ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Virtual Private Networking Using IPsec
5-25
v1.0, October 2007
a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
c. Enable Replay Detection should be checked.
4. Click on Authentication (Phase 1) on the left side of the menu and choose Proposal 1. Enter the Authentication values to match those in the VPN firewall ModeConfig Record menu.
5. Click on Key Exchange (Phase 2) on the left side of the menu and choose Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours [28800 seconds].)
6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client.
To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” is displayed and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the VPN firewall LAN.
Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a VPN firewall, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN firewall to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local User Database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.
XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
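RADIUS-PAP and RADIUS-CHAP, two of the authentication types named above, differ in what the client puts on the wire and what the authentication server must store. The following Python example is added here and is not code from the manual or from the firewall firmware; the user name, password, shared secret, Request Authenticator and challenge are constructed values. It implements both checks as a RADIUS server would: PAP carries the password hidden with the shared secret (RFC 2865 section 5.2) and the server recovers it, so the server may store only a one-way hash; CHAP carries an MD5 challenge response (RFC 1994, RFC 2865 section 5.3), which the server can verify only if its User Database holds the original password.

```python
import hashlib
import secrets

# Constructed sample "User Database" as a RADIUS server would hold it for CHAP.
# CHAP verification needs the original password; PAP could use a one-way hash instead.
USER_DB = {"alice": b"correct horse battery staple"}


def pap_hide_password(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth          # first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev                         # later blocks chain to the previous ciphertext block
    return out


def pap_reveal_password(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Server side of RFC 2865 s5.2: undo the XOR chain and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")              # passwords ending in NUL are ambiguous by design


def pap_verify(user: str, hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bool:
    """PAP check: the server sees the password itself, so it can compare against any stored form."""
    stored = USER_DB.get(user)
    if stored is None:
        return False
    return secrets.compare_digest(pap_reveal_password(hidden, shared_secret, request_auth), stored)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || challenge); the password never leaves the client."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(user: str, ident: int, response: bytes, challenge: bytes) -> bool:
    """CHAP check: recompute the response, which is only possible with the original password stored."""
    stored = USER_DB.get(user)
    if stored is None:
        return False
    return secrets.compare_digest(chap_response(ident, stored, challenge), response)
```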