Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual. NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA. Phone 1-888-NETGEAR. Document 202-10031-01, May 2004.
EN 55 022 Declaration of Conformance This is to certify that the FVS328 ProSafe VPN Firewall with Dial Back-up is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).
Read instructions for correct handling. Technical Support Refer to the Support Information Card that shipped with your FVS328 ProSafe VPN Firewall with Dial Back-up. World Wide Web NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com.
What’s in the Box? ...2-5 The Firewall’s Front Panel ...2-5 The Firewall’s Rear Panel ...2-7 Chapter 3 Connecting the FVS328 to the Internet What You Will Need Before You Begin ...3-1 LAN Hardware Requirements ...3-1 LAN Configuration Requirements ...3-1 Internet Configuration Requirements ...3-2 Where Do I Get the Internet Configuration Parameters? ...3-2...
Worksheet for Recording Your Internet Connection Information ...3-3 Connecting the FVS328 to Your LAN ...3-4 How to Connect the FVS328 to Your LAN ...3-4 Configuring a Wizard-Detected Login Account ...3-8 Configuring a Wizard-Detected Dynamic IP Account ...3-9 Configuring a Wizard-Detected Fixed IP (Static) Account ...3-10 How to Configure the Serial Port for an Internet Connection ...3-10...
Static Route Example ...5-7 How to Configure Static Routes ...5-8 Chapter 6 Protecting Your Network Protecting Access to Your FVS328 Firewall ...6-1 How to Change the Built-In Password ...6-1 How to Change the Administrator Login Timeout ...6-2 Configuring Basic Firewall Services ...6-2 Using the Block Sites Menu to Screen Content ...6-3...
How to Use the VPN Wizard to Configure a VPN Tunnel ...7-15 Walk-Through of Configuration Scenarios ...7-17 VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets ...7-18 FVS328 Scenario 1: How to Configure the IKE and VPN Policies ...7-20 How to Check VPN Connections ...7-24 FVS328 Scenario 2: Authenticating with RSA Certificates ...7-25...
Inbound Log ... B-2 Other IP Traffic ... B-2 Router Operation ... B-3 Other Connections and Traffic to this Router ... B-4 DoS Attack/Scan ... B-4 Access Block Site ... B-6 All Web Sites and News Groups Visited ... B-6 System Admin Sessions ...
Domain Name Server ... C-9 IP Configuration by DHCP ... C-10 Internet Security and Firewalls ... C-10 What is a Firewall? ... C-11 Stateful Packet Inspection ... C-11 Denial of Service Attack ... C-11 Ethernet Cabling ... C-12 Uplink Switches and Crossover Cables ... C-12 Cable Quality ...
Configuration Profile ... G-1 Using DDNS and Fully Qualified Domain Names (FQDN) ... G-2 Step-By-Step Configuration of FVS318 or FVM318 Gateway A ... G-3 Step-By-Step Configuration of FVS328 Gateway B ... G-7 Test the VPN Connection ... G-11 Appendix H...
Testing the VPN Connection ... H-14 From the Client PC to the FVS328 ... H-14 From the FVS328 to the Client PC ... H-15 Monitoring the PC VPN Connection ... H-15 Viewing the FVS328 VPN Status and Log Information ... H-16 Glossary Index viii...
This chapter introduces the NETGEAR FVS328 ProSafe VPN Firewall with Dial Back-up manual. Audience This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technology tutorial information is provided in the Appendices and on the NETGEAR Web site.
Typographical Conventions This guide uses the following typographical conventions: Table 1-2. Typographical conventions. italics: Emphasis. bold times roman: User input. [Enter]: Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key.
How to Use this Manual This manual includes both PDF and HTML versions. Use the topics below to identify how to take advantage of these document formats when you need to view or print information from this manual.
How to Print this Manual To print this manual you can choose one of the following several options, according to your needs. • Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the upper right side of the toolbar to print the currently displayed topic.
Network Address Translation (NAT) for security, the FVS328 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FVS328 provides highly reliable Internet access for up to 253 users with up to 50 concurrent VPN tunnels.
A Powerful, True Firewall Unlike simple Internet sharing NAT routers, the FVS328 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: •...
Internet sites. Configurable Auto Uplink™ Ethernet Connection With its internal 8-port 10/100 switch, the FVS328 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the local LAN and the Internet WAN interfaces are 10/100 Mbps, autosensing, and capable of full-duplex or half-duplex operation.
Dynamic DNS services to register your dynamic IP address. See “Dynamic DNS” on page 5-6. Easy Installation and Management You can install, configure, and operate the FVS328 within minutes after connecting it to the network. The following features simplify installation and management tasks: • Browser-based management Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.
The Firewall’s Front Panel The front panel of the FVS328 contains status LEDs. You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall.
Figure 2-1: FVS328 Front Panel. These LEDs are green when lit, except for the TEST LED, which is amber.
The Firewall’s Rear Panel The rear panel of the FVS328 contains the connections identified below. Figure 2-2: FVS328 Rear Panel Viewed from left to right, the rear panel contains the following elements: •...
This chapter describes how to set up the firewall on your Local Area Network (LAN) and connect to the Internet. You can perform basic configuration of your FVS328 ProSafe VPN Firewall with Dial Back-up using the Setup Wizard, or manually configure your Internet connection.
For Macintosh computers, open the TCP/IP or Network control panel. • You may also refer to the FVS328 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in Information”...
Worksheet for Recording Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
Turn off your computer. Turn off your broadband modem. Connect a Cat 5 Ethernet cable from the Internet port of the FVS328 to the broadband modem. Connect the Cat 5 Ethernet cable which came with the firewall from your computer to a Local port on the router.
• Local: A Local light on the router is lit. If no Local lights are lit, check that the Ethernet cable connecting the powered on computer to the router is securely attached at both ends. Connecting the FVS328 to the Internet...
Note: The router user name and password are not the same as any user name or password you may use to log in to your Internet connection. A login window like the one shown below opens:...
Figure 3-3: Setup Wizard. You are now connected to the router. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected devices.
Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
Address to manually type in the MAC address that your ISP expects. Click Apply to save your settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to...
Follow the steps below to configure a serial port Internet connection on your firewall. Connect the Firewall to your ISDN or dial-up modem Turn off your modem and connect the cable from the serial port of the FVS328 to the modem.
From the Setup Basic Settings menu, click Serial Port. Figure 3-4: Serial Internet Connection configuration menu. Fill in the ISDN or analog ISP Internet configuration parameters as appropriate: • For a Dial-up Account, enter the Account information. Check “Connect as required”...
PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FVS328 Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.
Testing Your Internet Connection After completing the Internet connection configuration, you can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the...
Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
Note: Disabling NAT will reboot the router and reset all the FVS328 configuration settings to the factory default. Disable NAT only if you plan to install the FVS328 in a setting where you will be manually administering the IP address space on the LAN side of the router.
PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter it. Click Apply to save your settings. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 9, Troubleshooting.
(WAN), LAN, and serial network interfaces. Note: If you configure the serial port of the FVS328 as the primary Internet connection, you will not be able to configure the other serial port options. For instructions on configuring the serial port as the primary Internet connection, please see Connection“...
Configuring a Serial Port Modem You can configure a serial port modem for any of the features described above. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Click Apply to save your settings. Configuring Auto-Rollover You can configure the serial port of the FVS328 to provide an auto-rollover backup connection for your broadband service. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Click Apply for the changes to take effect. Configuring Dial-in on the Serial Port Dial-in lets a single remote computer connect to the FVS328 through the serial port to gain access to LAN resources or a remote access server. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Basic Requirements for Dial-in Dial-in requires these elements: A broadband connection to the FVS328. An analog phone line. A serial modem properly configured and attached to the DB9 connector on the serial port.
An ISDN or analog phone line with an active ISDN or dial-up ISP account. A serial modem properly configured and attached to the DB9 connector on the serial port. A broadband connection to one FVS328 for LAN-to-LAN auto-rollover Internet access. The LAN-to-LAN settings configured and applied to the two FVS328 firewalls.
Figure 4-5: LAN-to-LAN configuration menu. Configure the LAN-to-LAN settings. Note: The LAN subnet address of each FVS328 must be different. Click Apply for the changes to take effect.
This chapter describes how to configure the WAN and LAN settings of your FVS328 ProSafe VPN Firewall with Dial Back-up. Configuring LAN IP Settings The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface.
— When set to None, it will not send any RIP packets and will ignore any RIP packets received. • RIP Version This controls the format and the broadcasting method of the RIP packets that the router sends.
The firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP Address from the range you have defined • Subnet Mask • Gateway IP Address is the firewall’s LAN IP address •...
Click Apply to enter the reserved address into the table. Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
Connecting Automatically, as Required Normally, this option should be Enabled, so that an Internet connection will be made automatically, whenever Internet-bound traffic is detected. However, if this causes high connection costs, you can disable this setting.
Responding to Ping on Internet WAN Port If you want the firewall to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered.
How to Configure Dynamic DNS Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and the default password, or the password you have chosen for the firewall. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses.
Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. Type the Gateway IP Address, which must be a router on the same LAN segment as the firewall. Type a number between 1 and 15 as the Metric value.
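The constraints this chapter places on a static route entry, applied in Python with the standard ipaddress module. This is an added example, not code from the manual or from NETGEAR: the firewall LAN address 192.168.0.1/24, the host-route mask 255.255.255.255, the 1-15 metric range and the two implicit routes are from the text; the 134.177.0.0/16 destination, the "ISP" gateway label and the 192.168.0.100/101 router addresses are constructed. The route selection goes one step beyond the chapter by showing standard longest-prefix forwarding, which is why a single-host route overrides a broader one to the same network.

```python
import ipaddress

# Firewall LAN address; 192.168.0.1/24 is the default the manual uses.
FIREWALL_LAN = ipaddress.ip_interface("192.168.0.1/24")


def parse_destination(destination, subnet_mask):
    """Combine the Destination IP and IP Subnet Mask fields into one network.
    A mask of 255.255.255.255 gives a single-host route, as the manual says."""
    return ipaddress.ip_network(f"{destination}/{subnet_mask}", strict=False)


def validate_static_route(destination, subnet_mask, gateway, metric, firewall_lan=FIREWALL_LAN):
    """Check one Static Route entry against the rules in this chapter.
    Returns (ok, problems)."""
    problems = []
    try:
        net = parse_destination(destination, subnet_mask)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, [f"address or mask not valid: {exc}"]
    # The gateway must be a router on the same LAN segment as the firewall.
    if gw not in firewall_lan.network:
        problems.append(f"gateway {gw} is not on the firewall LAN {firewall_lan.network}")
    elif gw == firewall_lan.ip:
        problems.append("gateway is the firewall's own LAN address")
    # Metric must be a number between 1 and 15.
    if not isinstance(metric, int) or not 1 <= metric <= 15:
        problems.append(f"metric {metric!r} is outside 1-15")
    # A destination inside the LAN is already covered by the implicit local route.
    if net.version == firewall_lan.network.version and net.subnet_of(firewall_lan.network):
        problems.append(f"destination {net} is inside the firewall LAN; the implicit local route already covers it")
    return not problems, problems


def build_routing_table(isp_gateway, static_routes, firewall_lan=FIREWALL_LAN):
    """The two implicit routes the manual describes (default via the ISP, local LAN)
    plus validated static routes. Entries are (network, gateway, metric)."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), isp_gateway, 1),
        (firewall_lan.network, "directly connected", 1),
    ]
    for destination, mask, gateway, metric in static_routes:
        ok, problems = validate_static_route(destination, mask, gateway, metric, firewall_lan)
        if not ok:
            raise ValueError(f"route {destination}/{mask} rejected: {'; '.join(problems)}")
        table.append((parse_destination(destination, mask), gateway, metric))
    return table


def select_route(table, destination_ip):
    """Longest-prefix match, lowest metric breaking ties: standard IP forwarding."""
    ip = ipaddress.ip_address(destination_ip)
    candidates = [entry for entry in table if ip in entry[0]]
    network, gateway, metric = max(candidates, key=lambda e: (e[0].prefixlen, -e[2]))
    return gateway


if __name__ == "__main__":
    # Constructed example: reach 134.177.0.0/16 through a second router on the LAN,
    # and one host in it through a different router (host route, mask 255.255.255.255).
    routes = [
        ("134.177.0.0", "255.255.0.0", "192.168.0.100", 1),
        ("134.177.0.123", "255.255.255.255", "192.168.0.101", 1),
    ]
    table = build_routing_table("ISP", routes)
    for dst in ("134.177.5.5", "134.177.0.123", "8.8.8.8", "192.168.0.7"):
        print(dst, "->", select_route(table, dst))
```

Run it before typing a route into the Static Routes menu: a gateway that is not on the firewall's LAN segment, or a metric outside 1-15, is rejected with the reason, and the selection at the end shows which router a given destination will actually be sent to.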
This chapter describes how to use the basic firewall features of the FVS328 ProSafe VPN Firewall with Dial Back-up to protect your network. Protecting Access to Your FVS328 Firewall For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect.
Figure 6-1: Set Password menu. To change the password, first enter the old password, then enter the new password twice. Click Apply to save your changes. Note: After changing the password, you will be required to log in again to continue the configuration.
Using the Block Sites Menu to Screen Content The FVS328 allows you to restrict access based on the following categories: • Use of a proxy server • Type of file (Java, ActiveX, Cookie) •...
IP address. Services and Rules Regulate Inbound and Outbound Traffic The FVS328 ProSafe VPN Firewall with Dial Back-up firewall lets you regulate what ports are available to the various TCP/IP protocols. Follow these two steps to configure inbound or...
1024 to 65535 by the authors of the application. Although the FVS328 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
Using Inbound/Outbound Rules to Block or Allow Services Firewall rules are used to block or allow specific traffic passing through from one side of the firewall to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources.
You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
Inbound Rules (Port Forwarding) Because the FVS328 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule, also known as port forwarding, you can make a local server (for example, a Web server or game server) visible and available to the Internet.
Example: Port Forwarding to a Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server any time of day.
specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters. Figure 6-5: Rule example: Videoconference from Restricted Addresses...
Outbound Rules (Service Blocking or Port Filtering) The FVS328 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on: •...
IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the router log any attempt to use Instant Messenger during that blocked period.
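The three rule examples in this section (HTTP forwarded to a local Web server from anywhere, CU-SeeMe allowed only from a restricted external range with logging of requests that do not match, and Instant Messenger blocked on a schedule) evaluated by a small rule engine in Python. This is an added example, not code from the manual or from NETGEAR, and it assumes the FVS328 defaults of blocking all unsolicited inbound traffic and allowing all outbound traffic. The CU-SeeMe and AIM port numbers, the server addresses, the 203.0.113.0/24 external range and the weekday 09:00-17:00 schedule are constructed stand-ins for what you would enter in the Services and Schedule menus; first matching rule wins, and the "not_match" log setting records packets that matched the service but not the other parameters.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Service table: name -> (protocol, port). HTTP is from the manual; the CU-SeeMe and
# AIM ports are assumed values standing in for entries added in the Services menu.
SERVICES = {
    "HTTP": ("tcp", 80),
    "CU-SEEME": ("udp", 7648),   # assumed port
    "AIM": ("tcp", 5190),        # assumed port, standing in for "Instant Messenger"
}

# Default rules assumed here: block unsolicited inbound traffic, allow all outbound.
DEFAULT_ACTION = {"inbound": "block", "outbound": "allow"}


@dataclass
class Schedule:
    weekdays: set   # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, now):
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass
class Rule:
    direction: str                       # "inbound" (WAN->LAN) or "outbound" (LAN->WAN)
    service: str                         # key into SERVICES
    action: str                          # "allow" or "block"
    source: str = "any"                  # IP, CIDR, or "any"
    destination: str = "any"             # inbound: the LAN server; outbound: remote host
    schedule: Optional[Schedule] = None  # None means always
    log: str = "never"                   # "never", "always", "match", "not_match"

    @staticmethod
    def _addr_ok(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def applies(self, pkt):
        """Direction and service match: the rule is a candidate for this packet."""
        return pkt["direction"] == self.direction and SERVICES[self.service] == (pkt["proto"], pkt["dport"])

    def matches(self, pkt, now):
        """All remaining parameters match: the rule's action is taken."""
        return (self._addr_ok(self.source, pkt["src"])
                and self._addr_ok(self.destination, pkt["dst"])
                and (self.schedule is None or self.schedule.active(now)))


def packet(direction, proto, src, dst, dport):
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(rules, pkt, now):
    """Return (action, logged). The first fully matching rule wins; otherwise the
    default rule for the packet's direction applies."""
    logged = False
    for rule in rules:
        if not rule.applies(pkt):
            continue
        if rule.matches(pkt, now):
            return rule.action, logged or rule.log in ("always", "match")
        if rule.log in ("always", "not_match"):
            logged = True          # service matched but source/destination/schedule did not
    return DEFAULT_ACTION[pkt["direction"]], logged


# Constructed rule set mirroring the three examples in this section.
RULES = [
    Rule("inbound", "HTTP", "allow", destination="192.168.0.10"),
    Rule("inbound", "CU-SEEME", "allow", source="203.0.113.0/24",
         destination="192.168.0.11", log="not_match"),
    Rule("outbound", "AIM", "block", source="192.168.0.0/24",
         schedule=Schedule({0, 1, 2, 3, 4}, time(9, 0), time(17, 0)), log="match"),
]

# Constructed timestamps: 3 May 2004 was a Monday.
MONDAY_10AM = datetime(2004, 5, 3, 10, 0)
MONDAY_8PM = datetime(2004, 5, 3, 20, 0)

if __name__ == "__main__":
    print(evaluate(RULES, packet("inbound", "udp", "198.51.100.7", "192.168.0.11", 7648), MONDAY_10AM))
    print(evaluate(RULES, packet("outbound", "tcp", "192.168.0.50", "64.12.24.1", 5190), MONDAY_8PM))
```

The point to notice is the second line of the rule loop: a CU-SeeMe request from outside the allowed range is not blocked by the allow rule itself but falls through to the inbound default, and it is the "not_match" log setting on the allow rule that records it, which is what the Figure 6-5 example configures.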
Setting Times and Scheduling Firewall Services The FVS328 Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list.
How to Set Your Time Zone In order to localize the time for your log entries, you must specify your Time Zone: Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User...
Enabling Daylight Savings Time will cause one hour to be added to the standard time. Choose your NTP server. The firewall uses Netgear NTP servers by default. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.
VPN Firewall Figure 7-1: Secure access through FVS328 VPN routers Using Policies to Manage VPN Traffic You create policy definitions to manage VPN traffic on the FVS328. There are two kinds of policies:
VPN parameters on other end, and vice versa. When the network traffic enters into the FVS328 from the LAN network interface, if there is no VPN policy found for a type of network traffic, then that traffic passes through without any change.
IKE Policies’ Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
These parameters apply to the Local FVS328 firewall. Local Identity Type Use this field to identify the local FVS328. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address.
Remote Identity Type: Use this field to identify the remote FVS328. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) – your domain name.
VPN Policy Configuration for Auto Key Negotiation An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Remote VPN Endpoint The address used to locate the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVS328’s Local Identity Data entered as its “Remote VPN Endpoint”: • By its IP Address.
Table 7-1. VPN Auto Policy Configuration Fields. Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security.
Table 7-1. VPN Auto Policy Configuration Fields (continued). Authentication Algorithm: If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: MD5 –...
Figure 7-4: VPN - Manual Policy Menu
The WAN Internet IP address or Fully Qualified Domain Name of the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVS328’s WAN Internet IP address entered as its “Remote VPN Endpoint.”...
Table 7-1. VPN Manual Policy Configuration Fields. Authenticating Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
Table 7-1. VPN Manual Policy Configuration Fields (continued). SPI - Outgoing: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added to the FVS328.
Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. Log in to the FVS318 on LAN A at its default LAN address of...
Figure 7-6: Connection Name and Remote IP Type 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Figure 7-7: Remote IP 4.
To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit. Walk-Through of Configuration Scenarios There are a variety of configurations you might implement with the FVS328. The scenarios listed below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to make it easier to get the systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats: •...
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.
FVS328 Scenario 1: How to Configure the IKE and VPN Policies Note: This scenario assumes all ports are open on the FVS328. You can verify this by reviewing the security settings as seen in the on page 6-6.
Select whether enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it.
Note: After you click Apply to change the LAN IP address settings, your workstation will be disconnected from the FVS328. You will have to log on with http://10.5.6.1 which is now the address you use to connect to the built-in Web-based configuration manager of the FVS328.
4. Set up the FVS328 VPN - Auto Policy illustrated below. From the main menu VPN section, click the VPN Policies link, and then click the Add Auto Policy button. Figure 7-14: Scenario 1 VPN - Auto Policy. Configure the VPN - Auto Policy according to the settings in the illustration above and click Apply to save your settings.
5. After applying these changes, you will see a table entry like the one below. Figure 7-15: VPN Policies table Now all traffic from the range of LAN IP addresses specified on FVS328 A and FVS328 B will flow over a secure VPN tunnel.
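Most failed tunnels in this scenario come from one side not mirroring the other, so the check below compares the two gateway configurations field by field in Python. This is an added example, not code from the manual or from NETGEAR. Gateway B's WAN address 22.23.24.25 and LAN 172.23.9.0/24 and Gateway A's LAN 10.5.6.0/24 are from the scenario; Gateway A's WAN address 14.15.16.17, the pre-shared key and the SPI values are constructed. The rules encoded are the ones stated in this chapter: each side's Remote VPN Endpoint and Remote Identity are the peer's WAN address and Local Identity, a manual policy's Incoming SPI equals the peer's Outgoing SPI and is a 3-8 character hex value, the pre-shared key and algorithms are shared, and the two LAN ranges must differ (both on the default 192.168.0.x range fails).

```python
import ipaddress
import re

# Gateway B's addresses are the VPNC Scenario 1 values in this chapter; Gateway A's WAN
# address, the pre-shared key and the SPI values are constructed for this example.
GATEWAY_A = {
    "name": "Gateway A",
    "wan_ip": "14.15.16.17",            # assumed
    "lan": "10.5.6.0/24",
    "local_identity": "14.15.16.17",    # Local Identity Type: WAN port IP address
    "remote_endpoint": "22.23.24.25",
    "remote_identity": "22.23.24.25",   # Remote Identity Type: WAN port IP address
    "remote_lan": "172.23.9.0/24",
    "preshared_key": "hr5xb84l6aa9r6",  # constructed
    "encryption": "3DES",
    "authentication": "SHA-1",
    "spi_in": "a1b2c3",                 # constructed; manual policy only
    "spi_out": "d4e5f6",
}
GATEWAY_B = {
    "name": "Gateway B",
    "wan_ip": "22.23.24.25",
    "lan": "172.23.9.0/24",
    "local_identity": "22.23.24.25",
    "remote_endpoint": "14.15.16.17",
    "remote_identity": "14.15.16.17",
    "remote_lan": "10.5.6.0/24",
    "preshared_key": "hr5xb84l6aa9r6",
    "encryption": "3DES",
    "authentication": "SHA-1",
    "spi_in": "d4e5f6",
    "spi_out": "a1b2c3",
}

SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")   # "Hex value (3 - 8 chars)"
NETGEAR_DEFAULT_LAN = ipaddress.ip_network("192.168.0.0/24")

# (field on one side, field on the peer that must carry the same value)
MIRRORED = [
    ("wan_ip", "remote_endpoint"),
    ("local_identity", "remote_identity"),
    ("lan", "remote_lan"),
    ("spi_in", "spi_out"),   # my Incoming SPI is the peer's Outgoing SPI
]
# Fields that must be identical on both sides.
SHARED = ["preshared_key", "encryption", "authentication"]


def check_policy_pair(a, b):
    """Return a list of mismatches between two FVS328 policy configurations.
    An empty list means the two ends mirror each other."""
    problems = []
    for mine, theirs in MIRRORED:
        for x, y in ((a, b), (b, a)):
            if x[mine] != y[theirs]:
                problems.append(f"{x['name']} {mine}={x[mine]} but {y['name']} {theirs}={y[theirs]}")
    for key in SHARED:
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]} vs {b[key]}")
    for g in (a, b):
        for key in ("spi_in", "spi_out"):
            if not SPI_RE.match(g[key]):
                problems.append(f"{g['name']} {key}={g[key]!r} is not a 3-8 character hex value")
    lan_a, lan_b = ipaddress.ip_network(a["lan"]), ipaddress.ip_network(b["lan"])
    if lan_a.overlaps(lan_b):
        note = " (both sides on the NETGEAR default range)" if lan_a == lan_b == NETGEAR_DEFAULT_LAN else ""
        problems.append(f"LAN ranges {lan_a} and {lan_b} overlap{note}; the tunnel cannot route between them")
    return problems


if __name__ == "__main__":
    for problem in check_policy_pair(GATEWAY_A, GATEWAY_B) or ["no mismatches"]:
        print(problem)
```

Fill in the two dictionaries from what you actually typed into each firewall's IKE and VPN policy screens; an empty result means the policy parameters agree and any remaining failure is on the path (for example ESP or IKE blocked upstream) rather than in the configuration.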
At this point the connection is established. Note: If you want to ping the FVS328 as a test of network connectivity, be sure the FVS328 is configured to respond to a ping on the Internet WAN port. However, to preserve a high degree of security, you should turn off this feature when you are finished with testing.
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.
Click the Generate Request button to display the screen illustrated in Figure 7-17: Generate Self Certificate Request menu. Fill in the fields on the Add Self Certificate screen. • Required –...
Click the Next button to continue. The FVS328 generates a Self Certificate Request as shown below. Figure 7-18: Self Certificate Request data 4. Transmit the Self Certificate Request data to the Trusted Root CA.
Figure 7-19: Self Certificate Requests table 5. Receive the certificate back from the Trusted Root CA and save it as a text file. Note: In the case of a Windows 2000 internal CA, the CA administrator might simply email it back to you.
You will now see the “FVS328” entry in the Active Self Certificates table and the pending “FVS328” Self Certificate Request is gone, as illustrated below. Figure 7-20: Self Certificates table 7.
Now, the traffic from devices within the range of the LAN subnet addresses on FVS328 Gateway A and Gateway B will be authenticated using the certificates and generated keys rather than via a shared key.
This chapter describes how to perform network management tasks with your FVS328 ProSafe VPN Firewall with Dial Back-up. Network Management The FVS328 provides remote management access and a variety of status and usage information which is discussed below. How to Configure Remote Management Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVS328 Firewall.
134.177.0.123 and you use port number 8080, enter in your browser: https://134.177.0.123:8080 Note: When you remotely connect to the FVS328 with a browser via SSL, you may get a message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate. The warning appears because the firewall's certificate is not issued by a CA your browser trusts; accepting it without looking at it also accepts any certificate a machine between you and the firewall could present, so before you accept it from the Internet for the first time, compare it with the certificate the firewall shows when you connect from the LAN.
Viewing Router Status and Usage Statistics From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 8-1. Figure 8-1: Router Status screen The Router Status menu provides a limited amount of status and usage information. From the...
This screen shows the following parameters (Table 8-1. Menu 3.2 - Router Status Fields): System Name; Firmware Version; LAN Port: MAC Address, IP Address, IP Subnet Mask, DHCP; WAN Port...
Page 111
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual Click the “Show Statistics” button to display firewall usage statistics, as shown in below: Figure 8-2. Router Statistics screen This screen shows the following statistics: Table 8-2. Router Statistics Fields...
Viewing Attached Devices The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading,...
Viewing, Selecting, and Saving Logged Information The firewall logs security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tries to access a blocked site.
Page 114
Log entries are described below: Table 8-5: Security Log entry descriptions Field Description Date and Time The date and time the log entry was recorded. Description or The type of event and what action was taken if any.
• Connection to the Web-based interface of this Router • Other connections and traffic to this Router — if selected, this will log traffic sent to this Router (rather than through this Router to the Internet). • Allow duplicate log entries — if selected, events or packets that fall within more than one (1) category above will have a log entry for each category in which they belong.
Enabling Security Event E-mail Notification In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-mail menu: Figure 8-7: E-mail notification menu To enable E-mail notification, configure the following fields: •...
Backing Up, Restoring, or Erasing Your Settings The configuration settings of the FVS328 Firewall are stored in a configuration file in the firewall. This file can be backed up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks.
From the Maintenance heading of the main menu, select the Settings Backup menu as seen below. Figure 8-8: Settings Backup menu Click Backup to save a copy of the current settings.
IP address, you must use the Default Reset button on the rear panel of the firewall. See “How to Use the Default Reset Button” on page Running Diagnostic Utilities and Rebooting the Router The FVS328 Firewall has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the firewall: •...
Figure 8-9: Diagnostics menu Upgrading the Router’s Firmware The software of the FVS328 Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from the NETGEAR Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the firewall.
How to Upgrade the Router Download and unzip the new software file from NETGEAR. Log in to the firewall at its default LAN address of name of , default password of admin you have chosen for the firewall.
Page 122
This chapter gives information about troubleshooting your FVS328 ProSafe VPN Firewall with Dial Back-up. For the common problems listed, go to the section indicated. • Is the firewall on? • Have I connected the firewall correctly? Go to “Basic Functions” on page •...
• Check that you are using the 12VDC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
Local or Internet Port Link LEDs Not On If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following: •...
• Try quitting the browser and launching it again. • Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the firewall’s configuration, reboot your computer and verify the DNS address as described in TCP/IP Properties”...
How to Test the LAN Path to Your Firewall You can ping the firewall from your computer to verify that the LAN path to your firewall is set up correctly.
PING -n 10 <IP address> where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies: —...
Release the Default Reset button and wait for the firewall to reboot. Problems with Date and Time The E-mail menu in the Security section displays the current date and time of day. The FVS328 Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet.
This appendix provides technical specifications for the FVS328 ProSafe VPN Firewall with Dial Back-up. Network Protocol and Standards Compatibility Data and Routing Protocols: Power Adapter North America: United Kingdom, Australia: Europe: Japan: All regions (output): Physical Specifications Dimensions: Weight: Environmental Specifications...
Page 132
Electromagnetic Emissions Meets requirements of: Interface Specifications Local: Internet: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B 10BASE-T or 100BASE-Tx, RJ-45 10BASE-T or 100BASE-Tx, RJ-45...
Firewall Log Formats
Action List
Drop: Packet dropped by Firewall current inbound or outbound rules.
Reset: TCP session reset by Firewall.
Forward:
Receive:
Field List
<DATE><TIME>:
<EVENT>:
<PKT_TYPE>:
<SRC_IP><DST_IP>:
<SRC_PORT><DST_PORT>: Port in the packet
<SRC_INF><DST_INF>:
<ACTION>:
<DESCRIPTION>:
<DIRECTION>:
<SERVICE>:
Outbound Log
Outgoing packets that match the Firewall rules are logged.
Access Block Site If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL contains a specified keyword are logged. The format is <DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>...
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network.
Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVS328 Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.
Page 143
Class A Network Class B Network Class C Network Figure 9-1: Three Main Address Classes The five address classes are: • Class A Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.
Page 145
Subnet addressing allows us to split one IP network address into multiple smaller physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead.
Page 146
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits.
NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons: • So that hosts recognize local IP broadcast packets.
Page 148
The router accomplishes this address sharing by translating the internal LAN IP addresses to a single address that is globally unique on the Internet. The internal LAN IP addresses can be either private addresses or registered addresses.
Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...
DHCP server stores a list or pool of IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The FVS328 Firewall has the capacity to act as a DHCP server.
What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.
Ethernet Cabling Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring as described in Table 9-1.
Cable Quality A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (100BASE-Tx) the cable must be rated as Category 5, or "Cat 5", by the Electronic Industry Association (EIA).
Page 154
This appendix describes how to prepare your network to connect to the Internet through the FVS328 ProSafe VPN Firewall with Dial Back-up and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a...
DHCP server during bootup. For a detailed explanation of the meaning and purpose of these configuration items, refer to The FVS328 Firewall is shipped preconfigured as a DHCP server. The firewall assigns the following TCP/IP configuration information automatically when the computers are rebooted: •...
Page 157
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
The simplest way to configure this information is to allow the PC to obtain the information from the internal DHCP server of the FVS328 Firewall. To use DHCP with the recommended default addresses, follow these steps: Connect all computers to the firewall, then restart the firewall and allow it to boot.
Uncheck all boxes in the LAN Internet Configuration screen and click Next. Proceed to the end of the Wizard. Verifying TCP/IP Properties After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:...
Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically” is selected.
The TCP/IP Control Panel opens: From the “Connect via” box, select your Macintosh’s Ethernet interface. From the “Configure” box, select Using DHCP Server. You can leave the DHCP Client ID box empty.
Verifying TCP/IP Properties for Macintosh Computers After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE). When you configure your router, you will need to enter your login name and password in the router’s configuration menus. After your network and firewall are configured, the firewall will perform the login task when needed, and you will no longer need to run the login program from your PC.
As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FVS328 Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FVS328 Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information.
Restart any computer that is connected to the firewall. After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FVS328 Firewall, you are ready to access and configure the firewall.
There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, commercially available, standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.
This document provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
Table 9-2. WAN (Internet/Public) and LAN (Internal/Private) Addressing Gateway LAN or WAN Gateway A LAN (Private) Gateway A WAN (Public) Gateway B LAN (Private) Gateway B WAN (Public) It will also be important to know the subnet mask of both gateway LAN Connections.
Page 175
Figure E-5: VPN Tunnel SA The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
LAN side of the other gateway. You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...
Page 178
• [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
This appendix provides a case study on how to configure a secure IPSec VPN tunnel between a NETGEAR FVS318 or FVM318 and an FVS328. The configuration options and screens for the FVS318 and FVM318 are the same. Configuration Profile The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
10.5.6.0/24 Gateway A LAN IP 10.5.6.1 Figure F-1: Addressing and Subnet Used for Examples Step-By-Step Configuration of FVS318 or FVM318 Gateway A Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration.
Page 181
VPN leg (all 8 links are available in the example). Click the Edit button below. This will take you to the VPN Settings – Main Mode Menu. Figure F-3: Figure 3 – NETGEAR FVS318 VPN Settings (part 1) – Main Mode –...
Page 182
Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field. Figure F-4: Figure 4 – NETGEAR FVS318 VPN Settings (part 2) – Main Mode – From the Secure Association drop-down box, select Main Mode.
Step-By-Step Configuration of FVS328 Gateway B Log in to the NETGEAR FVS328 labeled Gateway B as in the illustration. Out of the box, the FVS328 is set for its default LAN address of default user name of admin assume you have set the local LAN address as 172.23.9.1 for Gateway B and have set your...
Page 184
Figure F-6: NETGEAR FVS328 IKE Policy Configuration – Part 2 – From the Encryption Algorithm drop-down box, select 3DES. – From the Authentication Algorithm drop-down box, select MD5. – From the Authentication Method radio button, select Pre-shared Key.
Page 185
Figure F-8: NETGEAR FVS328 VPN – Auto Policy (part 1) – Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used “to318” as the Policy Name. In the Policy Name field type to318.
Page 186
– Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field. Figure F-9: NETGEAR FVS328 VPN – Auto Policy (part 2) –...
From a PC behind the NETGEAR FVS318 or FVM318 gateway A attempt to ping the remote FVS328 gateway B LAN Interface address (example address 172.23.9.1) From a PC behind the FVS328 gateway B attempt to ping the remote NETGEAR FVS318 or FVM318 gateway A LAN Interface address (example address 10.5.6.1) 3.
Page 188
This appendix provides a case study on how to configure a VPN tunnel between a NETGEAR FVS318 or FVM318 and an FVS328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. The configuration screens and settings for the FVS318 and FVM318 are the same.
In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname netgear.dyndns.org for Gateway A using the NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328...
DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN tunnel. In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider.
Page 192
– Type the User Name for your dynamic DNS account. In this example we used netgear as the Host Name. This means that the complete FQDN we are using is netgear.dyndns.org and the Host Name is “netgear.”...
Page 193
NETGEAR devices. For this example we have used toFVS328. – Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used netgear.dyndns.org (the FQDN) as the local identifier.
Page 194
Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field. Figure G-5: Figure 4 – NETGEAR FVS318 VPN Settings (part 2) – Main Mode – From the Secure Association drop-down box, select Main Mode.
Step-By-Step Configuration of FVS328 Gateway B Log in to the NETGEAR FVS328, labeled Gateway B in the illustration. Out of the box, the FVS328 is set for its default LAN address of default user name of admin assume you have set the local LAN address as 172.23.9.1 for Gateway B.
Page 196
Figure G-7: NETGEAR FVS328 IKE Policy Configuration – Part 2 – From the Encryption Algorithm drop-down box, select 3DES. – From the Authentication Algorithm drop-down box, select MD5. – From the Authentication Method radio button, select Pre-shared Key.
Page 197
Figure G-9: NETGEAR FVS328 VPN – Auto Policy (part 1) – Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name. In the Policy Name field type to318.
Page 198
Figure G-10: NETGEAR FVS328 VPN – Auto Policy (part 2) – From the Traffic Selector Remote IP drop-down box, select Subnet address. – Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field.
Connection Status Screen. If the connection is functioning properly, the State fields will show “Estab.” 3. From the FVS328, click the VPN Status link under the VPN section of the main menu. The VPN Logs and status are displayed. NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328...
Page 200
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVS328. This case study follows the Virtual Private Network Consortium (VPNC) interoperability profile guidelines. The menu options for the FVS328, FVL328, and FWAG114 are the same.
Step-By-Step Configuration of FVS328 Gateway Log in to the FVS328 gateway as in the illustration. Out of the box, the FVS328 is set for its default LAN address of default user name of admin this document will refer to the FVS328, the login procedures and configuration menu screens are the same for the FVS328 and the FWAG114.
Page 203
Click IKE Policies under the VPN menu and click Add on the IKE Policies Menu. Figure H-2: NETGEAR FVS328 IKE Policy Configuration – Enter a descriptive name for the policy in the Policy Name field. This name is not supplied to the remote VPN endpoint.
Page 204
– From the Local Identity drop-down box, select Fully Qualified Domain Name (the actual WAN IP address of the FVS328 will also be used in the Connection ID Type fields of the VPN Client as seen in Note: Selecting Remote Access as the Direction Type, Aggressive Mode as the...
Page 205
Click the VPN Policies link under the VPN category on the left side of the main menu. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN –...
Page 206
“Security Policy Editor New Connection” on page – Type the starting LAN IP Address of the FVS328 in the Local IP Start IP Address field. For this example, we used 192.168.0.0 which is the default LAN IP address of the FVS328.
This procedure describes linking a remote PC and a LAN. The LAN will connect to the Internet using an FVS328 with a static IP address. The PC can be directly connected to the Internet through dialup, cable or DSL modem, or other means, and we will assume it has a dynamically assigned IP address.
Page 208
Note: Before installing the Netgear VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC. • You may need to insert your Windows CD to complete the installation.
Page 209
In this example, select IP Subnet as the ID Type, 192.168.0.0 in the Subnet field (the Subnet address is the LAN IP Address of the FVS328 with 0 as the last number), and 255.255.255.0 in the Mask field, which is the LAN Subnet Mask of the FVS328.
Page 210
Click Pre-Shared Key. Figure H-8: Connection Identity Pre-Shared Key Enter hr5xb84l6aa9r6 which is the same Pre-Shared Key entered in the FVS328. Click OK. Configure the Connection Identity Settings. In the Network Security Policy list, click the Security Policy subheading.
Page 211
Configure the Connection Security Policy In this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange (Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.
Page 212
Figure H-11: Connection Security Policy Key Exchange (Phase 2) Configure the Key Exchange (Phase 2). • Expand the Key Exchange (Phase 2) heading, and click on Proposal 1. • For this example, ensure that the following settings are configured: –...
Page 213
Configure the Global Policy Settings. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings. Figure H-12: Security Policy Editor Global Policy Options Increase the Retransmit Interval period to 45 seconds.
On the Windows taskbar, click the Start button, and then click Run. Type ping -t 192.168.0.1 and click OK. This will cause a continuous ping to be sent to the first FVS328. After a period of up to two minutes, the ping response should change from “timed out” to “reply.”
To test the connection to a computer connected to the FVS328, simply ping the IP address of that computer. Once connected, you can open a browser on the remote PC and enter the LAN IP Address of the FVS328, which is http://192.168.0.1 in this example.
Viewing the FVS328 VPN Status and Log Information Information on the status of the VPN client connection can be viewed by opening the FVS328 VPN Status screen. To view this screen, click the VPN Status link on the FVS328 main menu.
Page 217
The FVS328 VPN Status screen for a successful connection is shown below: Figure H-15: FVS328 VPN Status screen
Page 218
10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 3DES 3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys. 802.11b IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio...
Page 220
Domain names are of the form of a registered entity name plus one of a number of predefined top level suffixes such as .com, .edu, .uk, and so forth. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain.
Page 221
IP Address A four-position number uniquely defining each host on the Internet. Ranges of addresses are assigned by Internic, an organization formed for this purpose. Usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57).
Page 222
NetBIOS Network Basic Input Output System. An application programming interface (API) for local area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length.
Page 223
Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org. See Routing Information Protocol.
Page 224
Page 225
Cabling C-12 Cat5 cable 3-1, C-13 Certificate Authority 7-25 configuration automatic by DHCP 2-3 backup 8-11 erasing 8-13 router, initial 3-1 Connection Monitor H-15 content filtering 2-3 conventions typography 1-1, 1-2 crossover cable 2-3, 9-3, C-12 customer support 1-iii date and time 9-8...
Page 226
firewall features 2-2 FLASH memory 8-14 FQDN 2-2 Fully Qualified Domain Name 2-2 gateway address D-11 General 7-4, 7-7, 7-11 host name 3-8, 3-9, 3-15 IANA contacting C-2 IETF C-1 Web site address C-7 IKE Security Association E-4 inbound rules 6-8 installation 2-4 Internet account address information D-9...
Page 228
Uplink switch C-12 USB D-9 Virtual Private Networking 2-3 VPN E-1 VPN Consortium E-6 VPN Process Overview E-7 VPNC IKE Phase I Parameters E-10 VPNC IKE Phase II Parameters E-11 Windows, configuring for IP routing D-2, D-5 winipcfg utility D-5 WinPOET D-9 World Wide Web 1-iii Index...