NETGEAR Product Training: Firewall VPN Products
Presented by Hien Ly, Level 3 Sr. Tech Support Engineer, November 2007
2.© 1996-2006 NETGEAR® . All rights reserved
Agenda
» Introduction to NETGEAR Firewall VPN Products
  • Firewall Overview
    » Types of Firewall
    » DMZ
      • NETGEAR DMZ
    » How to Choose a Firewall?
  • VPN Overview
    » What is VPN?
    » Encryption
    » IPsec Basics
      • IPsec Protocols
      • Security Associations (SA)
      • IKE Phases
    » SSL312 VPN Introduction
» NETGEAR Firewall VPN Router Features
  • Unique Features highlight
  • NETGEAR VPN Configuration Screenshots
  • ProSafe VPN Client Software
» Troubleshooting Tips and Lab
  • VPN Troubleshooting Flow
  • Hands-on lab
Course Objectives
» Agents should be able to do the following after this course:
  • Recognize the Firewall VPN products that NETGEAR has to offer
  • Understand the basic firewall concepts
  • Understand the basic VPN concepts
  • Understand the differences between IPSec and SSL VPN
  • Understand the different types of firewall settings on the NETGEAR routers
  • Configure and establish VPN sessions using various NETGEAR products:
    » Box-to-box VPN
    » Client-to-box VPN
    » Hub & Spoke VPN
NETGEAR Firewall VPN

Product Description                                                                                    Model No.
ProSafe VPN Firewall 200 Dual WAN with 8-port 10/100 and 1 Gigabit LAN switch (200 VPN Tunnels)        FVX538
ProSafe VPN Firewall 50 with Dial Back-up (50 VPN Tunnels)                                             FVS338
ProSafe VPN Firewall with ADSL Modem and 802.11g Wireless (50 VPN Tunnels)                             DGFV338
ProSafe Dual WAN gigabit firewall with IPSec & SSL VPN (25 IPSec & 10 SSL tunnels)                     FVS336G
ProSafe VPN Firewall with 802.11g Wireless and 8-Port 10/100 Switch (8 VPN Tunnels)                    FVG318
ProSafe VPN Firewall 8 w/8 Port 10/100 Switch (8 VPN Tunnels)                                          FVS318v3
ProSafe VPN Firewall 8 w/8 Port 10/100 Switch (8 VPN Tunnels)                                          FVS114
ProSafe SSL VPN Concentrator 25                                                                        SSL312
ProSafe VPN Firewall Line-up
(Diagram: product positioning, "Wired" firewalls vs. wireless firewalls)
» Wired firewalls:
  • FVS338: 50 tunnels, dial-up failover
  • FVX538: 200+ tunnels, dual WAN port, 1 Gig LAN port
  • FVS336G: 25 IPSec tunnels, 10 SSL tunnels, 4 Gig LAN, dual Gig WAN
  • FVS318v3 (New): 8 tunnels
  • FVS114: 8 tunnels
» Wireless firewalls:
  • DGFV338: 108Mbps 802.11g, 50 VPN tunnels, w/ ADSL2+ modem
  • FVG318: 108Mbps 802.11g, 8 VPN tunnels
» SSL312 (New): 25 SSL tunnels

Firewall 101
» A firewall is a set of components that sits between networks and acts as a gatekeeper to allow in or keep out traffic based on certain criteria.
» Firewall types:
  • Stateful Packet Inspection
  • Hybrids
  • Packet filters
  • Applications proxy
Stateful Packet Inspection (SPI)
» Examines each packet passed through.
» Allows or drops packets depending on rules.
» Maintains tables of information about current connections.
  • Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
» Uses the current state of connections in the tables to determine whether to allow or drop incoming packets.
» When a connection terminates, it removes the reference from the internal table.
Most of the firewalls available today are hybrids.
Hybrid Firewall
» Offers the best of all worlds:
  • Application-level packet filtering
  • Proxy-ARP transparency isolates internal systems from attack
  • Policy-based routing for efficient use of dual network connections
  • Multiple redundant / balanced Internet links for fail-safe operation
  • Traffic shaping and QoS control for priority services
  • Address translation and port/address forwarding hides the internal network
Packet Filters
» A packet filter examines every network packet that passes through it.
» It drops or forwards the packets depending on a set of rules.
» Rules are based on:
  • IP address
  • Protocol (TCP, UDP, IP, ICMP)
  • Port number (HTTP, FTP, TELNET)
  • Direction (inbound, outbound)
» Fast.
» No application or content awareness.
» Each packet is examined on a standalone basis.
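The difference between the two firewall types above, as an added worked example (not NETGEAR code): a stateless packet filter that judges each packet against rules on direction, protocol, address and port, beside an SPI engine that records outbound connections in a table so replies get in without an inbound rule and drops the entry when the connection terminates. The packets, rule set, default verdicts and the 5-tuple key with FIN/RST teardown are constructed assumptions.

```python
"""Packet filter vs. stateful packet inspection (SPI), side by side.
Added illustration for the Firewall 101 slides; not NETGEAR code. Rules,
packets and default verdicts are constructed; the 5-tuple connection key and
FIN/RST teardown are assumptions following the slides' connection table."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str                  # "inbound" or "outbound" (LAN view)
    proto: str                      # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"FIN"}, {"RST"}

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "drop"; None fields match anything
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == getattr(p, f)
                   for f in ("direction", "proto", "dst", "dport"))

def packet_filter(rules: List[Rule], p: Packet, default: str) -> str:
    """Stateless filter: each packet is judged on its own against the rules."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

class StatefulFirewall:
    """SPI: outbound connections are recorded so their replies get back in
    without an inbound rule; unsolicited inbound traffic still needs a rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.connections: Dict[tuple, str] = {}  # outbound 5-tuple -> state

    def process(self, p: Packet) -> str:
        if p.direction == "outbound":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            verdict = packet_filter(self.rules, p, default="allow")
            if verdict == "allow":
                if p.flags & {"FIN", "RST"}:
                    self.connections.pop(key, None)  # connection terminated
                else:
                    self.connections[key] = "established"
            return verdict
        # inbound: a reply has src/dst swapped relative to the recorded tuple
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.connections:          # belongs to a known connection
            if p.flags & {"FIN", "RST"}:
                del self.connections[key]    # remove the table reference
            return "allow"
        return packet_filter(self.rules, p, default="drop")

# Constructed rule set: only inbound HTTP to one LAN web server is permitted
RULES = [Rule("allow", direction="inbound", proto="TCP", dst="192.168.1.20", dport=80)]

def run_demo() -> Dict[str, str]:
    """Push the same constructed packets through both filters; return verdicts."""
    fw = StatefulFirewall(RULES)
    syn = frozenset({"SYN"})
    out = Packet("outbound", "TCP", "192.168.1.10", 40000, "203.0.113.5", 443, syn)
    reply = Packet("inbound", "TCP", "203.0.113.5", 443, "192.168.1.10", 40000)
    stray = Packet("inbound", "TCP", "198.51.100.7", 1234, "192.168.1.10", 40000, syn)
    web = Packet("inbound", "TCP", "198.51.100.7", 5555, "192.168.1.20", 80, syn)
    fin = Packet("inbound", "TCP", "203.0.113.5", 443, "192.168.1.10", 40000, frozenset({"FIN"}))
    return {
        "stateless_reply": packet_filter(RULES, reply, default="drop"),  # no rule: dropped
        "spi_outbound": fw.process(out),
        "spi_reply": fw.process(reply),      # allowed by the connection table
        "spi_stray": fw.process(stray),      # no connection, no rule: dropped
        "spi_web": fw.process(web),          # allowed by the inbound rule
        "spi_fin": fw.process(fin),          # allowed, and the entry is removed
        "spi_after_fin": fw.process(reply),  # connection gone: dropped again
    }
```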
Applications Proxy
» Application awareness.
» Acts as a “man in the middle”.
» Never allows a packet to pass through the proxy.
» Receives and sends out packets on behalf of the internal users.
  • The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server.
» Computationally intensive.
» Needs a proxy for each application.
(Diagram: Internal system sends an HTTP request to the Applications Proxy, which sends its own HTTP request to the Web Server; the Web page response returns along the same path.)
DMZ (Demilitarized Zone)
» A segment of network for hosting publicly accessible services (web servers, mail servers, ftp servers).
» Limits damage to the private network even if the DMZ is compromised.
(Diagram: INTERNET connected to the Firewall; a DMZ segment holding the Web server, mail server and FTP server; a separate Internal segment holding the internal PCs. Only available on FVX538.)
DMZ in NETGEAR routers
» Only available on FVX538
» This zone can be used to host servers and give public access to them. Port 8 on the LAN of the router can be dedicated as a hardware DMZ port and safely provide the Internet services without compromising security on your LAN.
Note: The IP subnet of the DMZ should be different from that of the LAN port and the WAN port(s).
Example:
  WAN 1: 10.0.0.1 with subnet 255.0.0.0
  WAN 2: 20.0.0.1 with subnet 255.0.0.0
  LAN: 192.168.1.1 with subnet 255.255.255.0
  DMZ: 192.168.10.1 with subnet 255.255.255.0
How to choose a firewall?
» Security.
» Features:
  • Flexibility in defining rules – by time/date.
  • User authentication.
  • URL filtering.
  • Content filtering.
  • Port forwarding (NAT).
» Performance.
» Support – updates, enhancements.
» Audit trail – logs, alarms.
» Manageability – a firewall is only as secure as its configuration.
VPN Overview
(Diagram: sites with Web servers connected by leased line, T1 or Frame Relay, compared with the same sites connected across the INTERNET through an encrypted VPN.)
What is a VPN?
» A VPN is a secure path through a public shared network.
» Data is secured by encryption.
» Types of VPN:
  • IPSEC (Internet Protocol Security)
  • PPTP (Point-to-Point Tunneling Protocol)
  • L2TP (Layer Two Tunneling Protocol)
  • SSL (Secure Socket Layer)
Encryption
» A mathematical function that converts data into a secret form.
» Encryption converts cleartext to ciphertext.
  - Encrypt(cleartext, key) = ciphertext
  - Decrypt(ciphertext, key) = cleartext
» Symmetric encryption (DES, 3DES)
» Asymmetric encryption (public key)
» Hash algorithm - Hash(A, key) = B
  Low probability that other data will be hashed into B. Fast.
Encryption Overview
Private key Encryption (Symmetric)
» Encrypt and decrypt with the same key.
» Needs a special procedure for key distribution.
» Fast and computationally inexpensive
  • Used for preserving confidentiality
Public key Encryption (Asymmetric)
» Encrypt with the public key and decrypt with the private key.
  • Encrypt (cleartext, KEYpublic) = ciphertext
  • Decrypt (ciphertext, KEYprivate) = cleartext
» Public key can be freely distributed.
» Slow and computationally intensive
  • Used for achieving authentication and non-repudiation.
Public Key Encryption at work
1. You give John (aka Sender) a copy of your public key.
2. John uses your public key to encrypt the plaintext to produce a ciphertext for you.
3. He then gives (just) the ciphertext to you, and
4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
IPsec Basics
» Application transparency.
» Automated key management.
» Interoperability with PKI (Public Key Infrastructure).
» Fast deployment.
» Implemented in existing routers/CPE.
IPsec Protocols
» Three main protocols of IPsec
  • IKE (Internet Key Exchange)
    » Defines a method for the secure exchange of the initial encryption keys between the two endpoints of a VPN (establishing SA).
    » UDP protocol 500
  • AH (Authentication Header)
    » Used to ensure integrity of the header information and payload as the packet makes its way through the Internet. Authentication only, no encryption.
    » 128-bit MD5 or 160-bit SHA-1 keys used to compute the integrity checksum value (ICV)
    » TCP protocol 51
  • ESP (Encapsulating Security Payload)
    » Performs the actual encryption of the data to provide data confidentiality and data integrity.
    » Encrypts with DES/3DES.
    » TCP protocol 50
Security Associations (SA)
» What is a Security Association (SA)?
  • Basic concept of IPsec
  • Represents a policy contract between two VPN endpoints describing how they will use IPsec to secure network traffic
  • Contains all the security parameters to establish a VPN connection
  • Unidirectional – one SA for each direction.
  • Each established SA is identified by a 32-bit number (SPI)
  • SPIs are written into IPsec packet headers to locate the appropriate SA.
Security Association (SA) Components
» What are the components of the SA?
  • Authentication/encryption algorithm, key length, key lifetime, etc.
  • Session keys
  • Specification of the network traffic to which IPsec will apply
  • IPsec encapsulation protocol (AH/ESP) and mode (Transport/Tunnel).
(Diagram: VPN between San Jose and New York; both gateways hold the same SA database:)
  San Jose to New York: SPI = 1000, ESP/3DES/MD5, Key1, Key2, ..., key lifetime = 3600
  New York to San Jose: SPI = 1001, ESP/DES/SHA-1, Key3, Key4, key lifetime = 3600
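An SA database keyed by SPI, with the inbound lookup the SA slides describe, as an added worked example (not NETGEAR code): the two entries copy the San Jose / New York database above, and an inbound packet is accepted only if its SPI selects an unexpired SA for this gateway and peer. The gateway addresses 192.0.2.1 and 198.51.100.1, the packet fields and the lifetime check are constructed assumptions.

```python
"""Security Association database and inbound SA lookup by SPI.
Added illustration for the SA slides, not NETGEAR code. The two SA entries
copy the San Jose / New York example (SPI 1000 ESP/3DES/MD5, SPI 1001
ESP/DES/SHA-1, lifetime 3600); the gateway addresses and the packet
representation are constructed stand-ins."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int                 # 32-bit number identifying this SA
    src: str                 # sending gateway (SAs are unidirectional)
    dst: str                 # receiving gateway
    protocol: str            # "ESP" or "AH"
    encryption: str          # e.g. "3DES"
    auth: str                # e.g. "MD5"
    keys: Tuple[str, ...]    # session keys
    lifetime: int            # seconds
    mode: str = "Tunnel"
    established_at: int = 0

    def expired(self, now: int) -> bool:
        return now - self.established_at >= self.lifetime

class SADatabase:
    """One SA per direction, indexed by the SPI carried in the IPsec header."""

    def __init__(self) -> None:
        self._by_spi: Dict[int, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        if sa.spi in self._by_spi:
            raise ValueError(f"SPI {sa.spi} already in use")
        self._by_spi[sa.spi] = sa

    def lookup(self, spi: int) -> Optional[SecurityAssociation]:
        return self._by_spi.get(spi)

@dataclass(frozen=True)
class InboundPacket:
    src: str
    dst: str
    protocol: str   # "ESP" or "AH" as seen in the packet header
    spi: int        # taken from the AH/ESP header

def process_inbound(sadb: SADatabase, pkt: InboundPacket, local: str,
                    now: int) -> Tuple[bool, str]:
    """Locate the SA for an inbound packet and decide whether to process it.
    Returns (accepted, reason)."""
    if pkt.dst != local:
        return False, "not addressed to this gateway"
    sa = sadb.lookup(pkt.spi)
    if sa is None:
        return False, f"no SA for SPI {pkt.spi}"
    if sa.dst != local or sa.src != pkt.src:
        return False, f"SPI {pkt.spi} belongs to a different direction or peer"
    if sa.protocol != pkt.protocol:
        return False, f"SPI {pkt.spi} is an {sa.protocol} SA, packet carries {pkt.protocol}"
    if sa.expired(now):
        return False, f"SA {pkt.spi} lifetime expired, re-key required"
    return True, f"{sa.protocol}/{sa.encryption}/{sa.auth} {sa.mode} mode"

# Constructed gateway addresses standing in for the two sites on the slide
SAN_JOSE, NEW_YORK = "192.0.2.1", "198.51.100.1"

def build_sadb() -> SADatabase:
    """The SA database from the slide, as held by both gateways."""
    sadb = SADatabase()
    sadb.add(SecurityAssociation(1000, SAN_JOSE, NEW_YORK, "ESP", "3DES", "MD5",
                                 ("Key1", "Key2"), lifetime=3600))
    sadb.add(SecurityAssociation(1001, NEW_YORK, SAN_JOSE, "ESP", "DES", "SHA-1",
                                 ("Key3", "Key4"), lifetime=3600))
    return sadb
```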
IPSec Data Exchange Modes
» Tunnel Mode:
  • Between two IPsec gateways
  • Encapsulates both header and data.
    » Hides the original IP header
» Transport Mode:
  • Between two IPsec hosts.
    » IP addresses of the hosts must be public IP addresses
  • Only encapsulates data.
AH & ESP Protocols
(Diagram: packet layouts, starting from a normal IP packet.)
IKE – Internet Key Exchange Protocol
» ISAKMP (Internet Security Association and Key Management Protocol)
  • Protocol to negotiate and establish SAs.
» Oakley
  • Defines the mechanism for key exchange over the IKE session
  • By default, uses the Diffie-Hellman algorithm for key exchange
» Each IKE peer has an IKE identity which is based on:
  • IP address
  • FQDN (Fully qualified domain name)
  • X.500 (certificate) name
  • Email address
» IKE sessions are protected by cryptographic algorithms.
» IKE peers must agree exactly on a set of algorithms and protocols to protect the IKE session.
IKE on NETGEAR
IKE Operations
» Phase 1 (Authentication Phase)
  • Main mode or Aggressive mode
  • Used to establish a secure channel, authenticate the negotiating parties, and generate shared keys to protect IKE protocol messages
  • Negotiates the IKE SA
» Phase 2 (Key Exchange Phase)
  • AKA: Quick mode
  • Used to establish the IPSec SA and to generate new keying material
  • Negotiates the IPsec SA
IKE Main Mode Message Exchange
» Uses 6 messages to establish the IKE SA.
  • First 2 – negotiate the security policy that will be used
  • Next 2 – perform the Diffie-Hellman key exchange and pass nonces (random numbers for signing) to each other
  • Last 2 – used to authenticate the peers
» Hides the identity of the IKE peers.
IKE Aggressive Mode Message Exchange
» Less negotiation flexibility for IKE session protection.
» Will not hide identity (all identities of parties involved are revealed).
IKE Quick Mode Message Exchange
» Quick Mode
  • Fast.
  • If an IKE SA is in place, only quick mode exchanges are used to negotiate new keys or re-key.
  • PFS (Perfect Forward Secrecy)
    » Generates a new key that is independent of the current key (from Phase 1).
IPsec Inbound Packet Processing
(Diagram slide)
IPsec Outbound Packet Processing
(Diagram slide)
Host to Host VPN Traffic Process
(Diagram sequence:)
1) Initialization
2) IKE Phase 1 Triggering
3) IKE Phase 1 Completed
4) IKE Phase 2
5) IPsec VPN Established
VPN Policy requirements?
» Who are the VPN parties?
  • IKE identifiers (WAN IP, FQDN, FQUN, DN).
» Where are the VPN parties?
  • VPN gateway addresses (WAN IP, FQDN).
» What traffic is included in the VPN?
  • Local VPN subnet, remote VPN subnet.
» How does the VPN secure the communication?
  • Main mode / Aggressive mode.
  • Pre-shared key.
  • Key lifetime.
  • ESP / AH (authentication algorithm, encryption algorithm).
  • PFS?
VPN Gateway-to-Gateway Example
(Diagram: Network A 192.168.0.0/255.255.255.0 behind a ProSafe VPN router with WAN IP 66.126.237.201, connected across the INTERNET to a ProSafe VPN Router with WAN IP 66.126.237.204 in front of Network B 192.168.4.0/255.255.255.0.)

Setting                    Network A         Network B
Local Identifier           WAN IP            WAN IP
Remote Identifier          WAN IP            WAN IP
Local subnet               192.168.0.0/24    192.168.4.0/24
Remote subnet              192.168.4.0/24    192.168.0.0/24
Remote VPN Endpoint        66.126.237.204    66.126.237.201
Shared Key                 12345678          12345678
Encryption Algorithm       3DES              3DES
Authentication Algorithm   SHA-1             SHA-1
VPN Client-to-Gateway Example
(Diagram: Network A 192.168.1.0/255.255.255.0 behind a ProSafe VPN router with WAN IP 66.126.237.203, reached across the INTERNET by a remote user running the VPN Client.)

Setting                    Network A         Remote Client
Local Identifier           WAN IP            remoteClient
Remote Identifier          remoteClient      WAN IP
Local subnet               192.168.1.0/24    192.168.100.1
Remote subnet              192.168.100.1     192.168.1.0/24
Remote VPN Endpoint        66.126.237.203    0.0.0.0
Shared Key                 12345678          12345678
Encryption Algorithm       3DES              3DES
Authentication Algorithm   MD5               MD5
What is SSL VPN?
» SSL VPNs create secure tunnels by performing two functions:
  • Requiring authentication from users before allowing access so that only authorized parties can establish tunnels
  • Encrypting all data transmitted to and from the user by implementing the actual tunnel using SSL
» The process of establishing an SSL tunnel requires the exchange of different configuration information between the computers on either end of the connection.
SSL VPN on OSI Network Model
» IPSec VPN operates at the Network Layer – Layer 3
» SSL VPN establishes connectivity using SSL, which functions at Layers 4 & 5
» Information gets encapsulated at Layers 6 & 7 of the OSI model
» So why don't SSL VPNs simply use SSL to tunnel network-level communications as IPSec does and not worry about the higher levels?
  • Technical limitations of many devices prevent the establishment of Network-Layer communications over SSL, but allow application-layer access from a web browser.
  • Security considerations and policies normally prohibit attaching Internet kiosks and borrowed computers as nodes on your corporate network.
    » Cannot install VPN client software on public kiosks
SSL VPN
Segmentation in SSL VPN
(Diagram: remote users at Home, a Kiosk or Laptop, a B2B Partner, a PDA and an Internet Café reach Corporate Applications (Email, Web, Database, File server) over secure SSL VPN connections across the Internet, terminated by the ProSafe VPN Firewall and the ProSafe SSL312 VPN Concentrator; some users get full access, others restricted access.)
Unique Router Features
(Screenshot slides for each feature:)
Serial Modem – FR328S, FVS328, FWG114P
Serial Port – Auto Failover – FVS328, FR328S, FWG114P
Serial Port – Dial in – FVS328, FR328S, FWG114P
Serial Port – LAN to LAN – FVS328, FR328S, FWG114P
Dial up ISP – FVS338
ADSL Interface – DGFV338
Wireless – FVG318, DGFV338
WAN Mode w/ Dialup – FVS338
Auto-Rollover – DGFV338, FVS336G, FVX538
» If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
» Link failure is detected in one of the following ways:
  • By sending DNS queries to a DNS server, or
  • By sending a Ping request to an IP address, or
  • None (no failure detection is performed).
» From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the corresponding WAN interface is considered down.
» As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
Load Balancing / Protocol Binding – FVS336G, FVX538
» The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional.
» Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
  • In the Protocol Binding menu, you specify a protocol such as HTTP, and this causes all outbound traffic of that protocol to use that WAN port.
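The dual-WAN behaviour of the Auto-Rollover and Load Balancing / Protocol Binding slides in one added worked example (not NETGEAR firmware): a per-interface failure detector that marks a link down after the configured number of missed DNS or ping probes and back up on the first reply, and a selector that either keeps all traffic on the primary until it fails (rollover, with automatic roll-back) or spreads traffic over the functional links unless a protocol binding pins it to one WAN. Probe replies are fed in as constructed booleans, and round-robin spreading of unbound traffic is an assumption.

```python
"""Dual-WAN link selection: auto-rollover with failure detection, load
balancing and protocol binding. Added illustration for the Auto-Rollover and
Load Balancing / Protocol Binding slides; not NETGEAR firmware. Probe replies
are constructed booleans; round-robin balancing is an assumption."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional

@dataclass
class WanInterface:
    name: str
    detection: str = "ping"     # "dns", "ping" or "none"
    retries: int = 3            # consecutive misses before the link is down
    misses: int = 0
    up: bool = True

    def record_probe(self, replied: bool) -> bool:
        """Feed one probe result (DNS query or ping reply); returns link state."""
        if self.detection == "none":
            self.up = True          # no failure detection is performed
            return self.up
        if replied:
            self.misses = 0
            self.up = True          # link is back: traffic rolls back to it
        else:
            self.misses += 1
            if self.misses >= self.retries:
                self.up = False     # considered down after the retries
        return self.up

class DualWan:
    """WAN mode is either "rollover" (primary/backup) or "balance"."""

    def __init__(self, primary: WanInterface, backup: WanInterface,
                 mode: str = "rollover",
                 bindings: Optional[Dict[str, str]] = None) -> None:
        self.primary, self.backup, self.mode = primary, backup, mode
        self.bindings = bindings or {}          # protocol -> WAN name
        self._next = cycle((primary, backup))   # round robin for balancing

    def functional(self) -> List[WanInterface]:
        return [w for w in (self.primary, self.backup) if w.up]

    def select(self, protocol: Optional[str] = None) -> Optional[str]:
        """Pick the WAN name for an outbound flow, or None if both are down."""
        live = self.functional()
        if not live:
            return None
        if self.mode == "rollover":
            # all traffic on the primary while it is up, the backup otherwise
            return self.primary.name if self.primary.up else self.backup.name
        bound = self.bindings.get(protocol)
        for wan in live:
            if wan.name == bound:               # protocol binding bypasses balancing
                return wan.name
        for wan in self._next:                  # otherwise spread over live links
            if wan.up:
                return wan.name
```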
Multi Home LAN IP – DGFV338, FVS336G, FVS338, FVX538
The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet.
» If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the router. This allows the router to act as a gateway to additional logical subnets on your LAN.
NOTE: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.
Traffic Meter – FVS336G, FVS338, FVX538
» Allows you to measure and limit the traffic routed by the router.
» The router will keep a record of the volume of traffic going from the selected interface.
» The router can also be configured to place a restriction on the volume of data being transferred.
Session Limit – FVS338, FVX538
"Total Number of Packets Dropped due to Session Limit:" shows the total number of packets dropped when the session limit is reached.
» Allows you to specify the total number of sessions per user (IP) allowed across the router.
» You can give the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute number of maximum sessions.
» The percentage is computed on the total connection capacity of the device. "User Limit" specifies the maximum number of sessions that should be allowed via the box from a single source machine (i.e. session limiting is per machine) as a percentage of total connection capacity.
» NOTE: Please note that some protocols like FTP, RSTP create 2 sessions per connection, which should be considered when configuring session limiting.
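Per-source-IP session limiting as the slide describes it, as an added worked example (not NETGEAR code): the user limit is taken either as a percentage of the device's total connection capacity or as an absolute count, FTP is charged two sessions per connection, and refused connections feed a dropped-packet counter like the one shown on the status slide. The capacity figure, protocol table and client addresses are constructed.

```python
"""Per-source-IP session limiting (Session Limit slide). Added illustration,
not NETGEAR code; capacity, protocol table and addresses are constructed."""
from collections import defaultdict
from typing import Dict

# Protocols the slide singles out as using two sessions per connection
SESSIONS_PER_CONNECTION: Dict[str, int] = {"FTP": 2}

class SessionLimiter:
    def __init__(self, total_capacity: int, user_limit: int,
                 limit_type: str = "percent") -> None:
        if limit_type == "percent":
            if not 0 < user_limit <= 100:
                raise ValueError("percentage must be between 1 and 100")
            # "User Limit" as a percentage of the total connection capacity
            self.max_per_ip = total_capacity * user_limit // 100
        elif limit_type == "absolute":
            self.max_per_ip = user_limit
        else:
            raise ValueError("limit_type must be 'percent' or 'absolute'")
        self.sessions: Dict[str, int] = defaultdict(int)  # source IP -> open sessions
        self.packets_dropped = 0   # "Total Number of Packets Dropped due to Session Limit"

    def open_connection(self, src_ip: str, protocol: str = "TCP") -> bool:
        """Admit a new connection from src_ip, or drop it when the limit is hit."""
        needed = SESSIONS_PER_CONNECTION.get(protocol, 1)
        if self.sessions[src_ip] + needed > self.max_per_ip:
            self.packets_dropped += 1
            return False
        self.sessions[src_ip] += needed
        return True

    def close_connection(self, src_ip: str, protocol: str = "TCP") -> None:
        """Release the sessions a finished connection held."""
        needed = SESSIONS_PER_CONNECTION.get(protocol, 1)
        self.sessions[src_ip] = max(0, self.sessions[src_ip] - needed)
```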
UPnP – DGFV338, FVG318
UPnP (Universal Plug and Play) is a feature that allows for automatic discovery of devices that can communicate with this router.

Firewall Features
(Screenshot slides:)
Static Routes
Dynamic DNS
» Alias a dynamic IP address to a static hostname.
» Requires a dynamic DNS provider.
» When the dynamic IP changes on a network device, the device logs onto the DDNS server and changes the record of the hostname to map to the new IP address.
» Some DDNS providers expire the hostname if the IP address remains idle for a period of time. (Use the “Update every 30 days” check box to prevent the hostname from expiring.)
SNMP – FVS336G, FVS338, FVX538, DGFV338
Groups and Hosts
Groups and Hosts – Add
Groups and Hosts – Edit
Address Filter – Source MAC Filter
Services
Scheduling
Block Sites
Firewall Rules
Firewall Rules – Adding Inbound
Firewall Rules – Adding Outbound
Address Filter – IP/MAC Binding
Address Filter – IP/MAC Binding – Edit
Port Triggering
Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC's request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)
Note:
» Only 1 PC can use a "Port Triggering" application at any time.
» After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
» Normally for games and chat.
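The four steps and the two notes above as one state machine, in an added worked example (not NETGEAR code): an outgoing connection to a trigger port associates the entry's incoming ports with that PC, responses on those ports are forwarded to it, a second PC is refused while the entry is held, and the entry is released only after a time-out since the router cannot tell when the application has finished. The trigger table, time-out and addresses are constructed; time is passed in as plain seconds.

```python
"""Port triggering state machine following the four steps on the slide.
Added illustration, not NETGEAR code. The trigger table, the time-out and the
addresses are constructed; timestamps are plain seconds passed by the caller."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class TriggerEntry:
    name: str
    trigger_port: int                 # outbound destination port that arms the entry
    incoming_ports: Tuple[int, ...]   # inbound ports opened towards the PC

@dataclass
class PortTriggering:
    entries: Tuple[TriggerEntry, ...]
    timeout: int                      # seconds of inactivity before release
    # entry name -> (PC address, time of last activity)
    active: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def _holder(self, entry: TriggerEntry, now: int) -> Optional[str]:
        """PC currently associated with the entry, unless the time-out passed."""
        held = self.active.get(entry.name)
        if held is None:
            return None
        pc, last = held
        if now - last >= self.timeout:
            del self.active[entry.name]   # time-out: the entry becomes free again
            return None
        return pc

    def outbound(self, pc: str, dport: int, now: int) -> str:
        """Steps 1-2: an outgoing connection to a trigger port arms the entry."""
        for entry in self.entries:
            if entry.trigger_port != dport:
                continue
            holder = self._holder(entry, now)
            if holder is not None and holder != pc:
                return f"busy: {entry.name} in use by {holder}"   # only 1 PC at a time
            self.active[entry.name] = (pc, now)
            return f"armed: {entry.name} for {pc}"
        return "no trigger"            # ordinary outbound traffic

    def inbound(self, dport: int, now: int) -> Optional[str]:
        """Steps 3-4: forward a response on an opened port to the associated PC,
        or return None so it falls through to the port forwarding rules."""
        for entry in self.entries:
            if dport not in entry.incoming_ports:
                continue
            pc = self._holder(entry, now)
            if pc is not None:
                self.active[entry.name] = (pc, now)   # activity keeps the entry alive
                return pc
        return None
```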
Bandwidth Profile
Attack Checks
Firewall Logs
Email Logs
Syslog
VPN Logs

Troubleshooting Features
Diagnostics – FVS338, FVS336G, FVX538, DGFV338 (and FVG318)
Diagnostics – Packets Capture

VPN Features
Netgear VPN – VPN Wizard Box-to-box
Netgear VPN – VPN Wizard Client-to-box
VPN Policy
VPN Policy – General
VPN Policy – Traffic Selection
VPN Policy – Policy Parameters
IKE Policy
IKE Policy – Edit – FVS336G, FVS338, FVX538
IKE Policy – Edit for FVG318
IKE Policy – IKE parameters
VPN – Certificate Authority (CA)
Generate Self-sign Certificate
View Certificate Request
Certificate Revocation List (CRL)
Mode Config
VPN Client – User Database
VPN Client – RADIUS Client

ProSafe VPN Client Software (VPN01L / VPN05L)
Client to Gateway VPN Example
(Diagram slide)
ProSafe VPN Client Software
» Securely enables mobile workers or single-user remote access to corporate network resources
» Broad security support, standards-based
  • Implements the IPSec security protocol with optional certificates or Smart Cards
» Easy to configure and deploy
» Compatible with any IPSec-compliant VPN device
» Optimized for NETGEAR ProSafe VPN Firewalls
(Screenshot slides of the ProSafe VPN Client:)
VPN Client – Security Policy Editor
VPN Client – Global Config
VPN Client – Security Policy
VPN Client – Authentication
VPN Client – Key Exchange
VPN Client – My Identity (IKE Identifier)
VPN Client – Preshared key
FVX538 – Client VPN Policy
FVX538 – VPN Client (screenshots show 50.0.0.0 and the IKE Identifiers fvx_local.com / fvx_remote.com)
Exercise
Set up the following two scenarios.
Box-to-Box VPN
(Diagram: VPN Gateway #1 and VPN Gateway #2, each with an Ethernet LAN; Internal Subnet #1, Internal Subnet #2 and Internal Subnet #3 behind an Internal Router.)
» Create a VPN tunnel between 2 NETGEAR VPN routers
Hub and Spoke VPN
(Diagram: Local Area Network #1 behind the Hub VPN Gateway; Local Area Network #2 behind Spoke VPN Gateway #1; Spoke VPN Gateway #2 or a VPN Client; the spokes reach each other over a secure connection through VPN gateway #1.)
» Spoke sites access each other through the hub site.
» VPN policy on the hub site:
  • Local VPN network includes the spoke site.
» VPN policy on the spoke site:
  • Remote VPN network includes the spoke site.
VPN Troubleshooting
» Can the other VPN end point reach you?
  • What is the remote VPN endpoint?
    » FQDN: does it resolve to the remote WAN IP?
    » IP Address: is the IP address reachable?
    » 0.0.0.0: does the VPN use aggressive mode?
» Do the VPN parameters match on both endpoints?
  • What are the remote/local IKE identities?
    » Do they match the remote endpoint's local/remote IKE identities?
  • What are the local/remote VPN networks?
    » Do they match the remote endpoint's remote/local VPN networks?
  • What is the pre-shared key?
    » Does it match the remote endpoint's pre-shared key?
  • What are the encryption/authentication algorithms?
    » Do they match the remote endpoint's algorithms?
  • What is the IKE mode (main/aggressive)?
    » Does it match the remote endpoint's IKE mode?
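The checklist above and the VPN Policy requirements slide turned into a policy-pair consistency check, as an added worked example (not NETGEAR code): it verifies that each end's remote endpoint resolves to the peer's WAN IP (or, for 0.0.0.0, that aggressive mode is used), that IKE identities and VPN networks mirror each other, and that the pre-shared key, algorithms and IKE mode are identical. The sample policies reproduce the gateway-to-gateway example earlier in the deck with the "WAN IP" identifiers written out as the addresses; the field names, the constructed DNS table and the 0.0.0.0-requires-aggressive rule are assumptions drawn from the slides.

```python
"""Consistency check of a VPN policy pair following the troubleshooting
checklist. Added illustration, not NETGEAR code. Sample policies copy the
gateway-to-gateway example; field names, the DNS table and the
0.0.0.0-requires-aggressive-mode rule are assumptions from the slides."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List

@dataclass(frozen=True)
class VpnPolicy:
    wan_ip: str
    local_id: str             # IKE identity of this end (the slides use the WAN IP)
    remote_id: str            # IKE identity expected from the peer
    local_subnet: str
    remote_subnet: str
    remote_endpoint: str      # WAN IP, FQDN, or 0.0.0.0 for a roaming peer
    shared_key: str
    encryption: str
    auth: str
    ike_mode: str             # "main" or "aggressive"

def variant(policy: VpnPolicy, **changes) -> VpnPolicy:
    """Copy of a policy with some fields changed (used for what-if checks)."""
    return replace(policy, **changes)

def resolve(endpoint: str, dns: Dict[str, str]) -> str:
    """Return the IP an endpoint resolves to; FQDNs are looked up in dns."""
    try:
        return str(ip_address(endpoint))
    except ValueError:
        return dns.get(endpoint, "")

def check_pair(a: VpnPolicy, b: VpnPolicy, dns: Dict[str, str]) -> List[str]:
    """List every mismatch between the two ends; an empty list means consistent."""
    issues: List[str] = []
    for me, peer, side in ((a, b, "A"), (b, a, "B")):
        # Can this end reach the other one?
        if me.remote_endpoint == "0.0.0.0":
            if me.ike_mode != "aggressive":
                issues.append(f"{side}: remote endpoint 0.0.0.0 needs aggressive mode")
        elif resolve(me.remote_endpoint, dns) != peer.wan_ip:
            issues.append(f"{side}: remote endpoint {me.remote_endpoint} "
                          f"does not resolve to {peer.wan_ip}")
        # IKE identities and VPN networks must mirror the other end's
        if me.remote_id != peer.local_id:
            issues.append(f"{side}: remote ID {me.remote_id!r} != peer local ID {peer.local_id!r}")
        if ip_network(me.remote_subnet) != ip_network(peer.local_subnet):
            issues.append(f"{side}: remote network {me.remote_subnet} "
                          f"!= peer local network {peer.local_subnet}")
    # Parameters that must simply be identical on both ends
    for name in ("shared_key", "encryption", "auth", "ike_mode"):
        if getattr(a, name) != getattr(b, name):
            issues.append(f"{name} differs between the endpoints")
    return issues

# The gateway-to-gateway example from the deck (identifiers = WAN IPs)
SITE_A = VpnPolicy("66.126.237.201", "66.126.237.201", "66.126.237.204",
                   "192.168.0.0/24", "192.168.4.0/24", "66.126.237.204",
                   "12345678", "3DES", "SHA-1", "main")
SITE_B = VpnPolicy("66.126.237.204", "66.126.237.204", "66.126.237.201",
                   "192.168.4.0/24", "192.168.0.0/24", "66.126.237.201",
                   "12345678", "3DES", "SHA-1", "main")
```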
VPN Troubleshooting flow
(Flowchart; each check is answered Y/N, starting from "VPN not working":)
» Dynamic IP on local WAN?
  • Y: Use dynamic DNS? N: Setup dynamic DNS.
  • Y: Use FQDN as local VPN identity? N: Use FQDN.
  • Y: FQDN resolves to WAN IP? N: Check dynamic DNS setting, make sure the FQDN resolves to the local WAN IP.
» Dynamic IP on remote WAN?
  • Y: Use dynamic DNS? N: Setup dynamic DNS.
  • Y: Use FQDN as remote VPN identity? N: Use FQDN.
  • Y: FQDN resolves to WAN IP? N: Check dynamic DNS setting, make sure the FQDN resolves to the remote WAN IP.
» VPN mode matches? N: VPN mode must match in both remote and local VPN policies.
» Preshared key matches? N: Preshared key must match in both remote and local VPN policies.
» Encryption algorithm matches? N: Encryption algorithm must match in both local and remote VPN policies.
» Authentication algorithm matches? N: Authentication algorithm must match in both remote and local VPN policies.
» All checks pass: Refer to Premium support.
Questions & Answers