Use The IPSec VPN Wizard For Client And Gateway Configurations

Transcription

ProSecure Unified Threat Management (UTM) Appliance

Table 57. IP addressing for VPNs in dual WAN port systems (continued)

Configuration                  | WAN IP address | Rollover mode (a) | Load balancing mode
VPN Telecommuter               | Fixed          | FQDN required     | FQDN Allowed (optional)
(client to gateway through a   | Dynamic        | FQDN required     | FQDN required
NAT router)                    |                |                   |

a. After a rollover, all tunnels need to be reestablished using the new WAN IP address.

Use the IPSec VPN Wizard for Client and Gateway Configurations

You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies.

The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios:

• Using the wizard to configure a VPN tunnel between two VPN gateways
• Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client

Configuring a VPN tunnel connection requires that you specify all settings on both sides of the VPN tunnel so that they match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it sets up. The VPN Wizard also configures the settings for the network connection: security association (SA), traffic selectors, authentication algorithm, and encryption. The settings that are used by the VPN Wizard are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multivendor VPN interoperability.

Create Gateway-to-Gateway VPN Tunnels with the Wizard

Figure 143.

To set up a gateway-to-gateway VPN tunnel using the VPN Wizard:

1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays (see the following figure, which shows the VPN Wizard screen for the UTM50, and contains an example).

Virtual Private Networking Using IPSec Connections 251

The Connection Name and Remote IP Type section of the VPN Wizard screen shows the following minor differences for the various UTM models:

• Single WAN port models. No WAN selection drop-down list.
• Multiple WAN port models. A drop-down list to select the WAN interface, a check box to enable VPN rollover, and another drop-down list to select a WAN interface for VPN rollover. If the multiple WAN port model is configured to function in WAN auto-rollover mode, you can use the VPN Wizard to configure VPN rollover and do not need to configure this manually.

Figure 144.

To view the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.

Figure 145.

2. Select the radio buttons and complete the fields as explained in the following table:

Table 58. IPSec VPN Wizard settings for a gateway-to-gateway tunnel

Setting / Description

About VPN Wizard
  This VPN tunnel will connect to the following peers
    Select the Gateway radio button. The local WAN port's IP address or Internet name displays in the End Point Information section of the screen.

Connection Name and Remote IP Type
  What is the new Connection Name?
    Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
  What is the pre-shared key?
    Enter a pre-shared key. The key needs to be entered both here and on the remote VPN gateway. This key needs to have a minimum length of 8 characters and should not exceed 49 characters.
  This VPN tunnel will use following local WAN Interface (multiple WAN port models only)
    Select a WAN interface from the drop-down list to specify which local WAN interface the VPN tunnel uses as the local endpoint.
    Select the Enable RollOver? check box to enable VPN rollover, and then select a WAN interface from the drop-down list to the right of the check box to specify the interface to which the VPN rollover should occur.
    Note: If the multiple WAN port model is configured to function in WAN auto-rollover mode, you can use the VPN Wizard to configure VPN rollover and do not need to configure this manually.

Table 58. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued)

End Point Information (a)
  What is the Remote WAN's IP Address or Internet Name?
    Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
  What is the Local WAN's IP Address or Internet Name?
    When you select the Gateway radio button in the About VPN Wizard section of the screen, the IP address of the UTM's active WAN interface is automatically entered.

Secure Connection Remote Accessibility
  What is the remote LAN IP Address?
    Enter the LAN IP address of the remote gateway.
    Note: The remote LAN IP address needs to be in a different subnet than the local LAN IP address. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x but could not be 192.168.1.x. If this information is incorrect, the tunnel fails to connect.
  What is the remote LAN Subnet Mask?
    Enter the LAN subnet mask of the remote gateway.

a. Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of an IP address and an FQDN is not supported.

Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically send ping packets to the host on the peer side of the network to keep the tunnel alive. For more information, see Configure Keep-Alives on page 310.

Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses. After you have validated the connection, you can use the wizard to create new policies using the FQDN for the WAN addresses.

3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled.

Figure 146.
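Before clicking Apply, it is worth checking that the wizard entries satisfy the rules Table 58 states: pre-shared key length of 8 to 49 characters, both WAN endpoints of the same type (IP address or FQDN), and a remote LAN in a different subnet than the local LAN, since any of these mistakes leaves you with a tunnel that silently fails to connect. The following Python pre-flight check is an added example and is not NETGEAR code or part of the UTM; the field names, the hostname pattern and the example.com addresses are assumptions.

```python
import ipaddress
import re

# Constraints taken from Table 58 and its footnote: PSK length 8-49 characters,
# both WAN endpoints of the same kind (IP or FQDN), remote LAN in a different subnet.
PSK_MIN, PSK_MAX = 8, 49
# Hostname check (assumption: letters, digits and hyphens in dot-separated labels).
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def endpoint_kind(value):
    """Classify a WAN endpoint string as 'ip', 'fqdn' or None (invalid)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "fqdn" if FQDN_RE.match(value) else None

def lan_network(ip, mask):
    """Build the subnet from a LAN IP and dotted mask, e.g. 192.168.1.1 + 255.255.255.0."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_wizard_settings(s):
    """Return the list of rule violations; an empty list means the entries are consistent."""
    problems = []
    psk = s.get("pre_shared_key", "")
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        problems.append(f"pre-shared key must be {PSK_MIN}-{PSK_MAX} characters, got {len(psk)}")
    kinds = {k: endpoint_kind(s.get(k, "")) for k in ("local_wan", "remote_wan")}
    for name, kind in kinds.items():
        if kind is None:
            problems.append(f"{name} is neither an IP address nor an FQDN")
    if None not in kinds.values() and kinds["local_wan"] != kinds["remote_wan"]:
        problems.append("WAN endpoints must both be IP addresses or both be FQDNs")
    try:
        local = lan_network(s["local_lan_ip"], s["local_lan_mask"])
        remote = lan_network(s["remote_lan_ip"], s["remote_lan_mask"])
        if local.overlaps(remote):
            problems.append(f"remote LAN {remote} overlaps local LAN {local}")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid LAN definition: {exc}")
    return problems

# Constructed sample entries (not from the manual); the example.com names are placeholders.
GOOD = {"pre_shared_key": "correct-horse-staple", "local_wan": "utm.example.com",
        "remote_wan": "branch.example.com", "local_lan_ip": "192.168.1.1", "local_lan_mask": "255.255.255.0",
        "remote_lan_ip": "192.168.10.1", "remote_lan_mask": "255.255.255.0"}
# Short key, IP on one side with an FQDN on the other, and a remote LAN inside the local subnet.
BAD = dict(GOOD, pre_shared_key="short1", local_wan="203.0.113.10", remote_lan_ip="192.168.1.50")
# check_wizard_settings(GOOD) -> [] ; check_wizard_settings(BAD) -> three problems
```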

4. Configure a VPN policy on the remote gateway that allows connection to the UTM.

5. Activate the IPSec VPN connection:

   a. Select Monitoring > Active Users & VPNs > IPSec VPN Connection Status. The IPSec VPN Connection Status screen displays.

   Figure 147.

   b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.

Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel fails because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.

Create a Client-to-Gateway VPN Tunnel

Figure 148.

To configure a VPN client tunnel, follow the steps in the following sections:

• Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 256.
• Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 259 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 263.
