Reference Manual for the NETGEAR ProSafe VPN Client NETGEAR, Inc.
Regulatory Approvals FCC Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
© 2003 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Contents

Chapter 1 About This Manual
   Audience, Versions, Conventions (1-1)
   How to Use this Manual (1-2)
   How to Print this Manual (1-3)

Chapter 2 Introduction
   What's Included?

Chapter 5 Using the Security Policy Editor
   What is the Security Policy Editor? (5-1)
   Basic Steps to Configure a Security Policy (5-1)
   How to Secure All Connections (5-2)
   How to Configure Global Policy Settings
   Import a Security Policy (5-28)
   Reload the Security Policy (5-28)
   Deactivate the Security Policy (5-29)
   Reactivate the Security Policy

Chapter 6 Using the Certificate Manager
   Export a CA Certificate (6-19)
   Delete a Certificate (6-20)
   RA Certificates (6-21)
   Personal Certificates

   Configure Global Policy Settings (9-4)
   Network Address Translation (NAT) (9-6)
   Connection Monitor (9-7)
   Manual keys

Appendix B
   IKE Security Association (B-4)
   Mode (B-5)
   Key Management (B-6)
   Understand the Process Before You Begin (B-6)
   VPN Process Overview

Appendix D
   Viewing the FVL328 VPN Status and Log Information (D-19)

Glossary
   Numeric (G-1)
   A (G-1)
   C
Chapter 1 About This Manual
Thank you for purchasing the NETGEAR ProSafe VPN Client. This chapter describes the target audience, versions, conventions, and features of this manual.

Audience, Versions, Conventions
This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, tutorial information on basic computer networking, Internet, and firewall technologies is provided in the Appendices and on the NETGEAR Web site.
Chapter 2 Introduction This chapter describes the features of the NETGEAR ProSafe VPN Client. The NETGEAR ProSafe VPN Client is a remote access and end-point security product that secures communications over the Internet and other public networks to create a virtual private network (VPN) between users. The NETGEAR VPN Client secures data communications sent from a desktop or portable computer across a public or private TCP/IP network.
What's in the Box?
The product package should contain the following items:
• NETGEAR ProSafe VPN Client Resource CD (230-10007-01), including:
   — This manual
   — Application Notes, Tools, and other helpful information
• Warranty and support information card
Chapter 3 Installation This chapter describes how to install your NETGEAR ProSafe VPN Client. What You Need Before You Begin You need to verify that your computer meets the minimum system requirements.
Installing
Use the procedure below to install the NETGEAR ProSafe VPN Client.
1. If you're installing this product on Windows NT or Windows 2000 or XP, log on as administrator or its equivalent.
2. Run the setup.exe file on the installation CD-ROM or in the installation package.
3. Work through the installation wizard. Unless otherwise instructed, accept the defaults.

Upgrading
To upgrade to this version of the NETGEAR ProSafe VPN Client, take these steps:
2. Uninstall the current version on your computer through the Control Panel Add/Remove Programs application:
   a. In the uninstall wizard, on the Maintenance dialog box, click Remove. This removes all the client product's components, but not your security policy.
   b. When prompted to remove all installed components, click Yes. Note: This does not remove the IPSec security policy, certificates, or private keys.
   c. When prompted to remove the IPSec security policy, which includes certificates and private keys, in most cases, click No. You can import this policy after you reinstall this client version or upgrade to a newer client version; this can save a lot of time. If the computer is leaving your control, click Yes instead, so that the private keys are not left on it.

Table 3-1. Icon Explanation
• The Windows operating system did not start the IREIKE service properly. To start this service, restart your computer. If this icon continues to display, you may need to reinstall the client.
• Your security policy is deactivated, that is, disabled. To reactivate it, go to Reactivate the Security Policy.
• Your computer is ready to establish connections or transmit data.
Chapter 4 Configuring L2TP Connections
This chapter describes how to configure L2TP VPN connections using the NETGEAR ProSafe VPN Client.

Basic Steps
The client supports Layer 2 Tunneling Protocol (L2TP) connections through a virtual adapter: the SafeNet VPN Adapter. The specific steps required vary with the Windows operating system installed on your computer.
   d. Note: If this is the first dial-up connection for your computer, the Welcome to Dial-Up Networking page opens instead. Follow the prompts to start the Make New Connection wizard.
   e. In the Type a name for the computer you are using box, type the name for the connection.
   f. In the Select a device box, click SafeNet_VPN x Adapter, where x is the number of the VPN adapter.
   g. Click Next.
6. In the Phone number box, type the IP address of the remote party's LNS.
7. In the Dial using box, click SafeNet_VPN x Adapter, where x is the number of the VPN adapter.
8. Click the Server tab.
9. Click OK.

For Windows 2000
1. On the Windows desktop, click Start>Settings>Network and Dial-up Connections. The Network and Dial-up Connections window opens.
2. Double-click Make New Connection. The Network Connection Wizard opens.
8. a. Ask your network administrator which option to select, and then click that option.
   b. Click Next.
On the Completing the Network Connection Wizard page, take these steps:
   a. Type the name for this connection; the default is Virtual Private Connection.
   b. Click Finish.

For Windows XP
1. On the Windows desktop, click Start>Settings>Network Connections. The Network Connections window opens.
2. Double-click Make New Connection.
How to Configure a Security Policy
1. In the Security Policy Editor, in the Network Security Policy list, click the specific secure connection.
2. In the Remote Party Identity and Addressing group, configure the remote party's information. Note: When configuring security for L2TP, the remote party is the L2TP network server (LNS).
• One for the physical dial-up connection
Therefore, you must add another dial-up connection through Windows. The specific steps required to add a second dial-up connection differ among the various Windows operating systems. This is the general procedure:
1. On your computer, in Windows help, look up network adapters, network connections, or add a connection.
2. In Control Panel, open the Network or Network and Dial-up Connections application.
Chapter 5 Using the Security Policy Editor This chapter describes how to use the Security Policy Editor of the NETGEAR VPN Client. What is the Security Policy Editor? The Security Policy Editor is the client module in which you (or your network security administrator) create, import, and export security policies. Only one security policy is in effect at any time.
Table 5-1.
4. Configure My Identity for this connection.
5. Exit the Security Policy Editor.

How to Configure Global Policy Settings
Global policy settings are program preferences that apply to all secure IP communications. You can change these at any time to match your security policy.
1. In the Security Policy Editor, click Options, and then click Global Policy Settings. The Global Policy Settings dialog box opens.

• The maximum size for the isakmp.log file is 100 KB. When the client computer, the client, and the IKE service restart and the isakmp.log file is larger than 100 KB, the file is deleted and a new one is created.
• On computers running Windows 95 and 98, when the isakmp.log file size exceeds 64 KB, Notepad prompts the user to try WordPad instead because of the file's size.

4. In the Connection Security group, click a security level:
   • Secure secures communications for this connection.
   • Non-secure, the default, allows communications for this connection to pass through unsecured, that is, not encrypted.
   • Block prohibits all communications for this connection from passing through.
   If you selected Non-secure or Block in the Connection Security group, the Internet Interface group is available.

2. In the Network Security Policy list, if the My Connections folder does not appear, click Options, point to Secure, and then click Specified Connections.
3. Click the Add Connection button (or Edit>Add Connection). A highlighted New Connection entry displays in the Network Security Policy list.
4. Rename the new connection.
5. In the Connection Security group, take these steps:
   a. Click the security level:
      • Secure secures communications for this connection.

   ID Type              What to enter
   IP Subnet            Subnet address and mask
   IP Address Range     First and last IP addresses for the range
   Distinguished Name   IP address. To edit a distinguished name, go to Edit a Distinguished Name.
   Any (default)        IP address. To create a generic security policy for multiple users, select Any.
7. In the Protocol box, click the protocol for the remote party to use to connect with you. The default, All, secures all protocol ports.
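The selector matching that the Remote Party Identity and Addressing steps above describe, as an added example in Python; this is not code from NETGEAR or from the SafeNet client. It evaluates the ID types from the table (IP Address, IP Subnet, IP Address Range, the address carried by a Distinguished Name entry, and Any) together with the Protocol and Port settings against a peer address, then walks a policy's connections in list order and returns the first entry that applies, which is why the order of entries matters. The `RemoteParty`, `Connection` and `select_connection` names, and the sample policy and addresses, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not NETGEAR/SafeNet code. Models the Remote Party Identity
# and Addressing selectors and the first-match walk over the connection list.

@dataclass(frozen=True)
class RemoteParty:
    id_type: str                 # "Any", "IP Address", "IP Subnet", "IP Address Range", "Distinguished Name"
    address: str = ""            # address, "subnet/mask", or "first-last"
    protocol: str = "All"        # "All" or a protocol name such as "TCP" / "UDP"
    port: Optional[int] = None   # None means "All"

@dataclass(frozen=True)
class Connection:
    name: str
    security: str                # "Secure", "Non-secure" or "Block"
    remote: RemoteParty

def address_matches(rp: RemoteParty, peer_ip: str) -> bool:
    """Apply the ID Type column of the table: what the entered address covers."""
    ip = ipaddress.ip_address(peer_ip)
    if rp.id_type == "Any":
        return True
    if rp.id_type in ("IP Address", "Distinguished Name"):
        # A DN identity still carries one IP address for addressing.
        return ip == ipaddress.ip_address(rp.address)
    if rp.id_type == "IP Subnet":
        # "192.168.10.0/255.255.255.0": ipaddress accepts a dotted mask.
        return ip in ipaddress.ip_network(rp.address, strict=False)
    if rp.id_type == "IP Address Range":
        first, last = (ipaddress.ip_address(p.strip()) for p in rp.address.split("-"))
        return first <= ip <= last
    raise ValueError(f"unknown ID type {rp.id_type!r}")

def matches(rp: RemoteParty, peer_ip: str, protocol: str, port: int) -> bool:
    proto_ok = rp.protocol == "All" or rp.protocol.upper() == protocol.upper()
    port_ok = rp.port is None or rp.port == port
    return address_matches(rp, peer_ip) and proto_ok and port_ok

def select_connection(policy: List[Connection], peer_ip: str,
                      protocol: str = "TCP", port: int = 0) -> Optional[Connection]:
    """First connection in list order whose selector covers the traffic.
    Order matters: a broad Non-secure entry placed above a Secure one would
    send that peer's traffic in the clear."""
    for conn in policy:
        if matches(conn.remote, peer_ip, protocol, port):
            return conn
    return None

# Constructed sample policy (names and addresses invented for the example).
SAMPLE_POLICY = [
    Connection("HQ subnet", "Secure",
               RemoteParty("IP Subnet", "192.168.10.0/255.255.255.0")),
    Connection("Lab range", "Secure",
               RemoteParty("IP Address Range", "10.20.30.5-10.20.30.9")),
    Connection("Mail server", "Block",
               RemoteParty("IP Address", "10.20.30.50", protocol="TCP", port=25)),
    Connection("Other Connections", "Non-secure", RemoteParty("Any")),
]

def decide(peer_ip: str, protocol: str = "TCP", port: int = 0) -> str:
    """Human-readable outcome of the first-match walk for one peer."""
    conn = select_connection(SAMPLE_POLICY, peer_ip, protocol, port)
    return f"{conn.name}: {conn.security}" if conn else "no matching connection"

if __name__ == "__main__":
    for peer in ("192.168.10.25", "10.20.30.7", "10.20.30.50", "203.0.113.9"):
        print(peer, "->", decide(peer, "TCP", 25))
```

Run it as a script to see which entry each constructed peer hits; move the "Other Connections" entry to the top of SAMPLE_POLICY and every peer falls through to Non-secure, which is the misconfiguration the list order protects against.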
How to Enter a Preshared Key
A preshared key is an alphanumeric character string that can be used instead of certificates to authenticate the identity of communicating parties during Phase 1 IKE negotiations. This character string, which can contain from 8 through 255 characters, is called preshared because the remote party needs it before you can communicate with it. Because it is the only long-term secret the two parties share, choose a long, random string rather than a word or phrase; anyone who learns or guesses it can impersonate either party.

How to Configure a Gateway
When configuring a secure connection (Other Connections, All Connections, or a specific connection) in the Security Policy Editor, and your network or, for specific connections only, the remote party's network routes secure IP communications through a gateway device, such as a firewall or router, you must identify the gateway and its addressing.

Configure My Identity
The remote party that you want to communicate securely with uses the information in My Identity to verify that you really are who you indicate that you are. This is done with either a preshared key that you and the remote party have or a certificate. This information also distinguishes you from the remote party during the key exchange process.

6. In the Virtual Adapter box, you can configure the client to use a virtual adapter to handle private IP addressing. You may need to do this if programs that work with the client are "IP address-aware", if your computer is assigned a private Windows Internet Naming Service (WINS) server address, or both. In the Virtual Adapter box, click an option:
   • Disabled—No virtual adapter is used. This is the default.

Configure Security Policy Connection Options
Before you configure the options for Security Policy in a connection, take these steps:
• Make sure that the connection is secure: in the Connection Security group, click Secure.
• Configure My Identity for this connection.
The Phase 1 negotiation mode selected for Security Policy determines how the security association (SA) is established for each connection through IKE negotiations.

Configure Authentication (Phase 1)
After you configure Security Policy for a secure connection, the next step is to configure authentication proposals for this policy, one connection at a time. Note: If you are using manual keys, skip this topic, and go to Configure Key Exchange (Phase 2).
1. In the Security Policy Editor, in the Network Security Policy list, expand a secure connection.
2. For the selected connection, expand Security Policy.

   d. In the SA Life box, click an option. Unspecified is the default.
   e. If you clicked Seconds for SA Life, in the adjacent box, type the number of seconds.
   f. In the Key Group box, click Diffie-Hellman Group 1, Group 2 (the default), or Group 5. Group 1 (768-bit) is the weakest of the three; use Group 2 or, where the gateway supports it, Group 5.
6. Click Save.
7. Configure Key Exchange (Phase 2).
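What the preshared key (How to Enter a Preshared Key, above) and the Key Group choice in step f actually feed into, as an added example in Python that is not NETGEAR or SafeNet code: the IKEv1 Phase 1 key derivation of RFC 2409 section 5 for preshared-key authentication, run for both peers with the client's default Diffie-Hellman Group 2. The preshared key is the only long-term secret entering SKEYID, from which the encryption, authentication and derivation keys all descend, and the responder's check of HASH_I fails when the two sides hold different keys. The example assumes SHA-1 was chosen as the Phase 1 hash (so the PRF is HMAC-SHA1); the SA payload body and identity payload are constructed placeholders, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example, not NETGEAR/SafeNet code: IKEv1 Phase 1 key derivation for
# pre-shared-key authentication (RFC 2409 section 5) with the client's default
# Key Group (Diffie-Hellman Group 2) and HMAC-SHA1 as the PRF, which assumes
# SHA-1 was selected as the Phase 1 hash algorithm.

# RFC 2409 Oakley Group 2: 1024-bit MODP prime, generator 2.
G2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G2_GENERATOR = 2
G2_BYTES = 128

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    """Private exponent x and public value g^x mod p (a 256-bit exponent is ample here)."""
    x = secrets.randbits(256) | 1
    return x, pow(G2_GENERATOR, x, G2_PRIME)

def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width big-endian byte string, as IKE feeds it to the PRF."""
    return pow(peer_public, x, G2_PRIME).to_bytes(G2_BYTES, "big")

def derive_keys(psk: str, ni: bytes, nr: bytes, gxy: bytes,
                cky_i: bytes, cky_r: bytes) -> dict:
    """For PSK auth SKEYID = prf(pre-shared-key, Ni_b | Nr_b); the rest per RFC 2409."""
    skeyid = prf(psk.encode(), ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")            # IPsec key material
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP authentication
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def run_phase1(initiator_psk: str, responder_psk: str):
    """Simulate both peers. Returns (responder accepted HASH_I, initiator keys, responder keys)."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    gxi_b = gxi.to_bytes(G2_BYTES, "big")
    gxr_b = gxr.to_bytes(G2_BYTES, "big")
    sai_b = b"\x00\x00\x00\x01" + b"constructed SA payload body"   # placeholder, not a real SA body
    idii_b = b"\x01\x00\x00\x00" + bytes([192, 0, 2, 10])         # constructed ID_IPV4_ADDR payload
    # Each side derives keys from ITS OWN copy of the pre-shared key.
    keys_i = derive_keys(initiator_psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = derive_keys(responder_psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    auth_input = gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b
    hash_i = prf(keys_i["SKEYID"], auth_input)
    expected = prf(keys_r["SKEYID"], auth_input)
    return hmac.compare_digest(hash_i, expected), keys_i, keys_r

if __name__ == "__main__":
    ok, ki, kr = run_phase1("correct horse battery staple", "correct horse battery staple")
    print("same PSK   -> authenticated:", ok, " SKEYID_e match:", ki["SKEYID_e"] == kr["SKEYID_e"])
    ok, ki, kr = run_phase1("correct horse battery staple", "correct horse battery stapl3")
    print("wrong PSK  -> authenticated:", ok, " SKEYID_e match:", ki["SKEYID_e"] == kr["SKEYID_e"])
```

Everything after SKEYID (the Diffie-Hellman secret, cookies and nonces) is fresh per negotiation, but SKEYID itself is keyed only by the preshared key, which is why the 8-character minimum in the client is a floor, not a recommendation.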
• To encrypt and authenticate the data, select the Encapsulation Protocol (ESP) check box.
   a. In the Encryption Algorithm box, click an option:

Edit a Distinguished Name
When you identify yourself (your computer) or a remote party in a connection, and you select the distinguished name identifier as the ID type, the client typically retrieves your distinguished name information from your personal certificate. The distinguished name that the remote party identifies itself with must match the distinguished name entered in the Remote Party Identity and Addressing group.

   RDN         Information                              Example
   CN          First and last name                      CN=Kerry Smith
   OU          Department; there can be multiple OUs    OU=HR; OU=New York office
   O           Company                                  O=ispname Company
   S           State (two-letter abbreviation)          S=MD
   C           Country                                  C=US
   postalCode  ZIP or postal code                       postalCode=21210
   E           Email address                            E=ksmith@ispname.com
3. In the Subject Name in LDAP Format box, enter the relevant personal information, from specific to general.
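The match the section above requires, that the distinguished name a remote party presents equal the one configured for it, as an added Python example that is not NETGEAR or SafeNet code: it parses an LDAP-format subject name built from the RDN table into ordered (attribute, value) pairs, honouring backslash-escaped commas, compares two names after normalising case and spacing, and renders a name specific-to-general as the Subject Name box expects. The alias table (ST for S, EMAIL for E) and the case-insensitive comparison are this example's assumptions about how names are normalised, not documented client behaviour.

```python
# Added example, not NETGEAR/SafeNet code: parse an LDAP-format subject name
# into RDNs, compare a configured DN with a presented one, and render a DN
# specific-to-general. ALIASES and the normalisation rules are assumptions.

ALIASES = {"ST": "S", "EMAIL": "E", "EMAILADDRESS": "E"}

def parse_dn(dn: str):
    """Split 'CN=Kerry Smith, OU=HR, ..., C=US' into ordered (attr, value) pairs.
    A backslash escapes the next character, so 'O=Acme\\, Inc' keeps its comma.
    Attribute names are upper-cased and aliases mapped; values are kept as given."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        pairs.append((ALIASES.get(attr, attr), value.strip()))
    return pairs

def canonical(dn: str):
    """Comparison form: attribute aliases applied, values lower-cased, whitespace collapsed."""
    return [(attr, " ".join(value.split()).lower()) for attr, value in parse_dn(dn)]

def dn_matches(configured: str, presented: str) -> bool:
    """True only if both names carry the same RDNs in the same order.
    An extra, missing or reordered OU is a mismatch, exactly as the client requires."""
    return canonical(configured) == canonical(presented)

def format_dn(pairs, reverse: bool = False) -> str:
    """Render RDNs, optionally reversing a general-to-specific list so that CN comes first."""
    seq = list(reversed(pairs)) if reverse else list(pairs)
    return ", ".join(f"{attr}={value.replace(',', chr(92) + ',')}" for attr, value in seq)

if __name__ == "__main__":
    configured = "CN=Kerry Smith, OU=HR, OU=New York office, O=ispname Company, S=MD, C=US"
    presented = "cn=kerry smith,ou=HR,ou=New  York office,o=ispname Company,ST=MD,c=US"
    print("match:", dn_matches(configured, presented))
    print("reordered OUs match:",
          dn_matches(configured, "CN=Kerry Smith, OU=New York office, OU=HR, O=ispname Company, S=MD, C=US"))
    print(format_dn(parse_dn("C=US, O=ispname Company, CN=Kerry Smith"), reverse=True))
```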
3. Click the Add Connection button (or Edit>Add Connection). A highlighted New Connection entry displays in the Network Security Policy list.
4. Rename the new connection.
5. In the Connection Security group, take these steps:
   a. Click the security level:
      • Secure secures communications for this connection. This is the default.
      • Non-secure allows communications for this connection to pass through unsecured, that is, not encrypted.
6. In the Remote Party Identity and Addressing group, in the ID Type box at the top of the group, click an identifier for the other party.
   b. In the Port box, click the protocol port for your computer to connect to the remote party through. The default, All, secures all protocol ports. The number displayed next to the Port box is the port's standard designation.
10. Click Save.
11. Configure My Identity for this connection.

Copy a Connection
1. In the Security Policy Editor, in the Network Security Policy list, click the connection to copy.
2. Click the copy icon.
3. Press .
4. Click Save.

Delete a Connection
1. In the Security Policy Editor, in the Network Security Policy list, click the connection to delete.
2. Click the delete icon.
3. When a confirmation message opens, click Yes.
4. Click Save.

Manage Proposals
When you add a connection and configure its Security Policy, the Security Policy Editor provides one proposal (Proposal 1) for Authentication (Phase 1) and Key Exchange (Phase 2).

Copy a Proposal
You can copy proposals for Authentication (Phase 1) or Key Exchange (Phase 2) in the selected connection only. You cannot copy proposals to another phase or connection.
1. In the Security Policy Editor, in the Network Security Policy list, expand a secure connection.
2. Expand Security Policy for the secure connection. Authentication (Phase 1) and Key Exchange (Phase 2) appear.

6. Repeat steps 4 and 5 as necessary.
7. Click Save.

Delete a Proposal
In the Network Security Policy list in the Security Policy Editor, there must be at least one proposal each for Authentication (Phase 1) and Key Exchange (Phase 2).
1. In the Security Policy Editor, in the Network Security Policy list, expand a secure connection.
2. Expand Security Policy for the secure connection. Authentication (Phase 1) and Key Exchange (Phase 2) display.

The client selects the alternates in the sequence in which they are listed for the particular connection in the Network Security Policy list. The client "rolls over" to a redundant gateway only when the primary gateway does not respond. If the client receives a response from the primary gateway, it continues trying to establish a connection. When the security association (SA) times out, the client tries to connect with the primary gateway.

Copy a Redundant Gateway
A quick way to add redundant gateways to a connection is to copy another redundant gateway in the same connection. You can copy a redundant gateway within a connection only, not between connections.
1. In the Security Policy Editor, in the Network Security Policy list, expand a secure connection.
2. Right-click a redundant gateway, and then click Copy.

4. Click OK.
5. Click Save.

Delete a Redundant Gateway
1. In the Security Policy Editor, in the Network Security Policy list, expand a secure connection.
2. Click the redundant gateway to delete.
3. Click the delete icon.
4. When a confirmation dialog box opens, click Yes.
5. Click Save.

Disable Redundant Gateways
You can disable all redundant gateways for a selected secure connection without deleting them. You can also enable them again later.
4. To password-protect this policy file during the export/import process only, take these steps:
   a. Select the Protect Exported Policy check box.
   b. In the Password box, enter a password that contains at least eight alphanumeric characters.
   c. In the Confirm box, retype the password.

Import a Security Policy
Caution: When you import a security policy, it overwrites the existing policy on your computer.
1. Obtain the name and location of the policy file to import (an .spd file).
2. In the Security Policy Editor, click File>Import Security Policy. The Import Policy From dialog box opens.
3. Navigate to the .spd file to import; when its file name displays in the File name box, click Open.

Reload the Security Policy
When the client doesn't appear to be working properly, try performing this task. It disconnects all connections and loads the current security policy from scratch.

Configure the Client to Retrieve a New Policy from a Policy Server or Web Address
The client can be configured to periodically check for and then retrieve a new security policy from a Web address, or uniform resource locator (URL). Or, if the client is managed by a policy management application, the client registers with its policy server, and then polls this policy server to look for and retrieve new security policies.

   b. In the Policy URL box, type the Web address, starting with http://, to poll. Caution: a policy fetched over plain http:// is neither encrypted nor authenticated in transit, and a retrieved policy becomes the policy the client enforces, so use only a URL your network security administrator provides on a network path you trust.
6. Click OK.
7. Click Save.
When the client finds and retrieves a new policy for you, a confirmation message box opens.

Register with a Policy Management Application
Perform this task only if your network security administrator instructs you to do so. The client can be managed by enterprise VPN policy management applications.

Retrieve a New Policy Manually
When the client is configured to automatically check for and retrieve new security policies from a policy management product or a policy server on a Web site, you can manually check this source for a new or updated policy.
• In the Security Policy Editor, click File>Retrieve Policy. The client checks the Web address or LDAP server configured on the Policy Management dialog box.
Chapter 6 Using the Certificate Manager
This chapter describes how to use the Certificate Manager of your NETGEAR ProSafe VPN Client.

What is the Certificate Manager?
The Certificate Manager is the client module where you obtain and manage the certificates you receive from certificate authorities (CAs), set the trust policy, and view certificate revocation lists (CRLs). To learn how to perform all the various certificate-related tasks, refer to the topics in the Certificate Manager book in the help.
Getting Started with the Certificate Manager
If you are using preshared keys for authentication in your VPN, or secure connection, to the other party, you don't have to open the Certificate Manager; skip all the topics in the Certificate Manager book in the help. If you are using certificates for authentication with the remote party to your VPN, and don't already have a CA and personal certificate, you need to obtain these.

There are two types of CA certificates:
• A root CA certificate is signed by and issued to itself; that is, the issuer and subject are the same.
• A subordinate or intermediate CA certificate is issued by a CA other than itself. A subordinate certificate can be issued by a root CA or another subordinate CA.
Also required for the client user is a personal certificate, which contains information about the user (client) that uniquely identifies it.

   d. Retrieve the personal certificate.
• Manual (file-based) enrollment, which requires cutting and pasting text from a text editor. CAs handle this method in various ways; all start with a certificate request file. Follow the instructions provided by the CA. These are the typical steps:
   a. Obtain a CA certificate manually.
   b. Import a CA certificate.
   c. Create a certificate request file for a personal certificate.

Table 6-1.
   Certificate Authority       Telephone        Web site
   Entrust Technologies, Inc   (972) 943-7300   www.entrust.com
   iPlanet                     (888) 786-8111   www.iplanet.com
   Microsoft Corporation       (425) 882-8080   www.microsoft.com
   RSA Security (Keon)         (877) 772-4900   www.rsasecurity.com
   VeriSign, Inc.              (650) 961-7500   www.verisign.

6. Click OK. In a few seconds, the Root or CA Certificate Store dialog box opens and prompts you to add the CA certificate to the client's root or CA store, according to the type of CA certificate you retrieved.
7. Click Yes. The certificate displays on the appropriate tab, Root CA Certificates or CA Certificates, in the Certificate Manager. If the retrieved CA certificate included RA certificates, these display on the RA Certificates tab. Retrieving the certificate does not by itself prove it is the genuine CA certificate; before you click Yes, confirm it with your network security administrator through another channel (for example, by comparing its fingerprint), because every certificate chained to it will be trusted from then on.

• 10.0.0.0 through 10.255.255.255
• 172.16.0.0 through 172.31.255.255
• 192.168.0.0 through 192.168.255.255
If your network uses an HTTP proxy server to translate private IP addresses to routable IP addresses, you must configure this option and enter the HTTP proxy server's DNS name or IP address.
4. Unless your network security administrator instructs you to change it, leave the Import certificate to local machine store check box selected (the default). Caution: In Windows NT and Windows 2000 and XP, you must be logged on as administrator or its equivalent to add this certificate to the local machine store (for all users who log on to this computer).
5. Click Import.
6. When a confirmation message box opens, click Yes.

Note: If you requested your CA certificate manually from a CA that supports SCEP, and want to request a personal certificate online, configure the CA certificate before requesting the personal certificate.
1. In the Certificate Manager, click the My Certificates tab.
2. Click Request Certificate. The Online Certificate Request or File-based Certificate Request dialog box opens.

When the CA receives (accepts) your request, a confirmation message may open; click OK. It may take some time for the CA to approve your request. The client checks the CA at a defined interval for approved personal certificates to retrieve. To change this polling interval, go to Define how often to check for personal certificates to retrieve.

Note: If the CA hasn't approved your request yet, a message alerts you of this. Try again later or wait for the client to retrieve it.
3. If the CA has approved your request, the client prompts you to add this personal certificate; click Yes. The request is removed from the Requests tab, and the retrieved certificate displays on the My Certificates tab.

2. Download the CA certificate from the CA's Web site to your computer through Internet Explorer's certificate management. For details, refer to Windows or Internet Explorer help.
3. In the Certificate Manager, on the Root CA Certificates or CA Certificates tab (depending on the certificate you're importing), import the CA certificate.
4. To complete the process, follow the instructions from the specific CA.

Request a Personal Certificate
After you retrieve or import a CA certificate, you must request a personal certificate from this CA. If your client was installed with a CA certificate, the Online Certificate Request or File-based Certificate Request dialog box opens automatically the first time your computer restarts after client installation. When the CA supports SCEP, submit the request online.

In the Key Generation Options group, specify whether the private key associated with the personal certificate you're requesting can be exported to, for example, transfer it to another computer or make a backup copy. By default, the private key cannot be exported; the Generate exportable key check box is clear. To make the key exportable, select the Generate exportable key check box. Leave it clear unless you need a backup or a transfer: a key that cannot be exported is harder to copy off the computer if the account is compromised.
7. To select the CSP or assign the default CSP, click Advanced.

Dear Applicant,
Your Administrator has approved your request for an IPSec certificate. If you have any questions or problems, please contact your Administrator by replying to this email message.

Note: Make sure that you have the password that was entered to protect the private key when this personal certificate was exported.
1. In the Certificate Manager, click the My Certificates tab.
2. Click Import Certificate. The Import Certificate dialog box opens.
3. In the Import Type group, select the certificate and private key type to import:
   • For online certificate enrollment, click PKCS12 Personal Certificate.
Reference Manual for the NETGEAR ProSafe VPN Client Select a CSP You can select a cryptographic service provider (CSP) when requesting a personal certificate, regardless of the method. You can also designate a default CSP to use for all personal certificate requests. 1. In the Security Policy Editor, click Options>Certificate Settings. The Online or File-based Certificate Request dialog box opens. 2. Click Advanced. The Advanced Certificate Enrollment Settings dialog box opens. 3.
Reference Manual for the NETGEAR ProSafe VPN Client 4. When a confirmation message opens, click Yes. 5. If prompted to delete the key container, click Yes. Obtain Certificates Through Internet Explorer You can use CA and personal certificates obtained outside the client—for example, through Microsoft Internet Explorer or your email program—with the client. In some email programs, personal certificates are called digital IDs.
Reference Manual for the NETGEAR ProSafe VPN Client 3. Click View. A box opens with information about the selected certificate. 4. To close the certificate, click anywhere in this certificate box. Verify a Certificate After you import or retrieve a certificate, you can check whether it is valid or verified. 1. In the Certificate Manager, take the steps for the specific certificate type: • • 2. For a personal certificate: – Click the My Certificates tab.
When a CA certificate has associated RA certificates, the CA certificate export file also contains these RA certificates.
1. In the Certificate Manager, click the tab for the certificate type to export:
• For a root CA certificate, the Root CA Certificates tab
• For a subordinate CA certificate, the CA Certificates tab
2. Click the certificate to export.
3. Click Export. The Export CA Certificate dialog box opens.
4.
– When a delete confirmation message box opens, click OK.
RA Certificates
When you view a certificate, a new window opens with various certificate attributes, such as its name, serial number, key size, and validity dates.
1.
– If the certificate you want to verify isn't listed on the tab, clear the Show only trusted roots check box. Every root CA certificate on the computer is then displayed on the tab.
• For a subordinate CA certificate, click the CA Certificates tab.
• For an RA certificate, click the RA Certificates tab.
– Click the certificate to verify.
– Click Verify.
Caution: In Windows NT and Windows 2000 and XP, you must be logged on as administrator or its equivalent to add this certificate to the local machine store (for all users who log on to this computer).
5.
• For an RA certificate, the RA Certificates tab
2. Click the specific certificate to view.
3. Click View. A box opens with information about the selected certificate.
4. To close the certificate, click anywhere in this certificate box.
After you import or retrieve a certificate, you can check whether it is valid or verified.
1. In the Certificate Manager, take the steps for the specific certificate type:
Caution: The private key is exported with the personal certificate only if, when the personal certificate was requested, the Generate exportable key check box was selected. If this check box was not selected then, you can't export the private key.
1. In the Certificate Manager, click the My Certificates tab.
2. Click the personal certificate to export.
3. Click Export. The Export Certificate and Private Key dialog box opens.
4.
Manage Certificate Revocation Lists (CRLs)
A certificate revocation list (CRL) is a list of certificates that the issuing CA rescinded before their expiration dates. This may occur when, for example, a user's name or address changes or the user leaves the company. When you retrieve or import a certificate from a CA, it typically contains a CRL. If it doesn't, you can import one. You can view a CRL on the CRLs tab in the Certificate Manager.
Table 6-2: URL Scheme Name
Scheme: file or http
Definition: CRLs are published to a Web server. The certificate contains this Web server's address.
Action: Leave the Default LDAP Server for CRLs box blank.
Scheme: ldap
Definition: Distinguished name of the distribution point on the LDAP directory server.
Action: In the Default LDAP Server for CRLs box, type the LDAP server's IP address, domain name, or complete URL.
2. Click Update All CRLs.
3. Click Close.
View a CRL
1. In the Certificate Manager, click the CRLs tab.
2. Click the CRL to view.
3. Click View. A dialog box with information about the selected CRL opens.
4. To close this dialog box, click OK.
Delete a CRL
If you no longer need the CRL for a particular CA, you can delete it from the Certificate Manager.
1. In the Certificate Manager, click the CRLs tab.
2. Click the CRL to delete.
3.
• On the Configuration Parameters dialog box, the Trust this certificate for IP security check box is selected.
• When you view or verify the certificates, for Enh KeyUsage, the option IP security end system appears.
You can, however, change the trust policy on the Root CA Certificates tab, and view a real-time list of the trusted root CA certificates. When you change the trust policy on this tab, the client dynamically updates the trust policy selected on the Trust Policy tab.
1. In the Certificate Manager, click the Root CA Certificates tab.
2. Select the Show only trusted roots check box.
Chapter 7 Using Sessions
This chapter describes how to perform network management tasks with your NETGEAR ProSafe VPN Client.
Authenticate Yourself
You may be prompted to enter your username and password when you attempt to establish a VPN; enter this information on the dialog box that opens. This authenticates you, the user, to the network before the connection is initiated.
Note: You may be required to start and end secure sessions manually or choose to work with secure connections that way.
Start and End a Secure Session Manually
By default, the client automatically establishes and terminates secure connections—VPNs—based on the remote party's identity. You can, however, directly connect to a specific destination with the Connect option on the client icon's shortcut (right-click) menu.
Chapter 8 Distributing Customized Profiles
A customized installation is the standard client installation package modified to include a security policy, a CA certificate, and perhaps a personal certificate. If preshared keys are to be employed, you can include these instead of CA and personal certificates. Because personal certificates are unique to each individual, a single personal certificate cannot be distributed to multiple users.
Create a Customized Installation Containing a Security Policy and a CA Certificate
1. Obtain a CA certificate.
2. Export this CA certificate; name the file CaCert.cser.
3. Configure a security policy.
4. Export the security policy; name the file IPSecPolicy.spd.
5. Add the CaCert.cser and the IPSecPolicy.spd files to the same directory that the setup.exe file is located in on the NETGEAR ProSafe VPN Client installation media.
6.
6. Export the security policy; name the file IPSecPolicy.spd.
7. Add the CaCert.cser, IPSecCerts.p12, and the IPSecPolicy.spd files to the same directory that the setup.exe file is located in on the NETGEAR ProSafe VPN Client installation media.
8. Deploy this customized installation to users on a network drive, Web page, CD-ROM, or other location/medium as a directory or .zip or .exe file.
9.
Reference Manual for the NETGEAR ProSafe VPN Client 8-4 Distributing Customized Profiles 202-10015-01
Chapter 9 Troubleshooting
System Tray Icons
The client icon displays in the Windows system tray. The icon may change very quickly to reflect the real-time communications status for active connections; it may even appear to blink.
Table 9-1. System Tray Icons
Icon: (icon image not reproduced)
Explanation: • The Windows operating system did not start the IREIKE service properly. To start this service, restart your computer. If this icon continues to display, you may need to reinstall the client.
Remove the Client Icon from the System Tray
Although it is not recommended, the client icon can be removed from the system tray. Typically, this occurs inadvertently. This has no effect on the communications status of active connections.
• In the Windows system tray, right-click the client icon, and then click Remove Icon.
Restore the Client Icon to the System Tray
If you remove the client icon from the system tray, you can put it back.
1.
Freeze the Log Viewer
The client doesn't save logged messages; ongoing negotiations overwrite the messages displayed in the Log Viewer. To preserve the currently displayed messages, you can pause or freeze the log, and then save or print its contents. Or, to save all the logged messages to a file, enable logging to the isakmp.log file on the Global Policy Settings dialog box in the Security Policy Editor.
• In the Log Viewer, click Freeze.
Save the Log Viewer Messages
1. In the Log Viewer, click Freeze.
2. Click Save Log.
3. In the Save As dialog box, follow the standard Windows Save As procedure. By default, the file is named IKEx.log, where x is an incremental number.
Print the Messages in the Log Viewer
1. In the Log Viewer, click Freeze.
2. Click Print.
3. In the Print dialog box, follow the standard Windows Print procedure.
To enable remote users to appear as internal users on a private network, select the Allow to Specify Internal Network Address check box.
Note: If you select this check box, you must enter a private internal network IP address when configuring My Identity.
6. To enable logging the Log Viewer's IKE negotiation messages to the isakmp.log file in the client's installation directory, select the Enable logging to a file check box.
Network Address Translation (NAT)
Network Address Translation (NAT) devices are widely deployed to enable local area networks (LANs) to use a single set of external IP addresses for an entire network. Remote users commonly encounter NAT devices in home networks, broadband modems (cable and DSL), and hotels. Although an IPSec VPN connection can coexist with NAT devices, IPSec-NAT incompatibilities may occur.
Table 9-1. Sample of NAT Log Messages
10:12:05.371
10:12:05.371 My Connections\NAT-T Demo - Initiating IKE Phase 1 (IP ADDR=65.163.78.79)
10:12:05.371 My Connections\NAT-T Demo - SENDING>>>> ISAKMP OAK MM (SA, VID)
10:12:05.481 My Connections\NAT-T Demo - RECEIVED<<< ISAKMP OAK MM (SA, VID, VID, VID)
10:12:05.541 My Connections\NAT-T Demo - Peer is NAT-T capable
10:12:05.551 My Connections\NAT-T Demo - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VI
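When reviewing a NAT-T problem it helps to pull the Phase 1 facts out of the Log Viewer text mechanically rather than by eye. The following Python parser is an added example, not code from the manual or the client: it reads lines in the format shown in Table 9-1 (a constructed copy of that sample, with the truncated last line completed as "VID") and reports whether the peer announced NAT-T support and whether NAT-D payloads were actually sent.

```python
"""Parse NETGEAR ProSafe VPN Client Log Viewer lines and summarise NAT-T detection.

Added example, not part of the manual. The line layout follows the sample
in Table 9-1; the last line is completed with a constructed payload list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log in the Log Viewer format shown in Table 9-1.
SAMPLE_LOG = """\
10:12:05.371 My Connections\\NAT-T Demo - Initiating IKE Phase 1 (IP ADDR=65.163.78.79)
10:12:05.371 My Connections\\NAT-T Demo - SENDING>>>> ISAKMP OAK MM (SA, VID)
10:12:05.481 My Connections\\NAT-T Demo - RECEIVED<<< ISAKMP OAK MM (SA, VID, VID, VID)
10:12:05.541 My Connections\\NAT-T Demo - Peer is NAT-T capable
10:12:05.551 My Connections\\NAT-T Demo - SENDING>>>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID)
"""

# "<hh:mm:ss.mmm> <connection name> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<conn>.+?) - (?P<msg>.*)$")
# ISAKMP message: direction marker, exchange name (MM = Main Mode), payload list
MSG_RE = re.compile(
    r"^(?P<dir>SENDING>+|RECEIVED<+) ISAKMP OAK (?P<exch>\w+) \((?P<payloads>[^)]*)\)$"
)
PEER_RE = re.compile(r"IP ADDR=(?P<ip>[\d.]+)")


@dataclass
class LogEntry:
    timestamp: str
    connection: str
    message: str
    direction: Optional[str] = None        # "send" / "recv" for ISAKMP lines
    exchange: Optional[str] = None         # e.g. "MM"
    payloads: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for one Log Viewer line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    entry = LogEntry(m["ts"], m["conn"], m["msg"])
    mm = MSG_RE.match(entry.message)
    if mm:
        entry.direction = "send" if mm["dir"].startswith("SENDING") else "recv"
        entry.exchange = mm["exch"]
        entry.payloads = [p.strip() for p in mm["payloads"].split(",") if p.strip()]
    return entry


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def nat_t_summary(entries: List[LogEntry]) -> Dict[str, object]:
    """Summarise what the Phase 1 exchange shows about NAT traversal.

    peer_ip          - address from the "Initiating IKE Phase 1" line
    peer_capable     - the client logged "Peer is NAT-T capable"
    nat_d_sent       - we sent NAT-D (NAT discovery) payloads
    nat_t_negotiated - both of the above, i.e. NAT-T is actually in use
    """
    peer_ip = None
    for e in entries:
        pm = PEER_RE.search(e.message)
        if pm:
            peer_ip = pm["ip"]
            break
    peer_capable = any("Peer is NAT-T capable" in e.message for e in entries)
    nat_d_sent = any(e.direction == "send" and "NAT-D" in e.payloads for e in entries)
    vendor_ids_received = sum(
        e.payloads.count("VID") for e in entries if e.direction == "recv"
    )
    return {
        "peer_ip": peer_ip,
        "peer_capable": peer_capable,
        "nat_d_sent": nat_d_sent,
        "nat_t_negotiated": peer_capable and nat_d_sent,
        "vendor_ids_received": vendor_ids_received,
    }


if __name__ == "__main__":
    for key, value in nat_t_summary(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A frozen Log Viewer save (IKEx.log) can be fed to parse_log unchanged; a peer that is NAT-T capable but never sees NAT-D payloads points at a client-side NAT-T setting rather than at the NAT device.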
negotiations. To view details for a specific entry, go to View an active connection's details.
• In the Windows system tray, right-click the client icon, and then click Connection Monitor. The Connection Monitor opens. In the Connection Name column, the icon that precedes the connection name provides connection information:
Table 9-2: Connection Monitor Terms and Icons
Image: (icon image not reproduced)
Definition: SA – Connection has only a Phase 1 IKE SA.
1. In the Connection Monitor, click the specific connection entry.
2. Click Details. The Security Association Details dialog box opens with a Phase 1 tab, Phase 2 tab, or both, based on whether the entry represents a Phase 1 SA, Phase 2 SA, or both.
3. If both tabs appear, click the one with the details to view:
• To view Authentication (Phase 1) SAs negotiated by IKE, click the Phase 1 tab.
Note: Private Addr is the internal IP address.
4.
Your computer        Remote party
inbound key   <-->   outbound key
outbound key  <-->   inbound key
Each direction requires a separate key. The encryption or hash algorithm that you selected when enabling manual keys determines the exact key length. For a list of these key lengths, go to Enter manual keys.
Enable Manual Keys
1. In the Security Policy Editor, in the Network Security Policy list, expand the specific secure connection.
2.
– For minimal security, MD5
– For maximum security, SHA-1 (the default)
– DES-MAC
Record your selection; you need it to determine the length of the key for the ESP Authentication Key box when entering inbound and outbound keys.
c. In the Encapsulation box, accept Tunnel (the default) or click Transport.
5. In the right pane, click one key type: Inbound Keys or Outbound Keys. The Inbound or Outbound Keying Material dialog box opens.
6. In the Security Parameters Index box, type the same value (a number with a maximum of 8 digits) that the remote party sets for this parameter. The default is 100.
7. Click Enter Key.
Table 9-4: Key Lengths (Algorithm; Key Length: ASCII, Binary)
DES 8 16
Triple-DES 24 48
AES-128 128 16
AES-192 192 24
AES-256 256 32
MD5 16 32
SHA-1 20 40
10. Click OK.
11. Repeat steps 5 through 10 for the other key type, Inbound Keys or Outbound Keys.
12. Click Save. A yellow key displays in the client icon.
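Manual keying fails silently when the two parties' SPIs or keys are not mirrored, or when a key has the wrong length for the algorithm. The following Python checker is an added example, not code from the manual or the client: it models each party's Inbound and Outbound Keying Material and applies the rules above (SPI of at most 8 digits, key length from Table 9-4 in ASCII characters or binary hex digits, my inbound equal to the peer's outbound and vice versa). The DES, Triple-DES, MD5 and SHA-1 lengths are taken from Table 9-4; the AES lengths are an assumption based on standard AES key sizes, and the configurations are constructed.

```python
"""Consistency checks for IPSec manual keys as entered in the Security Policy Editor.

Added example, not part of the manual or the client. Key lengths for DES,
Triple-DES, MD5 and SHA-1 follow Table 9-4 (ASCII characters / hex digits);
the AES rows are an assumption based on standard AES key sizes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# algorithm -> (ASCII length, binary/hex length)
KEY_LENGTHS = {
    "DES": (8, 16),
    "Triple-DES": (24, 48),
    "AES-128": (16, 32),   # assumed: 16-byte key
    "AES-192": (24, 48),   # assumed: 24-byte key
    "AES-256": (32, 64),   # assumed: 32-byte key
    "MD5": (16, 32),
    "SHA-1": (20, 40),
}
MAX_SPI_DIGITS = 8          # the SPI box accepts a number of at most 8 digits
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class KeyingMaterial:
    """One direction's Keying Material dialog: SPI plus ESP encryption and auth keys."""
    spi: int
    encryption_key: str
    auth_key: str
    key_format: str         # "ascii" or "binary" (hex digits)


@dataclass(frozen=True)
class ManualKeySide:
    """One party's manual-key settings: algorithms plus inbound and outbound material."""
    encrypt_alg: str
    hash_alg: str
    inbound: KeyingMaterial
    outbound: KeyingMaterial


def key_bytes(key: str, key_format: str) -> Optional[bytes]:
    """Raw key bytes, so an ASCII key and its hex form compare equal; None if malformed."""
    if key_format == "ascii":
        return key.encode("ascii", errors="strict") if key.isascii() else None
    if key_format == "binary" and HEX_RE.match(key) and len(key) % 2 == 0:
        return bytes.fromhex(key)
    return None


def check_key(alg: str, key: str, key_format: str, label: str) -> List[str]:
    if alg not in KEY_LENGTHS:
        return [f"{label}: unknown algorithm {alg!r}"]
    ascii_len, hex_len = KEY_LENGTHS[alg]
    if key_format == "ascii":
        if len(key) != ascii_len:
            return [f"{label}: {alg} ASCII key must be {ascii_len} characters, got {len(key)}"]
    elif key_format == "binary":
        if not HEX_RE.match(key):
            return [f"{label}: binary key must consist of hexadecimal digits"]
        if len(key) != hex_len:
            return [f"{label}: {alg} binary key must be {hex_len} hex digits, got {len(key)}"]
    else:
        return [f"{label}: key format must be 'ascii' or 'binary'"]
    return []


def check_material(side: ManualKeySide, km: KeyingMaterial, label: str) -> List[str]:
    problems = []
    if km.spi < 0 or len(str(km.spi)) > MAX_SPI_DIGITS:
        problems.append(f"{label}: SPI {km.spi} is not a number of at most {MAX_SPI_DIGITS} digits")
    problems += check_key(side.encrypt_alg, km.encryption_key, km.key_format, f"{label} ESP encryption key")
    problems += check_key(side.hash_alg, km.auth_key, km.key_format, f"{label} ESP authentication key")
    return problems


def validate_pair(mine: ManualKeySide, peer: ManualKeySide) -> List[str]:
    """Validate both parties and confirm mirroring: my inbound == peer outbound and vice versa."""
    problems = []
    problems += check_material(mine, mine.inbound, "my inbound")
    problems += check_material(mine, mine.outbound, "my outbound")
    problems += check_material(peer, peer.inbound, "peer inbound")
    problems += check_material(peer, peer.outbound, "peer outbound")
    if (mine.encrypt_alg, mine.hash_alg) != (peer.encrypt_alg, peer.hash_alg):
        problems.append("encryption or hash algorithm differs between the two parties")
    pairs = ((mine.inbound, peer.outbound, "my inbound / peer outbound"),
             (mine.outbound, peer.inbound, "my outbound / peer inbound"))
    for ours, theirs, name in pairs:
        if ours.spi != theirs.spi:
            problems.append(f"{name}: SPI mismatch ({ours.spi} vs {theirs.spi})")
        ours_keys = (key_bytes(ours.encryption_key, ours.key_format), key_bytes(ours.auth_key, ours.key_format))
        theirs_keys = (key_bytes(theirs.encryption_key, theirs.key_format), key_bytes(theirs.auth_key, theirs.key_format))
        if ours_keys != theirs_keys:
            problems.append(f"{name}: keys are not mirrored")
    return problems


# Constructed example: Triple-DES / SHA-1 with ASCII keys, correctly mirrored.
MY_INBOUND = KeyingMaterial(100, "0123456789abcdefghijklmn", "abcdefghijklmnopqrst", "ascii")
MY_OUTBOUND = KeyingMaterial(101, "nmlkjihgfedcba9876543210", "tsrqponmlkjihgfedcba", "ascii")
ME = ManualKeySide("Triple-DES", "SHA-1", MY_INBOUND, MY_OUTBOUND)
PEER = ManualKeySide("Triple-DES", "SHA-1", inbound=MY_OUTBOUND, outbound=MY_INBOUND)

if __name__ == "__main__":
    print(validate_pair(ME, PEER) or "manual keys are consistent")
```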
3. If you're using certificates:
– Click My Identity.
– In the Select Certificate box, click a personal certificate. Your original settings are restored.
If you're using preshared keys:
– Click Security Policy.
– In the Select Phase 1 Negotiation Mode group, click Main Mode or Aggressive Mode. Your original settings are restored.
Click Save.
Appendix A Networks, Routing, and Firewall Basics
This chapter provides an overview of IP networks, routing, and firewalls.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC (Request For Comments) is a document published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
Routing Information Protocol
One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The NETGEAR VPN Client supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols.
Figure A-1: Three Main Address Classes (Class A, Class B, and Class C, each divided into a Network portion and a Node portion)
The five address classes are:
• Class A
Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
• Class B
Class B addresses can have up to 65,354 hosts on a network.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host.
Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below.
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.
Table A-1.
Table A-2. Netmask Formats
255.255.255.254 /31
255.255.255.255 /32
NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons:
• So that hosts recognize local IP broadcast packets
When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.
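The subnet rule described above (replace the 0 octets of the class netmask with the dotted-decimal value of the additional bits), the /N notation of Table A-2, and the local-broadcast reasoning can all be checked with a few lines of standard-library Python. The following is an added example, not code from the manual: it rebuilds Table A-1 arithmetically, applies the rule to the Class C example (4 bits, 255.255.255.240), lists the resulting subnets with their broadcast addresses, and also generalizes to more than 8 additional bits on a Class B network.

```python
"""Subnet mask arithmetic for the Appendix A examples (Tables A-1 and A-2).

Added example, not part of the manual. Standard library only.
"""
import ipaddress
from typing import Dict, List


def additional_bits_octet(bits: int) -> int:
    """Dotted-decimal value of an octet whose top `bits` bits are subnet bits (Table A-1)."""
    if not 0 <= bits <= 8:
        raise ValueError("an octet holds 0 to 8 subnet bits")
    return (0xFF << (8 - bits)) & 0xFF


def table_a1() -> Dict[int, int]:
    """Rebuild Table A-1: additional subnet bits -> octet value (1 -> 128 ... 8 -> 255)."""
    return {b: additional_bits_octet(b) for b in range(1, 9)}


def subnet_mask(class_mask: str, extra_bits: int) -> str:
    """Apply the manual's rule: replace the 0 octets of the class netmask, left to
    right, with the dotted-decimal value of the additional subnet bits."""
    octets = [int(o) for o in class_mask.split(".")]
    remaining = extra_bits
    for i, value in enumerate(octets):
        if value == 0 and remaining > 0:
            take = min(8, remaining)          # more than 8 bits spill into the next octet
            octets[i] = additional_bits_octet(take)
            remaining -= take
    if remaining:
        raise ValueError("not enough host bits left for that many subnet bits")
    return ".".join(str(o) for o in octets)


def prefix_length(mask: str) -> int:
    """Netmask -> /N notation as in Table A-2 (255.255.255.254 -> 31)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def split_network(network: str, class_mask: str, extra_bits: int) -> List[ipaddress.IPv4Network]:
    """The subnets produced when network/class_mask is partitioned with extra_bits."""
    base = ipaddress.IPv4Network(f"{network}/{class_mask}", strict=True)
    return list(base.subnets(prefixlen_diff=extra_bits))


def local_broadcast(host: str, mask: str) -> str:
    """Broadcast address a host uses for its segment: network address with an
    all-ones host part. Two hosts with different netmasks disagree on this."""
    return str(ipaddress.IPv4Interface(f"{host}/{mask}").network.broadcast_address)


if __name__ == "__main__":
    print("Table A-1:", table_a1())
    mask = subnet_mask("255.255.255.0", 4)
    print(f"Class C + 4 bits -> {mask} (/{prefix_length(mask)})")
    for net in split_network("192.168.0.0", "255.255.255.0", 4)[:3]:
        print(net, "broadcast", net.broadcast_address, "usable hosts", net.num_addresses - 2)
    print(local_broadcast("192.168.0.17", "255.255.255.240"), "vs",
          local_broadcast("192.168.0.17", "255.255.255.0"))
```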
Single IP Address Operation Using NAT
In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The NETGEAR VPN Client employs an address-sharing method called Network Address Translation (NAT).
MAC Addresses and Address Resolution Protocol
An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer.
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.
IP Configuration by DHCP
When an IP-based local area network is installed, each PC must be configured with an IP address.
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Appendix B Virtual Private Networking
There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly.
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other.
the terms and the generic processes for connecting two gateways before diving into the specifics.
Network Interfaces and Addresses
The VPN gateway is aptly named because it functions as a “gatekeeper” for each of the computers connected on the Local Area Network behind it. In most cases, each Gateway will have a “public” facing address (WAN side) and a “private” facing address (LAN side).
Table B-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing
Gateway A, LAN (Private): 10.5.6.1
Gateway A, WAN (Public): 14.15.16.17
Gateway B, LAN (Private): 22.23.24.25
Gateway B, WAN (Public): 172.23.9.1
It will also be important to know the subnet mask of both gateway LAN Connections.
Figure B-5: VPN Tunnel SA (a VPN tunnel between FVS318 A and FVS318 B; addresses shown in the figure: 10.0.0.1, 24.0.0.1, 192.168.0.1, 192.168.3.1)
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I.
a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman Public key algorithm within the IKE framework for the two parties. The master key is also used in the second phase to derive IPSec keys for the SAs.
3.
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting
Once you have completed the VPN configuration steps you can use PCs, located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway.
• [RFC 791] Internet Protocol: DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
• [RFC 1058] C. Hedrick, Routing Information Protocol, Rutgers University, June 1988.
• [RFC 1483] Juha Heinanen, Multiprotocol Encapsulation over ATM Adaptation Layer 5, Telecom Finland, July 1993.
• [RFC 2401] S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, November 1998.
Appendix C NETGEAR ProSafe VPN Client to NETGEAR FVS318 or FVM318 VPN Routers
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVS318 or FVM318. This document follows the VPN Consortium interoperability guidelines. The configuration options and screens for the FVS318 and FVM318 are the same.
Configuration Summary
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
Figure C-1: Addressing and Subnets Used for Examples (Gateway: FVS318, WAN IP given as the FQDN FVSrouter.dydns.org, LAN IP 192.168.0.1; Client: PC with Netgear ProSafe VPN client, WAN IP 0.0.0.0)
The Use of a Fully Qualified Domain Name (FQDN)
Many ISPs provide connectivity to their customers using dynamic instead of static IP addressing.
Table C-1. Example DDNS Service Providers
DynDNS: www.dyndns.org
TZO.com: netgear.tzo.com
ngDDNS: ngddns.iego.net
In this example, gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname FVSrouter.dyndns.org for gateway A using the DynDNS service. Client B will use the host name registered with the DDNS Service Provider for gateway A when establishing a VPN tunnel.
Figure C-2: NETGEAR FVS318 VPN Settings – Main Mode
– In the Connection Name box, enter a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used VPNclient.
– Enter a Local IPSec Identifier for the NETGEAR FVS318 Gateway A. In this example we used FVSrouter.dyndns.org as the local identifier.
– Type the IP Address of client B (0.0.0.0 in our example) in the Remote LAN Start IP Address field. Entering 0.0.0.0 as the Remote LAN Start IP Address tells the FVS318 to accept a connection from any IP address. This enables travelling users who will not know the IP address of their connection to use this tunnel. It also allows telecommuters who have a direct connection at their home with a dynamic IP address to use this tunnel.
Note: Entering 0.0.0.
– Check the NETBIOS Enable box if you wish to pass NetBIOS traffic over the VPN tunnel, allowing functions such as Microsoft Network Neighborhood browsing.
3. Click Apply to save all changes. This will return you to the VPN Settings screen.
4. When the screen returns to the VPN Settings, make sure the Enable checkbox is selected.
2. Configure the Connection Network Settings.
Figure C-5: Security Policy Editor New Connection
a. Run the Security Policy Editor program and create a VPN Connection.
Figure C-6: Security Policy Editor Options menu
Note: If the configuration settings on this screen are not available for editing, go to the Options menu, select Secure, and Specified Options to enable editing of these settings.
c. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the FVS318.
d. Assure that the following settings are configured:
– In the Connection Security box, Secure is selected
– In the ID Type menu, IP Subnet is selected
– In the Protocol menu, All is selected
– The Connect using Secure Gateway Tunnel checkbox is checked
e. In the ID Type menus, select Domain Name and Gateway Hostname.
3.
c. Enter the same Pre-Shared Key used in the FVS318 VPN router. In this example, we used hr5xb84l6aa9r6.
d. Click OK.
4. Configure the Security Policy Settings.
a. In the Network Security Policy list, click the Security Policy subheading.
Figure C-9: Security Policy
b.
c. For this example, assure that the following settings are configured:
– In the Select Phase 1 Negotiation Mode menu, select Main Mode.
Figure C-10: Connection Security Policy Authentication (Phase 1)
– Configure the Authentication (Phase 1) Settings.
• Expand the Security Policy heading, then expand the Authentication (Phase 1) heading, and click on Proposal 1.
• For this example, assure that the following settings are configured:
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg, select SHA-1.
– In the SA Life, select Unspecified.
• For this example, assure that the following settings are configured:
– In the SA Life menu, select Unspecified.
– In the Compression menu, select None.
– Check the Encapsulation Protocol (ESP) checkbox.
– In the Encrypt Alg menu, select Triple DES.
– In the Hash Alg, select SHA-1.
– In the Encapsulation menu, select Tunnel.
5. Configure the Global Policy Settings.
a.
Note: Whenever you make changes to a Security Policy, save them first, then deactivate the security policy, reload the security policy, and finally activate the security policy. This assures that your new settings will take effect.
Testing the VPN Connection
You can test the VPN connection in several ways:
• From the client PC to the FVS318
• From the FVS318 to the client PC
These procedures are explained below.
1. Open the popup menu by right-clicking on the system tray icon.
2. Select Connect to open the My Connections list.
3. Choose FVS318. The NETGEAR VPN Client will report the results of the attempt to connect. Once the connection is established, you can access resources of the network connected to the FVS318.
Another method is to ping from the remote PC to the LAN IP address of the FVS318.
Monitoring the VPN Connection from the PC
Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR VPN Client Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then NETGEAR ProSafe VPN Client, then either the Connection Monitor or Log Viewer.
A sample Connection Monitor screen for a different connection is shown below:
Figure C-15: Connection Monitor screen
In this example you can see the following:
• The FVS318 has a public IP WAN address of 66.120.188.147
• The FVS318 has a LAN IP address of 192.168.100.0
• The VPN client PC has a dynamically assigned address of 67.74.40.
Monitoring the VPN Connection from the FVS318
Information on the status of the VPN client connection can be viewed by opening the FVS318 VPN Status screen. To view this screen, click the Router Status link of the FVS318 main menu, then click the VPN Status button.
Appendix D NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVL328. This case study follows the VPN Consortium interoperability profile guidelines. The configuration options for the FVS328 and FWAG114 are the same.
Configuration Profile
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium.
Figure D-1: Addressing and Subnet Used for Examples (Gateway: FVL328, WAN IP 66.120.188.153, LAN IP 192.168.0.0; Client: PC with Netgear ProSafe VPN client, WAN IP 0.0.0.0)
Note: Product updates are available on the NETGEAR Web site at www.netgear.com/support/main.asp. VPNC Interoperability guidelines can be found at http://www.vpnc.org/InteropProfiles/Interop-01.html.
Step-By-Step Configuration of FVL328 or FWAG114 Gateway
1.
Figure D-2: NETGEAR FVL328 IKE Policy Configuration
– Enter a descriptive name for the policy in the Policy Name field. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the IKE policies. In our example, we used VPNclient as the Policy Name.
– From the Direction/Type drop-down box, select Remote Access.
– From the Exchange Mode drop-down box, select Aggressive Mode.
Figure D-3: NETGEAR FVL328 IKE Policy Configuration
– From the Encryption Algorithm drop-down box, select 3DES. This will also be selected in the NETGEAR ProSafe VPN Client Security Policy Authentication Phase 1 Proposal 1 Encrypt Alg field, as seen in “Connection Security Policy Authentication (Phase 1)“ on page D-12.
– From the Authentication Algorithm drop-down box, select SHA-1.
3. Click the VPN Policies link under the VPN category on the left side of the main menu. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN – Auto Policy.

Figure D-4: NETGEAR FVL328 VPN – Auto Policy General settings

– Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name.
Figure D-5: NETGEAR FVL328 VPN – Auto Policy Traffic Selector

– From the Traffic Selector Local IP drop-down box, select Subnet addresses. This will also be entered in the NETGEAR ProSafe VPN Client Connection Remote Party Identity and Addressing ID Type field, as seen in “Security Policy Editor New Connection” on page D-9.
– Type the starting LAN IP Address of the FVL328 in the Local IP Start IP Address field.
Figure D-6: NETGEAR FVL328 VPN – Auto Policy ESP Configuration

– Select Enable Encryption in the ESP Configuration Enable Encryption checkbox. This will also be entered in the NETGEAR ProSafe VPN Client Security Policy Key Exchange (Phase 2) Encapsulation Protocol (ESP) checkbox, as seen in “Connection Security Policy Key Exchange (Phase 2)” on page D-13.
– From the ESP Configuration Encryption Algorithm drop-down box, select 3DES.
Step-By-Step Configuration of the NETGEAR VPN Client

Note: The NETGEAR ProSafe VPN Client has the ability to “Import” a predefined configuration profile. The FVL328.SPD file on the NETGEAR ProSafe VPN Client Resource CD (230-10007-01) includes all the settings identified in this procedure.
2. Configure the Connection Network Settings.

Figure D-7: Security Policy Editor New Connection

a. Run the Security Policy Editor program and create a VPN Connection.

Figure D-8: Security Policy Editor Options menu

Note: If the configuration settings on this screen are not available for editing, go to the Options menu, select Secure, and then Specified Options to enable editing of these settings.
– In the Protocol menu, All is selected.
– The Connect using Secure Gateway Tunnel checkbox is checked.

c. In this example, select IP Subnet as the ID Type, 192.168.0.0 in the Subnet field (the Subnet address is the LAN IP Address of the FVL328 with 0 as the last number), and 255.255.255.0 in the Mask field, which is the LAN Subnet Mask of the FVL328.
d. In the ID Type menus, select Domain Name and Gateway IP Address.

3.
In this example, enter this pre-shared key in this field: hr5xb84l6aa9r6

Figure D-11: Connection Identity Pre-Shared Key

c. Enter hr5xb84l6aa9r6, which is the same Pre-Shared Key entered in the FVL328.
d. Click OK.

4. Configure the Connection Identity Settings.

a. In the Network Security Policy list, click the Security Policy subheading.

Figure D-12: Security Policy

b.
5. Configure the Connection Security Policy

In this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange (Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.

Figure D-13: Connection Security Policy Authentication (Phase 1)

a. Configure the Authentication (Phase 1) Settings.
Figure D-14: Connection Security Policy Key Exchange (Phase 2)

b. Configure the Key Exchange (Phase 2).
• Expand the Key Exchange (Phase 2) heading, and click on Proposal 1.
• For this example, ensure that the following settings are configured:
  – In the SA Life menu, select Unspecified.
  – In the Compression menu, select None.
  – Check the Encapsulation Protocol (ESP) checkbox.
  – In the Encrypt Alg menu, select Triple DES.
6. Configure the Global Policy Settings.
a. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.

Figure D-15: Security Policy Editor Global Policy Options

b. Increase the Retransmit Interval period to 45 seconds.
c. Check the Allow to Specify Internal Network Address checkbox and click OK.

7. Save the VPN Client Settings.
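The gateway and client steps above repeatedly state which client field must mirror which FVL328 field; the small Python checker below is an added example (not NETGEAR code and not a reader of the .SPD file) that compares the two sides before you start the tunnel. The class layout, field names, algorithm aliases and the sample values are assumptions constructed from the settings used in this appendix.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class GatewayPolicy:      # values from the FVL328 IKE Policy and VPN Auto Policy pages
    exchange_mode: str    # e.g. "Aggressive Mode"
    encryption: str       # IKE Encryption Algorithm
    authentication: str   # IKE Authentication Algorithm
    local_subnet: str     # Traffic Selector Local IP start address
    local_mask: str       # Traffic Selector subnet mask
    preshared_key: str
    esp_encryption: str   # ESP Configuration Encryption Algorithm

@dataclass
class ClientConnection:     # values from the ProSafe VPN Client Security Policy Editor
    phase1_mode: str        # Select Phase 1 Negotiation Mode
    phase1_encrypt_alg: str # Authentication (Phase 1) Proposal 1 Encrypt Alg
    phase1_hash_alg: str    # Authentication (Phase 1) Proposal 1 Hash Alg
    remote_subnet: str      # Remote Party Identity with ID Type "IP Subnet"
    remote_mask: str
    preshared_key: str
    esp_enabled: bool       # Key Exchange (Phase 2) Encapsulation Protocol (ESP) checkbox
    phase2_encrypt_alg: str # Key Exchange (Phase 2) Proposal 1 Encrypt Alg

ALIASES = {"triple des": "3des", "sha-1": "sha1"}  # the two UIs spell algorithms differently
def norm(value):
    return ALIASES.get(value.strip().lower(), value.strip().lower())
def check_policy_pair(gw, cl):
    """Return the settings that disagree; an empty list means the two ends match."""
    pairs = [("exchange mode", gw.exchange_mode, cl.phase1_mode),
             ("phase 1 encryption", gw.encryption, cl.phase1_encrypt_alg),
             ("phase 1 hash", gw.authentication, cl.phase1_hash_alg),
             ("phase 2 encryption", gw.esp_encryption, cl.phase2_encrypt_alg)]
    problems = [f"{n}: gateway={a!r} client={b!r}" for n, a, b in pairs if norm(a) != norm(b)]
    # The client's Remote Party subnet must be exactly the gateway's Traffic Selector subnet.
    gw_net = ip_network(f"{gw.local_subnet}/{gw.local_mask}", strict=False)
    cl_net = ip_network(f"{cl.remote_subnet}/{cl.remote_mask}", strict=False)
    if gw_net != cl_net:
        problems.append(f"subnet: gateway={gw_net} client={cl_net}")
    if gw.preshared_key != cl.preshared_key:  # exact, case-sensitive comparison
        problems.append("pre-shared key differs")
    if not cl.esp_enabled:
        problems.append("client ESP encapsulation not enabled")
    return problems
# Constructed sample built from the values this appendix uses.
GATEWAY = GatewayPolicy("Aggressive Mode", "3DES", "SHA-1", "192.168.0.0",
                        "255.255.255.0", "hr5xb84l6aa9r6", "3DES")
CLIENT = ClientConnection("Aggressive Mode", "Triple DES", "SHA-1", "192.168.0.0",
                          "255.255.255.0", "hr5xb84l6aa9r6", True, "Triple DES")
```

Running check_policy_pair(GATEWAY, CLIENT) on the sample returns an empty list; a mistyped key or a wrong mask shows up as a named mismatch instead of a silent Phase 1 or Phase 2 failure in the Log Viewer.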
Testing the VPN Connection

You can test the VPN connection in several ways:
• From the client PC to the FVL328
• From the FVL328 to the client PC
These procedures are explained below.

Note: Virus protection or firewall software can interfere with VPN communications. Be sure such software is not running on the remote PC with the NETGEAR VPN Client and that the firewall features of the FVL328 are not set in such a way as to prevent VPN communications.
Once the connection is established, you can access resources of the network connected to the FVL328. Another method is to ping from the remote PC to the LAN IP address of the FVL328. To perform a ping test using our example, start from the remote PC:
1. Establish an Internet connection from the PC.
2. On the Windows taskbar, click the Start button, and then click Run.
3. Type ping -t 192.168.0.1, and then click OK.
Monitoring the PC VPN Connection

Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR VPN Client Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then NETGEAR ProSafe VPN Client, then either the Connection Monitor or Log Viewer.
A sample Connection Monitor screen for a different connection is shown below:

Figure D-18: Connection Monitor screen

In this example you can see the following:
• The FVL328 has a public IP WAN address of 66.120.188.153
• The FVL328 has a LAN IP address of 192.168.0.1
• The VPN client PC is behind a home NAT router and has a dynamically assigned address of 192.168.0.
Viewing the FVL328 VPN Status and Log Information

Information on the status of the VPN client connection can be viewed by opening the FVL328 VPN Status screen. To view this screen, click the VPN Status link of the FVL328 main menu. The FVL328 VPN Status screen for a successful connection is shown below:

Figure D-19: FVL328 VPN Status screen

To view the FVL328 VPN log, click on the VPN Status link on the left side of the main menu.
Document 202-10015-01
Glossary

Use the list below to find definitions for technical terms used in this manual.

Numeric

3DES
3DES (Triple DES) achieves a high level of security by encrypting the data three times using DES with three different, unrelated keys.

A

ADSL
Short for asymmetric digital subscriber line, a technology that allows data to be sent over existing copper telephone lines at data rates of from 1.
Application Programming Interface
An API is an interface used by a programmer to interface with functions provided by an application.

ARP
See “ADSL” on page 1.

Auto-negotiation
A feature that allows twisted-pair ports to advertise their capabilities for speed, duplex and flow control. When connected to a port that also supports auto-negotiation, the link can automatically configure itself to the optimum setup.
DNS
Short for Domain Name System (or Service), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4.
F

Filtering
The process of screening a packet for certain characteristics, such as source address, destination address, or protocol. Filtering is used to determine whether traffic is to be forwarded, and can also prevent unauthorized access to a network or network devices.

Forwarding
When a frame is received on an input port on a switch, the address is checked against the lookup table.
IKE
Internet Key Exchange. An automated method for exchanging and managing encryption keys between two VPN devices.

Internet Control Message Protocol
ICMP is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.
ISP
Internet service provider.

L

LAN
See “Local Area Network” on page 6.

LDAP
See “Lightweight Directory Access Protocol” on page 6.

Lightweight Directory Access Protocol
A set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. Unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access.
MD5
MD5 creates digital signatures using a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest. When using a one-way hash function, one can compare a calculated message digest against the message digest that is decrypted with a public key to verify that the message hasn't been tampered with. This comparison is called a "hashcheck.
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.

PKIX
PKIX. The most widely used standard for defining digital certificates.

Point-to-Point Protocol
PPP. A protocol allowing a computer using TCP/IP to connect directly to the Internet.
Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa.

Q

QoS
See “Quality of Service” on page 9.

Quality of Service
QoS is a networking term that specifies a guaranteed level of throughput.
T

TCP/IP
The main internetworking protocols used in the Internet. The Internet Protocol (IP) used in conjunction with the Transmission Control Protocol (TCP) form TCP/IP.

V

VPN
Virtual Private Network. A method for securely transporting data between two private networks by using a public network such as the Internet as a connection.

W

WAN
See “Wide Area Network” on page 10.

Web
Also known as World-Wide Web (WWW) or W3.
Index Numerics C 3DES (Triple DES) 9-10, 9-11 CA (certificate authority) 6-3, 6-4 enrollment methods 6-3 RA (registration authority) 6-3 with SCEP support 6-4 A adapter, SafeNet VPN 4-1 AH (Authentication Header) 9-10, 9-11 CA certificates 6-2, 6-3, 6-5, 6-6, 6-7, 6-18, 6-19, 6-20 configure 6-6 delete 6-20 description 6-2 export 6-19 import 6-7 obtain online 6-5 obtain through Internet Explorer 6-18 obtain through SCEP 6-5 online enrollment 6-3, 6-5 RA certificates 6-4 request online 6-5 retrieve 6-5
delete 6-11 prepare a personal certificate file to import 6-14 view 6-11 certificates 6-2, 6-3, 6-4, 6-5, 6-7, 6-15, 6-19, 6-20, 6-24 create certificate request files 6-8 delete 6-20 description 6-2 export 6-19, 6-24 import 6-7, 6-15 RA 6-4 retrieve 6-5, 6-10 save when uninstalling 3-4 verify 6-19 connect to a secure session 7-1, 7-2 automatic 7-1 manually 7-2 Connection Monitor C-14, D-17 connections 5-5, 5-20, 5-21, 5-27 add 5-5 configure 5-4, 5-5 copy 5-20 create multiple 5-5 delete 5-21 edit 5-27 move 5
E edit 5-5, 5-27, 6-8 connections 5-5, 5-27 distinguished name 5-16 proposals 5-27 security policy 5-27 enable log file 5-3 Encapsulating Security Payload B-3 Encapsulating Security Protocol (ESP) 9-10 encapsulation methods 9-10 encryption algorithms 9-10 end secure connection manually 7-2 Enh KeyUsage 6-6 HTTP proxy server 6-5, 6-6 I IANA contacting A-2 icon 9-2 Remove from system tray 9-2 Restore to system tray 9-2 ID types 5-5, 5-9, 5-10 My Identity 5-10 redundant gateway 5-9 remote party 5-5 Secure Ga
IPSec (Internet Protocol security) configure a gateway 5-9 isakmp.log file 5-3 pause 9-3 print 9-4 resume 9-3 save 9-4 unfreeze 9-3 IPSec Components B-2 IPSec SA negotiation B-9 IPSec Security Features B-2 isakmp.
personal certificate 6-8, 6-10, 6-15 RA certificate 6-5 online certificate requests 6-5, 6-8 CA 6-5 personal 6-8 retrieval interval 6-10 with HTTP proxy server 6-5, 6-6 Phase 2, key exchange 5-12, 5-21 policy management application 5-30, 5-31, 6-6, 6-7 configure CA certificate 6-6 import CA certificate 6-7 register with 5-31 retrieve policy from 5-30 policy server 5-30, 5-31 online enrollment 6-3, 6-5, 6-6, 6-8 automatically retrieve certificate requests 6-10 CA enrollment methods 6-3 CAs that support 6-4
1466 A-7, A-9 1597 A-7, A-9 1631 A-8, A-9 finding A-7 obtain 6-5, 6-7 verify 6-19 RDN (relative distinguished name) 5-16, 5-31, 6-8 reactivate security policy 5-29 redundant gateway 5-9, 5-24, 5-25, 5-26 add 5-9, 5-24 copy 5-25 delete 5-26 disable all 5-26 enter preshared keys 5-24 move 5-25 rename 5-25 reorder 5-25 register with policy server or manager 5-31 relative distinguished name (RDN) 5-16, 5-31, 6-8 reload security policy 5-28 remote party 5-5 root CA certificate configure 6-6 delete 6-20 descrip
edit 5-27 import 5-28 reactivate 5-29 reload 5-28 retrieve automatically 5-30 save when uninstalling 3-4 Security Policy Editor 5-1 basic steps 5-1 See Layer 2 Tunneling Protocol (L2TP) 4-1 See policy 3-4 See root CA certificate 6-2 See subordinate CA 6-2 select certificate automatically 5-10 SHA-1 9-10, 9-11 smart card 5-3 smart card removal and keys 5-3 SoftRemoteLT 3-4 uninstall 3-4 upgrade 3-4 set 6-29 Tunnel Mode B-5 U unfreeze, Log Viewer 9-3 uninstall 3-4 update CRLs 6-27 upgrade 3-4 user authentic