Netgear FVS318 - ProSafe VPN Firewall Router Reference Manual

Reference Manual for the
Model FVS318
Broadband ProSafe VPN
Firewall
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
M-10146-01
June 2003
M-10146-01

Summary of Contents

  • Page 2

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

  • Page 3

    Refer to the Support Information Card that shipped with your FVS318 Broadband ProSafe VPN Firewall. World Wide Web: NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

  • Page 5: Table Of Contents

    Contents. Chapter 1, About This Manual: Audience (1-1); Scope (1-1); Typographical Conventions (1-2); Special Message Formats (1-2); How to Use the HTML Version of this Manual (1-3); How to Print this Manual (1-4). Chapter 2, Introduction: About the FVS318 (2-1); Key Features (2-1); Virtual Private Networking (VPN) (2-1); A Powerful, True Firewall (2-2)...

  • Page 6: Table Of Contents

    Where Do I Get the Internet Configuration Parameters? (3-2); Worksheet for Recording Your Internet Connection Information (3-3); How to Connect the FVS318 VPN Firewall (3-4); Wizard-Detected PPPoE Option (3-9); Wizard-Detected Dynamic IP Option (3-10); Wizard-Detected Fixed IP (Static) Option (3-11); Testing Your Internet Connection (3-12); How to Manually Configure Your Internet Connection (3-13). Chapter 4...

  • Page 7: Table Of Contents

    Setting the MTU Size (5-8); Using the Router as a DHCP Server (5-8); How to Specify Reserved IP Addresses (5-9); How to Configure LAN TCP/IP Settings (5-10); How to Configure Dynamic DNS (5-11); Using Static Routes (5-12); Static Route Example (5-12); How to Configure Static Routes (5-13). Chapter 6, Virtual Private Networking...

  • Page 8: Table Of Contents

    Backing Up, Restoring, or Erasing Your Settings (7-9); How to Back Up the Configuration to a File (7-9); How to Restore a Configuration from a File (7-10); How to Erase the Configuration (7-11); Running Diagnostic Utilities and Rebooting the Router (7-11); How to Enable Remote Management (7-12); How to Upgrade the Router’s Firmware (7-13). Chapter 8...

  • Page 9

    Related Documents (B-9); Domain Name Server (B-9); IP Configuration by DHCP (B-10); Internet Security and Firewalls (B-10); What is a Firewall? (B-11); Stateful Packet Inspection (B-11); Denial of Service Attack (B-11); Ethernet Cabling (B-11); Category 5 Cable Quality (B-12); Inside Twisted Pair Cables ...

  • Page 10

    VPNC IKE Phase II Parameters (D-11); Testing and Troubleshooting (D-11); Additional Reading (D-11). Appendix E, NETGEAR VPN Configuration of FVS318 or FVM318 to FVL328: Configuration Profile (E-1); Step-By-Step Configuration of FVS318 or FVM318 Gateway A (E-2); Step-By-Step Configuration of FVL328 Gateway B ...

  • Page 11

    Test the VPN Connection (F-8). Appendix G, NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328: Configuration Profile (G-1); The Use of a Fully Qualified Domain Name (FQDN) (G-2); Step-By-Step Configuration of FVS318 or FVM318 Gateway A (G-3); Step-By-Step Configuration of FVL328 Gateway B ...

  • Page 13: Audience, Scope

    This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, tutorial information on basic computer networking, Internet, firewall, and VPN technologies is provided in the Appendices and on the Netgear website. Scope: This manual is written for the FVS318 VPN Firewall according to the specifications in Table 1-1.

  • Page 14: Typographical Conventions, Special Message Formats

    Typographical Conventions. This guide uses the following typographical conventions (Table 1, Typographical conventions): italics: emphasis; bold times roman: user input; [Enter]: named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.

  • Page 15: How To Use The Html Version Of This Manual

    The PDF button links to a PDF version of the full manual. – The E-mail button enables you to send feedback by e-mail to Netgear support. – The Print button prints the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer--you do not have to worry about specifying the correct range of pages.

  • Page 16: How To Print This Manual

    How to Print this Manual. To print this manual you may choose one of the following options, according to your needs. • A “How To ... ” Sequence of Steps in the HTML View: use the Print button on the upper right of the toolbar to print the currently displayed topic.

  • Page 17: Key Features, Virtual Private Networking (vpn)

    Chapter 2 Introduction. This chapter describes the features of the NETGEAR FVS318 Broadband ProSafe VPN Firewall. About the FVS318: The FVS318 is a complete security solution that protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FVS318 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection.

  • Page 18: A Powerful, True Firewall, Content Filtering

    • Supports 8 VPN connections. • Supports industry standard VPN protocols. The FVS318 VPN Firewall supports standard Manual or IKE keying methods, standard MD5 and SHA-1 authentication methods, and standard DES, 3DES, and AES encryption methods. It is compatible with many other VPN products.

  • Page 19: Protocol Support

    The firewall incorporates Auto Uplink technology. Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration.

  • Page 20: Easy Installation And Management

    Easy Installation and Management. You can install, configure, and operate the FVS318 within minutes after connecting it to the network. The following features simplify installation and management tasks: • Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.

  • Page 21: What's In The Box?, The Firewall's Front Panel

    • Support information card If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair. The Firewall’s Front Panel...

  • Page 22: The Firewall's Rear Panel

    These LEDs are green when lit, except for the TEST LED, which is amber. Table 2-1: LED Descriptions. POWER: power is supplied to the firewall. TEST: the system is initializing / the system is ready and running.

  • Page 23: Lan Hardware Requirements, Computer Requirements, Cable Or Dsl Modem Requirement

    Chapter 3 Connecting the Firewall to the Internet. This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to the Internet, and perform basic configuration of your FVS318 Broadband ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection. What You Will Need Before You Begin: You need to prepare these three things before you can connect your firewall to the Internet: A computer properly connected to the firewall as explained below.

  • Page 24: Lan Configuration Requirements, Internet Configuration Requirements, Where Do I Get The Internet Configuration Parameters?

    For Macintosh computers, open the TCP/IP or Network control panel. • You may also refer to the FVS318 Resource CD (SW-10021-01) for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in “Worksheet for Recording Your Internet Connection...

  • Page 25: Worksheet For Recording Your Internet Connection Information

    Worksheet for Recording Your Internet Connection Information. Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.

  • Page 26: How To Connect The Fvs318 Vpn Firewall

    How to Connect the FVS318 VPN Firewall. This section provides instructions for connecting the FVS318 Broadband ProSafe VPN Firewall to your Local Area Network (LAN). Note: The Resource CD included with your firewall contains an animated Installation Assistant to help you through this procedure.

  • Page 27

    Connect the Ethernet cable (A) from your Cable or DSL modem to the FVS318’s Internet port. (Figure 3-2: Connect the Cable or DSL Modem to the firewall.) Connect the Ethernet cable (B) which came with the firewall from a Local port on the router to your computer.

  • Page 28

    Turn on the Cable or DSL modem and wait about 30 seconds for the lights to stop blinking. 2. Log in to the Firewall. Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP.

  • Page 29

    A login window opens as shown in Figure 3-5 (Login window). Note: If you were unable to connect to the firewall, please refer to “Basic Functions” on page 8-1.

  • Page 30

    Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet. Note: If you choose not to use the Setup Wizard, you can manually configure your Internet connection settings by following the procedure “How to Manually Configure Your Internet Connection“...

  • Page 31: Wizard-detected Pppoe Option

    Wizard-Detected PPPoE Option. If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-7 (Setup Wizard menu for PPPoE login accounts)...

  • Page 32: Wizard-detected Dynamic Ip Option

    If you enter an address here, after you finish configuring the firewall, reboot your PCs so that the settings take effect. Click on Apply to save your settings. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.

  • Page 33: Wizard-detected Fixed Ip (static) Option

    PC. This feature allows your firewall to masquerade as that PC by using its MAC address. Click on Apply to save your settings. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, “Troubleshooting”.

  • Page 34: Testing Your Internet Connection

    PCs after configuring the firewall for these settings to take effect. Click on Apply to save the settings. Click on the Test button to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, Troubleshooting.

  • Page 35: How To Manually Configure Your Internet Connection

    How to Manually Configure Your Internet Connection. You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. (Figure 3-10: Browser-based configuration Basic Settings menu, shown for an ISP that does not require login and for an ISP that does require login)...

  • Page 36

    Click the Basic Settings link under the Setup section of the main menu. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below.

  • Page 37

    Connections which require a login use protocols such as PPPoE, PPTP, or Telstra Bigpond Cable broadband connections. Select your Internet service provider from the drop-down list (Figure 3-11: Basic Settings ISP list). The screen will change according to the settings requirements of the ISP you select.

  • Page 39: How To Change The Built-in Password

    Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection. NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols.

  • Page 40: How To Change The Administrator Login Timeout, Using Basic Firewall Services

    From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 4-1 (Set Password menu). To change the password, first enter the old password, and then enter the new password twice. Click Apply to save your changes.

  • Page 41: How To Block Keywords And Sites

    The firewall provides a variety of options for blocking Internet based content and communications services. With its content filtering feature, the FVS318 VPN Firewall prevents objectionable content from reaching your PCs. The FVS318 allows you to control access to Internet content by screening for keywords within Web addresses.

  • Page 42

    Click on the Block Sites link of the Security menu (Figure 4-2: Block Sites menu). To block ActiveX, Java, Cookies, or Web Proxy functions for all Internet sites, click the check box next to the function and then click Apply.

  • Page 43: How To Block Or Allow Services

    Up to 32 entries are supported in the Keyword list. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a PC that will be exempt from blocking and logging.

  • Page 44

    • To edit an existing entry, select its button on the left side of the table and click Edit. • To delete an existing entry, select its button on the left side of the table and click Delete. Modify the menu shown below for defining or editing a service.

  • Page 45: How To Add To The List Of Services

    You can select whether the traffic will be logged. The choices are: • Never: no log entries will be made for this service. • Always: any traffic for this service type will be logged. •...

  • Page 46

    Click on the Add Service link of the Security menu to display the Services list shown in Figure 4-5 (Services table). • To create a new entry, click the Add Custom Service button. •...

  • Page 47

    Modify the menu shown below for defining or editing a service (Figure 4-6: Add Services menu). The parameters are: • Name. This name will appear in the drop-down list of services to be allowed or blocked in the Add Block Service menu as seen in Figure 4-4 above.

  • Page 48: Setting Times And Scheduling Firewall Services, How To Set Your Time Zone

    Setting Times and Scheduling Firewall Services. The FVS318 VPN Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.

  • Page 49: How To Schedule Firewall Services

    Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Check the Daylight Savings Time box if your time zone is currently in daylight savings time.

  • Page 51: Setting Up A Default Dmz Server

    Chapter 5 Advanced WAN and LAN Configuration. This chapter describes how to configure the advanced features of your FVS318 Broadband ProSafe VPN Firewall. Configuring Advanced WAN Settings: The FVS318 Broadband ProSafe VPN Firewall provides a variety of advanced features, such as: •...

  • Page 52

    Incoming traffic from the Internet is normally discarded by the Firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

  • Page 53: Respond To Ping On Internet Wan Port, How To Support Internet Services, Applications, Or Games

    From the Main Menu of the browser interface, under Advanced, click on Ports to view the port forwarding menu, shown in Figure 5-1 (Port Forwarding Menu). Respond to Ping on Internet WAN Port: If you want the Firewall to respond to a ‘ping’ from the Internet, click the ‘Respond to Ping on Internet WAN Port’...

  • Page 54: How To Clear A Port Assignment, Local Web And Ftp Server Example

    How to Clear a Port Assignment. To edit or eliminate a port assignment entry: Click the button next to that port in the table. Click Delete or Edit. Click Apply. Local Web and FTP Server Example: If a local PC with a private IP address of 192.168.0.33 acts as a Web and FTP server, configure the Ports menu to forward HTTP (port 80) and FTP (port 21) to local address 192.168.0.33...

  • Page 55: Working With Lan Ip Settings, What Does Upnp Support Do For Me?

    Change the beginning port number in the Start Port box. For these games, use the supplied number in the default listing and add +1 for each additional computer. For example, if you've already configured one computer to play Hexen II (using port 26900), the second computer's port number would be 26901, and the third computer would be 26902.

  • Page 56: How To Enable Upnp

    How to Enable UPnP. Log in to the Firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin and default password of password, or using whatever User Name, Password and LAN address you have chosen for the Firewall.

  • Page 57: Understanding Lan Tcp/ip Setup Parameters

    Understanding LAN TCP/IP Setup Parameters. The Firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The Firewall’s default LAN IP configuration is: •...

  • Page 58: Setting The Mtu Size, Using The Router As A Dhcp Server

    Note: If you change the LAN IP address of the Firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.

  • Page 59: How To Specify Reserved Ip Addresses

    The Firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP Address from the range you have defined • Subnet Mask • Gateway IP Address (the Firewall’s LAN IP address) •...

  • Page 60: How To Configure Lan Tcp/ip Settings

    How to Configure LAN TCP/IP Settings. Log in to the Firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin and default password of password, or using whatever User Name, Password and LAN address you have chosen for the Firewall.

  • Page 61: How To Configure Dynamic Dns

    How to Configure Dynamic DNS. If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently.

  • Page 62: Using Static Routes, Static Route Example

    Access the website of one of the dynamic DNS service providers whose names appear in the ‘Use a dynamic DNS service’ list, and register for an account. For example, for oray.net, click the link or go to www.oray.net. Select the Use a dynamic DNS service radio button for the service you are using.

  • Page 63: How To Configure Static Routes

    When you first configured your Firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses.

  • Page 64

    Click the Edit button to open the Edit Menu, shown in Figure 5-6 (Static Route Entry and Edit Menu). Type a route name for this static route in the Route Name box under the table. This is for identification purposes only.

  • Page 65

    Secure access between networks, such as a branch or home office and a main office. A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources when NAT is enabled and remote computers have been assigned private IP addresses.

  • Page 66: Understanding How Fvs318 Vpn Tunnels Are Configured

    8 and 9 of the SafeNet client. Although the FVS318 can interoperate with many other VPN products, it is not possible for NETGEAR to provide specific technical support for every other interconnection. Please see NETGEAR's web site for additional VPN information.

  • Page 67: Configuring Vpn Network Connection Parameters

    Manual Keys: Does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is much more complex and there are more opportunities for errors or configuration mismatches between your FVS318 and the corresponding VPN endpoint gateway or client workstation.

  • Page 68

    The FVS318 VPN tunnel network connection fields are defined in the following table. Table 6-1. VPN network connection configuration fields: Connection Name: The descriptive name of the VPN tunnel. Each tunnel should have a unique name.

  • Page 69: Configuring A Sa Using Ike Main Mode

    Configuring a SA Using IKE Main Mode. The most common configuration scenarios will use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate required parameters.

  • Page 70: Configuring A Sa Using Ike Aggressive Mode

    Table 6-1. Security Association Main Mode Configuration Fields: Pre-Shared Key: Specify the key. Any value is acceptable, provided the remote VPN endpoint has the same value in its Pre-Shared Key field. Key Life: The default is 3600 seconds (one hour).

  • Page 71: Configuring A Sa Using Manual Key Management

    The Security Association IKE Aggressive Mode fields are defined in the following table. Table 6-1. Security Association Aggressive Mode Configuration Fields: Secure Association: Choose Aggressive Mode key exchange mode for this VPN tunnel: •...

  • Page 72

    (Figure 6-5: IKE - VPN Settings Manual Key Configuration Menu.) The Manual Keys configuration fields are defined in the following table. Table 6-1. VPN Manual Keys Configuration Fields: Secure Association: Choose Manual Keys key exchange mode for this VPN tunnel: •...

  • Page 73: Planning A Vpn

    These topics are discussed below. Note: NETGEAR will publish additional interoperability scenarios with various gateway and client software products. Look on the NETGEAR web site at www.netgear.com/docs/ for the HTML version of this manual. When you set up a VPN, it is helpful to plan the network configuration and record the configuration parameters on a worksheet.

  • Page 74

    • Will the local end be any device on the LAN, a portion of the local network (as defined by a subnet or by a range of IP addresses), or a single PC? •...

  • Page 75: How To Configure A Network To Network Vpn Tunnel

    How to Configure a Network to Network VPN Tunnel. (Figure 6-6: LAN to LAN VPN access, FVS318 to FVS318 over a VPN Tunnel.) Follow this procedure to configure a VPN tunnel between two FVS318 VPN Firewalls. The worksheet below shows the settings for this example.

  • Page 76

    Note: The LAN IP address ranges of each connected network must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. This procedure uses the settings in the configuration worksheet above. A blank worksheet you...

  • Page 77

    Reboot all computers on network A and log back in to FVS318 A at the new address of http://192.168.3.1. The network configuration should now look like this: (figure: VPN Tunnel between FVS318 A and FVS318 B; addresses shown: 10.0.0.1, 24.0.0.1)...

  • Page 78

    For each FVS318, fill in the Connection Name VPN settings as illustrated above. • The Connection Names can be the same: VPNAB • Local IPSec Identifier name in the FVS318 on LAN A: LAN_A. Note: The IPSec names must be unique in this VPN network.

  • Page 79

    The IKE settings for each end point of the VPN tunnel must match exactly. To configure the IKE settings, enter the following settings in each FVS318: • Enable Perfect Forward Secrecy. •...

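As an added example (not code from the NETGEAR manual), a Python check that applies the rules this procedure states to a pair of FVS318 tunnel configurations: the LAN ranges must differ, the IPSec identifiers must be unique and name each other, the IKE settings must match exactly, and a dynamically addressed side that its peer knows only as 0.0.0.0 (no FQDN) must initiate. The Endpoint fields, the pre-shared key value and the assignment of 10.0.0.1 and 24.0.0.1 to gateways A and B are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Endpoint:
    """One end of the tunnel, as entered in the FVS318 VPN Settings menu (assumed fields)."""
    name: str               # label for messages, e.g. "FVS318 A"
    connection_name: str    # may be the same at both ends (VPNAB in the manual)
    local_ipsec_id: str     # must be unique within the VPN
    remote_ipsec_id: str    # must equal the peer's local_ipsec_id
    lan: str                # local LAN in CIDR form
    wan_ip: str             # "0.0.0.0" if assigned dynamically
    remote_wan_ip: str      # peer's WAN address, "0.0.0.0", or an FQDN
    pfs: bool               # Perfect Forward Secrecy enabled
    encryption: str         # DES, 3DES or AES
    authentication: str     # MD5 or SHA-1
    pre_shared_key: str
    key_life: int = 3600    # seconds; the manual's default is one hour


IKE_FIELDS = ("pfs", "encryption", "authentication", "pre_shared_key", "key_life")


def looks_like_fqdn(value: str) -> bool:
    """Anything that is not an IP literal is treated as a fully qualified domain name."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return True


def check_tunnel(a: Endpoint, b: Endpoint) -> list:
    """Return the rule violations for the pair; an empty list means the pair is consistent."""
    problems = []
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if lan_a.overlaps(lan_b):   # the manual: the connection fails if both use 192.168.0.x
        problems.append(f"LAN ranges overlap: {a.lan} and {b.lan}")
    if a.local_ipsec_id == b.local_ipsec_id:
        problems.append(f"IPSec identifier {a.local_ipsec_id!r} is used at both ends")
    for side, peer in ((a, b), (b, a)):
        if side.remote_ipsec_id != peer.local_ipsec_id:
            problems.append(f"{side.name}: remote IPSec identifier {side.remote_ipsec_id!r} "
                            f"does not match {peer.name}'s local identifier {peer.local_ipsec_id!r}")
        # A fixed remote WAN address must be the peer's real WAN address.
        if (side.remote_wan_ip != "0.0.0.0" and not looks_like_fqdn(side.remote_wan_ip)
                and side.remote_wan_ip != peer.wan_ip):
            problems.append(f"{side.name}: remote WAN {side.remote_wan_ip} is not "
                            f"{peer.name}'s WAN address {peer.wan_ip}")
    for fld in IKE_FIELDS:   # IKE settings must match exactly at both ends
        if getattr(a, fld) != getattr(b, fld):
            problems.append(f"IKE setting {fld!r} differs: {getattr(a, fld)!r} vs {getattr(b, fld)!r}")
    if not a.pfs:
        problems.append("Perfect Forward Secrecy is not enabled")
    if not a.pre_shared_key:
        problems.append("pre-shared key is empty")
    return problems


def must_initiate(side: Endpoint, peer: Endpoint) -> bool:
    """A dynamically addressed side that its peer can only configure as 0.0.0.0 has to
    initiate every connection, because the peer has no address to connect to."""
    return side.wan_ip == "0.0.0.0" and peer.remote_wan_ip == "0.0.0.0"


def variant(endpoint: Endpoint, **changes) -> Endpoint:
    """Copy an endpoint with some fields changed (handy for what-if checks)."""
    return replace(endpoint, **changes)


# Constructed sample using the manual's worksheet names; the WAN addresses
# 10.0.0.1 and 24.0.0.1 are assumed to belong to A and B respectively.
GATEWAY_A = Endpoint("FVS318 A", "VPNAB", "LAN_A", "LAN_B", "192.168.3.0/24",
                     "10.0.0.1", "24.0.0.1", True, "3DES", "SHA-1", "example-psk")
GATEWAY_B = Endpoint("FVS318 B", "VPNAB", "LAN_B", "LAN_A", "192.168.0.0/24",
                     "24.0.0.1", "10.0.0.1", True, "3DES", "SHA-1", "example-psk")

if __name__ == "__main__":
    print(check_tunnel(GATEWAY_A, GATEWAY_B))          # [] when both ends agree
    broken = variant(GATEWAY_B, lan="192.168.3.0/24", pfs=False, authentication="MD5")
    for problem in check_tunnel(GATEWAY_A, broken):
        print("-", problem)
```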
  • Page 80: How To Configure A Remote Pc To Network Vpn

    Note: If your situation is different, for example, if your remote PC is connected through a simple cable/DSL router, or if you wish to use different VPN client software, please refer to NETGEAR's web site for additional VPN applications information.

  • Page 81

    The worksheet below identifies the parameters used in the procedure below. A blank worksheet is “PC to Network IKE VPN Tunnel Settings Configuration Worksheet” on page 6-32. Table 6-2: PC to Network IKE VPN Tunnel Settings Configuration Worksheet. IKE Security Association Settings: Connection Name: VPNLANPC...

  • Page 82

    (Figure 6-13: VPN Edit menu for connecting with a VPN client.) Fill in the Connection Name VPN settings as illustrated. • Connection Name: VPNLANPC • Local IPSec Identifier: LANAPCIPSEC. Note: This IPSec name must not be used in any other SA in this VPN network. •...

  • Page 83

    • Remote WAN IP Address: 0.0.0.0 since the remote PC has a dynamically assigned IP address. Alternatively, you could use the FQDN of the PC. Note: If one side has a dynamic IP address and you do not use FQDN, that side must always initiate the connection.

  • Page 84

    (Figure 6-14: Security Policy Editor New Connection.) Add a new connection: • Run the SafeNet Security Policy Editor program and, using the “PC to Network IKE VPN Tunnel Settings Configuration Worksheet” on page 6-17, create a VPN Connection.

  • Page 85

    Configure the Security Policy in the SafeNet VPN Client Software. • In the Network Security Policy list, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings appear below the connection name.

  • Page 86

    Configure the Global Policy Settings. Figure 6-16: Security Policy Editor Global Policy Options • From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings. •...

  • Page 87

    Figure 6-17: Security Policy Editor My Identity • Choose None in the Select Certificate menu. • Select IP Address in the ID Type menu. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box.

  • Page 88

    • Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication. • In the Authentication Method menu, select Pre-Shared key. •...

  • Page 89

    3. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the FVS318’s network by using the “Connect” option in the SafeNet menu bar. The SafeNet client will report the results of the attempt to connect.

  • Page 90: Monitoring The Pc Vpn Connection Using Safenet Tools

    Monitoring the PC VPN Connection Using SafeNet Tools Information on the progress and status of the VPN client connection can be viewed by opening the SafeNet Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then SafeNet SoftRemote, then either the Connection Monitor or Log Viewer.

  • Page 91

    • The FVS318 has a public IP WAN address of 134.177.100.11 • The FVS318 has a LAN IP address of 192.168.0.1 • The VPN client PC has a dynamically assigned address of 12.236.5.184 •...

  • Page 92: How To Configure Manual Keys As An Alternative To Ike

    How to Configure Manual Keys as an Alternative to IKE As an alternative to IKE, you may use Manual Keying, in which you must specify each phase of the connection. Follow the steps to configure Manual Keying. When editing an entry in the VPN Settings menu table, you may select manual keying.

  • Page 93

    The SPI should be a string of hexadecimal [0-9,A-F] characters, and should not be used in any other Security Association. Note: For simplicity or troubleshooting, the Incoming and Outgoing SPI can be identical. For Encryption Protocol, select one: Figure 6-23: VPN encryption options •...

  • Page 94: How To Delete A Security Association

    Click the NETBIOS Enable check box to allow NETBIOS over the VPN tunnel. Click Apply to update the SA in the VPN Settings table. How to Delete a Security Association To delete a security association: Log in to the Firewall.

  • Page 95: Blank Vpn Tunnel Configuration Worksheets

    Blank VPN Tunnel Configuration Worksheets The blank configuration worksheets below are provided to aid you in collecting and recording the parameters used in the VPN configuration procedure. Table 6-3: Network to Network IKE VPN Tunnel Configuration Worksheet IKE Tunnel Security Association Settings Connection Name: Pre-Shared Key:...

  • Page 96

    Table 6-4: PC to Network IKE VPN Tunnel Settings Configuration Worksheet IKE Tunnel Security Association Settings Connection Name: Pre-Shared Key: Secure Association -- Main Mode, Aggressive Mode, or Manual Keys: Perfect Forward Secrecy: Encryption Protocol -- Null, DES, 3DES, or AES -128, -192, or -256: Key Life in seconds:...

  • Page 97

    Chapter 7 Managing Your Network This chapter describes how to perform network management tasks with your FVS318 Broadband ProSafe VPN Firewall. Network Management Information The FVS318 provides a variety of status and usage information, which is discussed below. Viewing Router Status and Usage Statistics From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 7-1.

  • Page 98

    The Router Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, under Maintenance, select Router Status to view the status screen, shown in Figure 7-1.

  • Page 99

    Click on the “Show Statistics” button to display firewall usage statistics, as shown in Figure 7-2 below: Figure 7-2. Router Statistics screen This screen shows the following statistics: Table 7-2. Router Statistics Fields Field Description...

  • Page 100: Viewing Attached Devices

    Viewing Attached Devices The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown in Figure 7-3. Figure 7-3: Attached Devices menu...

  • Page 101: Viewing, Selecting, And Saving Logged Information

    Viewing, Selecting, and Saving Logged Information The firewall will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tried to access a blocked site.

  • Page 102: Selecting What Information To Log

    Log entries are described in Table 7-5. Table 7-5: Security Log entry descriptions • Date and Time: The date and time the log entry was recorded. • Description or Action: The type of event and what action was taken, if any. • Source IP: The IP address of the initiating device for this log entry.

  • Page 103: Saving Log Files On A Server, Examples Of Log Messages, Activation And Administration, Dropped Packets

    Following are examples of log messages. In all cases, the log entry shows the timestamp as: Day, Year-Month-Date Hour:Minute:Second Activation and Administration Tue, 2002-05-21 18:48:39 - NETGEAR activated [This entry indicates a power-up or reboot with initial time entry.] Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2 Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2...
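The entry format quoted above (Day, Year-Month-Date Hour:Minute:Second - message) is simple enough to parse offline once the log has been saved or mailed from the firewall. The following is an added example, not code from the NETGEAR manual: it reads such lines, counts reboots ("NETGEAR activated"), lists successful administrator logins whose source is outside the firewall's default 192.168.0.0/24 LAN, and flags entries whose printed weekday does not match the date. The sample log lines are constructed from the message texts on this page.

```python
"""Parse FVS318 security log lines and summarise administrator activity.

Added example, not part of the NETGEAR manual. Line format and message texts
("NETGEAR activated", "Administrator login successful - IP:...",
"Administrator logout - IP:...") follow the manual's page 103; 192.168.0.0/24
is the firewall's default LAN. SAMPLE_LOG is constructed for this example.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Entry format: Day, Year-Month-Date Hour:Minute:Second - message
LINE_RE = re.compile(
    r"^(?P<dow>[A-Z][a-z]{2}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<msg>.+)$"
)
# Administrator login/logout entries carry the source IP after "IP:"
ADMIN_RE = re.compile(
    r"^Administrator (?P<action>login successful|logout) - IP:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
DEFAULT_LAN = ip_network("192.168.0.0/24")

# Constructed sample: two entries copied from the manual's examples, one logout
# with a weekday that does not match the date, one login from a WAN-side host,
# a second reboot, and a line that is not an FVS318 entry at all.
SAMPLE_LOG = """\
Tue, 2002-05-21 18:48:39 - NETGEAR activated
Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2
Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2
Tue, 2002-05-21 19:02:11 - Administrator login successful - IP:203.0.113.7
Tue, 2002-05-21 19:10:45 - NETGEAR activated
garbage line that does not match the FVS318 format
"""


def parse_entry(line):
    """Return {dow, ts, msg} for one FVS318 log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return {"dow": m.group("dow"), "ts": ts, "msg": m.group("msg")}


def parse_log(text):
    """Parse every recognisable entry; lines in another format are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def clock_inconsistencies(entries):
    """Entries whose printed weekday disagrees with the date (a clock or time-zone problem)."""
    return [e for e in entries if e["ts"].strftime("%a") != e["dow"]]


def reboot_count(entries):
    """'NETGEAR activated' marks a power-up or reboot."""
    return sum(1 for e in entries if e["msg"] == "NETGEAR activated")


def admin_events(entries):
    """Administrator login/logout events with their parsed source address."""
    out = []
    for e in entries:
        m = ADMIN_RE.match(e["msg"])
        if m:
            out.append({"ts": e["ts"], "action": m.group("action"),
                        "ip": ip_address(m.group("ip"))})
    return out


def logins_outside_lan(entries, lan=DEFAULT_LAN):
    """Successful administrator logins not sourced from the LAN.

    With remote management disabled these should never appear; with it enabled
    they are the entries to compare against the expected management hosts.
    """
    return [ev for ev in admin_events(entries)
            if ev["action"] == "login successful" and ev["ip"] not in lan]


def summarise(text, lan=DEFAULT_LAN):
    """One-shot summary of a saved FVS318 log."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "reboots": reboot_count(entries),
        "admin_events": len(admin_events(entries)),
        "outside_lan_logins": [str(ev["ip"]) for ev in logins_outside_lan(entries, lan)],
        "clock_inconsistencies": len(clock_inconsistencies(entries)),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```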

  • Page 104: Enabling Security Event E-mail Notification

    Enabling Security Event E-mail Notification In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading: Figure 7-7: E-mail menu • Turn e-mail notification on Check this box if you wish to receive e-mail logs and alerts from the firewall.

  • Page 105: Backing Up, Restoring, Or Erasing Your Settings

    • Your outgoing mail server Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program.

  • Page 106: How To Restore A Configuration From A File

    From the Maintenance heading of the Main Menu, click the Settings Backup link to display the menu seen in Figure 7-8. Figure 7-8: Settings Backup menu Click Backup to save a copy of the current settings. Store the file on a computer on your network.

  • Page 107: How To Erase The Configuration, Running Diagnostic Utilities And Rebooting The Router

    How to Erase the Configuration It is sometimes desirable to restore the firewall to the factory default settings. This can be done by using the Erase function. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen.

  • Page 108: How To Enable Remote Management

    Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your NETGEAR Cable/DSL ProSafe VPN Firewall. Note: Be sure to change the router's default password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols.

  • Page 109: How To Upgrade The Router's Firmware

    The software of the FVS318 VPN Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the firewall.

  • Page 110

    Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the firewall.

  • Page 111

    Chapter 8 Troubleshooting This chapter gives information about troubleshooting your FVS318 Broadband ProSafe VPN Firewall. For the common problems listed, go to the section indicated. • Is the firewall on? • Have I connected the firewall correctly? Go to “Basic Functions”...

  • Page 112: Power Led Not On, Test Led Never Turns On Or Test Led Stays On

    • Check that you are using the 12VDC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.

  • Page 113: Troubleshooting The Web Configuration Interface

    • Make sure that power is turned on to the connected hub or PC. • Be sure you are using the correct cable: — When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem.

  • Page 114: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: Launch your browser and select an external site such as www.netgear.com Access the Main Menu of the firewall’s configuration at http://192.168.0.1 Under the Maintenance heading, select Router Status Check that an IP address is shown for the WAN Port If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.

  • Page 115: Troubleshooting A Tcp/ip Network Using A Ping Utility

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the firewall’s configuration, reboot your PC and verify the DNS address as described in “DHCP...

  • Page 116: Testing The Lan Path To Your Firewall

    Testing the LAN Path to Your Firewall You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later: From the Windows toolbar, click on the Start button and select Run.

  • Page 117: Restoring The Default Configuration And Password

    PING -n 10 <IP address> where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies: —...

  • Page 118: Problems With Date And Time

    Turn the firewall off. While pressing the Default Reset button, turn the firewall on. Keep holding the button until the TEST LED turns off (about 10 seconds later), then blinks (about 20 seconds total).

  • Page 119

    Appendix A Technical Specifications Technical Specifications The technical specifications for the FVS318 Broadband ProSafe VPN Firewall are presented in the following table. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input United Kingdom, Australia:...

  • Page 120

    Electromagnetic Emissions Meets requirements of: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B Interface Specifications Local: 10BASE-T or 100BASE-Tx, RJ-45 Internet: 10BASE-T or 100BASE-Tx, RJ-45

  • Page 121

    Appendix B Networks, Routing, and Firewall Basics This chapter provides an overview of IP networks, routing, and firewalls. Related Publications As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.

  • Page 122

    Routing Information Protocol One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table.

  • Page 123

    Figure B-1: Three Main Address Classes The five address classes are: • Class A: Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number.

  • Page 124

    This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.

  • Page 125

    Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes.

  • Page 126

    The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits.

  • Page 127

    Table B-2. Netmask Formats: 255.255.255.254, 255.255.255.255. NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons: • So that hosts recognize local IP broadcast packets When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.

  • Page 128

    Single IP Address Operation Using NAT In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router.

  • Page 129

    Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...

  • Page 130

    When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.

  • Page 131

    What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.

  • Page 132

    Table B-1. UTP Ethernet cable wiring, straight-through (wire color: signal) • Orange/White: Transmit (Tx) + • Orange: Transmit (Tx) - • Green/White: Receive (Rx) + • Blue • Blue/White • Green: Receive (Rx) - • Brown/White • Brown. Category 5 Cable Quality Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:...

  • Page 133

    Inside Twisted Pair Cables For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device.

  • Page 134

    Figure B-6: Category 5 UTP Cable with Male RJ-45 Plug at Each End Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.

  • Page 135

    The FVS318 VPN Firewall incorporates Auto Uplink technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub).

  • Page 137

    Appendix C Preparing Your Network This appendix describes how to prepare your network to connect to the Internet through the FVS318 Broadband ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of...

  • Page 138

    • All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided with your operating system or networking software to install TCP/IP on your computer. In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address.

  • Page 139

    You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

  • Page 140

    If you need Client for Microsoft Networks: Click the Add button. Select Client, and then click Add. Select Microsoft. Select Client for Microsoft Networks, and then click OK. Restart your PC for the changes to take effect. Enabling DHCP to Automatically Configure TCP/IP Settings After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network.

  • Page 141

    • Verify the following settings as shown: – Client for Microsoft Network exists – Ethernet adapter is present – TCP/IP is present – Primary Network Logon is set to Windows logon •...

  • Page 142

    • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it.

  • Page 143

    From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...

  • Page 144

    DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4 You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.

  • Page 145

    • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. Administrator logon access rights are needed to use this window.

  • Page 146

    • Verify that the Obtain an IP address automatically radio button is selected. • Verify that the Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP.

  • Page 147

    • Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. •...

  • Page 148

    • With Internet Protocol (TCP/IP) selected, click on the Properties button to open the Internet Protocol (TCP/IP) Properties dialog box. • Verify that – Obtain an IP address automatically is selected. –...

  • Page 149

    DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. •...

  • Page 150

    • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button. • The TCP/IP Properties dialog box now displays. • Click the IP Address tab. •...

  • Page 151

    Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 •...

  • Page 152

    The TCP/IP Control Panel opens: From the “Connect via” box, select your Macintosh’s Ethernet interface. From the “Configure” box, select Using DHCP Server. You can leave the DHCP Client ID box empty. Close the TCP/IP Control Panel.

  • Page 153

    TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: •...

  • Page 154

    Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.

  • Page 155

    • An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses •...

  • Page 156

    If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address. Select the DNS Configuration tab.

  • Page 157

    Restarting the Network Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall. Turn off the modem, router, and PCs.

  • Page 159

    Appendix D Virtual Private Networking There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.

  • Page 160

    • Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.

  • Page 161

    • Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. • Authentication Header (AH): Provides authentication and integrity. • Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

  • Page 162

    The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.

  • Page 163

    Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.

  • Page 164

    This document provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.

  • Page 165

    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.

  • Page 166

    It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct. Table D-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing Gateway LAN or WAN VPNC Example Address...

  • Page 167

    Figure D-5: VPN Tunnel SA The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.

  • Page 168

    IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.

  • Page 169

    LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the Netgear gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...

  • Page 170

    • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.

  • Page 171

    NETGEAR VPN Configuration of FVS318 or FVM318 to FVL328 This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR FVS318 or FVM318 to a FVL328. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).

  • Page 172

    Figure E-1: Addressing and Subnets Used for Examples (addresses shown: 10.5.6.1, 172.23.9.1) Note: Product updates are available on the NETGEAR web site at www.netgear.com/support/main.asp. Documentation updates are available on the NETGEAR, Inc. web site at www.netgear.com/docs. Step-By-Step Configuration of FVS318 or FVM318 Gateway A Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.

  • Page 173

    NETGEAR devices. For this example we have used toFVL328. – Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used 14.15.16.17 as the local identifier.

  • Page 174

    Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field. Figure E-3: NETGEAR FVS318 vA1.4 VPN Settings (part 2) – Main Mode – From the Secure Association drop-down box, select Main Mode.

  • Page 175

    Step-By-Step Configuration of FVL328 Gateway B Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1...

  • Page 176

    From the Remote Identity drop-down box, select Remote WAN IP (WAN IP address will automatically be populated into the Local Identity Data field after policy is applied). Figure E-5: NETGEAR FVL328 v1.4 IKE Policy Configuration – Part 2 – From the Encryption Algorithm drop-down box, select 3DES.

  • Page 177

    This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN – Auto Policy. Figure E-7: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 1) – Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint.

  • Page 178

    Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field. Figure E-8: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 2) – From the Traffic Selector Remote IP drop-down box, select “Subnet addresses”.

  • Page 179

    From a PC behind the NETGEAR FVS318 or FVM318 gateway A, attempt to ping the remote FVS318 gateway B LAN Interface address (example address 172.23.9.1). Note: You can run ping tests from the Diagnostics link on the NETGEAR main menu or from a DOS prompt on a PC.

  • Page 180

    13:19:48 - FVS318 IKE:[toFVL328] established with 22.23.24.25 successfully
    13:19:48 - FVS318 IPsec:inserting event EVENT_SA_REPLACE, timeout in 3540 seconds for #2
    13:19:48 - FVS318 IPsec:STATE_QUICK_I2: sent QI2, IPsec SA established
    End of Log ----------
    E-10 NETGEAR VPN Configuration of FVS318 or FVM318 to FVL328 M-10146-01...

  • Page 181

    FVS318 or FVM318 to Cisco IOS This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR FVS318 or FVM318 to a Cisco IOS VPN product. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).

  • Page 182

    Figure F-1: Addressing and Subnet Used for Examples (figure labels 10.5.6.1 and 172.23.9.1). Note: Product updates are available on the NETGEAR web site at www.netgear.com/support/main.asp. Documentation updates are available on the NETGEAR, Inc. web site at www.netgear.com/docs. Step-By-Step Configuration of FVS318 or FVM318 Gateway A Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.

  • Page 183

    NETGEAR devices. For this example we have used “toCiscoIOS”. – Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used 22.23.24.25 as the local identifier.

  • Page 184

    Type the WAN IP address (14.15.16.17 in our example) of Gateway A in the Remote WAN IP or FQDN field. Figure F-3: NETGEAR FVS318 vA1.4 VPN Settings (part 2) – Main Mode – From the Secure Association drop-down box, select Main Mode.

  • Page 185

    14.15.16.17. The address used is the WAN address of Gateway A in the example at the beginning of this tech note. Create a transform set by typing crypto ipsec transform-set netgear esp-3des esp-sha-hmac. Create an IPSec policy by typing crypto map netgearmap 10 ipsec-isakmp at the command prompt.

  • Page 186

    10 ipsec-isakmp
     description vpn tunnel to netgear firewall router
     set peer 14.15.16.17
     set transform-set netgear
     set pfs group5
     match address 115

  • Page 187

    172.23.9.1 0.0.0.15 10.5.6.0 0.0.0.255
    !
    route-map NONAT permit
     match ip address 110
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password pctg5tcd3
     login
    !
    no scheduler allocate
    end

  • Page 188

    From a PC behind the NETGEAR Gateway A, attempt to ping the remote Cisco IOS Gateway B LAN Interface address (example address 172.23.9.1). Note: You can run ping tests from the Diagnostics link of the NETGEAR main menu or from a DOS prompt on a PC.

  • Page 189

    Thur, 04/24/2003 13:19:48 - FVS318 IPsec:****Install OUTBOUNDSA:
    Thur, 04/24/2003 13:19:48 - FVS318 IPsec: ESP(3DES-CBC SHA-1)
    Thur, 04/24/2003 13:19:48 - FVS318 IPsec:****Install INBOUND SA:
    Thur, 04/24/2003 13:19:48 - FVS318 IPsec: ESP(3DES-CBC SHA-1)

  • Page 190

    Thur, 04/24/2003 13:19:48 - FVS318 IPsec:inserting event EVENT_SA_REPLACE, timeout in 3540 seconds for #2
    Thur, 04/24/2003 13:19:48 - FVS318 IPsec:STATE_QUICK_I2: sent QI2, IPsec SA established
    End of Log ----------

  • Page 191

    FVS318 or FVM318 with FQDN to FVL328 This appendix is a case study on how to configure a VPN tunnel from a NETGEAR FVS318 or FVM318 to a FVL328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers.

  • Page 192

    Figure G-1: Addressing and Subnet Used for Examples (figure label 22.23.24.25). Note: Product updates are available on the NETGEAR web site at www.netgear.com/support/main.asp. Documentation updates are available on the NETGEAR, Inc. web site at www.netgear.com/docs. The Use of a Fully Qualified Domain Name (FQDN) Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing.

  • Page 193

    In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname netgear.dyndns.org for gateway A using the DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN tunnel.

  • Page 194

    – Type the User Name for your dynamic DNS account. In this example we used netgear as the Host Name. This means that the complete FQDN we are using is netgear.dyndns.org and your Host Name is “netgear.”...

  • Page 195

    NETGEAR devices. For this example we have used toFVL328. – Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used netgear.dyndns.org (the FQDN) as the local identifier.

  • Page 196

    Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field. Figure G-4: NETGEAR FVS318 vA1.4 VPN Settings (part 2) – Main Mode – From the Secure Association drop-down box, select Main Mode.

  • Page 197

    Step-By-Step Configuration of FVL328 Gateway B Log in to the NETGEAR FVL328 labeled Gateway B as in the illustration. Out of the box, the FVL328 is set for its default LAN address of http://192.168.0.1...

  • Page 198

    Figure G-6: NETGEAR FVL328 v1.4 IKE Policy Configuration – Part 2 – From the Encryption Algorithm drop-down box, select 3DES. – From the Authentication Algorithm drop-down box, select MD5. –...

  • Page 199

    Figure G-8: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 1) – Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name. In the Policy Name field type to318.

  • Page 200

    Figure G-9: NETGEAR FVL328 VPN v1.4 – Auto Policy (part 2) – From the Traffic Selector Remote IP drop-down box, select “Subnet addresses”. – Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.

  • Page 201

    Figure G-10: NETGEAR FVL328 v1.4 VPN Policies Menu (Post Configuration) When the screen returns to the VPN Policies, make sure the Enable checkbox is selected. Click the Apply button.

  • Page 202

    FVL328 gateway B LAN Interface address (example address 172.23.9.1). Note: You can run ping tests from the NETGEAR main menu or from a DOS prompt on a PC. From a PC behind the FVL328 gateway B, attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address (example address 10.5.6.1).

  • Page 203

    Glossary Use the list below to find definitions for technical terms used in this manual. Numeric 3DES 3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys. 10BASE-T The IEEE specification for 10 Mbps Ethernet over Category 3, 4, or 5 twisted-pair cable.

  • Page 204

    Advanced Network Device Layer/Software Term for the Device Driver level. AES Advanced Encryption Standard, a symmetric 128-bit block data encryption technique. It is an iterated block cipher with a variable block length and a variable key length. The block length and the key length can be independently specified to 128, 192 or 256 bits. The U.S. government adopted the algorithm as its encryption technique in October 2000, replacing the DES encryption it used.

  • Page 205

    Bandwidth The information capacity, measured in bits per second, that a channel could transmit. Bandwidth examples include 10 Mbps for Ethernet, 100 Mbps for Fast Ethernet, and 1000 Mbps (1 Gbps) for Gigabit Ethernet. Baud The signaling rate of a line, that is, the number of transitions (voltage or frequency changes) made per second.

  • Page 206

    .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain. Denial of Service (DoS) A hacker attack designed to prevent your computer or network from operating or communicating.

  • Page 207

    DSLAM DSL Access Multiplexor. The piece of equipment at the telephone company central office that provides the ADSL signal. DHCP Dynamic Host Configuration Protocol. DHCP is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network.

  • Page 208

    Full-duplex A system that allows packets to be transmitted and received at the same time and, in effect, doubles the potential throughput of a link. Gateway A local device, usually a router, that connects hosts on a local network to other networks. Half-duplex A system that allows packets to be transmitted and received, but not at the same time.

  • Page 209

    ICMP Internet Control Message Protocol. ICMP is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection. IP Internet Protocol. The method or protocol by which data is sent from one computer to another on the Internet.

  • Page 210

    ISP Internet service provider. LAN See “Local Area Network” on page 8. LDAP See “Lightweight Directory Access Protocol” on page 8. Lightweight Directory Access Protocol A set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler.

  • Page 211

    Maximum Receive Unit The size in bytes of the largest packet that can be sent or received. Maximum Transmit Unit The size in bytes of the largest packet that can be sent or received. Mbps Megabits per second.

  • Page 212

    NetBIOS Network Basic Input Output System. An application programming interface (API) for sharing services and information on local-area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length. netmask Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.

  • Page 213

    PKIX PKIX. The most widely used standard for defining digital certificates. PPP Point-to-Point Protocol. A protocol allowing a computer using TCP/IP to connect directly to the Internet. PPPoA PPPoA.

  • Page 214

    QoS See “Quality of Service” on page 12. Quality of Service QoS is a networking term that specifies a guaranteed level of throughput. Throughput is the amount of data transferred from one device to another or processed in a specified amount of time; typically, throughputs are measured in bytes per second (Bps).

  • Page 215

    SSID A Service Set Identification is a thirty-two character (maximum) alphanumeric key identifying a wireless local area network. For the wireless devices in a network to communicate with each other, all devices must be configured with the same SSID.

  • Page 216

    VPN Virtual Private Network. A method for securely transporting data between two private networks by using a public network such as the Internet as a connection. WAN See “Wide Area Network” on page 14. Also known as World-Wide Web (WWW) or W3.

  • Page 219

    Index Account Name 3-9, 3-10, 3-14; ActiveX 4-3; Address Resolution Protocol B-9; Addressing D-7; Authentication Header (AH) D-3, D-4; Auto MDI/MDI-X B-15, G-2; Auto Uplink 2-3, B-15, G-2; date and time 8-8; Daylight Savings Time 4-11, 8-8; daylight savings time 4-11; Default DMZ Server 5-1; Denial of Service (DoS) protection 2-2, 4-3; denial of service attack B-11...

  • Page 220

    firewall features 2-2; FLASH memory 7-13; FQDN 6-10, 6-14, 6-19; front panel 2-5; fully qualified domain name (FQDN) 6-2; gateway address C-20; Half Life 5-4; host name 3-9, 3-10, 3-14; IPSec D-1; IPSec Components D-2; IPSec SA negotiation D-9; IPSec Security Features D-2; Java 4-3; KALI 5-4; Key Life 6-15, 6-19; LAN IP Setup Menu 5-6, 5-10, 6-12...

  • Page 221

    NAT C-18; NAT. See Network Address Translation; netmask: translation table B-6; Network Address Translation 2-3, B-8, C-18; Network Time Protocol 4-10, 8-8; NTP 4-10, 8-8; requirements: access device 3-1, hardware 3-1; Reserved IP Addresses 5-9; restore factory settings 7-11; 1466 B-7, B-9; 1597 B-7, B-9; 1631 B-8, B-9; finding B-7...

  • Page 222

    Telstra 3-8, 3-15; Testing and Troubleshooting D-11; time of day 8-8; time zone 4-11; timeout, administrator login 4-2; time-stamping 4-11; Transport Mode D-5; troubleshooting 8-1; Trusted Host 4-5; Tunnel Mode D-5; typographical conventions 1-2; Uplink switch B-14; UPnP 5-5; URL 4-4; USB C-18; VPN 2-1, D-1; VPN Consortium D-6...
