
Netgear FVL328

NETGEAR FVL328 Cable/DSL ProSafe High-Speed VPN Firewall Router - EN, Fast EN

External, Firewall protection, DMZ port, DHCP support, NAT support, VPN support, auto-uplink (auto MDI/MDI-X), Stateful Packet Inspection (SPI), DoS attack…

Drive down the total cost of your network with NETGEAR's FVL328 ProSafe High-Speed VPN Firewall. For little more than the price of a typical NAT router, you get a completely equipped high-performance, broadband-capable Virtual Private Network (VPN) firewall. A low cost device that's high on security, this true firewall provides Denial of Service (DoS) protection and Intrusion Detection using Stateful Packet Inspection (SPI), URL access and content filtering, logging, reporting, and real-...



User reviews and opinions


Comments to date: 12.
srocher 9:24pm on Sunday, October 31st, 2010 
Seems like someone should be able to build a reliable Gigabit firewall router. The Cisco RVS4000 has different stability issues.
bonetm 12:11pm on Sunday, October 10th, 2010 
This was the first firewall I had to install and setup. The installation part was easy, but the configuration was another story.
altborusse 10:42pm on Saturday, September 25th, 2010 
Refurbished Netgear FVS318 - Not Supported! I thought I would save some money on this product by purchasing a refurbished unit.
wjp.reg 1:34pm on Sunday, September 5th, 2010 
Bought to replace a router and switch in a small office. Old router had failed and desperately wanted to reduce some of the mess under the desk.
charlyzona 1:30pm on Monday, August 23rd, 2010 
Stable and feature rich router at a good price I am the sole IT person for a company that has several branch offices and they are all equipped with on... It is slow. With Netgear Prosafe VPN Firewall 8 FVS318 I get about 6 Mb/s download, using my computers firewall I get about 17 Mb/s download.
tbarina 4:36am on Wednesday, August 4th, 2010 
"I was given the FVS318 by one of my employers so that I would have the ability to get on their VPN. "Get It !!! It works and allows you worry free computing and connections to the network and internet. Small compact yet powerful.
togo59 12:51pm on Tuesday, July 27th, 2010 
I have to post what my first impressions are with this unit. I purchased FVS318 V3 to replace a 5 year old BEFS81 that had broken. This cut my download speed in half from 8Mb/sec to 4MB/sec.
shakerlxxv 11:53pm on Saturday, July 3rd, 2010 
Do not buy unless an experienced network administrator. I am a web designer and so I am quite computer literate, but I am not a programmer. Not fit for purpose. I purchased the FVS318 v3 to enable VPN access to our network. However.
suoko 12:54am on Wednesday, June 23rd, 2010 
"This device ran circles around the equivalent Linksys RVS4000. The Netgear VPN client was easy to install and configure. "I bought the 4-port version (FVS114) due to issues with VPN over a Motorola SBG900 cable modem.
fict0n 7:10am on Wednesday, June 2nd, 2010 
It's a good product for a small business with 50/60 employees. Hi, I bought this product 15 days back for our office, and it's working fine.
Tami528 11:01pm on Thursday, May 27th, 2010 
I highly recommend anyone who has DSL or Cable Internet to have a Hardware Firewall. For the Home and small office user, this is the way to go.
tburcham 10:35am on Friday, May 21st, 2010 
Almost a good piece of kit For the average wired office or home network this is a good piece of kit. Not fit for purpose I purchased the Netgear VPN Client and FVS318 v3 to enable VPN access to our network. However.


Documents


Click Apply to save your settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Configuring for a Wizard-Detected Dynamic IP Account
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the Dynamic IP menu.
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.

If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select Use these DNS servers and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your computers after configuring the firewall.
The Router's MAC Address is the Ethernet MAC address that will be used by the firewall on the Internet port. If your ISP allows access from only one specific computer's Ethernet MAC address, select Use this MAC address. The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.

Note: Some ISPs will register the Ethernet MAC address of the network interface card in your computer when your account is first opened. They will then only accept traffic from the MAC address of that computer. This feature allows your firewall to masquerade as that computer by using its MAC address.
Configuring for a Wizard-Detected Fixed IP (Static) Account
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the Fixed IP menu.
Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP that you recorded in Worksheet for Recording Your Internet Connection Information on page C-3. Enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your computers after configuring the firewall for these settings to take effect.

Using the Block Sites Menu to Screen Content
The FVL328 allows you to restrict access based on the following categories:
- Use of a proxy server
- Type of file (Java, ActiveX, Cookie)
- Web addresses
- Web address keywords
5-1 May 2004, 202-10030-02

Protecting Your Network

Many Web sites will not function correctly if these components are blocked. These options are discussed below. The Keyword Blocking menu is shown here.
Figure 5-1: Block Sites menu
To enable filtering, click the checkbox next to the type of filtering you want to enable. The filtering choices are:
- Proxy: blocks use of a proxy server
- Java: blocks use of Java applets
- ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows
- Cookies: blocks all cookies
To enable keyword blocking, check Turn keyword blocking on, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.

Keyword application examples: If the keyword XXX is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX. If the keyword .com is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed. If you want to block all Internet browsing access, enter the keyword "." (a single period).
Up to 255 entries are supported in the Keyword list.
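The matching rule in the examples above (a keyword blocks any URL or newsgroup name that contains it, regardless of case, and only for the groups the blocking is applied to) can be written down as a small filter. This is an added illustration, not NETGEAR's firmware; the class, method and group names are constructed for the example.

```python
"""Keyword and domain blocking with the matching rule the Block Sites
section describes: a keyword blocks any URL or newsgroup name that contains
it, the comparison ignores case, and the blocker only applies to the groups it
was enabled for. Added illustration, not NETGEAR firmware; the class, method
and group names are constructed."""

MAX_KEYWORDS = 255  # the Keyword list holds up to 255 entries


class KeywordBlocker:
    def __init__(self, apply_to_groups):
        # Groups (from the Network Database) that keyword blocking covers.
        self.groups = set(apply_to_groups)
        self.keywords = []

    def add_keyword(self, keyword):
        """Add a keyword or domain. Returns False when the list is full."""
        kw = keyword.strip().lower()
        if not kw:
            raise ValueError("empty keyword")
        if kw in self.keywords:
            return True
        if len(self.keywords) >= MAX_KEYWORDS:
            return False
        self.keywords.append(kw)
        return True

    def delete_keyword(self, keyword):
        self.keywords.remove(keyword.strip().lower())

    def matching_keyword(self, target):
        """First keyword contained in the URL or newsgroup name, else None.
        Plain substring matching is what makes ".com" block every .com site
        and "." block everything."""
        t = target.lower()
        for kw in self.keywords:
            if kw in t:
                return kw
        return None

    def is_blocked(self, target, group):
        """True if the requesting PC's group is covered and a keyword matches."""
        if group not in self.groups:
            return False
        return self.matching_keyword(target) is not None


if __name__ == "__main__":
    blocker = KeywordBlocker(apply_to_groups={"Default"})
    blocker.add_keyword("XXX")
    print(blocker.is_blocked("http://www.badstuff.com/xxx.html", "Default"))
```

Because the match is a plain substring test, a short keyword over-blocks: ".com" also matches a path such as /commerce/ on an .edu site, and a single "." matches every address. Keep keywords as specific as the policy allows and check the Network Database groups the blocking is applied to, since the Web Components settings apply to all PCs but keyword blocking does not.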
Apply Keyword Blocking to Groups
Select the Groups you wish to apply the Keyword Blocking to. To manage these groups, use the Network Database screen on the Maintenance menu. The Web Components settings always apply to all PCs.
Services and Rules Regulate Inbound and Outbound Traffic
The FVL328 Prosafe High Speed VPN Firewall lets you regulate what ports are available to the various TCP/IP protocols. Follow these two steps to configure inbound or outbound traffic:
1. Define a Service.
2. Set up an Inbound or Outbound Rule that uses the Service.
These steps are discussed below.

Defining a Service

Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.

Although the FVL328 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined. To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, go to the Services menu and click on the Add Custom Service button. The Add Services menu will appear. To add a service:

Field / Description

IKE Policy

Remote VPN Endpoint

IPSec PFS

PFS Key Group

Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.

Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from your network address space. The choices are:
- ANY for all valid IP addresses in the Internet address space. Note: Choosing ANY sends all traffic through the tunnel, which will eliminate activities such as Web access.
- Single IP Address
- Range of IP Addresses
- Subnet Address

Remote IP: The drop-down menu allows you to configure the destination IP address of the outbound network traffic for which this VPN policy will provide security. Usually, this address will be from the remote site's corporate network address space. The choices are:
- ANY for all valid IP addresses in the Internet address space. Note: Choosing ANY sends all traffic to the WAN through the tunnel, preventing, for example, remote management or response to ping.
- Single IP Address
- Range of IP Addresses
- Subnet Address

Authenticating Header (AH) Configuration: AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN endpoint.
- Enable Authentication: Use this check box to enable or disable AH for this VPN policy.
- Authentication Algorithm: If you enable AH, then select the authentication algorithm: MD5 (the default) or SHA1 (more secure).

Encapsulated Security Payload (ESP) Configuration: ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication. Two ESP modes are available: plain ESP encryption, or ESP encryption with authentication. These settings must match the remote VPN endpoint.
- Use this check box to enable or disable ESP Encryption. If you enable ESP encryption, then select the encryption algorithm: DES (the default) or 3DES (more secure).
- Use this check box to enable or disable the ESP transform for this VPN policy. If you enable it, then use this menu to select which authentication algorithm will be employed. The choices are: MD5 (the default) or SHA1 (more secure).
- Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel. The NetBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.

You can assign PCs to Groups, and apply restrictions to each Group, using the Firewall Rules screen. You can also select the Groups to be covered by the Block Sites feature. If necessary, you can also create Firewall Rules to apply to a single PC. Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address.

Known PCs and Devices

This table lists all current entries in the Network Database. For each PC or device, the following data is displayed.
- Radio button: Use this to select a PC for editing or deletion.
- Name: The name of the PC or device. Sometimes this cannot be determined, and it will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
- IP Address: The current IP address. For DHCP clients, where the IP address is allocated by the DHCP Server in this device, this IP address will not change. Where the IP address is set on the PC (as a fixed IP address), you may need to update this entry manually if the IP address on the PC is changed.
- MAC Address: The MAC address of the PC. The MAC address is a low-level network identifier which is fixed at manufacture.
- Group: Each PC or device must be in a single group. The Group column indicates which group each entry is in. By default, all entries are in the Default group (the D column).

Operations

- Group Assignment: You can select a group for any entry by clicking the desired radio button in the Group column.
- Adding a new Entry: If a PC is not connected, uses a fixed IP, or is on a different LAN segment, it may not be listed. In this case, you can add it by clicking the Add button.
- Editing an Entry: You can edit an entry by selecting its radio button and clicking the Edit button.
- Deleting an Entry: If a PC or device has been removed from your network, you can delete it from the database by selecting its radio button and clicking the Delete button.

Network Management

The FVL328 provides remote management access and a variety of status and usage information which is discussed below.
How to Configure Remote Management

Local or Internet Port Link LEDs Not On
If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following:
- Make sure that the Ethernet cable connections are secure at the firewall and at the hub or computer.
- Make sure that power is turned on to the connected hub or computer.
- Be sure you are using the correct cable: when connecting the firewall's Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.
Troubleshooting the Web Configuration Interface
If you are unable to access the firewall's Web Configuration interface from a computer on your local network, check the following:
- Check the Ethernet connection between the computer and the firewall as described in the previous section.
- Make sure your computer's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your computer's address should be in the range of 192.168.0.2 to 192.168.0.254. Refer to Verifying TCP/IP Properties on page C-7 or Configuring the Macintosh for TCP/IP Networking on page C-9 to find your computer's IP address. Follow the instructions in Appendix C to configure your computer.
Note: If your computer's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the firewall and reboot your computer.
- If your firewall's IP address has been changed and you don't know the current IP address, clear the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.0.1. This procedure is explained in How to Use the Default Reset Button on page 8-7.
- Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
- Try quitting the browser and launching it again.
- Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.

What is a Firewall?

A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur. When an incident is detected, the firewall can log details of the attempt, and can optionally send e-mail to an administrator notifying them of the incident. Using information from the log, the administrator can take action with the ISP of the hacker. In some types of intrusions, the firewall can fend off the hacker by discarding all further packets from the hacker's IP address for a period of time.
Stateful Packet Inspection
Unlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to ensure secure firewall filtering to protect your network from attacks and intrusions. Since user-level applications such as FTP and Web browsers can create complex patterns of network traffic, it is necessary for the firewall to analyze groups of network connection states. Using stateful packet inspection, an incoming packet is intercepted at the network layer and then analyzed for state-related information associated with all network connections. A central cache within the firewall keeps track of the state information associated with all network connections. All traffic passing through the firewall is analyzed against the state of these connections in order to determine whether or not it will be allowed to pass through or be rejected.
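The two ideas from the Services and Rules section and the Stateful Packet Inspection section fit together in one small model: services name port ranges, rules match a packet's direction and destination port against a service, and a connection-state cache lets the reply to an allowed connection back through without a rule of its own. The following is an added example and not the FVL328's implementation; the dataclasses, the rule fields and the sample packets are constructed (the addresses and ports echo the log samples elsewhere on the page).

```python
"""Service definitions, inbound/outbound rules and a connection-state cache,
illustrating "define a service, then a rule that uses it" together with
stateful packet inspection. Added example, not NETGEAR code; all names, the
rule fields and the sample packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str        # "TCP" or "UDP"
    first_port: int
    last_port: int

    def matches(self, protocol, port):
        return protocol == self.protocol and self.first_port <= port <= self.last_port


@dataclass(frozen=True)
class Rule:
    direction: str       # "inbound" (WAN -> LAN) or "outbound" (LAN -> WAN)
    service: Service
    action: str          # "ALLOW" or "BLOCK"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_inf: str         # interface the packet arrived on: "LAN" or "WAN"


class StatefulFirewall:
    def __init__(self, rules, default_inbound="BLOCK", default_outbound="ALLOW"):
        self.rules = list(rules)
        self.defaults = {"inbound": default_inbound, "outbound": default_outbound}
        # Central cache of connection state, keyed by the 5-tuple of the
        # packet that opened the connection.
        self.state = set()

    @staticmethod
    def _key(p):
        return (p.protocol, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        return (p.protocol, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p):
        """Return (action, reason) for one packet, updating the state cache."""
        # A packet travelling the reverse path of a known connection is the
        # reply to traffic already allowed, so it passes without a rule.
        if self._reverse_key(p) in self.state:
            return "ALLOW", "state match"
        direction = "inbound" if p.src_inf == "WAN" else "outbound"
        for n, rule in enumerate(self.rules, 1):
            if rule.direction == direction and rule.service.matches(p.protocol, p.dst_port):
                if rule.action == "ALLOW":
                    self.state.add(self._key(p))
                return rule.action, "%s rule(%d) match" % (direction, n)
        action = self.defaults[direction]
        if action == "ALLOW":
            self.state.add(self._key(p))
        return action, "%s default rule match" % direction


# Constructed services and rules: only FTP control is opened inbound.
FTP_CONTROL = Service("FTP Control", "TCP", 21, 21)
RULES = [Rule("inbound", FTP_CONTROL, "ALLOW")]


def demo():
    """Run five constructed packets through the firewall; returns the decisions."""
    fw = StatefulFirewall(RULES)
    packets = [
        Packet("TCP", "192.168.0.10", 3472, "216.239.39.99", 80, "LAN"),   # LAN Web request
        Packet("TCP", "216.239.39.99", 80, "192.168.0.10", 3472, "WAN"),   # its reply
        Packet("TCP", "172.31.12.156", 80, "192.168.0.10", 3472, "WAN"),   # unsolicited, same ports
        Packet("TCP", "172.31.12.156", 34239, "192.168.0.10", 21, "WAN"),  # FTP control, rule 1
        Packet("UDP", "172.31.12.233", 138, "172.31.12.255", 138, "WAN"),  # NetBIOS datagram
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third packet is the instructive one: it uses the same ports as the legitimate reply but comes from a different address, so the reverse 5-tuple is not in the cache and the inbound default applies. A real implementation would also expire cache entries and track TCP flags; the point here is only the lookup order: state first, then rules, then the per-direction default.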

Denial of Service Attack

A hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely flooding your site with more requests than it can handle. A more sophisticated attack may attempt to exploit some weakness in the operating system used by your router or gateway. Some operating systems can be disrupted by simply sending a packet with incorrect length information.

Ethernet Cabling

Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring as described below in Table B-1.

Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of your firewall. Write down this information before reconfiguring your computers. Refer to Worksheet for Recording Your Internet Connection Information on page C-3 for further information.
What You Will Need Before You Begin
You need to prepare these three things before you can connect your firewall to the Internet:
1. A computer properly connected to the firewall as explained below.
2. Active Internet service such as that provided by a DSL or Cable modem account.
3. The Internet Service Provider (ISP) configuration information for your account.
LAN Hardware Requirements
The FVL328 Firewall connects to your LAN via twisted-pair Ethernet cables. To use the FVL328 Firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall. The broadband modem must provide a standard 10 Mbps 10BASE-T or 100 Mbps 100BASE-T Ethernet interface.
LAN Configuration Requirements
For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP. The computer you use must have a Web browser such as Internet Explorer v5 or greater or Netscape Communicator v4.7 or greater.
Note: Please refer to Preparing Your Computers for TCP/IP Networking on page C-4 for assistance with DHCP configuration.
Internet Configuration Requirements
Depending on how your ISP or IT group set up your Internet access, you will need one or more of these configuration parameters to connect your firewall to the Internet:
- Host and Domain Names
- ISP Login Name and Password
- ISP Domain Name Server (DNS) Addresses
- Fixed or Static IP Address

Where Do I Get the Internet Configuration Parameters?

There are several ways you can gather the required Internet connection information. Your ISP should have provided you with all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below.

If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer. For Windows 95/98/Me, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. For Macintosh computers, open the TCP/IP or Network control panel.

You may also refer to the FVL328 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs.

Field List

<DATE><TIME>: Log's date and time
<EVENT>: Event that accesses the device, or accesses another host via the device
<PKT_TYPE>: Type of packet that passed the firewall
<SRC_IP><DST_IP>: IP address in the packet
<SRC_PORT><DST_PORT>: Port in the packet
<SRC_INF><DST_INF>: Includes `LAN` and `WAN` (optional)
<ACTION>: As referenced in the `Action List`
<DESCRIPTION>: A complement to the log (optional)
<DIRECTION>: Inbound and Outbound
<SERVICE>: Firewall customized service

Outbound Log

Outgoing packets that match the Firewall rules are logged.

The format is:

<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION> <DESCRIPTION>

[Fri, 2003-12-05 22:19:42] - UDP Packet - Source:172.31.12.233,138 ,WAN Destination:172.31.12.255,138 ,LAN [Drop] - [Inbound Default rule match]
[Fri, 2003-12-05 22:35:04] - TCP Packet - Source:172.31.12.156,34239 ,WAN Destination:192.168.0.10,21[FTP Control] ,LAN [Forward] - [Inbound Rule(1) match]
[Fri, 2003-12-05 22:35:11] - UDP Packet - Source:172.31.12.200,138 ,WAN Destination:172.31.12.255,138 ,LAN [Forward] - [Inbound Rule(1) not match]

Notes:
SRC_INF = WAN
DST_INF = LAN
DESCRIPTION = "Inbound rule match", "Inbound Default rule match"
PKT_TYPE = "UDP packet", "TCP connection", "ICMP packet"

Inbound Log

Incoming packets that match the Firewall rules are logged. The format is:

<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION> <DESCRIPTION>

[Fri, 2003-12-05 22:59:56] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN - Destination:192.168.0.1,WAN [Forward] - [Outbound Default rule match]
[Fri, 2003-12-05 23:00:58] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN - Destination:172.31.12.200,WAN [Forward] - [Outbound Default rule match]
[Fri, 2003-12-05 23:02:30] - TCP Packet - Source:192.168.0.10,3472 ,LAN Destination:216.239.39.99,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]

Notes:
SRC_INF = LAN
DST_INF = WAN
DESCRIPTION = "Outbound rule match", "Outbound Default rule match"
PKT_TYPE = "UDP packet", "TCP connection", "ICMP packet"

Other IP Traffic

Some special packets matching the Firewall rules, like VPN connection, etc. are logged.

<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_PORT> <SRC_INF> <DST_IP> <DST_PORT> <DST_INF> <ACTION> <DESCRIPTION>

[Wed, 2003-07-30 17:43:28] - IPSEC Packet - Source: 64.3.3.201, 37180 WAN Destination: 10.10.10.4,80[HTTP] LAN - [Drop] [VPN Packet]
[Wed, 2003-07-30 18:44:50] - IP Packet [Type Field: 321] - Source 18.7.21.69 192.168.0.3 - [Drop]

Notes:
DESCRIPTION = "VPN Packet"
PKT_TYPE = "GRE", "AH", "ESP", "IP packet [Type Field: Num]", "IPSEC"
ACTION = "Forward", "Drop"

Router Operation

Operations that the router initiates are logged. The format is:
<DATE> <TIME> <EVENT>

[Wed, 2003-07-30 16:30:59] - Log emailed
[Wed, 2003-07-30 13:38:31] - NETGEAR activated
[Wed, 2003-07-30 13:42:01] - NTP Reply Invalid

<DATE> <TIME> <EVENT> <DST_IP>
<DATE> <TIME> <EVENT> <SRC_IP>

[Wed, 2003-07-30 16:32:33] - Send out NTP Request to 207.46.130.100
[Wed, 2003-07-30 16:35:27] - Receive NTP Reply from 207.46.130.100

Other Connections and Traffic to this Router

<DATE> <TIME> <PKT_TYPE> <SRC_IP> <DST_IP> <ACTION>

[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 Destination:192.168.0.1 - [Receive]

<DATE> <TIME> <EVENT> <SRC_IP> <SRC_PORT> <SRC_INF> <DST_IP> <DST_PORT> <DST_INF> <ACTION>

[Wed, 2003-07-30 16:24:23] - UDP Packet - Source: 207.46.130.100 WAN Destination: 10.10.10.4,1234 LAN - [Drop]
[Wed, 2003-07-30 17:48:09] - TCP Packet[SYN] - Source: 64.3.3.201,65534 WAN Destination: 10.10.10.4,1765 LAN - [Receive]
[Fri, 2003-12-05 22:07:11] - IP Packet [Type Field:8], from 20.97.173.18 to 172.31.12.157 - [Drop]
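The inbound, outbound and IPSec entries in this appendix share one layout (timestamp, packet type, source with optional port and interface, destination with optional port, service name and interface, action, description), so a single parser covers them. The following is an added example, not NETGEAR code: the sample lines are the ones printed in this appendix, while the regular expression, the record keys and the summary function are my own. Entries in the other layouts (router operations, the "Type Field" IP packets) are counted as unparsed rather than guessed at.

```python
"""Parser and summary for the FVL328 inbound/outbound/IPSec log lines shown
in the Firewall Log Formats appendix. Added example, not NETGEAR code: the
sample lines are copied from the appendix; regex, record keys and the
summary are constructed for the example."""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r"^\[(?P<dow>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] - "
    r"(?P<ptype>\w+) Packet(?: \[(?P<sub>[^\]]*)\])? - "
    r"Source:\s*(?P<sip>[\d.]+),\s*(?:(?P<sport>\d+)\s*,?\s*)?(?P<sinf>LAN|WAN)\s*-?\s*"
    r"Destination:\s*(?P<dip>[\d.]+),\s*(?:(?P<dport>\d+)(?:\[(?P<svc>[^\]]*)\])?\s*,?\s*)?"
    r"(?P<dinf>LAN|WAN)\s*-?\s*\[(?P<action>\w+)\](?:\s*-?\s*\[(?P<desc>[^\]]*)\])?\s*$"
)

# Constructed sample: the six packet lines printed in this appendix plus one
# "Type Field" line in a layout the parser does not claim to understand.
SAMPLE_LOG = [
    "[Fri, 2003-12-05 22:19:42] - UDP Packet - Source:172.31.12.233,138 ,WAN Destination:172.31.12.255,138 ,LAN [Drop] - [Inbound Default rule match]",
    "[Fri, 2003-12-05 22:35:04] - TCP Packet - Source:172.31.12.156,34239 ,WAN Destination:192.168.0.10,21[FTP Control] ,LAN [Forward] - [Inbound Rule(1) match]",
    "[Fri, 2003-12-05 22:35:11] - UDP Packet - Source:172.31.12.200,138 ,WAN Destination:172.31.12.255,138 ,LAN [Forward] - [Inbound Rule(1) not match]",
    "[Fri, 2003-12-05 22:59:56] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN - Destination:192.168.0.1,WAN [Forward] - [Outbound Default rule match]",
    "[Fri, 2003-12-05 23:02:30] - TCP Packet - Source:192.168.0.10,3472 ,LAN Destination:216.239.39.99,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]",
    "[Wed, 2003-07-30 17:43:28] - IPSEC Packet - Source: 64.3.3.201, 37180 WAN Destination: 10.10.10.4,80[HTTP] LAN - [Drop] [VPN Packet]",
    "[Wed, 2003-07-30 18:44:50] - IP Packet [Type Field: 321] - Source 18.7.21.69 192.168.0.3 - [Drop]",
]


def parse_line(line):
    """Return a dict for one packet log line, or None if the layout differs."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "pkt_type": d["ptype"],
        "subtype": d["sub"],                 # e.g. "Echo Request" for ICMP
        "src_ip": d["sip"],
        "src_port": int(d["sport"]) if d["sport"] else None,
        "src_inf": d["sinf"],
        "dst_ip": d["dip"],
        "dst_port": int(d["dport"]) if d["dport"] else None,
        "service": d["svc"],                 # service name the firewall tagged
        "dst_inf": d["dinf"],
        "action": d["action"],               # Drop / Forward
        "description": d["desc"],            # which rule matched
    }


def summarize(lines):
    """Drops per source address, and which inbound (WAN -> LAN) packets were
    forwarded: the latter is the list of exposed services worth reviewing."""
    drops = Counter()
    forwarded_inbound = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] == "Drop":
            drops[rec["src_ip"]] += 1
        elif rec["action"] == "Forward" and rec["src_inf"] == "WAN" and rec["dst_inf"] == "LAN":
            forwarded_inbound.append((rec["dst_ip"], rec["dst_port"], rec["service"]))
    return {"drops": dict(drops), "forwarded_inbound": forwarded_inbound, "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Two details of the format matter for anyone scripting against it: the source port is absent for ICMP lines, and the separators vary between a comma-space and a space-only form (compare the UDP and IPSEC samples), so a split on commas will not do. The summary deliberately reports inbound forwards rather than only drops, because an unexpected entry there means a rule is exposing a LAN host.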

IPSec Security Association IKE VPN Tunnel Negotiation Steps

Figure E-6: IPSec SA negotiation (steps shown: 1) Communication request sent to VPN Gateway; 2) IKE Phase I authentication; 3) IKE Phase II negotiation; 4) Secure data transfer; 5) IPSec tunnel termination)
1. The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.

2. IKE Phase I.

The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. A shared master key is generated by the Diffie-Hellman Public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPSec keys for the SAs.

3. IKE Phase II.

The two parties negotiate the encryption and authentication algorithms to use in the IPSec SAs. The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created and exchanged, the IPSec SAs are ready to protect user data between the two VPN gateways.
4. Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.

5. IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.
VPNC IKE Security Parameters
It is important to remember that both gateways must have the identical parameters set for the process to work correctly. The settings in these examples follow the examples given for Scenario 1 of the VPN Consortium.
VPNC IKE Phase I Parameters
The IKE Phase 1 parameters used:
- Main mode
- TripleDES
- SHA-1
- MODP group 1
- Pre-shared secret of "hr5xb84l6aa9r6"
- SA lifetime of 28800 seconds (eight hours)
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
- TripleDES
- SHA-1
- ESP tunnel mode
- MODP group 1
- Perfect forward secrecy for rekeying
- SA lifetime of 28800 seconds (one hour)
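The two phases described in the negotiation steps, reduced to their key computations, look like the following. This is an added example and not NETGEAR or VPN Consortium code: it follows the pre-shared-key mode of RFC 2409 (SKEYID, SKEYID_d and KEYMAT as defined in section 5 of that RFC), uses HMAC-SHA1 as the prf and the 768-bit MODP group 1 prime because those are the Scenario 1 parameters listed above, and takes the pre-shared secret from the same list. The ISAKMP message exchange itself is omitted; cookies, nonces and the SPI are constructed values, and the ESP protocol identifier 3 is the IPsec DOI value. SHA-1 and group 1 are used here because the page specifies them, not as a recommendation.

```python
"""IKE Phase I and Phase II key derivation (pre-shared-key mode, RFC 2409
section 5) with the VPNC Scenario 1 parameters quoted on this page: SHA-1
as the prf, MODP group 1, PFS in Phase II. Added example, not NETGEAR or
VPNC code. Cookies, nonces and the SPI are constructed; the message flow
is reduced to the arithmetic both gateways perform."""
import hashlib
import hmac
import secrets

# 768-bit "First Oakley Group" prime (MODP group 1) from RFC 2409; generator 2.
MODP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
MODP1_G = 2
PRIME_BYTES = 96           # 768 bits, the width of g^xy when serialised
PROTO_IPSEC_ESP = 3        # IPsec DOI protocol identifier for ESP


def prf(key, data):
    """With the SHA-1 hash choice, IKE's prf is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Gateway:
    def __init__(self, psk):
        self.psk = psk.encode()
        # One ephemeral Diffie-Hellman exponent for Phase I and, because
        # perfect forward secrecy is on, a fresh one for Phase II.
        self.x1 = secrets.randbelow(MODP1_P - 2) + 1
        self.x2 = secrets.randbelow(MODP1_P - 2) + 1
        self.pub1 = pow(MODP1_G, self.x1, MODP1_P)
        self.pub2 = pow(MODP1_G, self.x2, MODP1_P)
        self.skeyid_d = None

    def phase1(self, peer_pub1, ni, nr, cky_i, cky_r):
        """Phase I: shared DH secret, SKEYID from the pre-shared key, SKEYID_d."""
        gxy = pow(peer_pub1, self.x1, MODP1_P).to_bytes(PRIME_BYTES, "big")
        skeyid = prf(self.psk, ni + nr)                        # PSK authentication
        self.skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        return self.skeyid_d

    def phase2(self, peer_pub2, protocol, spi, ni, nr):
        """Phase II with PFS: KEYMAT for one IPSec SA from a fresh DH secret."""
        gqm = pow(peer_pub2, self.x2, MODP1_P).to_bytes(PRIME_BYTES, "big")
        return prf(self.skeyid_d, gqm + bytes([protocol]) + spi + ni + nr)


def negotiate(psk_a, psk_b):
    """Run both phases between gateway A (initiator) and B (responder) and
    return the KEYMAT each side derives for the ESP SA. The two values agree
    only when both gateways hold the identical pre-shared secret."""
    a, b = Gateway(psk_a), Gateway(psk_b)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # Phase I nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    a.phase1(b.pub1, ni, nr, cky_i, cky_r)
    b.phase1(a.pub1, ni, nr, cky_i, cky_r)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)  # Phase II nonces
    spi = b"\x00\x00\x10\x01"                                   # constructed SPI
    return (a.phase2(b.pub2, PROTO_IPSEC_ESP, spi, ni2, nr2),
            b.phase2(a.pub2, PROTO_IPSEC_ESP, spi, ni2, nr2))


if __name__ == "__main__":
    ka, kb = negotiate("hr5xb84l6aa9r6", "hr5xb84l6aa9r6")
    print("KEYMAT agrees:", ka == kb)
```

The last function is the check the page's warning points at: with the same secret on both gateways the derived KEYMAT is identical, while a single differing character in the pre-shared secret changes SKEYID and therefore every key after it, even though the Diffie-Hellman exchange itself still completes. The Phase II exponent is separate from the Phase I one, which is what "perfect forward secrecy for rekeying" buys.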

Click Apply to save your changes. You will be taken back to the VPN Policies Menu page.
When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click Apply to save your changes.
Step-By-Step Configuration of the FVL328 Firewall
Note: The FVL328 Prosafe High Speed VPN Firewall has the ability to Import a predefined configuration profile. The FVL328.SPD file on the FVL328 Prosafe High Speed VPN Firewall Resource CD (230-10061-02) includes all the settings identified in this procedure.
Whenever importing policy settings, you should first export any existing settings you may have configured to prevent the new imported settings from replacing an existing working configuration. To import this policy, use the Security Policy Editor File menu to select Import Policy, and select the FVL328.SPD file at D:\Software\Policies where D is the drive letter of your CD-ROM drive.
This procedure describes linking a remote PC and a LAN. The LAN will connect to the Internet using an FVL328 with a static IP address. The PC can be directly connected to the Internet through dialup, cable or DSL modem, or other means, and we will assume it has a dynamically assigned IP address.
Install the FVL328 Firewall Software on the PC.
Note: Before installing the FVL328 Prosafe High Speed VPN Firewall software, be sure to turn off any virus protection or firewall software you may be running on your PC.
You may need to insert your Windows CD to complete the installation. Reboot your PC after installing the client software.
Configure the Connection Network Settings.
Figure G-4: Security Policy Editor New Connection
Run the Security Policy Editor program and create a VPN Connection.
Figure G-5: Security Policy Editor Options menu
Note: If the configuration settings on this screen are not available for editing, go to the Options menu, select Secure, and Specified Options to enable editing these settings.
From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears. Rename the New Connection to FVL328.
Ensure that the following settings are configured:
- In the Connection Security box, Secure is selected.
- In the Protocol menu, All is selected.
- The Connect using Secure Gateway Tunnel check box is selected.
In this example, select IP Subnet as the ID Type, 192.168.0.0 in the Subnet field (the Subnet address is the LAN IP Address of the FVL328 with 0 as the last number), and 255.255.255.0 in the Mask field, which is the LAN Subnet Mask of the FVL328. In the ID Type menus, select Domain Name and Gateway IP Address. Enter FVL328 in the Domain Name field. In this example, 66.120.188.153 would be used for the Gateway IP Address, which is the static IP address for the FVL328 WAN port.

Click the Dynamic DNS link on the left side of the Settings management GUI. Access the Web site of one of the dynamic DNS service providers whose names appear in the Use a dynamic DNS service list, and register for an account. For example, for dyndns.org, click the link or go to www.dyndns.org.
Figure H-2: Dynamic DNS Setup menu
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
Select the Use a dynamic DNS service radio button for the service you are using. In this example we are using www.DynDNS.org as the service provider. Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. In this example we are using dyndns.org as the domain suffix. Type the User Name for your dynamic DNS account. In this example we used netgear as the Host Name. This means that the complete FQDN we are using is netgear.dyndns.org and the Host Name is netgear. Type the Password (or key) for your dynamic DNS account.
Click Apply to save your configuration.
Note: The router supports only basic DDNS and the login and password may not be secure. If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
Click on the VPN Settings link on the left side of the Settings management GUI.
Figure H-3: NETGEAR FVS318 VPN Settings Pre-Configuration
Figure H-4: NETGEAR FVS318 VPN Settings (part 1) Main Mode
In the Connection Name box, enter a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used toFVL328. Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as the Remote IPSec Identifier. In this example we used netgear.dyndns.org (the FQDN) as the local identifier. Enter a Remote IPSec Identifier name for the remote NETGEAR FVL328 Gateway B. This name must be entered in the other endpoint as the Local IPSec Identifier. In this example we used 22.23.24.25 as the remote identifier. Choose a subnet from local address from the Tunnel can be accessed from pull-down menu. Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Local IP Local LAN start IP Address field. Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Local IP Local LAN finish IP Address field. Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local LAN IP Subnetmask field. Choose a subnet from local address from the Tunnel can access pull-down menu.

Figure H-11: NETGEAR FVL328 VPN Auto Policy (part 2)
From the Traffic Selector Remote IP drop-down box, select Subnet address. Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field. Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Remote IP Finish IP Address field. Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Remote IP Subnet Mask field. From the AH Configuration Authentication Algorithm drop-down box, select MD5. Select the Enable Encryption check box. From the ESP Configuration Encryption Algorithm drop-down box, select 3DES. Select the Enable Authentication check box. From the ESP Configuration Authentication Algorithm drop-down box, select MD5. Select the NETBIOS Enable check box.
Figure H-12: NETGEAR FVL328 VPN Policies Menu (Post Configuration)
1. From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the remote FVL328 Gateway B LAN Interface address (example address 172.23.9.1).
2. From the FVS318 or FVM318, click the Router Status link on the left side of the Settings management menu. Click the Show VPN Status button. This will take you to the IPSec Connection Status Screen. If the connection is functioning properly, the State fields will show Estab.
3. From the FVL328, click the VPN Status link under the VPN section of the main menu. The VPN Logs and status are displayed.

Glossary

10BASE-T: IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx: IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
3DES: 3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys.
IEEE 802.11b: IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz.
AH: Authentication Header.
CA: Certificate Authority. A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
CRL: Certificate Revocation List. Each Certificate Authority (CA) maintains a revoked certificates list.
DoS: A hacker attack designed to prevent your computer or network from operating or communicating.
DES: The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56 bit key. See also 3DES.
Diffie-Hellman: Diffie-Hellman shared secret algorithm. The Diffie-Hellman shared secret algorithm is a method for securely exchanging a shared secret between two parties, in real-time, over an untrusted network. A shared secret allows two parties, who may not have ever communicated previously, to encrypt their communications. As such, it is used by several protocols, including Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec).


iv M-10144-01

Subnet Addressing ... B-4
Private IP Addresses ... B-7
Single IP Address Operation Using NAT ... B-7
MAC Addresses and Address Resolution Protocol ... B-9
Related Documents ... B-9
Domain Name Server ... B-9
IP Configuration by DHCP ... B-10
Internet Security and Firewalls ... B-10
What is a Firewall? ... B-11
Stateful Packet Inspection ... B-11
Denial of Service Attack ... B-11
Ethernet Cabling ... B-12
Uplink Switches and Crossover Cables ... B-12
Cable Quality ... B-13
Appendix C Preparing Your Network
Preparing Your Computers for TCP/IP Networking ... C-1
Configuring Windows 95, 98, and Me for TCP/IP Networking ... C-2
Install or Verify Windows Networking Components ... C-2
Enabling DHCP to Automatically Configure TCP/IP Settings ... C-4
Selecting Windows Internet Access Method ... C-4
Verifying TCP/IP Properties ... C-5
Configuring Windows NT, 2000 or XP for IP Networking ... C-5
Installing or Verifying Windows Networking Components ... C-5
Verifying TCP/IP Properties ... C-6
Configuring the Macintosh for TCP/IP Networking ... C-6
MacOS 8.6 or 9.x ... C-6
MacOS X ... C-7
Verifying TCP/IP Properties for Macintosh Computers ... C-8
Verifying the Readiness of Your Internet Account ... C-9
Are Login Protocols Used? ... C-9
What Is Your Configuration Information? ... C-9
Obtaining ISP Configuration Information for Windows Computers ... C-10
Obtaining ISP Configuration Information for Macintosh Computers ... C-11
Restarting the Network ... C-12
Appendix D Firewall Log Formats
Action List ... D-1
Field List ... D-1
Outbound Log ... D-1
Inbound Log ... D-2
Other IP Traffic ... D-2
Router Operation ... D-3
Other Connections and Traffic to this Router ... D-4
DoS Attack/Scan ... D-4
Access Block Site ... D-6
All Web Sites and News Groups Visited ... D-6
System Admin Sessions ... D-6
Policy Administration LOG ... D-7
Appendix E Virtual Private Networking
What is a VPN? ... E-1
What Is IPSec and How Does It Work? ... E-2
IPSec Security Features ... E-2
IPSec Components ... E-2
Encapsulating Security Payload (ESP) ... E-3
Authentication Header (AH) ... E-4
IKE Security Association ... E-4
Mode ... E-5
Key Management ... E-6
Understand the Process Before You Begin ... E-6
VPN Process Overview ... E-7
Network Interfaces and Addresses ... E-7
Interface Addressing ... E-7
Firewalls ... E-8
Setting Up a VPN Tunnel Between Gateways ... E-8
VPNC IKE Security Parameters ... E-10
VPNC IKE Phase I Parameters ... E-10
VPNC IKE Phase II Parameters ... E-11
Testing and Troubleshooting ... E-11


Additional Reading ... E-11
Appendix F NETGEAR VPN Configuration
FVS318 or FVM318 to FVL328 Configuration Template ... F-1
Step-By-Step Configuration of FVS318 or FVM318 Gateway A ... F-2
Step-By-Step Configuration of FVL328 Gateway B ... F-5
Test the VPN Connection ... F-10
Appendix G FVL328 to Windows 2000 Server and SSH Sentinel VPN Configuration
Configuring FVL328 to Windows 2000 Server VPN ... G-1
Windows 2000 Server configuration ... G-1
Create an IP Security Policy called DUT To Win2K ... G-1
Create an IP Filter called To DUT ... G-3
Create an IP Filter Called To Win2K ... G-7
Configure the General Properties ... G-12
Configure the FVL328 IKE policy ... G-14
Configure the FVL328 VPN policy ... G-15
FVL328 to SSH Sentinel 1.3 Remote VPN ... G-16
Create the FVL328 IKE Policy ... G-23
Create the FVL328 VPN Policy ... G-23
Ping a PC to Bring Up the Tunnel ... G-24
Appendix H NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router
Configuration Profile ... H-1
Step-By-Step Configuration of FVL328 or FWAG114 Gateway ... H-2
Step-By-Step Configuration of the NETGEAR VPN Client B ... H-7
Testing the VPN Connection ... H-14
From the Client PC to the FVL328 ... H-14
From the FVL328 to the Client PC ... H-15
Monitoring the PC VPN Connection ... H-15
Viewing the FVL328 VPN Status and Log Information ... H-17

When the firewall successfully detects an active Internet service, the firewall's Internet LED goes on. The Setup Wizard reports which connection type it discovered and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line. The Setup Wizard will report the type of connection it finds. The options are:
Connections that require a login using protocols such as PPPoE, Telstra BigPond, or PPTP broadband Internet connections.
Connections that use dynamic IP address assignment.
Connections that use fixed IP address assignment.
The procedures for filling in the configuration menu for each type of connection follow below.


Configuring for a Wizard-Detected Login Account
If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-7:
Figure 3-7: Setup Wizard menu for PPPoE login accounts
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually. Enter the PPPoE login user name and password provided by your ISP. These fields are case sensitive. If you want to change the login timeout, enter a new value in minutes.
Note: You will no longer need to launch the ISP's login program on your computer in order to access the Internet. When you start an Internet application, the firewall will automatically log you in.
Enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router, by sharing this Router's WAN IP address. In most situations, NAT is essential for Internet access via this Router. You should only disable NAT if you are sure you do not require it. When NAT is disabled, only standard routing is performed by this Router.

Perform a DNS Lookup. A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select Use these DNS servers and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. If you enter an address here, after you finish configuring the firewall, reboot your computers so that the settings take effect.
Enter the Router's MAC Address. Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. Usually, select Use default address. If your ISP requires MAC authentication, then select either Use this Computer's MAC address to have the router use the MAC address of the computer you are now using, or Use This MAC Address to manually type in the MAC address that your ISP expects.
Click Apply to save your settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.


Configuring for a Wizard-Detected Dynamic IP Account
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 3-8 below:
Figure 3-8: Setup Wizard menu for Dynamic IP address
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually. If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select Use these DNS servers and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your computers after configuring the firewall.

The Router's MAC Address is the Ethernet MAC address that will be used by the firewall on the Internet port.
If your ISP allows access from only one specific computer's Ethernet MAC address, select Use this MAC address. The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your computer when your account is first opened. They will then only accept traffic from the MAC address of that computer. This feature allows your firewall to masquerade as that computer by using its MAC address.
Configuring for a Wizard-Detected Fixed IP (Static) Account
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the menu shown in Figure 3-9 below:
Figure 3-9: Setup Wizard menu for Fixed IP address
Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP that you recorded in Worksheet for Recording Your Internet Connection Information on page 3-3.


Enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your computers after configuring the firewall for these settings to take effect.
Click Apply to save the settings. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting.
Testing Your Internet Connection
After completing the Internet connection configuration, you can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the NETGEAR Web site does not appear within one minute, refer to Chapter 8, Troubleshooting. Your firewall is now configured to provide Internet access for your network. Your firewall automatically connects to the Internet when one of your computers requires access. It is not necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect, log in, or disconnect. These functions are performed by the firewall as needed. To access the Internet from any computer connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall's Internet LED blink, indicating communication to the ISP. The browser should begin to display a Web page. The following chapters describe how to configure the advanced features of your firewall, and how to troubleshoot problems that may occur.

Configuring Dynamic DNS

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, which will allow you to register your domain to their IP address, and will forward traffic directed to your domain to your frequently-changing IP address. The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.


How to Configure Dynamic DNS
Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever password and LAN address you have chosen for the firewall. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS. Click the radio button for the dynamic DNS service you will use. Access the Web site of the dynamic DNS service provider you chose, and register for an account. For example, for TZO.com, go to www.TZO.com. Click Apply to save your configuration.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.

Using Static Routes

Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network.

Click the Show Statistics button to display firewall usage statistics, as shown in Figure 7-2 below:

Figure 7-2: Router Statistics screen

This screen shows the following statistics:

Table 7-2: Router Statistics Fields

System up Time: The time elapsed since the last power cycle or reset.
WAN or LAN Port: The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen displays:
  Status: The link status of the port.
  TxPkts: The number of packets transmitted on this port since reset or manual clear.
  RxPkts: The number of packets received on this port since reset or manual clear.
  Collisions: The number of collisions on this port since reset or manual clear.
  Tx B/s: The current line utilization, the percentage of current bandwidth used on this port.
  Rx B/s: The average line utilization (average CLU) for this port.
  Up Time: The time elapsed since this port acquired the link.
Poll Interval: Specifies the intervals at which the statistics are updated in this window. Click Stop to freeze the display. Click Set Interval to set the polling refresh interval.

Viewing Attached Devices

The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the main menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown in Figure 7-3
Figure 7-3: Attached Devices menu
For each device, the table shows the IP address, Device Name (NetBIOS Host Name, if available), and the Ethernet MAC address.
Select the check box if you want to enable NetBIOS detection. If the NetBIOS name is not available, Unknown is listed as the Device Name. If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
Viewing, Selecting, and Saving Logged Information
The firewall logs security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tries to access a blocked site. If you enabled e-mail notification, you will receive these logs in an e-mail message. If you do not have e-mail notification enabled, you can view the logs here. An example is shown below.
Figure 7-4: Security Logs menu

Log entries are described below:

Table 7-5: Security Log entry descriptions

Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN.
Destination: The name or IP address of the destination device or Web site.
Destination port and interface: The service port number of the destination device, and whether it's on the LAN or WAN.
Log action buttons are described below:

Table 7-6: Security Log action buttons

Refresh: Click this button to refresh the log screen.
Clear Log: Click this button to clear the log entries.
Send Log: Click this button to e-mail the log immediately.
Apply: Click this button to apply any changed settings.
Cancel: Click this button to clear any changed settings.
Changing the Include in Log Settings
You can choose to log additional information. Those optional selections are as follows:
Known DoS attacks and Port Scans
Attempted access to blocked sites
All Web sites and news groups visited
All Incoming TCP/UDP/ICMP traffic
All Outgoing TCP/UDP/ICMP traffic
Other IP traffic: if selected, all other traffic (IP packets which are not TCP, UDP, or ICMP) is logged.
Router operation (start up, get time, etc.): if selected, Router operations, such as starting up and getting the time from the Internet Time Server, are logged.
Connection to the Web-based interface of this Router
Other connections and traffic to this Router: if selected, this will log traffic sent to this Router (rather than through this Router to the Internet).
Allow duplicate log entries: if selected, events or packets that fall within more than one (1) category above will have a log entry for each category in which they belong. This will generate a large number of log entries. If not selected, then events or packets will only be logged once. Usually, you should not allow duplicate log entries.
Enabling the Syslog Feature
You can choose to write the logs to a computer running a SYSLOG program. To use this feature, check the box under Syslog and enter the IP address of the server where the log file will be written. Then click Apply to activate the Syslog feature. For a detailed description of the log files, see Appendix D, Firewall Log Formats.

Networks, Routing, and Firewall Basics M-10144-01 B-1
Routing Information Protocol
One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FVL328 Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.
IP Addresses and the Internet
Because TCP/IP networks are interconnected across the world, every machine on the Internet must have a unique address to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at www.iana.org. The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points. For example, the following binary address:

11000011 00100010 00001100 00000111

is normally written as:

195.34.12.7

The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The following figure shows the three main address classes, including network and host sections of the address for each address type.

Figure: Class A, B, and C address formats, showing the network and host sections of each.

Uncheck all boxes in the LAN Internet Configuration screen and click Next. Proceed to the end of the Wizard.
Verifying TCP/IP Properties
After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:
On the Windows taskbar, click the Start button, and then click Run. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things), your IP address, subnet mask, and default gateway.
From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
The IP address is between 192.168.0.2 and 192.168.0.254
The subnet mask is 255.255.255.0
The default gateway is 192.168.0.1
Configuring Windows NT, 2000 or XP for IP Networking
Installing or Verifying Windows Networking Components
On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel. Double-click the Network and Dialup Connections icon. If an Ethernet adapter is present in your PC, you should see an entry for Local Area Connection. Double-click that entry. Select Properties.


Verify that Client for Microsoft Networks and Internet Protocol (TCP/IP) are present. If not, select Install and add them. Select Internet Protocol (TCP/IP), click Properties, and verify that Obtain an IP address automatically is selected. Click OK and close all Network and Dialup Connections windows. Make sure your PC is connected to the firewall, then reboot your PC.
To check your PC's TCP/IP configuration:
On the Windows taskbar, click the Start button, and then click Run. The Run window opens.
Type cmd and then click OK. A command window opens.
Type ipconfig /all. Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
The IP address is between 192.168.0.2 and 192.168.0.254
The subnet mask is 255.255.255.0
The default gateway is 192.168.0.1


VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
Network Interfaces and Addresses
The VPN gateway is aptly named because it functions as a gatekeeper for each of the computers connected on the Local Area Network behind it. In most cases, each Gateway will have a public facing address (WAN side) and a private facing address (LAN side). These addresses are referred to as the network interface in documentation regarding the construction of VPN communication. Please note that the addresses used in the example do not use full TCP/IP notation.
Interface Addressing
This TechNote uses example addresses provided by the VPN Consortium. It is important to understand that you will be using addresses specific to the devices that you are attempting to connect via IPSec VPN.
Figure 8-7: VPNC Example Network Interface Addressing
Gateway A: LAN 10.5.6.0/24 (LAN IP 10.5.6.1), WAN IP 14.15.16.17
Gateway B: LAN 172.23.9.0/24 (LAN IP 172.23.9.1), WAN IP 22.23.24.25
It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.
WAN (Internet/Public) and LAN (Internal/Private) Addressing
Gateway A, LAN (Private), VPNC example address: 10.5.6.1
Gateway A, WAN (Public), VPNC example address: 14.15.16.17
Gateway B, LAN (Private), VPNC example address: 172.23.9.1
Gateway B, WAN (Public), VPNC example address: 22.23.24.25
It will also be important to know the subnet mask of both gateway LAN Connections.
Gateway A, LAN (Private), interface name Subnet Mask A, example subnet mask: 255.255.255.0
Gateway B, LAN (Private), interface name Subnet Mask B, example subnet mask: 255.255.255.0
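An added example (not code from the NETGEAR manual) that applies this appendix's addressing rules with Python's standard ipaddress module: the binary form of a dotted-decimal address and its class, the private-WAN caveat from the dynamic DNS section, and the no-overlap check for the two gateway LANs. The gateway dictionaries use the manual's VPNC addresses; the function names and the misconfigured pair in the main block are this example's own assumptions.

```python
# Added example, not NETGEAR's code: addressing checks for a gateway-to-gateway
# IPSec tunnel, built on Python's standard ipaddress module.
import ipaddress

# VPNC example addressing from the manual: LAN interface with mask, WAN IP.
GATEWAY_A = {"lan": "10.5.6.1/24", "wan": "14.15.16.17"}
GATEWAY_B = {"lan": "172.23.9.1/24", "wan": "22.23.24.25"}


def dotted_to_binary(addr):
    """Write a dotted-decimal IPv4 address as four 8-bit groups."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def address_class(addr):
    """Classful address class from the leading bits of the first octet:
    0xxx -> A, 10xx -> B, 110x -> C, 1110 -> D, 1111 -> E."""
    first = ipaddress.IPv4Address(addr).packed[0]
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def classful_split(addr):
    """Network and host sections of a Class A/B/C address (8/16/24 network bits).
    Returns (network address as a string, host number as an int)."""
    prefix = {"A": 8, "B": 16, "C": 24}[address_class(addr)]
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    host = int(ipaddress.IPv4Address(addr)) & int(net.hostmask)
    return str(net.network_address), host


def wan_address_problems(wan):
    """Reasons a WAN address cannot be reached from the Internet, as a list.
    This is the manual's caveat: an ISP-assigned private address such as
    192.168.x.x or 10.x.x.x is not routed on the Internet, so neither dynamic
    DNS nor a tunnel endpoint can work on it."""
    ip = ipaddress.IPv4Address(wan)
    problems = []
    if ip.is_private:
        problems.append(f"{wan} is a private address and is not routed on the Internet")
    if ip.is_loopback or ip.is_multicast or ip.is_link_local:
        problems.append(f"{wan} is not a unicast Internet address")
    return problems


def lan_subnets_overlap(lan_a, lan_b):
    """True when the two gateways' LAN subnets overlap; the tunnel cannot
    route traffic correctly unless each side's addresses are distinct."""
    net_a = ipaddress.ip_interface(lan_a).network
    net_b = ipaddress.ip_interface(lan_b).network
    return net_a.overlaps(net_b)


def check_tunnel_addressing(gw_a, gw_b):
    """Collect every addressing issue for a gateway-to-gateway tunnel.
    An empty list means the addresses are separate and distinct."""
    issues = []
    for name, gw in (("Gateway A", gw_a), ("Gateway B", gw_b)):
        issues.extend(f"{name}: {p}" for p in wan_address_problems(gw["wan"]))
    if lan_subnets_overlap(gw_a["lan"], gw_b["lan"]):
        issues.append("LAN subnets overlap; each side's LAN must be a distinct subnet")
    return issues


if __name__ == "__main__":
    print("195.34.12.7 in binary:", dotted_to_binary("195.34.12.7"))
    for ip in ("10.5.6.1", "172.23.9.1", "195.34.12.7"):
        print(ip, "is Class", address_class(ip), "split as", classful_split(ip))
    print("VPNC example pair:", check_tunnel_addressing(GATEWAY_A, GATEWAY_B) or "OK")
    # Constructed misconfiguration (hypothetical): Gateway A sits behind an
    # ISP-assigned private WAN address and both LANs use 192.168.0.0/24.
    bad_a = {"lan": "192.168.0.1/24", "wan": "10.20.30.40"}
    bad_b = {"lan": "192.168.0.1/24", "wan": "22.23.24.25"}
    for issue in check_tunnel_addressing(bad_a, bad_b):
        print("problem:", issue)
```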
Firewalls
It is important to understand that many gateways are also firewalls. VPN tunnels cannot function properly if firewall settings disallow all incoming traffic. Please refer to the firewall instructions for both gateways to understand how to open specific protocols, ports, and addresses that you intend to allow.

Setting Up a VPN Tunnel Between Gateways
An SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls, gateways) to trust each other and communicate securely as they pass information over the Internet.


Figure 8-8: VPN Tunnel SA
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a tunnel. The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways. Each gateway must negotiate its Security Association with another gateway using the parameters and processes established by IPSec. As illustrated below, the most common method of accomplishing this process is via the Internet Key Exchange (IKE) protocol, which automates some of the negotiation procedures. Alternatively, you can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways.
Figure 8-9: IPSec SA negotiation (IKE VPN tunnel negotiation steps between two VPN gateways):
1) Communication request sent to VPN gateway
2) IKE Phase I authentication
3) IKE Phase II negotiation
4) Secure data transfer
5) IPSec tunnel termination
1. The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.

2. IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPSec keys for the SAs.

Create an IP Filter Called To Win2K
Click Add. Type To Win2K and click Add.
Select High [ESP], then click OK. Click OK to return to the Filter Action tab.
Click the Tunnel Setting tab, then type the Win2K WAN IP address.
Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual
8. Click Authentication Methods and click Edit. Select the Use this string (preshared key) check box, then type 12345678.
Click OK, then close the window to return to the DUT to Win2K properties.
Configure the General Properties
Click General.
Click Advanced.
Click Methods.
Click Edit, select Integrity Algorithm SHA1 and Encryption algorithm 3DES, DH Low. Click OK, then OK again. Close the window.
Right-click DUT to Win2K Policy and then click Assign to assign the Policy.
Configure the FVL328 IKE policy
Configure the FVL328 VPN policy
FVL328 to SSH Sentinel 1.3 Remote VPN

PC a (LAN) ---- FVL328 (LAN IP: 192.168.0.1; WAN IP: 172.16.7.119/24) ---- NAT router (supports IPSec passthrough; LAN IP: 192.168.10.1; WAN IP: 172.16.6.105/24) ---- PC b with SSH Sentinel 1.3 installed

SSH Sentinel Version 1.3 Setting Procedures
Right-click on the SSH icon and click Run Policy Editor.
Select the Key Management tab.
Click Add.
Select Create a preshared key and click Next.
Type the same preshared key as in the FVL328 and click Finish.
You will see the FVL328 under My Keys. Click Apply.
Select the Security Policy tab.
Under VPN Connections, click Add.
Click the IP button and type the Gateway IP Address. Select FVL328 for the Authentication key. Select the Use legacy proposal check box. Click the "." button to bring up the Network Editor screen.
Click New and type a Network name, the remote intranet network IP address and Subnet mask. Click OK.
Click Properties and check the VPN policy settings.
Click Settings.
Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN Finish IP Address field. Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field. Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field.
Figure I-5: NETGEAR FVS318 VPN Settings (part 2) Main Mode
Figure I-6: NETGEAR FVS318 VPN Settings After Inputting Configuration Info
9. Log in to the NETGEAR FVL328, labeled Gateway B in the illustration. Out of the box, the FVL328 is set to its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address to 172.23.9.1 for Gateway B.
Click IKE Policies link under the VPN category and click Add on the IKE Policies Menu.
Figure I-7: NETGEAR FVL328 IKE Policy Configuration Part 1
Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the IKE policies. In our example we have used FVS318 as the Policy Name. In the Policy Name field type FVS318. From the Direction/Type drop-down box, select Both Directions. From the Exchange Mode drop-down box, select Main Mode. From the Local Identity drop-down box, select WAN IP Address (WAN IP address will automatically be populated into the Local Identity Data field after policy is applied). From the Remote Identity drop-down box, select Fully Qualified Domain Name. Type the FQDN (netgear.dnydns.org in our example) in the Remote Identity Data field.
Figure I-8: NETGEAR FVL328 IKE Policy Configuration Part 2
Click Apply. This will bring you back to the IKE Policies Menu.
Figure I-9: NETGEAR FVL328 IKE Policies (Post Configuration)
Click the VPN Policies link under the VPN category on the left side of the Settings management GUI. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN Auto Policy.
Figure I-10: NETGEAR FVL328 VPN Auto Policy (part 1)
Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name. In the Policy Name field type to318. From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step (the FVS318 IKE Policy). From the Remote VPN Endpoint Address Type drop-down box, select IP Address. Type the WAN IP Address of Gateway A (14.15.16.17 in our example) in the Remote VPN Endpoint Address Data field. Type 300 in the SA Life Time (Seconds) field. Type 0 in the SA Life Time (Kbytes) field. Check the IPSec PFS check box. From the PFS Key Group drop-down box, select Group 2 (1024 Bit). From the Traffic Selector Local IP drop-down box, select Subnet address. Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Start IP Address field. Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Finish IP Address field. Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field.

Technical specifications

Full description

Drive down the total cost of your network with NETGEAR's FVL328 ProSafe High-Speed VPN Firewall. For little more than the price of a typical NAT router, you get a completely equipped high-performance, broadband-capable Virtual Private Network (VPN) firewall. A low cost device that's high on security, this true firewall provides Denial of Service (DoS) protection and Intrusion Detection using Stateful Packet Inspection (SPI), URL access and content filtering, logging, reporting, and real-time alerts. It initiates up to 100 IPSec VPN tunnels simultaneously, reducing your operating costs and maximizing the security of your network. With 8 auto-sensing, Auto Uplink switched LAN ports and Network Address Translation (NAT) routing, up to 253 users can access your broadband connection at the same time.

General
Device Type: Router
Enclosure Type: Desktop
Connectivity Technology: Wired
Data Link Protocol: Ethernet, Fast Ethernet
Data Transfer Rate: 100 Mbps
Network / Transport Protocol: TCP/IP, PPTP, UDP/IP, ICMP/IP, IPSec, PPPoE
Routing Protocol: RIP-1, RIP-2, static IP routing
Remote Management Protocol: HTTP
Encryption Algorithm: DES, Triple DES, RSA, MD5, IKE, SSL, DSS, SHA-1
Authentication Method: X.509 certificates
Features: Firewall protection, DMZ port, DHCP support, NAT support, VPN support, auto-uplink (auto MDI/MDI-X), Stateful Packet Inspection (SPI), DoS attack prevention, manageable
Processor: 1 x MIPS 150 MHz
RAM: 16 MB
Flash Memory: 2 MB
Expansion / Connectivity
Interfaces: LAN: 8 x 10Base-T/100Base-TX - RJ-45; 1 x 10Base-T/100Base-TX - RJ-45
Power
Power Device: Power adapter - external
Miscellaneous
Width: 10 in
Depth: 7 in
Height: 1.6 in
Weight: 2.6 lbs
Cables Included: 1 x network cable
Software / System Requirements
Software Included: Drivers & Utilities, Freedom Anti-Virus
Manufacturer Warranty
Service & Support: 3 years warranty
Service & Support Details: Limited warranty - 3 years
Environmental Parameters
Min Operating Temperature: 32 °F
Max Operating Temperature: 104 °F
Humidity Range Operating: 0 - 90%
Universal Product Identifiers
Brand: NETGEAR
Part Numbers: FVL328, FVL328NA