User manual NETGEAR FVS336G

[. . . ] ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA October 2007 202-10257-01 v1. 0 © 2007 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. [. . . ] From your PC, right-click on the VPN client icon in your Windows toolbar and choose Connect. . . , then My Connections\to_FVG. Within 30 seconds you should receive the message "Successfully connected to My Connections\to_FVG" and the VPN client icon in the toolbar should say On: Virtual Private Networking Using IPsec v1. 0, October 2007 5-19 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 2. For additional status and troubleshooting information, right-click on the VPN client icon Logs and Connection Status screens in the FVS336G. Manually Assigning IP Addresses to Remote Users (ModeConfig) To simply the process of connecting remote VPN clients to the FVS336G, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the VPN firewall. Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network. In the following example, we configured the VPN firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses. · NETGEAR FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN ­ ­ · WAN IP address: 172. 21. 4. 1 LAN IP address/subnet: 192. 168. 2. 1/255. 255. 255. 0 NETGEAR ProSafe VPN Client software IP address: 192. 168. 1. 2 Mode Config Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode Config module will allocate an IP address from the configured IP address pool and will activate a temporary IPsec policy using the template security proposal information configured in the Mode Config record. Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly-created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited. Configuring the VPN Firewall Two menus must be configured--the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 5-20 v1. 0, October 2007 Virtual Private Networking Using IPsec ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 1. The Mode Config tab is displayed. . Figure 5-12 4. The Add Mode Config Record screen is displayed. Figure 5-13 5. Enter a descriptive Record Name such as "Sales". Virtual Private Networking Using IPsec v1. 0, October 2007 5-21 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 6. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients. Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172. 20. xx. xx. If you have a WINS Server on your local network, enter its IP address. Enter one or two DNS Server IP addresses to be used by remote VPN clients. If you enable Perfect Forward Secrecy (PFS), choose DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client, 10. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your VPN firewall's LAN subnet, such as 192. 168. 2. 1/255. 255. 255. 0. [. . . ] If the IP address is fixed, a fully-qualified domain name is optional. VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability In the case of the dual WAN ports on the gateway VPN firewall (Figure C-18), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. Figure C-18 C-18 v1. 0, October 2007 Network Planning for Dual WAN Ports ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i. e. , the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port (Figure C-19), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel. [. . . ]