy ...6-15 VPN Tunnel Connection Status 6-16 Manually Assigning IP Addresses to Remote Users (ModeConfig) 6-17 Mode Config Operation 6-17 Configuring the VPN Firewall 6-17 Configuring the ProSafe VPN Client for ModeConfig 6-20 Extended Authentication (XAUTH) Configuration 6-22 Configuring XAUTH...
SRXN3205 Reference Manual
Page 103
... multi-vendor VPN interoperability. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 6 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Wireless-N VPN Firewall to provide secure, encrypted communications between a VPN gateway and a VPN client Virtual Private Networking Using IPsec 6-1 v1.0, October 2008 The section below provides wizard and NETGEAR VPN Client configuration procedures...
SRXN3205 Reference Manual
Page 105
...by the Wizard. If this information is used for additional settings configured by your SRXN3205. but could be 192.168.1.x. If you do modify those settings, you will ...Click Apply to make the same modifications on both of the remote gateway. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 6. Note: When the SRXN3205 is online, this screen is 192.168.1.x, then the remote subnet could...Qualified Domain Name (FQDN) as registered in the IKE negotiation phase. Tip: The Remote LAN IP address must be in . The VPN Policies screen is automatically filled in a different subnet...
SRXN3205 Reference Manual
Page 109
...; Netgear SRXN3205 ProSafe Wireless-N VPN Firewall • Netgear ProSafe VPN Client • NAT router: Netgear FVX538 Configuring the SRXN3205 1. Give the client connection a name, such as enabled. 8. As an alternative to the Internet or may be behind NAT routers. Each PC will allow remote PCs to be unknown, the PC must always be the initiator of VPN connection. 3. The default is srxn_remote.com. 6. Click the IKE...
SRXN3205 Reference Manual
Page 116
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual - Selecting RSA-Signature will connect to a RADIUS server and pass on the credentials it deletes the IPSec and IKE Security Association. - In that case, a certificate must match the remote VPN.) - Pre-shared Key Note: The " (Double Quote) character is alive or not. The VPN... tearing down the connection. • Extended Authentication. If the peer is the interval between the router and the RADIUS server can be configured in the router are used to see if the user credentials are sent only when the IPSec traffic is selected,...
SRXN3205 Reference Manual
Page 117
...configured at each remote VPN Endpoint, then the policy order is not important.) 3. Traffic covered by a remote gateway with a username and password combination. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual IPSec Host: The router... is authenticated by a policy will automatically be sent via a VPN tunnel. 2. When using the IKE (...
SRXN3205 Reference Manual
Page 118
... algorithm used during VPN Wizard configuration). • Local. Allows you to access individual policies to terminate or build the SA (connection), if required. 6-16 Virtual Private Networking Using IPsec v1.0, October 2008 IP address or address range of the SA. The name of all active IKE Policies to be to... • Policy Name. Allows you to make any changes or modifications. Each policy is given a unique name (the Connection Name when using the VPN Wizard is "Key Exchange phase". • Action. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Name.
SRXN3205 Reference Manual
Page 119
..., you must be configured-the Mode Config menu and the IKE Policies menu. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Manually Assigning IP Addresses to Remote Users (ModeConfig) To simply the process of the network. Configuring the VPN Firewall Two menus must go to the IKE Policies menu and configure an IKE policy using these IP addresses. • NETGEAR SRXN3205 ProSafe Wireless-N VPN Firewall - Click IPsec VPN in the main...
SRXN3205 Reference Manual
Page 121
... Mode, and Aggressive Mode requires that both ends of IKE Policies Table. (See Figure 6-3 on page 6-5.) 2. The Add IKE Policy screen displays. 3. c. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 10. Enter an identifier in the List of... the tunnel be set to Aggressive. 5. Typically, this is not used as 192.168.2.1/255.255.255.0. (If not specified, it will be used by checking the Yes radio box and selecting the Mode Config record you must match the configuration...
SRXN3205 Reference Manual
Page 122
... the user credentials are available. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Authentication Algorithm: SHA-1 • Diffie-Hellman: Group 2 • SA Lifetime: 3600 seconds 7. XAUTH is selected, the firewall will also be associated with the IKE policy. Enter a Username and Password to see "Creating a New User Account" on page 8-4 or "RADIUS Client Configuration" on page 6-24). Note...
SRXN3205 Reference Manual
Page 123
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual d. From the left -side of the menu, click My Identity ...Mode radio button. c. Enable Replay Detection should be checked. 4. Enter the Authentication values to match those in the SRXN3205 IKE menu. e. in this example it is "local_id.com". On the left side of the menu, choose Security Policy...down menu, choose Domain Name and create an identifier based on the left -side of the IKE policy you configured in the firewall ModeConfig Record menu. 5. f. Click Pre-Shared Key and enter the key you created; Note...
SRXN3205 Reference Manual
Page 124
...relying on the VPN client icon in this is selected, the firewall is more gateway tunnels terminate. If this option is chosen, you configured will read "On... or editing an IKE Policy. If this case "My Connections\modecfg_test". 2. Right-click on a single common preshared key for the firewall to be associated ...VPN client icon in the local network. The connection policy you must specify the user name and password used as a RADIUS server, provides a method for storing the authentication information centrally in the toolbar will appear; ProSafe Wireless-N VPN Firewall SRXN3205...
SRXN3205 Reference Manual
Page 125
... IKE Policy incorporating XAUTH by a VPN policy, the VPN policy must be used in verifying credentials of the remote VPN gateways. - You then must specify the authentication type to be used to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. Users must be authenticated against the firewall's user database. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring XAUTH...
SRXN3205 Reference Manual
Page 126
...User Account" on page 8-4. User Database Configuration When XAUTH is not present, the firewall will store a database of user information, and can validate a user at the request of a VPN connection, the VPN gateway can interrupt the process with the IKE policy for managing Authentication, Authorization, and Accounting... with an XAUTH request. In the adjacent Username and Password fields, type in the user database to save your settings. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual - If RADIUS-PAP is enabled) and then by the RADIUS server) to the List of multiple users in...
SRXN3205 Reference Manual
Page 128
Click Apply to save the settings. Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens. 6-26 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 8.
SRXN3205 Reference Manual
Page 210
... screen 12-8 Diffie-Hellman Group IKE Policy 6-14 Disable DHCP Server 3-4 DMZ WAN Rule example of 5-12 DNS 7-2 ISP server addresses 2-9 server IP address 3-3 DNS proxy 9-6 enable 3-3 feature 1-3 DNS Suffix 7-11 Domain Name router 3-2 Domain Name Blocking 5-18 Domain... Name Servers. See DoS. See DDNS dynamic IP addresses v1.0, October 2008 See DNS. DHCP 2-5 DNS server address 3-3 DHCP Address Pool 3-3 DHCP log monitoring 11-10 DHCP server about protection 1-2 Dynamic DNS configuration of Service. ProSafe Wireless-N VPN Firewall SRXN3205...
SRXN3205 Reference Manual
Page 211
...IGP 3-11 IKE Policy about 5-1 firewall protection 5-1 firmware downloading 9-14 upgrade 9-14 firmware, upgrading 1-4 fixed IP address 2-5, 3-7 FQDN 2-11 Fragmentation Length default setting 4-18 fragmented IP packets 9-5 fully qualified domain name. See XAUTH. ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual... viewing activity 11-13 Firewall Log Field Description 11-6 Firewall Logs emailing of 5-27, 11-3 viewing 11-6 Firewall Logs & E-mail screen 5-27, 11-4 Firewall Protection Content Filtering, about 6-12 management of 6-12 ModeConfig, configuring with ModeConfig 6-20 Edit...
SRXN3205 Reference Manual
Page 213
...ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual M MAC address 4-18, 12-6 authentication by ISP 2-13 configuring 2-5 format 2-14, 5-21 in LAN groups database 3-7 restricting access 4-3 spoofing 12-5 trusted PCs 4-3 MAC addresses blocked, adding 5-20 main menu 2-3 metric in static routes 3-11 ModeConfig 6-17 about 6-17 assigning remote addresses, example 6-17 Client Configuration 6-20 IKE Policies menu, configuring 6-17 menu, configuring... 12-7 performance degradation causes of 4-2 N NAS Identifier 6-25 NAT configuring 2-10 firewall, use with 5-2 multi-NAT 5-13 one-to-one mapping 2-10...