Configuring Vpn Policies - NETGEAR ProSafe FVS336Gv2 Reference Manual

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

Configuring VPN Policies

You can create two types of VPN policies. When using the VPN Wizard to create a VPN
policy, only the Auto method is available.
• Manual. All settings (including the keys) for the VPN tunnel are manually entered at each
end (both VPN Endpoints). No third-party server or organization is involved.
• Auto. Some parameters for the VPN tunnel are generated automatically by using the IKE
(Internet Key Exchange) protocol to perform negotiations between the two VPN
Endpoints (the Local ID Endpoint and the Remote ID Endpoint).
In addition, a Certificate Authority (CA) can also be used to perform authentication (see
"Managing Certificates"
certificate from the CA. For each certificate, there is both a public key and a private key. The
public key is freely distributed, and is used by any sender to encrypt data intended for the
receiver (the key owner). The receiver then uses its private key to decrypt the data (without
the private key, decryption is impossible). The use of certificates for authentication reduces
the amount of data entry required on each VPN endpoint.
The VPN Policies Screen
The VPN Policies screen (see ) allows you to add additional policies—either Auto or
Manual—and to manage the VPN policies already created. You can edit policies, enable or
disable policies, or delete them entirely. The rules for VPN policy use are:
1. Traffic covered by a policy will automatically be sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy will be used. (In
this situation, the order of the policies is important. However, if you have only one policy
for each remote VPN Endpoint, then the policy order is not important.)
3. The VPN tunnel is created according to the parameters in the SA (Security Association).
4. The remote VPN endpoint must have a matching SA, or it will refuse the connection.
Only one client policy may configured at a time (noted by an "*" next to the policy name). The
List of VPN Policies table contains the following fields:
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle).
To Enable or Disable a Policy, check the box adjacent to the circle and click Enable or
Disable, as required.
• Name. Each policy is given a unique name (the Connection Name when using the VPN
Wizard).
• Type. The type is "Auto" or "Manual" as described previously (Auto is used during VPN
Wizard configuration).
• Local. IP address (either a single address, range of address or subnet address) on your
local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (The
subnet address is supplied as the default IP address when using the VPN Wizard).
• Remote. IP address or address range of the remote network. Traffic must be to (or from)
these addresses to be covered by this policy. (The VPN Wizard default requires the
remote LAN IP address and subnet mask).
on page 124). To use a CA, each VPN gateway must have a
Chapter 5: Virtual Private Networking Using IPsec | 85