when you set up a vpn, it is helpful to plan the network configuration and record the configuration parameters on a worksheet. these topics are discussed below, and blank worksheets are provided at the end of this chapter on page 5-22.
to set up a vpn connection, you must configure each endpoint with specific identification and connection information describing the other endpoint. this set of configuration information defines a security association (sa) between the two points. when planning your vpn, you must make a few choices first:
1 will the remote end be a network or a single pc?
2 at least one side must have a fixed ip address. if one side has a dynamic ip address, that side must always be the initiator of the connection, because the other side has no stable address to send to.
3 will you use the typical automated internet key exchange (ike) setup, or a manual keying setup in which you must specify each phase of the connection? ike is an automated method for establishing an sa.
4 for the wan connection, what level of ipsec vpn encryption will you use: 56-bit des, 168-bit 3des, or aes (128, 192, or 256 bit)? longer keys are more secure, but throughput will be lower if the other endpoint encrypts in software rather than with the hardware-based encryption in the fvm318 firewall.
1 des - the data encryption standard (des) encrypts 64-bit blocks with a 56-bit key. it is the fastest option, but a 56-bit key can be recovered by brute force with modest hardware, so use des only when the other endpoint supports nothing stronger.
2 3des - (triple des) encrypts each block three times with des using three different, unrelated keys (168 bits of key in total; the effective strength is about 112 bits because of meet-in-the-middle attacks).
3 aes - 128, 192, or 256. the strongest choice. the advanced encryption standard is a symmetric iterated block cipher with a 128-bit block and a key length of 128, 192 or 256 bits (the underlying rijndael design also allows other block sizes, but the aes standard fixes the block at 128 bits). nist selected it in october 2000 to replace des and published it as fips 197 in november 2001. prefer aes-128 or stronger whenever both endpoints support it.
5 for the wireless lan connection, what level of ipsec vpn encryption will you use: 56-bit des, 168-bit 3des, or aes (128, 192, or 256 bit)? the same trade-off applies: longer keys are more secure, but throughput will be lower if the other endpoint encrypts in software rather than with the hardware-based encryption in the fvm318 firewall. for instructions on configuring wireless vpn connections, please see “configuring ipsec wireless connections” on page 3-12.
procedure 5-1: configuring a network to network vpn tunnel
follow this procedure to configure a vpn tunnel between two lans, with an fvm318 at each end.

figure 5-2: lan to lan vpn access from an fvm318 to an fvm318
the sample configuration worksheet below is filled in with the parameters used in this procedure. a blank worksheet is provided on page 5-22.
network to network vpn tunnel configuration worksheet

1.set up the two lans to have different ip address ranges.
this procedure uses the settings in the configuration worksheet above. to configure your network, print and fill out the blank “network to network ike vpn tunnel configuration worksheet” on page 5-22 for your network configuration. then follow the procedures below.
a.log in to the fvm318 on lan a at its default lan address of http://192.168.0.1 with its default user name of admin and password of password. (change this default password before the firewall's wan port is reachable from the internet.) click the lan ip setup link in the advanced section of the main menu to display the lan tcp/ip setup menu shown below.

b.for this example, configure the fvm318 settings on lans a and b as follows:
network configuration settings

if port forwarding, trusted user, or static routes are set up, you will also need to change those configurations to match the 192.168.3.x network.
c.click apply. because you changed the firewall’s ip address, you are now disconnected.
d.reboot all pcs on network a so that they obtain addresses in the new 192.168.3.x range.
2.configure the vpn settings on each fvm318.
a.from setup section of the main menu of the fvm318, click the vpn settings link. click add. the vpn settings - main mode window opens as shown below:

b.fill in the connection name vpn settings as illustrated.
1 the connection names of lans a and b can be the same: vpnab
2 local ipsec identifier name in the fvm318 on lan a: lan_a
this ipsec name must not be used in any other sa in this vpn network.
3 local ipsec identifier in the fvm318 on lan b: lan_b
4 remote ipsec identifier in the fvm318 on lan a: lan_b
5 remote ipsec identifier in the fvm318 on lan b: lan_a
6 remote lan ip address in the fvm318 on lan a: 192.168.0.1, and remote subnet mask in the fvm318 on lan a: 255.255.255.0. this is the lan ip address of the fvm318 on lan b.
with these settings the tunnel can reach any device on lan b. alternatively, you can specify the ip address of a single device on lan b and a subnet mask of 255.255.255.255, which limits the tunnel to just that device.
7 remote lan ip address in the fvm318 on lan b: 192.168.3.1, and remote subnet mask in the fvm318 on lan b: 255.255.255.0. this is the lan ip address of the fvm318 on lan a.
8 remote wan ip address in the fvm318 on lan a: 10.0.0.1. this is the wan ip address of the fvm318 on lan b.
you can look up the wan ip address of the fvm318 on lan b by viewing its wan status screen: when the fvm318 on lan b is connected to the internet, log in and click the router status link in its maintenance menu. if the wan port dhcp field says “dhcp client” or “pppoe,” the address is dynamic. for a dynamic address, enter 0.0.0.0 as the remote wan ip address in the configuration screen of the fvm318 on lan a.
only one side may have a dynamic ip address, and that side must initiate the connection.
9 remote wan ip address in the fvm318 on lan b: 24.0.0.1. this is the wan ip address of the fvm318 on lan a.
c.under secure association, select main mode and fill in the settings below.
the ike settings at both endpoints of the vpn tunnel must match exactly. enter the following settings in each fvm318:
1 enable perfect forward secrecy.
2 for encryption protocol, select des. (this example uses des because every ipsec peer supports it; its 56-bit key is brute-forceable, so select 3des or aes whenever the other endpoint offers them.)
3 enter the preshared key. in this example, enter r]t(h4&3@#kb as the preshared key. with ike, a preshared key that you make up is used for mutual authentication of the two endpoints. the key must be between 8 and 80 characters and is case sensitive. a mix of letters, numbers and symbols such as r]t(h4&3@#kb is much harder to guess than a word; do not reuse the example key on a real tunnel.
4 key life - default is 3600 seconds (1 hour)
5 ike life time - default is 28800 seconds (8 hours). a shorter time increases security, but users will be temporarily disconnected upon renegotiation.
d.if you need to run microsoft networking functions such as network neighborhood, click the netbios enable check box to allow netbios traffic over the vpn tunnel.
e.click apply to save the security association tunnel settings into the table.
3.check the vpn connection
to check the vpn connection, you can initiate a request from one network to the other. if one fvm318 has a dynamically assigned wan ip address, you must initiate the request from that fvm318’s network. the simplest method is to ping the lan ip address of the other fvm318.
a.using our example, from a pc attached to the fvm318 on lan a, on the windows taskbar click the start button, and then click run.
b.type ping -t 192.168.0.1, and then click ok.

figure 5-5: running a ping test from windows
c.this sends a continuous ping to the fvm318 on lan b. after anywhere from several seconds to two minutes, while the two firewalls negotiate the tunnel, the ping response should change from “request timed out” to “reply.”

at this point the connection is established. from now on, whenever a pc on one lan needs to access an ip address on the other lan (from the dynamically addressed side, if there is one), the firewalls will bring the tunnel up automatically.
procedure 5-2: configuring a remote pc to network vpn
this procedure describes linking a remote pc and a lan. the lan will connect to the internet using an fvm318 with a fixed ip address. the pc can be connected to the internet through dialup, cable or dsl modem, or other means, and we will assume it has a dynamically assigned ip address. the pc must have a vpn client program that supports ipsec. netgear recommends and supports the safenet softremote (or soft-pk) secure vpn client for windows, version 5 or later. the safenet vpn client can be purchased from safenet at http://www.safenet-inc.com.
if your situation is different, for example, if you wish to use different vpn client software, please see http://www.netgear.com/docs for additional vpn configuration information.

the sample configuration worksheet below is filled in with the parameters used in the procedure below. a blank worksheet is on page 5-23.
pc to network vpn tunnel configuration worksheet

1.configure the vpn tunnel on the fvm318 on lan a.
to configure the firewall, follow these steps:
a.from the setup menu, click the vpn settings link, then click add to configure a new vpn tunnel. the vpn settings - ike window opens as shown below:

b.fill in the connection name vpn settings as illustrated.
1 connection name: vpnlanpc
2 local ipsec identifier: lanapcipsec
this ipsec name must not be used in any other sa in this vpn network.
3 remote ipsec identifier: pcipsec
4 remote lan ip address: 192.168.100.2
since the remote network is a single pc whose ip address is unknown (we assume it is assigned dynamically), we choose an arbitrary “fixed virtual” ip address to identify this connection. the same address must be entered in the vpn client configuration. see “configure the vpn client identity” on page 5-14.
5 remote subnet mask: 255.255.255.255 since this is a single pc.
6 remote wan ip address: 0.0.0.0 since the remote pc has a dynamically assigned ip address.
only one side can have a dynamic ip address, and that side must always initiate the connection.
c.under secure association, select main mode and fill in the settings below.
1 enable perfect forward secrecy.
2 for encryption protocol, select des. (as in procedure 5-1, des is the lowest common denominator; choose 3des or aes if the client supports it.)
3 enter the case sensitive preshared key: r]t(h4&3@#kb
this combination of letters, numbers and symbols provides greater security than a plain word. use your own key rather than this example, and a different key for each tunnel.
4 key life - default is 3600 seconds (1 hour)
5 ike life time - default is 28800 seconds (8 hours). a shorter time increases security, but users will be temporarily disconnected upon renegotiation.
d.if you need to run microsoft networking functions such as network neighborhood, click the netbios enable check box to allow netbios traffic over the vpn tunnel.
e.click apply to save the security association tunnel settings into the table.
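before typing the worksheet values into either firewall, it is worth cross-checking the two sides against the planning rules stated at the start of this chapter and in procedures 5-1 and 5-2: distinct lan ranges, mirrored ipsec identifiers, identical ike settings on both ends, at most one dynamic wan address (entered as 0.0.0.0 by the other side, which then must wait for that side to initiate), and an 8-80 character preshared key. the script below is an added example and is not part of the netgear manual or the fvm318 firmware. its field names are its own assumptions; the addresses and identifiers are the manual's sample values, except that it selects aes-128 in place of the manual's des.

```python
"""Worksheet cross-check for the FVM318 IKE tunnels in procedures 5-1 and 5-2.

Added example, not part of the manual. Field names are this script's own
assumptions; the values are the manual's sample ones, with AES in place of DES.
"""
import ipaddress
import secrets
import string

DYNAMIC = "0.0.0.0"          # FVM318 convention for "the peer's WAN address is dynamic"
IKE_FIELDS = ("encryption", "pfs", "psk", "key_life", "ike_life")
PSK = "r]t(h4&3@#kb"         # the manual's example key; generate your own for a real tunnel


def side(local_id, remote_id, local_lan, remote_lan, local_wan, remote_wan,
         encryption="aes-128", pfs=True, psk=PSK, key_life=3600, ike_life=28800):
    """One endpoint's worksheet (its own 'local' view of the tunnel) as a dict."""
    return dict(local_id=local_id, remote_id=remote_id, local_lan=local_lan,
                remote_lan=remote_lan, local_wan=local_wan, remote_wan=remote_wan,
                encryption=encryption, pfs=pfs, psk=psk, key_life=key_life,
                ike_life=ike_life)


# Procedure 5-1: LAN A is 192.168.3.0/24 behind 24.0.0.1, LAN B is 192.168.0.0/24 behind 10.0.0.1.
LAN_A = side("lan_a", "lan_b", "192.168.3.0/24", "192.168.0.0/24", "24.0.0.1", "10.0.0.1")
LAN_B = side("lan_b", "lan_a", "192.168.0.0/24", "192.168.3.0/24", "10.0.0.1", "24.0.0.1")

# Procedure 5-2: a dynamically addressed PC using the "fixed virtual" address 192.168.100.2.
FW = side("lanapcipsec", "pcipsec", "192.168.3.0/24", "192.168.100.2/32", "24.0.0.1", DYNAMIC)
PC = side("pcipsec", "lanapcipsec", "192.168.100.2/32", "192.168.3.0/24", None, "24.0.0.1")


def psk_problems(psk):
    """Length and character-class rules for the preshared key (8-80 chars, mixed classes)."""
    out = []
    if not 8 <= len(psk) <= 80:
        out.append(f"preshared key length {len(psk)} is outside 8..80")
    classes = (any(c.isalpha() for c in psk), any(c.isdigit() for c in psk),
               any(c in string.punctuation for c in psk))
    if not all(classes):
        out.append("preshared key should mix letters, digits and symbols")
    return out


def generate_psk(length=32):
    """Random key from the OS CSPRNG that satisfies psk_problems()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not psk_problems(psk):
            return psk


def check_pair(a, b):
    """Return the list of mismatches between two endpoints' worksheets ([] means consistent)."""
    problems = []
    net_a, net_b = ipaddress.ip_network(a["local_lan"]), ipaddress.ip_network(b["local_lan"])
    if net_a.overlaps(net_b):
        problems.append(f"LAN ranges overlap: {net_a} and {net_b}")
    if a["local_id"] == b["local_id"]:
        problems.append("both ends use the same local IPsec identifier")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["remote_id"] != peer["local_id"]:
            problems.append(f"{name}: remote identifier {me['remote_id']!r} is not the peer's local identifier")
        if ipaddress.ip_network(me["remote_lan"]) != ipaddress.ip_network(peer["local_lan"]):
            problems.append(f"{name}: remote LAN {me['remote_lan']} is not the peer's LAN")
        if me["remote_wan"] != DYNAMIC and me["remote_wan"] != peer["local_wan"]:
            problems.append(f"{name}: remote WAN {me['remote_wan']} is not the peer's WAN address")
    if a["remote_wan"] == DYNAMIC and b["remote_wan"] == DYNAMIC:
        problems.append("only one side may have a dynamic WAN address")
    for field in IKE_FIELDS:          # IKE settings must match exactly on both ends
        if a[field] != b[field]:
            problems.append(f"IKE setting {field!r} differs: {a[field]!r} vs {b[field]!r}")
    problems += psk_problems(a["psk"])
    if a["encryption"] == "des":
        problems.append("DES has a 56-bit key and is brute-forceable; choose 3DES or AES")
    return problems


def initiator(a, b):
    """Which side must bring the tunnel up: the one whose WAN address the peer entered as 0.0.0.0."""
    if a["remote_wan"] == DYNAMIC:
        return "B"
    if b["remote_wan"] == DYNAMIC:
        return "A"
    return "either"


if __name__ == "__main__":
    for label, x, y in (("5-1 LAN A / LAN B", LAN_A, LAN_B), ("5-2 FW / PC", FW, PC)):
        print(label, "->", check_pair(x, y) or "consistent", "; initiator:", initiator(x, y))
    print("fresh preshared key:", generate_psk())
```

run it before configuring the firewalls; an empty problem list means the two worksheets describe the same security association, and the initiator result tells you which side's pc must send the first packet in the "check the vpn connection" step.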
2.install and configure the safenet vpn client software on the pc.
before installing the safenet softremote basic vpn client software, be sure to turn off any virus protection or firewall software you may be running on your pc, and turn it back on as soon as the installation is complete.
a.install the safenet secure vpn client.
1 you may need to insert your windows cd to complete the installation.
2 if you do not have a modem or dial-up adapter installed in your pc, you may see the warning message stating “the safenet vpn component requires at least one dial-up adapter be installed.” you can disregard this message.
3 install the ipsec component. you may have the option to install either or both of the vpn adapter or the ipsec component. the vpn adapter is not necessary.
reboot your pc after installing the client software.

b.add a new connection
1 run the safenet security policy editor program and, using the “pc to network vpn tunnel configuration worksheet” on page 5-9, create a vpn connection.
2 from the edit menu of the security policy editor, click add, then connection. a “new connection” listing appears in the list of policies. rename the “new connection” so that it matches the connection name you entered in the vpn settings of the fvm318 on lan a. in this example, it would be vpnlanpc.
3 select secure in the connection security box.
4 select ip subnet in the id type menu.
5 in this example, type 192.168.3.0 in the subnet field as the network address of the fvm318's lan. with the 255.255.255.0 mask used here, the network address is the lan ip address of the fvm318 with 0 as the last number.
6 enter 255.255.255.0 in the mask field as the lan subnet mask of the fvm318.
7 select all in the protocol menu to allow all traffic through the vpn tunnel.
8 check the connect using secure gateway tunnel checkbox.
9 select ip address in the id type menu below the checkbox.
10 enter the public wan ip address of the fvm318 in the field directly below the id type menu. in this example, 24.0.0.1 would be used.
c.configure the security policy in the safenet vpn client software.
1 in the network security policy list, expand the new connection by double clicking its name or clicking on the “+” symbol. my identity and security policy subheadings appear below the connection name.
2 click on the security policy subheading to show the security policy menu.

1 select main mode in the select phase 1 negotiation mode box.
2 check the enable perfect forward secrecy (pfs) checkbox.
3 select diffie-hellman group 1 for the pfs key group. (group 1 is the 768-bit modp group, the weakest ike defines; select a larger group if both the fvm318 and the client offer one.)
4 check the enable replay detection checkbox.
d.configure the global policy settings.

1 from the options menu at the top of the security policy editor window, select global policy settings.
2 increase the retransmit interval period to 45 seconds.
3 check the allow to specify internal network address checkbox and click ok.
e.configure the vpn client identity
in this step, you will provide information about the remote vpn client pc. you will need to provide:
1 the preshared key that you configured in the fvm318.
2 either a fixed ip address or a “fixed virtual” ip address of the vpn client pc.
in the network security policy list on the left side of the security policy editor window, click on my identity.

1 choose none in the select certificate menu.
2 select ip address in the id type menu. if you are using a virtual fixed ip address, enter this address in the internal network ip address box; otherwise, leave it empty. use 192.168.100.2 for this example.
3 in the internet interface box, select the adapter you use to access the internet: select ppp adapter in the name menu if you have a dial-up internet account, or your ethernet adapter if you have a dedicated cable or dsl line. you may also choose any if you will be switching between adapters or if you have only one adapter.
4 click the pre-shared key button. in the pre-shared key dialog box, click the enter key button. enter the fvm318's pre-shared key and click ok. in this example, r]t(h4&3@#kb would be entered. note that this field is case sensitive.
f.configure the vpn client authentication proposal.
in this step, you will provide the type of encryption (des or 3des) to be used for this connection. this selection must match your selection in the fvm318 configuration.
1 in the network security policy list on the left side of the security policy editor window, expand the security policy heading by double clicking its name or clicking on the “+” symbol.
2 expand the authentication subheading by double clicking its name or clicking on the “+” symbol. then select proposal 1 below authentication.
3 in the authentication method menu, select pre-shared key.
4 in the encrypt alg menu, select the type of encryption to correspond with what you configured for the encryption protocol in the fvm318 in “configuring a remote pc to network vpn“ on page 5-8. in this example, use des.
5 in the hash alg menu, select md5.
6 in the sa life menu, select unspecified.
7 in the key group menu, select diffie-hellman group 1.
g.configure the vpn client key exchange proposal.
in this step, you will provide the type of encryption (des or 3des) to be used for this connection. this selection must match your selection in the fvm318 configuration.
1 expand the key exchange subheading by double clicking its name or clicking on the “+” symbol. then select proposal 1 below key exchange.
2 in the sa life menu, select unspecified.
3 in the compression menu, select none.
4 check the encapsulation protocol (esp) checkbox.
5 in the encrypt alg menu, select the type of encryption to correspond with what you configured for the encryption protocol in the fvm318 in “configuring a remote pc to network vpn“ on page 5-8. in this example, use des.
6 in the hash alg menu, select md5.
7 in the encapsulation menu, select tunnel.
8 leave the authentication protocol (ah) checkbox unchecked.
h.save the vpn client settings.
from the file menu at the top of the security policy editor window, select save changes.
after you have configured and saved the vpn client information, your pc will automatically open the vpn connection when you attempt to access any ip addresses in
3.check the vpn connection.
to check the vpn connection, you can initiate a request from the remote pc to the fvm318’s network. since the remote pc has a dynamically assigned wan ip address, it must initiate the request. the simplest method is to ping from the remote pc to the lan ip address of the fvm318. using our example, start from the remote pc:
a.establish an internet connection from the pc.
b.on the windows taskbar, click the start button, and then click run.
c.type ping -t 192.168.3.1, and then click ok.

this sends a continuous ping to the fvm318 on lan a. after anywhere from several seconds to two minutes, while the tunnel is negotiated, the ping response should change from “request timed out” to “reply.”

once the connection is established, you can open the browser of the remote pc and enter the lan ip address of the remote fvm318. after a short wait, you should see the login screen of the firewall.
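the “check the vpn connection” step in procedures 5-1 and 5-2 asks you to watch a continuous ping by eye until “request timed out” turns into “reply.” the script below automates that check: it pings the far-side lan address once a second and reports when the first reply arrives or gives up after the two-minute window the text describes. it is an added example, not part of the manual or the safenet client. the output classification is separated from the ping call so it can be exercised on constructed ping lines, and the default target 192.168.0.1 is the manual's sample lan address for the fvm318 on lan b (pass a different address on the command line for the pc-to-network case).

```python
"""Automated version of the manual's `ping -t` tunnel check.

Added example, not from the manual. It works on Windows and POSIX ping output.
"""
import subprocess
import sys
import time


def classify(line):
    """'reply' for a real echo reply, 'noreply' for a timeout or unreachable line, else None.

    A Windows "Reply from x: Destination host unreachable." line carries no TTL, so
    keying on 'ttl=' keeps it out of the reply class.
    """
    text = line.lower()
    if "ttl=" in text:
        return "reply"
    if "timed out" in text or "unreachable" in text or "100% packet loss" in text:
        return "noreply"
    return None


def single_ping(host):
    """Send one echo request with a 1 s wait and return ping's stdout lines."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", "1000", host]
    else:
        cmd = ["ping", "-c", "1", "-W", "1", host]
    done = subprocess.run(cmd, capture_output=True, text=True)
    return done.stdout.splitlines()


def wait_for_tunnel(host, deadline_s=120, ping=single_ping,
                    clock=time.monotonic, sleep=time.sleep):
    """Ping until a reply arrives or the deadline passes.

    Returns (tunnel_up, seconds_waited, attempts). ping, clock and sleep are
    injectable so the loop can be exercised without a network.
    """
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        if any(classify(out) == "reply" for out in ping(host)):
            return True, clock() - start, attempts
        if clock() - start >= deadline_s:
            return False, clock() - start, attempts
        sleep(1)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    up, waited, n = wait_for_tunnel(target)
    print(f"{'tunnel up' if up else 'no reply'} after {n} pings ({waited:.0f} s)")
    sys.exit(0 if up else 1)
```

run it from a pc on the side that is allowed to initiate (the dynamically addressed side, if there is one); a non-zero exit status after the deadline usually means the ike settings or the preshared key do not match on the two ends.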