Netgear FVS318v3 – Cable/DSL ProSafe VPN Firewall with 8-Port Switch Reference Manual
ProSafe VPN Firewall FVS318v3 Reference Manual
5-14
Advanced Virtual Private Networking
v5.0, January 2012
Each CA has its own certificate. The certificates of a CA are added to the FVS318v3 and then can
be used to form IKE policies for the user. Once a CA certificate is added to the FVS318v3 and a
certificate is created for a user, the corresponding IKE policy is added to the FVS318v3. Whenever
the user tries to send traffic through the FVS318v3, the certificates are used in place of pre-shared
keys during initial key exchange as the authentication and key generation mechanism. Once the
keys are established and the tunnel is set up the connection proceeds according to the VPN policy.
be used to form IKE policies for the user. Once a CA certificate is added to the FVS318v3 and a
certificate is created for a user, the corresponding IKE policy is added to the FVS318v3. Whenever
the user tries to send traffic through the FVS318v3, the certificates are used in place of pre-shared
keys during initial key exchange as the authentication and key generation mechanism. Once the
keys are established and the tunnel is set up the connection proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVS318v3 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
CRL on the FVS318v3 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FVS318v3 CRL regularly in order for the CA-based authentication
process to remain valid.
process to remain valid.
VPN Configuration Scenarios for the FVS318v3
There are a variety of configurations you might implement with the FVS318v3. The scenarios
listed below illustrate typical configurations you might use in your organization.
listed below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (
These scenarios were developed by the VPN Consortium (
). The goal is to
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:
you with both of these scenarios in the following two formats:
•
VPN Consortium Scenarios using a pre-shared key
•
VPN Consortium Scenarios using an RSA interface
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing.
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing.
The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go
to the NETGEAR Web site (
to the NETGEAR Web site (
Quick Find drop down menu for information on how to purchase the NETGEAR ProSafe VPN
Client.
Client.