After installing your device, locate the serial number on the label of your product and use it to register your product at
https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR
recommends registering your product through the NETGEAR website.
For product updates and web support, visit http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR.
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx.
Trademarks
NETGEAR, Inc., NETGEAR and the NETGEAR logo are trademarks of NETGEAR, Inc. Any non-NETGEAR trademarks are used
for reference purposes only.
Compliance
For regulatory compliance information, visit http://www.netgear.com/about/regulatory/.
See the regulatory compliance document before connecting the power supply.
Revision History
| Publication Part Number | Version | Publish Date | Comments |
|---|---|---|---|
| 202-10684-07 | 6.0 | May 2015 | Documented VPN Client 6.0 software with new GUI displays. DH groups, and IPv6. The index was removed. |
| 202-10684-06 | – | May 2013 | Color correction and minor nontechnical edits. |
| 202-10684-05 | – | April 2013 | • Rewrote the manual to be task-based. • Described new features, command references, certificates, and global VPN parameters. |
| 202-10684-04 | v1.0 | April 2012 | Minor new features and improvements such as the Remote Sharing pane. |
| 202-10684-03 | v1.0 | May 30, 2011 | Major revision to document the new format of the user interface and some new features such as the enhanced capability to change languages. |
| 202-10684-02 | v1.1 | December 2010 | Minor editorial changes and addition of an index. |
| 202-10684-02 | v1.0 | December 2010 | Reorganization and revision of the entire manual. |
| 202-10684-01 | v1.0 | June 2010 | First publication. |
Manually Configure a NETGEAR Router as a VPN Gateway
Set Up an IKE Policy in the Router
Set Up a VPN Policy in the Router
Configure a VPN Client to Match the VPN Gateway Settings
1. Introduction
The VPN Client allows you to establish secure connections over the Internet, for example,
between a computer and a remote corporate Intranet. IPSec is the most secure way to connect
because it provides strong user authentication and strong tunnel encryption and it works with
existing network and firewall settings.
Note: To set up a VPN tunnel between a computer and a VPN gateway, first
configure the VPN gateway. For information about how to set up a
NETGEAR router as a VPN gateway, see Appendix A, Configure a
NETGEAR VPN Gateway.
This chapter includes the following sections:
•VPN Client Features
•VPN Client Licenses for Lite and Professional
•Linux Appliance Support
•References and Useful Websites
Note: For more information about the topics covered in this manual, visit the
support website at http://support.netgear.com.
Note: Firmware updates with new features and bug fixes are made
available from time to time on http://downloadcenter.netgear.com.
Some products can regularly check the site and download new
firmware, or you can check for and download new firmware manually.
If the features or behavior of your product do not match what is
described in this guide, you might need to update your firmware.
NETGEAR ProSAFE VPN Client
VPN Client Features
The VPN Client includes the following features.
Table 1. List of features
| Feature | Specifications |
|---|---|
| Supported operating systems | |
| Languages | Arabic, Chinese (simplified), Czech, Danish, Dutch, English, Farsi, Finnish, French, |
| Connection modes | • Supports peer-to-peer connections (point-to-point connections between two |
| Tunneling protocols | • Full Internet Key Exchange (IKE) support: the IKE implementation is based on the |
| SIP/VoIP support | Support for Session Initiation Protocol (SIP) and Voice over IP (VoIP) traffic in a VPN tunnel on Windows Vista, Windows 7, and Windows 8. |
| Encryption | Provides the following encryption algorithms: • 3DES, DES, and AES 128/192/256-bit encryption • Support for Diffie-Hellman Group 1 (768 bits), Group 2 (1024 bits), Group 5 (1536 bits), and Group 14 (2048 bits) |
| User authentication | Supports the following user authentication methods: • Pre-shared keying and X509 certificate support. Compatible with most of the currently available IPSec gateways. • Extended authentication (AUTH). • Flexible certificates: PEM, PKCS#12 certificates can be directly imported from the user interface. Ability to configure one certificate per tunnel. • Hybrid authentication method. Certificate storage capabilities: • USB token and smart card support • Personal Certificate Store support • VPN configuration file Remote login: • Gina mode is supported on Windows Vista, Windows 2012, Windows 7, Windows 8, Windows Server 2003, and Windows Server 2008 to enable Windows logon using a VPN tunnel or to enable logging in on a local machine. • Credential providers are supported on Windows Vista and Windows 7 to enable Windows logon using a VPN tunnel or to enable logging in on a local machine. |
| Dead Peer Detection | Dead Peer Detection (DPD) is an IKE extension (RFC3706) for detecting a dead IKE peer. |
| Redundant gateway | The redundant gateway feature provides a highly reliable secure connection to a corporate network. The redundant gateway feature allows the VPN Client to open an IPSec tunnel with an alternate gateway if the primary gateway is down or not responding. |
| Mode Config | Mode Config is an IKE extension that enables the VPN gateway to provide LAN configuration to the remote user’s machine (that is, the VPN Client). With Mode Config, you can access all servers on the remote network by using their network name (for example, \\myserver\marketing\budget) instead of their IP address. |
| USB drive | You can save VPN configurations and security elements (certificates, pre-shared key, and so on) to a USB drive to remove security information (for example, user authentication) from the computer. You can automatically open and close tunnels when plugging in or removing the USB drive. You can attach a VPN configuration to a specific computer or to a specific USB drive. |
| Smart card and USB token | The VPN Client can read certificates from smart cards to make full use of existing corporate ID or employee cards that carry digital credentials. You can easily import smart card ATR codes to enable new smart card and USB token models that are not yet in the software. |
| Log console | All phase messages are logged for testing or staging purposes. |
| Flexible user interface | • Silent install and invisible graphical interface allow network administrators to deploy solutions while preventing user misuse of configurations. • Small Connection Panel and VPN Configuration Panel can be available to end users separately with access control. • Drag and drop VPN configurations into the VPN Client. • Keyboard shortcuts to easily navigate the VPN Client. |
| Scripts | Scripts or applications can be launched automatically on events (for example, before and after a tunnel opens, or before and after a tunnel is closed). |
| Configuration management | • User interface and command-line interface (CLI). • Password-protected VPN configuration file. • Specific VPN configuration file can be provided within the setup. • Embedded demo VPN configuration to test and debug with online servers. • Ability to prevent software upgrade or uninstallation if protected by password. |
| Live update | Ability to check for online updates. |
VPN Client Licenses for Lite and Professional
You can download a free 30-day trial version of VPN Client Lite software, or you can
purchase VPN Client Lite or VPN Client Professional, which includes more features.
Note: After the evaluation period expires, the VPN Client is disabled. By
purchasing and activating a permanent license, you can transfer the
trial version to a permanent version.
The following table lists the features that are included in the VPN Client Lite and VPN Client
Professional versions.
Table 2. VPN Client Lite and VPN Client Professional comparison
| VPN Client Feature | Lite | Professional |
|---|---|---|
| Connection Panel | Yes | Yes |
| Console logs | Yes | Yes |
| System tray pop-up | Yes | Yes |
| X-Auth | Yes | Yes |
| Mode Config | Yes | Yes |
| DNS/WINS server manual configuration | Yes | Yes |
| Hybrid mode | No | Yes |
| IKE/NAT-T ports can be modified | No | Yes |
| Disable split tunneling | Yes | Yes |
| Dead Peer Detection | Yes | Yes |
| GUI protection (password) | No | Yes |
| Auto Open (Windows on startup on traffic detection) | No | Yes |
| Start VPN tunnel before Windows logon | No | Yes |
| Multitunnel configurations | No | Yes |
| Redundant gateways | Yes | Yes |
| Easy deployment by command-line interface (CLI) | No | Yes |
| Scripts | No | Yes |
| USB mode | No | Yes |
Linux Appliance Support
The VPN Client supports several versions of Linux IPSec VPN such as StrongS/WAN and
FreeS/WAN. The VPN Client is compatible with most of the IPSec routers and appliances
that are based on those Linux implementations.
References and Useful Websites
These references and websites are for the ProSAFE VPN Client Lite and ProSAFE VPN
Client Professional, both of which are developed by TheGreenBow:
•Access to VPNG01L product information and a 30-day trial software version:
The documents that you can access from this link are based on TheGreenBow VPN
Client. The NETGEAR ProSAFE VPN Client Lite and ProSAFE VPN Client Professional
are developed by TheGreenBow, so configuration is likely identical or similar.
Note: For documentation about the legacy ProSAFE VPN Client that was
developed by SafeNet, see the following NETGEAR sites:
2. Install the Software
This chapter describes installation of the VPN Client and related processes. The chapter
includes the following sections:
•Install the VPN Client Software
•Launch the VPN Client
•Use the VPN Client Lite Evaluation Version
•License Number Concepts
•Activate the VPN Client License
•Uninstall the VPN Client Software
Install the VPN Client Software
You can download a free 30-day trial version of VPN Client Lite software, or you can
purchase and download VPN Client Lite or VPN Client Professional software, which includes
more features. (See VPN Client Features on page 7.)
Note: If you use the 30-day trial version, when the evaluation period expires,
the VPN Client is disabled. By purchasing and activating a permanent
license, you can transfer the trial version to a permanent version.
To install the VPN client software:
1. To download the VPN client software, visit http://support.netgear.com/product/vpng05l.
2. Unzip the file that you downloaded.
3. Double-click the file.
The Welcome page displays.
4. Follow the onscreen prompts to complete installation.
5. If you are prompted to restart your computer, then do so.
Whether you must restart depends on your operating system. Windows 8, Windows 7, or
Windows Vista computers do not need to be restarted.
The VPN Client Activation Wizard page displays.
How you activate the VPN Client depends on whether you activate a trial license or a permanent
license:
•For information about the free trial software version, see Use the VPN Client Lite
Evaluation Version on page 14.
•For information about software with a permanent license, see Activate the VPN Client
License on page 16.
Launch the VPN Client
After you install the VPN Client software, there are three methods to launch the VPN Client:
•On your desktop, double-click the VPN Client shortcut
•In the taskbar
•From the Windows Start menu, select the path to the VPN Client, for example, Start >
Note: If your operating system is Windows 8, Windows 7 or Windows Vista,
you can select a check box to automatically run the VPN Client after
software installation.
The VPN Client creates new rules in the Windows firewall (Vista and later operating systems)
so that VPN traffic is enabled: UDP ports 500 and 4500 are authorized both for authentication
(phase 1) traffic and for IPSec (phase 2) traffic.
If you use an earlier Windows operating system or another firewall, you might need to create
firewall rules to enable the VPN Client. For information, see VPN Console Log Errors on
page 113.
Use the VPN Client Lite Evaluation Version
To use the VPN Client during the evaluation period:
1. On your desktop, double-click the VPN Client shortcut.
2. Select the I want to Evaluate the software radio button.
You do not need to enter a license number and email address to activate the trial
software.
3. Click the Next button.
The VPN Configuration page displays.
During the evaluation period, the Software Activation page displays each time that you start
the VPN Client. The remaining days of the evaluation period are displayed. You can also see
the remaining days of the evaluation period on the About page (see View the Remaining
Days in the Evaluation Period on page 15).
When the evaluation period expires, the following occurs:
•The I want to Activate the software radio button is automatically selected.
•The I want to Evaluate the software radio button is disabled.
•The message Evaluation period expired displays.
•The software is disabled.
For you to use the VPN Client, you must purchase and activate a permanent license. You can
purchase and activate a permanent license while you are still in the evaluation period or after
the evaluation period expires.
View the Remaining Days in the Evaluation Period
To view the remaining days in the evaluation period from VPN Client’s user interface:
1. On your desktop, double-click the VPN Client shortcut.
The VPN Configuration page displays.
2. Select ? > About.
The About page displays the number of days that remain in the evaluation period.
Buy a License When the Evaluation Period Expires
When the evaluation period expires, the VPN Client is disabled. By purchasing and activating
a permanent license, you can transfer the trial version to a permanent version.
To buy a permanent license:
1. On your desktop, double-click the VPN Client shortcut.
The Software Activation page displays. If the trial period expired, the page displays
Evaluation period expired.
2. Click the Buy a license link.
The NETGEAR website displays.
3. Follow the instructions onscreen to purchase a permanent license.
4. After you purchase a license, activate the permanent license.
For more information about how to activate a permanent license, see Activate the VPN
Client License on page 16.
License Number Concepts
A license number is attached to a single computer after activation. However, you can
deactivate the license number (see Uninstall the VPN Client Software on page 18) and
transfer it to another computer.
You can also change the license number at any time, but you first must uninstall the VPN
Client before you can reinstall the VPN Client with another license number.
After activation, save the license key number. You might need it again to reactivate your
software if a problem occurs. Also, keep the CD label for technical support.
Activate the VPN Client License
When you purchase a license, you must activate it before you can use the VPN Client. You
must activate the VPN Client license on your computer. You need the license number or key
and an email address.
To activate your VPN Client license:
1. Make sure that your computer is connected to the Internet.
2. On your desktop, double-click the VPN Client shortcut.
The VPN Configuration page displays.
3. Select ? > Activation Wizard.
4. Select the I want to Activate the software radio button.
5. When prompted, enter your license number.
6. If a field displays to enter an email address, complete the field.
Your email address is used to send you the activation confirmation.
Note: If the network administrator set up VPN Client to suppress the email
address field, this field does not display. Some network administrators
use this method to direct all software activation confirmation email to a
single email address.
7. Click the Next button.
The Software Activation Wizard connects to the activation server to activate the VPN
Client software. The progress bar shows the activation progress. The page displays a
message when activation is complete.
8. If an error occurs, click the More information about this error link.
For troubleshooting information, see Troubleshoot Software Activation on page 17.
9. Click the Run button.
The VPN Client relaunches with the new license. The VPN Configuration page displays.
Troubleshoot Software Activation
Errors can occur during the activation process. Each activation error type is displayed on the
Software Activation page.
You can resolve most errors by carefully checking the following:
•Verify that you entered the correct license number. (Error 031 indicates that the license
number was not found.)
•Your license number could already be activated (Error 033). Contact NETGEAR support.
•Your license number cannot be used for activation (Error 034). Contact NETGEAR
support.
•A firewall might block communication with the activation server (Error 053 or Error 054).
Find out if a personal or corporate firewall is blocking communications.
•The activation server might be temporarily unreachable. Wait a few minutes and try
again.
To view a list of all activation errors, visit http://support.netgear.com.
Software Upgrade Concepts
Your VPN configuration is saved during a software upgrade and automatically reenabled
within the new release. If you specified a password for access control (see Access Control
Overview on page 69), you must enter it to be able to upgrade the software.
After each software upgrade, you must reactivate the VPN Client. Depending on your
maintenance contract, a software upgrade activation might be rejected. The success of
software upgrade activation depends on your maintenance contract:
•During the maintenance period, which starts from your first activation, all software
upgrades are allowed.
•If the maintenance period expired or if your license does not include a maintenance
contract, only maintenance software upgrades are allowed. Maintenance software
upgrades are identified by the last digit of a version.
Example: Your maintenance period expired and your current software release is 4.12.
You can upgrade to releases 4.13 through 4.19 but not to release 4.20, 5.00, or 6.00.
To subscribe or extend your maintenance period, contact NETGEAR by email at
sales@netgear.com.
To check the status of a VPN Client software release:
1. On your desktop, double-click the VPN Client shortcut.
The VPN Configuration page displays.
2. Select ? > Check for Update.
The NETGEAR website displays.
3. Check to see if the VPN Client is running the latest software release.
4. Download the updates that are supported by your license.
Uninstall the VPN Client Software
To transfer a license to a new computer, you must uninstall the software from the old
computer. Deactivation of the license on the old computer occurs automatically if the
computer is connected to the Internet. The license can then be used to activate the VPN
Client on a new computer.
If your computer is not connected to the Internet and you must deactivate your license,
contact NETGEAR support by email at support@netgear.com, or call technical support to
deactivate your license.
Several methods are available for uninstalling the VPN Client software. Depending on your
Windows operating system, these methods might differ slightly from the following
procedures.
Tip: Save the license key number. You might need it to reactivate your
software. Also, keep the CD label for technical support.
To uninstall the VPN Client through the Windows Control Panel:
1. Make sure that your computer is connected to the Internet.
2. Select Start > Control Panel.
3. Double-click Programs and Features.
In some Windows versions, you must double-click Add or Remove Programs.
4. Right-click NETGEAR VPN Client Professional and select Uninstall.
In some Windows versions, you must select Remove.
The software is uninstalled from your computer.
To uninstall the VPN Client through the Windows All Programs menu:
1. Make sure that your computer is connected to the Internet.
2. Select Start > All Programs.
3. Select the path to the VPN Client, for example, Start > All Programs > NETGEAR >
NETGEAR VPN Client Professional.
4. Select the uninstall option.
The software is uninstalled from your computer.
3. Overview of the User Interface
This chapter describes the user interface for the VPN Client. The chapter includes the following
sections:
•User Interface Components
•VPN Configuration Panel
•System Tray Icon and System Tray Menu
•Connection Panel
•Keyboard Shortcuts
User Interface Components
The VPN Client configuration is defined in a VPN configuration file. You can create, modify,
save, export, or import the VPN configuration together with security elements such as a
pre-shared key or certificates. You can also configure the VPN client to start and stop tunnels
automatically, depending on traffic to certain destinations.
The user interface consists of the following components:
•VPN Configuration Panel that you use to specify VPN settings
•VPN Connection Panel that lets you open and close tunnels that you configured
•System tray icon and pop-up windows to view and manage the VPN tunnel status
For information about how to control the user interface display for end users, see Hide User
Interface Features on page 71 and Configure Which Items of the System Tray Menu Are
Visible on page 89.
VPN Configuration Panel
When you launch the VPN Client, the VPN Configuration page displays.
Figure 1. VPN Configuration page (callouts: Menu, VPN Tunnel Tree pane, Configuration pane, Status bar)
You can use this page to configure VPN tunnels to connect the client computer to remote
destinations that are configured to accept VPN client connections.
Note: For information about restricting access to the VPN Configuration
page, see Access Control Overview on page 69.
For information about hiding the VPN Configuration link from the
system tray menu, see Hide User Interface Features on page 71.
The menu at the top of the window includes the following selections:
•Configuration. Lets you import and export a VPN configuration, select the location of the
VPN configuration (locally stored on the computer or on a USB drive), access the
Configuration Wizard, and quit the VPN Client.
•Tools. Lets you access the Connection Panel, access the Console page, reset the IKE
settings, and access the Option page to configure miscellaneous preferences such as the
way the VPN Client starts and the language of the VPN Client.
•?. Lets you access online help, check for software updates, connect to the NETGEAR
website to purchase a license online, access the Activation Wizard, and access the About
page.
Note: Some selections on the Configuration menu are also available by
right-clicking a component of the VPN Tunnel Tree pane.
System Tray Icon and System Tray Menu
After you launch the VPN Client, the VPN Client displays an icon in the system tray that
indicates whether a tunnel is open, using a color code.
Green icon: at least one VPN tunnel opened.
Purple icon: no VPN tunnel opened.
Figure 2. VPN Client icon colors in the system tray
To open the system tray menu:
Right-click the VPN Client icon in the system tray.
Some menu items do not display until you configure a working VPN tunnel. The following
options are available in the system tray menu:
•Close <gateway name-tunnel name>. Close the VPN tunnel that is currently open.
•Open <gateway name-tunnel name>. Open an established VPN tunnel that is currently
closed.
•Console. Open the VPN Console Active page.
•Connection Panel. Open the Connection Panel, which lets you open and close VPN
tunnels and displays information about VPN tunnels.
•Configuration Panel. Open the Configuration Panel, which lets you create and configure
VPN tunnels.
•Quit. Close all established VPN tunnels, then close the VPN Client.
System Tray Pop-Up Window
When a VPN tunnel opens or closes, a small window pops up from the system tray icon.
Figure 3. Tunnel opened pop-up window
If the VPN tunnel cannot open, the window might display an error or warning with a link to
more information.
Connection Panel
The Connection Panel lets you open and close each tunnel that is configured. If a network
administrator configured the VPN tunnels, the end user needs access only to the Connection
Panel to open and close tunnels.
Note: For information about hiding the Connection Panel link from the
system tray menu, see Hide User Interface Features on page 71.
To open the Connection Panel:
1. On your desktop, double-click the VPN Client shortcut.
The VPN Configuration page displays.
2. Select Tools > Connection Panel.
(Screenshots: open tunnel and closed tunnel.)
These examples show the Connection Panel after the VPN tunnel was already
established.
The Connection Panel lets you open, close, and receive information about every tunnel that
was configured. If a network administrator configured the VPN tunnels, the end user needs
access to the Connection Panel only to open and close tunnels.
The Connection Panel consists of the following components:
•For each tunnel, the following components:
-An icon that shows the status of the tunnel:
The tunnel is closed.
The tunnel is being opened.
The tunnel is open.
An incident occurred during the opening or closure of the tunnel.
-A rectangular traffic gauge that shows the traffic volume passing through the
tunnel.
-The connection name (tunnel name) in the format authentication phase name–IPSec
configuration name.
•Three icons in the upper right corner:
-?. Opens the About page.
-+. Opens the Configuration Panel.
-x. Closes the Connection Panel.
Note: You can switch back and forth between the Connection Panel and the
Configuration Panel by pressing Ctrl + Enter.
Keyboard Shortcuts
The user interface supports the following keyboard shortcuts.
Table 3. Keyboard shortcuts
| Shortcut | Action |
|---|---|
| General shortcuts | |
| Ctrl + Enter | Lets you switch back and forth between the Configuration Panel and the Connection Panel. If the Configuration Panel is protected with a password, you are asked for this password when you switch to the Configuration Panel. |
| Ctrl + D | Opens the VPN Console for network debugging. |
| Ctrl + Alt + T | Activates the trace mode for the generation of logs. |
| Ctrl + Alt + R | Resets the IKE settings. |
| Shortcuts for the VPN Tunnel Tree pane (see Figure 1 on page 21) | |
| F2 | Lets you edit the name of a selected phase. |
| Del | Lets you delete the selected phase or the entire VPN configuration. To delete the entire VPN configuration, first select the VPN configuration. |
| Ctrl + O | Opens the VPN tunnel of the selected phase 2. |
| Ctrl + W | Closes the VPN tunnel of the selected phase 2. |
| Ctrl + C | Copies the selected phase. |
| Ctrl + V | Pastes the selected phase. |
| Ctrl + N | Creates a new phase: • To create a phase 1, first select the VPN configuration. • To create a phase 2, first select the phase 1. |
| Ctrl + S | Saves and applies a VPN configuration. |
4. Configure VPN Tunnels
This chapter describes how to create VPN tunnels. The chapter includes the following sections:
•VPN Tunnel Overview
•Configure IKE Authentication Settings
•Configure Advanced Authentication Settings
•Configure IPSec Settings
•Configure the Parameter Settings
•Open and Close VPN Tunnels
VPN Tunnel Overview
You can configure a computer as a VPN client. The computer can use the VPN tunnel to
connect to a remote corporate LAN through a VPN gateway and for peer-to-peer
connections. The remote gateway or peer must be configured to accept VPN clients.
The VPN tunnel in the following figure is set up with these characteristics:
•The VPN client computer uses a dynamically provided public IP address.
•The VPN client computer connects to the remote corporate LAN behind a VPN gateway
with a DNS address name gateway.mydomain.com.
•The corporate LAN address is 192.168.1.xxx, that is, the VPN client computer can
access a server with the IP address 192.168.1.100.
Figure 4. VPN connection between a computer and a remote corporate LAN (labels in the figure: 203.0.113.101, gateway.mydomain.com, 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.100)
To configure the tunnel:
1. Set up the gateway for VPN connections.
For information about how to set up a NETGEAR router as a VPN gateway, see Appendix
A, Configure a NETGEAR VPN Gateway.
2. Specify the authentication (phase 1) settings.
See Configure IKE Authentication Settings on page 28.
3. Specify the advanced authentication settings.
See Configure Advanced Authentication Settings on page 30.
4. Specify the IPSec (phase 2) settings.
See Configure IPSec Settings on page 37.
5. Specify the parameters.
See Configure the Parameter Settings on page 40.
Note: You can use the VPN Wizard to enter some authentication settings
(select Configuration > Wizard), but after you complete the wizard,
you must also specify the advanced authentication, IPSec, and
parameter settings.
Configure IKE Authentication Settings
You can specify the settings for the authentication phase, which is also referred to as phase 1
or as the Internet Key Exchange (IKE) negotiation phase. The purpose of phase 1 is to
negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the
peers. As part of phase 1, each end system must identify and authenticate itself to the other.
You can specify settings for several authentication phases, enabling one computer to
establish IPSec VPN connections with several gateways or other computers (peer-to-peer
connections).
A pre-shared key is the authentication method that is the easiest to implement but is also the
weakest in terms of security. The VPN Client supports the following authentication methods,
which are listed in the order of increased security (from weakest to strongest security):
•Pre-shared key
•Static extended authentication
•Dynamic extended authentication
•Certificate stored in the VPN security policy
•Certificate in the Windows Certificate Store
•Certificate on a smart card or token
To configure authentication IKE settings:
1. On your desktop, double-click the VPN Client shortcut.
2. In the VPN Tunnel Tree pane, right-click the name of the IKE configuration.
3. Select New Phase 1 or select the configuration.
The Ikev1Gateway: Authentication page displays in the Configuration pane on the right.
The default name for authentication phase 1 is Ikev1Gateway. This authentication phase
is used only for the VPN Client, not during IKE negotiation. This name must be unique.
4. To change the authentication phase 1 name, do the following:
a. In the VPN Tunnel Tree pane, right-click the name.
b. Select Rename.
c. Type the new name.
d. Click anywhere in the VPN Tunnel Tree pane.
The authentication name changes on the VPN Tunnel Tree pane and also in the
Configuration pane on the right.
5. Specify the Addresses settings in the Authentication page:
a. In the Interface menu, leave Any selected if the IP address changes (when it is
received dynamically from an ISP or router).
You can enter the IP address of the network interface of the computer through which
the VPN connection is established. If you select an IP address that does not exist on
the computer, Any is used automatically.
b. In the Remote Gateway field, type the remote IP address or the DNS name of the
VPN gateway.
For example, type myrouter.dyn.com or 10.200.13.18.
6. To specify a preshared key, do the following:
a. Select the Preshared Key radio button.
b. Enter the preshared key that you already specified in the VPN gateway in the
Preshared Key field and in the Confirm field.
7. To specify an X509 certificate, do the following:
a. Click the Certificate tab.
The Certificate page displays the certificate source. You can use a PEM file,
PKCS#12 file, smart card, or token, or a certificate from the Personal Certificate
Store. Specify only one certificate per tunnel.
b. Select the certificate.
For information about certificates, see Manage Certificates on page 57.
c. Click the Authentication tab.
8. In the Encryption menu, select the encryption algorithm that is used during the
authentication phase.
For a typical NETGEAR VPN gateway, select 3DES.
9. In the Authentication menu, select the authentication algorithm that is used during the
authentication phase.
For a typical NETGEAR VPN gateway, select SHA1.
10. In the Key Group field, select the Diffie-Hellman key length that is used during the
authentication phase.
For a typical NETGEAR VPN gateway, select DH2 (1024). On NETGEAR routers, this
key group is referred to as Diffie-Hellman Group 2 (1024 bit).
11. Select Configuration > Save or press Ctrl + S.
Your settings are saved.
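The phase 1 choices made in the steps above (encryption, authentication algorithm, key group, and authentication method) can be checked against a local policy and compared with the gateway before a configuration is rolled out. The following Python is an added example, not part of the NETGEAR manual or the VPN Client; the Phase1 class, the method labels, the SHA256 value, and the policy thresholds are assumptions made for illustration, and each end is assumed to be configured with a single proposal.

```python
"""Audit IKE phase 1 settings against a local policy (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Values taken from the manual: Diffie-Hellman groups with their modulus
# sizes, the encryption algorithms, and the authentication methods in the
# manual's order (weakest first). The method labels are made up here.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
ENCRYPTION = ("DES", "3DES", "AES128", "AES192", "AES256")
AUTH_METHODS = (
    "preshared-key",
    "static-xauth",
    "dynamic-xauth",
    "certificate-in-policy",
    "certificate-windows-store",
    "certificate-smartcard-token",
)

# Policy thresholds: assumptions for this example, not NETGEAR guidance.
MIN_DH_BITS = 2048
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
MIN_AUTH_METHOD = "certificate-in-policy"


@dataclass(frozen=True)
class Phase1:
    encryption: str
    hash_alg: str
    dh_group: int
    auth_method: str


def audit(p: Phase1) -> list[str]:
    """Return one finding per setting that is unknown or below policy."""
    findings = []
    if p.encryption not in ENCRYPTION:
        findings.append(f"encryption: {p.encryption} is not a known value")
    elif p.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption: {p.encryption} is below policy, use AES")
    if p.hash_alg in WEAK_HASH:
        findings.append(f"hash_alg: {p.hash_alg} is below policy")
    bits = DH_GROUP_BITS.get(p.dh_group)
    if bits is None:
        findings.append(f"dh_group: group {p.dh_group} is not a known value")
    elif bits < MIN_DH_BITS:
        findings.append(f"dh_group: {bits}-bit modulus, policy needs {MIN_DH_BITS}")
    if p.auth_method not in AUTH_METHODS:
        findings.append(f"auth_method: {p.auth_method} is not a known value")
    elif AUTH_METHODS.index(p.auth_method) < AUTH_METHODS.index(MIN_AUTH_METHOD):
        findings.append(f"auth_method: {p.auth_method} ranks below {MIN_AUTH_METHOD}")
    return findings


def mismatches(client: Phase1, gateway: Phase1) -> list[str]:
    """Fields that differ between the two ends and would stop phase 1.

    auth_method is left out: the labels used here distinguish where the
    client keeps its certificate, which the gateway does not see.
    """
    fields = ("encryption", "hash_alg", "dh_group")
    return [f for f in fields if getattr(client, f) != getattr(gateway, f)]


# Constructed sample data. TYPICAL uses the values the manual gives for a
# typical NETGEAR gateway, with a pre-shared key. STRICT is a stricter
# profile; SHA256 is assumed to be offered by both ends.
TYPICAL = Phase1("3DES", "SHA1", 2, "preshared-key")
STRICT = Phase1("AES256", "SHA256", 14, "certificate-smartcard-token")

if __name__ == "__main__":
    for name, profile in (("typical", TYPICAL), ("strict", STRICT)):
        print(name)
        for finding in audit(profile) or ["no findings"]:
            print("  " + finding)
    print("client/gateway differences:", mismatches(STRICT, TYPICAL))
```

Raising the client's settings alone produces the differences that `mismatches` reports, so the gateway's IKE policy has to be changed to the same values.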
Configure Advanced Authentication Settings
For IKE authentication settings, the advanced configuration settings apply to all its associated
IPSec policy settings.