Reference Manual for the ProSafe VPN Firewall FVS318v3 NETGEAR, Inc.
© 2005 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
Manufacturer's/Importer's Confirmation: It is hereby confirmed that the FVS318v3 ProSafe VPN Firewall is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please see the notes in the operating instructions.
Product and Publication Details Model Number: FVS318v3 Publication Date: January 2005 Product Family: Router Product Name: FVS318v3 ProSafe VPN Firewall Home or Business Product: Business Language: English iv January 2005
Contents
Chapter 1 About This Manual: Audience, Scope, Conventions, and Formats, 1-1; How to Use This Manual, 1-2; How to Print this Manual, 1-3
Chapter 2 Introduction: Key Features of the VPN Firewall ...
Using the Smart Setup Wizard, 3-11; How to Manually Configure Your Internet Connection, 3-12
Chapter 4 Firewall Protection and Content Filtering: Firewall Protection and Content Filtering Overview, 4-1; Block Sites ...
Importing a Security Policy, 5-19; How to Set Up a Gateway-to-Gateway VPN Configuration, 5-20; Procedure to Configure a Gateway-to-Gateway VPN Tunnel, 5-21; VPN Tunnel Control, 5-26; Activating a VPN Tunnel ...
Backing Up the Configuration, 7-7; Restoring the Configuration, 7-7; Erasing the Configuration, 7-8; Changing the Administrator Password ...
Netmask, B-4; Subnet Addressing, B-5; Private IP Addresses, B-7; Single IP Address Operation Using NAT ...
VPNC IKE Phase II Parameters, C-11; Testing and Troubleshooting, C-11; Additional Reading, C-11
Appendix D Preparing Your Network: Preparing Your Computers for TCP/IP Networking ...
Configuring the VPN Tunnel, E-6; Viewing and Editing the VPN Parameters, E-9; Initiating and Checking the VPN Connections, E-11; The FVS318v3-to-FVS318v2 Case, E-13; Configuring the VPN Tunnel ...
Chapter 1 About This Manual This chapter describes the intended audience, scope, conventions, and formats of this manual. Audience, Scope, Conventions, and Formats This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the NETGEAR Web site. This guide uses the following typographical conventions: Table 1-1.
How to Use This Manual
The HTML version of this manual includes the following:
• Buttons for browsing forwards or backwards through the manual one page at a time.
• A button that displays the table of contents and an index button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.
• A product model.
• Links to PDF versions of the full manual and individual chapters.
How to Print this Manual
To print this manual you can choose one of the following several options, according to your needs.
• Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
• Printing a Chapter. Use the PDF of This Chapter link at the top left of any page.
Chapter 2 Introduction This chapter describes the features of the NETGEAR FVS318v3 ProSafe VPN Firewall. Key Features of the VPN Firewall The FVS318v3 ProSafe VPN Firewall with eight-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS318v3 is a complete security solution that protects your network from attacks and intrusions.
A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT firewalls, the FVS318v3 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
Autosensing Ethernet Connections with Auto Uplink
With its internal eight-port 10/100 switch, the FVS318v3 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The firewall incorporates Auto Uplink™ technology.
Easy Installation and Management
You can install, configure, and operate the FVS318v3 ProSafe VPN Firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.
Package Contents
The product package should contain the following items:
• FVS318v3 ProSafe VPN Firewall.
• AC power adapter.
• Category 5 (Cat 5) Ethernet cable.
• Installation Guide.
• Resource CD (240-10114-02) for ProSafe VPN Firewall, including:
— This guide.
— Application Notes and other helpful information.
• Registration and Warranty Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.
Table 2-1. LED Descriptions
LED Label | Activity | Description
PWR | On | Power is supplied to the firewall.
TEST | On | The system is initializing.
TEST | Off | The system is ready and running.
100 (100 Mbps) | On | The Internet (WAN) port is operating at 100 Mbps.
100 (100 Mbps) | Off | The Internet (WAN) port is operating at 10 Mbps.
LINK/ACT (Link/Activity) | On | The Internet port has detected a link with an attached device.
LINK/ACT (Link/Activity) | Blinking |
• DC power input
• ON/OFF switch
NETGEAR-Related Products
NETGEAR products related to the FVS318v3 are listed in the following table:
Table 2-2. NETGEAR-Related Products
Category: Notebooks
Wireless: WAG511 108 Mbps Dual Band PC Card; WG511T 108 Mbps PC Card; WG511 54 Mbps PC Card; WG111 54 Mbps USB 2.0 Adapter; MA521 802.11b PC Card; MA111 802.11b USB Adapter
Wired: FA511 CardBus Adapter; FA120 USB 2.
When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
Chapter 3 Connecting the Firewall to the Internet This chapter describes how to set up the firewall on your LAN, connect to the Internet, perform basic configuration of your FVS318v3 ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection. Follow these instructions to set up your firewall.
c. Locate the Ethernet cable (Cable 1 in the diagram) that connects your PC to the modem.
Figure 3-1: Disconnect the Ethernet cable from the computer (labels: Cable 1, point A, Internet, Computer, Modem)
d. Disconnect the cable at the computer end only, point A in the diagram.
e. Look at the label on the bottom of the VPN firewall router. Locate the Internet port.
f. Securely insert the blue cable that came with your VPN firewall router (the blue NETGEAR cable in the diagram below) into a LOCAL port on the firewall such as LOCAL port 8 (point C in the diagram), and the other end into the Ethernet port of your computer (point D in the diagram).
Figure 3-4: Status lights (labels: Power, Test, Internet, Local Port 8)
d. Check the VPN firewall router status lights to verify the following:
• PWR: The power light should turn solid green. If it does not, see “Troubleshooting Tips” on page 3-6.
• TEST: The test light blinks when the firewall is first turned on then goes off. If after two minutes it is still on, see “Troubleshooting Tips” on page 3-6.
• INTERNET: The Internet LINK light should be lit.
With the VPN firewall router in its factory default state, your browser will automatically display the NETGEAR Smart Wizard Configuration Assistant welcome page.
Figure 3-5: NETGEAR Smart Wizard Configuration Assistant welcome screen
Note: If you do not see this page, type http://www.routerlogin.net in the browser address bar and press Enter. If you still cannot see this screen, see “How to Bypass the Configuration Assistant” on page 3-10.
3. Click Done to finish. If you have trouble connecting to the Internet, see “Troubleshooting Tips” on page 3-6 to correct basic problems.
Figure 3-6: NETGEAR Smart Wizard Configuration Assistant success screen
Note: The Smart Wizard Configuration Assistant only appears when the firewall is in its factory default state. After you configure the VPN firewall router, it will not appear again.
Make sure the Ethernet cables are securely plugged in.
• The Internet link light on the VPN firewall router will be lit if the Ethernet cable to the VPN firewall router from the modem is plugged in securely and the modem and VPN firewall router are turned on.
• For each powered on computer connected to the VPN firewall router with a securely plugged in Ethernet cable, the corresponding VPN firewall router LOCAL port link light will be lit.
Overview of How to Access the FVS318v3 VPN Firewall
The table below describes how you access the VPN firewall router, depending on the state of the VPN firewall router. Table 3-1.
How to Log On to the FVS318v3 After Configuration Settings Have Been Applied
1. Connect to the VPN firewall router by typing http://www.routerlogin.net in the address field of your browser, then press Enter.
Figure 3-7: Login URL
2. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. These defaults are the same on every unit and are printed in this manual, so anyone who can reach the management page can try them; change the administrator password as soon as the firewall is configured (see “Changing the Administrator Password” later in this manual).
Figure 3-9: Login result: FVS318v3 home page
When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
If you do not click Logout, the VPN firewall router will wait five minutes after there is no activity before it automatically logs you out.
How to Bypass the Configuration Assistant
1.
If you do not click Logout, the VPN firewall router waits five minutes after there is no activity before it automatically logs you out.
Using the Smart Setup Wizard
You can use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection.
How to Manually Configure Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
You can manually configure the firewall using the Basic Settings menu shown in Figure 3-10 using these steps:
1. Log in to the firewall at its default address of http://www.routerlogin.net using a browser like Internet Explorer or Netscape® Navigator.
2. Click the Basic Settings link under the Setup section of the main menu.
3.
4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.
Note: After you finish setting up your firewall, you will no longer need to launch the ISP’s login program on your PC in order to access the Internet.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the FVS318v3 ProSafe VPN Firewall to protect your network. These features can be found by clicking on the Security heading in the main menu of the browser interface. Firewall Protection and Content Filtering Overview The FVS318v3 ProSafe VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail.
Block Sites
The FVS318v3 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 4-1:
Figure 4-1: Block Sites menu
To enable keyword blocking, check Turn keyword blocking on, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address. Note that the exemption follows the address, not the PC: any LAN host that is given, or gives itself, that IP address is exempt from blocking and logging as well.
You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined. To create a new rule, click the Add button. To edit an existing rule, select its button on the left side of the table and click Edit.
Inbound Rules (Port Forwarding)
Because the FVS318v3 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet.
Inbound Rule Example: Allowing a Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-4, CU-SEEME connections are allowed only from a specified range of external IP addresses.
Outbound Rules (Service Blocking)
The FVS318v3 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Order of Precedence for Rules
As you define new rules, they are added to the Rules table, as shown below:
Figure 4-6: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. The first rule that matches is the one applied, so place specific exceptions above the more general rules they are meant to override.
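The rule evaluation described above, as an added example that is not part of this manual or of NETGEAR's firmware: a small Python model of a rules table evaluated in order, with the default rules at the bottom and the per-rule log option. The service port numbers, the schedule fields, the address ranges and the sample packets are assumptions made for the example.

```python
"""Added example, not NETGEAR code: first-match evaluation of a rules table.

Models the precedence the manual describes: rules are tried in table order,
the first rule that matches decides, and the default rules at the bottom apply
when nothing matched (inbound: block all, outbound: allow all). The service
port numbers, the schedule fields and the sample packets are assumptions made
for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed service table: name -> (transport, first port, last port).
SERVICES = {
    "HTTP": ("TCP", 80, 80),
    "CU-SEEME": ("UDP", 7648, 7652),   # assumed range for the example
    "ANY": ("ANY", 1, 65535),
}
DEFAULT_ACTION = {"inbound": "BLOCK", "outbound": "ALLOW"}
WEEKDAYS = frozenset(range(5))          # Monday = 0 ... Friday = 4


@dataclass(frozen=True)
class Rule:
    direction: str                     # "inbound" or "outbound"
    action: str                        # "ALLOW" or "BLOCK"
    service: str                       # key into SERVICES
    src: str = "0.0.0.0/0"             # source network (WAN side for inbound rules)
    dst: str = "0.0.0.0/0"             # destination network (the LAN server for inbound rules)
    days: frozenset = frozenset(range(7))   # weekdays the rule is in force
    start: int = 0                     # schedule window in minutes after midnight
    end: int = 24 * 60
    log: str = "never"                 # "never", "match" or "not-match"


@dataclass(frozen=True)
class Packet:
    direction: str
    transport: str
    src: str
    dst: str
    dport: int
    when: datetime


def service_matches(service, transport, dport):
    stransport, low, high = SERVICES[service]
    return stransport in ("ANY", transport) and low <= dport <= high


def schedule_matches(rule, when):
    minutes = when.hour * 60 + when.minute
    return when.weekday() in rule.days and rule.start <= minutes < rule.end


def rule_matches(rule, pkt):
    return (rule.direction == pkt.direction
            and service_matches(rule.service, pkt.transport, pkt.dport)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and schedule_matches(rule, pkt.when))


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule or None, log lines).

    Rules for the other direction are skipped. The first matching rule in
    table order decides, so a BLOCK placed above an ALLOW for the same traffic
    wins; None as the index means a default rule decided.
    """
    log = []
    for i, rule in enumerate(rules):
        if rule.direction != pkt.direction:
            continue
        matched = rule_matches(rule, pkt)
        if (matched and rule.log == "match") or (not matched and rule.log == "not-match"):
            log.append(f"rule {i} {rule.action} {rule.service} "
                       f"{'match' if matched else 'no match'} "
                       f"{pkt.src}->{pkt.dst}:{pkt.dport}")
        if matched:
            return rule.action, i, log
    return DEFAULT_ACTION[pkt.direction], None, log


# Constructed rules table, in the order the administrator entered it.
EXAMPLE_RULES = [
    # The manual's videoconference example: CU-SEEME to one LAN host, allowed
    # only from a branch-office address range (addresses assumed).
    Rule("inbound", "ALLOW", "CU-SEEME", src="22.23.24.0/24", dst="192.168.0.11/32"),
    # Service blocking on a schedule: no web browsing on weekdays 09:00-17:00, logged.
    Rule("outbound", "BLOCK", "HTTP", src="192.168.0.0/24",
         days=WEEKDAYS, start=9 * 60, end=17 * 60, log="match"),
]
# Constructed timestamps: Monday 2005-01-10 during and after office hours.
OFFICE_HOURS = datetime(2005, 1, 10, 10, 0)
EVENING = datetime(2005, 1, 10, 20, 0)

if __name__ == "__main__":
    for pkt in (Packet("inbound", "UDP", "22.23.24.25", "192.168.0.11", 7650, OFFICE_HOURS),
                Packet("inbound", "UDP", "1.2.3.4", "192.168.0.11", 7650, OFFICE_HOURS),
                Packet("outbound", "TCP", "192.168.0.20", "1.2.3.4", 80, OFFICE_HOURS),
                Packet("outbound", "TCP", "192.168.0.20", "1.2.3.4", 80, EVENING)):
        print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dport, evaluate(EXAMPLE_RULES, pkt))
```

Prepending a blanket inbound BLOCK to EXAMPLE_RULES makes the CU-SEEME rule unreachable, which is the ordering mistake the precedence section warns about; the model reports the deciding rule's index so such shadowing is easy to spot.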
The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC’s IP address is entered as the Default DMZ Server.
Services
Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
To add a service:
1. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears as shown in Figure 4-8:
Figure 4-8: Add Custom Service menu
2. Enter a descriptive name for the service so that you will remember what it is.
3. Select whether the service uses TCP or UDP as its transport protocol. If you can’t determine which is used, select both.
4.
Using a Schedule to Block or Allow Specific Traffic
If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted.
To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.
Note: Enter the values as 24-hour time.
Getting E-Mail Notifications of Event Logs and Alerts
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the Send alerts and logs by e-mail area:
Figure 4-10: E-mail menu
• Turn e-mail notification on. Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be blank.
– If a user on your LAN attempts to access a Web site that you blocked using the Block Sites menu.
• Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs None, Hourly, Daily, Weekly, or When Full. Depending on your selection, you may also need to specify:
– Day for sending log. Relevant when the log is sent weekly or daily.
Viewing Logs of Web Access or Attempted Web Access
The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message.
Log entries are described in Table 4-1.
Table 4-1. Log entry descriptions
Field | Description
Date and Time | The date and time the log entry was recorded.
Description or Action | The type of event and what action was taken if any.
Source IP | The IP address of the initiating device for this log entry.
Source port and interface | The service port number of the initiating device, and whether it originated from the LAN or WAN.
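An added example, not from the manual: parsing log entries into the fields of Table 4-1 and picking out the event types the manual says the firewall records (denied incoming requests, blocked-site attempts, administrator logins). The line layout and the entries in SAMPLE_LOG are constructed for this example; an FVS318v3's actual e-mailed log may be laid out differently, in which case only LINE_RE needs adjusting.

```python
"""Added example, not NETGEAR code: parsing firewall log entries into the
fields of Table 4-1 and picking out the event types the manual lists.

The line layout and the entries in SAMPLE_LOG are constructed for this
example; a real FVS318v3 export may differ, in which case only LINE_RE needs
adjusting.
"""
import re
from collections import Counter

# Constructed sample log in the assumed layout (day, timestamp, description,
# source, destination, bracketed action).
SAMPLE_LOG = """\
Mon, 2005-01-10 09:12:03 - TCP Packet - Source:22.23.24.25,3345,WAN - Destination:192.168.0.11,80,LAN - [Inbound default rule match]
Mon, 2005-01-10 09:12:08 - UDP Packet - Source:22.23.24.25,7650,WAN - Destination:192.168.0.11,7650,LAN - [Allowed: inbound rule 1]
Mon, 2005-01-10 09:15:41 - Blocked site - Source:192.168.0.20,1054,LAN - Destination:10.9.8.7,80,WAN - [Keyword: casino]
Mon, 2005-01-10 09:20:00 - Administrator login - Source:192.168.0.5,1099,LAN - Destination:192.168.0.1,80,LAN - [Success]
Mon, 2005-01-10 09:21:17 - Administrator login - Source:22.23.24.99,51000,WAN - Destination:14.15.16.17,8080,WAN - [Success]
this line is not a log entry
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<description>[^-]+?) - "
    r"Source:(?P<src_ip>[\d.]+),(?P<src_port>\d+),(?P<src_if>LAN|WAN) - "
    r"Destination:(?P<dst_ip>[\d.]+),(?P<dst_port>\d+),(?P<dst_if>LAN|WAN) - "
    r"\[(?P<action>[^\]]*)\]$"
)


def parse_line(line):
    """Return the Table 4-1 fields of one entry as a dict, or None if the line
    does not have the expected layout (a mail header, a blank line, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def denied_inbound(entries):
    """Requests from the WAN that the default inbound rule dropped: the probes
    the manual refers to, none of which reached a LAN host."""
    return [e for e in entries
            if e["src_if"] == "WAN" and "default rule" in e["action"].lower()]


def blocked_site_attempts(entries):
    """Keyword or domain blocks from the Block Sites feature."""
    return [e for e in entries if e["description"] == "Blocked site"]


def admin_logins_from_wan(entries):
    """Administrator logins that arrived on the WAN interface. The manual's
    login procedure is from the LAN, so a WAN-side login means the management
    page is reachable from the Internet and deserves a look."""
    return [e for e in entries
            if e["description"] == "Administrator login" and e["src_if"] == "WAN"]


def summarize(entries):
    """Count entries by event type, the way a daily e-mailed log is skimmed."""
    return Counter(e["description"] for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    for e in admin_logins_from_wan(entries):
        print("WAN admin login:", e["timestamp"], e["src_ip"])
```

The functions take the parsed list rather than raw text so the same triage can be run over several days of e-mailed logs concatenated together; lines that do not parse are dropped rather than raising, which is what you want when mail headers are mixed in.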
Chapter 5 Basic Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVS318v3 VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. The VPN information is organized as follows: • “Overview of VPN Configuration” on page 5-2 provides an overview of the two most common VPN configurations: client-to-gateway and gateway-to-gateway.
Overview of VPN Configuration
Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway and between two or more network gateways. The FVS318v3 supports both of these types of VPN configurations. The FVS318v3 VPN Firewall supports up to eight concurrent tunnels.
Figure 5-2: Gateway-to-gateway VPN tunnel (VPN Gateway A with its PCs and VPN Gateway B with its PCs, joined by the VPN tunnel)
A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use FVS318v3s on each end of the tunnel to form the VPN tunnel end points.
FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator.
• What method will you use to configure your VPN tunnels?
— The VPN Wizard using VPNC defaults (see Table 5-1)
— Advanced methods (see Chapter 6, “Advanced Virtual Private Networking”)
Table 5-1.
VPN Tunnel Configuration
There are two tunnel configurations and three ways to configure them:
• Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
— See “How to Set Up a Client-to-Gateway VPN Configuration” on page 5-5.
— See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 5-20.
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS318v3
Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 5-1 on page 5-4. If you have special requirements not covered by these VPNC-recommended parameters, refer to Chapter 6, “Advanced Virtual Private Networking” to set up the VPN tunnel.
Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard.
Figure 5-5: Connection Name and Remote IP Type. Enter the new Connection Name (RoadWarrior in this example), enter the pre-shared key (12345678 in this example), and select the radio button A remote VPN client (single PC). The key shown is a screenshot value only; with no certificate in use it is the sole secret protecting the tunnel, so use a long, random key for a real connection.
The Summary screen below displays.
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-6). Click Back to return to the Summary screen.
Figure 5-7: VPNC Recommended Settings
3. Click Done on the Summary screen (see Figure 5-6) to complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled.
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC
This procedure describes how to configure the NETGEAR ProSafe VPN Client. This example assumes the PC running the client has a dynamically assigned IP address. The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.
b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies. Rename the “New Connection” so that it matches the Connection Name you entered in the VPN Settings of the FVS318v3 on LAN A.
Figure 5-10: Security Policy Editor connection settings
c. Select Secure in the Connection Security check box.
d. Select IP Subnet in the ID Type menu. In this example, type 192.168.3.1 in the Subnet field as the network address of the FVS318v3.
e. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the FVS318v3.
f. Select All in the Protocol menu to allow all traffic through the VPN tunnel.
g.
Figure 5-11: Security Policy Editor Security Policy
c. Select Main Mode in the Select Phase 1 Negotiation Mode box.
4. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide:
— The Pre-Shared Key that you configured in the FVS318v3.
— Either a fixed IP address or a “fixed virtual” IP address of the VPN client PC.
a.
Figure 5-12: Security Policy Editor My Identity
b. Choose None in the Select Certificate box.
c. Select IP Address in the ID Type box. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box. Otherwise, leave this box empty.
d. In the Internet Interface box, select the adapter you use to access the Internet. Select PPP Adapter in the Name menu if you have a dial-up Internet account.
5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS318v3 configuration. Choose 3DES where both ends support it; single DES has a 56-bit key and should not be relied on for confidentiality.
a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the “+” symbol.
b.
Figure 5-15: Security Policy Editor Key Exchange
7.
b. In the SA Life menu, select Unspecified.
c. In the Compression menu, select None.
d. Check the Encapsulation Protocol (ESP) check box.
e. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES.
f. In the Hash Alg menu, select SHA-1.
g. In the Encapsulation menu, select Tunnel.
h. Leave the Authentication Protocol (AH) check box unchecked.
Reference Manual for the ProSafe VPN Firewall FVS318v3 a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.3.1 , and then click OK. Figure 5-16: Running a Ping test to the LAN from the PC This will cause a continuous ping to be sent to the first FVS318v3. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.
Reference Manual for the ProSafe VPN Firewall FVS318v3 The Log Viewer screen for a similar successful connection is shown below: Figure 5-18: Log Viewer screen Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel. 2.
Reference Manual for the ProSafe VPN Firewall FVS318v3 While the connection is being established, the Connection Name field in this menu will say “SA” before the name of the connection. When the connection is successful, the “SA” will change to the yellow key symbol shown in the illustration above. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to have normal Internet access.
Reference Manual for the ProSafe VPN Firewall FVS318v3 Importing a Security Policy The following procedure (Figure 5-21) enables you to import an existing security policy. Step 1: Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown. Step 2: Select the security policy to import. In this example, the security policy file is named FVS318v3_clientpolicy_direct.spd and located on the Desktop. The security policy is now imported.
How to Set Up a Gateway-to-Gateway VPN Configuration Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 5-1 on page 5-4. If you have special requirements not covered by these VPNC-recommended parameters, refer to Chapter 6, “Advanced Virtual Private Networking” to set up the VPN tunnel.
Procedure to Configure a Gateway-to-Gateway VPN Tunnel Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the FVS318v3 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed. Figure 5-23: VPN Wizard start screen 2.
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example) Figure 5-25: Remote IP 4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next. Enter the LAN IP settings of the remote VPN gateway: • IP Address (192.168.3.1 in this example) • Subnet Mask (255.255.255.
The Summary screen below displays.
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-27). Click Back to return to the Summary screen. Figure 5-28: VPN Recommended Settings 5. Click Done on the Summary screen (see Figure 5-27) to complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled.
6. Repeat for the FVS318v3 on LAN B. Pay special attention and use the following network settings as appropriate. • WAN IP of the remote VPN gateway (e.g., 14.15.16.17) • LAN IP settings of the remote VPN gateway: — IP Address (e.g., 192.168.0.1) — Subnet Mask (e.g., 255.255.255.0) — Preshared Key (e.g., 12345678) Note: The preshared key must be identical on both gateways. A short numeric key such as the example above is suitable only for testing; when certificates are not used, the preshared key is the only secret behind IKE authentication, so use a long random key for a production tunnel. 7.
Figure 5-31: Current VPN Tunnels (SAs) Screen c. Look at the VPN Status/Log screen (Figure 5-30) to verify that the tunnel is connected. VPN Tunnel Control Activating a VPN Tunnel There are three ways to activate a VPN tunnel: • Start using the VPN tunnel. • Use the VPN Status page. • Activate the VPN tunnel by pinging the remote endpoint.
Figure 5-32: VPN Status/Log screen 3. Click VPN Status (Figure 5-32) to get the Current VPN Tunnels (SAs) screen (Figure 5-33). Click Connect for the VPN tunnel you want to activate. Figure 5-33: Current VPN Tunnels (SAs) screen Activate the VPN Tunnel by Pinging the Remote Endpoint Note: This section uses 192.168.3.1 for an example remote endpoint LAN IP address. To activate the VPN tunnel by pinging the remote endpoint (192.168.3.
a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.3.1 and then click OK. Figure 5-34: Running a Ping test to the LAN from the PC This will cause a continuous ping to be sent to the first FVS318v3. Within two minutes, the ping response should change from “timed out” to “reply.” Note: Use Ctrl-C to stop the pinging.
Figure 5-36: Pinging test results Note: The pings may fail the first time. If so, then try the pings a second time. Verifying the Status of a VPN Tunnel To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps: 1. Log in to the VPN Firewall. 2. Open the FVS318v3 management interface and click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-37).
• Click Clear Log to delete all log entries. 3. Click VPN Status (Figure 5-37) to get the Current VPN Tunnels (SAs) screen (Figure 5-38). Figure 5-38: Current VPN Tunnels (SAs) screen This page lists the following data for each active VPN Tunnel. • SPI—each SA has a unique SPI (Security Parameter Index) for traffic in each direction. For Manual key exchange, the SPI is specified in the Policy definition.
Figure 5-39: VPN Policies 3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.) Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN Status page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the VPN Firewall. 2. Click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-40).
3. Click VPN Status (Figure 5-40) to get the Current VPN Tunnels (SAs) screen (Figure 5-41). Click Drop for the VPN tunnel you want to deactivate. Figure 5-41: Current VPN Tunnels (SAs) screen Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented by the VPN Wizard), automatic traffic will reactivate the tunnel. Dropping the SA therefore does not keep the tunnel down; to do that, clear the policy's Enable check box on the VPN Policies page as described above.
Chapter 6 Advanced Virtual Private Networking This chapter describes how to use the advanced virtual private networking (VPN) features of the FVS318v3 VPN Firewall. See Chapter 5, “Basic Virtual Private Networking” for a description on how to use the basic VPN features. Overview of FVS318v3 Policy-Based VPN Configuration The FVS318v3 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity.
Using Policies to Manage VPN Traffic You create policy definitions to manage VPN traffic on the FVS318v3. There are two kinds of policies: • IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an IKE policy that uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
IKE Policies’ Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
The IKE Policy Configuration fields are defined in the following table. Table 6-1. IKE Policy Configuration fields Field Description General These settings identify this policy and determine its major characteristics. Policy Name The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
Table 6-1. IKE Policy Configuration fields Field Description Remote These parameters apply to the target remote FVS318v3, VPN gateway, or VPN client. Remote Identity Type Use this field to identify the remote FVS318v3. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) — your domain name.
Figure 6-3: VPN - Auto Policy menu
The VPN – Auto Policy fields are defined in the following table. Table 6-1. VPN – Auto Policy Configuration Fields Field Description General These settings identify this policy and determine its major characteristics. Policy Name The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
Table 6-1. VPN – Auto Policy Configuration Fields Field Description Traffic Selector These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created. Local IP The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address is from your network address space.
Table 6-1. VPN – Auto Policy Configuration Fields Field Description Authentication Algorithm If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: • MD5 — the default • SHA1 — more secure. Choose SHA1 unless the remote peer supports only MD5. NETBIOS Enable Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
Figure 6-4: VPN - Manual Policy menu
The VPN Manual Policy fields are defined in the following table. Table 6-1. VPN Manual Policy Configuration Fields Field Description General These settings identify this policy and determine its major characteristics. Policy Name The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.
Table 6-1. VPN Manual Policy Configuration Fields Field Description Authentication Algorithm If you enable AH, then select the authentication algorithm: • MD5 — the default • SHA1 — more secure Key - In Enter the keys. • For MD5, the keys should be 16 characters (a 128-bit HMAC-MD5 key). • For SHA-1, the keys should be 20 characters (a 160-bit HMAC-SHA-1 key). The Key - In value entered here must equal the Key - Out value configured on the remote endpoint, and vice versa.
Table 6-1. VPN Manual Policy Configuration Fields Field Description Enable Authentication Use this check box to enable or disable ESP authentication for this VPN policy. Authentication Algorithm If you enable authentication, then use this menu to select the algorithm: • MD5 — the default • SHA1 — more secure Key - In Enter the key. • For MD5, the key should be 16 characters. • For SHA-1, the key should be 20 characters.
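As an added example (not code from the manual or from NETGEAR's firmware), the following Python shows what the Key - In / Key - Out fields of a manual policy feed: HMAC-MD5 with a 16-byte key and HMAC-SHA-1 with a 20-byte key, each truncated to the 96-bit integrity check value (ICV) that IPsec carries on the wire (RFC 2403 and RFC 2404). The `ManualSA` structure and the `mirrored` check are this example's own constructions for the In/Out pairing described above; the sample keys and data are the first HMAC test vector from RFC 2202.

```python
"""Manual-key AH/ESP integrity: key lengths and the 96-bit ICV (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Key lengths the Key - In / Key - Out fields expect, in bytes ("characters"
# in the manual): HMAC-MD5 uses a 128-bit key, HMAC-SHA-1 a 160-bit key.
# Both MACs are truncated to a 96-bit ICV on the wire (RFC 2403 / RFC 2404).
KEY_LEN = {"md5": 16, "sha1": 20}
ICV_LEN = 12
_DIGEST = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def check_key(algorithm: str, key: bytes) -> None:
    """Reject an unsupported algorithm or a key of the wrong length."""
    if algorithm not in KEY_LEN:
        raise ValueError(f"unsupported authentication algorithm {algorithm!r}")
    if len(key) != KEY_LEN[algorithm]:
        raise ValueError(
            f"{algorithm} key must be {KEY_LEN[algorithm]} bytes, got {len(key)}")


def generate_key(algorithm: str) -> bytes:
    """Random key of exactly the length the policy requires (use this rather
    than typing a memorable string into the field)."""
    if algorithm not in KEY_LEN:
        raise ValueError(f"unsupported authentication algorithm {algorithm!r}")
    return os.urandom(KEY_LEN[algorithm])


def compute_icv(algorithm: str, key: bytes, authenticated_data: bytes) -> bytes:
    """HMAC over the authenticated part of the packet, truncated to 96 bits."""
    check_key(algorithm, key)
    return hmac.new(key, authenticated_data, _DIGEST[algorithm]).digest()[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, authenticated_data: bytes, icv: bytes) -> bool:
    """Constant-time comparison, so a wrong ICV leaks nothing through timing."""
    expected = compute_icv(algorithm, key, authenticated_data)
    return len(icv) == ICV_LEN and hmac.compare_digest(expected, icv)


@dataclass(frozen=True)
class ManualSA:
    """One side of a manual policy (hypothetical structure, not the firewall's)."""
    algorithm: str
    spi_in: int
    spi_out: int
    key_in: bytes
    key_out: bytes


def mirrored(local: ManualSA, remote: ManualSA) -> bool:
    """A manual tunnel only comes up when each side's inbound SPI and key equal
    the other side's outbound ones; swapping In and Out is the usual mistake."""
    return (local.algorithm == remote.algorithm
            and local.spi_in == remote.spi_out and local.spi_out == remote.spi_in
            and local.key_in == remote.key_out and local.key_out == remote.key_in)


# RFC 2202 test vector 1 for HMAC-MD5 and HMAC-SHA-1 (constructed sample input).
RFC2202_DATA = b"Hi There"
RFC2202_MD5_KEY = bytes.fromhex("0b" * 16)
RFC2202_SHA1_KEY = bytes.fromhex("0b" * 20)

if __name__ == "__main__":
    print(compute_icv("md5", RFC2202_MD5_KEY, RFC2202_DATA).hex())    # 9294727a3638bb1c13f48ef8
    print(compute_icv("sha1", RFC2202_SHA1_KEY, RFC2202_DATA).hex())  # b617318655057264e28bc0b6
    k_in, k_out = generate_key("sha1"), generate_key("sha1")
    side_a = ManualSA("sha1", 0x1001, 0x2002, k_in, k_out)
    side_b = ManualSA("sha1", 0x2002, 0x1001, k_out, k_in)
    print(mirrored(side_a, side_b))  # True
```

The truncation is why the ICV in a captured AH or ESP packet is 12 bytes long even though SHA-1 produces 20; a peer that sends the full digest will fail authentication against this firewall.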
Each CA has its own certificate. The certificates of a CA are added to the FVS318v3 and then can be used to form IKE policies for the user. Once a CA certificate is added to the FVS318v3 and a certificate is created for a user, the corresponding IKE policy is added to the FVS318v3.
The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop down menu for information on how to purchase the NETGEAR ProSafe VPN Client. Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC, and turn it back on as soon as the installation is complete.
The IKE Phase 2 parameters used in Scenario 1 are: • TripleDES • SHA-1 • ESP tunnel mode • MODP group 2 (1024 bits) • Perfect forward secrecy for rekeying • SA lifetime of 3600 seconds (one hour) with no kilobytes rekeying • Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets FVS318v3 Scenario 1: FVS318v3 to Gateway B IKE and VPN Policies Note: This scenario assumes all ports are open on the FVS318v3.
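The Traffic Selector fields of the VPN - Auto Policy table and the Scenario 1 selectors above describe a match on source network, destination network, IP protocol and port. The following Python is an added example, not code from the manual or the firewall, of how such a selector decides whether an outbound packet belongs in the tunnel and which policy wins when several are defined. The `Selector` and `Packet` structures are constructed for illustration; the addresses are the Scenario 1 subnets (10.5.6.0/24 and 172.23.9.0/24), and the port-restricted "web_only" policy is a hypothetical addition that shows the first matching policy in order winning.

```python
"""Traffic-selector matching for a policy-based VPN (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One VPN policy's traffic selector. None means 'any' for that field."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    protocol: Optional[int] = None      # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    """Outbound packet as seen on the LAN side (constructed for the example)."""
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def selector(local: str, remote: str, protocol: Optional[int] = None,
             local_port: Optional[int] = None, remote_port: Optional[int] = None) -> Selector:
    """Build a selector from CIDR strings; strict=False accepts '10.5.6.1/24'."""
    return Selector(ipaddress.ip_network(local, strict=False),
                    ipaddress.ip_network(remote, strict=False),
                    protocol, local_port, remote_port)


def mirror(sel: Selector) -> Selector:
    """The selector the remote gateway must configure: local and remote swapped."""
    return Selector(sel.remote_net, sel.local_net, sel.protocol, sel.remote_port, sel.local_port)


def matches(sel: Selector, pkt: Packet) -> bool:
    """True only when the packet meets every criterion of the selector."""
    if ipaddress.ip_address(pkt.src) not in sel.local_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in sel.remote_net:
        return False
    if sel.protocol is not None and pkt.protocol != sel.protocol:
        return False
    if sel.local_port is not None and pkt.sport != sel.local_port:
        return False
    if sel.remote_port is not None and pkt.dport != sel.remote_port:
        return False
    return True


def select_policy(policies: List[Tuple[str, Selector]], pkt: Packet) -> Optional[str]:
    """Name of the first policy whose selector matches; None means the packet
    is forwarded in the clear rather than through any tunnel."""
    for name, sel in policies:
        if matches(sel, pkt):
            return name
    return None


# Scenario 1 selector, preceded by a hypothetical narrower policy.
POLICIES = [
    ("web_only", selector("10.5.6.0/24", "172.23.9.0/24", protocol=6, remote_port=80)),
    ("scenario1a", selector("10.5.6.0/24", "172.23.9.0/24")),
]

if __name__ == "__main__":
    print(select_policy(POLICIES, Packet("10.5.6.20", "172.23.9.1", 1)))            # scenario1a (the ping test)
    print(select_policy(POLICIES, Packet("10.5.6.20", "172.23.9.5", 6, 40000, 80)))  # web_only
    print(select_policy(POLICIES, Packet("10.5.6.20", "8.8.8.8", 17, 5000, 53)))     # None (sent in the clear)
```

The last case is the one to keep in mind when reading "all ports are open": a packet that matches no selector is not dropped by the VPN, it simply leaves the WAN port unencrypted.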
Figure 6-7: FVS318v3 Internet IP Address menu (callout: WAN IP addresses, which the ISP provides) b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Settings topics, please see “How to Manually Configure Your Internet Connection” on page 3-12.
c. From the main menu Advanced section, click the LAN IP Setup link. The following menu appears. Figure 6-8: LAN IP Setup menu d. Configure the LAN IP address according to the settings above and click Apply to save your settings. For more information on LAN TCP/IP setup topics, please see “Configuring LAN TCP/IP Setup Parameters” on page 8-3.
3. Set up the IKE Policy illustrated below on the FVS318v3. a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below. Figure 6-9: Scenario 1 IKE Policy b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
4. Set up the FVS318v3 VPN - Auto Policy illustrated below. a. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button. Figure 6-10: Scenario 1 VPN - Auto Policy (callouts: WAN IP address, LAN IP addresses) b. Configure the VPN - Auto Policy according to the settings in the illustration above and click Apply to save your settings. 5.
How to Check VPN Connections You can test connectivity and view VPN status information on the FVS318v3 (see also “VPN Tunnel Control” on page 5-26). Testing the Gateway A FVS318v3 LAN and the Gateway B LAN 1. Using our example, from a PC attached to the FVS318v3 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run. 2. Type ping -t 172.23.9.1, and then click OK. 3.
FVS318v3 Scenario 2: FVS318v3 to FVS318v3 with RSA Certificates The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the exception that the identification is done with signatures authenticated by PKIX certificates.
b. Click the Generate Request button to display the screen illustrated in Figure 6-11 below. Figure 6-11: Generate Self Certificate Request menu c. Fill in the fields on the Add Self Certificate screen. • Required – Name. Enter a name to identify this certificate. – Subject. This is the name that other organizations will see as the holder (owner) of this certificate.
– Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank. – E-mail Address. You can enter your e-mail address here. d. Click the Next button to continue. The FVS318v3 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file. Figure 6-12: Self Certificate Request data 4. Transmit the Self Certificate Request data to the Trusted Root CA. a.
c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FVS318v3” Self Certificate Request will be listed, as illustrated in Figure 6-13 below. Figure 6-13: Self Certificate Requests table 5. Receive the certificate back from the Trusted Root CA and save it as a text file.
f. You will now see the “FVS318v3” entry in the Active Self Certificates table and the pending “FVS318v3” Self Certificate Request is gone, as illustrated below. Figure 6-14: Self Certificates table 7. Associate the new certificate and the Trusted Root CA certificate on the FVS318v3. a.
b. Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a except that it uses the IKE policy called Scenario_2. Now, the traffic from devices within the range of the LAN subnet addresses on FVS318v3 A and Gateway B will be authenticated using the certificates rather than via a shared key. 8. Set up Certificate Revocation List (CRL) checking. a. Get a copy of the CRL from the CA and save it as a text file. A CRL is only valid until the Next Update time it carries, so repeat this step whenever the CA issues a new one; otherwise a revoked peer certificate will still be accepted.
Chapter 7 Maintenance This chapter describes how to use the maintenance features of your FVS318v3 ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface. Viewing VPN Firewall Status Information The Router Status menu provides status and usage information. From the main menu of the browser interface, click Maintenance, then select Router Status to view this screen.
This screen shows the following parameters: Table 7-1. FVS318v3 Status fields Field Description System Name The System Name assigned to the firewall. Firmware Version The firewall firmware version. WAN Port These parameters apply to the Internet (WAN) port of the firewall. MAC Address The MAC address used by the Internet (WAN) port of the firewall. IP Address The IP address used by the Internet (WAN) port of the firewall.
Click Show WAN Status to display the WAN connection status. Figure 7-2: WAN Connection Status screen This screen shows the following statistics: Table 7-1. Connection Status fields Field Description Connection Time The length of time the firewall has been connected to your Internet service provider’s network. Connection Method The method used to obtain an IP address from your Internet service provider.
Click Show Statistics to display firewall usage statistics. Figure 7-3: Router Statistics screen This screen shows the following statistics: Table 7-1. Router Statistics fields Field Description Interface The statistics for the WAN (Internet) and LAN (local) interfaces. For each interface, the screen displays: Status The link status of the interface.
WAN Status action buttons are described in the table below: Table 7-2. Connection Status action buttons Field Description Set Interval Enter a time and click the button to set the polling frequency. Stop Click the Stop button to freeze the polling information. Viewing a List of Attached Devices The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network.
The routing software of the FVS318v3 VPN Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file before sending it to the firewall. The upgrade file can be sent to the firewall using your browser. Obtain upgrade files only from NETGEAR's Web site, and do not interrupt power to the firewall while the upgrade is in progress.
Configuration File Management The configuration settings of the FVS318v3 VPN Firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings. The backup file contains the firewall's complete configuration, including the administrator password and any VPN preshared keys, so store it as carefully as those secrets themselves. From the main menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown below.
Erasing the Configuration It is sometimes desirable to restore the firewall to a known blank condition. To do this, see the Erase function, which will restore all factory settings. After an erase, the firewall's password will be password, the LAN IP address will be 192.168.0.1, and the firewall's DHCP client will be enabled. To erase the configuration, click the Erase button.
Chapter 8 Advanced Configuration This chapter describes how to configure the advanced features of your FVS318v3 ProSafe VPN Firewall. These features can be found under the Advanced heading in the main menu of the browser interface. How to Configure Dynamic DNS If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
7. Type the password (or key) for your dynamic DNS account. 8. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org 9. Click Apply to save your configuration. Note: If your ISP assigns a private WAN IP address such as 192.168.x.
Configuring LAN TCP/IP Setup Parameters The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall’s default LAN IP configuration is: • LAN IP address—192.168.0.1 • Subnet mask—255.255.255.0 These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications.
Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. Using the Firewall as a DHCP server By default, the firewall functions as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the firewall's LAN.
Using Address Reservation When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click the Add button. 2. In the IP Address box, type the IP address to assign to the PC or server.
Figure 8-2: Static Routes table To add or edit a Static Route: 1. Click the Add button to open the Add/Edit menu, shown below. Figure 8-3: Static Route Entry and Edit menu 2. Type a route name for this static route in the Route Name box. (This is for identification purposes only.) 3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP. 4. Select Active to make this route effective. 5.
8. Type a number between 1 and 15 as the Metric value. This represents the number of routers (hops) between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. 9. Click Apply to have the static route entered into the table. Static Route Example As an example of when a static route is needed, consider the following case: • Your primary Internet access is through a cable modem to an ISP.
Note: Be sure to change the firewall’s default configuration password to a very secure password before turning remote management on, since remote management exposes the login page to the Internet. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters. To configure your firewall for Remote Management: 1. Select the Turn Remote Management On check box. 2.
Tip: If you are using a dynamic DNS service such as TZO, you can always identify the IP address of your FVS318v3 by running TRACERT from the Windows Start menu Run option. For example, type tracert yourFVS318v3.mynetgear.net and you will see the IP address your ISP assigned to the FVS318v3.
Chapter 9 Troubleshooting This chapter gives information about troubleshooting your FVS318v3 ProSafe VPN Firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. Basic Functioning After you turn on power to the firewall, the following sequence of events should occur: 1. When power is first applied, verify that the PWR LED is on. 2. After approximately 30 seconds, verify that: a. The TEST LED is not lit. b.
LEDs Never Turn Off When the firewall is turned on, the LEDs turn on briefly and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: • Cycle the power to see if the firewall recovers. • Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.0.1.
Troubleshooting the Web Configuration Interface If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the firewall as described in the previous section. • Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.
Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager. To check the WAN IP address: 1.
OR Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “How to Manually Configure Your Internet Connection” on page 3-12. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: • Your PC may not recognize any DNS server addresses.
If the path is working, you see this message: Reply from < IP address >: bytes=32 time=NN ms TTL=xxx If the path is not working, you see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections — Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 9-2.
— If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu. — Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
Appendix A Technical Specifications This appendix provides technical specifications for the FVS318v3 ProSafe VPN Firewall. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input United Kingdom, Australia: 240V, 50 Hz, input Europe: 230V, 50 Hz, input Japan: 100V, 50/60 Hz, input All regions (output): 12 V DC @ 1.
Electromagnetic Emissions Meets requirements of: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B Interface Specifications LAN: 10BASE-T or 100BASE-Tx, RJ-45 WAN: 10BASE-T or 100BASE-Tx, RJ-45
Appendix B Network, Routing, and Firewall Basics This appendix provides an overview of IP networks, routing, and firewalls. Related Publications As you read this document, you may be directed to various RFC documents for further information. An RFC (Request For Comments) is a document published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
What is a Router? A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses.
• Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. • Class D Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255. • Class E Class E addresses are for experimental use.
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a forward slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address. The new netmask (or subnet mask) is 255.255.255.128.
Table B-2. Netmask formats
Netmask (dotted decimal)  Prefix (/n)
255.255.0.0  /16
255.255.255.0  /24
255.255.255.128  /25
255.255.255.192  /26
255.255.255.224  /27
255.255.255.240  /28
255.255.255.248  /29
255.255.255.252  /30
255.255.255.254  /31
255.255.255.
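The conversions in Table B-2 and the /25 split of 192.68.135.0 described above can be checked with the following Python, an added example rather than anything from the manual. It also performs the same-subnet test the troubleshooting chapter asks for (is the PC's address on the firewall's 192.168.0.0/24 subnet?). The `same_subnet` helper and the contiguity check in `mask_to_prefix` are this example's own; the addresses are the ones used in the appendix.

```python
"""Netmask / prefix conversion, subnetting and same-subnet checks (added example)."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal netmask to /n. A valid mask is n ones followed by zeros,
    so something like 255.0.255.0 is rejected rather than silently accepted."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones


def prefix_to_mask(prefix: int) -> str:
    """/n to dotted-decimal netmask (n ones followed by 32-n zeros)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def split_network(network: str, new_prefix: int) -> List[str]:
    """Partition a network by borrowing host bits, e.g. 192.68.135.0/24 into two /25s."""
    net = ipaddress.ip_network(network, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def host_range(network: str) -> Tuple[str, str, int]:
    """(first usable host, last usable host, usable host count); the network
    and broadcast addresses are excluded, which is why a /24 holds 254 hosts."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen > 30:
        raise ValueError("host range is only meaningful for /30 and shorter prefixes")
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses share the network part selected by the mask,
    i.e. the check a PC must pass before it can reach the firewall's LAN IP."""
    prefix = mask_to_prefix(mask)
    return (ipaddress.ip_network(f"{addr_a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{addr_b}/{prefix}", strict=False))


if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.128"))                  # 25
    print(prefix_to_mask(24))                                 # 255.255.255.0
    print(split_network("192.68.135.0/24", 25))               # ['192.68.135.0/25', '192.68.135.128/25']
    print(host_range("192.68.135.128/25"))                    # ('192.68.135.129', '192.68.135.254', 126)
    print(same_subnet("192.168.0.1", "192.168.1.20", "255.255.255.0"))  # False
```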
Single IP Address Operation Using NAT In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS318v3 VPN Firewall employs an address-sharing method called Network Address Translation (NAT).
MAC Addresses and Address Resolution Protocol An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer.
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses. IP Configuration by DHCP When an IP-based local area network is installed, each PC must be configured with an IP address.
What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Table B-3. UTP Ethernet cable wiring, straight-through

Pin  Wire color    Signal
1    Orange/White  Transmit (Tx) +
2    Orange        Transmit (Tx) -
3    Green/White   Receive (Rx) +
4    Blue
5    Blue/White
6    Green         Receive (Rx) -
7    Brown/White
8    Brown

Category 5 Cable Quality

Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows: 20 ft.
Inside Twisted Pair Cables

For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually media-dependent interface ports, called MDI or uplink ports.
Figure B-6: Category 5 UTP cable with male RJ-45 plug at each end

Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
The FVS318v3 VPN Firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration.
Appendix C Virtual Private Networking

There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.

Authentication Header (AH)

AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
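The placement described above, an ESP header between the IP header and the original contents with only the SPI and sequence number readable, is easiest to see on bytes. The Python below is an added example, not code from the manual or the firewall; it builds a minimal IPv4 header with a constructed payload, inserts the 8-byte ESP header in transport-mode position while fixing the protocol field, total length and checksum, and parses ESP and AH headers back out. It deliberately performs no encryption and computes no ICV: it demonstrates header layout only, and a real SA applies the cipher and integrity check to everything after the ESP header:

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum. Over a header whose checksum field is
    already filled in, it returns 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, checksum filled in."""
    def to_bytes(ip):
        return bytes(int(octet) for octet in ip.split("."))
    hdr = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                0, 0, 64, proto, 0, to_bytes(src), to_bytes(dst)))
    struct.pack_into(">H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def insert_esp_header(ip_packet: bytes, spi: int, seq: int) -> bytes:
    """Transport-mode header placement only: the ESP header (SPI and sequence
    number, both sent in the clear) goes between the IPv4 header and whatever
    followed it, the protocol field becomes 50, and total length and checksum
    are recomputed. No encryption, ESP trailer or ICV is applied here."""
    ihl = (ip_packet[0] & 0x0F) * 4
    hdr = bytearray(ip_packet[:ihl])
    payload = ip_packet[ihl:]
    esp_header = struct.pack(">II", spi, seq)
    struct.pack_into(">H", hdr, 2, ihl + len(esp_header) + len(payload))
    hdr[9] = IPPROTO_ESP
    struct.pack_into(">H", hdr, 10, 0)
    struct.pack_into(">H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + esp_header + payload


def parse_esp_header(esp: bytes):
    """Return (spi, seq, remainder). Only SPI and sequence number are readable
    without the SA's keys; the remainder is ciphertext plus trailer and ICV."""
    if len(esp) < 8:
        raise ValueError("ESP data shorter than its 8-byte header")
    spi, seq = struct.unpack(">II", esp[:8])
    return spi, seq, esp[8:]


def build_ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialize an AH header around a precomputed ICV (12 bytes for HMAC-SHA1-96).
    The payload length field counts 32-bit words minus 2."""
    plen = (12 + len(icv)) // 4 - 2
    return struct.pack(">BBHII", next_header, plen, 0, spi, seq) + icv


def parse_ah_header(ah: bytes):
    """Return (next_header, spi, seq, icv, remainder); header is (plen + 2) * 4 bytes."""
    if len(ah) < 12:
        raise ValueError("AH data shorter than its fixed 12-byte part")
    next_header, plen, _reserved, spi, seq = struct.unpack(">BBHII", ah[:12])
    total = (plen + 2) * 4
    if len(ah) < total:
        raise ValueError("AH header truncated")
    return next_header, spi, seq, ah[12:total], ah[total:]


if __name__ == "__main__":
    # Constructed sample: a UDP datagram between the VPNC example gateways.
    packet = build_ipv4_header("10.5.6.1", "172.23.9.1", IPPROTO_UDP, 4) + b"data"
    with_esp = insert_esp_header(packet, spi=0x1234, seq=1)
    print(with_esp.hex())
    print(parse_esp_header(with_esp[20:]))
```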
Mode

SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly.
Key Management

IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other.
VPN Process Overview

Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
Table C-1. WAN (Internet/public) and LAN (internal/private) addressing

Gateway    LAN or WAN     VPNC Example Address
Gateway A  LAN (Private)  10.5.6.1
Gateway A  WAN (Public)   14.15.16.17
Gateway B  LAN (Private)  22.23.24.25
Gateway B  WAN (Public)   172.23.9.1

You need to know the subnet mask of both gateway LAN connections.
Figure C-5: VPN tunnel (diagram: PCs behind VPN Gateway A and PCs behind VPN Gateway B, joined by a VPN tunnel)

Security Association (SA)

The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I.
   a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
   b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
   c. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPSec keys for the SAs.
3.
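Steps b and c above are easy to conflate: the Diffie-Hellman exchange produces a shared master key for any two parties, and it is the pre-shared key (or certificate) that ties the result to the intended peer. The Python below is an added example, not code from the manual or from NETGEAR's firmware, that runs both sides of a Phase 1 exchange with a toy Diffie-Hellman group (a 127-bit prime, labelled as such in the code, not MODP group 1) and a key derivation modeled on the pre-shared-key formulas of RFC 2409 with HMAC-SHA1 as the PRF. The pre-shared key values are constructed sample inputs:

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only: a 127-bit Mersenne prime
# with generator 2. It is NOT MODP group 1 and is far too small for real
# use; the point is that both sides must agree on the same p and g.
TOY_P = (1 << 127) - 1
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's pseudo-random function, HMAC-SHA1 when SHA-1 is negotiated."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One Phase 1 party: a DH private value, the public value it sends,
    a nonce, a cookie and the pre-shared key it was configured with."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.private = secrets.randbelow(TOY_P - 2) + 1
        self.public = pow(TOY_G, self.private, TOY_P)
        self.nonce = secrets.token_bytes(16)
        self.cookie = secrets.token_bytes(8)

    def shared_secret(self, peer_public: int) -> bytes:
        """g^xy as 16 bytes: identical on both sides after exchanging public values."""
        return pow(peer_public, self.private, TOY_P).to_bytes(16, "big")

    def derive_keys(self, peer_public, n_i, n_r, cky_i, cky_r) -> dict:
        """Derivation modeled on RFC 2409 for pre-shared-key authentication:
        SKEYID binds the PSK to both nonces; SKEYID_d seeds the Phase 2 IPSec
        keys, SKEYID_a authenticates IKE messages, SKEYID_e encrypts them."""
        gxy = self.shared_secret(peer_public)
        skeyid = prf(self.psk, n_i + n_r)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
        return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_phase1(initiator_psk: bytes, responder_psk: bytes):
    """Run the exchange and report (dh_agrees, keys_agree). DH always agrees;
    only a matching pre-shared key makes the derived keys agree, which is
    what the authentication hashes at the end of Phase 1 actually verify."""
    init, resp = IkePeer(initiator_psk), IkePeer(responder_psk)
    dh_agrees = init.shared_secret(resp.public) == resp.shared_secret(init.public)
    keys_i = init.derive_keys(resp.public, init.nonce, resp.nonce, init.cookie, resp.cookie)
    keys_r = resp.derive_keys(init.public, init.nonce, resp.nonce, init.cookie, resp.cookie)
    return dh_agrees, keys_i == keys_r


if __name__ == "__main__":
    # Constructed sample PSKs: matching, then mismatched at one end.
    print(run_phase1(b"12345678", b"12345678"))   # (True, True)
    print(run_phase1(b"12345678", b"wrong-key"))  # (True, False)
```

The second call is the case behind a tunnel that "negotiates but never comes up": the DH step succeeds at both ends, so the failure only surfaces when the authentication hashes built from SKEYID disagree, which is why a mismatched Pre-Shared Key is the first thing to check in the VPN status log.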
VPNC IKE Phase II Parameters

The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)

Testing and Troubleshooting

Once you have completed the VPN configuration steps you can use PCs, located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway.
Relevant RFCs listed numerically:
• [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
• [RFC 1058] Routing Information Protocol, C. Hedrick, Rutgers University, June 1988.
• [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
• [RFC 2401] S. Kent, R.
Appendix D Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVS318v3 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.

Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c.
3. If you need Client for Microsoft Networks:
   a. Click the Add button.
   b. Select Client, and then click Add.
   c. Select Microsoft.
   d. Select Client for Microsoft Networks, and then click OK.
Restart your PC for the changes to take effect.
Verify the following settings as shown:
• Client for Microsoft Networks exists
• Ethernet adapter is present
• TCP/IP is present
• Primary Network Logon is set to Windows logon
Click on the Properties button. The following TCP/IP Properties window will display.
• By default, the IP Address tab is open on this window.
• Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
• Click OK to continue.
Restart the PC. Repeat these steps for each PC with this version of Windows on your network.

Selecting Windows’ Internet Access Method

1.
1. On the Windows taskbar, click the Start button, and then click Run.
2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things) your IP address, subnet mask, and default gateway.
3. From the drop-down box, select your Ethernet adapter.
8. Then, restart your PC.

Enabling DHCP to Automatically Configure TCP/IP Settings

You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.

DHCP Configuration of TCP/IP in Windows XP

Locate your Network Neighborhood icon.
• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics.
• Administrator logon access rights are needed to use this window.
• Click the Properties button to view details about the connection.
• The TCP/IP details are presented on the Support tab page.
• Select Internet Protocol, and click Properties to view the configuration information.
• Verify that the Obtain an IP address automatically radio button is selected.
• Verify that the Obtain DNS server address automatically radio button is selected.
• Click the OK button.
This completes the DHCP configuration of TCP/IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections.
• Right click on Local Area Connection and select Properties.
• The Local Area Connection Properties dialog box appears.
• Verify that you have the correct Ethernet card selected in the Connect using: box.
• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
• Verify that
  • Obtain an IP address automatically is selected.
  • Obtain DNS server address automatically is selected.
• Click OK to return to Local Area Connection Properties.
• Click OK again to complete the configuration process for Windows 2000.
Restart the PC.
DHCP Configuration of TCP/IP in Windows NT4

Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0.
• Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
• Double-click the Network icon in the Control Panel window. The Network panel will display.
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
• The TCP/IP Properties dialog box now displays.
• Click the IP Address tab.
• Select the radio button marked Obtain an IP address from a DHCP server.
• Click OK.
This completes the configuration of TCP/IP in Windows NT. Restart the PC. Repeat these steps for each PC with this version of Windows on your network.

Verifying TCP/IP Properties for Windows XP, 2000, and NT4

To check your PC’s TCP/IP configuration:
1.
   • The default gateway is 192.168.0.1
4. Type exit

Configuring the Macintosh for TCP/IP Networking

Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.

MacOS 8.6 or 9.x

1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens:
2. From the “Connect via” box, select your Macintosh’s Ethernet interface.
2. If not already selected, select Built-in Ethernet in the Configure list.
3. If not already selected, select Using DHCP in the TCP/IP tab.
4. Click Save.

Verifying TCP/IP Properties for Macintosh Computers

After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
Verifying the Readiness of Your Internet Account

For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer. Your firewall does not support a USB-connected broadband modem.
• An IP address and subnet mask
• A gateway IP address, which is the address of the ISP’s router
• One or more domain name server (DNS) IP addresses
• Host name and domain suffix
For example, your account’s full server names may look like this: mail.xxx.yyy.com
In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
   If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
7.
Restarting the Network

Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS318v3 VPN Firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVS318v3 VPN Firewall, you are ready to access and configure the firewall.
Appendix E VPN Configuration of NETGEAR FVS318v3 This is a case study on how to configure a secure IPSec VPN tunnel on a NETGEAR FVS318v3. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).
Figure E-1: Addressing and subnets used for this case study (VPN Consortium example network: Gateway A with LAN IP 10.5.6.1 on 10.5.6.0/24 and WAN IP 14.15.16.17; Gateway B with LAN IP 172.23.9.1 on 172.23.9.0/24 and WAN IP 22.23.24.25)

Configuring the Gateways

Configure each gateway as summarized in Figure E-2 and Figure E-3:
1. Configure Gateway A.
   a. Log in to the router at Gateway A.
   b. Use the VPN Wizard to configure this router.
Figure E-2: NETGEAR’s VPN Wizard for the router at each gateway (part 1 of 2)
Step 1: Click VPN Wizard on the Side Menu Bar
Step 2: Enter the following:
   o Connection name
   o Pre-Shared Key (must be the same for each end)
   o Select “A remote VPN Gateway”
Step 3: Enter the remote WAN’s IP address
Step 4: Enter the following:
   o Remote LAN IP Address
   o Remote LAN Subnet Mask
(continued in Figure E-3)
Figure E-3: NETGEAR’s VPN Wizard for the router at gateway A (part 2 of 2)
Step 5: Verify the information (example screen)

Note: The default login address for the FVS318v3 router is http://192.168.0.1 with the default user name of admin and default password of password. The login address will change to the local LAN IP subnet address after you configure the router.
Activating the VPN Tunnel

You can activate the VPN tunnel by testing connectivity and viewing the VPN tunnel status information as described in the following flowchart:

Figure E-4: Testing Flowchart
   Start
   Test Step 1: Ping Remote LAN IP Address
      Pass: go to Test Step 3
      Fail: go to Test Step 2
   Test Step 2: Ping Remote WAN IP Address
      Pass: Fix the VPN Tunnel and then Retest
      Fail: Fix the Router Network and then Retest
   Test Step 3: View VPN Tunnel Status
   End

All traffic from the range of LA
The FVS318v3-to-FVS318v3 Case

Table E-1. Policy Summary
VPN Consortium Scenario:  Scenario 1
Type of VPN:              LAN-to-LAN or Gateway-to-Gateway
Security Scheme:          IKE with Preshared Secret/Key
Date Tested:              November 2004
Model/Firmware Tested:    NETGEAR-Gateway A FVS318v3 with firmware version v3.0_14
                          NETGEAR-Gateway B FVS318v3 with firmware version v3.
Note: Based on the network addresses used in this example, you would log in to the LAN IP address of http://10.5.6.1 at Gateway A.
2. Use the VPN Wizard to configure the FVS318v3 at Gateway A. Follow the steps listed in Figure E-2 and Figure E-3 using the following parameters as illustrated in Figure E-6:
3.
   • Remote LAN IP Subnet
      – IP Address: 10.5.6.1 (in this example), must be unique at each VPN tunnel endpoint
      – Subnet Mask: 255.255.255.0 (in this example)
All traffic from the range of LAN IP addresses specified on FVS318v3 A and FVS318v3 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated (see “Initiating and Checking the VPN Connections” on page 11).
Viewing and Editing the VPN Parameters

The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic on the FVS318v3 are presented in Figure E-7 and Figure E-8.
Figure E-8: IKE parameters at Gateway A (FVS318v3) and Gateway B (FVS318v3) (screens: Gateway A IKE Parameters, Gateway B IKE Parameters)

Note: The Pre-Shared Key must be the same at both VPN tunnel endpoints. The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints.
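The note above states the invariant that every gateway-to-gateway case in this appendix depends on: each endpoint's remote WAN, LAN and mask are the other endpoint's local values, the Pre-Shared Key is identical, and the IKE/IPSec parameters match. When the two ends are configured by hand rather than by the wizard, that is where mistakes land. The Python below is an added example, not code from the manual or the firewall; it models what the wizard asks for at each gateway (the parameter names are this example's own), checks the two configurations against each other, and flags overlapping LAN subnets, which the text's "must be unique at each VPN tunnel endpoint" rules out. The sample uses the VPNC Scenario 1 addresses from Figure E-1 and the Pre-Shared Key value shown later in the client case:

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelEndpoint:
    """What the VPN Wizard asks for at one gateway, plus the IKE/IPSec
    parameters it fills in from the VPNC defaults (field names are this
    example's own, not the firewall's configuration keys)."""
    name: str
    local_wan: str
    local_lan: str
    local_mask: str
    remote_wan: str
    remote_lan: str
    remote_mask: str
    psk: str
    exchange_mode: str = "Main"
    encryption: str = "3DES"
    integrity: str = "SHA-1"
    dh_group: int = 1
    pfs: bool = True
    sa_lifetime_s: int = 28800


# Each (local, remote) pair must be mirrored between the two endpoints.
MIRRORED = (("local_wan", "remote_wan"), ("local_lan", "remote_lan"),
            ("local_mask", "remote_mask"))
# These must simply be equal on both sides.
MUST_MATCH = ("exchange_mode", "encryption", "integrity",
              "dh_group", "pfs", "sa_lifetime_s")


def check_tunnel_pair(a: TunnelEndpoint, b: TunnelEndpoint) -> list:
    """Return a list of configuration problems; an empty list means the
    two ends describe the same tunnel from opposite sides."""
    problems = []
    for local, remote in MIRRORED:
        if getattr(a, local) != getattr(b, remote):
            problems.append(f"{b.name}.{remote} should equal {a.name}.{local}")
        if getattr(b, local) != getattr(a, remote):
            problems.append(f"{a.name}.{remote} should equal {b.name}.{local}")
    if a.psk != b.psk:
        problems.append("Pre-Shared Key differs between endpoints")
    for field in MUST_MATCH:
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs: {getattr(a, field)!r} vs {getattr(b, field)!r}")
    net_a = ipaddress.IPv4Network(f"{a.local_lan}/{a.local_mask}", strict=False)
    net_b = ipaddress.IPv4Network(f"{b.local_lan}/{b.local_mask}", strict=False)
    if net_a.overlaps(net_b):
        problems.append(f"LAN subnets {net_a} and {net_b} overlap; "
                        "traffic cannot be routed across the tunnel")
    return problems


def vpnc_scenario_1():
    """The VPNC Scenario 1 addresses used in this appendix; the PSK value is
    the sample one the client case enters in the wizard."""
    a = TunnelEndpoint("Gateway A", "14.15.16.17", "10.5.6.1", "255.255.255.0",
                       "22.23.24.25", "172.23.9.1", "255.255.255.0", "12345678")
    b = TunnelEndpoint("Gateway B", "22.23.24.25", "172.23.9.1", "255.255.255.0",
                       "14.15.16.17", "10.5.6.1", "255.255.255.0", "12345678")
    return a, b


if __name__ == "__main__":
    gw_a, gw_b = vpnc_scenario_1()
    print(check_tunnel_pair(gw_a, gw_b))        # [] when the ends mirror each other
    gw_b.remote_lan = "10.5.7.1"                # one mistyped digit at Gateway B
    print(check_tunnel_pair(gw_a, gw_b))
```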
Initiating and Checking the VPN Connections

You can test connectivity and view VPN status information on the FVS318v3 according to the testing flowchart shown in Figure E-4. To test the VPN tunnel from the Gateway A LAN, do the following:
1. Test 1: Ping Remote LAN IP Address: To establish the connection between the FVS318v3 Gateway A and Gateway B tunnel endpoints, perform these steps at Gateway A:
   a.
(VPN Status screens: at Gateway A (FVS318v3), status of the VPN tunnel from Gateway B 22.23.24.25 and of the VPN tunnel to Gateway B 22.23.24.25; at Gateway B (FVS318v3), status of the VPN tunnel from Gateway A 22.23.24.)
The FVS318v3-to-FVS318v2 Case

Table E-2. Policy Summary
VPN Consortium Scenario:  Scenario 1
Type of VPN:              LAN-to-LAN or Gateway-to-Gateway
Security Scheme:          IKE with Preshared Secret/Key
Date Tested:              November 2004
Model/Firmware Tested:    NETGEAR-Gateway A FVS318v3 with firmware version v3.0_14
                          NETGEAR-Gateway B FVS318v2 with firmware version V2.
Note: Based on the network addresses used in this example, you would log in to the LAN IP address of http://10.5.6.1 at Gateway A.
2. Use the VPN Wizard to configure the FVS318v3 at Gateway A. Follow the steps listed in Figure E-2 and Figure E-3 using the following parameters as illustrated in Figure E-11:
3.
   • Remote LAN IP Subnet
      – IP Address: 10.5.6.1 (in this example), must be unique at each VPN tunnel endpoint
      – Subnet Mask: 255.255.255.0 (in this example)
All traffic from the range of LAN IP addresses specified on FVS318v3 A and FVS318v3 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated (see “Initiating and Checking the VPN Connections” on page 18).
Viewing and Editing the VPN Parameters

The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic are presented in Figure E-12.
Figure E-12: VPN Parameters at Gateway A (FVS318v3) and Gateway B (FVS318v2) (screens: Gateway A VPN Parameters (FVS318v3), Gateway B VPN Parameters (FVS318v2))
Note: The Pre-Shared Key must be the same at both VPN tunnel endpoints. The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints.
3. Test 3: View VPN Tunnel Status: To view the FVS318v3 and FVS318v2 event log and status of Security Associations, go to the FVS318v3 main menu VPN section and click the VPN Status link. For the FVS318v2, click Show VPN Status from the Router Status screen.

(VPN Status screen at Gateway A (FVS318v3): status of the VPN tunnel from Gateway B and of the VPN tunnel to Gateway B, 22.23.24.25 and 22.23.24.)
The FVS318v3-to-FVL328 Case

Table E-3. Policy Summary
VPN Consortium Scenario:  Scenario 1
Type of VPN:              LAN-to-LAN or Gateway-to-Gateway
Security Scheme:          IKE with Preshared Secret/Key
Date Tested:              November 2004
Model/Firmware Tested:    NETGEAR-Gateway A FVS318v3 with firmware version v3.0_14
                          NETGEAR-Gateway B FVL328 with firmware version V2.
Note: Based on the network addresses used in this example, you would log in to the LAN IP address of http://10.5.6.1 at Gateway A.
2. Use the VPN Wizard to configure the FVS318v3 at Gateway A. Follow the steps listed in Figure E-2 and Figure E-3 using the following parameters as illustrated in Figure E-15:
3.
   • Remote LAN IP Subnet
      – IP Address: 10.5.6.1 (in this example), must be unique at each VPN tunnel endpoint
      – Subnet Mask: 255.255.255.0 (in this example)
All traffic from the range of LAN IP addresses specified on FVS318v3 A and FVL328 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated (see “Initiating and Checking the VPN Connections” on page 25).
Viewing and Editing the VPN Parameters

The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic on the FVS318v3 and FVL328 are presented in Figure E-16 and Figure E-17.
Figure E-17: IKE parameters at Gateway A (FVS318v3) and Gateway B (FVL328) (screens: Gateway A IKE Parameters, Gateway B IKE Parameters)

Note: The Pre-Shared Key must be the same at both VPN tunnel endpoints. The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints.
Initiating and Checking the VPN Connections

You can test connectivity and view VPN status information on the FVS318v3 and FVL328 according to the testing flowchart shown in Figure E-4. To test the VPN tunnel from the Gateway A LAN, do the following:
1. Test 1: Ping Remote LAN IP Address: To establish the connection between the FVS318v3 Gateway A and FVL328 Gateway B tunnel endpoints, perform these steps at Gateway A:
   a.
(VPN Status screen at Gateway A (FVS318v3): status of the VPN tunnel from Gateway B and of the VPN tunnel to Gateway B, 22.23.24.25 and 22.23.24.)
The FVS318v3-to-VPN Client Case

Table E-4. Policy Summary
VPN Consortium Scenario:  Scenario 1
Type of VPN:              PC/Client-to-Gateway
Security Scheme:          IKE with Preshared Secret/Key
Date Tested:              November 2004
Model/Firmware Tested:    NETGEAR-Gateway A FVS318v3 with firmware version v3.0_14
                          NETGEAR-Client B NETGEAR ProSafe VPN Client v10.3.
Configuring the VPN Tunnel

Note: This scenario assumes all ports are open on the FVS318v3.

Figure E-19: LAN to PC VPN access from an FVS318v3 to a VPN Client (Scenario 1: Gateway A with LAN IP 10.5.6.1 on 10.5.6.0/24 and WAN IP 14.15.16.17; Client B with WAN IP 0.0.0.0, a PC running the NETGEAR ProSafe VPN Client behind a router)

Use this scenario illustration and configuration screens as a model to build your configuration.
1.
Figure E-20: VPN Wizard at Gateway A (FVS318v3) (screen notes: the Pre-Shared Key must be the same at both ends of the VPN tunnel; select “A Remote VPN Client”)
Figure E-21: VPN parameters at Gateway A (FVS318v3)
3. Set up the VPN Client at Gateway B as in the illustration (Figure E-19).
   a. Right-mouse-click the ProSafe icon in the system tray and select the Security Policy Editor. If you need to install the NETGEAR ProSafe VPN Client on your PC, consult the documentation that came with your software.
   b. Add a new connection using the Edit/Add/Connection menu and rename it Scenario_1.
   c. Program the Scenario_1 connection screen as follows (see Figure E-23):
      • Connection Security: Secure
      • Remote Party Identity and Addressing: Select IP Subnet from the ID Type menu and then enter 10.5.6.1 for Subnet, 255.255.255.0 for Mask, and leave All for Protocol.
   d. Select Security Policy on the left hierarchy menu and then select Aggressive Mode under Select Phase 1 Negotiation Mode (see Figure E-24). (The Select Phase 1 Negotiation Mode choice must match the Exchange Mode setting for the General IKE Policy Configuration parameters shown in Figure E-21 for the gateway router.
   e. Select My Identity on the left hierarchy menu and program the screen as follows (see Figure E-25):
      • Under My Identity, select None for Select Certificate (since we are using a Pre-Shared Key in this scenario).
      • Then enter 12345678 for the Pre-Shared Key value. (The Pre-Shared Key value must match the value you entered in the VPN Wizard for the gateway Pre-Shared Key value shown in Figure E-20.
   f. Verify the Authentication (Phase 1) and Key Exchange (Phase 1) Proposal 1 screen parameters (see Figure E-26) match the IKE SA Parameters of the IKE Policy Configuration screen shown in Figure E-21 for the gateway router.

Figure E-26: Scenario_1 Proposal 1 parameters for Authentication and Key Exchange

   g. Save the Scenario_1 connection using Save under the File menu.
Initiating and Checking the VPN Connections

You can test connectivity and view VPN status information on the FVS318v3 and VPN Client according to the testing flowchart shown in Figure E-4. To test the VPN tunnel from the Gateway A LAN, do the following:
1.
2. Test 2: Ping Remote WAN IP Address (if Test 1 fails): To test connectivity between the Gateway A and Gateway B WAN ports, follow these steps:
   a. From a Windows Client PC, click the Start button on the taskbar and then click Run.
   b. Type ping -t 14.151.6.17, and then click OK.
   c. This causes a ping to be sent to the WAN interface of Gateway A. Within two minutes, the ping response should change from timed out to reply.
(VPN Status screen at Gateway A (FVS318v3): status of the VPN tunnel from Gateway B and of the VPN tunnel to Gateway B, 22.23.24.25 and 22.23.24.)
Glossary

List of Glossary Terms

Use the list below to find definitions for technical terms used in this manual.

Numeric

10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.

100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.

802.1x
802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management. The IEEE 802.
ARP
Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address. There is also Reverse ARP (RARP) which can be used by a host to discover its IP address.
printed on the cable jacket. Cat 5 cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks.

Certificate Authority
A Certificate Authority is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs.
to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access.

DSLAM
DSL Access Multiplexor. The piece of equipment at the telephone company central office that provides the ADSL signal.

Dynamic Host Configuration Protocol
DHCP.
IEEE
Institute of Electrical and Electronics Engineers. This American organization was founded in 1963 and sets standards for computers and communications.

IETF
Internet Engineering Task Force. An organization responsible for providing engineering solutions for TCP/IP networks. In the network management area, this group is responsible for the development of the SNMP protocol.

IKE
Internet Key Exchange.
IP Address
A four-byte number uniquely defining each host on the Internet, usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57). Ranges of addresses are assigned by InterNIC, an organization formed for this purpose.

ISP
Internet service provider.

L

LAN
See “Local Area Network”

Local Area Network
A communications network serving users within a limited area, such as one floor of a building.
Mbps
Megabits per second.

MDI/MDIX
In cable wiring, the concepts of transmit and receive are from the perspective of the PC, which is wired as a Media Dependent Interface (MDI). In MDI wiring, a PC transmits on pins 1 and 2. At the hub, switch, router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependent Interface - Crossover (MDI-X).
PPTP
Point-to-Point Tunneling Protocol. A Microsoft-developed method for establishing a virtual private network (VPN) by encapsulating PPP frames inside GRE packets carried over the Internet.

Protocol
A set of rules for communication between devices on a network.

PSTN
Public Switched Telephone Network.

Q

QoS
See “Quality of Service”

Quality of Service
QoS is a networking term that specifies a guaranteed level of throughput.
S

Segment
A section of a LAN that is connected to the rest of the network using a switch, bridge, or repeater.

Subnet Mask
Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.

T

TCP/IP
The main internetworking protocols used in the Internet.
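The local-or-gateway decision described in the Subnet Mask entry, as an added worked example that is not part of the NETGEAR manual. It ANDs the host address and the destination with the mask and compares the network numbers, rejects a mask whose one-bits are not contiguous, and checks that the default gateway itself is on the host's subnet. The host, mask and gateway values are constructed for the example (a 192.168.0.0/24 LAN is assumed); the remote address 22.23.24.25 is the Gateway B address shown earlier in the manual.

```python
import socket
import struct


def ip_to_int(addr: str) -> int:
    """Dotted-decimal -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value))


def prefix_length(mask: str) -> int:
    """Return the prefix length of a mask, rejecting masks whose one-bits are
    not contiguous (255.0.255.0 is a typo, not a subnet)."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if m != expected:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def network_of(addr: str, mask: str) -> str:
    """The network number: address AND mask."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def is_local(host_ip: str, mask: str, destination: str) -> bool:
    """Same network number under the mask means the host can deliver directly."""
    return network_of(host_ip, mask) == network_of(destination, mask)


def next_hop(host_ip: str, mask: str, gateway: str, destination: str) -> tuple:
    """('direct', destination) when the destination is on the local subnet,
    otherwise ('gateway', gateway) because it must be reached via the router."""
    prefix_length(mask)  # fail early on a bogus mask
    if not is_local(host_ip, mask, gateway):
        raise ValueError("default gateway must be on the host's own subnet")
    if is_local(host_ip, mask, destination):
        return ("direct", destination)
    return ("gateway", gateway)


if __name__ == "__main__":
    # Constructed values (assumed, not from the manual): a LAN host behind
    # the router at 192.168.0.1 on a /24.
    host, mask, gateway = "192.168.0.10", "255.255.255.0", "192.168.0.1"
    for dest in ("192.168.0.25", "22.23.24.25"):
        print(dest, "->", next_hop(host, mask, gateway, dest))
```

Widening the mask to 255.255.0.0 makes 192.168.5.7 a local destination for the same host, which is exactly the behaviour change a wrong mask on a PC causes: traffic that should go to the router is instead ARP-ed for on the LAN and silently dropped.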
A Web proxy server is a specialized HTTP server that allows clients access to the Internet from behind a firewall. The proxy server listens for requests from clients within the firewall and forwards these requests to remote Internet servers outside the firewall. The proxy server reads responses from the external servers and then sends them to the internal clients.