Summary of Contents for NETGEAR FVS318 - ProSafe VPN Firewall Router
Reference Manual for the ProSafe VPN Firewall FVS318v3
NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA
202-10059-02, Version 3, January 2005...
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Certification of the Manufacturer/Importer: It is hereby certified that the FVS318v3 ProSafe VPN Firewall has been suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The regulation-compliant operation of certain equipment (e.g., test transmitters) may nevertheless be subject to certain restrictions. Please read the notes on this in the operating manual. The Federal Office for Approvals in Telecommunications has been notified that...
Product and Publication Details: Model Number: FVS318v3; Publication Date: January 2005; Product Family: Router; Product Name: FVS318v3 ProSafe VPN Firewall; Home or Business Product: Business; Language: English...
Package Contents .......... 2-5
The FVS318v3 Front Panel .......... 2-5
The FVS318v3 Rear Panel .......... 2-6
NETGEAR-Related Products .......... 2-7
NETGEAR Product Registration, Support, and Documentation .......... 2-7
Chapter 3 Connecting the Firewall to the Internet
Prepare to Install Your FVS318v3 ProSafe VPN Firewall .......... 3-1
First, Connect the FVS318v3 .......... 3-1...
How to Set Up a Client-to-Gateway VPN Configuration .......... 5-5
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS318v3 .......... 5-6
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC .......... 5-9
Monitoring the Progress and Status of the VPN Client Connection .......... 5-16
Transferring a Security Policy to Another Client .......... 5-18...
Importing a Security Policy .......... 5-19
How to Set Up a Gateway-to-Gateway VPN Configuration .......... 5-20
Procedure to Configure a Gateway-to-Gateway VPN Tunnel .......... 5-21
VPN Tunnel Control .......... 5-26
Activating a VPN Tunnel .......... 5-26
Start Using a VPN Tunnel to Activate It .......... 5-26
Using the VPN Status Page to Activate a VPN Tunnel .......... 5-26
Activate the VPN Tunnel by Pinging the Remote Endpoint .......... 5-27
Verifying the Status of a VPN Tunnel .......... 5-29...
Backing Up the Configuration .......... 7-7
Restoring the Configuration .......... 7-7
Erasing the Configuration .......... 7-8
Changing the Administrator Password .......... 7-8
Chapter 8 Advanced Configuration
How to Configure Dynamic DNS .......... 8-1
Using the LAN IP Setup Options .......... 8-2
Configuring LAN TCP/IP Setup Parameters .......... 8-3
Using the Firewall as a DHCP server .......... 8-4
Using Address Reservation .......... 8-5
Configuring Static Routes .......... 8-5...
Netmask .......... B-4
Subnet Addressing .......... B-5
Private IP Addresses .......... B-7
Single IP Address Operation Using NAT .......... B-8
MAC Addresses and Address Resolution Protocol .......... B-9
Related Documents .......... B-9
Domain Name Server .......... B-9
IP Configuration by DHCP .......... B-10
Internet Security and Firewalls ..........
Obtaining ISP Configuration Information for Windows Computers .......... D-19
Obtaining ISP Configuration Information for Macintosh Computers .......... D-20
Restarting the Network .......... D-21
Appendix E VPN Configuration of NETGEAR FVS318v3
Case Study Overview .......... E-1
Gathering the Network Information .......... E-1
Configuring the Gateways .......... E-2
Activating the VPN Tunnel ..........
Configuring the VPN Tunnel .......... E-6
Viewing and Editing the VPN Parameters .......... E-9
Initiating and Checking the VPN Connections .......... E-11
The FVS318v3-to-FVS318v2 Case .......... E-13
Configuring the VPN Tunnel .......... E-13
Viewing and Editing the VPN Parameters .......... E-16
Initiating and Checking the VPN Connections ..........
This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, tutorial information on basic computer networking, Internet, firewall, and VPN technologies is provided in the Appendices and on the NETGEAR Web site. This guide uses the following typographical conventions: Table 1-1.
• button to access the full NETGEAR, Inc. online Knowledge Base for the product model. • Links to PDF versions of the full manual and individual chapters.
How to Print this Manual To print this manual, choose one of the following options, according to your needs. • Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
Chapter 2 Introduction This chapter describes the features of the NETGEAR FVS318v3 ProSafe VPN Firewall. Key Features of the VPN Firewall The FVS318v3 ProSafe VPN Firewall with eight-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT firewalls, the FVS318v3 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: •...
Autosensing Ethernet Connections with Auto Uplink With its internal eight-port 10/100 switch, the FVS318v3 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The FVS318v3 VPN Firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVS318v3 VPN Firewall: • Flash memory for firmware upgrade.
• Registration and Warranty Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. The FVS318v3 Front Panel The front panel of the FVS318v3 VPN Firewall contains the status LEDs described below.
Table 2-1. LED Descriptions (LED Label, Activity, Description): Power is supplied to the firewall. TEST: The system is initializing. The system is ready and running. INTERNET 100 (100 Mbps): The Internet (WAN) port is operating at 100 Mbps. The Internet (WAN) port is operating at 10 Mbps.
• DC power input • ON/OFF switch NETGEAR-Related Products NETGEAR products related to the FVS318v3 are listed in the following table: Table 2-2. NETGEAR-Related Products Category Wireless Wired Notebooks WAG511 108 Mbps Dual Band PC Card...
When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
Chapter 3 Connecting the Firewall to the Internet This chapter describes how to set up the firewall on your LAN, connect to the Internet, perform basic configuration of your FVS318v3 ProSafe VPN Firewall using the Setup Wizard, or how to manually configure your Internet connection.
Locate the Ethernet cable (Cable 1 in the diagram) that connects your PC to the modem. Figure 3-1: Disconnect the Ethernet cable from the computer Disconnect the cable at the computer end only, point A in the diagram. Look at the label on the bottom of the VPN firewall router.
Securely insert the blue cable that came with your VPN firewall router (the blue NETGEAR cable in the diagram below) into a LOCAL port on the firewall such as LOCAL port 8 (point C in the diagram), and the other end into the Ethernet port of your computer (point D in the diagram).
Figure 3-4: Status lights (Power, Test, Internet, Local Port 8) Check the VPN firewall router status lights to verify the following: • PWR: The power light should turn solid green. If it does not, see “Troubleshooting Tips”...
With the VPN firewall router in its factory default state, your browser will automatically display the NETGEAR Smart Wizard Configuration Assistant welcome page. Figure 3-5: NETGEAR Smart Wizard Configuration Assistant welcome screen Note: If you do not see this page, type http://www.routerlogin.net in the browser address bar...
Tips” on page 3-6 to correct basic problems. Figure 3-6: NETGEAR Smart Wizard Configuration Assistant success screen Note: The Smart Wizard Configuration Assistant only appears when the firewall is in its factory default state. After you configure the VPN firewall router, it will not appear again. You can always connect to the firewall to change its settings.
Make sure the Ethernet cables are securely plugged in. • The Internet link light on the VPN firewall router will be lit if the Ethernet cable to the VPN firewall router from the modem is plugged in securely and the modem and VPN firewall router are turned on.
Overview of How to Access the FVS318v3 VPN Firewall The table below describes how you access the VPN firewall router, depending on the state of the VPN firewall router. Table 3-1. Ways to access the firewall Firewall State Access Options Description...
How to Log On to the FVS318v3 After Configuration Settings Have Been Applied Connect to the VPN firewall router by typing http://www.routerlogin.net in the address field of your browser, then press Enter. Figure 3-7: Login URL For security reasons, the firewall has its own user name and password.
Figure 3-9: Login result: FVS318v3 home page When the VPN firewall router is connected to the Internet, click the Knowledge Base or the Documentation link under the Web Support menu to view support information or the documentation for the VPN firewall router.
If you do not click Logout, the VPN firewall router waits five minutes after there is no activity before it automatically logs you out. Using the Smart Setup Wizard You can use the Smart Setup Wizard to assist with manual configuration or to verify the Internet connection.
How to Manually Configure Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. Figure 3-10: Browser-based configuration Basic Settings menu (ISP Does Not Require Login / ISP Does Require Login)...
You can manually configure the firewall using the Basic Settings menu shown in Figure 3-10 using these steps: Log in to the firewall at its default address of http://www.routerlogin.net using a browser like...
If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the FVS318v3 ProSafe VPN Firewall to protect your network. These features can be found by clicking on the Security heading in the main menu of the browser interface. Firewall Protection and Content Filtering Overview The FVS318v3 ProSafe VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail.
Block Sites The FVS318v3 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is shown in Figure 4-1: Figure 4-1: Block Sites menu...
To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a PC that will be exempt from blocking and logging.
You may define additional rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
Inbound Rules (Port Forwarding) Because the FVS318v3 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet.
Inbound Rule Example: Allowing a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-4, CU-SEEME connections are allowed only from a specified range of external IP addresses.
Outbound Rules (Service Blocking) The FVS318v3 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on: •...
Order of Precedence for Rules As you define new rules, they are added to the Rules table, as shown below: Figure 4-6: Rules table with examples For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom.
In some cases, one local PC can run the application properly if that PC’s IP address is entered as the Default DMZ Server. Note: For security, NETGEAR strongly recommends that you avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet.
Services Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
To add a service: When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu appears as shown in Figure 4-8: Figure 4-8: Add Custom Service menu Enter a descriptive name for the service so that you will remember what it is.
Using a Schedule to Block or Allow Specific Traffic If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring the Schedule page shown below: Figure 4-9: Schedule page...
To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.
Getting E-Mail Notifications of Event Logs and Alerts In order to receive logs and alerts by e-mail, you must provide your e-mail information in the Send alerts and logs by e-mail area: Figure 4-10: E-mail menu •...
– If a user on your LAN attempts to access a Web site that you blocked using the Block Sites menu. • Send logs according to this schedule. You can specify that logs are sent to you according to a schedule.
Viewing Logs of Web Access or Attempted Web Access The firewall logs security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site.
Log entries are described in Table 4-1. Table 4-1. Log entry descriptions (Field: Description) Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any. Source IP: The IP address of the initiating device for this log entry.
Appendix E, “VPN Configuration of NETGEAR FVS318v3” presents a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR FVS318v3 to a FVL328. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).
Overview of VPN Configuration Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway and between two or more network gateways. The FVS318v3 supports both of these types of VPN configurations.
Figure 5-2: Gateway-to-gateway VPN tunnel (VPN Gateway A) A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet.
What level of authentication will you use? — MD5 — 128 bits, faster but less secure. — SHA-1 — 160 bits, slower but more secure. Note: NETGEAR publishes additional interoperability scenarios with various gateway and client software products. Basic Virtual Private Networking...
5-4) are not appropriate for your special circumstances. How to Set Up a Client-to-Gateway VPN Configuration Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway (see Figure 5-3) involves the following two steps: •...
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVS318v3 Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 5-1 on page 5-4.
Enter the new Connection Name: (RoadWarrior in this example) Enter the pre-shared key: (12345678 in this example) Select the radio button: A remote VPN client (single PC) Figure 5-5: Connection Name and Remote IP Type The Summary screen below displays.
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-6). Click Back to return to the Summary screen. Figure 5-7: VPNC Recommended Settings Click Done on the Summary screen (see Figure 5-6) to complete the configuration procedure.
This procedure describes how to configure the NETGEAR ProSafe VPN Client. This example assumes the PC running the client has a dynamically assigned IP address. The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client.
From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New Connection” listing appears in the list of policies. Rename the “New Connection” so that it matches the Connection Name you entered in the VPN Settings of the FVS318v3 on LAN A.
Figure 5-10. Configure the Security Policy in the NETGEAR ProSafe VPN Client software. In the Network Security Policy list, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings appear below the connection name.
Figure 5-11: Security Policy Editor Security Policy Select the Main Mode in the Select Phase 1 Negotiation Mode check box. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide: —...
Figure 5-12: Security Policy Editor My Identity Choose None in the Select Certificate box. Select IP Address in the ID Type box. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box.
Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the FVS318v3 configuration. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the “+”...
FVS318v3’s network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request.
Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer. To launch this function, click on the Windows Start button, then select Programs, then NETGEAR ProSafe VPN Client, then Log Viewer.
The Log Viewer screen for a similar successful connection is shown below: Figure 5-18: Log Viewer screen Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel. The Connection Monitor screen for a similar connection is shown below: Figure 5-19: Connection Monitor screen In this example you can see the following:...
Transferring a Security Policy to Another Client This section explains how to export and import a security policy as an .spd file so that an existing NETGEAR ProSafe VPN Client configuration can be copied to other PCs running the NETGEAR ProSafe VPN Client.
The following procedure (Figure 5-21) enables you to import an existing security policy. Step 1: Invoke the NETGEAR ProSafe VPN Client and select Import Security Policy from the File pulldown. Step 2: Select the security policy to import. In this example, the security policy file is...
Internet. The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. In this example, LAN A uses 192.168.0.1 and LAN B uses 192.168.3.1.
Procedure to Configure a Gateway-to-Gateway VPN Tunnel Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. Log in to the FVS318v3 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of...
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Enter the WAN IP address of the remote VPN gateway: (22.23.24.25 in this example) Figure 5-25: Remote IP 4.
The Summary screen below displays. Figure 5-27: VPN Wizard Summary
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the here link (see Figure 5-27). Click Back to return to the Summary screen. Figure 5-28: VPN Recommended Settings Click Done on the Summary screen (see Figure 5-27) to complete the configuration...
Repeat for the FVS318v3 on LAN B. Pay special attention and use the following network settings as appropriate. • WAN IP of the remote VPN gateway (e.g., 14.15.16.17) • LAN IP settings of the remote VPN gateway: —...
Figure 5-31: Current VPN Tunnels (SAs) Screen Look at the VPN Status/Log screen (Figure 5-30) to verify that the tunnel is connected. VPN Tunnel Control Activating a VPN Tunnel There are three ways to activate a VPN tunnel: •...
PC to the FVS318v3’s network by using the “Connect” option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request.
Establish an Internet connection from the PC. On the Windows taskbar, click the Start button, and then click Run. Type ping -t 192.168.3.1 and then click OK. Figure 5-34: Running a Ping test to the LAN from the PC This will cause a continuous ping to be sent to the first FVS318v3.
Figure 5-36: Pinging test results Note: The pings may fail the first time. If so, then try the pings a second time. Verifying the Status of a VPN Tunnel To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps: Log in to the VPN Firewall.
• Click Clear Log to delete all log entries. Click VPN Status (Figure 5-37) to get the Current VPN Tunnels (SAs) screen (Figure 5-38). Figure 5-38: Current VPN Tunnels (SAs) screen This page lists the following data for each active VPN Tunnel. •...
Figure 5-39: VPN Policies Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.) Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN Status page to deactivate a VPN tunnel, perform the following steps: Log in to the VPN Firewall.
Click VPN Status (Figure 5-40) to get the Current VPN Tunnels (SAs) screen (Figure 5-41). Click Drop for the VPN tunnel you want to deactivate. Figure 5-41: Current VPN Tunnels (SAs) screen Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented by the VPN Wizard), automatic traffic will reactivate the tunnel.
Chapter 6 Advanced Virtual Private Networking This chapter describes how to use the advanced virtual private networking (VPN) features of the FVS318v3 VPN Firewall. See Chapter 5, “Basic Virtual Private Networking” for a description on how to use the basic VPN features. Overview of FVS318v3 Policy-Based VPN Configuration The FVS318v3 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity.
Using Policies to Manage VPN Traffic You create policy definitions to manage VPN traffic on the FVS318v3. There are two kinds of policies: • IKE Policies: Define the authentication scheme and automatically generate the encryption keys.
IKE Policies’ Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
The IKE Policy Configuration fields are defined in the following table. Table 6-1. IKE Policy Configuration fields (Field: Description) General: These settings identify this policy and determine its major characteristics. Policy Name: The descriptive name of the IKE policy.
Table 6-1. IKE Policy Configuration fields (Field: Description) Remote: These parameters apply to the target remote FVS318v3, VPN gateway, or VPN client. Remote Identity Type: Use this field to identify the remote FVS318v3. You can choose one of the following four options from the drop-down list: •...
Figure 6-3: VPN - Auto Policy menu
The VPN – Auto Policy fields are defined in the following table. Table 6-1. VPN – Auto Policy Configuration Fields (Field: Description) General: These settings identify this policy and determine its major characteristics. Policy Name: The descriptive name of the VPN policy.
Table 6-1. VPN – Auto Policy Configuration Fields (Field: Description) Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created. Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security.
Table 6-1. VPN – Auto Policy Configuration Fields (Field: Description) Authentication Algorithm: If you enable AH, then use this menu to select which authentication algorithm will be employed. The choices are: • MD5 — the default •...
Figure 6-4: VPN - Manual Policy menu
The VPN Manual Policy fields are defined in the following table. Table 6-1. VPN Manual Policy Configuration Fields (Field: Description) General: These settings identify this policy and determine its major characteristics. Policy Name: The name of the VPN policy.
Table 6-1. VPN Manual Policy Configuration Fields (Field: Description) Authentication Algorithm: If you enable AH, then select the authentication algorithm: • MD5 — the default • SHA1 — more secure Enter the keys in the fields provided. For MD5, the keys should be 16 characters.
Table 6-1. VPN Manual Policy Configuration Fields (Field: Description) Enable Authentication: Use this check box to enable or disable ESP authentication for this VPN policy. Authentication Algorithm: If you enable authentication, then use this menu to select the algorithm: •...
To make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to make it easier to get systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats: •...

The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client.

The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 2 (1024 bits)
• Perfect forward secrecy for rekeying
• SA lifetime of 3600 seconds (one hour) with no kilobytes rekeying
•...
Figure 6-7: FVS318v3 Internet IP Address menu (WAN IP addresses: ISP provides these addresses)
Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Settings topics, please see “How to Manually Configure Your Internet Connection”...

From the main menu Advanced section, click the LAN IP Setup link. The following menu appears.
Figure 6-8: LAN IP Setup menu
Configure the LAN IP address according to the settings above and click Apply to save your settings.

3. Set up the IKE Policy illustrated below on the FVS318v3. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below.
Figure 6-9: Scenario 1 IKE Policy
Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.

4. Set up the FVS318v3 VPN - Auto Policy illustrated below. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button. (Figure callouts: WAN IP address, LAN IP addresses...)

How to Check VPN Connections
You can test connectivity and view VPN status information on the FVS318v3 (see also “VPN Tunnel Control” on page 5-26).
Testing the Gateway A FVS318v3 LAN and the Gateway B LAN
Using our example, from a Windows PC attached to the FVS318v3 on LAN A, click the Start button on the taskbar and then click Run.
Scenario 2: FVS318v3 to FVS318v3 with RSA Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1.

Click the Generate Request button to display the screen illustrated in Figure 6-11 below.
Figure 6-11: Generate Self Certificate Request menu
Fill in the fields on the Add Self Certificate screen. •...

– Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
– E-mail Address. You can enter your e-mail address here.
Click the Next button to continue. The FVS318v3 generates a Self Certificate Request as shown below.

When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FVS318v3” Self Certificate Request will be listed, as illustrated in Figure 6-13 below.

You will now see the “FVS318v3” entry in the Active Self Certificates table and the pending “FVS318v3” Self Certificate Request is gone, as illustrated below.
Figure 6-14: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FVS318v3. Create a new IKE policy called Scenario_2 with all the same properties of Scenario_1 (see “Scenario 1 IKE Policy”...

Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a except that it uses the IKE policy called Scenario_2. Now, the traffic from devices within the range of the LAN subnet addresses on FVS318v3 A and Gateway B will be authenticated using the certificates rather than via a shared key.
Chapter 7 Maintenance
This chapter describes how to use the maintenance features of your FVS318v3 ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the main menu of the browser interface.

Viewing VPN Firewall Status Information
The Router Status menu provides status and usage information.

This screen shows the following parameters:
Table 7-1. FVS318v3 Status fields
Field / Description
System Name: The System Name assigned to the firewall.
Firmware Version: The firewall firmware version.
WAN Port: These parameters apply to the Internet (WAN) port of the firewall.
MAC Address: The MAC address used by the Internet (WAN) port of the firewall.

Click Show WAN Status to display the WAN connection status.
Figure 7-2: WAN Connection Status screen
This screen shows the following statistics:
Table 7-1. Connection Status fields
Field / Description
Connection Time: The length of time the firewall has been connected to your Internet service provider’s network.

Click Show Statistics to display firewall usage statistics.
Figure 7-3: Router Statistics screen
This screen shows the following statistics:
Table 7-1. Router Statistics fields
Field / Description
Interface: The statistics for the WAN (Internet), LAN (local), 802.11a, and 802.11b/g interfaces. For each interface, the screen displays:
Status: The link status of the interface.

WAN Status action buttons are described in the table below:
Table 7-2. Connection Status action buttons
Field / Description
Set Interval: Enter a time and click the button to set the polling frequency.
Stop: Click the Stop button to freeze the polling information.

NETGEAR. Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file before sending it to the firewall. The upgrade file can be sent to the firewall using your browser.

Configuration File Management
The configuration settings of the FVS318v3 VPN Firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings.

9-7.
Changing the Administrator Password
The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. From the main menu of the browser interface, under the Maintenance heading, select Set Password to bring up this menu.
Chapter 8 Advanced Configuration
This chapter describes how to configure the advanced features of your FVS318v3 ProSafe VPN Firewall. These features can be found under the Advanced heading in the main menu of the browser interface.

How to Configure Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).

Type the password (or key) for your dynamic DNS account. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. Click Apply to save your configuration.

Configuring LAN TCP/IP Setup Parameters
The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall’s default LAN IP configuration is: •...

Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.

Using the Firewall as a DHCP server
By default, the firewall functions as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to...

Using Address Reservation
When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings.

Figure 8-2: Static Routes table
To add or edit a Static Route: Click the Add button to open the Add/Edit menu, shown below.
Figure 8-3: Static Route Entry and Edit menu
Type a route name for this static route in the Route Name box. (This is for identification purposes only.) Select Private if you want to limit access to the LAN only.

Type a number between 1 and 15 as the Metric value. This represents the number of firewalls between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. Click Apply to have the static route entered into the table.

Note: Be sure to change the firewall’s default configuration password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.

Tip: If you are using a dynamic DNS service such as TZO, you can always identify the IP address of your FVS318v3 by running TRACERT from the Windows Start menu Run option. For example, type tracert yourFVS318v3.mynetgear.net and you will see the IP address your ISP assigned to the FVS318v3.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.

LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on briefly and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: •...

Troubleshooting the Web Configuration Interface
If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous section.

Web Configuration Manager. To check the WAN IP address:
Launch your browser and select an external site such as http://www.netgear.com
Access the main menu of the firewall’s configuration at http://192.168.0.1
Under the Maintenance heading, select Router Status
Check that an IP address is shown for the WAN Port
If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.

Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “How to Manually Configure Your Internet Connection” on page 3-12. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: •...

If the path is working, you see this message:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems: •...

— If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
Appendix A Technical Specifications
This appendix provides technical specifications for the FVS318v3 ProSafe VPN Firewall.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe:...

Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx, RJ-45
Appendix B Network, Routing, and Firewall Basics
This appendix provides an overview of IP networks, routing, and networking.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.

What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network.

The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network.

• Class C
Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.

As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a forward slash (/), as “/n.”...

Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address.

Table B-2. Netmask formats
255.255.0.0
255.255.255.0
255.255.255.128
255.255.255.192
255.255.255.224
255.255.255.240
255.255.255.248
255.255.255.252
255.255.255.254
255.255.255.255
Configure all hosts on a LAN segment to use the same netmask for the following reasons:
• So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.
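The netmask arithmetic described above (the “/n” prefix form, shifting bits between the host and network parts, and the all-ones host part that forms the local broadcast address) worked through in Python. This is an added example and not code from the NETGEAR manual. The addresses it uses are the firewall’s default LAN values given elsewhere in this manual (192.168.0.1 with 255.255.255.0) plus a constructed, deliberately mistyped netmask of 255.255.255.128 on one PC, which shows why hosts on one segment must agree on the mask: the two hosts compute different broadcast addresses. The ipaddress module is used only as an independent cross-check of the hand-rolled arithmetic.

```python
# Added example (not from the NETGEAR manual): netmask <-> /n conversion and the
# network/broadcast derivation the text describes, implemented with plain bit
# operations so each step is visible.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Pack a dotted-decimal IPv4 address into a 32-bit integer."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_netmask(n: int) -> str:
    """/n -> dotted netmask: n ones from the left, then zeros."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((ALL_ONES << (32 - n)) & ALL_ONES)


def netmask_to_prefix(mask: str) -> int:
    """Dotted netmask -> /n; reject masks whose ones are not contiguous."""
    m = ip_to_int(mask)
    n = bin(m).count("1")
    if m != ((ALL_ONES << (32 - n)) & ALL_ONES):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return n


def network_address(addr: str, mask: str) -> str:
    """Network part: host bits cleared."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def broadcast_address(addr: str, mask: str) -> str:
    """Local broadcast: the network address with all ones in the host part."""
    m = ip_to_int(mask)
    return int_to_ip((ip_to_int(addr) & m) | (~m & ALL_ONES))


def same_segment(a: str, b: str, mask: str) -> bool:
    """Two hosts share a segment when they agree on the network address."""
    return network_address(a, mask) == network_address(b, mask)


def describe_host(addr: str, mask: str) -> dict:
    """What a host configured with this address/netmask believes about its segment."""
    return {
        "prefix": netmask_to_prefix(mask),
        "network": network_address(addr, mask),
        "broadcast": broadcast_address(addr, mask),
    }


def matches_stdlib(addr: str, mask: str) -> bool:
    """Cross-check the hand-rolled arithmetic against the ipaddress module."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    d = describe_host(addr, mask)
    return (d["prefix"] == net.prefixlen
            and d["network"] == str(net.network_address)
            and d["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    # Constructed sample: the firewall's default LAN (192.168.0.1, 255.255.255.0)
    # and one PC whose netmask was mistyped as 255.255.255.128. The PC derives a
    # different broadcast address (.127 instead of .255), which is the mismatch
    # the manual warns about.
    print("firewall:", describe_host("192.168.0.1", "255.255.255.0"))
    print("mistyped PC:", describe_host("192.168.0.50", "255.255.255.128"))
    for n in (16, 24, 25, 26, 27, 28, 29, 30, 31, 32):
        print(f"/{n} = {prefix_to_netmask(n)}")
```

Running the block prints the table of prefix lengths alongside the dotted masks listed in Table B-2, and shows that the mistyped PC believes its segment is 192.168.0.0/25 with broadcast 192.168.0.127 while the firewall uses 192.168.0.255.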
Single IP Address Operation Using NAT
In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router.

Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...

When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.

What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.

Table B-3. UTP Ethernet cable wiring, straight-through
Wire color / Signal
Orange/White: Transmit (Tx) +
Orange: Transmit (Tx) -
Green/White: Receive (Rx) +
Blue: (not used)
Blue/White: (not used)
Green: Receive (Rx) -
Brown/White: (not used)
Brown: (not used)
Category 5 Cable Quality
Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows: 20 ft.

Inside Twisted Pair Cables
For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device.

Figure B-6: Category 5 UTP cable with male RJ-45 plug at each end
Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.

The FVS318v3 VPN Firewall incorporates Auto Uplink technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub).
Appendix C Virtual Private Networking
There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.

• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.

• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
Encapsulating Security Payload (ESP)
ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.

The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.

Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.

This appendix provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.

VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.

Table C-1. WAN (Internet/public) and LAN (internal/private) addressing
Gateway / LAN or WAN / VPNC Example Address
Gateway A / LAN (Private) / 10.5.6.1
Gateway A / WAN (Public) / 14.15.16.17
Gateway B / LAN (Private) / 22.23.24.25
Gateway B / WAN (Public) / 172.23.9.1
You need to know the subnet mask of both gateway LAN connections.

Figure C-5: VPN tunnel (VPN Gateway A, VPN Tunnel, VPN Gateway B)
Security Association (SA)
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.

IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties.

LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: •...

Relevant RFCs listed numerically:
• [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
• [RFC 1058] Routing Information Protocol, C. Hedrick, Rutgers University, June 1988.
•...
Appendix D Preparing Your Network
This appendix describes how to prepare your network to connect to the Internet through the FVS318v3 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of...

In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address.

You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

If you need Client for Microsoft Networks:
Click the Add button.
Select Client, and then click Add.
Select Microsoft.
Select Client for Microsoft Networks, and then click OK.
Restart your PC for the changes to take effect.
Enabling DHCP to Automatically Configure TCP/IP Settings
After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network.

Verify the following settings as shown:
• Client for Microsoft Networks exists
• Ethernet adapter is present
• TCP/IP is present
• Primary Network Logon is set to Windows logon
Click on the Properties button. The following TCP/IP Properties window will display.

• By default, the IP Address tab is open on this window.
• Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.

From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...

Then, restart your PC.
Enabling DHCP to Automatically Configure TCP/IP Settings
You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.

• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics.
• Administrator logon access rights are needed to use this window.
•...

• Verify that the Obtain an IP address automatically radio button is selected.
• Verify that the Obtain DNS server address automatically radio button is selected.
• Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP.

• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections.
• Right click on Local Area Connection and select Properties.
•...

• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box.
• Verify that
• Obtain an IP address automatically is selected.
• Obtain DNS server address automatically is selected.

DHCP Configuration of TCP/IP in Windows NT4
Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. •...

• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.0.2 and 192.168.0.254 •...
Reference Manual for the ProSafe VPN Firewall FVS318v3 • The default gateway is 192.168.0.1 Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x From the Apple menu, select Control Panels, then TCP/IP.
TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: •...
Reference Manual for the ProSafe VPN Firewall FVS318v3 Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
Reference Manual for the ProSafe VPN Firewall FVS318v3 • An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account’s full server names may look like this: mail.xxx.yyy.com In this example, the domain suffix is...
Reference Manual for the ProSafe VPN Firewall FVS318v3 If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses.
Reference Manual for the ProSafe VPN Firewall FVS318v3 Restarting the Network Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS318v3 VPN Firewall.
Appendix E
VPN Configuration of NETGEAR FVS318v3
This is a case study on how to configure a secure IPSec VPN tunnel on a NETGEAR FVS318v3. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). This study covers the following situations: •...
Use the VPN Wizard to configure this router. Enter the requested information as prompted by the VPN Wizard.
Note: The WAN and LAN IP addresses must be unique at each end of the VPN tunnel.
Step 4: Enter the following:
• Remote LAN IP Address
• Remote LAN Subnet Mask
Figure E-2: NETGEAR’s VPN Wizard for the router at each gateway (part 1 of 2)
Step 5: Verify the information (example screen)
Figure E-3: NETGEAR’s VPN Wizard for the router at Gateway A (part 2 of 2)
Note: The default login address for the FVS318v3 router is http://192.168.0.1 with the default user name of admin and default password of password.
Figure E-4: Testing Flowchart
All traffic from the range of LAN IP addresses specified on the router at Gateway A and the router at Gateway B will now flow over a secure VPN tunnel.
1. Log in to the FVS318v3 labeled Gateway A as in the illustration (Figure E-5). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen).
• Pre-Shared Key: 12345678 (in this example), must be the same at both VPN tunnel endpoints
• Remote WAN IP address: 14.15.16.17 (in this example), must be unique at each VPN tunnel endpoint
Gateway A VPN Parameter Entry (continue as shown in Figure E-3)
Gateway B VPN Parameter Entry (continue as shown in Figure E-3)
Figure E-6: VPN parameter entry at Gateway A (FVS318v3) and Gateway B (FVS318v3)
(VPNC). The policy definitions to manage VPN traffic on the FVS318v3 are presented in Figure E-7 and Figure E-8.
Gateway A VPN Policy Parameters
Gateway B VPN Policy Parameters
Figure E-7: VPN policies at Gateway A (FVS318v3) and Gateway B (FVS318v3)
The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints.
The log screen displays a history of the VPN connections, and the IPSec SA and IKE SA tables report the status and data transmission statistics of the VPN tunnels for each policy.
VPN Status at Gateway B (FVS318v3)
Status of VPN tunnel from Gateway A 22.23.24.25
Status of VPN tunnel to Gateway A
Figure E-9: VPN Status for the FVS318v3 routers at Gateway A and Gateway B
(Figure E-10). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen).
• Pre-Shared Key: 12345678 (in this example), must be the same at both VPN tunnel endpoints
• Remote WAN IP address: 14.15.16.17 (in this example), must be unique at each VPN tunnel endpoint
Gateway A VPN Parameter Entry (continue as shown in Figure E-3)
Gateway B VPN Parameter Entry (continue as shown in Figure E-3)
Figure E-11: VPN parameter entry at Gateway A (FVS318v3) and Gateway B (FVS318v2)
Viewing and Editing the VPN Parameters
The VPN Wizard sets up a VPN tunnel using the default parameters from the VPN Consortium (VPNC). The policy definitions to manage VPN traffic are presented in Figure E-12.
Gateway A VPN Parameters (FVS318v3)
Gateway B VPN Parameters (FVS318v2)
Figure E-12: VPN Parameters at Gateway A (FVS318v3) and Gateway B (FVS318v2)
You may have to run this test several times before you get the reply message back from the target FVS318v2. At this point the gateway-to-gateway connection is verified.
22.23.24.25
IPSec Connection Status at Gateway B (FVS318v2)
Status of VPN tunnel to and from Gateway A
Figure E-13: VPN Status for the routers at Gateway A (FVS318v3) and Gateway B (FVS318v2)
(Figure E-14). Log in at the default address of http://192.168.0.1 with the default user name of admin and default password of password (or using whatever password and LAN address you have chosen).
• Pre-Shared Key: 12345678 (in this example), must be the same at both VPN tunnel endpoints
• Remote WAN IP address: 14.15.16.17 (in this example), must be unique at each VPN tunnel endpoint
Gateway A VPN Parameter Entry (continue as shown in Figure E-3)
Gateway B VPN Parameter Entry (continue as shown in Figure E-3)
Figure E-15: VPN parameter entry at Gateway A (FVS318v3) and Gateway B (FVL328)
(VPNC). The policy definitions to manage VPN traffic on the FVS318v3 and FVL328 are presented in Figure E-16 and Figure E-17.
Gateway A VPN Policy Parameters
Gateway B VPN Policy Parameters
Figure E-16: VPN policies at Gateway A (FVS318v3) and Gateway B (FVL328)
The remote WAN and LAN IP addresses for one VPN tunnel endpoint will be the local WAN and LAN IP addresses for the other VPN tunnel endpoint. The VPN Wizard ensures the other VPN parameters are the same at both VPN tunnel endpoints.
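The mirroring rule just stated, together with the requirements repeated for every Wizard entry above (the pre-shared key must match at both ends, the WAN and LAN addresses must be unique at each end), is easy to check before the ping test. The Python below is an added example, not code from the manual or from NETGEAR: the VpnEndpoint class, mirror_endpoint and check_tunnel_pair are this example's own names. The WAN addresses 22.23.24.25 and 14.15.16.17 and the key 12345678 are the appendix's example values; the two LAN ranges are constructed for the example.

```python
# Added example (not from the NETGEAR manual): consistency check for the mirrored
# parameters of a gateway-to-gateway IPSec tunnel as the appendix describes them.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class VpnEndpoint:
    """The tunnel parameters one gateway holds (field names are this example's own)."""
    name: str
    local_wan: IPv4Address
    local_lan: IPv4Network
    remote_wan: IPv4Address
    remote_lan: IPv4Network
    pre_shared_key: str


def mirror_endpoint(src: VpnEndpoint, name: str) -> VpnEndpoint:
    """Derive the far end's entry: local and remote swap, the pre-shared key stays."""
    return VpnEndpoint(
        name=name,
        local_wan=src.remote_wan,
        local_lan=src.remote_lan,
        remote_wan=src.local_wan,
        remote_lan=src.local_lan,
        pre_shared_key=src.pre_shared_key,
    )


def check_tunnel_pair(a: VpnEndpoint, b: VpnEndpoint) -> list[str]:
    """Return every rule the two entries violate; an empty list means they agree."""
    problems = []
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared key differs between the two endpoints")
    if a.local_wan == b.local_wan:
        problems.append("WAN IP address is not unique at each endpoint")
    if a.local_lan.overlaps(b.local_lan):
        problems.append("LAN IP ranges overlap; they must be unique at each endpoint")
    if a.remote_wan != b.local_wan:
        problems.append(f"{a.name} remote WAN {a.remote_wan} is not {b.name} local WAN {b.local_wan}")
    if b.remote_wan != a.local_wan:
        problems.append(f"{b.name} remote WAN {b.remote_wan} is not {a.name} local WAN {a.local_wan}")
    if a.remote_lan != b.local_lan:
        problems.append(f"{a.name} remote LAN {a.remote_lan} is not {b.name} local LAN {b.local_lan}")
    if b.remote_lan != a.local_lan:
        problems.append(f"{b.name} remote LAN {b.remote_lan} is not {a.name} local LAN {a.local_lan}")
    return problems


# WAN addresses and key are the appendix's example values; the LAN ranges are constructed.
GATEWAY_A = VpnEndpoint(
    name="Gateway A",
    local_wan=IPv4Address("22.23.24.25"),
    local_lan=IPv4Network("192.168.0.0/24"),
    remote_wan=IPv4Address("14.15.16.17"),
    remote_lan=IPv4Network("172.23.9.0/24"),
    pre_shared_key="12345678",
)
GATEWAY_B = mirror_endpoint(GATEWAY_A, "Gateway B")

# Two constructed misconfigurations the check should flag: a mistyped key at one end,
# and a remote LAN at Gateway B that does not match Gateway A's local LAN.
GATEWAY_B_BAD_KEY = replace(GATEWAY_B, pre_shared_key="12345677")
GATEWAY_B_WRONG_LAN = replace(GATEWAY_B, remote_lan=IPv4Network("192.168.1.0/24"))

if __name__ == "__main__":
    for other in (GATEWAY_B, GATEWAY_B_BAD_KEY, GATEWAY_B_WRONG_LAN):
        print(check_tunnel_pair(GATEWAY_A, other) or "OK")
```

Either mismatch leaves the ping test in the appendix timing out with no obvious cause, so checking the two entries against each other first saves a round of log reading.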
Test 3: View VPN Tunnel Status: To view the FVS318v3 and FVL328 event log and status of Security Associations, go to the FVS318v3 main menu VPN section and click the VPN Status link. For the FVL328, click VPN Status on the VPN Status/Log screen.
22.23.24.25
IPSec Connection Status at Gateway B (FVL328)
Status of VPN tunnel to and from Gateway A
Figure E-18: VPN Status for the routers at Gateway A (FVS318v3) and Gateway B (FVL328)
IKE with Preshared Secret/Key
Date Tested: November 2004
Model/Firmware Tested:
  NETGEAR-Gateway A: FVS318v3 with firmware version v3.0_14
  NETGEAR-Client B: NETGEAR ProSafe VPN Client v10.3.5
IP Addressing:
  NETGEAR-Gateway A: Static IP address
  NETGEAR-Client B: Dynamic IP address
Client-to-Gateway VPN Tunnel Overview...
Figure E-20):
• Connection Name: Scenario_1 (in this example)
• Pre-Shared Key: 12345678 (in this example), must be the same at both VPN tunnel endpoints
• Connection Type: A Remote VPN Client
Pre-Shared Key must be the same at both ends of the VPN tunnel
Select “A Remote VPN Client”
Figure E-20: VPN Wizard at Gateway A (FVS318v3)
Figure E-21: VPN parameters at Gateway A (FVS318v3)
Right-click the ProSafe icon in the system tray and select the Security Policy Editor. If you need to install the NETGEAR ProSafe VPN Client on your PC, consult the documentation that came with your software. Add a new connection using the Edit/Add/Connection menu and rename it Scenario_1.
Expand the Scenario_1 screen hierarchy by clicking the + sign in front of Scenario_1. Then expand the rest of the screen hierarchies by clicking the rest of the + signs.
Figure E-23: Scenario_1 connection screen parameters
E-24). (The Select Phase 1 Negotiation Mode choice must match the Exchange Mode setting for the General IKE Policy Configuration parameters shown in Figure E-21 for the gateway router.)
Figure E-24: Scenario_1 Security Policy screen parameters
(Domain Name must match the Remote Identity Data parameter of the IKE Policy Configuration screen shown in Figure E-21 for the gateway router.)
Pre-Shared Key must be the same at both ends of the VPN tunnel
Figure E-25: Scenario_1 My Identity screen parameters
You are now ready to activate the tunnel, but you must do it from the client endpoint (see “Initiating and Checking the VPN Connections” on page 36). In the client-to-gateway scenario, the gateway router will not know the client’s IP address until the client initiates the traffic.
This will cause a continuous ping to be sent to the LAN interface of Gateway A. Within two minutes, the ping response should change from timed out to reply. At this point the VPN-tunnel-endpoint-to-VPN-tunnel-endpoint connection is established.
Figure E-27: Scenario_1 connection launch from VPN Client PC
For the VPN Client, click VPN Status on the VPN Status/Log screen. Open the popup menu by right-clicking on the system tray icon. Select Connection Monitor. See Figure E-28 for the resulting status screens.
Gateway B 22.23.24.25
Connection Monitor at Gateway B (remote VPN Client)
Status of VPN tunnel to and from Gateway A
Figure E-28: VPN Status for Gateway A (FVS318v3) and Gateway B (VPN Client)
Glossary
List of Glossary Terms
Use the list below to find definitions for technical terms used in this manual.
Numeric
10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
802.1x
802.1x defines port-based network access control used to provide authenticated network access and automated data encryption key management.
Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network.
.com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain.
Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access.
IEEE
Institute of Electrical and Electronics Engineers. This American organization was founded in 1963 and sets standards for computers and communications.
IETF
Internet Engineering Task Force. An organization responsible for providing engineering solutions for TCP/IP networks.
IP Address
A four-byte number uniquely defining each host on the Internet, usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57). Ranges of addresses are assigned by Internic, an organization formed for this purpose.
Internet service provider.
Mbps
Megabits per second.
MDI/MDIX
In cable wiring, the concept of transmit and receive are from the perspective of the PC, which is wired as a Media Dependent Interface (MDI). In MDI wiring, a PC transmits on pins 1 and 2. At the hub, switch, router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2.
PPTP
Point-to-Point Tunneling Protocol. A method for establishing a virtual private network (VPN) by embedding Microsoft’s network protocol into Internet packets.
Protocol
A set of rules for communication between devices on a network.
PSTN
Public Switched Telephone Network.
Segment
A section of a LAN that is connected to the rest of the network using a switch, bridge, or repeater.
Subnet Mask
Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
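The Subnet Mask entry describes the decision a host makes for every outgoing packet: AND its own address and the destination with the mask, and if the two results agree the destination is local, otherwise the packet goes to the default gateway. The Python below is an added example, not part of the manual; it does that arithmetic by hand rather than through a library so the mask's role is visible, and it also rejects a mask whose 1 bits are not contiguous, a misconfiguration that makes the local/remote decision inconsistent. The function names and the host address 192.168.0.5 are this example's own; 192.168.0.1 is the manual's default gateway address and 134.177.244.57 the glossary's sample Internet address.

```python
# Added example (not from the NETGEAR manual): the arithmetic behind the Subnet Mask
# glossary entry. Equal (address & mask) results mean "local"; otherwise the packet is
# handed to the default gateway.

def dotted_to_int(addr: str) -> int:
    """Convert a dotted-decimal IPv4 string such as 192.168.0.1 to a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask: int) -> bool:
    """A subnet mask is a run of 1 bits followed only by 0 bits (255.255.255.0 is valid,
    255.255.0.255 is not). Inverting such a mask gives a value of the form 2**n - 1,
    and those are exactly the values x for which x & (x + 1) == 0."""
    inverted = ~mask & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def _mask_int(mask: str) -> int:
    m = dotted_to_int(mask)
    if not is_valid_mask(m):
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    return m


def prefix_length(mask: str) -> int:
    """255.255.255.0 -> 24, the CIDR form of the same mask."""
    return bin(_mask_int(mask)).count("1")


def network_of(addr: str, mask: str) -> str:
    """The network address: the host's address with the host bits cleared by the mask."""
    return int_to_dotted(dotted_to_int(addr) & _mask_int(mask))


def next_hop(local_ip: str, mask: str, gateway: str, destination: str) -> str:
    """Where the host sends the frame: straight to the destination if it is on the same
    subnet, otherwise to the gateway/router, which forwards it on."""
    m = _mask_int(mask)
    if (dotted_to_int(local_ip) & m) == (dotted_to_int(destination) & m):
        return destination
    return gateway


if __name__ == "__main__":
    # 192.168.0.5 is a constructed host address on the manual's default 192.168.0.x LAN.
    for dst in ("192.168.0.77", "134.177.244.57"):
        print(dst, "->", next_hop("192.168.0.5", "255.255.255.0", "192.168.0.1", dst))
```

A host whose mask is wider than the real subnet treats remote addresses as local and never sends them to the gateway, which is why the manual has you confirm the mask along with the gateway address when checking each computer's TCP/IP settings.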
A Web proxy server is a specialized HTTP server that allows clients access to the Internet from behind a firewall. The proxy server listens for requests from clients within the firewall and forwards these requests to remote Internet servers outside the firewall.