NETGEAR ProSafe FVG318 Reference Manual

Wireless 802.11g VPN Firewall

Reference Manual for the
ProSafe Wireless 802.11g
VPN Firewall Model
FVG318
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10121-01
October 2005

Summary of Contents for NETGEAR ProSafe FVG318

  • Page 1 Reference Manual for the ProSafe Wireless 802.11g VPN Firewall Model FVG318 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10121-01 October 2005...
  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Declaration Of Conformity We NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054, declare under our sole responsibility that the model FVG318 Cardbus Card Wireless Adapter complies with Part 15 of FCC Rules. Operation is subject to the following two conditions: •...
  • Page 4 Canadian Department of Communications Radio Interference Regulations This digital apparatus (ProSafe Wireless 802.11g VPN Firewall Model FVG318) does not exceed the Class B limits for radio-noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian Department of Communications.
  • Page 5: Table Of Contents

    NETGEAR Product Registration, Support, and Documentation ........2-9 Chapter 3 Connecting the Firewall to the Internet Prepare to Install Your FVG318 ..................3-1 First, Connect the FVG318 .....................3-1 Now, Configure the FVG318 for Internet Access and Wireless Connectivity ....3-4 v1.0, October 2005...
  • Page 6 Troubleshooting Tips ......................3-6 Overview of How to Access the FVG318 wireless VPN firewall ........3-7 How to Log On to the FVG318 After Configuration Settings Have Been Applied ..............3-9 How to Bypass the Configuration Assistant ............3-10 Using the Smart Setup Wizard ..................3-11 How to Manually Configure Your Internet Connection ..........3-12...
  • Page 7 How to Set Up a Client-to-Gateway VPN Configuration ..........6-5 Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVG318 ....6-6 Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC ..6-10 Monitoring the Progress and Status of the VPN Client Connection .......6-18 Transferring a Security Policy to Another Client ............6-19...
  • Page 8 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets ............7-15 FVG318 Scenario 1: FVG318 to Gateway B IKE and VPN Policies ......7-16 How to Check VPN Connections ................7-20 FVG318 Scenario 2: FVG318 to FVG318 with RSA Certificates ......7-22 Chapter 8 Maintenance Viewing Wireless VPN Firewall Status Information ............8-1...
  • Page 9 Configuring the VPN Tunnel ................... B-6 Viewing and Editing the VPN Parameters ............. B-10 Initiating and Checking the VPN Connections ............B-13 The FVG318-to-VPN Client Case ................B-15 Client-to-Gateway VPN Tunnel Overview ............. B-15 Configuring the VPN Tunnel ................. B-16 Initiating and Checking the VPN Connections ............
  • Page 11: About This Manual

    This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the Netgear website. This guide uses the following typographical conventions: Table 1-1.
  • Page 12: How To Use This Manual

    Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. This manual is written for the FVG318 wireless VPN firewall according to these specifications: Table 1-2. Manual Scope Product Version ProSafe Wireless 802.11g VPN Firewall Model FVG318...
  • Page 13: How To Print This Manual

    How to Print this Manual To print this manual you can choose one of the following several options, according to your needs. • Printing a Page in the HTML View.
  • Page 15: Introduction

    Unlike simple Internet sharing firewalls that rely on Network Address Translation (NAT) for security, the FVG318 uses stateful packet inspection for Denial of Service attack (DoS) protection and intrusion detection. The FVG318 allows Internet access for up to 253 users. The FVG318 wireless VPN firewall provides you with multiple Web content filtering options, plus browsing activity reporting and instant alerts —...
  • Page 16: 802.11G And 802.11B Wireless Networking

    For WMM to function correctly, wireless clients must also support WMM. A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT firewalls, the FVG318 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: •...
  • Page 17: Security

    Autosensing Ethernet Connections with Auto Uplink With its internal eight-port 10/100 switch, the FVG318 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
  • Page 18: Easy Installation And Management

    • IP Address Sharing by NAT The FVG318 wireless VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
  • Page 19: Maintenance And Support

    • Visual monitoring The FVG318 wireless VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVG318 wireless VPN firewall: •...
  • Page 20: The Fvg318 Front Panel

    The FVG318 Front Panel The front panel of the FVG318 wireless VPN firewall contains the status LEDs described below. Figure 2-1 You can use some of the LEDs to verify connections. Viewed from left to right, Table 2-1 describes the LEDs on the front panel of the firewall.
  • Page 21 Table 2-1. LED Descriptions LED Label Activity Description Power is supplied to the firewall. TEST The system is initializing. The system is ready and running. INTERNET 100 (100 Mbps) The Internet (WAN) port is operating at 100 Mbps.
  • Page 22: The Fvg318 Rear Panel

    The FVG318 Rear Panel The rear panel of the FVG318 wireless VPN firewall contains the port connections listed below. LOCAL Antenna INTERNET Power FACTORY Ports Port Reset Button Figure 2-2 Viewed from left to right, the rear panel contains the following features: •...
  • Page 23: Netgear-Related Products

    NETGEAR-Related Products NETGEAR products related to the FVG318 are listed in the following table: Table 2-1. NETGEAR-Related Products Category Wireless Wired Notebooks WAG511 108 Mbps Dual Band PC Card...
  • Page 25: Connecting The Firewall To The Internet

    This chapter describes how to set up the firewall on your LAN, connect to the Internet, perform basic configuration of your ProSafe Wireless 802.11g VPN Firewall Model FVG318 using the Setup Wizard, or how to manually configure your Internet connection.
  • Page 26 At the computer end only, disconnect the Ethernet cable (point A in the illustration) that connects your computer to the cable or DSL modem. Figure 3-1 Securely insert the Ethernet cable from your modem into the FVG318 Internet port (point B in the illustration). Figure 3-2
  • Page 27 d. Securely insert one end of the blue NETGEAR cable that came with your FVG318 into a Local port on the router such as port 4 (point C in the illustration), and the other end into...
  • Page 28: Now, Configure The Fvg318 For Internet Access And Wireless Connectivity

    Power: The power light should be lit. If after 2 minutes the power light turns solid amber, see the Troubleshooting Tips in this guide. • Test: The test light blinks when the FVG318 is first turned on. If after 2 minutes it is still on, see the Troubleshooting Tips in this guide. •...
  • Page 29 Figure 3-5 Note: If you do not see this page, type http://www.routerlogin.net in the browser address bar and press Enter. If you still cannot see this screen, see “How to Bypass the Configuration Assistant”...
  • Page 30: Troubleshooting Tips

    Be sure to restart your network in the correct sequence. Always follow this sequence: 1) Unplug and turn off the modem, FVG318, and computer; 2) plug in and turn on the modem, wait two minutes; 3) plug in the FVG318 and wait 30 seconds; 4) turn on the computer.
  • Page 31: Overview Of How To Access The Fvg318 Wireless Vpn Firewall

    • The Internet port status light on the wireless VPN firewall will be lit if the Ethernet cable from the FVG318 to the modem is plugged in securely and the modem and wireless VPN firewall are turned on. Make sure the computer & router wireless settings match exactly.
  • Page 32: Connecting The Firewall To The Internet

    Table 3-1. Ways to access the firewall Firewall State Access Options Description Factory Default Automatic Access via Any time a browser is opened on any computer connected to the Smart Wizard...
  • Page 33: How To Log On To The Fvg318 After Configuration Settings Have Been Applied

    How to Log On to the FVG318 After Configuration Settings Have Been Applied 1. Connect to the wireless VPN firewall by typing http://www.routerlogin.net in the address field of your browser, then press Enter.
  • Page 34: How To Bypass The Configuration Assistant

    Once you have entered your user name and password, your Web browser should find the FVG318 wireless VPN firewall and display the home page as shown below. Figure 3-9...
  • Page 35: Using The Smart Setup Wizard

    2. The browser then displays the FVG318 settings home page shown in Figure 3-9. If you do not click Logout, the wireless VPN firewall waits five minutes after there is no activity before it automatically logs you out.
  • Page 36: How To Manually Configure Your Internet Connection

    How to Manually Configure Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
  • Page 37 You can manually configure the firewall using the Basic Settings menu shown in Figure 3-10 using these steps: 1. Log in to the firewall at its default address of http://www.routerlogin.net using a browser like ®...
  • Page 38 e. Click Apply to save your settings. 4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.
  • Page 39: Wireless Configuration

    Observing Performance, Placement, and Range Guidelines In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your FVG318 in order to maximize the network speed. For further information on wireless networking, refer to “Wireless Communications:”...
  • Page 40: Implementing Appropriate Wireless Security

    Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the FVG318. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
  • Page 41: Understanding Wireless Settings

    Understanding Wireless Settings To configure the wireless settings of your FVG318, click the Wireless link in the Setup section of the main menu. The wireless settings menu will appear, as shown below.
  • Page 42 SSID for that network. The FVG318 default SSID is: NETGEAR. — Region. This field identifies the region where the FVG318 can be used. It may not be legal to operate the wireless features of the wireless VPN firewall in a region other than one of those identified in this field.
  • Page 43 Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses. When the Trusted PCs Only radio button is selected, the FVG318 checks the MAC address of the wireless station and only allows connections to PCs identified on the trusted PCs list.
  • Page 44: Default Factory Settings

    Default Restore button on the rear panel as seen in the illustration Figure 2-2 on page 2-8. After you install the FVG318 wireless VPN firewall, use the procedures below to customize any of the settings to better meet your networking needs. Table 4-1.
  • Page 45: How To Set Up And Test Basic Wireless Connectivity

    Server Name/IP Address: Primary _________________ Secondary __________________ Port: ___________________________________ Shared Key: ___________________________________ Use the procedures described in the following sections to configure the FVG318. Store this information in a safe place. How to Set Up and Test Basic Wireless Connectivity Follow the instructions below to set up and test basic wireless connectivity.
  • Page 46 The SSID for any wireless device communicating with the access point must match the SSID configured in the ProSafe Wireless 802.11g VPN Firewall Model FVG318. If they do not match, you will not get a wireless connection to the FVG318.
  • Page 47: How To Restrict Wireless Access By Mac Address

    Program the wireless adapter of your PCs to have the same SSID that you configured in the FVG318. Check that they have a wireless link and are able to obtain an IP address by DHCP from the wireless VPN firewall.
  • Page 48: How To Configure Wep

    4. Click Add to open the Wireless Card Access Setup menu. You can select a device from the list of available wireless cards the FVG318 has discovered in your area, or you can manually enter the MAC address and Device Name (usually the NetBIOS name).
  • Page 49 2. Click Wireless Settings in the main menu of the FVG318. Figure 4-5 3. Select WEP on the Wireless Security pulldown menu. The WEP options menu will open. 4. Choose the Authentication Type and Encryption Strength options. You can manually or automatically program the four data encryption keys.
  • Page 50: How To Configure Wpa With Radius

    – WEP Keys: If using WEP, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.
  • Page 51 2. Click Wireless Settings in the main menu of the FVG318. Figure 4-6 3. Select WPA with Radius on the pulldown menu. The WPA with Radius menu will open.
  • Page 52: How To Configure Wpa2 With Radius

    How to Configure WPA2 with Radius Note: Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA2.
  • Page 53: How To Configure Wpa And Wpa2 With Radius

    3. Select WPA2 with Radius on the pulldown menu. The WPA2 with Radius menu will open. Encryption: There is no choice for encryption; this is displayed for your information. For WPA2 with Radius, AES is used.
  • Page 54 2. Click Wireless Settings in the main menu of the FVG318. Figure 4-8 3. Select WPA and WPA2 with Radius on the pulldown menu. The WPA and WPA2 with Radius menu will open.
  • Page 55: How To Configure Wpa-Psk

    5. Click Apply to save your settings. How to Configure WPA-PSK Note: Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA.
  • Page 56: How To Configure Wpa2-Psk

    3. Select WPA-PSK on the pulldown menu. The WPA-PSK menu will open. 4. Select the desired Encryption method. For WPA-PSK, you can choose TKIP or AES. 5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters in the Passphrase box.
  • Page 57 2. Click Wireless Settings in the main menu of the FVG318. Figure 4-10 3. Select WPA2-PSK on the pulldown menu. The WPA2-PSK menu will open. 4. Select the desired Encryption method. For WPA2-PSK, the only option is AES.
  • Page 58: How To Configure Wpa-Psk And Wpa2-Psk

    How to Configure WPA-PSK and WPA2-PSK Note: Not all wireless adapters support WPA and WPA2. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA and WPA2.
  • Page 59: Enter The Pre-Shared Key In The Passphrase Field. Enter A Word Or Group Of Printable Characters

    3. Select WPA-PSK and WPA2-PSK on the pulldown menu. The WPA-PSK and WPA2-PSK menu will open. 4. Select the desired Encryption method. For WPA-PSK and WPA2-PSK, the only option is TKIP + AES.
  • Page 61: Firewall Protection And Content Filtering

    This chapter describes how to use the content filtering features of the ProSafe Wireless 802.11g VPN Firewall Model FVG318 to protect your network. These features can be found by clicking on the Security heading in the main menu of the browser interface.
  • Page 62: Block Sites

    Block Sites The FVG318 allows you to restrict access based on Web components and Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown below.
  • Page 63 If you want to block any Web components, select those Web components. For example, if you select Java, then Java files will be blocked. Click Apply. To enable keyword blocking, check Turn keyword blocking on, then click Apply.
  • Page 64: Using Rules To Block Or Allow Specific Kinds Of Traffic

    Keyword application examples: • If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX. • If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
  • Page 65 These default rules are shown in the Rules table of the Rules menu. Figure 5-3 You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 66: Inbound Rules (Port Forwarding)

    Match — traffic of this type that matches the parameters and action will be logged. Inbound Rules (Port Forwarding) Because the FVG318 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers.
  • Page 67 If you are unsure, refer to the Acceptable Use Policy of your ISP. Remember that allowing inbound services opens holes in your FVG318 wireless VPN firewall. Only enable those ports that are necessary for your network. Following are two application...
  • Page 68 Inbound Rule Example: Allowing a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown below, CU-SEEME connections are allowed only from a specified range of external IP addresses.
  • Page 69: Outbound Rules (Service Blocking)

    Outbound Rules (Service Blocking) The FVG318 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on: •...
  • Page 70 Following is an application example of an outbound rule: Outbound Rule Example: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
  • Page 71: Order Of Precedence For Rules

    Order of Precedence for Rules Figure 5-8
  • Page 72 As you define new rules, they are added to the tables in the Rules table, as shown below: Figure 5-9
  • Page 73: Default Dmz Server

    For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom.
  • Page 74: Attack Checks

    The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well.
  • Page 75: Services

    1024 to 65535 by the authors of the application. Although the FVG318 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
  • Page 76 1. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears. Figure 5-12 2. Enter a descriptive name for the service so that you will remember what it is.
  • Page 77: Using A Schedule To Block Or Allow Specific Traffic

    Using a Schedule to Block or Allow Specific Traffic If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring the Schedule page.
  • Page 78: Time Zone

    Be sure to click Apply when you have finished configuring this page. Time Zone The FVG318 wireless VPN firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time Zone: •...
  • Page 79: Getting E-Mail Notifications Of Event Logs And Alerts

    Getting E-Mail Notifications of Event Logs and Alerts In order to receive logs and alerts by e-mail, you must provide your e-mail information in the Send alerts and logs by e-mail area: Figure 5-14 •...
  • Page 80 • Send E-mail alerts immediately. You can specify that logs are immediately sent to the specified e-mail address when any of the following events occur: – If a Denial of Service attack is detected.
  • Page 81: Viewing Logs Of Web Access Or Attempted Web Access

    Viewing Logs of Web Access or Attempted Web Access The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site.
  • Page 82: Syslog

    Log entries are described in Table 5-1 Table 5-1. Log entry descriptions Field Description Date and Time The date and time the log entry was recorded. Description or The type of event and what action was taken if any.
  • Page 83: Basic Virtual Private Networking

    Chapter 6 Basic Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVG318 wireless VPN firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
  • Page 84: Overview Of Vpn Configuration

    Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway and between two or more network gateways. The FVG318 supports both of these types of VPN configurations. The FVG318 wireless VPN firewall supports up to eight concurrent tunnels.
  • Page 85: Gateway-To-Gateway Vpn Tunnels

    VPN Gateway A Figure 6-2 A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use FVG318s on each end of the tunnel to form the VPN tunnel end points.
  • Page 86 • Will either endpoint use Fully Qualified Domain Names (FQDNs)? Many DSL accounts are provisioned with DHCP addressing, where the IP address of the WAN port can change from time to time.
  • Page 87: Vpn Tunnel Configuration

    6-4) are not appropriate for your special circumstances. How to Set Up a Client-to-Gateway VPN Configuration Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway (see figure below) involves the following two steps: •...
  • Page 88: Step 1: Configuring The Client-To-Gateway Vpn Tunnel On The Fvg318

    • “Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC” on page 6-10 configures the NETGEAR ProSafe VPN Client endpoint. VPN Tunnel FVS318v3 24.0.0.1 192.168.3.1 (Running NETGEAR...
  • Page 89 1. Log in to the FVG318 at its LAN address of http://192.168.1.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen.
  • Page 90 The Summary screen below displays. Figure 6-6
  • Page 91 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 6-6). Click Back to return to the Summary screen.
  • Page 92: Step 2: Configuring The Netgear Prosafe Vpn Client On The Remote Pc

    This procedure describes how to configure the NETGEAR ProSafe VPN Client. This example assumes the PC running the client has a dynamically assigned IP address. The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client.
  • Page 93 From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies. Rename the “New Connection” so that it matches the Connection Name you entered in the VPN Settings of the FVG318 on LAN A.
  • Page 94 Tip: Choose Connection Names that make sense to the people using and administrating the VPN. Figure 6-9 Figure 6-10 c. Select Secure in the Connection Security check box. d. Select IP Subnet in the ID Type menu.
  • Page 95 Select the Connect using Secure Gateway Tunnel check box. h. Select IP Address in the ID Type menu below the check box. Enter the public WAN IP Address of the FVG318 in the field directly below the ID Type menu. In this example, would be used.
  • Page 96 — The Pre-Shared Key that you configured in the FVG318. — Either a fixed IP address or a “fixed virtual” IP address of the VPN client PC. a. In the Network Security Policy list on the left side of the Security Policy Editor window, click on My Identity.
  • Page 97 e. Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the FVG318's Pre-Shared Key and click OK. In this example, 12345678 is entered. This field is case sensitive.
  • Page 98 Reference Manual for the ProSafe Wireless 802.11g VPN Firewall Model FVG318 c. In the Authentication Method menu, select Pre-Shared key. d. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. e. In the Hash Alg menu, select SHA-1.
  • Page 99 VPN firewall’s LAN. 1. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the FVG318’s network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect.
  • Page 100: Monitoring The Progress And Status Of The Vpn Client Connection

    Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote FVG318. After a short wait, you should see the login screen of the Wireless VPN Firewall (unless another PC already has the FVG318 management interface open).
  • Page 101: Transferring A Security Policy To Another Client

    This section explains how to export and import a security policy as an .spd file so that an existing NETGEAR ProSafe VPN Client configuration can be copied to other PCs running the NETGEAR ProSafe VPN Client.
  • Page 102 Exporting a Security Policy The following procedure (Figure 6-20) enables you to export a security policy as an .spd file. Step 1: Select Export Security Policy from the File pulldown.
  • Page 103 Importing a Security Policy The following procedure (Figure 6-21) enables you to import an existing security policy. Step 1: Invoke the NETGEAR ProSafe Step 2: Select the security policy to import.
  • Page 104: How To Set Up A Gateway-To-Gateway Vpn Configuration

    Figure 6-22. Follow the procedure below to set the LAN IPs on each FVG318 to different subnets and configure each properly for the Internet. The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x.
  • Page 105 1. Log in to the FVG318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of and password of . Click the VPN Wizard link in the...
  • Page 106 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example) Figure 6-25 4.
  • Page 107 The Summary screen below displays. Figure 6-27...
  • Page 108 To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 6-27). Click Back to return to the Summary screen.
  • Page 109 6-27) to complete the configuration procedure. The VPN Policies menu below displays showing that the new tunnel is enabled. Figure 6-29 6. Repeat for the FVG318 on LAN B. Pay special attention and use the following network settings as appropriate. •...
  • Page 110 Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See “Activating a VPN Tunnel” on page 6-29 for information on the other ways. a. Open the FVG318 management interface and click on VPN Status under VPN to get the VPN Status/Log screen shown below. Figure 6-30 b.
  • Page 111: Vpn Tunnel Control

    To use the VPN Status screen to activate a VPN tunnel, perform the following steps: 1. Log in to the Wireless VPN Firewall. 2. Open the FVG318 management interface and click on VPN Status under VPN to get the VPN Status/Log screen shown below.
  • Page 112 Client-to-Gateway Configuration—to check the VPN Connection, you can initiate a request from the remote PC to the FVG318’s network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect.
  • Page 113 Type ping -t 192.168.3.1 and then click OK. Figure 6-34 This will cause a continuous ping to be sent to the first FVG318. Within two minutes, the ping response should change from “timed out” to “reply.” Note: Use Ctrl-C to stop the pinging.
  • Page 114: Verifying The Status Of A Vpn Tunnel

    To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps: 1. Log in to the Wireless VPN Firewall. 2. Open the FVG318 management interface and click VPN Status under VPN to get the VPN Status/Log screen shown below.
  • Page 115: Deactivating A Vpn Tunnel

    Log—this log shows the details of recent VPN activity, including the building of the VPN tunnel. If there is a problem with the VPN tunnel, refer to the log for information about what might be the cause of the problem.
  • Page 116 • VPN Status page Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel To use the VPN Policies page to deactivate a VPN tunnel, perform the following steps: 1.
  • Page 117 2. Click VPN Status under VPN to get the VPN Status/Log screen shown below. Figure 6-40 3. Click VPN Status (Figure 6-40) to get the IPSEC Connection Status screen (Figure 6-41).
  • Page 118: Deleting A Vpn Tunnel

    Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented by the VPN Wizard), automatic traffic will reactivate the tunnel. To prevent reactivation from happening, either disable NETBIOS or disable the policy for the tunnel (see “Using the Policy Table on the VPN Policies Page to...
  • Page 119: Advanced Virtual Private Networking

    Figure 7-1. Using Policies to Manage VPN Traffic: You create policy definitions to manage VPN traffic on the FVG318. There are two kinds of policies:...
  • Page 120: Using Automatic Key Management

    VPN policy that does not use an IKE policy but in which you manually enter all the authentication and key parameters. Since VPN policies use IKE policies, you define the IKE policy first. The FVG318 also allows you to manually input the authentication scheme and encryption key values. In the case of manual key management there will not be any IKE policies.
  • Page 121: Ike Policies' Automatic Key And Authentication Management

    Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown below.
  • Page 122 These parameters apply to the Local FVG318 wireless VPN firewall. Local Identity Type Use this field to identify the local FVG318. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
  • Page 123 These parameters apply to the target remote FVG318, VPN gateway, or VPN client. Remote Identity Type Use this field to identify the remote FVG318. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
  • Page 124: Vpn Policy Configuration For Auto Key Negotiation

    An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
  • Page 125 Remote VPN Endpoint The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVG318’s Local IP values entered as its Remote VPN Endpoint. • By its Fully Qualified Domain Name (FQDN) — your domain name.
  • Page 126 Table 7-1. VPN – Auto Policy Configuration Fields. Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
  • Page 127: Vpn Policy Configuration For Manual Key Exchange

    Table 7-1. VPN – Auto Policy Configuration Fields. Enable Authentication: Use this check box to enable or disable ESP transform for this VPN policy. You can select the ESP mode also with this menu.
  • Page 129 Remote VPN Endpoint The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FVG318’s WAN Internet IP address entered as its Remote VPN Endpoint. Traffic Selector These settings determine if and when a VPN tunnel will be established.
  • Page 130 Table 7-1. VPN Manual Policy Configuration Fields. SPI - Outgoing: Enter a hexadecimal value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its Incoming SPI field.
  • Page 131 Table 7-1. VPN Manual Policy Configuration Fields. Encryption Algorithm: If you enable ESP Encryption, then select the Encryption Algorithm: • DES — the default • 3DES — more secure. Key - In: Enter the key in the fields provided.
  • Page 132: Using Digital Certificates For Ike Auto-Policy Authentication

    ID, and domain name. Each CA has its own certificate. The certificates of a CA are added to the FVG318 and then can be used to form IKE policies for the user. Once a CA certificate is added to the FVG318 and a certificate is created for a user, the corresponding IKE policy is added to the FVG318.
  • Page 133: Vpn Consortium Scenario 1: Gateway-To-Gateway With Preshared Secrets

    In order to help make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to make it easier to get the systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats: •...
  • Page 134: Fvg318 Scenario 1: Fvg318 To Gateway B Ike And Vpn Policies

    Note: This scenario assumes all ports are open on the FVG318. You can verify this by reviewing the security settings as shown in Figure 5-3 on page 5-5.
  • Page 135 2. Configure the WAN (Internet) and LAN IP addresses of the FVG318. a. From the main menu Setup section, click the Basic Setup link to go back to the Basic Settings menu.
  • Page 136 9-3. Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVG318. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in Web-based configuration manager of the FVG318.
  • Page 137 a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below. Figure 7-9 b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
  • Page 138: How To Check Vpn Connections

    5. After applying these changes, all traffic from the range of LAN IP addresses specified on FVG318 A and FVG318 B will flow over a secure VPN tunnel. How to Check VPN Connections You can test connectivity and view VPN status information on the FVG318 (see also “VPN Tunnel Control” on page 6-29).
  • Page 139 Testing the Gateway A FVG318 LAN and the Gateway B LAN 1. Using our example, from a PC attached to the FVG318 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run.
  • Page 140: Fvg318 Scenario 2: Fvg318 To Fvg318 With Rsa Certificates

    The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1.
  • Page 141 b. Click the Generate Request button to display the screen illustrated below. Figure 7-11 c. Fill in the fields on the Add Self Certificate screen. Required fields: – Name. Enter a name to identify this certificate.
  • Page 142 d. Click the Next button to continue. The FVG318 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file. Figure 7-12 4.
  • Page 143 c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FVG318” Self Certificate Request will be listed, as illustrated below.
  • Page 144 You will now see the “FVG318” entry in the Active Self Certificates table and the pending “FVG318” Self Certificate Request is gone, as illustrated below. Figure 7-14 7. Associate the new certificate and the Trusted Root CA certificate on the FVG318.
  • Page 145 Now, the traffic from devices within the range of the LAN subnet addresses on FVG318 A and Gateway B will be authenticated using the certificates rather than via a shared key.
  • Page 147: Maintenance

    This chapter describes how to use the maintenance features of your ProSafe Wireless 802.11g VPN Firewall Model FVG318. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface. Viewing Wireless VPN Firewall Status Information The Router Status menu provides status and usage information.
  • Page 148 This screen shows the following parameters: Table 8-1. FVG318 Status fields. System Name: The System Name assigned to the firewall. Firmware Version: The firewall firmware version. WAN Port: These parameters apply to the Internet (WAN) port of the firewall.
  • Page 149 This screen shows the following statistics: Table 8-1. Connection Status fields. IP Address: The WAN (Internet) IP address assigned to the firewall. Subnet Mask: The WAN (Internet) subnet mask assigned to the firewall.
  • Page 150 This screen shows the following statistics: Table 8-1. Router Statistics fields. Interface: The statistics for the WAN (Internet), LAN (local), and WLAN interfaces. For each interface, the screen displays: Status: The link status of the interface.
  • Page 151: Viewing A List Of Attached Devices

    Upgrading the Firewall Software The routing software of the FVG318 wireless VPN firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file before sending it to the firewall.
  • Page 152: Configuration File Management

    In some cases, you may need to reconfigure the firewall after upgrading. Configuration File Management The configuration settings of the FVG318 wireless VPN firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings.
  • Page 153: Backing Up The Configuration

    From the main menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown below. Figure 8-6 You can use the Settings Backup menu to back up your configuration in a file, restore from that file, or erase the configuration settings.
  • Page 154: Changing The Administrator Password

    To restore the factory default configuration settings without knowing the login password or IP address, you must use the reset button on the rear panel of the firewall. See “Restoring the Default...
  • Page 155: Advanced Configuration

    This chapter describes how to configure the advanced features of your ProSafe Wireless 802.11g VPN Firewall Model FVG318. These features can be found under the Advanced heading in the main menu of the browser interface. How to Configure Dynamic DNS If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
  • Page 156 8. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org...
  • Page 157: Using The Lan Ip Setup Options

    The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. From the main menu of the browser interface, under Advanced, click on LAN Setup to view the menu shown below.
  • Page 158: Using The Firewall As A Dhcp Server

    The LAN IP parameters are: • IP Address This is the LAN IP address of the firewall. • IP Subnet Mask This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or firewall.
  • Page 159: Using Address Reservation

    If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Use router as DHCP server check box.
  • Page 160: Configuring Static Routes

    1. Click the button next to the reserved address you want to edit or delete. 2. Click Edit or Delete. Configuring Static Routes Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes.
  • Page 161: Static Route Example

    2. Type a route name for this static route in the Route Name box. (This is for identification purposes only.) 3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
  • Page 162: Enabling Remote Management Access

    • The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100. • A Metric value of 1 will work since the ISDN firewall is on the LAN.
  • Page 163 134.177.0.123 and you use port number 8080, type the following in your browser: https://134.177.0.123:8080 If you do not use the SSL https://address, but rather use http://address, the FVG318 will automatically attempt to redirect to https://address. Note: The first time you remotely connect the FVG318 with a browser via SSL, you may get a message regarding the SSL certificate.
  • Page 165: Troubleshooting

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 166: Leds Never Turn Off

    When the firewall is turned on, the LEDs turn on briefly and then turn off. If all the LEDs stay on, there is a fault within the firewall.
  • Page 167: Troubleshooting The Isp Connection

    Note: If your PC’s IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x.
  • Page 168 4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP. If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure: 1.
  • Page 169: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    • Your PC may not have the firewall configured as its TCP/IP gateway. If your PC obtains its information from the firewall by DHCP, reboot the PC and verify the gateway address.
  • Page 170: Testing The Path From Your Pc To A Remote Device

    • Wrong network configuration — Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. — Verify that the IP address for your firewall and your workstation are correct and that the addresses are on the same subnet.
  • Page 171: Restoring The Default Configuration And Password

    The E-Mail menu in the Content Filtering section displays the current date and time of day. The FVG318 wireless VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day.
  • Page 173: Technical Specifications

    Appendix A Technical Specifications This appendix provides technical specifications for the ProSafe Wireless 802.11g VPN Firewall Model FVG318. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input...
  • Page 175: Appendix B Related Documents

    Appendix B Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP http://documentation.netgear.com/reference/enu/tcpip/index.htm Addressing: Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
  • Page 177: Vpn Configuration Of Netgear Fvg318

    Appendix C VPN Configuration of NETGEAR FVG318 This is a case study on how to configure a secure IPSec VPN tunnel on a NETGEAR FVG318. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). This study covers the following situations: •...
  • Page 178: Gathering The Network Information

    The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process.
  • Page 179 Enter the requested information as prompted by the VPN Wizard. Note: The WAN and LAN IP addresses must be unique at each end of the VPN tunnel. The figure below shows the first part of NETGEAR’s VPN Wizard for the router at each gateway (Figure B-3 shows the other part).
  • Page 180 The figure below shows the second part of NETGEAR’s VPN Wizard for the router at Gateway A (Figure B-2 shows the other part). Step 5: Verify the information...
  • Page 181: Activating The Vpn Tunnel

    Note: The default log in address for the FVG318 router is http://192.168.1.1 with the default user name of admin and default password of password. The login address will change to the local LAN IP subnet address after you configure the router.
  • Page 182: The Fvg318-To-Fvg318 Case

    Figure B-5. Use this scenario illustration and configuration screens as a model to build your configuration. 1. Log in to the FVG318 labeled Gateway A as in the illustration above...
  • Page 183 Note: Based on the network addresses used in this example, you would log in to the LAN IP address of http://172.23.9.1 at Gateway B. 4. Repeat the process using the VPN Wizard to configure the FVG318 at Gateway B. Figure 2-6...
  • Page 184 Follow the steps listed in Figure B-2 and Figure B-3, but use the following parameters instead as illustrated in Figure 2-6: • Connection Name: Scenario_1 (in this example) • Pre-Shared Key: 12345678 (in this example), must be the same at both VPN tunnel endpoints •...
  • Page 185 All traffic from the range of LAN IP addresses specified on FVG318 A and FVG318 B will now flow over a secure VPN tunnel once the VPN tunnel is initiated (see “Initiating and Checking the...
  • Page 186: Viewing And Editing The Vpn Parameters

    The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic on the FVG318 are presented in Figure B-8 and Figure B-9.
  • Page 187 Gateway A IKE Parameters Gateway B IKE Parameters...
  • Page 188 Gateway A IKE Parameters Gateway B IKE Parameters Figure B-9 Note: The Pre-Shared Key must be the same at both VPN tunnel endpoints. The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint.
  • Page 189: Initiating And Checking The Vpn Connections

    1. Test 1: Ping Remote LAN IP Address: To establish the connection between the FVG318 Gateway A and Gateway B tunnel endpoints, perform these steps at Gateway A: a. From a Windows PC attached to the FVG318 on LAN A, click the Start button on the taskbar and then click Run.
  • Page 190 b. The log screen displays a history of the VPN connections, and the IPSec SA and IKE SA tables report the status and data transmission statistics of the VPN tunnels for each policy.
  • Page 191: The Fvg318-To-Vpn Client Case

    Table B-1. Policy Summary. VPN Consortium Scenario: Scenario 1; Type of VPN: PC/Client-to-Gateway; Security Scheme: IKE with Preshared Secret/Key; Date Tested: ; Model/Firmware Tested: NETGEAR-Gateway A FVG318 with firmware version v1.0...
  • Page 192: Configuring The Vpn Tunnel

    Note: This scenario assumes all ports are open on the FVG318. The figure below shows LAN to PC VPN access from an FVG318 to a VPN Client. 10.5.6.0/24 Scenario 1...
  • Page 193 • Pre-Shared Key: 12345678 (in this example), must be the same at both VPN tunnel endpoints • Connection Type: A Remote VPN Client The figure below shows the VPN Wizard at Gateway A (FVG318).
  • Page 194 The figure below shows the VPN parameters at Gateway A (FVG318). Figure B-13 3. Set up the VPN Client at Gateway B as in the illustration (Figure B-11)...
  • Page 195 Right-mouse-click the ProSafe icon in the system tray and select the Security Policy Editor. If you need to install the NETGEAR ProSafe VPN Client on your PC, consult the documentation that came with your software. b. Add a new connection using the Edit/Add/Connection menu and rename it Scenario_1.
  • Page 196 • Expand the Scenario_1 screen hierarchy by clicking the + sign in front of Scenario_1. Then expand the rest of the screen hierarchies by clicking the rest of the + signs.
  • Page 197 d. Select Security Policy on the left hierarchy menu and then select Aggressive Mode under Select Phase 1 Negotiation Mode (see Figure B-16). (The Select Phase 1 Negotiation Mode choice must match the Exchange Mode setting for the General IKE Policy...
  • Page 198 • Under My Identity, select Domain Name for the ID Type and then enter fvs_remote. (Domain Name must match the Remote Identity Data parameter of the IKE Policy Configuration screen shown in Figure B-13 for the gateway router.)
  • Page 199: Initiating And Checking The Vpn Connections

    IP address until the client initiates the traffic. Initiating and Checking the VPN Connections You can test connectivity and view VPN status information on the FVG318 and VPN Client according to the testing flowchart shown in Figure B-4.
  • Page 200 At this point the gateway-to-gateway connection is verified. 3. Test 3: View VPN Tunnel Status: To view the FVG318 event log and status of Security Associations, go to the FVG318 main menu VPN section and click the VPN Status link. For the VPN Client, click VPN Status on the VPN Status/Log screen.
  • Page 201 [Figure: VPN Status at Gateway A (FVG318), with callouts for the status of the VPN tunnel from Gateway B (22.23.24.25) and the status of the VPN tunnel to Gateway B (22.23.24.25); Connection Monitor at Gateway B (remote VPN Client)]...