NETGEAR ProSafe FWAG114 Reference Manual

Reference Manual for the
ProSafe Dual Band
Wireless VPN Firewall
FWAG114
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
SM-FWAG114NA-0
Version 1.0
June 2003

Summary of Contents for NETGEAR ProSafe FWAG114

  • Page 2: Fcc Caution

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Certificate of the Manufacturer/Importer It is hereby certified that the ProSafe Dual Band Wireless VPN Firewall FWAG114 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions.
  • Page 5: Table Of Contents

    Computer Network Configuration Requirements ...3-1 Internet Configuration Requirements ...3-2 Where Do I Get the Internet Configuration Parameters? ...3-2 Record Your Internet Connection Information ...3-3 Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN ...3-4 PPPoE Wizard-Detected Option ...3-8 Contents Contents...
  • Page 6 Dynamic IP Wizard-Detected Option ...3-10 Fixed IP Account Wizard-Detected Option ... 3-11 Manually Configuring Your Internet Connection ...3-12 Chapter 4 Wireless Configuration Observe Performance, Placement, and Range Guidelines ...4-1 Implement Appropriate Wireless Security ...4-2 Understanding Wireless Settings ...4-4 Common Wireless Settings ...4-5 Understanding WEP Authentication and Encryption ...4-6 Authentication Type ...4-6 WEP ...4-7...
  • Page 7 Walk-Through of Configuration Scenarios on the FWAG114 ...6-15 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets ...6-16 FWAG114 Scenario 1: FWAG114 to Gateway B IKE and VPN Policies ...6-17 How to Check VPN Connections ...6-20 FWAG114 Scenario 2: FWAG114 to FWAG114 with RSA Certificates ...6-22...
  • Page 8 Enabling Remote Management Access ...6-8 Chapter 9 Troubleshooting Basic Functioning ...7-1 Power LED Not On ...7-1 LEDs Never Turn Off ...7-2 LAN or Internet Port LEDs Not On ...7-2 Troubleshooting the Web Configuration Interface ...7-3 Troubleshooting the ISP Connection ...7-4 Troubleshooting a TCP/IP Network Using a Ping Utility ...7-5 Testing the LAN Path to Your Router ...7-5 Testing the Path from Your PC to a Remote Device ...7-6...
  • Page 9 Ethernet Cabling ... B-12 Uplink Switches, Crossover Cables, and MDI/MDIX Switching ... B-12 Cable Quality ... B-13 Appendix C Preparing Your Network Preparing Your Computers for TCP/IP Networking ... C-1 Configuring Windows 95, 98, and Me for TCP/IP Networking ... C-2 Install or Verify Windows Networking Components ...
  • Page 10 802.11 Authentication ... D-3 Open System Authentication ... D-4 Shared Key Authentication ... D-4 Overview of WEP Parameters ... D-5 Key Size ... D-6 WEP Configuration Options ... D-7 Wireless Channels ... D-7 802.11b/g Wireless Channels ... D-8 802.11a Legal Power Output and Wireless Channels ... D-9 Appendix E Virtual Private Networking What is a VPN? ...
  • Page 11: About This Manual

    Congratulations on your purchase of the NETGEAR FWAG114. The FWAG114 wireless firewall provides connection for multiple personal computers (PCs) to the Internet through an external broadband access device (such as a cable modem or DSL modem) that is normally intended for use by a single PC.
  • Page 12: Features Of The Html Version Of This Manual

    The PDF button links to a PDF version of the full manual. – The E-mail button enables you to send feedback by e-mail to Netgear support. – The Print button prints the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer--you do not have to worry about specifying the correct range of pages.
  • Page 13: Introduction

    FWAG114. Key Features of the VPN Firewall The ProSafe Dual Band Wireless VPN Firewall FWAG114 with 4-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
  • Page 14: 802.11G And 802.11B Wireless Networking

    Wireless network name broadcast can be turned off so that only devices that have been given the network name (SSID) can connect. (A non-broadcast SSID is still sent in cleartext in probe and association frames, so this hides the network from casual browsing but is not an access control.) A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the FWAG114 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: •...
  • Page 15: Security

    Autosensing Ethernet Connections with Auto Uplink With its internal 4-port 10/100 switch, the FWAG114 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
  • Page 16: Easy Installation And Management

    Entersys or WinPOET on your PC. Easy Installation and Management You can install, configure, and operate the ProSafe Dual Band Wireless VPN Firewall FWAG114 within minutes after connecting it to the network. The following features simplify installation and management tasks: •...
  • Page 17: Maintenance And Support

    • Visual monitoring The FWAG114 wireless firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FWAG114 wireless firewall: •...
  • Page 18: The Fwag114'S Front Panel

    The FWAG114’s Front Panel The front panel of the FWAG114 wireless firewall contains the status LEDs described below. Figure 2-1: FWAG114 Front Panel (LED labels include Broadband). You can use some of the LEDs to verify connections. The following table describes the LEDs on the front panel of the router, viewed from left to right. These LEDs are green when lit.
  • Page 19: The Fwag114'S Rear Panel

    The FWAG114’s Rear Panel The rear panel of the FWAG114 wireless firewall contains the port connections listed below. Figure 1-2: FWAG114 Rear Panel (labels include the 12VDC, 1.2A power input and the Reset button). Viewed from left to right, the rear panel contains the following features: •...
  • Page 21: Connecting The Fwag114 To The Internet

    This chapter describes how to set up the router on your local area network (LAN) and connect to the Internet. You find out how to configure your ProSafe Dual Band Wireless VPN Firewall FWAG114 for Internet access using the Setup Wizard, or how to manually configure your Internet connection.
  • Page 22: Internet Configuration Requirements

    • You may also refer to the FWAG114 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below.
  • Page 23: Record Your Internet Connection Information

    Your ISP might call this your account, user, host, computer, or system name. If your ISP’s mail server is mail.xxx.yyy.com, then use … ; if your account is aaa@yyy.com, then use … ; if your ISP gave you a name such as CCA7324-A, then use it as your host name. ISP Host Name: _________________________ ISP Domain Name: _______________________
  • Page 24: Connecting The Prosafe Dual Band Wireless Vpn Firewall Fwag114 To Your Lan

    Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN This section provides instructions for connecting the FWAG114 wireless firewall. Also, the Resource CD for ProSafe Dual Band Wireless VPN Firewall included with your router contains an animated Installation Assistant to help you through this procedure.
  • Page 25 Figure 3-3: Connect the computers on your network to the router (the figure shows the 12VDC and Reset connectors, the Broadband Modem and the LAN ports)...
  • Page 26 Note: The FWAG114 wireless firewall incorporates Auto Uplink technology. Each LOCAL Ethernet port will automatically sense whether the cable should have a normal connection or an uplink connection. This feature eliminates the need to worry about crossover cables because Auto Uplink will make the right connection with either type of cable.
  • Page 27 Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP as you recorded them previously in “Record Your Internet Connection Information” on page 3-3. … “Manually Configuring Your Internet Connection” on page 3-12.
  • Page 28: Pppoe Wizard-Detected Option

    The procedures for filling in the configuration menu for each type of connection follow below. PPPoE Wizard-Detected Option If the Setup Wizard discovers that your ISP uses PPPoE, you will see this menu: Figure 3-7: Setup Wizard menu for PPPoE accounts...
  • Page 29 Usually, it is not necessary to change the MAC address setting. • Click Apply to save your settings. • Click Test to verify that your Internet connection works. If the NETGEAR website does not appear within one minute, refer to Chapter 9, “Troubleshooting.”...
  • Page 30: Dynamic Ip Wizard-Detected Option

    Usually, it is not necessary to change the MAC address setting. • Click Apply to save your settings. • Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 9, “Troubleshooting.”...
  • Page 31: Fixed Ip Account Wizard-Detected Option

    Usually, it is not necessary to change the MAC address setting. • Click Apply to save the settings. • Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 9, “Troubleshooting.”
  • Page 32: Manually Configuring Your Internet Connection

    Manually Configuring Your Internet Connection You can manually configure your router using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
  • Page 33 … PC that is allowed by the ISP. Or, select “Use this MAC address” and enter … Click Apply to save your settings. If your Internet connection does require a login, fill in the settings according to the instructions below (Figure 3-10).
  • Page 34 The screen will change according to the ISP settings requirements of the ISP you select. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 3-8. Click Apply to save your settings.
  • Page 35: Wireless Configuration

    Observe Performance, Placement, and Range Guidelines In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your FWAG114 in order to maximize the network speed. For further information on wireless networking, refer to Appendix D, “Wireless Networking Basics.”...
  • Page 36: Implement Appropriate Wireless Security

    For this reason, use the security features of your wireless equipment. The FWAG114 wireless firewall provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs.
  • Page 37 Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the FWAG114. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed, and because station MAC addresses travel in cleartext frame headers, an attacker who observes a trusted address can clone it.
  • Page 38: Understanding Wireless Settings

    Understanding Wireless Settings To configure the wireless settings of your FWAG114, click the Wireless 11a or Wireless 11b/g link in the Setup section of the main menu. The wireless settings menu will appear, as shown below.
  • Page 39: Common Wireless Settings

    Regulatory Domain. For the Wireless 802.11a settings, unless you select a regulatory domain, the 802.11a radio is turned off. This field identifies the region where the FWAG114 can be used. It may not be legal to operate the wireless features of the VPN firewall in a region other than one of those identified in this field.
  • Page 40: Understanding Wep Authentication And Encryption

    Access Point Connections. Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses. When the Trusted PCs Only radio button is selected, the FWAG114 checks the MAC address of the wireless station and only allows connections to PCs identified on the trusted PCs list.
  • Page 41: Wep

    Clicking the radio button selects which of the four keys will be the default. Default Factory Settings When you first receive your FWAG114, the default factory settings are shown below. You can restore these defaults with the Factory Default Restore button on the rear panel. After you install the FWAG114 wireless firewall, use the procedures below to customize any of the settings to better meet your networking needs.
  • Page 42: Before You Change The Ssid And Wep Settings

    • SSID: The Service Set Identification (SSID) identifies the wireless local area network. NETGEAR is the default FWAG114 SSID. However, you may customize it by using up to 32 alphanumeric characters. Write your customized SSID on the line below. Note: The SSID in the VPN firewall must match the SSID you configure in the wireless adapter card.
  • Page 43: How To Set Up And Test Basic Wireless Connectivity

    Key 2: ___________________________________ Key 3: ___________________________________ Key 4: ___________________________________ Use the procedures described in the following sections to configure the FWAG114. Store this information in a safe place. How to Set Up and Test Basic Wireless Connectivity Follow the instructions below to set up and test basic wireless connectivity. Once you have established basic wireless connectivity, you can enable security settings appropriate to your needs.
  • Page 44: How To Restrict Wireless Access By Mac Address

    Program the wireless adapter of your PCs to have the same SSID that you configured in the FWAG114. Check that they have a wireless link and are able to obtain an IP address by DHCP from the VPN firewall.
  • Page 45 … PC or from a wireless PC which is on the access control list to make any further changes. Be sure to click Apply to save your trusted wireless PCs list settings. Now, only devices on this list will be allowed to wirelessly connect to the FWAG114.
  • Page 46: How To Configure Wep

    LAN address and password you have set up. Click the Wireless 11a or 11b link in the main menu of the FWAG114. Click the Configure WEP button. Choose the Authentication Type and WEP option.
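
    The manual presents WEP as this unit's encryption option. WEP seeds RC4 with a 24-bit IV prepended to the shared key and protects integrity with a plain CRC-32, and both properties were broken soon after this manual was written, so a practitioner should treat "WEP on" as no stronger than the MAC filtering described above. The following Python is an added example and is not code from the NETGEAR manual: it implements the WEP encapsulation (RC4 keyed by IV||key, CRC-32 ICV) and shows two consequences of that design, namely that an IV reused with a known plaintext exposes another frame's plaintext, and that an attacker can flip payload bits and repair the ICV without knowing the key. The key, IV and frame contents are constructed for the demonstration.

```python
"""WEP encapsulation and two classic weaknesses (added example, not NETGEAR code).
The key, IV and frame contents used in the demo are constructed."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian, with no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (plaintext || ICV) XOR RC4(IV || key)."""
    body = plaintext + crc32_le(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); the ICV comparison is all a WEP receiver checks."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data, icv == crc32_le(data)


def recover_via_iv_reuse(frame_known: bytes, known_plain: bytes, frame_target: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 XOR C2 = P1 XOR P2.
    Knowing P1 (say, a predictable protocol header) yields P2 without the key."""
    assert frame_known[:3] == frame_target[:3], "demo needs identical IVs"
    n = min(len(known_plain), len(frame_target) - 7)       # 3-byte IV, 4-byte ICV
    return xor(xor(frame_known[3:3 + n], frame_target[3:3 + n]), known_plain[:n])


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is affine: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(zeros), so XOR-ing
    (D || that correction) into the ciphertext leaves the ICV valid."""
    assert len(delta) == len(frame) - 7, "delta must cover the whole payload"
    fix = struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF)
    return frame[:3] + xor(frame[3:], delta + fix)


if __name__ == "__main__":
    KEY, IV = b"abcde", b"\x01\x02\x03"        # constructed 40-bit key and IV
    original, wanted = b"transfer $0010 to bob", b"transfer $9910 to bob"
    frame = wep_encrypt(KEY, IV, original)
    forged = flip_bits_without_key(frame, xor(original, wanted))
    print(wep_decrypt(KEY, forged))            # the receiver accepts the altered amount
```

    The bit-flip works with any WEP key length, which is why the Key Size choice on this menu does not change the picture: the weakness is in the construction, not the key. Where a wireless client must be kept, put it behind the firewall's VPN policies rather than relying on WEP.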
  • Page 47: Firewall Protection And Content Filtering

    This chapter describes how to use the content filtering features of the ProSafe Dual Band Wireless VPN Firewall FWAG114 to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface.
  • Page 48: Block Sites

    Block Sites The FWAG114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Keyword Blocking menu is shown in Figure 5-1: Figure 5-1: Block Sites menu To enable keyword blocking, check “Turn keyword blocking on”, then click Apply.
  • Page 49: Using Rules To Block Or Allow Specific Kinds Of Traffic

    A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FWAG114 are: • Inbound: Block all access from outside except responses to requests from the LAN side.
  • Page 50 You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
  • Page 51: Inbound Rules (Port Forwarding)

    Inbound Rules (Port Forwarding) Because the FWAG114 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet.
  • Page 52: Inbound Rule Example: Allowing Videoconference From Restricted Addresses

    Inbound Rule Example: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-4, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
  • Page 53: Outbound Rules (Service Blocking)

    Outbound Rules (Service Blocking) The FWAG114 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on: •...
  • Page 54: Order Of Precedence For Rules

    Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 5-6: Figure 5-6: Rules table with examples...
  • Page 55: Respond To Ping On Internet Wan Port

    In some cases, one local PC can run the application properly if that PC’s IP address is entered as the Default DMZ Server. Note: For security, NETGEAR strongly recommends that you avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet.
  • Page 56: Services

    1024 to 65535 by the authors of the application. Although the FWAG114 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
  • Page 57 To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, go to the Services menu and click on the Add Custom Service button.
  • Page 58: Using A Schedule To Block Or Allow Specific Traffic

    Using a Schedule to Block or Allow Specific Traffic If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The...
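
    The rule model described on pages 49 through 58 (two default rules, custom inbound and outbound rules keyed by service, source and destination addresses and a schedule, custom services defined as port ranges, optional logging) is small enough to model directly, which makes it easier to reason about what a rule table will actually do before applying it. The following Python is an added example and is not NETGEAR code: it evaluates packets against a rule table as this manual describes, with the manual's two worked cases (videoconferencing allowed only from a branch-office range, and a scheduled outbound service block for one LAN PC). It assumes top-to-bottom first-match precedence, since the snippets here do not state the tie-break (the order shown in the Rules menu on your unit is what counts), the reply table standing in for the unit's stateful packet inspection is a simplification, and all addresses, the HTTP service and the videoconference port range are constructed.

```python
"""Rule-table model for the firewall chapter (added example, not NETGEAR code).
First-match precedence and the reply table are assumptions; services and
addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                   # "tcp" or "udp"
    ports: tuple                 # inclusive (low, high), as entered in Add Custom Service

    def covers(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.ports[0] <= port <= self.ports[1]


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" = arriving on the WAN port, "out" = leaving the LAN
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def pkt(direction, proto, src, sport, dst, dport) -> Packet:
    """Convenience constructor taking dotted-quad strings."""
    return Packet(direction, proto, ip_address(src), sport, ip_address(dst), dport)


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                                  # "allow" or "block"
    service: Optional[Service] = None            # None matches any service
    src: Optional[IPv4Network] = None            # None matches any source
    dst: Optional[IPv4Network] = None            # None matches any destination
    days: frozenset = frozenset(range(7))        # schedule: Mon=0 .. Sun=6
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    log: bool = False

    def matches(self, p: Packet, now: datetime) -> bool:
        return (p.direction == self.direction
                and (self.service is None or self.service.covers(p.proto, p.dport))
                and (self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and now.weekday() in self.days
                and self.start <= now.time() <= self.end)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)   # table order is precedence: first match wins (assumed)
        self.flows = set()         # outbound requests seen, for the stateful default rule
        self.log = []              # (time, action, packet) for rules with log=True

    def evaluate(self, p: Packet, now: datetime) -> str:
        for rule in self.rules:
            if rule.matches(p, now):
                decision = rule.action
                if rule.log:
                    self.log.append((now, decision, p))
                break
        else:
            # No custom rule matched: the manual's two default rules apply.
            if p.direction == "out":
                decision = "allow"                       # outbound: allow all
            elif (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
                decision = "allow"                       # inbound: only replies to LAN requests
            else:
                decision = "block"
        if decision == "allow" and p.direction == "out":
            self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return decision


HTTP = Service("HTTP", "tcp", (80, 80))
VIDEOCONF = Service("Videoconference", "udp", (7648, 7649))    # port range constructed
WORKDAY = datetime(2003, 6, 17, 10, 30)    # a Tuesday morning (constructed timestamps)
EVENING = datetime(2003, 6, 17, 20, 0)


def build_firewall() -> Firewall:
    """The manual's two examples: videoconference only from a branch-office range,
    and office-hours service blocking for one LAN PC (addresses constructed)."""
    return Firewall([
        Rule("in", "allow", VIDEOCONF,
             src=ip_network("203.0.113.0/24"), dst=ip_network("192.168.0.20/32")),
        Rule("out", "block", HTTP, src=ip_network("192.168.0.50/32"),
             days=frozenset(range(5)), start=time(9, 0), end=time(17, 0), log=True),
    ])


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.evaluate(pkt("in", "tcp", "198.51.100.7", 40000, "192.168.0.10", 80), WORKDAY))
```

    Running the same packet set against a candidate table before and after reordering rules is the practical way to check the precedence question the manual leaves to the Rules menu; if a broad "block" rule is placed above a narrow "allow", the allow never fires.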
  • Page 59: Time Zone

    Be sure to click Apply when you have finished configuring this menu. Time Zone The FWAG114 wireless firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time Zone: •...
  • Page 60: Getting E-Mail Notifications Of Event Logs And Alerts

    Getting E-Mail Notifications of Event Logs and Alerts In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading: Figure 5-10: E-mail menu • Turn e-mail notification on. Check this box if you wish to receive e-mail logs and alerts from the router.
  • Page 61 – If a user on your LAN attempts to access a website that you blocked using Keyword blocking. • Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs None, Hourly, Daily, Weekly, or When Full.
  • Page 62: Viewing Logs Of Web Access Or Attempted Web Access

    Viewing Logs of Web Access or Attempted Web Access The router will log security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site.
  • Page 63: Syslog

    Log entries are described in Table 5-1. Table 5-1, Log entry descriptions: Date and Time, the date and time the log entry was recorded; Description or Action, the type of event and what action was taken, if any; Source IP, the IP address of the initiating device for this log entry.
  • Page 65: Viewing Vpn Firewall Status Information

    Maintenance This chapter describes how to use the maintenance features of your ProSafe Dual Band Wireless VPN Firewall FWAG114. These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface. Viewing VPN Firewall Status Information The Router Status menu provides status and usage information.
  • Page 66 This screen shows the following parameters (Table 6-1, Menu 3.2 - FWAG114 Status Fields): System Name; Firmware Version; WAN Port: MAC Address, IP Address, IP Subnet Mask, DHCP; LAN Port: MAC Address, IP Address, IP Subnet Mask, DHCP; IEEE802.11a/b/g Interface...
  • Page 67 Click “Show WAN Status” to display the WAN connection status. Figure 6-2: Connection Status screen This screen shows the following statistics: Table 6-1. Connection Status Fields Field Description Connection Time The length of time the router has been connected to your Internet service provider’s network.
  • Page 68 Click “Show Statistics” to display router usage statistics. Figure 6-3: Router Statistics screen This screen shows the following statistics: Table 6-1. Router Statistics Fields Field Description interface The statistics for the WAN (Internet), LAN (local), 802.11a, and 802.11b/g interfaces. For each interface, the screen displays: Status The link status of the interface.
  • Page 69: Viewing A List Of Attached Devices

    To force the router to look for attached devices, click the Refresh button. Upgrading the Router Software The routing software of the FWAG114 wireless firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's website.
  • Page 70: Configuration File Management

    Note: The Web browser used to upload new firmware into the FWAG114 wireless firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape Navigator 3.0 or above. From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the menu shown below.
  • Page 71: Restoring And Backing Up The Configuration

    From the Main Menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown below. Figure 6-6: Settings Backup menu Three options are available, and are described in the following sections.
  • Page 72: Erasing The Configuration

    Erasing the Configuration It is sometimes desirable to restore the router to a known blank condition. This can be done by using the Erase function, which will restore all factory settings, including the default administrator password; change that password again before the unit is reconnected to the Internet. After an erase, the router's password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client...
  • Page 73: Virtual Private Networking

    This chapter describes how to use the virtual private networking (VPN) features of the FWAG114 wireless firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. Overview of FWAG114 Policy-Based VPN Configuration The FWAG114 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity.
  • Page 74: Using Policies To Manage Vpn Traffic

    VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters. Since the VPN policies use the IKE policies, you define the IKE policy first. The FWAG114 also allows you to manually input the authentication scheme and encryption key values. In the case of manual key management there will not be any IKE policies.
  • Page 75: Ike Policies' Automatic Key And Authentication Management

    IKE Policies’ Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
  • Page 76 (host name, domain name, email address, etc.) instead of by IP address. These parameters apply to the Local FWAG114 wireless firewall. Use this field to identify the local FWAG114. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
  • Page 77 These parameters apply to the target remote FWAG114, VPN gateway, or VPN client. Use this field to identify the remote FWAG114. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
  • Page 78: Vpn Policy Configuration For Auto Key Negotiation

    VPN Policy Configuration for Auto Key Negotiation An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
  • Page 79 Note: Create the IKE policy BEFORE creating a VPN - Auto policy. The address used to locate the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114’s Local IP values entered as its “Remote VPN Endpoint.”...
  • Page 80 Table 7-1. VPN Auto Policy Configuration Fields: Traffic Selector (Local IP, Remote IP); Authenticating Header (AH) Configuration (Enable Authentication, Authentication Algorithm); Encapsulated Security Payload (ESP) Configuration (Enable Encryption, Encryption Algorithm). Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
  • Page 81: Vpn Policy Configuration For Manual Key Exchange

    Table 7-1. VPN Auto Policy Configuration Fields (continued): Enable Authentication; Authentication Algorithm; NETBIOS Enable. VPN Policy Configuration for Manual Key Exchange With Manual Key Management, you will not use an IKE policy. You must manually type in all the required key information. Click the VPN Policies link from the VPN section of the main menu to display the menu shown below.
  • Page 82 Figure 7-4: VPN - Manual Policy Menu
  • Page 83 The WAN Internet IP address of the remote VPN firewall or client to which you wish to connect. The remote VPN endpoint must have this FWAG114’s WAN Internet IP address entered as its “Remote VPN Endpoint.” These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
  • Page 84 Table 7-1. VPN Manual Policy Configuration Fields: SPI - Outgoing; Enable Authentication; Authentication Algorithm; Key - In; Key - Out; Encapsulated Security Payload (ESP) Configuration: SPI - Incoming, SPI - Outgoing, Enable Encryption, Encryption Algorithm. SPI: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI"...
  • Page 85 Table 7-1. VPN Manual Policy Configuration Fields (continued): Key - In; Key - Out; Enable Authentication; Authentication Algorithm; Key - In; Key - Out; NETBIOS Enable. Key: Enter the key in the fields provided. • For DES, the key should be 8 characters. •...
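
    The Manual Policy table on pages 83 to 85 amounts to a pair of mirrored security associations: this FWAG114's "SPI - Outgoing" and "Key - Out" must equal the peer's "SPI - Incoming" and "Key - In", and vice versa, and a mismatch in any of SPI, key or algorithm silently drops traffic. The following Python is an added example and is not NETGEAR code: it models the authentication side of such a policy (the AH settings: select the SA by SPI, verify an HMAC-MD5 or HMAC-SHA-1 integrity check value, reject replays) for two gateways and shows what happens when the values are not mirrored. The packet layout is a simplified AH-style header rather than RFC-exact IPsec, ESP encryption is left out because DES/3DES are not in the Python standard library, and the SPIs, keys and payloads are constructed. Manual keys never rotate, which is the reason the manual's IKE policies are preferable wherever the peer supports them.

```python
"""Manual-key VPN policy as mirrored security associations (added example, not
NETGEAR code).  Simplified AH-style framing; SPIs, keys and payloads are constructed."""
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 12          # HMAC-MD5-96 / HMAC-SHA-1-96 keep 96 bits of the tag (RFC 2403/2404)
REPLAY_WINDOW = 64


class VpnError(Exception):
    pass


@dataclass
class ManualSA:
    spi: int                     # the SPI typed into the policy, 3 to 8 hex digits
    key: bytes                   # Key - In or Key - Out for the authentication algorithm
    algo: str = "sha1"           # "md5" or "sha1", the two choices the menu offers
    seq: int = 0                 # sender: last sequence number emitted
    highest: int = 0             # receiver: highest sequence number accepted so far
    seen: set = field(default_factory=set)   # receiver: accepted numbers inside the window


def protect(sa: ManualSA, payload: bytes) -> bytes:
    """Outgoing SA: SPI || seq || ICV || payload, with ICV = HMAC over SPI, seq and payload."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.key, header + payload, sa.algo).digest()[:ICV_LEN]
    return header + icv + payload


def verify(sa: ManualSA, packet: bytes) -> bytes:
    """Incoming SA: select by SPI, check the ICV in constant time, then apply anti-replay."""
    if len(packet) < 8 + ICV_LEN:
        raise VpnError("truncated packet")
    spi, seq = struct.unpack("!II", packet[:8])
    icv, payload = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    if spi != sa.spi:
        raise VpnError(f"no incoming SA with SPI {spi:#x}")
    expected = hmac.new(sa.key, packet[:8] + payload, sa.algo).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise VpnError("ICV mismatch: key or algorithm differs from the peer, or packet altered")
    if seq <= sa.highest - REPLAY_WINDOW or seq in sa.seen:
        raise VpnError(f"replayed or stale sequence number {seq}")
    sa.seen.add(seq)
    sa.highest = max(sa.highest, seq)
    sa.seen = {s for s in sa.seen if s > sa.highest - REPLAY_WINDOW}
    return payload


class Gateway:
    """One FWAG114 end of a manual-key tunnel: an incoming SA and an outgoing SA."""
    def __init__(self, name: str, incoming: ManualSA, outgoing: ManualSA):
        self.name, self.incoming, self.outgoing = name, incoming, outgoing

    def send(self, payload: bytes) -> bytes:
        return protect(self.outgoing, payload)

    def receive(self, packet: bytes) -> bytes:
        return verify(self.incoming, packet)


def build_pair():
    """Mirror the values as the manual's table requires: A's 'SPI - Outgoing' and
    'Key - Out' are B's 'SPI - Incoming' and 'Key - In', and vice versa."""
    a_to_b = dict(spi=0xABC123, key=b"sixteen byte key", algo="sha1")    # constructed
    b_to_a = dict(spi=0x7E5, key=b"another 16B key!", algo="md5")        # constructed
    gw_a = Gateway("A", incoming=ManualSA(**b_to_a), outgoing=ManualSA(**a_to_b))
    gw_b = Gateway("B", incoming=ManualSA(**a_to_b), outgoing=ManualSA(**b_to_a))
    return gw_a, gw_b


def rejected(gw: Gateway, packet: bytes) -> bool:
    """True if the gateway drops the packet; used to exercise the failure cases."""
    try:
        gw.receive(packet)
        return False
    except VpnError:
        return True


if __name__ == "__main__":
    a, b = build_pair()
    print(b.receive(a.send(b"hello from LAN A")))
```

    When a manual tunnel passes no traffic, the three checks in `verify` are the ones to work through on the real units in the same order: is the SPI the peer sends the one configured as incoming here, do key and algorithm match exactly (the DES key on page 85 is typed as characters, so a trailing space or different case breaks the ICV), and has the peer been rebooted so that its sequence numbers restarted below the receiver's window.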
  • Page 86: Using Digital Certificates For Ike Auto-Policy Authentication

    Each CA has its own certificate. The certificates of a CA are added to the FWAG114 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FWAG114 and a certificate is created for a user, the corresponding IKE policy is added to the FWAG114. Whenever the user tries to send traffic through the FWAG114, the certificates are used in place of pre-shared keys during initial key exchange as the authentication and key generation mechanism.
  • Page 87: Walk-Through Of Configuration Scenarios On The Fwag114

    Walk-Through of Configuration Scenarios on the FWAG114 There are a variety of configurations you might implement with the FWAG114. The scenarios listed below illustrate typical configurations you might use in your organization. In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
  • Page 88: Vpn Consortium Scenario 1: Gateway-To-Gateway With Preshared Secrets

    VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication. 10.5.6.0/24 Gateway A 10.5.6.1 14.15.16.17 Figure 7-5: VPN Consortium Scenario 1 Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
  • Page 89: Fwag114 Scenario 1: Fwag114 To Gateway B Ike And Vpn Policies

    FWAG114 Scenario 1: FWAG114 to Gateway B IKE and VPN Policies Note: This scenario assumes all ports are open on the FWAG114. You can verify this by reviewing the security settings as seen in the … Figure 7-6: LAN to LAN VPN access from an … (LAN IP 10.5.6.1/24). Use this scenario illustration and configuration screens as a model to build your configuration.
  • Page 90 Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FWAG114. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in web-based configuration manager of the FWAG114.
  • Page 91 3. Set up the IKE Policy illustrated below on the FWAG114. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below. Figure 7-9: Scenario 1 IKE Policy Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
  • Page 92: How To Check Vpn Connections

    Policies’ Automatic Key and Authentication Management” on page 5. After applying these changes, all traffic from the range of LAN IP addresses specified on FWAG114 A and FWAG114 B will flow over a secure VPN tunnel. How to Check VPN Connections You can test connectivity and view VPN status information on the FWAG114.
  • Page 93 To test connectivity between the Gateway A FWAG114 LAN and the Gateway B LAN, follow these steps: Using our example, from a PC attached to the FWAG114 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run.
  • Page 94: Fwag114 Scenario 2: Fwag114 To Fwag114 With Rsa Certificates

    FWAG114 Scenario 2: FWAG114 to FWAG114 with RSA Certificates The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509 (PKIX) certificates for authentication. The network setup is identical to the one given in scenario 1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in scenario 1, with the exception that the identification is done with signatures authenticated by PKIX certificates.
  • Page 95 Address here. Otherwise, you should leave this blank. – Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank. – E-mail Address. You can enter your e-mail address here. Figure 7-11 below.
  • Page 96 Click the Next button to continue. The FWAG114 generates a Self Certificate Request as shown below. Figure 7-12: Self Certificate Request data 4. Transmit the Self Certificate Request data to the Trusted Root CA. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
  • Page 97 When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FWAG114” Self Certificate Request will be listed, as illustrated in Figure 7-13: Self Certificate Requests table. 5.
  • Page 98 You will now see the “FWAG114” entry in the Active Self Certificates table and the pending “FWAG114” Self Certificate Request is gone, as illustrated below. Figure 7-14: Self Certificates table 7. Associate the new certificate and the Trusted Root CA certificate on the FWAG114.
  • Page 99 Now, the traffic from devices within the range of the LAN subnet addresses on FWAG114 A and Gateway B will be authenticated using the certificates rather than via a shared key. 8. Set up Certificate Revocation List (CRL) checking. Get a copy of the CRL from the CA and save it as a text file.
  • Page 100 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 7-28 Virtual Private Networking...
  • Page 101: Advanced Configuration

    Advanced Configuration This chapter describes how to configure the advanced features of your ProSafe Dual Band Wireless VPN Firewall FWAG114. These features can be found under the Advanced heading in the Main Menu of the browser interface. How to Configure Dynamic DNS If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
  • Page 102 Log in to the router at its default LAN address of , default password of admin have chosen for the router. From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS. Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’...
  • Page 103: Using The Lan Ip Setup Options

    Using the LAN IP Setup Options The second feature category under the Advanced heading is LAN IP Setup. This menu allows configuration of LAN IP services such as DHCP and RIP. From the Main Menu of the browser interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown below. Figure 8-1: LAN IP Setup Menu Configuring LAN TCP/IP Setup Parameters The router is shipped preconfigured to use private IP addresses on the LAN side, and to act as a...
  • Page 104: Using The Router As A Dhcp Server

    The LAN IP parameters are: • IP Address This is the LAN IP address of the router. • IP Subnet Mask This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
  • Page 105: Using Address Reservation

    For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See Configuration by DHCP” on assign IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the ‘Use router as DHCP server’...
  • Page 106: Configuring Static Routes

    Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew. To edit or delete a reserved address entry: Click the button next to the reserved address you want to edit or delete.
  • Page 107 Figure 8-3. Static Route Entry and Edit Menu Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.) Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
  • Page 108: Enabling Remote Management Access

    Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FWAG114 wireless firewall. Note: Be sure to change the router's default configuration password to a very secure password.
  • Page 109 To allow access from any IP address on the Internet, select Everyone. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. To allow access from a single IP address on the Internet, select Only this PC.
  • Page 111: Troubleshooting

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 112: Leds Never Turn Off

    LEDs Never Turn Off When the router is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the router. If all LEDs are still on one minute after power up: •...
  • Page 113: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface If you are unable to access the router’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the router as described in the previous section.
  • Page 114: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: Launch your browser and select an external site such as www.netgear.com Access the Main Menu of the router’s configuration at http://192.168.0.1 Under the Maintenance heading, select Router Status Check that an IP address is shown for the WAN Port If 0.0.0.0 is shown, your router has not obtained an IP address from your ISP.
  • Page 115: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    Configure your router to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page If your router can obtain an IP address, but your PC is unable to load any web pages from the Internet: •...
  • Page 116: Testing The Path From Your Pc To A Remote Device

    If the path is working, you see this message: Reply from < IP address >: bytes=32 time=NN ms TTL=xxx If the path is not working, you see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: •...
  • Page 117: Restoring The Default Configuration And Password

    The E-Mail menu in the Content Filtering section displays the current date and time of day. The FWAG114 wireless firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day.
  • Page 119: Technical Specifications

    This appendix provides technical specifications for the ProSafe Dual Band Wireless VPN Firewall FWAG114. Network Protocol and Standards Compatibility Data and Routing Protocols: Power Adapter North America: United Kingdom, Australia: Europe: Japan: All regions (output): Physical Specifications Dimensions: Weight: Environmental Specifications...
  • Page 120 Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: Wireless Data Encoding: Maximum Computers Per Wireless Network: 802.11b and g Radio Data Rate 802.11b and g Operating Frequencies 802.11b and g Operating Range 802.11b and g Encryption 802.11a Radio Data Rate 802.11a Operating Frequency 802.11a...
  • Page 121: Network, Routing, Firewall, And Basics

    Appendix B Network, Routing, Firewall, and Basics This chapter provides an overview of IP networks, routing, and networking. Related Publications As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
  • Page 122: What Is A Router

    Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The ProSafe Dual Band Wireless VPN Firewall FWAG114 is a small office router that routes the IP protocol over a single-user broadband connection.
  • Page 123 195.34.12.7 The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application.
  • Page 124: Netmask

    128.1.x.x to 191.254.x.x. • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. •...
  • Page 125: Subnet Addressing

    As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a slash (/), as “/n.”...
  • Page 126 Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address.
  • Page 127: Private Ip Addresses

    172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Choose your private network number from this range. The DHCP server of the FWAG114 wireless firewall is preconfigured to automatically assign private addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines explained here.
  • Page 128: Single Ip Address Operation Using Nat

    The FWAG114 wireless firewall employs an address-sharing method called Network Address Translation (NAT). This method allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your ISP.
  • Page 129: Mac Addresses And Address Resolution Protocol

    This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system.
  • Page 130: Domain Name Server

    IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The FWAG114 wireless firewall has the capacity to act as a DHCP server.
  • Page 131: What Is A Firewall

    What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.
  • Page 132: Ethernet Cabling

    Ethernet Cabling Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring and pinout as described in Table 9-1.
  • Page 133: Cable Quality

    The FWAG114 wireless firewall incorporates Auto Uplink technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g.
  • Page 135: Appendix C Preparing Your Network

    This appendix describes how to prepare your network to connect to the Internet through the ProSafe Dual Band Wireless VPN Firewall FWAG114 and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a...
  • Page 136: Configuring Windows 95, 98, And Me For Tcp/Ip Networking

    DHCP server during bootup. For a detailed explanation of the meaning and purpose of these configuration items, refer to The FWAG114 wireless firewall is shipped preconfigured as a DHCP server. The firewall assigns the following TCP/IP configuration information automatically when the PCs are rebooted: •...
  • Page 137 You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
  • Page 138: Enabling Dhcp To Automatically Configure Tcp/Ip Settings

    If you need Client for Microsoft Networks: Click the Add button. Select Client, and then click Add. Select Microsoft. Select Client for Microsoft Networks, and then click OK. Restart your PC for the changes to take effect. Enabling DHCP to Automatically Configure TCP/IP Settings After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network.
  • Page 139 Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties window will display.
  • Page 140: Selecting Windows' Internet Access Method

    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
  • Page 141: Configuring Windows Nt4, 2000 Or Xp For Ip Networking

    From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...
  • Page 142: Enabling Dhcp To Automatically Configure Tcp/Ip Settings

    Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
  • Page 143 • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window. • Click the Properties button to view details about the connection.
  • Page 144: Dhcp Configuration Of Tcp/Ip In Windows 2000

    • Verify that the Obtain an IP address automatically radio button is selected. • Verify that Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/ IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
  • Page 145 • Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. • The Local Area Connection Properties dialog box appears. •...
  • Page 146 • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected. • Click OK to return to Local Area Connection Properties.
  • Page 147: Dhcp Configuration Of Tcp/Ip In Windows Nt4

    DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. • Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
  • Page 148 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
  • Page 149: Verifying Tcp/Ip Properties For Windows Xp, 2000, And Nt4

    Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 •...
  • Page 150: Configuring The Macintosh For Tcp/Ip Networking

    • The default gateway is 192.168.0.1 Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x From the Apple menu, select Control Panels, then TCP/IP.
  • Page 151: Verifying Tcp/Ip Properties For Macintosh Computers

    TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: •...
  • Page 152: Verifying The Readiness Of Your Internet Account

    Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
  • Page 153: Obtaining Isp Configuration Information For Windows Computers

    As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FWAG114 wireless firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
  • Page 154: Obtaining Isp Configuration Information For Macintosh Computers

    As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FWAG114 wireless firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
  • Page 155: Restarting The Network

    Restart any computer that is connected to the FWAG114 wireless firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FWAG114 wireless firewall, you are ready to access and configure the firewall.
  • Page 157: Wireless Networking Basics

    (IEEE) 802.11b standard for wireless LANs (WLANs) and a product update will bring the FWAG114 into conformance to the 802.11g standard when it is ratified. On an 802.11b or g wireless link, data is encoded using direct-sequence spread-spectrum (DSSS) technology and is transmitted in the unlicensed radio spectrum at 2.5GHz.
  • Page 158: Infrastructure Mode

    Infrastructure Mode With a wireless Access Point, you can operate the wireless LAN in the infrastructure mode. This mode provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage, interacting with wireless nodes via an antenna.
  • Page 159: Authentication And Wep Data Encryption

    The 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 Station can communicate with an Ethernet network through an access point such as the one built in to the FWAG114: Turn on the wireless station.
  • Page 160: Open System Authentication

    An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication: Open System and Shared Key. • Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID.
  • Page 161: Overview Of Wep Parameters

    The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. The access point compares the decrypted text with the original challenge text.
  • Page 162: Key Size

    128-bit encryption is stronger than 40-bit encryption, but 128-bit encryption may not be available outside of the United States due to U.S. export regulations. In NETGEAR’s 802.11a solutions, there are three shared key methods implemented: the standards based 40-bit and 128-bit WEP data encryption; and an extended 152-bit WEP data encryption.
  • Page 163: Wep Configuration Options

    When configured for 128-bit encryption, 802.11 products typically support four WEP Keys but some manufacturers support only one 128-bit key. The 128-bit WEP Key is expressed as 13 sets of two hexadecimal digits (0-9 and A-F). For example, “12 34 56 78 90 AB CD EF 12 34 56 78 90” is a 128-bit WEP Key.
  • Page 164: 802.11b/g Wireless Channels

    802.11b/g Wireless Channels IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz. Neighboring channels are 5 MHz apart. However, due to the spread spectrum effect of the signals, a node sending signals using a particular channel will utilize frequency spectrum 12.5 MHz above and below the center channel frequency.
  • Page 165: 802.11a Legal Power Output And Wireless Channels

    The preferred channel separation between the channels in neighboring wireless networks is 25 MHz (5 channels). This means that you can apply up to three different channels within your wireless network. There are only 11 usable wireless channels in the United States. It is recommended that you start using channel 1 and grow to use channels 6 and 11 when necessary, as these three channels do not overlap.
  • Page 166 Figure 4-6: IEEE 802.11a Channel Allocations The FWAG114 user can use thirteen channels in non-turbo mode. Table D-1: 802.11a Turbo Mode Off Radio Frequency Channels (Turbo Mode OFF; channel frequencies listed include 5.745 GHz, 5.765 GHz, 5.785 GHz, 5.805 GHz, and 5.825 GHz). The FWAG114 user can use five channels in turbo mode.
  • Page 167: Virtual Private Networking

    Appendix E Virtual Private Networking There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
  • Page 168: What Is Ipsec And How Does It Work

    • Intranets: Intranets connect an organization’s locations. These locations range from the headquarters offices, to branch offices, to a remote employee’s home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limit connectivity.
  • Page 169: Ipsec Components

    • Confidentiality: Conceals the message content through encryption. IPSec Components IPSec contains the following elements: • Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. • Authentication Header (AH): Provides authentication and integrity. • Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
  • Page 170: Authentication Header (Ah

    Figure 4-7: Original packet and packet with IPSec Encapsulated Security Payload The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
  • Page 171: Ike Security Association

    Figure 4-8: Original packet and packet with IPSec Authentication Header IKE Security Association IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols.
  • Page 172: Key Management

    • Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/decapsulation on behalf of the hosts.
  • Page 173: Understand The Process Before You Begin

    This TechNote provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
  • Page 174: Network Interfaces And Addresses

    Network Interfaces and Addresses The VPN gateway is aptly named because it functions as a “gatekeeper” for each of the computers connected on the Local Area Network behind it. In most cases, each Gateway will have a “public” facing address (WAN side) and a “private” facing address (LAN side).
  • Page 175: Firewalls

    Table 4-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing Gateway LAN or WAN Gateway B LAN (Private) Gateway B WAN (Public) It will also be important to know the subnet mask of both gateway LAN Connections. Use the worksheet in Appendix A to gather the necessary address and subnet mask information to aid in the configuration and troubleshooting process.
  • Page 176 Figure 4-11: VPN Tunnel SA The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
  • Page 177: Vpnc Ike Security Parameters

    IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. A shared master key is generated by the Diffie-Hellman Public key algorithm within the IKE framework for the two parties.
  • Page 178: Vpnc Ike Phase Ii Parameters

    LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the Netgear gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...
  • Page 179 • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
  • Page 181: Glossary

    Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. 10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 802.1x 802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management.
  • Page 182 Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.
  • Page 183 .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain. Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates of from 1.5...
  • Page 184 Internet Protocol is the main internetworking protocol used in the Internet. Used in conjunction with the Transfer Control Protocol (TCP) to form TCP/IP. IP Address A four-byte number uniquely defining each host on the Internet, usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57).
  • Page 185 NAT A technique by which several hosts share a single IP address for access to the Internet. NetBIOS Network Basic Input Output System. An application programming interface (API) for sharing services and information on local-area networks (LANs).
  • Page 186 SSID A Service Set Identification is a thirty-two character (maximum) alphanumeric key identifying a wireless local area network. For the wireless devices in a network to communicate with each other, all devices must be configured with the same SSID.
  • Page 187 If a remote network contains a WINS server, your Windows PCs can gather information from that WINS server about its local hosts. This allows your PCs to browse that remote network using the Windows Network Neighborhood feature.
  • Page 189: Index

    Numerics 64 or 128 bit WEP 4-7 802.11b D-1 Account Name 3-10, 3-13 Address Resolution Protocol B-9 Addressing E-8 ad-hoc mode D-2 Authentication Header (AH) E-3, E-4 Auto MDI/MDI-X B-13, G-2 Auto Uplink 2-3, B-13, G-2 backup configuration 5-7 Basic Wireless Connectivity 4-9 BSSID D-2 CA 6-22 cables, pinout B-12...
  • Page 190 factory settings, restoring 5-8 firewall features 2-2 Flash memory, for firmware upgrade 2-2 front panel 2-6, 2-7 fully qualified domain name (FQDN) 4-6 gateway address C-20 General 6-4, 6-7, 6-11 host name 3-10, 3-13 IANA contacting B-2 IETF B-1 Web site address B-7 IKE Security Association E-5 inbound rules 5-5 infrastructure mode D-2...
  • Page 191 Open System authentication D-3 order of precedence 5-8 outbound rules 5-7 package contents 2-5 Passphrase 4-7, 4-12 passphrase 2-2 password restoring 7-7 PC, using to configure C-21 ping 5-9 pinout, Ethernet cable B-12 PKIX 6-22 port filtering 5-7 port forwarding 5-5 port forwarding behind NAT B-9 port numbers 5-10 PPP over Ethernet 2-4, C-18...
  • Page 192 time zone 5-13 time-stamping 5-13 Transport Mode E-5 troubleshooting 7-1 Trusted Host 5-3 Tunnel Mode E-6 typographical conventions 1-1 Uplink switch B-12 USB C-18 VPN E-1 VPN Consortium E-7 VPN Process Overview E-7 VPNC IKE Phase I Parameters E-11 VPNC IKE Phase II Parameters E-12 WEP D-3 Wi-Fi D-1 Windows, configuring for IP routing C-2, C-7...