NETGEAR ProSafe VPN Client Reference Manual

Download

Reference Manual for the NETGEAR ProSafe VPN Client

NETGEAR, Inc.

4500 Great America Parkway Santa Clara, CA 95054 USA

202-10015-01 November 2003

202-10015-01

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.

NETGEAR

layout(s) described herein.

™

does not assume any liability that may occur due to the use or application of the product(s) or circuit

Technical Support

Refer to the Support Information Card that shipped with your NETGEAR ProSafe VPN Client.

World Wide Web

NETGEAR maintains a World Wi de Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

202-10015-01

Chapter 1 About This Manual

Audience, Versions, Conventions ...................................................................................1-1

How to Use this Manual ..................................................................................................1-2

How to Print this Manual .................................................................................................1-3

Chapter 2 Introduction

What's Included? ............................................................................................................2-1

What’s in the Box? ..........................................................................................................2-2

Chapter 3 Installation

What You Need Before You Begin ..................................................................................3-1

System Requirements .. ... ... ... .......................................... .... ... ... ... .... ... ... ... ... .... ........3-1

Installing .........................................................................................................................3-2

Upgrading ........................................................................... ............................................3-3

Getting Started ................................................................................................................3-3

VPN Client Connection Indicators ..................................................................................3-3

Uninstalling the NETGEAR ProSafe VPN Client ............................................................3-4

Keyboard Shortcuts ........................................................................................................3-5

Chapter 4 Configuring L2TP Connections

Basic Steps .....................................................................................................................4-1

How to Configure an L2TP Dial-Up Network Connection ................ ............................... 4-1

For Windows 95/98/Me ............................................................................................4-1

For Windows NT 4.0 ................................................................................................4-2

For Windows 2000 ...................................................................................................4-3

For Windows XP ......................................................................................................4-4

How to Configure a Security Policy ................................................................................4-5

When Using a Modem to Establish the L2TP Connection ......................................... ..... 4-5

Contents iii

202-10015-01M-10207-01, Reference Manual v2

Chapter 5 Using the Security Policy Editor

What is the Security Policy Editor? .................................................................................5-1

Basic Steps to Configure a Security Policy .....................................................................5-1

How to Secure All Connections ... .... ... ... ... .... ... ... ... ... .... ... ... .......................................... ..5-2

How to Configure Global Policy Settings ........................................................................5-3

How to Configure Other Connections .............................................................................5-4

How to Add and Configure a Connection .......................................................................5-5

How to Enter a Preshared Key .......................................................................................5-8

How to Configure a Gateway ..........................................................................................5-9

Configure My Identity ....................................................................................................5-10

Configure Security Policy Connection Options .......................... ................................... 5-12

Configure Authentication (Phase 1) ..............................................................................5-13

Configure Key Exchange (Phase 2) .............................................................................5-14

Edit a Distinguished Name ...........................................................................................5-16

Configure and Manage Connections ............................................................................5-17

Add and Configure a Connection ...........................................................................5-17

Copy a Connection .................................................................................................5-20

Move a Connection ................................................................................................5-20

Rename a Connection .......... .... .......................................... ... ................................5-20

Delete a Connection ............................... ... ... ... ... .... ... ... ..........................................5-21

Manage Proposals ........................................................................................................5-21

Add a Proposal .......................................................................................................5-21

Copy a Proposal .....................................................................................................5-22

Move a Proposal ....................................................................................................5-22

Delete a Proposal ................................... ... ... ... ... .... ... .......................................... ...5-23

Manage Redundant Gateways .....................................................................................5-23

Add a Redundant Gateway ....................................................................................5-24

Copy a Redundant Gateway ..................................................................................5-25

Move a Redundant Gateway ..................................................................................5-25

Rename a Redundant Gateway ...... ... .... ... ... ..........................................................5-25

Delete a Redundant Gateway ................ ... .............................................................5-26

Disable Redundant Gateways ................................... ... ... .... ... ... ... .... ... ... ... ... .... ... ...5-26

Manage the Security Policy ..........................................................................................5-26

Edit a Security Policy .............................................................................................5-27

iv Contents

202-10015-01M-10207-01, Reference Manual v2

Import a Security Policy .........................................................................................5-28

Reload the Security Policy .............................................. .... ... ... ... .... ......................5-28

Deactivate the Security Policy ............................ ....... ...... ....... ... ....... ...... ...... ....... ...5-29

Reactivate the Security Policy ............................ ....... ...... ....... ... ....... ...... ...... ....... ...5-29

Configure the Client to Retrieve a New Policy from a Policy Server or Web Address 5-3 0

Retrieve a New Policy Manually .............................................................................5-32

Chapter 6 Using the Certificate Manager

What is the Certificate Manager? ...................................................................................6-1

Getting Started with the Certificate Manager ......................................... ..................6-2

What are Certificates? ..............................................................................................6-2

CA Enrollment Methods and Procedures .................................................................6-3

Obtain Certificates .................................................... .... ... ... ... .........................................6-4

With Online (SCEP) Enrollment ...............................................................................6-4

CAs that Support SCEP ..................................... ... ... .... ... ... ... .... ... ... ..................6-4

Retrieve a CA Certificate Online ........................................................................6-5

Configure a CA Certificate .................................................................................6-6

Use an HTTP Proxy Server for Online Certificate Requests and CRL Updates 6-6

Import a CA Certificate ......................................................................................6-7

Select a CSP .....................................................................................................6-8

Request a Personal Certificate ..........................................................................6-8

Define How Often to Check for and Retrieve New Personal Certificates ........6-10

Retrieve a Personal Certificate Manually ........................................................6-10

Manage Certificate Requests ..........................................................................6-11

With Manual (File-Based) Enrollment .................................................................... 6-11

Import a CA Certificate ....................................................................................6-12

Request a Personal Certificate ........................................................................6-13

Create a Personal Certificate File to Import ....................................................6-14

Import a Personal Certificate ...........................................................................6-15

Select a CSP ...................................................................................................6-17

View and Delete Certificate Requests .............................................................6-17

Obtain Certificates Through Internet Explorer ........................ ............. ............. ......6-18

Manage Certificates ......................................................................................................6-18

Verify a Certificate ........................................ ... .......................................... ... ..........6-19

Contents v

202-10015-01M-10207-01, Reference Manual v2

Export a CA Certificate ...........................................................................................6-19

Delete a Certificate .......................... ... .... ... ....................................... ... ... ... ... .... ... ...6-20

RA Certificates ....................................... ... ....................................... ... ... ... ... .... ... ...6-21

Personal Certificates ..............................................................................................6-22

Export a Personal Certificate .................................................................................6-24

Delete a Certificate .......................... ... .... ... ....................................... ... ... ... ... .... ... ...6-25

Manage Certificate Revocation Lists (CRLs) ................................................................6-26

Import a CRL ..........................................................................................................6-27

Update all CRLs Manually ......................................................................................6-27

View a CRL ............................................................................................................6-28

Delete a CRL ..........................................................................................................6-28

Manage the Trust Policy ...............................................................................................6-28

Set the Trust Policy ................................................................................................6-29

Set the Trust Policy and View Trusted Root CA Certificates ..................................6-29

Chapter 7 Using Sessions

Authenticate Yourself ......................................................................................................7-1

Automatically Start and End Secure Sessions ...............................................................7-1

Start and End a Secure Session Manually .....................................................................7-2

Chapter 8 Distributing Customized Profiles

Create a Customized Installation Containing a Security Policy ......................................8-1

Create a Customized Installation Containing a Security Policy and a CA Certificate .....8-2

Create a Customized Installation Containing a Security Policy, CA Certificate, and Personal

Certificate .......................................................................................................................8-2

Chapter 9 Troubleshooting

System Tray Icons ..........................................................................................................9-1

Remove the Client Icon from the System Tray .. .......................................... .... ........9-2

Restore the Client Icon to the System Tray .............................................................9-2

Log Viewer ......................................................................................................................9-2

Freeze the Log Viewer ....... ... .... ... ... ... .......................................... .... ... ... ... ... ............9-3

Unfreeze the Log Viewer ..........................................................................................9-3

Clear Log Viewer Messages ....................................................................................9-3

Save the Log Viewer Messages ................................................ ................ ...............9-4

Print the messages in the Log Viewer ......................................................................9-4

vi Contents

202-10015-01M-10207-01, Reference Manual v2

Configure Global Policy Settings ....................................................................................9-4

Network Address Translation (NAT) ...............................................................................9-6

Connection Monitor ..... ... .... .......................................... ... ... ... .... .....................................9-7

Manual keys ...................................................................................................................9-9

Enable Manual Keys ................................................. ... ... .... ... ... ... .... ... ... ... ... ..........9-10

Enter Inbound and Outbound Manual Keys .................... .... ... ... ... .... ... ... ... ... .... ... ...9-11

Start a Secure Connection with Manual Keys ..................................... ... ... ... .... ... ...9-13

Disable Manual Keys ................... ... ... .... ... ... .......................................... ... ... .... ... ...9-13

Appendix A Networks, Routing, and Firewall Basics

Related Publications ...................................................................................................... A-1

Basic Router Concepts .................................................................................................. A-1

What is a Router? ................................................................................................... A-1

Routing Information Protocol ................................................................................... A-2

IP Addresses and the Internet ......................................... .... ... ... ... .... ... ... ... ... .... ... ... . A-2

Netmask .................................... ................................................................ ..............A-4

Subnet Addressing .................................................................................................. A-4

Private IP Addresses ................................. ... ... ... .......................................... .... ... .... A-7

Single IP Address Operation Using NAT ................................................................. A-8

MAC Addresses and Address Resolution Protocol ................................................. A-9

Related Documents ................................................................................................. A-9

Domain Name Server .............................................................................................. A-9

IP Configuration by DHCP .............. ... .... ... ... .......................................... ... ... .... ... .. A-10

Internet Security and Firewalls .................................................................................... A-10

What is a Firewall? .................................................................................................A-11

Stateful Packet Inspection ............................... ... .... ... ... ... .... ... ................................A-11

Denial of Service Attack .........................................................................................A-11

Appendix B Virtual Private Networking

What is a VPN? ............................................................................................................. B-1

What Is IPSec and How Does It Work? ......................................................................... B-2

IPSec Security Features .............. ... ... .... ... ... ... ... .......................................... .... ... ... . B-2

IPSec Components ............................................ .... ... ... ... .... .................................... B-2

Encapsulating Security Payload (ESP) ................................................................... B-3

Authentication Header (AH) ...................................................... ... .... ... ... ... ... .... ... ... . B-4

Contents vii

202-10015-01M-10207-01, Reference Manual v2

IKE Security Association ........... ... .......................................... ... ... .... ... ... ................. B-4

Mode ...................................... ...................... .................... ...................... ........... B-5

Key Management .................................................................................................... B-6

Understand the Process Before You Begin ................................................................... B-6

VPN Process Overview ................................ ... ... .......................................... ... .............. B -6

Network Interfaces and Addresses ......................................................................... B-7

Interface Addressing ......................................................................................... B-7

Firewalls ........................................................................................................... B-8

Setting Up a VPN Tunnel Between Gateways ........................................................ B-8

VPNC IKE Security Parameters .................................................................................. B-10

VPNC IKE Phase I Parameters ............................................................................. B-10

VPNC IKE Phase II Parameters .............................................................................B-11

Testing and Troubleshooting .........................................................................................B-11

Additional Reading ...... ... .... .......................................... ... ... ... .... ...................................B-11

Appendix C NETGEAR ProSafe VPN Client to NETGEAR FVS318 or FVM318 VPN Routers

Configuration Summary ............................ .... ... ... ... .......................................... ... .... ... ... . C-1

The Use of a Fully Qualified Domain Name (FQDN) ................. ... ... ... .... ... ... ... ... .... ... ... . C-2

Step-By-Step Configuration of FVS318 or FVM318 Gateway A ....................................C-3

Step-By-Step Configuration of the NETGEAR VPN Client B .........................................C-6

Testing the VPN Connection ........ .... ... ... ... .... .......................................... ... ... ... ... .... ... .. C-12

From the Client PC to the FVS318 ........................................................................ C-12

From the FVS318 to the Client PC ...................................... ... ... ... .... ... ... ... ... .... ... .. C-13

Monitoring the VPN Connection from the PC ..............................................................C-14

Monitoring the VPN Connection from the FVS318 ...................................................... C-16

Appendix D NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router

Configuration Profile .............................................................. .... ... ... ... .... ... ... ... ... ...........D-1

Step-By-Step Configuration of FVL328 or FWAG114 Gateway .....................................D-2

Step-By-Step Configuration of the NETGEAR VPN Client B .........................................D-8

Testing the VPN Connection ........ .... ... ... ... .... .......................................... ... ... ... ... .... ... .. D-15

From the Client PC to the FVL328 .................. ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... .. D-15

From the FVL328 to the Client PC ......... ... .......................................... ... ... ... .... ... .. D-16

Monitoring the PC VPN Connection .......................................... ... ... ... .... ... ... ... ... .... ... .. D-17

viii Contents

202-10015-01M-10207-01, Reference Manual v2

Viewing the FVL328 VPN Status and Log Information ................................................D-19

Glossary

Numeric .........................................................................................................................G-1

A ....................................................................................................................................G-1

C ..................................... ........................................................................... ....................G-2

D ..................................... ........................................................................... ....................G-2

E ....................................................................................................................................G-3

F ....................................................................................................................................G-4

G ..................................... .............................................. .................................................G-4

I .................................... ............. .......... ............. ............. ............. ............. ............ ...........G-4

L ...................................... ................. ............. ................ ................ ................ .................G-6

M ..................................... ............. ............. ............. ............. ............. ............. .................G-6

N ..................................... ........................................................................... ....................G-7

P ....................................................................................................................................G-7

Q ..................................... .............................................. .................................................G-9

R ..................................... ........................................................................... ....................G-9

S ....................................................................................................................................G-9

T ..................................................................................................................................G-10

V ..................................................................................................................................G-10

W .................................................................................................................................G-10

Index

Contents ix

202-10015-01M-10207-01, Reference Manual v2

x Contents

202-10015-01M-10207-01, Reference Manual v2

Chapter 1

About This Manual

Thank your for purchasing the NETGEAR ProSafe VPN Client. This chapter describes the target audience, versions, conventions, and features of this manual.

Audience, Versions, Conventions

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic co mputer network, Internet, and firewall technologies tutorial information is provided in the Appendices and on the NETGEAR Web site.

This guide uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.

This manual is written for the NETGEAR VPN Client according to these versions.:

Table 1-1. Product, Firmware Version, Manual Version, and Publication Date

Product NETGEAR ProSafe VPN Client Manual Part Number 202-10015-01 Manual Publication Date November 2003

Note: Product updates are available on the NETGEAR, Inc. Web site at http://

www.netgear.com/support/main.asp. Documentation updates are available on the

NETGEAR, Inc. Web site at http://www.netgear.com/docs.

About This Manual 1

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

4 About This Manual

202-10015-01

Chapter 2

Introduction

This chapter describes the features of the NETGEAR ProSafe VPN Client. The NETGEAR ProSafe VPN Client is a remote access and end-point security product that

secures communications over the Internet and other public networks to create a virtual private network (VPN) between users. The NETGEAR VPN Client secures data communications sent from a desktop or portable computer across a public or private TCP/IP network. The client protects the office computer user and the home and mobile workforce.

The NETGEAR VPN Client supports secure client-to-gateway or client-to-client communications. For example, employees can telecommute from their homes to the office through the Internet or dial-in connections for secure client-to-gateway communications. Organizations that require a low-cost solution for secure communications among their employees or members across a private LAN, WAN, or individual dial-up connections can use the NETGEAR VPN Client for secure client-to-client communications.

The NETGEAR VPN Client starts automatically when the user's computer starts, and runs transparently at all times behind other software programs. A system tray icon indicates the status of communications for the client.

What's Included?

The NETGEAR ProSafe VPN Client contains two primary components:

• Security Policy Editor is where you create, import, and manage connections and their

associated proposals that make up your security policy.

• Certificate Manager allows users to request and retrieve, import, and store the certificates

users receive from certificate authorities (CAs), and to also set the trust policy.

There are also two diagnostic tools:

• Log Viewer lists the IKE negotiations that occur during Authenticatio n (Phase 1).

• Connection Monitor displays statistical and diagnostic information for each active

connection.

Introduction 2-1

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

What’s in the Box?

The product package should contain the following items:

• NETGEAR ProSafe VPN Client

• Resource CD (230-10007-01), including: — This manual — Application Notes, Tools, and other helpful information

• Warranty and support information card

2-2 Introduction

202-10015-01

Chapter 3

Installation

This chapter describes how to install your NETGEAR ProSafe VPN Client.

What You Need Before You Begin

You need to verify that your computer meets the minimum system requirements.

System Requirements

Before installing the NETGEAR ProSafe VPN Client, please make sure that these minimum requirements have been met:

• IBM-compatible computer with Pentium processor or equivalent (not Alpha platforms)

• Compatible operating systems with minimum RAM:

Operating system Minimum RAM

Microsoft® Windows® 95 16 MB Windows 98 and Windows NT Windows Me and 2000 Professional 64 MB Windows XP Home and Professional 64 MB; 128 MB recommended

Some versions of Windows may ask for the original Windows operating system installation files to complete the installation of the VPN Client driver software

• 10 MB hard disk space

• Native Microsoft TCP/IP communications protocol

• For dial-up connections: – Non-encrypting modem – Native Microsoft PPP dialer

• For network connections, Ethernet card and connection

• Microsoft Internet Explorer 4.0 or later

Installation 3-1

Workstation 4.0 32 MB

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Installing

Use the procedure below to install the NETGEAR ProSafe VPN Client.

1. If you're installing this product on Windows NT or Windows 2000 or XP, log on as

administrator or its equivalent.

2. Run the setup.exe file on the installation CD-ROM or in the installation package.

3. Work through the installation wizard. Unless otherwise instructed, accept the defaults.

Note: The SafeNet VPN Adapter, which supports L2TP, is installed only when these network components are already installed on your computer:

Operating system Component

Windows 95 Dial-Up Networking with the Microsoft Dial-Up Networking 1.3 Upgrade Windows 98 and Me Dial-Up Networking Windows NT Remote Access Server (RAS)

Because Windows 2000 and XP use the native Windows L2TP adapter, the SafeNet L2TP adapter isn't installed on computers running these operating systems.

4. When the installation completes, click Finish.

5. To complete the client installation, make sure that your computer restarts.

Note: The NETGEAR ProSafe VPN Client lets you configure and switch among

multiple profiles for multiple tunnels. You can “Import” predefined configuration profiles. The FVS318.SPD and FVL328.SPD profile files on the NETGEAR ProSafe VPN Client Resource CD (230-10007-01) include all the settings identified in the configuration procedures published in these appendices: “NETGEAR ProSafe VPN

Client to NETGEAR FVS318 or FVM318 VPN Routers“ on page C-1 and “NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router“ on page D-1.

3-2 Installation

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Upgrading

To upgrade to this version of the NETGEAR ProSafe VPN Client, take these steps:

1. Uninstall the current version on your computer through the Control Panel Add/Remove

Programs application:

a. In the uninstall wizard, on the Maintenance dialog box, click Remove. This removes all

the client product's components, but not your security policy.

b. The Uninstall Security Policy dialog box prompts you to delete your IPSec security

policy, which includes any certificates and private keys: – To keep it, click No. You can import this security policy after you install the new

version of the NETGEAR ProSafe VPN Client.

– To delete it, click Yes.

c. When the Maintenance Complete dialog box opens, click Finish. d. To complete the uninstall, make sure that your computer restarts.

2. Install this new version of the NETGEAR ProSafe VPN Client.

Getting St arted

The NETGEAR ProSafe VPN Client contains two primary modules:

• Security Policy Editor to configure and maintain the security policy

• Certificate Manager to request, store, and administer certificates

To learn how to use NETGEAR VPN Client, go to Start>Programs>NETGEAR ProSafe VPN Client>NETGEAR ProSafe VPN Client Help.

VPN Client Connection Indicators

The NETGEAR ProSafe VPN Client provides the following three indicators which give you feedback on the status of your wireless connection:

The System Tray (SysTray) resides on one end of the taskbar in the Microsoft Windows desktop.

Installation 3-3

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Table 3-1.

Icon Explanation

• The Windows operating system did not start the IREIKE service properl y. To start this service, restart your computer. If this icon continues to display, you may need to reinstall the client.

• Your security policy is deactivated—that is, disabled. To reactivate it, go to Reactivate the security polity.

Your computer is ready to establish connections or transmit data.

Your computer has established no secure connections and is transmitting unsecured data.

Your computer has established at least one secure connection, but is transmitting no data.

Your computer has established at least one secure connection and is transmitting only unsecured data.

Your computer has established at least one secure connection and is transmitting only secured data.

Your computer has established at least one secure connection and is transmitting secured and unsecured data.

Uninstalling the NETGEAR ProSafe VPN Client

When you remove NETGEAR ProSafe VPN Client and its components, you have the option to keep your security policy, certificates, and private keys to use when you upgrade or reinstall the client.

Note: Before you upgrade the client, read the readme file and Release Notes provided with the new version.

1. Open the Control Panel Add/Remove Programs application.

2. Remove NETGEAR ProSafe VPN Client. The details depend on th e version of Windows on

your computer.

3. Work through the uninstall wizard:

a. When the Maintenance dialog box opens, click Remove.

3-4 Installation

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

When prompted to remove all installed components, click Yes.

Note: This does not remove the IPSec security policy, certificates, or private keys.

c. When prompted to remove the IPSec security policy, which includes certificates and

private keys, in most cases, click No. You can import this policy after you reinstall this client version or upgrade to a newer client version; this can save a lot of time.

d. When the maintenance complete message opens, click Finish.

Make sure that the computer restarts; this is required to complete the uninstall.

Keyboard Shortcuts

The client supports standard Windows keyboard shortcuts for accessibility. For a complete list of Windows keyboard shortcuts, refer to the keyboard shortcuts help topics in Windows.

Installation 3-5

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

3-6 Installation

202-10015-01

Chapter 4

Configuring L2TP Connections

This chapter describes how to use configure VPN tunnels using the NETGEAR ProSafe VPN Client.

Basic Steps

The client supports Layer 2 Tunneling Protocol (L2TP) connections through a virtual adapter: the SafeNet VPN Adapter. The specific steps required vary with the Windows operating system installed on your computer.

To create and secure an L2TP connection, perform these tasks in the sequence that your network security administrator recommends:

• Configure a network connection to the remote party’s L2TP network server.

• Configure the security policy for L2TP.

• If you are establishing the L2TP or virtual adapter connection over a physical dial-up connection—that is, a modem—add another dial-up connection adapter.

How to Configure an L2TP Dial-Up Network Connection

Configuring a dial-up network connection for L2TP requires you to use the Dial-Up Networking (DUN) features of the Windows operating system. The steps vary by operating system.

For Windows 95/98/Me

1. Create the connection to the other party's L2TP network server: a. On the desktop, double-click My Computer. b. Double-click Dial-Up Networking. The Dial-Up Networking dialog box opens. c. Double-click Make New Connection. The Make New Connection wizard opens.

Configuring L2TP Connections 4-1

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Note: If this is the first dial-up connection for your computer, the Welcome to Dial-Up

Networking page opens instead. Follow the prompts to start the Make New Connection wizard.

e. In the Type a name for the computer you are using box, type the name for the

connection.

f. In the Select a device box, click SafeNet_VPN x Adapter, where x is the number of the

VPN adapter.

g. Click Next. h. In the Host name or IP address box, type the IP address of the remote party's L2TP

network server (LNS).

i. Click Next. j. Click Finish.

2. Change properties for this connection: a. In My Computer, double-click Dial-Up Networking. The Dial-Up Networking dialog

box opens.

b. Right-click the specific connection, and then click Properties. The connection_name

dialog box opens.

c. On the tabs, locate the settings to change, and then make the changes. d. Click OK until you return to the Dial-up Networking window. e. Close the window.

For Windows NT 4.0

1. Double-click My Computer.

2. Double-click Dial-up Networking. The Dial-Up Networking dialog box opens.

Note: If this is the first dial-up connection for your computer, the Welcome to Dial-Up Networking page opens instead. Follow the prompts until the Dial-Up Networking dialog

box opens.

3. Click New. The New Phonebook Entry page opens.

4. Click the Basic tab.

5. In the Entry name box, type the name for the connection.

4-2 Configuring L2TP Connections

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the Phone number box, type the IP address of the remote party's LNS.

7. In the Dial using box, click SafeNet_VPN x Adapter, where x is the number of the VPN

adapter.

8. Click the Server tab.

9. Click OK.

For Windows 2000

1. On the Windows desktop, click Start>Settings>Network and Dial-up Connections. The

Network and Dial-up Connections window opens.

2. Double-click Make New Connection. The Network Connection Wizard opens.

Note: If this is the first dial-up connection for your computer, you may be prompted to provide some preliminary data. Follow the prompts until you return to the Network Connection Wizard.

3. On the Network Connection Type page, take these steps: a. Click Connect to a private network through the Internet. b. Click Next.

4. On the Select a Device page, take these steps: a. In the Select the devices to use in this connection list, as many of the check boxes that

apply; you must select at least one. If you're not sure which ones to select, contact your network administrator.

b. Click Next.

5. On the Public Network page, take these steps: a. Click Do not dial the initial configuration. b. Click Next.

6. On the Destination Address page, identify the remote party's L2TP server: a. In the Host name or IP address box, type the IP address of the remote party's L2TP

network server.

b. Click Next.

7. On the Connection Availability page, select whether to make this connection available to

only you or all others who use your computer:

Configuring L2TP Connections 4-3

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Ask your network administrator which option to select, and then click that option.

a. b. Click Next.

8. On the Completing the Network Connection Wizard page, take these steps: a. Type the name for this connection; the default is Virtual Private Connection. b. Click Finish.

For Windows XP

1. On the Windows desktop, click Start>Settings>Network Connections. The Network

Connections window opens.

2. Double-click Make New Connection. The Network Connection Wizard opens.

3. Click Next. The Network Connection Type page opens.

4. Note: If this is the first dial-up connection for your computer, you may be prompted to provide

some preliminary data. Follow the prompts until you return to the Network Connection Wizard.

5. Click Connect to the network at my workplace.

6. Click Next. The Network Connection page opens.

7. Click Virtual Private Network connection.

8. Click Next. The Connection Name page opens.

9. In the Workplace box, type the name for this connection.

10. Click Next. The VPN Server Selection page opens.

11. Type the hostname or IP address of the remote party's L2TP server.

12. Click Next. The Connection Availability page opens.

13. For the Create the connection for option, accept the default, Anyone's use, or click My use

only.

14. Click Next. The Completing the New Connection Wizard page opens.

15. If you like, select the Add a shortcut to this connection to my desktop check box.

16. Click Finish.

4-4 Configuring L2TP Connections

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

How to Configure a Security Policy

1. In the Security Policy Editor, in the Network Security Policy list, click the specific secure

connection .

2. In the Remote Party Identity and Addressing group, configure the remote party's information.

Note: When configuring security for L2TP, the remote party is the L2TP network server (LNS).

a. In the ID Type box at the top of the group, click one of these remote party identifiers:

• Domain name

• IP address

• Email address

• Distinguished name

•Any

b. In the IP Address box, type the IP address of the LNS. c. In the Protocol box, click UDP. d. In the Port box, click L2TP. e. Unless otherwis e instructed, make sure that the Connect using check box is clear.

3. Ask the remote party if you need to change the Port value to L2TP in My Identity.

4. When you configure the Key Exchange (Phase 2) proposal, in the Encapsulation box, click

Transport, which is the typical L2TP connection setting.

5. Click Save.

When Using a Modem to Establish the L2TP Connection

Note: If you use a network or broadband connection, such as cable or DSL, to establish an L2TP connection on a network, skip this topic; it doesn't apply. If you have questions, contact your network security administrator.

If you establish the L2TP connection from your computer through a physical di al-up connectio n— that is, a modem—your computer requires two Microsoft dial-up connections or adapters:

• One for the L2TP connection, which is a virtual connection

Configuring L2TP Connections 4-5

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

• One for the physical dial-up connection

Therefore, you must add another dial-up connection through Windows. The specific steps required to add a second dial-up connection differ among the various Windows operating systems. This is the general procedure:

1. On your computer, in Windows help, look up network adapters, network connections, or

add a connection.

2. In Control Panel, open the Network or Network and Dial-up Connections application.

3. Follow the instructions in the help to add another dial-up connection or adapter.

Note: In Windows 95 and 98, dial-up adapters may be labeled Dial-Up Adapter and Dial-Up Adapter#2 (VPN Support).

If you need additional help, contact your network security administrator or IT staff.

4-6 Configuring L2TP Connections

202-10015-01

Chapter 5

Using the Security Policy Editor

This chapter describes how to use the Security Policy Editor of the NETGEAR VPN Client.

What is the Security Policy Editor?

The Security Policy Editor is the client module in which you (or your network security administrator) create, import, and export security policies. Only one security policy is in effect at any time.

The policy contains connections and proposals that define the address of the remote (or other) party, the security level for the connection, how you identify yourself to the other party, and other attributes concerning the proposals and connections.

The sequence of the connections in the Network Security Policy list in the Security Policy Editor determines the order in which the client tests for a match between an incoming transmission and the proposed policies, and in turn defines the connection's security policy.

There are two ways to open the Security Policy Editor:

• On the Windows desktop, click Start>Programs>NETGEAR ProSafe VPN Client>Security Policy Editor.

• Right-click the NETGEAR ProSafe VPN Cl ient icon>Security Policy Editor.

Basic Steps to Configure a Security Policy

Caution: Before attempting to configure the security policy, check with your network security administrator: your security policy may have been configured when the client was installed.

Using the Security Policy Editor 5-1

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Table 5-1. Summary of steps

Step Task

1 • Create one connection that secures all communications, with the option to direct all

connections to a specific gateway

• Create multiple connections and specify which ones to secure 2 Select options that apply to all connections in the security policy 3 Identify yourself (the user) through one of these methods:

Select the personal certificate Let the client automatically select the personal certificate du ring IKE negotiation Enter the specific preshared key

4 Select the Phase 1 mode:

Main Mode (high security) Aggressive Mode (low security) Manual keys (for troubleshooting only)

5 Add proposals, if needed, and select these options:

Encryption algorithm Hash algorithm SA life Key (Diffie-Hellman) group

6 Add proposals, if needed, and select the options for Encapsulated Security Payload (ESP)

or Authentication header (AH) 7 Identify backup gateways on the network 8 For network administrators or installers only: Create and deploy a customized client

installation package, with the security policy you configured, to users

How to Secure All Connections

You can create a single connection called All Connections in your security policy that secures all IP communications between your computer and every other party.

1. In the Security Policy Editor, click Options>Secure>All Connections . A secure connection

called All Connections is added to the Network Security Policy list.

2. To route all secure communications from your computer through a specific , secure,

IPSec-compliant network gateway, such as a firewall or router, go to Configure a gateway.

3. Click Save.

5-2 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Configure My Identity for this connection.

5. Exit the Security Policy Editor.

How to Configure Global Policy Settings

Global policy settings are program preferences that apply to all secure IP communications. You can change these at any time to match to your security policy.

1. In the Security Policy Editor, click Options, and then click Global Policy Settings. The

Global Policy Settings dialog box opens.

2. In the Retransmit Interval box, type the length of time, in seconds, that the client waits

before resending an IKE protocol packet that has not been responded to. The de fault is 8 seconds.

Note: If the client selects a redundant gateway when you know that the primary one is available, try entering a higher number for Retransmit Interval.

3. In the Number of retries box, type the number of times your computer resends an IKE

protocol packet before abandoning the exchange. The default is 3 tries.

4. Status notifications are messages that inform communicating parties what the time-out periods

are and whether their security proposals have been accepted or rejected. To send thes e messages, select the Send status notifications to peer host check box.

5. An internal network IP address is a virtual IP address assigned to the client user. Remote users

can appear as internal users on a private network to, for example, access a WINS server or browse the network.

To enable remote users to appear as internal users on a private network, select the Allow to Specify Internal Network Address check box.

Note: If you select this check box, you must enter a private internal network IP address when Configuring My Identity.

6. To enable logging the Log Viewer's IKE negotiation messages to the isakmp.log file in the

client's installation directory , select the Enable logging to a file check box. This can facilitate remote troubleshooting by allowing a user to send a file with these messages instead of repeatedly freezing and printing the Log Viewer.

Notes:

Using the Security Policy Editor 5-3

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

• The maximum size for the isakmp.log file is 100 KB. When the client computer, the client, and the IKE service restart and the isakmp.log file size exceeds 100 KB, this isakmp.log file is deleted and a new one created.

• On computers running Windows 95 and 98 , when the isakmp.log file size exceeds 64 KB, Notepad prompts the user to try WordPad instead because of the file's size. When the user tries WordPad, however, WordPad prompts the user that it can't open the file because it is in use by another program (the IKE service).

In this case, to view the file, try one of these options: – Rename it, and then open it in WordPad. – Open a read-only version of the file in Microsoft Word. – Clear the Enable logging to a file check box, and then open the file.

7. If you don't use a smart card and reader or similar device to authenticate your identity, skip this

step. If you do use a smart card and reader or similar device, the client can, when it detects that the

smart card or reader is removed, delete active keys and end these communications sessions. This provides extra security. Only connections that use the keys on your smart card are affected.

To enable this feature, select the Smart card removal clea rs key s ch ec k box.

8. Click OK.

9. Click Save.

How to Configure Other Connections

The security policy includes a connection called Other Connections. This connection, non-secure by default, is designed to allow all non-encrypted IP traffic through and let you to access the Internet and other public networks unsecured.

The client processes connections in the order in which they display in the Network Security Policy list. Because Other Connections is the catchall or default rule for communications that don't conform to the proposals for individual connections, it is always last in the connections list.

1. In the Security Policy Editor, click Options, point to Secure, and then click Specified

Connections.

2. In the Network Security Policy list, click Other Connections.

5-4 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the Connection Security group, click a security level:

• Secure secures communications for this connection.

• Non-secure , the default, allows communications for this connection to pass through unsecured, or not encrypted.

• Block prohibits all communications for this connection from passing through.

4. If you selected Non-secure or Block in the Connection Security group, the Internet Interface

group is available:

a. In the Name list, click the interface for your computer to use to connect to a network. The

default, Any, lets your computer select any available interface. For devices with associated IP addresses, the IP Addr box shows the IP address.

b. In the Port box, click the protocol port through which your computer connects to the

remote party. The default, All, secures all protocol ports. The port's standard numeric designation shows next to the Port box.

5. Click Save. a. If you selected Secure in the Connection Security group, is your network protected by a

secure IPSec-compliant gateway, such as a firewall or router?

• If it is, go to Configure a gateway.

• If it is not, continue with the next step.

b. The Connection Security setting determines your next step:

• If you selected Secure, Configure My Identity for this connection.

• If you selected Non-secure or Block, you can add and configure connections.

How to Add and Configure a Connection

You can create and configure multiple connections for your security policy. Before you can configure a connection, make sure that you have identification information for the

remote party , such as network IP address, domain name, or email address. If the remote party (user or network) is protected by a secure IPSec-compliant gateway device, obtain that gateway's IP address, too.

1. In the Security Policy Editor, Configure Other Connections.

Using the Security Policy Editor 5-5

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the Network Security Policy list, if the My Connections folder does not appear, click

Options, point to Secure, and then click Specified Connections.

3. Click (or Edit>Add Connection). A highlighted New Connection entry displays in the

Network Security Policy list.

4. Rename the new connection.

5. In the Connection Security group, take these steps: a. Click the security level:

• Secure secures communications for this connection. This is the default.

• Non-secure allows communications for this connection to pass through

unsecured, or not encrypted.

• Block prohibits all communications for this connection from passing through.

b. When the Secure security level is selected, the Only Connect Manually check box

appears. By default, the check box is clear; this means that the client establishes and terminates connections automatically as needed. You can, however, initiate and end secure sessions manually.

To require the user to manually establish and terminate all secure sessions using this connection (with the Connect and Disconnect options on the client icon's shortcut menu), select the Only Connect Manually check box.

If a connection for which the Only Connect Manually check box is selected isn't manually connected, traffic that would otherwise go over this connection is bypassed, as though there were no connection configured for this traffic. Traffic that would go over that connection if it were active is instead compared against the remaining connections in the Network Security Policy box to determine how to handle it.

6. In the Remote Party Identity and Addressing group, in the ID Type box at the top of the

group, click an identifier for the other party. Boxes become available below the ID Type box to enter information about the ID type you selected:

Table 5-2: Remote Party Addressing

ID Type option In boxes below ID Type box, type…

IP Address IP address Domain Name domain name and IP address Email Address email address

5-6 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

IP Subnet subnet address and mask IP Address Range first and last IP addresses for the range Distinguished Name IP address

To edit a distinguished name, go to edit a distinguished name

Any (default) IP address

To create a generic security policy for multiple users, select Any.

7. In the Protocol box, click the protocol for the remote party to use to connect with you. The

default, All, secures all protocol ports. Selecting the exact protocol port tightens your security policy.

8. If you clicked UDP or TCP in the Protocol box, in the Port box, click a protocol port. The

standard numeric designation for this port displays next to the Port box.

9. Your Connection Security selection determines your next step:

• If you selected Secure and a secure IPSec-compliant gateway device, such as a

firewall or router, protects the remote user or network, go to Configure a gateway.

• If you selected Secure and the remote user or network is not protected by a secure

IPSec-compliant gateway, make sure that the Connect using check box is clear.

• If you selected Non-secure or Block , the Internet Interface group opens:

a. In the Name box, click the interface for your computer to use to connect to a network. The

default, Any, enables your computer to select any available interface. For devices with associated IP addresses, the read-only IP Addr box shows the IP address.

b. In the Port box, click the protocol port for your computer to connect to the remote party

through. The default, All, secures all protocol ports. The number displayed next to the Port box is the port's standard designation.

10. Click Save.

11. Configure My Identity for this connection.

Using the Security Policy Editor 5-7

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

How to Enter a Preshared Key

A preshared key is an alphanumeric character string that can be used instead of certificates to authenticate the identity of communicating parties during Phase 1 IKE negotiations. This character string, which can contain from 8 through 255 characters, is called preshared because the remote party needs it before you can communicate with it. Both parties must enter this preshared key in their IPSec-compliant devices, such as a firewall, gateway encryptor, router, or software client. Preshared keys can be included with the security policy when it is exported or included in a customized client installation.

When you use preshared keys, you don't have to deal with CAs and certificates. Preshared keys, however, do not provide the same level of security as certificates.

Before you begin to configure the security policy, decide whether to use certificates or preshared keys.

To use preshared keys instead of certificat es for authentication, enter the preshared key when you Configure My Identity for a selected connection.

Note: Preshared keys are not global policy settings; therefore, you must assign the key to each applicable connection individually.

1. In the Security Policy Editor, in the Network Security Policy list, expand the specific secure

connection .

2. In this connection, click My Identity.

3. In the Select Certificate box, click None.

4. Click Pre-Shared Key. The Pre-shared Key dialog box opens.

5. Click Enter Key.

6. Type the key.

7. Click OK.

8. Click Save.

9. Complete configuring My Identity.

5-8 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

How to Configure a Gateway

When configuring a secure connection—Other Connections, All Connections, or a Specific connection—in the Security Policy Editor, and your network or, for specific connectio ns only, the remote party's network routes secure IP communications through a gateway device, such as a firewall or router, you must identify the gateway and its addressing.

1. In the Security Policy Editor, in the Network Security Policy list, click the particular secure

connection .

2. In the right pane, select the Connect using check box. When configuring a specific

connection, this is in the Remote Party Identity and Addressing group.

3. In the adjoining box, click the gateway to use.

4. In the ID Type box immediately below the Connect using check box, click an identifier for

this gateway. Note: To create a generic security policy for multiple users, select Any (the default).

5. Complete the boxes that become available, based on the gateway identifier you specified in ID

Type:

• If you clicked IP Address, you can edit the gateway's IP address in a box below the ID

Type box.

• If you clicked Domain Name:

a. You can edit the gateway's IP address in a box below the ID Type box. b. In the box adjacent to the ID Type box, select how to specify the gateway: click Gateway

IP Address or Gateway Hostname (DNS name).

c. In the box below the Gateway IP Address/Hostname box, type the value for the selected

gateway option.

• If you clicked Distinguished Name or Any:

a. In the box adjacent to the ID Type box, select how to specify the gateway: click Gateway

IP Address or Gateway Hostname (DNS name).

b. In the box below the Gateway IP Address/Hostname box, type the value for the selected

gateway option. To change the distinguished name, go to Edit a distinguished name.

6. Click Save.

Using the Security Policy Editor 5-9

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Configure My Identity

The remote party that you want to communicate securely with uses the information in My Identity to verify that you really are who you indicate that you are. This is done with either a preshared key that you and the remote party have or a certificate. This information also distinguishes you from the remote party during the key exchange process.

The ID types available for identifying yourself in My Identity come from the subject information fields of the personal certificate request that you completed when you requested a personal certificate from a CA.

1. In the Security Policy Editor, in the Network Security Policy list, expand the specific secure

connection .

2. Click My Identity.

3. If you are using preshared keys, go to Enter a preshared key.

4. If you are using certificates: a. In the Select Certificate box, you can specify a personal certificate or let the client select

one: – To select a particular personal certificate, click that certificate. – For the client to select a personal certificate automatically , click Select automatically

during IKE negotiation, the default for new security policies. This option facilitates creating a policy.

b. In the ID Type box, click the information and format that identifies you to remote parties.

A box opens below the ID Type box with the particular subject information, in the ID type you clicked, from the personal certificate that you selected in the Select Certificate box.

If you selected Select automatically during IKE negotiation in the Select Certificate box, the default ID type is Distinguished Name; each personal certificate contains this.

Caution: The ID type is a search criterion that the client uses when automatically selecting a certificate. This means that if it doesn't find a personal certificate with the ID type selected, the connection attempt fails.

5. If the Port box is enabled, click the protocol port through which your computer will connect to

the other party . The default, All, secures all protocol ports. Selecting the exact protocol port tightens your security policy.

The port's standard numeric designation shows next to the Port box.

5-10 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the Virtual Adapter box, you can configure the client to use a virtual adapter to handle

private IP addressing. If certain programs that work with the client are “IP address-aware,” your computer is assigned a private Windows Internet Naming Service (WINS) server address, or both, you may need to do this.

In the Virtual Adapter box, click an option:

• Disabled—No virtual adapter is used. This is the default.

• Required—When the client tries to launch the connection with the virtual adapter, IP

address-aware programs know the assigned address for the virtual adapter and use it as the source IP address. If the launch fails, the connection attempt fails.

• Preferred—Uses the same procedure as Required with one exception: if the connection

launch using the virtual adapter IP address fails, the client uses address substitution to dynamically change the server IP address throughout the session.

7. If you selected the Allow to Specify Internal Network Address check box when you

Configured Global Policy Settings, and the Internal Network IP Address box opens, type an IP address in it.

8. In the Internet Interface group, in the Name box, click the interface for your computer to use

to connect to a network. The default, Any, enables your computer to select any available interface.

For devices with associated IP addresses, the IP Addr box shows the IP address. Caution: If the Name box contains an entry other than Any, do not change it. This was

configured by your network security administrator. The only instance in which you may need to change this entry is to assist your network security administrator in troubleshooting connection problems.

9. Click Save.

Using the Security Policy Editor 5-11

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Configure Security Policy Connection Options

Before you configure the options for Security Policy in a connection, take these steps:

• Make sure that the connection is secure: In the Connection Security group, click Secure .

• Configure My Identity for this connection.

The Phase 1 negotiation mode selected for Security Policy determines how the security association (SA) is established for each connection through IKE negotiations.

1. In the Security Policy Editor, in the Network Security Policy list, expand the specific secure

connection .

2. Expand Security Policy.

3. In the Select Phase 1 Negotiation Mode group, click an option:

• Main Mode ensures the highest level of security when the communicating parties are

negotiating authentication (Phase 1).

• Aggressive Mode is quicker than Main Mode, because it eliminates several steps when

the communicating parties are negotiating authentication (Phase 1).

• Use Manual Keys requires no negotiations; SafeNet recommends using this for

troubleshooting only.

4. T o activate the perfect forward secrecy (PFS) fe ature, which requires exchanging independent

keying material each time Key Exchange keys are generated, select the Enable Perfect Forward Secrecy (PFS) check box.

5. If you selected the Enable Perfect Forward Secrecy (PFS) check box, in the PFS Key

Group list, click a Diffie-Hellman Group 1, 2, or 5.

6. To set a counter that determines if a packet is unique, select the Enable Replay Detection

check box.

7. Click Save.

The Phase 1 Negotiation Mode you selected determines your next step:

• If you selected Main Mode or Aggressive Mode, configure Authentication (Phase 1).

• If you selected Use Manual Keys, configure Key Exchange (Phase 2).

5-12 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Configure Authentication (Phase 1)

After you configure Security Policy for a secure connection, the next step is to configure authentication proposals for this policy, one connection at a time.

Note: If you are using manual keys, skip this topic, and go to Configure Key Exchange (Phase 2).

1. In the Security Policy Editor , in the Network Security Policy list, expand a secure connection

2. For the selected connection, expand Security Policy. Authentication (Phase 1) and Key

Exchange (Phase 2) appear .

3. Expand Authentication (Phase 1).

4. Your next step depends on whether you are configuring the first proposal or a subsequent one:

• For the first proposal, click Proposal 1.

• For subsequent proposals, create a new one from scratch or copy an existing one as a base:

– To c reate one from scratch, click Create New Proposal. – To copy an existing proposal, click the source proposal, and then click Copy.

5. In the Authentication Method and Algorithms group, select these options for this proposal: a. In the Authentication Method box, accept the default option, based on how you

configured My Identity: – If you entered a preshared key, Pre-Shared Key – If you selected a certificate, RSA Signatures If your gateway is configured for Extended Authentication (XAUTH), you can select an

XAUTH version of the default option.

b. In the Encryption Algorithm box, click an option:

– For minimal security, DES – For medium security, Triple-DES (the default) – For maximum security, AES-128, AES-192, or AES-256

c. In the Hash Algorithm box, click an option:

– For minimal security, MD5 – For maximum security, SHA-1 (the default)

Using the Security Policy Editor 5-13

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the SA Life box, click an option. Unspecified is the default.

d. e. If you clicked Seconds for SA Life, in the adjacent box, type the number of seconds. f. In the Key Group box, click Diffie-Hellman Group 1, Group 2 (the default), or

Group 5.

6. Click Save.

7. Configure Key Exchange (Phase 2).

Configure Key Exchange (Phase 2)

After you add and configure the authentication proposals for Security Policy, the next step is to add and configure the key exchange proposals for that policy, one connection at a time.

1. Configure Authentication (Phase 1).

2. In the Security Policy Editor, in the Network Security Policy list, expand a secure connection

3. For the selected connection, expand Security Policy. Authentication (Phase 1) and Key

Exchange (Phase 2) appear .

4. Expand Key Exchange (Phase 2). Proposals appear.

5. Your next step depends on whether you are configuring the first proposal or a subsequent one:

• For the first proposal, click Proposal 1.

• For a subsequent proposal, you can start from scratch or copy an existing one as a base:

– To start from scratch, click Create New Proposal. – To copy an existing proposal, click the source proposal, and then click Copy.

6. In the IPSec Protocols group, configure these options: a. In the SA Life box, click the measurement unit. Your selection opens various boxes for

you to enter additional information. Note: If you click Unspecified, no boxes are enabled; skip step “b”.

b. In the enabled boxes, type a value. c. In the Compression box, click Deflate; this value increases the transmission speed.

7. Encapsulation Protocol (ESP) and Authentication Protocol (AH) are mutually exclusive

check boxes. Select the one that meets your requirements:

5-14 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

• T o encrypt and authenticate the data, select the Encapsulation Pr otocol (ESP) check box.

a. In the Encryption Algorithm box, click an option:

– For minimal security, DES – For medium security, Triple-DES (the default) – For maximum security, AES-128, AES-192, or AES-256 – For no security, Null

b. In the Hash Algorithm box, click an option:

– For minimal security, MD5 – For maximum security, SHA-1 (the default) – DES-MAC

c. In the Encapsulation box, accept Tunnel (the default) or click Transport.

Note: If you selected the Connect using check box and a gateway when you configured All Connections or a specific connection to be secured, Tunnel is the only option.

• To ensure that the data has not been altered, select the Authentication Protocol (AH)

check box.

a. In the Hash Algorithm box, click an option:

– For minimal security, MD5 – For maximum security, SHA-1 (the default)

b. In the Encapsulation box, accept Tunnel (the default) or click Transport.

Note: If you selected the Connect using check box and a gateway when you configured All Connections or a specific connection to be secured, Tunnel is the only option.

8. If, when you configured Security Policy, you selected Use Manual Keys in the Select Phase 1

Negotiation Mode group, the Inbound Keys and Outbound Keys buttons are enabled. Go to Enter manual keys.

9. Click Save.

Using the Security Policy Editor 5-15

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Edit a Distinguished Name

When you identify yourself (your computer) or a remote party in a connection, and you select the distinguished name identifier as the ID type, the client typically retrieves your distinguished name information from your personal certificate.

The distinguished name that the remote party identifies itself with must match the distinguished name entered in the Remote Party Identity and Addressing group. Enter the distinguished name exactly as it displays in the remote party's security policy, matching spelling, case, punctuation, and spaces.

1. In the Security Policy Editor, when performing one of these tasks, click Edit Name:

• Configuring a gateway

• Adding a redundant gateway

• Adding and configuring a connection

• Configuring Other Connections The Edit Distinguished Name dialog box opens.

2. You can enter subject information in LDAP—with distinguished names (DNs) and their

relative distinguished name (RDN) components—or non-LDAP (the default) format. Warning! Do not mix LDAP and non-LDAP format. This information may not translate

between the two. Your entry in one format may not display if you select the other format.

• To use the non-LDAP format, take these steps:

a. Make sure that the Enter Name in LDAP Format check box is clear. b. Enter the relevant personal information.

• To use the LDAP format, take these steps:

a. Select the Enter Name in LDAP Format check box. The box labels change to RDNs.

5-16 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the Subject Name in LDAP Format box, enter the relevant personal information, from

specific to general. Preface each type of information with the correct RDN component, and an equals sign (=):

RDN Information Example

CN First and last name CN=Kerry Smith OU Department; there can be multiple OUs OU=HR

OU=New York office O Company O=ispname Company S State (two-letter abbreviation) S=MD C Country C=US postalCode ZIP or postal code postalCode=21210 E Email address E=ksmith@ispname.com

c. To start a new line to enter another RDN component—for example, to add the O after an

OU on a new line—place the cursor in this box, and then press <Enter>.

3. Click Save.

Configure and Manage Connections

You can create and configure multiple connections for your security policy. Before you can configure a connection, make sure that you have identification information for the

Add and Configure a Connection

1. In the Security Policy Editor, configure Other Connections.

2. In the Network Security Policy list, if the My Connections folder does not appear, click

Options, point to Secure, and then click Specified Connections.

Using the Security Policy Editor 5-17

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

Click (or Edit>Add Connection). A highlighted New Connection entry displays in the

Network Security Policy list.

4. Rename the new connection.

5. In the Connection Security group, take these steps:

a. Click the security level:

• Secure secures communications for this connection. This is the default.

• Non-secure allows communications for this connection to pass through

unsecured, or not encrypted.

• Block prohibits all communications for this connection from passing through.

b. When the Secure security level is selected, the Only Connect Manually check box

appears. By default, the check box is clear; this means that the client establishes and terminates connections automatically as needed. You can, however, Initiate and end secure sessions manually.

5-18 Using the Security Policy Editor

202-10015-01

Reference Manual for the NETGEAR ProSafe VPN Client

In the Remote Party Identity and Addressing group, in the ID Type box at the top of the

group, click an identifier for the other party. Boxes become available below the ID Type box to enter information about the ID type you selected:

ID Type option In boxes below ID Type box, type…

IP Address IP address Domain Name domain name and IP address Email Address email address IP Subnet subnet address and mask IP Address Range first and last IP addresses for the range Distinguished Name IP address

To edit a distinguished name, go to Edit a distin guished name