NETGEAR ProSafe FVS114 Reference Manual



Reference Manual for the
ProSafe VPN Firewall
FVS114
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10098-01
April 2005
202-10098-01, April 2005


Summary of Contents for NETGEAR ProSafe FVS114

  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Product and Publication Details. Model Number: FVS114. Publication Date: April 2005. Product Family: Router. Product Name: FVS114 ProSafe VPN Firewall. Home or Business Product: Business. Language: English...
  • Page 5: Table Of Contents

    First, Connect the FVS114 ...3-1 Now, Configure the FVS114 for Internet Access ...3-4 Troubleshooting Tips ...3-6 Overview of How to Access the FVS114 VPN Firewall ...3-7 How to Log On to the FVS114 After Configuration Settings Have Been Applied ...3-8 How to Bypass the Configuration Assistant ...3-9...
  • Page 6 How to Set Up a Client-to-Gateway VPN Configuration ...5-5 Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS114 ...5-6 Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC ...5-9 Monitoring the Progress and Status of the VPN Client Connection ...5-16 Transferring a Security Policy to Another Client ...5-17...
  • Page 7 Walk-Through of Configuration Scenarios on the FVS114 ...6-14 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets ...6-15 FVS114 Scenario 1: FVS114 to Gateway B IKE and VPN Policies ...6-16 How to Check VPN Connections ...6-21 Testing the Gateway A FVS114 LAN and the Gateway B LAN ...6-21 FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates ...6-22...
  • Page 8 Testing the Path from Your PC to a Remote Device ...9-6 Restoring the Default Configuration and Password ...9-7 Problems with Date and Time ...9-7 Appendix A Technical Specifications Appendix B Network, Routing, and Firewall Basics Related Publications ... B-1 Basic Router Concepts ... B-1...
  • Page 9 What is a Router? ... B-2 Routing Information Protocol ... B-2 IP Addresses and the Internet ... B-2 Netmask ... B-4 Subnet Addressing ... B-5 Private IP Addresses ... B-7 Single IP Address Operation Using NAT ... B-8 MAC Addresses and Address Resolution Protocol ... B-9 Related Documents ...
  • Page 10 VPN Tunnel Between Gateways ... C-8 VPNC IKE Security Parameters ... C-10 VPNC IKE Phase I Parameters ... C-10 VPNC IKE Phase II Parameters ... C-11 Testing and Troubleshooting ... C-11 Additional Reading ... C-11 Appendix D Preparing Your Network Preparing Your Computers for TCP/IP Networking ...
  • Page 11 B ... G-2 C ... G-3 D ... G-3 E ... G-4 G ... G-5 I ... G-5 L ... G-6 M ... G-7 P ... G-7 Q ... G-8 R ... G-9 S ... G-9 T ... G-9 U ... G-10 W ...
  • Page 13: About This Manual

    This guide uses the following formats to highlight special messages: Note: This format is used to highlight information of importance or special interest. This manual is written for the FVS114 VPN Firewall according to these specifications.: Table 1-2. Manual Scope...
  • Page 14: How To Use This Manual

    • button to access the full NETGEAR, Inc. online Knowledge Base for the product model. • Links to PDF versions of the full manual and individual chapters.
  • Page 15: How To Print This Manual

    Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature...
  • Page 17: Introduction

    FVS114 uses stateful packet inspection for Denial of Service attack (DoS) protection and intrusion detection. The FVS114 allows Internet access for up to 253 users. The FVS114 VPN Firewall provides you with multiple Web content filtering options, plus browsing activity reporting and instant alerts —...
  • Page 18: A Powerful, True Firewall With Content Filtering

    A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT firewalls, the FVS114 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: •...
  • Page 19: Autosensing Ethernet Connections With Auto Uplink

    Autosensing Ethernet Connections with Auto Uplink With its internal eight-port 10/100 switch, the FVS114 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
  • Page 20: Easy Installation And Management

    • Visual monitoring The FVS114 VPN Firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVS114 VPN Firewall: •...
  • Page 21: Package Contents

    • Registration and Warranty Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. The FVS114 Front Panel The front panel of the FVS114 VPN Firewall contains the status LEDs described below.
  • Page 22: The Fvs114 Rear Panel

    LINK/ACT (Link/Activity) Blinking The FVS114 Rear Panel The rear panel of the FVS114 VPN Firewall contains the port connections listed below. FACTORY DEFAULTS Reset Button Figure 2-2: FVS114 rear panel Viewed from left to right, the rear panel contains the following features: •...
  • Page 23: Netgear-Related Products

    • DC power input • ON/OFF switch NETGEAR-Related Products NETGEAR products related to the FVS114 are listed in the following table: Table 2-2. NETGEAR-Related Products Category Wireless Notebooks WAG511 108 Mbps Dual Band PC Card WG511T 108 Mbps PC Card WG511 54 Mbps PC Card WG111 54 Mbps USB 2.0 Adapter...
  • Page 24 Documentation is available on the Resource CD and at http://kbserver.netgear.com. When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
  • Page 25: Connecting The Firewall To The Internet

    Connecting the Firewall to the Internet This chapter describes how to set up the firewall on your LAN, connect to the Internet, perform basic configuration of your FVS114 ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection.
  • Page 26 Disconnect the cable at the computer end only, point A in the diagram. Look at the label on the bottom of the VPN firewall router. Locate the Internet port. Securely insert the Ethernet cable from your modem (Cable 1 in the diagram below) into the Internet port of the VPN firewall router as shown in point B of the diagram.
  • Page 27 Securely insert the blue cable that came with your VPN firewall router (the blue NETGEAR cable in the diagram below) into a LOCAL port on the firewall such as LOCAL port 4 (point C in the diagram), and the other end into the Ethernet port of your computer (point D in the diagram).
  • Page 28: Now, Configure The Fvs114 For Internet Access

    • INTERNET: The Internet LINK/ACT light should be lit. If not, make sure the Ethernet cable is securely attached to the VPN firewall router Internet port and the modem, and the modem is powered on. •...
  • Page 29 Note: The Smart Wizard Configuration Assistant only appears when the firewall is in its factory default state. After you configure the VPN firewall router, it will not appear again. You can always connect to the firewall to change its settings. To do so, open a browser such as Internet Explorer and go to http://www.routerlogin.net.
  • Page 30: Troubleshooting Tips

    Use the status lights on the front of the FVS114 to verify correct firewall operation. If the FVS114 power light does not turn solid green or if the test light does not go off within two minutes after turning the firewall on, reset the firewall according to the instructions in “Backing Up the Configuration”...
  • Page 31: Overview Of How To Access The Fvs114 Vpn Firewall

    Overview of How to Access the FVS114 VPN Firewall The table below describes how you access the VPN firewall router, depending on the state of the VPN firewall router. Table 3-1. Ways to access the firewall Firewall State Access Options...
  • Page 32: How To Log On To The Fvs114 After Configuration Settings Have Been Applied

    How to Log On to the FVS114 After Configuration Settings Have Been Applied Connect to the VPN firewall router by typing http://www.routerlogin.net in the address field of your browser, then press Enter.
  • Page 33: How To Bypass The Configuration Assistant

    Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router. If you do not click Logout, the VPN firewall router will wait five minutes after there is no activity before it automatically logs you out.
  • Page 34: Using The Smart Setup Wizard

    The browser then displays the FVS114 settings home page shown in home page” on page 3-9. If you do not click Logout, the VPN firewall router waits five minutes after there is no activity before it automatically logs you out. Using the Smart Setup Wizard You can use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection.
  • Page 35: How To Manually Configure Your Internet Connection

    If your Internet connection does require a login, click Yes, and skip to step 4. ISP Does Require Login...
  • Page 36 Account: Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use static IP address”.
  • Page 37 Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 3-10. Click Apply to save your settings...
  • Page 39: Firewall Protection And Content Filtering

    Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the FVS114 ProSafe VPN Firewall to protect your network. These features can be found by clicking on the Security heading in the main menu of the browser interface.
  • Page 40: Block Sites

    Block Sites The FVS114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 4-1: Block Sites menu Web Components: You can use these to block undesirable Web components or behavior.
  • Page 41: Using Rules To Block Or Allow Specific Kinds Of Traffic

    Inbound: Block all access from outside except responses to requests from the LAN side. • Outbound: Allow all access from the LAN side to the outside...
  • Page 42 These default rules are shown in the Rules table of the Rules menu in Figure 4-2: Figure 4-2: Rules menu You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 43 – Match — traffic of this type that matches the parameters and action will be logged. • Options. These options determine how certain types of packets are handled by the Router. Enable or disable each option as required. – Enable VPN Passthrough (IPSec, PPTP, L2TP) — The IPSec, PPTP, and L2TP protocols are used to establish a secure connection, and are widely used by VPN (Virtual Private Networking) programs.
  • Page 44: Inbound Rules (Port Forwarding)

    DNS directly. This setting should normally be enabled. Inbound Rules (Port Forwarding) Because the FVS114 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers.
  • Page 45: Inbound Rule Example: Allowing A Videoconference From Restricted Addresses

    Figure 4-3: Rule example: a local public Web server Inbound Rule Example: Allowing a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule.
  • Page 46: Considerations For Inbound Rules

    Outbound Rules (Service Blocking) The FVS114 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on: •...
  • Page 47: Outbound Rule Example: Blocking Instant Messenger

    Outbound Rule Example: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
  • Page 48: Order Of Precedence For Rules

    Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules table, as shown below: Figure 4-6: Rules table For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom.
  • Page 49: Services

    1024 to 65535 by the authors of the application. Although the FVS114 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
  • Page 50 To add a service: When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears as shown in Figure 4-8: Add Custom Service menu Enter a descriptive name for the service so that you will remember what it is.
  • Page 51: Using A Schedule To Block Or Allow Specific Traffic

    Using a Schedule to Block or Allow Specific Traffic If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The...
  • Page 52: Time Zone

    Be sure to click Apply when you have finished configuring this page. Time Zone The FVS114 VPN Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time Zone: •...
  • Page 53: Getting E-Mail Notifications Of Event Logs And Alerts

    – If a Denial of Service attack is detected. – If a Port Scan is detected...
  • Page 54 – If a user on your LAN attempts to access a Web site that you blocked using the Block Sites menu. • Send logs according to this schedule. You can specify that logs are sent to you according to a schedule.
  • Page 55: Viewing Logs Of Web Access Or Attempted Web Access

    Viewing Logs of Web Access or Attempted Web Access The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site.
  • Page 56: Syslog

    Log entries are described in Table 4-1 Table 4-1. Log entry descriptions Field Description Date and Time The date and time the log entry was recorded. Description or The type of event and what action was taken if any.
  • Page 57: Basic Virtual Private Networking

    This chapter describes how to use the virtual private networking (VPN) features of the FVS114 VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. The VPN information is organized as follows: •...
  • Page 58: Overview Of Vpn Configuration

    Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway and between two or more network gateways. The FVS114 supports both of these types of VPN configurations. The FVS114 VPN Firewall supports up to eight concurrent tunnels.
  • Page 59: Planning A Vpn

    VPN Gateway A Figure 5-2: Gateway-to-gateway VPN tunnel A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet.
  • Page 60 FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator.
  • Page 61: Vpn Tunnel Configuration

    Chapter 6, “Advanced Virtual Private defaults (see Table 5-1 How to Set Up a Client-to-Gateway VPN Configuration Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway (see Figure 5-3) involves the following two steps: •...
  • Page 62: Step 1: Configuring The Client-To-Gateway Vpn Tunnel On The Fvs114

    Networking” to set up the VPN tunnel. Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard. Log in to the FVS114 at its LAN address of admin and password of password. Click the VPN Wizard link in the main menu to display this screen.
  • Page 63 Figure 5-5: Connection Name and Remote IP Type The Summary screen below displays. Figure 5-6: VPN Wizard Summary Enter the new Connection Name: (RoadWarrior in this example) Enter the pre-shared key:...
  • Page 64 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-7: VPNC Recommended Settings Click Done on the Summary screen (see The VPN Policies menu below displays showing that the new tunnel is enabled.
  • Page 65: Step 2: Configuring The Netgear Prosafe Vpn Client On The Remote Pc

    From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies. Rename the “New Connection” so that it matches the Connection Name you entered in the VPN Settings of the FVS114 on LAN A. ) in the system tray after rebooting.
  • Page 66 Note: In this example, the Connection Name used on the client side of the VPN tunnel is NETGEAR_VPN_router and it does not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel (see Names are unrelated to how the VPN tunnel functions.
  • Page 67 Select the Connect using Secure Gateway Tunnel check box. Select IP Address in the ID Type menu below the check box. Enter the public WAN IP Address of the FVS114 in the field directly below the ID Type menu. In this example, The resulting Connection Settings are shown in Configure the Security Policy in the NETGEAR ProSafe VPN Client software.
  • Page 68 Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the FVS114's Pre-Shared Key and click OK. In this example, 12345678 is entered. This field is case sensitive.
  • Page 69 In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS114 configuration. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the “+”...
  • Page 70 In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS114 configuration. Expand the Key Exchange subheading by double clicking its name or clicking on the “+”...
  • Page 71 VPN firewall’s LAN. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the FVS114’s network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request.
  • Page 72: Monitoring The Progress And Status Of The Vpn Client Connection

    Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote FVS114. After a short wait, you should see the login screen of the VPN Firewall (unless another PC already has the FVS114 management interface open).
  • Page 73: Transferring A Security Policy To Another Client

    Transferring a Security Policy to Another Client This section explains how to export and import a security policy as an .spd file so that an existing NETGEAR ProSafe VPN Client configuration can be copied to other PCs running the NETGEAR ProSafe VPN Client.
  • Page 74: Importing A Security Policy

    Figure 5-20: Exporting a security policy Importing a Security Policy The following procedure (Figure 5-18 Step 1: Select Export Security Policy from the File pulldown. Step 2: Click Export once you decide the name of the file and directory where you want to store the client policy.
  • Page 75 Policy from the File pulldown. Figure 5-21: Importing a security policy Step 2: Select the security policy to import. In this example, the security policy file is named FVS114_clientpolicy_direct.spd and located on the Desktop.
  • Page 76: How To Set Up A Gateway-To-Gateway Vpn Configuration

    Networking” to set up the VPN tunnel. Figure 5-22: Gateway-to-Gateway VPN Tunnel Follow the procedure below to set the LAN IPs on each FVS114 to different subnets and configure each properly for the Internet. The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x.
  • Page 77: Procedure To Configure A Gateway-To-Gateway Vpn Tunnel

    Procedure to Configure a Gateway-to-Gateway VPN Tunnel Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. Log in to the FVS114 on LAN A at its default LAN address of default user name of admin main menu to display this screen. Click Next to proceed.
  • Page 78 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Figure 5-25: Remote IP 4. Identify the IP addresses at the target endpoint that can use this tunnel, and click Next.
  • Page 79 The Summary screen below displays. Figure 5-27: VPN Wizard Summary...
  • Page 80 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-28: VPN Recommended Settings Click Done on the Summary screen (see procedure. The VPN Policies menu below displays showing that the new tunnel is enabled.
  • Page 81 Repeat for the FVS114 on LAN B. Pay special attention and use the following network settings as appropriate. • WAN IP of the remote VPN gateway (e.g., 14.15.16.17) • LAN IP settings of the remote VPN gateway: — IP Address (e.g., 192.168.0.1) —...
  • Page 82: Vpn Tunnel Control

    To use the VPN Status screen to activate a VPN tunnel, perform the following steps: Log in to the VPN Firewall. Open the FVS114 management interface and click on VPN Status under VPN to get the VPN Status/Log screen (Figure...
  • Page 83: Activate The Vpn Tunnel By Pinging The Remote Endpoint

    Client-to-Gateway Configuration—to check the VPN Connection, you can initiate a request from the remote PC to the FVS114’s network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect.
  • Page 84 Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote FVS114. After a short wait, you should see the login screen of the VPN Firewall (unless another PC already has the FVS114 management interface open).
  • Page 85: Verifying The Status Of A Vpn Tunnel

    To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps: Log in to the VPN Firewall. Open the FVS114 management interface and click VPN Status under VPN to get the VPN Status/Log screen...
  • Page 86: Deactivating A Vpn Tunnel

    • Click Clear Log to delete all log entries. Click VPN Status (Figure Figure 5-38: Current VPN Tunnels (SAs) screen This page lists the following data for each active VPN Tunnel. •...
  • Page 87: Using The Vpn Status Page To Deactivate A Vpn Tunnel

    Log in to the VPN Firewall. Click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-40). Figure 5-40: VPN Status/Log screen...
  • Page 88: Deleting A Vpn Tunnel

    Click VPN Status (Figure Click Drop for the VPN tunnel you want to deactivate. Figure 5-41: Current VPN Tunnels (SAs) screen Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented by the VPN Wizard), automatic traffic will reactivate the tunnel.
  • Page 89: Advanced Virtual Private Networking

    Overview of FVS114 Policy-Based VPN Configuration The FVS114 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity. Since the FVS114 strictly conforms to IETF standards, it is interoperable with devices from major network equipment vendors.
  • Page 90: Using Policies To Manage Vpn Traffic

    VPN policy that does not use an IKE policy but in which you manually enter all the authentication and key parameters. Since VPN policies use IKE policies, you define the IKE policy first. The FVS114 also allows you to manually input the authentication scheme and encryption key values. In the case of manual key management there will not be any IKE policies.
  • Page 91: Ike Policies' Automatic Key And Authentication Management

    IKE Policies’ Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
  • Page 92 These parameters apply to the Local FVS114 VPN Firewall. Local Identity Type Use this field to identify the local FVS114. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
  • Page 93: Vpn Policy Configuration For Auto Key Negotiation

    These parameters apply to the target remote FVS114, VPN gateway, or VPN client. Remote Identity Type Use this field to identify the remote FVS114. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
  • Page 94 Figure 6-3: VPN - Auto Policy menu...
  • Page 95 Note: Create the IKE policy BEFORE creating a VPN - Auto policy. The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVS114’s Local IP values entered as its Remote VPN Endpoint.
  • Page 96 Table 6-1. VPN – Auto Policy Configuration Fields Field Description Traffic Selector These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
  • Page 97: Vpn Policy Configuration For Manual Key Exchange

    Click the VPN Policies link from the VPN section of the main menu to display the menu shown below. Description If you enable AH, then use this menu to select which authentication algorithm will be employed.
  • Page 98 Figure 6-4: VPN - Manual Policy menu...
  • Page 99 VPN policies. The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVS114’s WAN Internet IP address entered as its Remote VPN Endpoint.
  • Page 100 Table 6-1. VPN Manual Policy Configuration Fields Field Description Authentication Algorithm If you enable AH, then select the authentication algorithm: • MD5 — the default • SHA1 — more secure Enter the keys in the fields provided. For MD5, the keys should be 16 characters.
  • Page 101: Using Digital Certificates For Ike Auto-Policy Authentication

    The CAs are authorized to issue these certificates by Policy Certification Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The FVS114 is able to use certificates to authenticate users at the end points during the IKE key exchange process.
  • Page 102: Certificate Revocation List (CRL)

    Each CA has its own certificate. The certificates of a CA are added to the FVS114 and then can be used to form IKE policies for the user. Once a CA certificate is added to the FVS114 and a certificate is created for a user, the corresponding IKE policy is added to the FVS114.
  • Page 103: VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

    The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client.
  • Page 104: FVS114 Scenario 1: FVS114 to Gateway B IKE and VPN Policies

    Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets FVS114 Scenario 1: FVS114 to Gateway B IKE and VPN Policies Note: This scenario assumes all ports are open on the FVS114. You can verify this by reviewing the security settings as seen in the Gateway A FVS114 10.5.6.1/24...
  • Page 105 WAN IP addresses ISP provides these addresses Figure 6-7: FVS114 Internet IP Address menu Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Settings topics, please see “How to Manually Configure Your Internet Connection”...
  • Page 106 Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVS114. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in Web-based configuration manager of the FVS114.
  • Page 107 3. Set up the IKE Policy illustrated below on the FVS114. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below. Figure 6-9: Scenario 1 IKE Policy Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
  • Page 108 Apply to save your settings. For more information on IKE Policy topics, please see Policies’ Automatic Key and Authentication Management” on page After applying these changes, all traffic from the range of LAN IP addresses specified on FVS114 A and FVS114 B will flow over a secure VPN tunnel. WAN IP...
  • Page 109: How to Check VPN Connections

    5-26). Testing the Gateway A FVS114 LAN and the Gateway B LAN Using our example, from a PC attached to the FVS114 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run.
  • Page 110: FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates

    FVS114 Scenario 2: FVS114 to FVS114 with RSA Certificates The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1.
  • Page 111 IP Address. If you use “IP type” in the IKE policy, you should input the IP Address here. Otherwise, you should leave this blank. Figure 6-11 below.
  • Page 112 – E-mail Address. You can enter your e-mail address here. Click the Next button to continue. The FVS114 generates a Self Certificate Request as shown below. Figure 6-12: Self Certificate Request data 4. Transmit the Self Certificate Request data to the Trusted Root CA.
  • Page 113 When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FVS114” Self Certificate Request will be listed, as illustrated in Figure 6-13: Self Certificate Requests table 5.
  • Page 114 You will now see the “FVS114” entry in the Active Self Certificates table and the pending “FVS114” Self Certificate Request is gone, as illustrated below. Figure 6-14: Self Certificates table 7. Associate the new certificate and the Trusted Root CA certificate on the FVS114.
  • Page 115 Now, the traffic from devices within the range of the LAN subnet addresses on FVS114 A and Gateway B will be authenticated using the certificates rather than via a shared key. 8. Set up Certificate Revocation List (CRL) checking. Get a copy of the CRL from the CA and save it as a text file.
  • Page 117: Maintenance

    Chapter 7 Maintenance This chapter describes how to use the maintenance features of your FVS114 ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface. Viewing VPN Firewall Status Information The Router Status menu provides status and usage information.
  • Page 118 This screen shows the following parameters: Table 7-1. FVS114 Status fields Field Description System Name The System Name assigned to the firewall. Firmware Version The firewall firmware version. WAN Port These parameters apply to the Internet (WAN) port of the firewall.
  • Page 119 The WAN (Internet) default gateway the firewall communicates with. Log action buttons are described in Table 7-2. Table 7-2. Connection Status action buttons Button Description Renew Click the Renew button to renew the DHCP lease...
  • Page 120 Click Show Statistics to display firewall usage statistics. Figure 7-3: Router Statistics screen This screen shows the following statistics: Table 7-1. Router Statistics fields Field Description Interface The statistics for the WAN (Internet), LAN (local), 802.11a, and 802.11b/g interfaces.
  • Page 121: Viewing a List of Attached Devices

    Upgrading the Firewall Software The routing software of the FVS114 VPN Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file before sending it to the firewall.
  • Page 122: Configuration File Management

    (.BIN) upgrade file Click Upload. Note: When uploading software to the FVS114 VPN Firewall, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the software. When the upload is complete, your firewall will automatically restart.
  • Page 123: Backing Up the Configuration

    Figure 7-6: Settings Backup menu You can use the Settings Backup menu to back up your configuration in a file, restore from that file, or erase the configuration settings. Backing Up the Configuration To save your settings, select the Backup tab.
  • Page 124: Changing the Administrator Password

    9-7. Changing the Administrator Password The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. From the main menu of the browser interface, under the Maintenance heading, select Set Password to bring up this menu.
  • Page 125 Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 126 Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible.
  • Page 127: Advanced Configuration

    This chapter describes how to configure the advanced features of your FVS114 ProSafe VPN Firewall. These features can be found under the Advanced heading in the main menu of the browser interface. WAN Setup Using the WAN Setup page, you can set up a Default DMZ Server and allow the router to respond to a 'ping' from the internet.
  • Page 128: Default DMZ Server

    Click Apply. • Respond To Ping On Internet Port: If you want the router to respond to a 'Ping' from the Internet, click this check box. This can be used as a diagnostic tool. Again, like the DMZ server, this can be a security problem. You shouldn't check this box unless you have a specific reason to do so.
  • Page 129: Respond to Ping on Internet WAN Port

    Note: For security, NETGEAR strongly recommends that you avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet.
  • Page 130 The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have...
  • Page 131: Using the LAN IP Setup Options

    The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall’s default LAN IP configuration is: • LAN IP addresses—192.168.0.1 • Subnet mask—255.255.255.0...
  • Page 132 These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu.
  • Page 133: Using the Firewall as a DHCP Server

    IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Use router as DHCP server check box. Otherwise, leave it checked.
  • Page 134: Configuring Static Routes

    Figure 8-4: Reserved IP Address menu In the IP Address box, type the IP address to assign to the PC or server. (Choose an IP address from the firewall’s LAN subnet, such as 192.168.0.X.) Type the MAC Address of the PC or server.
  • Page 135 If the destination is a single host, type 255.255.255.255. Type the Gateway IP Address, which must be a firewall on the same LAN segment as the firewall...
  • Page 136: Static Route Example

    Private is selected only as a precautionary security measure in case RIP is activated. Enabling Remote Management Access Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVS114 VPN Firewall. Figure 8-6.
  • Page 137 To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access. Specify the Port Number that will be used for accessing the management interface...
  • Page 138 If you do not use the SSL https://address, but rather use http://address, the FVS114 will automatically attempt to redirect to https://address. Note: The first time you remotely connect the FVS114 with a browser via SSL, you may get a message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.
  • Page 139: UPnP

    Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is disabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router.
  • Page 140 Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP devices...
  • Page 141: Troubleshooting

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 142: LEDs Never Turn Off

    LEDs Never Turn Off When the firewall is turned on, the LEDs turn on briefly and then turn off. If all the LEDs stay on, there is a fault within the firewall.
  • Page 143: Troubleshooting The Web Configuration Interface

    Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration. “Restoring the Default Configuration and...
  • Page 144: Troubleshooting the ISP Connection

    Web Configuration Manager. To check the WAN IP address: Launch your browser and select an external site such as http://www.netgear.com. Access the main menu of the firewall’s configuration at http://192.168.0.1. Under the Maintenance heading, select Router Status. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
  • Page 145: Troubleshooting a TCP/IP Network Using a Ping Utility

    In the field provided, type ping followed by the IP address of the firewall, as in this example: ping 192.168.0.1 Click on OK. You should see a message like this one: Pinging <IP address> with 32 bytes of data...
  • Page 146: Testing the Path from Your PC to a Remote Device

    If the path is working, you see this message: Reply from < IP address >: bytes=32 time=NN ms TTL=xxx If the path is not working, you see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: •...
  • Page 147: Restoring the Default Configuration and Password

    The E-Mail menu in the Content Filtering section displays the current date and time of day. The FVS114 VPN Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day.
  • Page 149: Technical Specifications

    This appendix provides technical specifications for the FVS114 ProSafe VPN Firewall. Network Protocol and Standards Compatibility Data and Routing Protocols: Power Adapter North America: United Kingdom, Australia: Europe: Japan: All regions (output): Physical Specifications Dimensions: Weight: Environmental Specifications Operating temperature:...
  • Page 150 Electromagnetic Emissions Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B. Interface Specifications LAN: 10BASE-T or 100BASE-Tx, RJ-45. WAN: 10BASE-T or 100BASE-Tx, RJ-45...
  • Page 151: Network, Routing, and Firewall Basics

    (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router...
  • Page 152: What Is a Router

    Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVS114 VPN Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.
  • Page 153 Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range: 128.1.x.x to 191.254.x.x...
  • Page 154: Netmask

    • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
  • Page 155: Subnet Addressing

    As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.”...
  • Page 156 Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address.
  • Page 157: Private IP Addresses

    172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Choose your private network number from this range. The DHCP server of the FVS114 VPN Firewall is preconfigured to automatically assign private addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines explained here.
  • Page 158: Single IP Address Operation Using NAT

    The FVS114 VPN Firewall employs an address-sharing method called Network Address Translation (NAT). This method allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your ISP.
  • Page 159: MAC Addresses and Address Resolution Protocol

    Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...
  • Page 160: IP Configuration by DHCP

    IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The FVS114 VPN Firewall has the capacity to act as a DHCP server.
  • Page 161: What Is a Firewall

    A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
  • Page 162: Category 5 Cable Quality

    Table B-3. UTP Ethernet cable wiring, straight-through Wire color Orange/White Orange Green/White Blue Blue/White Green Brown/White Brown Category 5 Cable Quality Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:...
  • Page 163: Inside Twisted Pair Cables

    Figure B-4 illustrates straight-through twisted pair cable. Figure B-4: Straight-through twisted-pair cable Figure B-5 illustrates crossover twisted pair cable. Figure B-5: Crossover twisted-pair cable...
  • Page 164: Uplink Switches, Crossover Cables, and MDI/MDIX Switching

    Figure B-6: Category 5 UTP cable with male RJ-45 plug at each end Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
  • Page 165 (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
  • Page 167: Virtual Private Networking

    There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.
  • Page 168: What Is IPSec and How Does It Work

    • Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
  • Page 169: Encapsulating Security Payload (ESP)

    ESP authentication. Using ESP authentication, ESP provides authentication and integrity for the payload and not for the IP header. Figure C-1: Original packet and packet with IPSec Encapsulated Security Payload...
  • Page 170: Authentication Header (AH)

    The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
  • Page 171: Mode

    Note: AH and ESP can be used in both transport mode and tunnel mode. Figure C-3: Original packet and packet with IPSec ESP in Tunnel mode Figure C-2 shows a packet in transport mode.
  • Page 172: Key Management

    This appendix provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
  • Page 173: VPN Process Overview

    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
  • Page 174: Firewalls

    Table C-1. WAN (Internet/public) and LAN (internal/private) addressing Gateway LAN or WAN Gateway A LAN (Private) Gateway A WAN (Public) Gateway B LAN (Private) Gateway B WAN (Public) You need to know the subnet mask of both gateway LAN Connections. Refer to “Technical...
  • Page 175 1. The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process. VPN Tunnel 1) Communication...
  • Page 176: VPNC IKE Security Parameters

    IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
  • Page 177: VPNC IKE Phase II Parameters

    LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the Netgear gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...
  • Page 178 Relevant RFCs listed numerically: • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988.
  • Page 179: Appendix D Preparing Your Network

    This appendix describes how to prepare your network to connect to the Internet through the FVS114 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a...
  • Page 180: Configuring Windows 95, 98, and Me for TCP/IP Networking

    DHCP server during bootup. For a detailed explanation of the meaning and purpose of these configuration items, refer to The FVS114 VPN Firewall is shipped preconfigured as a DHCP server. The firewall assigns the following TCP/IP configuration information automatically when the PCs are rebooted: •...
  • Page 181 Select the manufacturer and model of your Ethernet adapter, and then click OK. If you need TCP/IP: Click the Add button. Select Protocol, and then click Add. Select Microsoft. Select TCP/IP, and then click OK...
  • Page 182: Enabling DHCP to Automatically Configure TCP/IP Settings

    If you need Client for Microsoft Networks: Click the Add button. Select Client, and then click Add. Select Microsoft. Select Client for Microsoft Networks, and then click OK. Restart your PC for the changes to take effect.
  • Page 183 Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties window will display...
  • Page 184: Selecting Windows' Internet Access Method

    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
  • Page 185: Configuring Windows NT4, 2000 or XP for IP Networking

    From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...
  • Page 186: Enabling DHCP to Automatically Configure TCP/IP Settings

    Then, restart your PC. Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
  • Page 187 • The TCP/IP details are presented on the Support tab page. • Select Internet Protocol, and click Properties to view the configuration information...
  • Page 188: DHCP Configuration of TCP/IP in Windows 2000

    • Verify that the Obtain an IP address automatically radio button is selected. • Verify that the Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP.
  • Page 189 “Components checked are used by this connection:” • Client for Microsoft Networks and • Internet Protocol (TCP/IP) • Click OK...
  • Page 190 • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected.
  • Page 191: DHCP Configuration of TCP/IP in Windows NT4

    This will display the Control Panel window. • Double-click the Network icon in the Control Panel window. The Network panel will display. • Select the Protocols tab to continue...
  • Page 192 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button...
  • Page 193: Verifying TCP/IP Properties for Windows XP, 2000, and NT4

    Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 •...
  • Page 194: Configuring the Macintosh for TCP/IP Networking

    • The default gateway is 192.168.0.1 Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.
  • Page 195: Verifying TCP/IP Properties for Macintosh Computers

    If you do not see these values, you may need to restart your Macintosh or you may need to switch the “Configure” setting to a different option, then back again to “Using DHCP Server”...
  • Page 196: Verifying The Readiness Of Your Internet Account

    WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE). When you configure your router, you will need to enter your login name and password in the router’s configuration menus. After your network and firewall are configured, the firewall will perform the login task when needed, and you will no longer need to run the login program from your PC.
  • Page 197: Obtaining ISP Configuration Information for Windows Computers

    As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FVS114 VPN Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
  • Page 198: Obtaining ISP Configuration Information for Macintosh Computers

    As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FVS114 VPN Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
  • Page 199: Restarting the Network

    Restart any computer that is connected to the FVS114 VPN Firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVS114 VPN Firewall, you are ready to access and configure the firewall.
  • Page 201: Glossary

    Glossary. List of Glossary Terms: Use the list below to find definitions for technical terms used in this manual.
    Numeric
    10BASE-T: IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
    100BASE-Tx: IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
    802.1x: 802.1x defines port-based network access control used to provide authenticated network access and automated data encryption key management.
  • Page 202

    AES stands for Advanced Encryption Standard. AES is a symmetric key encryption technique that will replace the commonly used Data Encryption Standard (DES). Not only does AES provide more security than DES and 3DES, it also has better performance, making AES highly attractive for use in constrained environments.
  • Page 203

    Broadcast: A packet sent to all devices on a network.
    Class of Service: A term to describe treating different types of traffic with different levels of service priority. Higher priority traffic gets faster treatment during times of switch congestion.
    A Certificate Authority is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs.
  • Page 204

    .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain.
    Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates of from 1.5...
  • Page 205

    A LAN specification developed jointly by Xerox, Intel and Digital Equipment Corporation. Ethernet networks transmit packets at a rate of 10 Mbps.
    Gateway: A local device, usually a router, that connects hosts on a local network to other networks.
    ICMP: See “Internet Control Message Protocol”...
  • Page 206

    gateway then forwards the packet directly to the computer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet.
  • Page 207

    Media Dependent Interface (MDI). In MDI wiring, a PC transmits on pins 1 and 2. At the hub, switch, router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependent Interface - Crossover (MDI-X).
  • Page 208

    A protocol allowing a computer using TCP/IP to connect directly to the Internet.
    PPPoA: PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection.
  • Page 209

    Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org.
    router: A device that forwards data between networks. An IP router forwards data based on IP source and destination addresses.
    Segment: A section of a LAN that is connected to the rest of the network using a switch, bridge, or repeater.
  • Page 210

    Universal Plug and Play (UPnP): A networking architecture that provides compatibility among networking technology. UPnP compliant routers provide broadband users at home and small businesses with a seamless way to participate in online games, videoconferencing and other peer-to-peer services.

This manual is also suitable for:

FVS114NA