Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA. Phone 1-888-NETGEAR
M-10144-01, December 2003
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Refer to the Support Information Card that shipped with your FVL328 Prosafe High Speed VPN Firewall. World Wide Web NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.
Features of the HTML Version of this Manual  1-3
How to Print this Manual  1-4
Chapter 2 Introduction
About the FVL328  2-1
Summary of New Features in the FVL328  2-1
Key Features  2-1
Virtual Private Networking  2-2
A Powerful, True Firewall  2-2
ICSA Small/Medium Business Category  2-3
Content Filtering  2-3...
Worksheet for Recording Your Internet Connection Information  3-3
Connecting the FVL328 to Your LAN  3-4
How to Connect the FVL328 to Your LAN  3-4
Configuring for a Wizard-Detected Login Account  3-9
Configuring for a Wizard-Detected Dynamic IP Account  3-11
Configuring for a Wizard-Detected Fixed IP (Static) Account  3-12...
Certificate Revocation List (CRL)  6-14
Walk-Through of Configuration Scenarios  6-15
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets  6-15
FVL328 Scenario 1: How to Configure the IKE and VPN Policies  6-17
How to Check VPN Connections  6-21
FVL328 Scenario 2: Authenticating with RSA Certificates  6-22...
Enabling Security Event E-mail Notification  7-9
Backing Up, Restoring, or Erasing Your Settings  7-10
How to Back Up the FVL328 Configuration to a File  7-10
How to Restore a Configuration from a File  7-11
How to Erase the Configuration  7-11
Running Diagnostic Utilities and Rebooting the Router  7-12...
Subnet Addressing  B-4
Private IP Addresses  B-7
Single IP Address Operation Using NAT  B-7
MAC Addresses and Address Resolution Protocol  B-9
Related Documents  B-9
Domain Name Server  B-9
IP Configuration by DHCP  B-10
Internet Security and Firewalls
Appendix D Firewall Log Formats
Action List  D-1
Field List  D-1
Outbound Log  D-1
Inbound Log  D-2
Other IP Traffic  D-2
Router Operation  D-3
Other Connections and Traffic to this Router  D-4
DoS Attack/Scan  D-4
Access Block Site
Testing the VPN Connection  H-14
From the Client PC to the FVL328  H-14
From the FVL328 to the Client PC  H-15
Monitoring the PC VPN Connection  H-15
Viewing the FVL328 VPN Status and Log Information  H-17
Appendix I NETGEAR VPN Configuration
FVS318 or FVM318 with FQDN to FVL328
Configuration Template  I-1
Using DDNS and Fully Qualified Domain Names (FQDN)  I-2
Step-By-Step Configuration of FVS318 or FVM318 Gateway A  I-3
Step-By-Step Configuration of FVL328 Gateway B  I-7
Test the VPN Connection  I-12...
Chapter 1 About This Manual
This chapter introduces the NETGEAR FVL328 Prosafe High Speed VPN Firewall manual.
Audience
This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site.
Typographical Conventions
This guide uses the following typographical conventions:
Table 1-2. Typographical conventions
italics: Emphasis.
bold times roman: User input.
[Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
Features of the HTML Version of this Manual
The HTML version of this manual includes these features.
Figure Preface 1-1: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
How to Print this Manual
To print this manual, choose one of the following options according to your needs.
• Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the upper right side of the toolbar to print the currently displayed topic.
Network Address Translation (NAT) for security, the FVL328 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVL328 provides highly reliable Internet access for up to 253 users with up to 100 concurrent VPN tunnels.
• VPNC Certified
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the FVL328 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• DoS protection: Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
Internet sites. Configurable Auto Uplink™ Ethernet Connection With its internal 8-port 10/100 switch, the FVL328 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
(ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FVL328 in settings where you want to manage the IP address scheme of your organization.
These functions allow you to test Internet connectivity and reboot the firewall. You can use these diagnostic functions directly from the FVL328 when you are connected on the LAN or when you are connected over the Internet via the remote management function.
• Support information card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.
Note: Product updates are available on the NETGEAR, Inc. Web site at http://www.netgear.com/support/main.asp.
Table 2-1: LED Descriptions
On/Blinking: The Local port is operating at 100 Mbps.
LINK/ACT (Link/Activity) On/Blinking: The Local port has detected a link with a LAN connection and is operating at 10 Mbps. Blinking indicates data transmission.
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVL328 Prosafe High Speed VPN Firewall using the Setup Wizard, or manually configure your Internet connection.
For Macintosh computers, open the TCP/IP or Network control panel. • You may also refer to the FVL328 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in “Worksheet for Recording Your Internet Connection...
Worksheet for Recording Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
Connecting the FVL328 to Your LAN
This section provides instructions for connecting the FVL328 Prosafe High Speed VPN Firewall to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure.
Connect the Ethernet cable (A) from your cable or DSL modem to the FVL328’s Internet port.
(Figure: cable or DSL modem connected to the FVL328 Internet port; rear-panel labels LOCAL 10/100M, INTERNET, 12V DC)
2. Log in to the FVL328.
Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. Please refer to Appendix C, "Preparing Your Network"...
A login window opens as shown in Figure 3-5 below:
Figure 3-5: Login window
For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall User Name and...
Choose NAT or Classical Routing. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected devices. Classical routing lets you directly manage the IP addresses the FVL328 uses. Classical routing should be selected only by experienced users. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.
Configuring for a Wizard-Detected Login Account
If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in...
Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here.
This feature allows your firewall to masquerade as that computer by using its MAC address. Click Apply to save your settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Click Apply to save the settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
Note: Disabling NAT will reboot the router and reset all the FVL328 configuration settings to the factory default. Disable NAT only if you plan to install the FVL328 in a setting where you will be manually administering the IP address space on the LAN side of the router.
Chapter 4 WAN and LAN Configuration
This chapter describes how to configure the WAN and LAN settings of your FVL328 Prosafe High Speed VPN Firewall v2.
Configuring LAN IP Settings
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface.
— When set to None, it will not send any RIP packets and will ignore any RIP packets received.
• RIP Version: This controls the format and the broadcasting method of the RIP packets that the router sends.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address is the firewall’s LAN IP address
•...
Enter the LAN TCP/IP and DHCP parameters. Click Apply to save your changes.
How to Configure Reserved IP Addresses
When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server.
Connecting Automatically, as Required
Normally, this option should be Enabled, so that an Internet connection will be made automatically, whenever Internet-bound traffic is detected. However, if this causes high connection costs, you can disable this setting.
Responding to Ping on Internet WAN Port
If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered.
How to Configure Dynamic DNS
Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of , default password of , or using whatever password and LAN address...
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses.
Click the Edit button to open the Edit Menu, shown below.
Figure 4-3: Static Route Entry and Edit Menu
Type a route name for this static route in the Route Name box under the table.
Chapter 5 Protecting Your Network
This chapter describes how to use the basic firewall features of the FVL328 Prosafe High Speed VPN Firewall to protect your network.
Protecting Access to Your FVL328 Firewall
For security reasons, the firewall has its own user name and password. Also, after a set period of inactivity, the administrator login will automatically disconnect.
Figure 5-1: Set Password menu
To change the password, first enter the old password, then enter the new password twice. Click Apply to save your changes.
Note: After changing the password, you will be required to log in again to continue the configuration.
The section below explains how to configure your
How to Block Keywords and Sites
The FVL328 Firewall allows you to restrict access to Internet content based on functions such as Java or Cookies, Web addresses and Web address keywords. Log in to the firewall at its default LAN address of http://192.168.0.1...
Figure 5-2: Block Sites menu
To enable keyword blocking, check “Turn keyword blocking on”, enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply. Some examples of Keyword blocking follow:
•...
You can also choose to log traffic that matches or does not match the rule you have defined. To access the Rules configuration of the FVL328, click the Rules link on the main menu, then click Add for either an Outbound or Inbound Service.
Figure 5-3: Rules menu
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
GRE. Note that these are packet types, not protocols.
Using Inbound Rules (Port Forwarding)
The FVL328 uses Network Address Translation (NAT), unless this feature is turned off. Using NAT, your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers.
Figure 5-4: Rule example: a local public Web server
The parameters are:
• Service — select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add...
Inbound Rule Example: Videoconferencing from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown...
Using Outbound Rules (Service Blocking)
The FVL328 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on:
•...
The parameters are:
• Service — select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add...
Understanding the Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown below.
Figure 5-7: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom.
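An added illustration (not NETGEAR's code) of the first-match evaluation described above, run over a constructed inbound table modelled on this chapter's Web-server and videoconferencing examples. The default inbound action, the log option names, the sample addresses and the shadowed-rule check are assumptions made for this example.

```python
"""First-match evaluation of an FVL328-style rules table (added example).

Rules are applied top to bottom; the first rule whose service, source and
destination all match decides the action, and the default rule at the bottom
decides everything else. A rule placed below a broader rule can never match.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    proto: str          # "TCP", "UDP" or "ICMP"
    port_lo: int
    port_hi: int

    def matches(self, proto, port):
        return proto == self.proto and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Rule:
    name: str
    service: Service
    action: str         # "ALLOW" or "BLOCK"
    src: str            # "ANY" or a CIDR network (WAN users for inbound rules)
    dst: str            # "ANY" or a CIDR network (LAN users for inbound rules)
    log: str            # "never", "match" (log hits) or "not_match" (log misses); assumed names


def _addr_in(spec, addr):
    return spec == "ANY" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(table, default_action, proto, port, src, dst):
    """Return (action, deciding_rule_name, log_entries) for one packet."""
    logs = []
    for rule in table:
        hit = (rule.service.matches(proto, port)
               and _addr_in(rule.src, src) and _addr_in(rule.dst, dst))
        if hit and rule.log == "match":
            logs.append(f"{rule.name}: {rule.action} {proto}/{port} {src}->{dst}")
        if not hit and rule.log == "not_match":
            logs.append(f"{rule.name}: no match {proto}/{port} {src}->{dst}")
        if hit:
            return rule.action, rule.name, logs   # first match wins
    return default_action, "default", logs        # fell through to the default rule


def _spec_covers(outer, inner):
    """True when every address allowed by `inner` is also allowed by `outer`."""
    if outer == "ANY":
        return True
    if inner == "ANY":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_rules(table):
    """Names of rules that can never be reached because an earlier rule covers all their traffic."""
    out = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if (earlier.service.proto == later.service.proto
                    and earlier.service.port_lo <= later.service.port_lo
                    and later.service.port_hi <= earlier.service.port_hi
                    and _spec_covers(earlier.src, later.src)
                    and _spec_covers(earlier.dst, later.dst)):
                out.append(later.name)
                break
    return out


# Constructed sample table (documentation address ranges, not real sites).
HTTP = Service("TCP", 80, 80)
H323 = Service("TCP", 1720, 1720)       # H.323 call-setup port, used here for videoconferencing
INBOUND = [
    Rule("web-server", HTTP, "ALLOW", "ANY", "192.168.0.10/32", "never"),
    Rule("branch-vc", H323, "ALLOW", "192.0.2.0/24", "192.168.0.20/32", "match"),
    Rule("vc-others", H323, "BLOCK", "ANY", "ANY", "match"),
]
INBOUND_DEFAULT = "BLOCK"                # assumption: unmatched inbound traffic is dropped
# Same rules with the broad block moved above the branch-office allow: the allow is now dead.
SHADOWING = [INBOUND[0], INBOUND[2], INBOUND[1]]

if __name__ == "__main__":
    print(evaluate(INBOUND, INBOUND_DEFAULT, "TCP", 1720, "192.0.2.7", "192.168.0.20"))
    print(evaluate(SHADOWING, INBOUND_DEFAULT, "TCP", 1720, "192.0.2.7", "192.168.0.20"))
    print("shadowed:", shadowed_rules(SHADOWING))
```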
Appendix B, “Networks, Routing, and Firewall Basics.” Although the FVL328 already holds a list of many service port numbers, you are not limited to these choices. Use the procedure below to create your own service definitions.
How to Define Services
Log in to the firewall at its default LAN address of http://192.168.0.1...
Click Apply to save your changes.
Setting Times and Scheduling Firewall Services
The FVL328 Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. The FVL328 includes a battery-backed real-time clock so time will persist if power is removed.
Click the Schedule link of the Security menu to display the menu shown below.
Figure 5-10: Schedule Services menu
Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries.
• Set Clock - Use this to set a particular Date/Time to the RTC. This is only useful if “Synchronize to NTP Server” is disabled. Otherwise, your setting will be lost on the next synchronization.
Figure 6-1: Secure access through VPN routers
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FVL328. There are two kinds of policies:
VPN parameters on the other end, and vice versa. When network traffic enters the FVL328 from the LAN interface and no VPN policy matches that type of traffic, the traffic passes through unchanged, without VPN protection.
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
These parameters apply to the Local FVL328 firewall.
Local Identity Type: Use this field to identify the local FVL328. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
Remote Identity Type: Use this field to identify the remote FVL328. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) – your domain name.
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Remote VPN Endpoint: The address used to locate the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVL328’s Local Identity Data entered as its “Remote VPN Endpoint”:
• By its IP Address.
Table 6-1. VPN Auto Policy Configuration Fields
Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security.
Table 6-1. VPN Auto Policy Configuration Fields
Authentication Algorithm: If you enable AH, use this menu to select which authentication algorithm will be employed. The choices are: MD5 – the default, or SHA1 – more secure.
NetBIOS Enable: Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
The WAN Internet IP address or Fully Qualified Domain Name of the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVL328’s WAN Internet IP address entered as its “Remote VPN Endpoint.”...
Table 6-1. VPN Manual Policy Configuration Fields
Authenticating Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint. Note: The "Incoming" settings must match the "Outgoing" settings on the remote VPN endpoint, and the "Outgoing"...
Table 6-1. VPN Manual Policy Configuration Fields
SPI - Outgoing: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
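An added example (not from the manual) that cross-checks a pair of manual-policy settings against the two constraints this table states: an SPI of 3 to 8 hex characters, and Incoming on one endpoint equal to Outgoing on the other. The AH key fields, their hex format and their lengths are assumptions taken from the HMAC-MD5-96 and HMAC-SHA-1-96 algorithms rather than from the manual.

```python
"""Mirror check for two FVL328 manual VPN policies (added example).

Each endpoint's "Incoming" SPI and AH key must equal the other endpoint's
"Outgoing" values, both endpoints must use the same AH algorithm, and every
SPI must be 3 to 8 hex characters.
"""
from dataclasses import dataclass
import re

_SPI = re.compile(r"[0-9A-Fa-f]{3,8}")
# Key sizes for HMAC-MD5-96 and HMAC-SHA-1-96 (RFC 2403 / RFC 2404); assumed to apply here.
_AH_KEY_BYTES = {"MD5": 16, "SHA1": 20}


@dataclass(frozen=True)
class ManualPolicy:
    name: str
    spi_in: str        # "SPI - Incoming" field, hex
    spi_out: str       # "SPI - Outgoing" field, hex
    ah_alg: str        # "MD5" or "SHA1"; must match the remote endpoint
    ah_key_in: str     # hex AH key for incoming traffic (assumed field)
    ah_key_out: str    # hex AH key for outgoing traffic (assumed field)


def spi_problems(label, spi):
    """Problems with one SPI field; [] when it is 3-8 hex characters."""
    if not _SPI.fullmatch(spi):
        return [f"{label}: SPI '{spi}' is not 3-8 hex characters"]
    # The 3-character minimum already keeps the value above the IANA-reserved range 1-255.
    return []


def key_problems(label, alg, key):
    """Problems with one AH key: unknown algorithm, non-hex text, or wrong length."""
    want = _AH_KEY_BYTES.get(alg)
    if want is None:
        return [f"{label}: unsupported AH algorithm '{alg}'"]
    if not re.fullmatch(r"[0-9A-Fa-f]*", key) or len(key) != 2 * want:
        return [f"{label}: {alg} key must be {want} bytes ({2 * want} hex chars)"]
    return []


def check_pair(a, b):
    """All mismatches between endpoints a and b; [] means they mirror each other."""
    problems = []
    for p in (a, b):
        problems += spi_problems(f"{p.name} incoming", p.spi_in)
        problems += spi_problems(f"{p.name} outgoing", p.spi_out)
        problems += key_problems(f"{p.name} incoming", p.ah_alg, p.ah_key_in)
        problems += key_problems(f"{p.name} outgoing", p.ah_alg, p.ah_key_out)
    if a.ah_alg != b.ah_alg:
        problems.append(f"AH algorithm differs: {a.name}={a.ah_alg}, {b.name}={b.ah_alg}")
    # Outgoing on one side must equal Incoming on the other, in both directions.
    for src, dst in ((a, b), (b, a)):
        if src.spi_out.lower() != dst.spi_in.lower():
            problems.append(f"{src.name} outgoing SPI {src.spi_out} != {dst.name} incoming SPI {dst.spi_in}")
        if src.ah_key_out.lower() != dst.ah_key_in.lower():
            problems.append(f"{src.name} outgoing AH key != {dst.name} incoming AH key")
    return problems


# Constructed sample values for Gateway A and Gateway B (not real keys).
KEY_AB = "0123456789abcdef0123456789abcdef"   # 16 bytes: traffic A -> B
KEY_BA = "fedcba9876543210fedcba9876543210"   # 16 bytes: traffic B -> A
GATEWAY_A = ManualPolicy("GatewayA", "1a2b3", "4c5d6", "MD5", KEY_BA, KEY_AB)
GATEWAY_B_OK = ManualPolicy("GatewayB", "4c5d6", "1a2b3", "MD5", KEY_AB, KEY_BA)
# Two common slips: B copied A's fields without swapping them, and picked SHA1 with MD5-length keys.
GATEWAY_B_BAD = ManualPolicy("GatewayB", "1a2b3", "4c5d6", "SHA1", KEY_BA, KEY_AB)

if __name__ == "__main__":
    print(check_pair(GATEWAY_A, GATEWAY_B_OK))     # []
    for line in check_pair(GATEWAY_A, GATEWAY_B_BAD):
        print(line)
```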
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVL328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVL328 and a certificate is created for a user, the corresponding IKE policy is added to the FVL328.
Walk-Through of Configuration Scenarios
There are a variety of configurations you might implement with the FVL328. The scenarios listed below illustrate typical configurations you might use in your organization. To make it easier to set up an IPsec system, the following two scenarios are provided.
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25.
FVL328 Scenario 1: How to Configure the IKE and VPN Policies
Note: This scenario assumes all ports are open on the FVL328. You can verify this by reviewing the security settings as seen in the “Rules menu”...
Select whether to enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it.
Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVL328. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in Web-based configuration manager of the FVL328.
4. Set up the FVL328 VPN - Auto Policy illustrated below. From the main menu VPN section, click the VPN Policies link, and then click the Add Auto Policy button.
Figure 6-9: Scenario 1 VPN - Auto Policy
Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
5. After applying these changes, you will see a table entry like the one below.
Figure 6-10: VPN Policies table
Now all traffic from the range of LAN IP addresses specified on FVL328 A and FVL328 B will flow over a secure VPN tunnel.
At this point the connection is established. Note: If you want to ping the FVL328 as a test of network connectivity, be sure the FVL328 is configured to respond to a ping on the Internet WAN port by checking the check box seen in “Rules menu”...
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.
Click the Generate Request button to display the screen illustrated in Figure 6-12 below.
Figure 6-12: Generate Self Certificate Request menu
Fill in the fields on the Add Self Certificate screen.
•...
Click the Next button to continue. The FVL328 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file.
Figure 6-13: Self Certificate Request data
4.
Figure 6-14: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it back to you.
You will now see the “FVL328” entry in the Active Self Certificates table and the pending “FVL328” Self Certificate Request is gone, as illustrated below.
Figure 6-15: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FVL328.
Now, the traffic from devices within the range of the LAN subnet addresses on FVL328 Gateway A and Gateway B will be authenticated using the certificates and generated keys rather than via a shared key.
This chapter describes how to perform network management tasks with your FVL328 Prosafe High Speed VPN Firewall.
Network Management
The FVL328 provides remote management access and a variety of status and usage information which is discussed below.
How to Configure Remote Management
Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVL328 Prosafe High Speed VPN Firewall.
To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access. Specify the Port Number that will be used for accessing the management interface.
Viewing Router Status and Usage Statistics
From the main menu, under Maintenance, select Router Status to view the screen in Figure 7-1 below.
Figure 7-1: Router Status screen
The Router Status menu provides a limited amount of status and usage information.
Table 7-1. Router Status Fields
DHCP: If set to OFF, the firewall will not assign IP addresses to local computers on the LAN. If set to ON, the firewall is configured to assign IP addresses to local computers on the LAN.
This screen shows the following statistics:
Table 7-2. Router Statistics Fields
System up Time: The time elapsed since the last power cycle or reset.
WAN or LAN Port: The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen...
Select the check box if you want to enable NetBIOS detection. If the NetBIOS name is not available, “Unknown” is listed as the Device Name. If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
Log entries are described below:
Table 7-5: Security Log entry descriptions
Date and Time: The date and time the log entry was recorded.
Description or The type of event and what action was taken, if any.
Changing the Include in Log Settings
You can choose to log additional information. Those optional selections are as follows:
• Known DoS attacks and Port Scans
• Attempted access to blocked sites
•...
Enabling Security Event E-mail Notification
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-mail menu:
Figure 7-7: E-mail notification menu
To enable E-mail notification, configure the following fields:
•...
Backing Up, Restoring, or Erasing Your Settings The configuration settings of the FVL328 Firewall are stored in a configuration file in the firewall. This file can be backed up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks.
From the Maintenance heading of the main menu, select the Settings Backup menu as seen below.
Figure 7-8: Settings Backup menu
Click Backup to save a copy of the current settings. Store the file on a computer on your network.
“How to Use the Default Reset Button” on page 8-7.
Running Diagnostic Utilities and Rebooting the Router
The FVL328 Firewall has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the firewall:
• Ping an IP Address to test connectivity to see if you can reach a remote host.
Figure 7-9: Diagnostics menu Upgrading the Router’s Firmware The software of the FVL328 Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from the NETGEAR Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the firewall.
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual How to Upgrade the Router Download and unzip the new software file from NETGEAR. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of...
Chapter 8 Troubleshooting This chapter gives information about troubleshooting your FVL328 Prosafe High Speed VPN Firewall. For the common problems listed, go to the section indicated. • Is the firewall on? • Have I connected the firewall correctly? Go to “Basic Functions”...
• Check that you are using the 12VDC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
Local or Internet Port Link LEDs Not On
If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following:
• Make sure that the Ethernet cable connections are secure at the firewall and at the hub or computer.
• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the firewall’s configuration, reboot your computer and verify the DNS address as described in “Verifying...
How to Test the LAN Path to Your Firewall
You can ping the firewall from your computer to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later: From the Windows toolbar, click the Start button and select Run.
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
—...
Release the Default Reset button and wait for the firewall to reboot.
Problems with Date and Time
The E-mail menu in the Security section displays the current date and time of day. The FVL328 Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet.
Appendix A Technical Specifications
This appendix provides technical specifications for the FVL328 Prosafe High Speed VPN Firewall.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input...
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10BASE-T or 100BASE-Tx, RJ-45
Certifications
Firewall: ICSA Certified, Small/Medium Business (SMB) Category version 4.0...
Appendix B Networks, Routing, and Firewall Basics
This appendix provides an overview of IP networks, routing, and firewalls.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC (Request For Comment) is a document published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVL328 Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.
Figure 8-1: Three Main Address Classes (diagram of the network and node portions of Class A, Class B, and Class C addresses)
The five address classes are:
• Class A
Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.
Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned.
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.
NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons:
• So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.
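The mask arithmetic behind the subnet table and the shared-netmask recommendation, worked through as an added example using Python's standard ipaddress module. This is not code from the manual; the network and host addresses below are constructed for illustration, and the example goes slightly beyond the table by also showing why two hosts with different netmasks on one segment compute different broadcast addresses.

```python
import ipaddress

# Classful default prefix lengths, matching the manual's address-class discussion.
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def subnet_mask_for(network_class: str, subnet_bits: int) -> str:
    """Dotted-decimal mask after borrowing subnet_bits from the node number.

    Class C with 4 subnet bits gives 255.255.255.240, as in the manual's example.
    """
    prefix = CLASS_PREFIX[network_class] + subnet_bits
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def partition(network_cidr: str, subnet_bits: int) -> list[str]:
    """Split a network into 2**subnet_bits equal subnetworks."""
    net = ipaddress.IPv4Network(network_cidr, strict=False)
    return [str(sub) for sub in net.subnets(prefixlen_diff=subnet_bits)]


def usable_hosts(network_cidr: str) -> int:
    """Host addresses excluding the all-zeros network and all-ones broadcast addresses."""
    return ipaddress.IPv4Network(network_cidr, strict=False).num_addresses - 2


def broadcast_address(interface_cidr: str) -> str:
    """Broadcast address a host derives from its own IP address and netmask."""
    return str(ipaddress.IPv4Interface(interface_cidr).network.broadcast_address)


def mask_mismatch(host_a: str, host_b: str) -> bool:
    """True when two hosts on one segment would not agree on the broadcast address."""
    return broadcast_address(host_a) != broadcast_address(host_b)


if __name__ == "__main__":
    print(subnet_mask_for("C", 4))              # 255.255.255.240
    for sub in partition("192.168.0.0/24", 4):  # 16 subnets, 14 usable hosts each
        print(sub, usable_hosts(sub))
    # A host configured with a /28 mask on a /24 segment (constructed case)
    # computes a different broadcast address and ignores the segment's broadcasts.
    print(mask_mismatch("192.168.0.5/24", "192.168.0.20/28"))  # True
```

The class table's Class A figure of 16,777,214 hosts is exactly usable_hosts("10.0.0.0/8"): 2**24 addresses less the network and broadcast addresses.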
The router accomplishes this address sharing by translating the internal LAN IP addresses to a single address that is globally unique on the Internet. The internal LAN IP addresses can be either private addresses or registered addresses.
Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...
DHCP server stores a list or pool of IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The FVL328 Firewall has the capacity to act as a DHCP server.
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.
Ethernet Cabling
Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal "straight-through" UTP...
Cable Quality
A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (100BASE-Tx) the cable must be rated as Category 5, or "Cat 5", by the Electronic Industry Association (EIA).
Preparing Your Network
This appendix describes how to prepare your network to connect to the Internet through the FVL328 Prosafe High Speed VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
“Appendix B, “Networks, Routing, and Firewall Basics.”
The FVL328 Firewall is shipped preconfigured as a DHCP server. The firewall assigns the following TCP/IP configuration information automatically when the computers are rebooted:
• PC or workstation IP addresses—192.168.0.2 through 192.168.0.254
• ...
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
The simplest way to configure this information is to allow the PC to obtain the information from the internal DHCP server of the FVL328 Firewall. To use DHCP with the recommended default addresses, follow these steps: Connect all computers to the firewall, then restart the firewall and allow it to boot.
Uncheck all boxes in the LAN Internet Configuration screen and click Next. Proceed to the end of the Wizard.
Verifying TCP/IP Properties
After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:...
Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically” is selected.
The TCP/IP Control Panel opens: From the “Connect via” box, select your Macintosh’s Ethernet interface. From the “Configure” box, select Using DHCP Server. You can leave the DHCP Client ID box empty.
Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FVL328 Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FVL328 Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
Restart any computer that is connected to the firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVL328 Firewall, you are ready to access and configure the firewall.
Appendix D Firewall Log Formats
Action List
Drop: Packet dropped by Firewall current inbound or outbound rules.
Reset: TCP session reset by Firewall.
Forward: Packet forwarded by Firewall to the next hop based on matching the criteria in the rules table.
Receive: Packet was permitted by the firewall rules and modified prior to being forwarded and/or replied to.
User Manual for the NETGEAR 7300 Series Layer 3 Managed Switch Software
Other Connections and Traffic to this Router
The format is: <DATE><TIME><PKT_TYPE><SRC_IP><DST_IP><ACTION>
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 - Destination: 192.168.0.1 - [Receive]...
The format is: <DATE><TIME><PKT_TYPE><SRC_IP><SRC_PORT><SRC_INF><DST_IP><DST_PORT><DST_INF><ACTION><DESCRIPTION>
Fields: <DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION> <DESCRIPTION>
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN - Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN -...
Access Block Site
If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL contains a specified keyword are logged. The format is <DATE>...
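A parser for the two log formats documented above, added here as an example and not taken from the manual. It handles both the short router-traffic format (source and destination are bare IP addresses) and the longer format with port and interface, then summarizes actions and pulls out the source addresses the firewall tagged with a scan description. The sample input is constructed: the two complete entries shown on this page plus one extra Forward line written for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: the two complete entries from the appendix plus one
# Forward line added for this example.
SAMPLE_LOG = """\
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 - Destination: 192.168.0.1 - [Receive]
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN - Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:23:10] - TCP Packet - Source:192.168.0.10,1040 ,LAN - Destination:172.31.12.157,80 ,WAN [Forward]
"""

# One pattern covers both formats: the port/interface parts are optional and the
# trailing [DESCRIPTION] (e.g. the scan type) is present only for some actions.
ENTRY_RE = re.compile(
    r"^\[(?P<day>\w{3}), (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\]"
    r" - (?P<pkt_type>[^-]+?) - Source:\s*(?P<src>[^-]+?) - Destination:\s*(?P<dst>[^\[]+?)"
    r"\s*-?\s*\[(?P<action>[^\]]+)\](?:\s*-\s*\[(?P<desc>[^\]]+)\])?\s*$"
)


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: Optional[int]    # absent in the short router-traffic format
    iface: Optional[str]   # WAN or LAN; absent in the short format


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    pkt_type: str
    src: Endpoint
    dst: Endpoint
    action: str            # Drop, Reset, Forward or Receive per the Action List
    description: Optional[str]


def parse_endpoint(text: str) -> Endpoint:
    """'172.31.12.156,54611 ,WAN' -> Endpoint; a bare IP has no port or interface."""
    parts = [p.strip() for p in text.split(",")]
    port = int(parts[1]) if len(parts) > 1 and parts[1] else None
    iface = parts[2] if len(parts) > 2 else None
    return Endpoint(parts[0], port, iface)


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for a line that is not in either documented format."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return LogEntry(
        timestamp=f"{m['date']} {m['time']}",
        pkt_type=m["pkt_type"].strip(),
        src=parse_endpoint(m["src"]),
        dst=parse_endpoint(m["dst"]),
        action=m["action"],
        description=m["desc"],
    )


def parse_log(text: str) -> list[LogEntry]:
    """Parse every recognizable line; unparseable lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def action_counts(entries: list[LogEntry]) -> Counter:
    """How many entries carry each action (Drop, Forward, Receive, ...)."""
    return Counter(e.action for e in entries)


def scan_sources(entries: list[LogEntry]) -> set[str]:
    """Source IPs the firewall tagged with a scan description such as 'FIN Scan'."""
    return {e.src.ip for e in entries if e.description and "Scan" in e.description}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(action_counts(entries))   # Counter({'Receive': 1, 'Drop': 1, 'Forward': 1})
    print(scan_sources(entries))    # {'172.31.12.156'}
```

The truncated second TCP line on the page is deliberately not in the sample: parse_line returns None for it, which is the behaviour you want when feeding the e-mailed log into a script rather than silently mis-parsing a partial entry.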
Appendix E Virtual Private Networking
There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.
This document provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.
Table 8-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing...
Figure 8-8: VPN Tunnel SA
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
IKE Phase I.
The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...
• [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
• [RFC 1058] Routing Information Protocol, C. Hedrick, Rutgers University, June 1988.
• [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
FVS318 or FVM318 to FVL328
This appendix provides a case study on how to configure a secure IPSec VPN tunnel between a NETGEAR FVS318 or FVM318 and an FVL328v2. The configuration options and screens for the FVS318 and FVM318 are the same.
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
Figure F-1: Addressing and Subnet Used for Examples (VPNC example network interface addressing)
Gateway A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP 14.15.16.17
Gateway B: LAN 172.23.9.0/24, LAN IP 172.23.9.1, WAN IP 22.23.24.25
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.
VPN leg (all 8 links are available in the example). Click the Edit button below. This will take you to the VPN Settings – Main Mode Menu.
Figure F-3: Figure 3 – NETGEAR FVS318 VPN Settings (part 1) – Main Mode
– ...
Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field.
Figure F-4: Figure 4 – NETGEAR FVS318 VPN Settings (part 2) – Main Mode
– From the Secure Association drop-down box, select Main Mode.
When the screen returns to the VPN Settings, make sure the Enable check box is selected.
Step-By-Step Configuration of FVL328 Gateway B
Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1 with its...
Figure F-6: NETGEAR FVL328 IKE Policy Configuration – Part 1
– Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the IKE policies. In our example we have used FVS318 as the Policy Name.
Figure F-7: NETGEAR FVL328 IKE Policy Configuration – Part 2
– From the Encryption Algorithm drop-down box, select 3DES.
– From the Authentication Algorithm drop-down box, select MD5.
– From the Authentication Method radio button, select Pre-shared Key.
Figure F-9: NETGEAR FVL328 VPN – Auto Policy (part 1)
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used “to318” as the Policy Name. In the Policy Name field type to318.
Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field.
Figure F-10: NETGEAR FVL328 VPN – Auto Policy (part 2)
– From the Traffic Selector Remote IP drop-down box, select Subnet address.
Click the Apply button.
Test the VPN Connection
From a PC behind the NETGEAR FVS318 or FVM318 gateway A, attempt to ping the remote FVL328v2 gateway B LAN interface address (example address 172.23.9.1).
From a PC behind the FVL328v2 gateway B, attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN interface address (example address 10.5.6.1).
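A consistency check for the two-gateway configuration just walked through, added as an example that is not part of the manual. It encodes Gateway A and Gateway B from Figure F-1 and the step lists (3DES, MD5, pre-shared key) and verifies, before anyone pings across the tunnel, that the two policies mirror each other (each side's remote address and remote subnet are the peer's own WAN address and LAN) and that the two LANs do not overlap, as the VPN Process Overview requires. The pre-shared key value is a placeholder, the mistyped and overlapping variants are constructed failure cases, and flagging 3DES and MD5 as legacy algorithms is this example's addition rather than the manual's.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class GatewayPolicy:
    """The IKE/VPN policy values one gateway is configured with."""
    name: str
    wan_ip: str            # this gateway's public (WAN) address
    local_subnet: str      # LAN it protects: traffic selector, local side
    remote_wan_ip: str     # peer address entered in the policy
    remote_subnet: str     # peer LAN entered in the policy: traffic selector, remote side
    encryption: str        # IKE encryption algorithm
    authentication: str    # IKE authentication (hash) algorithm
    preshared_key: str


# Treating these as legacy is this example's choice; the manual's steps select them.
LEGACY_ALGORITHMS = {"3DES", "MD5"}

# Values from Figure F-1 and the configuration steps; the key is a placeholder.
GATEWAY_A = GatewayPolicy(
    name="Gateway A (FVS318)", wan_ip="14.15.16.17", local_subnet="10.5.6.0/24",
    remote_wan_ip="22.23.24.25", remote_subnet="172.23.9.0/24",
    encryption="3DES", authentication="MD5", preshared_key="PSK-PLACEHOLDER",
)
GATEWAY_B = GatewayPolicy(
    name="Gateway B (FVL328)", wan_ip="22.23.24.25", local_subnet="172.23.9.0/24",
    remote_wan_ip="14.15.16.17", remote_subnet="10.5.6.0/24",
    encryption="3DES", authentication="MD5", preshared_key="PSK-PLACEHOLDER",
)


def check_pair(a: GatewayPolicy, b: GatewayPolicy) -> list[str]:
    """Return every way the two policies fail to mirror each other (empty = consistent)."""
    problems = []
    for this, peer in ((a, b), (b, a)):
        if this.remote_wan_ip != peer.wan_ip:
            problems.append(
                f"{this.name}: remote WAN {this.remote_wan_ip} is not {peer.name}'s WAN {peer.wan_ip}")
        if ipaddress.ip_network(this.remote_subnet) != ipaddress.ip_network(peer.local_subnet):
            problems.append(
                f"{this.name}: remote subnet {this.remote_subnet} is not {peer.name}'s LAN {peer.local_subnet}")
    if a.encryption != b.encryption:
        problems.append(f"encryption mismatch: {a.encryption} vs {b.encryption}")
    if a.authentication != b.authentication:
        problems.append(f"authentication mismatch: {a.authentication} vs {b.authentication}")
    if a.preshared_key != b.preshared_key:
        problems.append("pre-shared keys differ")
    # The two LANs must be distinct ranges, or the traffic selectors are ambiguous.
    if ipaddress.ip_network(a.local_subnet).overlaps(ipaddress.ip_network(b.local_subnet)):
        problems.append(f"LAN subnets overlap: {a.local_subnet} and {b.local_subnet}")
    return problems


def legacy_algorithms(policy: GatewayPolicy) -> set[str]:
    """Algorithms in the policy that current IKE guidance treats as legacy."""
    return {alg for alg in (policy.encryption, policy.authentication) if alg in LEGACY_ALGORITHMS}


def mistyped_gateway_b() -> GatewayPolicy:
    """Constructed typo: remote subnet entered as 10.5.7.0/24 instead of 10.5.6.0/24."""
    return replace(GATEWAY_B, remote_subnet="10.5.7.0/24")


def overlapping_gateway_b() -> GatewayPolicy:
    """Constructed clash: Gateway B's LAN placed inside Gateway A's 10.5.6.0/24."""
    return replace(GATEWAY_B, local_subnet="10.5.6.128/25")


if __name__ == "__main__":
    print(check_pair(GATEWAY_A, GATEWAY_B))              # []
    print(check_pair(GATEWAY_A, mistyped_gateway_b()))   # one remote-subnet mismatch
    print(check_pair(GATEWAY_A, overlapping_gateway_b()))  # selector mismatch plus overlap
    print(legacy_algorithms(GATEWAY_A))                  # {'3DES', 'MD5'}
```

Each of the checks maps to one of the common problems listed for VPN setup on this page: a mismatched remote subnet or WAN address is the typical cause of an IKE negotiation that never completes, and a key or algorithm mismatch shows up the same way in the VPN log.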
Appendix G FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration
This appendix gives information on configuring FVL328 to Windows 2000 server VPN.
Configuring FVL328 to Windows 2000 Server VPN
192.168.0.x---FVL328---172.16.6.97---172.16.9.10---Win2K---11.5.0.10
FVL328 LAN IP: 192.168.0.1, WAN IP: 172.16.6.97
Windows 2000 Server LAN IP: 11.5.0.10, WAN IP: 172.16.9.10...
Click Next, then type the policy name, for example, DUT To Win2K. DUT in this example refers to Device Under Test. Click Next. Clear the Activate the default response rule check box. Click Next, then click Finish.
FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration M-10144-01...
Create an IP Filter called To DUT
Click Add. Type To DUT and then click Add. Type the Source IP address and the Destination IP address. Click OK, then close the window.
Click the Filter Action tab. Select the Require Security check box and click Edit. Click Edit.
Select High [ESP], then click OK and OK to go back to the Filter Action. Click the Tunnel Setting tab, then type the DUT WAN IP address.
Click the Authentication Methods tab. Click Edit. Select the Use this string...(preshared key) check box, then type 12345678. Click OK, then close the window and go back to the DUT to Win2K properties.
Create an IP Filter Called To Win2K
Click Add. Type To Win2K and click Add.
Type the Source IP address and the Destination IP address. Click OK, then close the window.
Click the Filter Action tab. Select the Require Security check box and click Edit. Click Edit.
Select High [ESP], then click OK. Click OK to return to the Filter Action tab. Click the Tunnel Setting tab, then type the Win2K WAN IP address.
Click Authentication Methods and click Edit. Select the Use this string...(preshared key) check box, then type 12345678. Click OK, then close the window to return to the DUT to Win2K properties.
Configure the General Properties
Click General. Click Advanced. Click Methods.
Click Edit, select Integrity Algorithm SHA1 and Encryption algorithm 3DES, DH Low. Click OK, then OK again. Close the window. Right-click DUT to Win2K Policy and then click Assign to assign the Policy.
Configure the FVL328 IKE policy
Configure the FVL328 VPN policy
FVL328 to SSH Sentinel 1.3 Remote VPN
PC a ----------FVL328------------ NAT router --------PC b with SSH 1.3 installed
FVL328 LAN IP: 192.168.0.1, WAN IP: 172.16.7.119/24
NAT router (supports IPSec passthrough) LAN IP: 192.168.10.1, WAN IP: 172.16.6.105/24
SSH Sentinel Version 1.3 Setting Procedures...
Select the Key Management tab. Click Add. Select Create a preshared key and click Next. Type the same preshared key as in the FVL328 and click Finish.
You will see the FVL328 under My Keys. Click Apply.
Select the Security Policy tab. Under VPN Connections, click Add. Click the IP button and type the Gateway IP Address. Select FVL328 for the Authentication key. Select the Use legacy proposal check box. Click the "..." button to bring up the Network Editor screen.
Click Properties and check the VPN policy settings. Click Settings.
Configure the settings below, then click OK. Click OK, and then OK again. Click Apply.
Right-click on the icon, click Select VPN, and choose the one you just configured.
Create the FVL328 IKE Policy
Create the FVL328 VPN Policy
Ping a PC to Bring Up the Tunnel
NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVL328. This case study follows the Virtual Private Network Consortium (VPNC) interoperability profile guidelines. The configuration options for the FVS328 and FWAG114 are the same.
VPNC Interoperability guidelines can be found at http://www.vpnc.org/InteropProfiles.
Step-By-Step Configuration of FVL328 or FWAG114 Gateway
Log in to the FVL328 gateway as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1 with its default user name of...
– From the Local Identity drop-down box, select Fully Qualified Domain Name (the actual WAN IP address of the FVL328 will also be used in the Connection ID Type fields of the NETGEAR ProSafe VPN Client as seen in “Security Policy Editor New Connection” on page H-8).
In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both the FVL328 and the NETGEAR VPN Client. This will also be selected in the NETGEAR ProSafe VPN Client Security Policy Authentication Phase 1 Proposal 1 Encrypt Alg field, as seen in “Connection Identity Pre-Shared Key”...
VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN – Auto Policy.
Figure H-3: NETGEAR FVL328 VPN – Auto Policy General settings
– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint.
H-8. – Type the starting LAN IP Address of the FVL328 in the Local IP Start IP Address field. For this example, we used 192.168.0.0 which is the default LAN IP address of the FVL328. This will also be entered in the NETGEAR ProSafe VPN Client Connection Remote Party Identity and Addressing Subnet field, as seen in “Security Policy Editor...
To import this policy, use the Security Policy Editor File menu to select Import Policy, and select the FVL328.SPD file at D:\Software\Policies where D is the drive letter of your CD-ROM drive.
This procedure describes linking a remote PC and a LAN. The LAN will connect to the Internet using an FVL328 with a static IP address. The PC can be directly connected to the Internet through dialup, cable or DSL modem, or other means, and we will assume it has a dynamically assigned IP address.
In this example, select IP Subnet as the ID Type, 192.168.0.0 in the Subnet field (the Subnet address is the LAN IP Address of the FVL328 with 0 as the last number), and 255.255.255.0 in the Mask field, which is the LAN Subnet Mask of the FVL328.
Figure H-8: Connection Identity Pre-Shared Key
Enter hr5xb84l6aa9r6 which is the same Pre-Shared Key entered in the FVL328. Click OK.
Configure the Connection Identity Settings. In the Network Security Policy list, click the Security Policy subheading.
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg, select SHA-1.
– In the SA Life, select Unspecified.
– In the Key Group menu, select Diffie-Hellman Group 2.
– Check the Encapsulation Protocol (ESP) check box.
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg, select SHA-1.
– In the Encapsulation menu, select Tunnel.
Note: Whenever you make changes to a Security Policy, save them first, then deactivate the security policy, reload the security policy, and finally activate the security policy. This ensures that your new settings will take effect.
Note: Virus protection or firewall software can interfere with VPN communications. Be sure such software is not running on the remote PC with the NETGEAR VPN Client and that the firewall features of the FVL328 are not set in such a way as to prevent VPN communications.
OK.
ping -t 192.168.0.1
This will cause a continuous ping to be sent to the first FVL328. After a period of up to two minutes, the ping response should change from “timed out” to “reply.” To test the connection to a computer connected to the FVL328, simply ping the IP address of that computer.
A sample Connection Monitor screen for a different connection is shown below:
Figure H-15: Connection Monitor screen
In this example the following connection options apply:
• The FVL328 has a public IP WAN address of 66.120.188.153
• The FVL328 has a LAN IP address of 192.168.0.1
• ...
Information on the status of the VPN client connection can be viewed by opening the FVL328 VPN Status screen. To view this screen, click the VPN Status link on the FVL328 main menu. The FVL328 VPN Status screen for a successful connection is shown below:...
This appendix provides a case study on how to configure a VPN tunnel between a NETGEAR FVS318 or FVM318 and an FVL328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. The configuration screens and settings for the FVS318 and FVM318 are the same.
In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname netgear.dyndns.org for Gateway A using the NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328...
Access the Web site of one of the dynamic DNS service providers whose names appear in the ‘Use a dynamic DNS service’ list, and register for an account. For example, for dyndns.org, click the link or go to www.dyndns.org. Figure I-2: Dynamic DNS Setup menu
– Type the User Name for your dynamic DNS account. In this example we used netgear as the Host Name, so the complete FQDN we are using is netgear.dyndns.org and the Host Name is “netgear.”...
NETGEAR devices. For this example we have used toFVL328. – Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used netgear.dyndns.org (the FQDN) as the local identifier.
Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field. Figure I-5: NETGEAR FVS318 VPN Settings (part 2)
Main Mode
– From the Secure Association drop-down box, select Main Mode.
When the screen returns to the VPN Settings, make sure the Enable check box is selected. Step-By-Step Configuration of FVL328 Gateway B Log in to the NETGEAR FVL328, labeled Gateway B in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1 with its...
From the Remote Identity drop-down box, select Fully Qualified Domain Name. – Type the FQDN (netgear.dyndns.org in our example) in the Remote Identity Data field. It must match, character for character, the Local IPSec Identifier entered on Gateway A. Figure I-8: NETGEAR FVL328 IKE Policy Configuration – Part 2
Click the VPN Policies link under the VPN category on the left side of the Settings management GUI. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN – Auto Policy.
Model FVL328 ProSafe High-Speed VPN Firewall v2 Reference Manual
Figure I-10: NETGEAR FVL328 VPN – Auto Policy (part 1) – Enter a unique name to identify this policy in the Policy Name field. This name is local to the FVL328 and is not supplied to the remote VPN endpoint. In our example we used to318.
Figure I-11: NETGEAR FVL328 VPN – Auto Policy (part 2) – From the Traffic Selector Remote IP drop-down box, select Subnet address. – Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
Connection Status Screen. If the connection is functioning properly, the State fields will show “Estab.” 3. From the FVL328, click the VPN Status link under the VPN section of the main menu. The VPN Logs and status are displayed.
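The steps above configure each gateway on its own screen, and most tunnels that fail to reach "Estab" do so because the two screens do not mirror each other: the Remote Identity typed on one box must equal the Local IPSec Identifier typed on the other, the local and remote subnets must be swapped, and the peer address each side dials must resolve to the other's current WAN address. The script below is an added example written for this page, not code from the manual or from NETGEAR. It models both endpoints as plain dictionaries using the values from this appendix and fills in what the page does not state with labelled assumptions: a /24 mask on the 10.5.6.x LAN, Gateway B identifying itself by its WAN IP, a constructed pre-shared key, and a constructed DNS answer for netgear.dyndns.org so it runs offline. Gateway B is given a mistyped FQDN (netgear.dnydns.org), a slip that is easy to make on these screens, to show what the check reports.

```python
"""Cross-check both ends of a NETGEAR gateway-to-gateway IPSec policy.

Added example, not from the manual. Field names are my own labels for the
values the FVS318/FVL328 screens ask for.
"""
import hmac
import ipaddress

# Constructed sample: Gateway A (FVS318, dynamic WAN address behind DDNS)
# and Gateway B (FVL328, static WAN address), built from the appendix values.
GATEWAY_A = {
    "name": "Gateway A (FVS318)",
    "enabled": True,
    "mode": "main",                       # Secure Association: Main Mode
    "wan_ip": "203.0.113.45",             # assumed current dynamic address
    "local_id": "netgear.dyndns.org",     # Local IPSec Identifier (FQDN)
    "remote_id": "22.23.24.25",           # assumption: B identifies by WAN IP
    "remote_peer": "22.23.24.25",         # Remote WAN IP or FQDN field
    "local_subnet": "10.5.6.0/24",        # assumed mask for the 10.5.6.x LAN
    "remote_subnet": "192.168.0.0/24",
    "psk": "constructed-shared-secret",   # constructed, not the manual's
}
GATEWAY_B = {
    "name": "Gateway B (FVL328)",
    "enabled": True,
    "mode": "main",
    "wan_ip": "22.23.24.25",
    "local_id": "22.23.24.25",
    "remote_id": "netgear.dnydns.org",    # deliberate typo to show detection
    "remote_peer": "netgear.dyndns.org",
    "local_subnet": "192.168.0.0/24",
    "remote_subnet": "10.5.6.0/24",
    "psk": "constructed-shared-secret",
}

# Constructed DNS answers; a live check would call socket.gethostbyname()
# at the moment the tunnel is brought up, since the DDNS record can go stale.
DDNS_ANSWERS = {"netgear.dyndns.org": "203.0.113.45"}


def resolve_peer(peer, dns_answers):
    """Turn a 'Remote WAN IP or FQDN' value into an address, or None if unresolvable."""
    try:
        return str(ipaddress.ip_address(peer))   # dotted quad passes through
    except ValueError:
        return dns_answers.get(peer)             # host name: look it up


def check_pair(a, b, dns_answers):
    """Return a list of mismatches between the two endpoints (empty means consistent)."""
    problems = []
    for side in (a, b):
        if not side["enabled"]:
            problems.append(f"{side['name']}: policy is not enabled")
    if a["mode"] != b["mode"]:
        problems.append(f"exchange mode differs: {a['mode']} vs {b['mode']}")
    for me, peer in ((a, b), (b, a)):
        # What one side calls itself must be exactly what the other side expects.
        if me["local_id"] != peer["remote_id"]:
            problems.append(
                f"{peer['name']}: Remote Identity '{peer['remote_id']}' does not "
                f"match {me['name']} Local Identifier '{me['local_id']}'"
            )
        # The address each side dials must resolve to the other's current WAN IP.
        target = resolve_peer(peer["remote_peer"], dns_answers)
        if target is None:
            problems.append(f"{peer['name']}: cannot resolve remote peer '{peer['remote_peer']}'")
        elif target != me["wan_ip"]:
            problems.append(
                f"{peer['name']}: remote peer '{peer['remote_peer']}' resolves to {target}, "
                f"but {me['name']} WAN IP is {me['wan_ip']} (stale DDNS record?)"
            )
        # Traffic selectors must mirror: my local subnet is the peer's remote subnet.
        if ipaddress.ip_network(me["local_subnet"]) != ipaddress.ip_network(peer["remote_subnet"]):
            problems.append(
                f"{peer['name']}: remote subnet {peer['remote_subnet']} != "
                f"{me['name']} local subnet {me['local_subnet']}"
            )
    if ipaddress.ip_network(a["local_subnet"]).overlaps(ipaddress.ip_network(b["local_subnet"])):
        problems.append("LAN subnets overlap; the tunnel cannot route between them")
    # Constant-time comparison so the check itself does not leak how much of the key matched.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    for line in check_pair(GATEWAY_A, GATEWAY_B, DDNS_ANSWERS) or ["both endpoints agree"]:
        print(line)
```

Run as is, it reports the single mismatch on Gateway B's Remote Identity; correct the FQDN and it reports nothing. Dropping the DDNS answer, or pointing it at a different address, reproduces the two other common failures with a dynamic-IP peer: an unresolvable name and a stale record that still points at the old WAN address.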
Glossary
10BASE-T: IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx: IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
3DES: Triple DES encrypts each block three times with DES using three independent keys. Its effective strength is about 112 bits rather than the 168 bits of key material, because of the meet-in-the-middle attack, and NIST has since deprecated it; prefer AES where both VPN endpoints offer it.
802.11b: IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio...
Domain names are of the form of a registered entity name plus one of a number of predefined top level suffixes such as .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain.
IP Address: A 32-bit number, usually written in dotted-decimal notation with periods separating the four bytes (for example, 134.177.244.57), that identifies a host interface on an IP network. Public address ranges are allocated by IANA through the regional Internet registries (historically by InterNIC). Private ranges such as 192.168.0.0/16 are reused behind NAT devices like the FVL328, so an address is unique only within the network that uses it.
NetBIOS: Network Basic Input Output System. An application programming interface (API) for sharing services and information on local-area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length.
RFC: Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org.
RIP: See Routing Information Protocol.
Index daylight savings time 5-15 Default DMZ Server 4-5 Account Name 3-9, 3-11, 3-15 default reset button 8-7 Address Resolution Protocol B-9 Denial of Service (DoS) protection 2-2, 5-3 Addressing E-7 denial of service attack B-11 Austria 3-15 DHCP 2-4, 4-2, B-10 Authentication Header (AH) E-3, E-4 DHCP Client ID C-7 Auto Uplink 2-3...
FLASH memory 7-13 IPSec SA negotiation E-9 FQDN 2-2 IPSec Security Features E-2 front panel 2-6 ISP 3-1 Fully Qualified Domain Name 2-2 LAN IP Setup Menu 4-3 gateway address C-11 LEDs description 2-6 General 6-4, 6-7, 6-11 troubleshooting 8-3 sending 7-9 host name 3-9, 3-11, 3-15 Log Viewer H-15...
package contents 2-5 SA E-4 password Scope of Document 1-1 restoring 8-7 Secondary DNS Server 3-10, 3-11, 3-13, 3-15, 3-16 PC, using to configure C-12 service blocking 5-10 ping 4-6 service numbers 5-13 PKIX 6-22 Setup Wizard 3-1 port filtering 5-10 SMTP 7-9 port forwarding 5-7 spoof MAC address 8-5...
Virtual Private Networking 2-3 VPN E-1 VPN Consortium E-6 VPN Process Overview E-7 VPNC IKE Phase I Parameters E-10 VPNC IKE Phase II Parameters E-11 Windows, configuring for IP routing C-2, C-5 winipcfg utility C-5 WinPOET C-9 World Wide Web 1-iii Index...