
Using Auto Policy to Configure VPN Tunnels

You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end must match the inbound VPN settings on the other end, and vice versa: the Local LAN and Remote LAN definitions are swapped between the two gateways, while the IKE and Parameters settings (exchange mode, DH group, algorithms, pre-shared key, lifetimes) must be identical on both.

See Example of Using Auto Policy for an example of using Auto Policy.

Configuring VPN Network Connection Parameters

All VPN tunnels on the ADSL Modem Wireless Router require configuring several network parameters. This section describes those parameters and how to access them.

The most common configuration scenarios use IKE to manage the authentication and encryption keys. The IKE protocol negotiates between the two VPN endpoints to automatically generate and periodically renew the required encryption keys and parameters.

Click the VPN Policies link of the main menu, and then click the Add Auto Policy button to display the VPN - Auto Policy menu shown in Figure 7-40.

Figure 7-40

The DG834G v3 VPN tunnel network connection fields are defined as follows:


General. 

These settings identify this policy and determine its major characteristics.


Local LAN. 

This identifies which PCs on your LAN are covered by this policy. The data required depends on the selection made.


Remote LAN. 

This identifies which PCs on the remote LAN are covered by this policy. The data required depends on the selection made.

The remote VPN endpoint must have these same IP addresses entered as its "Local LAN" addresses.


IKE. 

Direction/Type-this setting determines whether this gateway initiates the IKE negotiation, responds to it, or both, and is used when deciding whether the IKE policy matches the current traffic. Select the desired option.

Exchange Mode-ensure the remote VPN endpoint is also set to use "Main Mode".

Diffie-Hellman (DH) Group-the Diffie-Hellman algorithm is used when exchanging keys. The DH Group setting determines the bit size of the DH group used in the exchange (Group 1 is 768 bits, Group 2 is 1024 bits). This value must match the value used on the remote VPN Gateway.

Local Identity Type-select the desired option to match the "Remote Identity Type" setting on the remote VPN endpoint.

Local Identity Data-enter the data for the selection above. (If WAN IP Address is selected, no input is required.)

Remote Identity Type-select the desired option to match the "Local Identity Type" setting on the remote VPN endpoint.

Remote Identity Data-enter the data for the selection above. (If IP Address is selected, no input is required.)


Parameters. 

Encryption Algorithm-the encryption algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. DES and 3DES are supported. DES uses a 56-bit key and is not considered adequate protection; select 3DES unless the remote endpoint cannot support it.

Authentication Algorithm-the authentication (integrity) algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates the algorithm with the remote VPN endpoint and is not available in responder-only mode. Prefer SHA-1 over MD5 where both endpoints support it.

Pre-shared Key-the key must be entered identically here and on the remote VPN Gateway. Use a long, random value; the short numeric key in Example of Using Auto Policy is for illustration only.

SA Life Time-this determines the time interval before the SA (Security Association) expires. (It will automatically be re-established as required.) A short period (or data amount) limits how much traffic is protected by any one key, which increases security, but each renewal costs a new negotiation and degrades performance. It is common to use periods over an hour (3600 seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs.

IPSec PFS (Perfect Forward Secrecy)-if enabled, a fresh Diffie-Hellman exchange is performed each time the IPSec keys are renewed, so each new key is derived independently rather than from earlier keying material. Even if one key is broken, the keys before and after it are no easier to break. (Each key has no relationship to the previous key.)

This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you may have to specify the "Key Group" used. For this device, the "Key Group" is the same as the "DH Group" setting in the IKE section, and it must also match on both ends.

Example of Using Auto Policy

Figure 7-41

  1. Set the LAN IPs on each DG834G v3 to different subnets and configure each properly for the Internet. The following settings are assumed for this example:

    Table 7-5. VPN Tunnel Configuration Worksheet

    Connection Name:                                    GtoG
    Pre-Shared Key:                                     12345678
    Secure Association -- Main Mode or Manual Keys:     Main
    Perfect Forward Secrecy -- Enabled or Disabled:     Disabled
    Encryption Protocol -- DES or 3DES:                 3DES
    Authentication Protocol -- MD5 or SHA-1:            SHA-1
    Diffie-Hellman (DH) Group -- Group 1 or Group 2:    Group 2
    Key Life in seconds:                                28800 (8 hours)
    IKE Life Time in seconds:                           3600 (1 hour)

    VPN Endpoint    Local IPSec ID    LAN IP Address    Subnet Mask      FQDN or Gateway IP (WAN IP Address)
    DG834G v3 A     LAN_A             192.168.0.1       255.255.255.0    14.15.16.17
    DG834G v3 B     LAN_B             192.168.3.1       255.255.255.0    22.23.24.25
  2. Open the management interface of the DG834G v3 on LAN A and click VPN Policies.

    Figure 7-42

  3. Click Add Auto Policy.
  4. Enter policy settings (see Figure 7-43).
    • General
      • Policy Name = GtoG
      • Remote VPN Endpoint Address Type = Fixed IP Address
      • Remote VPN Endpoint Address Data = 22.23.24.25
    • Local LAN - use default setting
    • Remote LAN
      • IP Address = select Subnet address from the pulldown menu.
      • Start IP address = 192.168.3.1
      • Subnet Mask = 255.255.255.0
    • IKE
      • Direction = Initiator and Responder
      • Exchange Mode = Main Mode
      • Diffie-Hellman (DH) Group = Group 2 (1024 Bit)
      • Local Identity Type = use default setting
      • Remote Identity Type = use default setting
    • Parameters
      • Encryption Algorithm = 3DES
      • Authentication Algorithm = SHA-1 (as in Table 7-5)
      • Pre-shared Key = 12345678

        Figure 7-43

  5. Click Apply. The Get VPN Policies web page is displayed.

    Figure 7-44

  6. Repeat for the DG834G v3 on LAN B, using the mirror-image settings from Table 7-5:
    • General, Remote VPN Endpoint Address Data = 14.15.16.17 (the WAN IP address of DG834G v3 A)
    • Remote LAN
      • Start IP Address = 192.168.0.1
      • Subnet Mask = 255.255.255.0
    • Parameters, Pre-shared Key = 12345678 (must be identical on both ends)
  7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps:

    Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See Activating a VPN Tunnel for information on the other ways.
    1. Open the DG834G v3 management interface and click VPN Status to display the VPN Status/Log screen (Figure 7-45).

      Figure 7-45

    2. Click VPN Status (Figure 7-45) to display the Current VPN Tunnels (SAs) screen (Figure 7-46). Click Connect for the VPN tunnel you want to activate.

      Figure 7-46

    3. Review the VPN Status/Log screen (Figure 7-45) to verify that the tunnel is connected.
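The matching rule stated at the top of this page (outbound settings on one end must match inbound settings on the other) and the two-gateway procedure above are easy to get wrong by hand, typically by mistyping the peer WAN address, the remote subnet, or the pre-shared key on the second gateway. The following is an added example, not NETGEAR code: it encodes both ends of the Table 7-5 worksheet as dictionaries (the field names are this example's own) and checks that gateway B is the mirror image of gateway A, and that neither side uses a choice this chapter permits but a practitioner should avoid. The "Responder only" direction label is an assumption.

```python
"""Mirror-check for a pair of DG834G v3 Auto Policy definitions.

Added example, not NETGEAR code. Field names and both policy dictionaries
are this example's own, constructed from the Table 7-5 worksheet.
"""
import ipaddress
from typing import Any, Dict, List

Policy = Dict[str, Any]

# Constructed from Table 7-5: the policy entered on DG834G v3 A.
POLICY_A: Policy = {
    "policy_name": "GtoG",
    "wan_ip": "14.15.16.17",                         # this gateway's WAN address
    "local_lan": ("192.168.0.1", "255.255.255.0"),   # Local LAN start IP, mask
    "remote_endpoint": "22.23.24.25",                # Remote VPN Endpoint Address Data
    "remote_lan": ("192.168.3.1", "255.255.255.0"),  # Remote LAN start IP, mask
    "direction": "Initiator and Responder",
    "exchange_mode": "Main Mode",
    "dh_group": 2,
    "encryption": "3DES",
    "authentication": "SHA-1",
    "pre_shared_key": "12345678",
    "pfs": False,
    "ike_lifetime": 3600,
    "key_lifetime": 28800,
}

# The same tunnel as seen from DG834G v3 B: local/remote swapped, rest identical.
POLICY_B: Policy = dict(
    POLICY_A,
    wan_ip="22.23.24.25",
    local_lan=("192.168.3.1", "255.255.255.0"),
    remote_endpoint="14.15.16.17",
    remote_lan=("192.168.0.1", "255.255.255.0"),
)

# IKE and Parameters settings that must be identical on both ends.
SHARED_FIELDS = ("exchange_mode", "dh_group", "encryption", "authentication",
                 "pre_shared_key", "pfs", "ike_lifetime", "key_lifetime")


def lan_network(start_ip: str, mask: str) -> ipaddress.IPv4Network:
    """Normalise a Local/Remote LAN (start address + mask) to its subnet,
    e.g. 192.168.3.1 / 255.255.255.0 -> 192.168.3.0/24."""
    return ipaddress.ip_network(f"{start_ip}/{mask}", strict=False)


def check_mirror(a: Policy, b: Policy) -> List[str]:
    """Return the mismatches that would stop the two policies from matching."""
    problems: List[str] = []
    for this, peer in ((a, b), (b, a)):
        if this["remote_endpoint"] != peer["wan_ip"]:
            problems.append(f"remote endpoint {this['remote_endpoint']} does not "
                            f"equal the peer's WAN IP {peer['wan_ip']}")
        if lan_network(*this["remote_lan"]) != lan_network(*peer["local_lan"]):
            problems.append(f"Remote LAN {lan_network(*this['remote_lan'])} does not "
                            f"equal the peer's Local LAN {lan_network(*peer['local_lan'])}")
        if this["exchange_mode"] != "Main Mode":
            problems.append(f"gateway {this['wan_ip']}: exchange mode must be Main Mode")
    # Step 1 of the example: the two sites must be on different subnets.
    if lan_network(*a["local_lan"]).overlaps(lan_network(*b["local_lan"])):
        problems.append("local LANs overlap; the two sites need different subnets")
    for field in SHARED_FIELDS:
        if a[field] != b[field]:
            if field == "pre_shared_key":
                problems.append("pre-shared keys differ")   # never echo the key itself
            else:
                problems.append(f"{field} differs: {a[field]!r} vs {b[field]!r}")
    return problems


def check_strength(p: Policy) -> List[str]:
    """Flag choices the chapter allows but a practitioner should avoid."""
    warnings: List[str] = []
    if p["encryption"] == "DES":
        warnings.append("DES uses a 56-bit key; select 3DES")
    if p["authentication"] == "MD5":
        warnings.append("MD5 selected; prefer SHA-1")
    if p["authentication"] == "Auto" and p["direction"] == "Responder only":  # assumed label
        warnings.append("Auto authentication is not available in responder-only mode")
    if p["dh_group"] == 1:
        warnings.append("DH Group 1 (768-bit) selected; use Group 2 (1024-bit)")
    psk = p["pre_shared_key"]
    if len(psk) < 20 or psk.isdigit():
        warnings.append("pre-shared key is short or digits-only; use a long random key")
    if not p["pfs"]:
        warnings.append("PFS disabled; enable it on both ends (Key Group = DH Group)")
    return warnings


if __name__ == "__main__":
    for label, policy in (("A", POLICY_A), ("B", POLICY_B)):
        for warning in check_strength(policy):
            print(f"gateway {label}: warning: {warning}")
    for message in check_mirror(POLICY_A, POLICY_B) or ["policies mirror each other"]:
        print(message)
```

Run as-is, the worksheet pair passes the mirror check, and each gateway is warned about the eight-digit pre-shared key and disabled PFS; change any one field on POLICY_B (for example the remote subnet) and the check names the field that would leave the tunnel stuck in negotiation.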

NETGEAR, Inc.
http://www.netgear.com
202-10155-01, October 2006