NETGEAR ProSafe VPN Client Reference Manual
Reference Manual for the NETGEAR ProSafe VPN Client
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10015-01
November 2003
202-10015-01
© 2003 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc.
Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR
layout(s) described herein.
™
does not assume any liability that may occur due to the use or application of the product(s) or circuit
Technical Support
Refer to the Support Information Card that shipped with your NETGEAR ProSafe VPN Client.
World Wide Web
NETGEAR maintains a World Wi de Web home page that you can access at the universal resource locator (URL)
http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer
or Netscape are required.
ii
202-10015-01
Contents
Chapter 1
About This Manual
Audience, Versions, Conventions ...................................................................................1-1
How to Use this Manual ..................................................................................................1-2
How to Print this Manual .................................................................................................1-3
Chapter 2
Introduction
What's Included? ............................................................................................................2-1
What’s in the Box? ..........................................................................................................2-2
Chapter 3
Installation
What You Need Before You Begin ..................................................................................3-1
System Requirements .. ... ... ... .......................................... .... ... ... ... .... ... ... ... ... .... ........3-1
Installing .........................................................................................................................3-2
Upgrading ........................................................................... ............................................3-3
Getting Started ................................................................................................................3-3
VPN Client Connection Indicators ..................................................................................3-3
Uninstalling the NETGEAR ProSafe VPN Client ............................................................3-4
Keyboard Shortcuts ........................................................................................................3-5
Chapter 4
Configuring L2TP Connections
Basic Steps .....................................................................................................................4-1
How to Configure an L2TP Dial-Up Network Connection ................ ............................... 4-1
For Windows 95/98/Me ............................................................................................4-1
For Windows NT 4.0 ................................................................................................4-2
For Windows 2000 ...................................................................................................4-3
For Windows XP ......................................................................................................4-4
How to Configure a Security Policy ................................................................................4-5
When Using a Modem to Establish the L2TP Connection ......................................... ..... 4-5
Contents iii
202-10015-01M-10207-01, Reference Manual v2
Chapter 5
Using the Security Policy Editor
What is the Security Policy Editor? .................................................................................5-1
Basic Steps to Configure a Security Policy .....................................................................5-1
How to Secure All Connections ... .... ... ... ... .... ... ... ... ... .... ... ... .......................................... ..5-2
How to Configure Global Policy Settings ........................................................................5-3
How to Configure Other Connections .............................................................................5-4
How to Add and Configure a Connection .......................................................................5-5
How to Enter a Preshared Key .......................................................................................5-8
How to Configure a Gateway ..........................................................................................5-9
Configure My Identity ....................................................................................................5-10
Configure Security Policy Connection Options .......................... ................................... 5-12
Configure Authentication (Phase 1) ..............................................................................5-13
Configure Key Exchange (Phase 2) .............................................................................5-14
Edit a Distinguished Name ...........................................................................................5-16
Configure and Manage Connections ............................................................................5-17
Add and Configure a Connection ...........................................................................5-17
Copy a Connection .................................................................................................5-20
Move a Connection ................................................................................................5-20
Rename a Connection .......... .... .......................................... ... ................................5-20
Delete a Connection ............................... ... ... ... ... .... ... ... ..........................................5-21
Manage Proposals ........................................................................................................5-21
Add a Proposal .......................................................................................................5-21
Copy a Proposal .....................................................................................................5-22
Move a Proposal ....................................................................................................5-22
Delete a Proposal ................................... ... ... ... ... .... ... .......................................... ...5-23
Manage Redundant Gateways .....................................................................................5-23
Add a Redundant Gateway ....................................................................................5-24
Copy a Redundant Gateway ..................................................................................5-25
Move a Redundant Gateway ..................................................................................5-25
Rename a Redundant Gateway ...... ... .... ... ... ..........................................................5-25
Delete a Redundant Gateway ................ ... .............................................................5-26
Disable Redundant Gateways ................................... ... ... .... ... ... ... .... ... ... ... ... .... ... ...5-26
Manage the Security Policy ..........................................................................................5-26
Edit a Security Policy .............................................................................................5-27
iv Contents
202-10015-01M-10207-01, Reference Manual v2
Import a Security Policy .........................................................................................5-28
Reload the Security Policy .............................................. .... ... ... ... .... ......................5-28
Deactivate the Security Policy ............................ ....... ...... ....... ... ....... ...... ...... ....... ...5-29
Reactivate the Security Policy ............................ ....... ...... ....... ... ....... ...... ...... ....... ...5-29
Configure the Client to Retrieve a New Policy from a Policy Server or Web Address 5-3 0
Register with a Policy Management Application ....................................................5-31
Retrieve a New Policy Manually .............................................................................5-32
Chapter 6
Using the Certificate Manager
What is the Certificate Manager? ...................................................................................6-1
Getting Started with the Certificate Manager ......................................... ..................6-2
What are Certificates? ..............................................................................................6-2
CA Enrollment Methods and Procedures .................................................................6-3
Obtain Certificates .................................................... .... ... ... ... .........................................6-4
With Online (SCEP) Enrollment ...............................................................................6-4
CAs that Support SCEP ..................................... ... ... .... ... ... ... .... ... ... ..................6-4
Retrieve a CA Certificate Online ........................................................................6-5
Configure a CA Certificate .................................................................................6-6
Use an HTTP Proxy Server for Online Certificate Requests and CRL Updates 6-6
Import a CA Certificate ......................................................................................6-7
Select a CSP .....................................................................................................6-8
Request a Personal Certificate ..........................................................................6-8
Define How Often to Check for and Retrieve New Personal Certificates ........6-10
Retrieve a Personal Certificate Manually ........................................................6-10
Manage Certificate Requests ..........................................................................6-11
With Manual (File-Based) Enrollment .................................................................... 6-11
Import a CA Certificate ....................................................................................6-12
Request a Personal Certificate ........................................................................6-13
Create a Personal Certificate File to Import ....................................................6-14
Import a Personal Certificate ...........................................................................6-15
Select a CSP ...................................................................................................6-17
View and Delete Certificate Requests .............................................................6-17
Obtain Certificates Through Internet Explorer ........................ ............. ............. ......6-18
Manage Certificates ......................................................................................................6-18
Verify a Certificate ........................................ ... .......................................... ... ..........6-19
Contents v
202-10015-01M-10207-01, Reference Manual v2
Export a CA Certificate ...........................................................................................6-19
Delete a Certificate .......................... ... .... ... ....................................... ... ... ... ... .... ... ...6-20
RA Certificates ....................................... ... ....................................... ... ... ... ... .... ... ...6-21
Personal Certificates ..............................................................................................6-22
Export a Personal Certificate .................................................................................6-24
Delete a Certificate .......................... ... .... ... ....................................... ... ... ... ... .... ... ...6-25
Manage Certificate Revocation Lists (CRLs) ................................................................6-26
Import a CRL ..........................................................................................................6-27
Update all CRLs Manually ......................................................................................6-27
View a CRL ............................................................................................................6-28
Delete a CRL ..........................................................................................................6-28
Manage the Trust Policy ...............................................................................................6-28
Set the Trust Policy ................................................................................................6-29
Set the Trust Policy and View Trusted Root CA Certificates ..................................6-29
Chapter 7
Using Sessions
Authenticate Yourself ......................................................................................................7-1
Automatically Start and End Secure Sessions ...............................................................7-1
Start and End a Secure Session Manually .....................................................................7-2
Chapter 8
Distributing Customized Profiles
Create a Customized Installation Containing a Security Policy ......................................8-1
Create a Customized Installation Containing a Security Policy and a CA Certificate .....8-2
Create a Customized Installation Containing a Security Policy, CA Certificate, and Personal
Certificate .......................................................................................................................8-2
Chapter 9
Troubleshooting
System Tray Icons ..........................................................................................................9-1
Remove the Client Icon from the System Tray .. .......................................... .... ........9-2
Restore the Client Icon to the System Tray .............................................................9-2
Log Viewer ......................................................................................................................9-2
Freeze the Log Viewer ....... ... .... ... ... ... .......................................... .... ... ... ... ... ............9-3
Unfreeze the Log Viewer ..........................................................................................9-3
Clear Log Viewer Messages ....................................................................................9-3
Save the Log Viewer Messages ................................................ ................ ...............9-4
Print the messages in the Log Viewer ......................................................................9-4
vi Contents
202-10015-01M-10207-01, Reference Manual v2
Configure Global Policy Settings ....................................................................................9-4
Network Address Translation (NAT) ...............................................................................9-6
Connection Monitor ..... ... .... .......................................... ... ... ... .... .....................................9-7
Manual keys ...................................................................................................................9-9
Enable Manual Keys ................................................. ... ... .... ... ... ... .... ... ... ... ... ..........9-10
Enter Inbound and Outbound Manual Keys .................... .... ... ... ... .... ... ... ... ... .... ... ...9-11
Start a Secure Connection with Manual Keys ..................................... ... ... ... .... ... ...9-13
Disable Manual Keys ................... ... ... .... ... ... .......................................... ... ... .... ... ...9-13
Appendix A
Networks, Routing, and Firewall Basics
Related Publications ...................................................................................................... A-1
Basic Router Concepts .................................................................................................. A-1
What is a Router? ................................................................................................... A-1
Routing Information Protocol ................................................................................... A-2
IP Addresses and the Internet ......................................... .... ... ... ... .... ... ... ... ... .... ... ... . A-2
Netmask .................................... ................................................................ ..............A-4
Subnet Addressing .................................................................................................. A-4
Private IP Addresses ................................. ... ... ... .......................................... .... ... .... A-7
Single IP Address Operation Using NAT ................................................................. A-8
MAC Addresses and Address Resolution Protocol ................................................. A-9
Related Documents ................................................................................................. A-9
Domain Name Server .............................................................................................. A-9
IP Configuration by DHCP .............. ... .... ... ... .......................................... ... ... .... ... .. A-10
Internet Security and Firewalls .................................................................................... A-10
What is a Firewall? .................................................................................................A-11
Stateful Packet Inspection ............................... ... .... ... ... ... .... ... ................................A-11
Denial of Service Attack .........................................................................................A-11
Appendix B
Virtual Private Networking
What is a VPN? ............................................................................................................. B-1
What Is IPSec and How Does It Work? ......................................................................... B-2
IPSec Security Features .............. ... ... .... ... ... ... ... .......................................... .... ... ... . B-2
IPSec Components ............................................ .... ... ... ... .... .................................... B-2
Encapsulating Security Payload (ESP) ................................................................... B-3
Authentication Header (AH) ...................................................... ... .... ... ... ... ... .... ... ... . B-4
Contents vii
202-10015-01M-10207-01, Reference Manual v2
IKE Security Association ........... ... .......................................... ... ... .... ... ... ................. B-4
Mode ...................................... ...................... .................... ...................... ........... B-5
Key Management .................................................................................................... B-6
Understand the Process Before You Begin ................................................................... B-6
VPN Process Overview ................................ ... ... .......................................... ... .............. B -6
Network Interfaces and Addresses ......................................................................... B-7
Interface Addressing ......................................................................................... B-7
Firewalls ........................................................................................................... B-8
Setting Up a VPN Tunnel Between Gateways ........................................................ B-8
VPNC IKE Security Parameters .................................................................................. B-10
VPNC IKE Phase I Parameters ............................................................................. B-10
VPNC IKE Phase II Parameters .............................................................................B-11
Testing and Troubleshooting .........................................................................................B-11
Additional Reading ...... ... .... .......................................... ... ... ... .... ...................................B-11
Appendix C
NETGEAR ProSafe VPN Client
to NETGEAR FVS318 or FVM318 VPN Routers
Configuration Summary ............................ .... ... ... ... .......................................... ... .... ... ... . C-1
The Use of a Fully Qualified Domain Name (FQDN) ................. ... ... ... .... ... ... ... ... .... ... ... . C-2
Step-By-Step Configuration of FVS318 or FVM318 Gateway A ....................................C-3
Step-By-Step Configuration of the NETGEAR VPN Client B .........................................C-6
Testing the VPN Connection ........ .... ... ... ... .... .......................................... ... ... ... ... .... ... .. C-12
From the Client PC to the FVS318 ........................................................................ C-12
From the FVS318 to the Client PC ...................................... ... ... ... .... ... ... ... ... .... ... .. C-13
Monitoring the VPN Connection from the PC ..............................................................C-14
Monitoring the VPN Connection from the FVS318 ...................................................... C-16
Appendix D
NETGEAR VPN Client
to NETGEAR FVL328 or FWAG114 VPN Router
Configuration Profile .............................................................. .... ... ... ... .... ... ... ... ... ...........D-1
Step-By-Step Configuration of FVL328 or FWAG114 Gateway .....................................D-2
Step-By-Step Configuration of the NETGEAR VPN Client B .........................................D-8
Testing the VPN Connection ........ .... ... ... ... .... .......................................... ... ... ... ... .... ... .. D-15
From the Client PC to the FVL328 .................. ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .. D-15
From the FVL328 to the Client PC ......... ... .......................................... ... ... ... .... ... .. D-16
Monitoring the PC VPN Connection .......................................... ... ... ... .... ... ... ... ... .... ... .. D-17
viii Contents
202-10015-01M-10207-01, Reference Manual v2
Viewing the FVL328 VPN Status and Log Information ................................................D-19
Glossary
Numeric .........................................................................................................................G-1
A ....................................................................................................................................G-1
C ..................................... ........................................................................... ....................G-2
D ..................................... ........................................................................... ....................G-2
E ....................................................................................................................................G-3
F ....................................................................................................................................G-4
G ..................................... .............................................. .................................................G-4
I .................................... ............. .......... ............. ............. ............. ............. ............ ...........G-4
L ...................................... ................. ............. ................ ................ ................ .................G-6
M ..................................... ............. ............. ............. ............. ............. ............. .................G-6
N ..................................... ........................................................................... ....................G-7
P ....................................................................................................................................G-7
Q ..................................... .............................................. .................................................G-9
R ..................................... ........................................................................... ....................G-9
S ....................................................................................................................................G-9
T ..................................................................................................................................G-10
V ..................................................................................................................................G-10
W .................................................................................................................................G-10
Index
Contents ix
202-10015-01M-10207-01, Reference Manual v2
x Contents
202-10015-01M-10207-01, Reference Manual v2
Chapter 1
About This Manual
Thank your for purchasing the NETGEAR ProSafe VPN Client. This chapter describes the target
audience, versions, conventions, and features of this manual.
Audience, Versions, Conventions
This reference manual assumes that the reader has basic to intermediate computer and Internet
skills. However, basic co mputer network, Internet, and firewall technologies tutorial information is
provided in the Appendices and on the NETGEAR Web site.
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
This manual is written for the NETGEAR VPN Client according to these versions.:
Table 1-1. Product, Firmware Version, Manual Version, and Publication Date
Product NETGEAR ProSafe VPN Client
Manual Part Number 202-10015-01
Manual Publication Date November 2003
Note: Product updates are available on the NETGEAR, Inc. Web site at http://
www.netgear.com/support/main.asp. Documentation updates are available on the
NETGEAR, Inc. Web site at http://www.netgear.com/docs.
About This Manual 1
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
4 About This Manual
202-10015-01
Chapter 2
Introduction
This chapter describes the features of the NETGEAR ProSafe VPN Client.
The NETGEAR ProSafe VPN Client is a remote access and end-point security product that
secures communications over the Internet and other public networks to create a virtual private
network (VPN) between users. The NETGEAR VPN Client secures data communications sent
from a desktop or portable computer across a public or private TCP/IP network. The client protects
the office computer user and the home and mobile workforce.
The NETGEAR VPN Client supports secure client-to-gateway or client-to-client communications.
For example, employees can telecommute from their homes to the office through the Internet or
dial-in connections for secure client-to-gateway communications. Organizations that require a
low-cost solution for secure communications among their employees or members across a private
LAN, WAN, or individual dial-up connections can use the NETGEAR VPN Client for secure
client-to-client communications.
The NETGEAR VPN Client starts automatically when the user's computer starts, and runs
transparently at all times behind other software programs. A system tray icon indicates the status
of communications for the client.
What's Included?
The NETGEAR ProSafe VPN Client contains two primary components:
• Security Policy Editor is where you create, import, and manage connections and their
associated proposals that make up your security policy.
• Certificate Manager allows users to request and retrieve, import, and store the certificates
users receive from certificate authorities (CAs), and to also set the trust policy.
There are also two diagnostic tools:
• Log Viewer lists the IKE negotiations that occur during Authenticatio n (Phase 1).
• Connection Monitor displays statistical and diagnostic information for each active
connection.
Introduction 2-1
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
What’s in the Box?
The product package should contain the following items:
• NETGEAR ProSafe VPN Client
• Resource CD (230-10007-01), including:
— This manual
— Application Notes, Tools, and other helpful information
• Warranty and support information card
2-2 Introduction
202-10015-01
Chapter 3
Installation
This chapter describes how to install your NETGEAR ProSafe VPN Client.
What You Need Before You Begin
You need to verify that your computer meets the minimum system requirements.
System Requirements
Before installing the NETGEAR ProSafe VPN Client, please make sure that these minimum
requirements have been met:
• IBM-compatible computer with Pentium processor or equivalent (not Alpha platforms)
• Compatible operating systems with minimum RAM:
Operating system Minimum RAM
Microsoft® Windows® 95 16 MB
Windows 98 and Windows NT
Windows Me and 2000 Professional 64 MB
Windows XP Home and Professional 64 MB; 128 MB recommended
Some versions of Windows may ask for the original Windows operating system installation
files to complete the installation of the VPN Client driver software
• 10 MB hard disk space
• Native Microsoft TCP/IP communications protocol
• For dial-up connections:
– Non-encrypting modem
– Native Microsoft PPP dialer
• For network connections, Ethernet card and connection
• Microsoft Internet Explorer 4.0 or later
Installation 3-1
®
Workstation 4.0 32 MB
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Installing
Use the procedure below to install the NETGEAR ProSafe VPN Client.
1. If you're installing this product on Windows NT or Windows 2000 or XP, log on as
administrator or its equivalent.
2. Run the setup.exe file on the installation CD-ROM or in the installation package.
3. Work through the installation wizard. Unless otherwise instructed, accept the defaults.
Note: The SafeNet VPN Adapter, which supports L2TP, is installed only when these network
components are already installed on your computer:
Operating system Component
Windows 95 Dial-Up Networking with the Microsoft Dial-Up Networking 1.3 Upgrade
Windows 98 and Me Dial-Up Networking
Windows NT Remote Access Server (RAS)
Because Windows 2000 and XP use the native Windows L2TP adapter, the SafeNet L2TP
adapter isn't installed on computers running these operating systems.
4. When the installation completes, click Finish.
5. To complete the client installation, make sure that your computer restarts.
Note: The NETGEAR ProSafe VPN Client lets you configure and switch among
multiple profiles for multiple tunnels. You can “Import” predefined configuration
profiles. The FVS318.SPD and FVL328.SPD profile files on the NETGEAR ProSafe
VPN Client Resource CD (230-10007-01) include all the settings identified in the
configuration procedures published in these appendices: “NETGEAR ProSafe VPN
Client to NETGEAR FVS318 or FVM318 VPN Routers“ on page C-1 and “NETGEAR
VPN Client to NETGEAR FVL328 or FWAG114 VPN Router“ on page D-1.
3-2 Installation
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Upgrading
To upgrade to this version of the NETGEAR ProSafe VPN Client, take these steps:
1. Uninstall the current version on your computer through the Control Panel Add/Remove
Programs application:
a. In the uninstall wizard, on the Maintenance dialog box, click Remove. This removes all
the client product's components, but not your security policy.
b. The Uninstall Security Policy dialog box prompts you to delete your IPSec security
policy, which includes any certificates and private keys:
– To keep it, click No. You can import this security policy after you install the new
version of the NETGEAR ProSafe VPN Client.
– To delete it, click Yes.
c. When the Maintenance Complete dialog box opens, click Finish.
d. To complete the uninstall, make sure that your computer restarts.
2. Install this new version of the NETGEAR ProSafe VPN Client.
Getting St arted
The NETGEAR ProSafe VPN Client contains two primary modules:
• Security Policy Editor to configure and maintain the security policy
• Certificate Manager to request, store, and administer certificates
To learn how to use NETGEAR VPN Client, go to Start>Programs>NETGEAR ProSafe VPN
Client>NETGEAR ProSafe VPN Client Help.
VPN Client Connection Indicators
The NETGEAR ProSafe VPN Client provides the following three indicators which give you
feedback on the status of your wireless connection:
The System Tray (SysTray) resides on one end of the taskbar in the Microsoft Windows desktop.
Installation 3-3
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Table 3-1.
Icon Explanation
• The Windows operating system did not start the IREIKE service properl y. To start this
service, restart your computer. If this icon continues to display, you may need to reinstall
the client.
or
• Your security policy is deactivated—that is, disabled. To reactivate it, go to Reactivate the
security polity.
Your computer is ready to establish connections or transmit data.
Your computer has established no secure connections and is transmitting unsecured data.
Your computer has established at least one secure connection, but is transmitting no data.
Your computer has established at least one secure connection and is transmitting only
unsecured data.
Your computer has established at least one secure connection and is transmitting only
secured data.
Your computer has established at least one secure connection and is transmitting secured
and unsecured data.
Uninstalling the NETGEAR ProSafe VPN Client
When you remove NETGEAR ProSafe VPN Client and its components, you have the option to
keep your security policy, certificates, and private keys to use when you upgrade or reinstall the
client.
Note: Before you upgrade the client, read the readme file and Release Notes provided with the
new version.
1. Open the Control Panel Add/Remove Programs application.
2. Remove NETGEAR ProSafe VPN Client. The details depend on th e version of Windows on
your computer.
3. Work through the uninstall wizard:
a. When the Maintenance dialog box opens, click Remove.
3-4 Installation
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
When prompted to remove all installed components, click Yes.
b.
Note: This does not remove the IPSec security policy, certificates, or private keys.
c. When prompted to remove the IPSec security policy, which includes certificates and
private keys, in most cases, click No. You can import this policy after you reinstall this
client version or upgrade to a newer client version; this can save a lot of time.
d. When the maintenance complete message opens, click Finish.
Make sure that the computer restarts; this is required to complete the uninstall.
Keyboard Shortcuts
The client supports standard Windows keyboard shortcuts for accessibility. For a complete list of
Windows keyboard shortcuts, refer to the keyboard shortcuts help topics in Windows.
Installation 3-5
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
3-6 Installation
202-10015-01
Chapter 4
Configuring L2TP Connections
This chapter describes how to use configure VPN tunnels using the NETGEAR ProSafe VPN
Client.
Basic Steps
The client supports Layer 2 Tunneling Protocol (L2TP) connections through a virtual adapter: the
SafeNet VPN Adapter. The specific steps required vary with the Windows operating system
installed on your computer.
To create and secure an L2TP connection, perform these tasks in the sequence that your network
security administrator recommends:
• Configure a network connection to the remote party’s L2TP network server.
• Configure the security policy for L2TP.
• If you are establishing the L2TP or virtual adapter connection over a physical dial-up
connection—that is, a modem—add another dial-up connection adapter.
How to Configure an L2TP Dial-Up Network Connection
Configuring a dial-up network connection for L2TP requires you to use the Dial-Up Networking
(DUN) features of the Windows operating system. The steps vary by operating system.
For Windows 95/98/Me
1. Create the connection to the other party's L2TP network server:
a. On the desktop, double-click My Computer.
b. Double-click Dial-Up Networking. The Dial-Up Networking dialog box opens.
c. Double-click Make New Connection. The Make New Connection wizard opens.
Configuring L2TP Connections 4-1
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Note: If this is the first dial-up connection for your computer, the Welcome to Dial-Up
d.
Networking page opens instead. Follow the prompts to start the Make New Connection
wizard.
e. In the Type a name for the computer you are using box, type the name for the
connection.
f. In the Select a device box, click SafeNet_VPN x Adapter, where x is the number of the
VPN adapter.
g. Click Next.
h. In the Host name or IP address box, type the IP address of the remote party's L2TP
network server (LNS).
i. Click Next.
j. Click Finish.
2. Change properties for this connection:
a. In My Computer, double-click Dial-Up Networking. The Dial-Up Networking dialog
box opens.
b. Right-click the specific connection, and then click Properties. The connection_name
dialog box opens.
c. On the tabs, locate the settings to change, and then make the changes.
d. Click OK until you return to the Dial-up Networking window.
e. Close the window.
For Windows NT 4.0
1. Double-click My Computer.
2. Double-click Dial-up Networking. The Dial-Up Networking dialog box opens.
Note: If this is the first dial-up connection for your computer, the Welcome to Dial-Up
Networking page opens instead. Follow the prompts until the Dial-Up Networking dialog
box opens.
3. Click New. The New Phonebook Entry page opens.
4. Click the Basic tab.
5. In the Entry name box, type the name for the connection.
4-2 Configuring L2TP Connections
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
In the Phone number box, type the IP address of the remote party's LNS.
6.
7. In the Dial using box, click SafeNet_VPN x Adapter, where x is the number of the VPN
adapter.
8. Click the Server tab.
9. Click OK.
For Windows 2000
1. On the Windows desktop, click Start>Settings>Network and Dial-up Connections. The
Network and Dial-up Connections window opens.
2. Double-click Make New Connection. The Network Connection Wizard opens.
Note: If this is the first dial-up connection for your computer, you may be prompted to provide
some preliminary data. Follow the prompts until you return to the Network Connection
Wizard.
3. On the Network Connection Type page, take these steps:
a. Click Connect to a private network through the Internet.
b. Click Next.
4. On the Select a Device page, take these steps:
a. In the Select the devices to use in this connection list, as many of the check boxes that
apply; you must select at least one. If you're not sure which ones to select, contact your
network administrator.
b. Click Next.
5. On the Public Network page, take these steps:
a. Click Do not dial the initial configuration.
b. Click Next.
6. On the Destination Address page, identify the remote party's L2TP server:
a. In the Host name or IP address box, type the IP address of the remote party's L2TP
network server.
b. Click Next.
7. On the Connection Availability page, select whether to make this connection available to
only you or all others who use your computer:
Configuring L2TP Connections 4-3
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Ask your network administrator which option to select, and then click that option.
a.
b. Click Next.
8. On the Completing the Network Connection Wizard page, take these steps:
a. Type the name for this connection; the default is Virtual Private Connection.
b. Click Finish.
For Windows XP
1. On the Windows desktop, click Start>Settings>Network Connections. The Network
Connections window opens.
2. Double-click Make New Connection. The Network Connection Wizard opens.
3. Click Next. The Network Connection Type page opens.
4. Note: If this is the first dial-up connection for your computer, you may be prompted to provide
some preliminary data. Follow the prompts until you return to the Network Connection
Wizard.
5. Click Connect to the network at my workplace.
6. Click Next. The Network Connection page opens.
7. Click Virtual Private Network connection.
8. Click Next. The Connection Name page opens.
9. In the Workplace box, type the name for this connection.
10. Click Next. The VPN Server Selection page opens.
11. Type the hostname or IP address of the remote party's L2TP server.
12. Click Next. The Connection Availability page opens.
13. For the Create the connection for option, accept the default, Anyone's use, or click My use
only.
14. Click Next. The Completing the New Connection Wizard page opens.
15. If you like, select the Add a shortcut to this connection to my desktop check box.
16. Click Finish.
4-4 Configuring L2TP Connections
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
How to Configure a Security Policy
1. In the Security Policy Editor, in the Network Security Policy list, click the specific secure
connection .
2. In the Remote Party Identity and Addressing group, configure the remote party's information.
Note: When configuring security for L2TP, the remote party is the L2TP network server
(LNS).
a. In the ID Type box at the top of the group, click one of these remote party identifiers:
• Domain name
• IP address
• Email address
• Distinguished name
•Any
b. In the IP Address box, type the IP address of the LNS.
c. In the Protocol box, click UDP.
d. In the Port box, click L2TP.
e. Unless otherwis e instructed, make sure that the Connect using check box is clear.
3. Ask the remote party if you need to change the Port value to L2TP in My Identity.
4. When you configure the Key Exchange (Phase 2) proposal, in the Encapsulation box, click
Transport, which is the typical L2TP connection setting.
5. Click Save.
When Using a Modem to Establish the L2TP Connection
Note: If you use a network or broadband connection, such as cable or DSL, to establish an L2TP
connection on a network, skip this topic; it doesn't apply. If you have questions, contact your
network security administrator.
If you establish the L2TP connection from your computer through a physical di al-up connectio n—
that is, a modem—your computer requires two Microsoft dial-up connections or adapters:
• One for the L2TP connection, which is a virtual connection
Configuring L2TP Connections 4-5
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
• One for the physical dial-up connection
Therefore, you must add another dial-up connection through Windows. The specific steps required
to add a second dial-up connection differ among the various Windows operating systems. This is
the general procedure:
1. On your computer, in Windows help, look up network adapters, network connections, or
add a connection.
2. In Control Panel, open the Network or Network and Dial-up Connections application.
3. Follow the instructions in the help to add another dial-up connection or adapter.
Note: In Windows 95 and 98, dial-up adapters may be labeled Dial-Up Adapter and Dial-Up
Adapter#2 (VPN Support).
If you need additional help, contact your network security administrator or IT staff.
4-6 Configuring L2TP Connections
202-10015-01
Chapter 5
Using the Security Policy Editor
This chapter describes how to use the Security Policy Editor of the NETGEAR VPN Client.
What is the Security Policy Editor?
The Security Policy Editor is the client module in which you (or your network security
administrator) create, import, and export security policies. Only one security policy is in effect at
any time.
The policy contains connections and proposals that define the address of the remote (or other)
party, the security level for the connection, how you identify yourself to the other party, and other
attributes concerning the proposals and connections.
The sequence of the connections in the Network Security Policy list in the Security Policy Editor
determines the order in which the client tests for a match between an incoming transmission and
the proposed policies, and in turn defines the connection's security policy.
There are two ways to open the Security Policy Editor:
• On the Windows desktop, click Start>Programs>NETGEAR ProSafe VPN
Client>Security Policy Editor.
• Right-click the NETGEAR ProSafe VPN Cl ient icon>Security Policy Editor.
Basic Steps to Configure a Security Policy
Caution: Before attempting to configure the security policy, check with your network security
administrator: your security policy may have been configured when the client was installed.
Using the Security Policy Editor 5-1
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Table 5-1. Summary of steps
Step Task
1 • Create one connection that secures all communications, with the option to direct all
connections to a specific gateway
or
• Create multiple connections and specify which ones to secure
2 Select options that apply to all connections in the security policy
3 Identify yourself (the user) through one of these methods:
Select the personal certificate
Let the client automatically select the personal certificate du ring IKE negotiation
Enter the specific preshared key
4 Select the Phase 1 mode:
Main Mode (high security)
Aggressive Mode (low security)
Manual keys (for troubleshooting only)
5 Add proposals, if needed, and select these options:
Encryption algorithm
Hash algorithm
SA life
Key (Diffie-Hellman) group
6 Add proposals, if needed, and select the options for Encapsulated Security Payload (ESP)
or Authentication header (AH)
7 Identify backup gateways on the network
8 For network administrators or installers only: Create and deploy a customized client
installation package, with the security policy you configured, to users
How to Secure All Connections
You can create a single connection called All Connections in your security policy that secures all
IP communications between your computer and every other party.
1. In the Security Policy Editor, click Options>Secure>All Connections . A secure connection
called All Connections is added to the Network Security Policy list.
2. To route all secure communications from your computer through a specific , secure,
IPSec-compliant network gateway, such as a firewall or router, go to Configure a gateway.
3. Click Save.
5-2 Using the Security Policy Editor
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
Configure My Identity for this connection.
4.
5. Exit the Security Policy Editor.
How to Configure Global Policy Settings
Global policy settings are program preferences that apply to all secure IP communications. You
can change these at any time to match to your security policy.
1. In the Security Policy Editor, click Options, and then click Global Policy Settings. The
Global Policy Settings dialog box opens.
2. In the Retransmit Interval box, type the length of time, in seconds, that the client waits
before resending an IKE protocol packet that has not been responded to. The de fault is 8
seconds.
Note: If the client selects a redundant gateway when you know that the primary one is
available, try entering a higher number for Retransmit Interval.
3. In the Number of retries box, type the number of times your computer resends an IKE
protocol packet before abandoning the exchange. The default is 3 tries.
4. Status notifications are messages that inform communicating parties what the time-out periods
are and whether their security proposals have been accepted or rejected.
To send thes e messages, select the Send status notifications to peer host check box.
5. An internal network IP address is a virtual IP address assigned to the client user. Remote users
can appear as internal users on a private network to, for example, access a WINS server or
browse the network.
To enable remote users to appear as internal users on a private network, select the Allow to
Specify Internal Network Address check box.
Note: If you select this check box, you must enter a private internal network IP address when
Configuring My Identity.
6. To enable logging the Log Viewer's IKE negotiation messages to the isakmp.log file in the
client's installation directory , select the Enable logging to a file check box. This can facilitate
remote troubleshooting by allowing a user to send a file with these messages instead of
repeatedly freezing and printing the Log Viewer.
Notes:
Using the Security Policy Editor 5-3
202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client
• The maximum size for the isakmp.log file is 100 KB. When the client computer, the client,
and the IKE service restart and the isakmp.log file size exceeds 100 KB, this isakmp.log
file is deleted and a new one created.
• On computers running Windows 95 and 98 , when the isakmp.log file size exceeds 64 KB,
Notepad prompts the user to try WordPad instead because of the file's size. When the user
tries WordPad, however, WordPad prompts the user that it can't open the file because it is
in use by another program (the IKE service).
In this case, to view the file, try one of these options:
– Rename it, and then open it in WordPad.
– Open a read-only version of the file in Microsoft Word.
– Clear the Enable logging to a file check box, and then open the file.
7. If you don't use a smart card and reader or similar device to authenticate your identity, skip this
step.
If you do use a smart card and reader or similar device, the client can, when it detects that the
smart card or reader is removed, delete active keys and end these communications sessions.
This provides extra security. Only connections that use the keys on your smart card are
affected.
To enable this feature, select the Smart card removal clea rs key s ch ec k box.
8. Click OK.
9. Click Save.
How to Configure Other Connections
The security policy includes a connection called Other Connections. This connection, non-secure
by default, is designed to allow all non-encrypted IP traffic through and let you to access the
Internet and other public networks unsecured.
The client processes connections in the order in which they display in the Network Security
Policy list. Because Other Connections is the catchall or default rule for communications that don't
conform to the proposals for individual connections, it is always last in the connections list.
1. In the Security Policy Editor, click Options, point to Secure, and then click Specified
Connections.
2. In the Network Security Policy list, click Other Connections.
5-4 Using the Security Policy Editor
202-10015-01