NETGEAR ProSAFE VPN Client
Version 5.5 and Earlier Versions
User Manual
April 2013
202-10684-05
350 East Plumeria Drive
San Jose, CA 95134
USA
Support
Thank you for selecting NETGEAR products.
After installing your device, locate the serial number on the label of your product and use it to register your product at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR recommends registering your product through the NETGEAR website. For product updates and web support, visit http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR.
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. NETGEAR, Inc. All rights reserved.
Revision History

| Publication Part Number | Version | Publish Date | Comments |
|---|---|---|---|
| 202-10684-05 | – | April 2013 | • Entirely reorganized and rewrote the manual as a task-based manual. • Described new features in the following sections: VPN Client Features; Configure PKI Options; Software Setup Command Reference; Customize How the VPN Client Handles Readers and Certificates. • Described changes in the global parameters defaults (see Configure the Global VPN Parameters). |
| 202-10684-04 | v1.0 | April 2012 | Minor new features and improvements such as the Remote Sharing pane. |
| 202-10684-03 | v1.0 | May 30, 2011 | Major revision to document the new format of the user interface and some new features such as the enhanced capability to change languages. |
| 202-10684-02 | v1.1 | December 2010 | Minor editorial changes and addition of an index. |
| 202-10684-02 | v1.0 | December 2010 | Reorganization and revision of the entire manual. |
| 202-10684-01 | v1.0 | June 2010 | First publication. |
Chapter 1 Introduction
  How to Use This Manual
  VPN Client Features
  VPN Client Licenses (Lite and Professional) and Supported Features
  Linux Appliance Support
  References and Useful Websites

Chapter 2 Install the Software
  Software Installation
  Launch the VPN Client
  Trial Software Evaluation
  License Number Concepts
  Software Activation
  Software Activation Wizard
  Troubleshoot Software Activation
  Software Upgrade Concepts
  Software Uninstallation

Chapter 3 Overview of the User Interface
  Overview of the User Interface Components
  Configuration Panel Screen
  Main Menu
  Status Bar
  About Screen
  Options Screen
  Wizards
  System Tray Icon and System Tray Menu
  System Tray Pop-Up Screens
  Connection Panel Screen
  VPN Console Active Screen
  Keyboard Shortcuts

Chapter 4 Create VPN Tunnel Connections
  Use the Configuration Wizard to Create a VPN Tunnel Connection
  Open and Close VPN Tunnels with the User Interface
  High-Level Steps to Manually Create a VPN Tunnel Connection
  Manually Configure Authentication or Phase 1
  Configure Authentication
  Configure Advanced Authentication
  Manually Configure IP Security or Phase 2
  High-Level Steps to Specify a Certificate for User Authentication
  Configure the Global VPN Parameters

Chapter 5 Advanced Configuration Options
  Configure How VPN Tunnels Are Opened
  Configure a Tunnel to Open Automatically
  Configure a VPN Tunnel to Open before Windows Logon
  Open a Tunnel with a Double-Click on a Desktop Icon
  Configure Alternate DNS and WINS Servers
  Configure Scripts
  Configure Remote Sharing
  USB Mode
  Enable a New USB Drive with a VPN Configuration
  To Configure Tunnels to Open Automatically with a USB Drive
  Certificate Management
  Certificate Concepts
  Import Certificates
  View and Assign Certificates
  View Certificate Details
  Use Certificates from USB Tokens and Smart Cards
  Troubleshoot Certificates
  Configure PKI Options
  VPN Configuration Management
  Import a VPN Configuration
  Export a VPN Configuration
  Merge VPN Configurations
  Split a VPN Configuration
  Easily Import a VPN Configuration and Open a Tunnel
  Configure Access Control
  Configure the User Interface
  Configure VPN Client Startup Mode and Network Interface Detection
  Configure Languages

Chapter 6 VPN Client Software Setup and Network Deployment
  Software Setup and Deployment Concepts
  Software Setup File Example
  Software Setup Command Requirements
  Examples of Options that You Can Include in a Software Setup File
  Software Setup Command Reference
  Customize VPN Client Display and Access for End Users
  Display the Configuration Panel Screen after Startup
  Display the Connection Panel Screen after Startup
  Display the System Tray Menu Only after Startup
  Require a Password to Access the Configuration Panel Screen
  Limit Usage to the System Tray Menu and Require a Password to Access Other Screens
  Configure Which Items of the System Tray Menu Are Visible
  VPN Client Silent Software Setup Deployment to End Users
  Create a Silent VPN Client Software Setup
  Deploy a VPN Client Software Setup from a CD-ROM
  Deploy a VPN Client Software Setup from a Shortcut
  Deploy a VPN Client Software Setup Using a Batch Script
  Deploy a VPN Client Software Setup from a Network Drive
  Deliver a VPN Configuration to an End User
  Embed a VPN Configuration in a VPN Client Software Setup Deployment
  Export and Deploy a VPN Configuration
  Command-Line Interface Command Reference
  Customize the VPN Client Using CLI Commands
  Open or Close a VPN Tunnel
  Close All Active Tunnels and Close the VPN Client
  Import, Export, Add, or Replace the VPN Configuration
  Customize How the VPN Client Handles Readers and Certificates
  Customize the vpnsetup.ini File
  Customize the vpnconf.ini File

Chapter 7 Troubleshoot the VPN Client
  Overview
  Resolve Firewall Interference
  Typical Errors
  PAYLOAD_MALFORMED Error (Wrong Phase 1 [SA])
  INVALID_COOKIE Error
  no keystate Error
  received remote ID other than expected Error
  NO_PROPOSAL_CHOSEN Error (Phase 1)
  NO_PROPOSAL_CHOSEN Error (Phase 2)
  INVALID_ID_INFORMATION Error
  Other Common Problems
  There Is No Response to a Phase 1 Request
  The Console Shows Only SEND and RECV
  There Is No Response to a Phase 2 Requests
  A Tunnel No Longer Opens
  A VPN Tunnel Is Up but You Cannot Ping the Remote Endpoint
  View the Logs

Appendix A Configure the VPN Client with a NETGEAR Router
  Introduction
  Sample VPN Network Topology
  Configure the SRX5308 VPN Router
  Use the VPN Wizard to Configure a Client-to-Router VPN Connection
  Manually Configure a Client-to-Router VPN Connection
  Configure the VPN Client
  Use the Configuration Wizard to Configure the VPN Client
  Manually Configure the VPN Client
  Establish a VPN Connection

Index
1. Introduction
The VPN Client supports all Windows versions and allows you to establish secure connections over the Internet, for example, between a remote worker and the corporate Intranet. IPSec is the most secure way to connect to the enterprise because it provides strong user authentication and strong tunnel encryption with the ability to work with existing network and firewall settings.
This chapter includes the following sections:
• How to Use This Manual
• VPN Client Features
• VPN Client Licenses (Lite and Professional) and Supported Features
• Linux Appliance Support
• References and Useful Websites
Note: For more information about the topics covered in this manual, visit the support website at http://support.netgear.com.
Note: Firmware updates with new features and bug fixes are made available from time to time on downloadcenter.netgear.com. Some products can regularly check the site and download new firmware, or you can check for and download new firmware manually. If the features or behavior of your product do not match what is described in this guide, you might need to update your firmware.
How to Use This Manual
This manual is primarily intended for network administrators who need to implement the VPN Client for end users.
The manual explains how to use the user interface to configure the VPN Client. An exception is Chapter 6, VPN Client Software Setup and Network Deployment. That chapter describes how to use software setup commands, how to use CLI commands, and how to configure initialization files to preconfigure the VPN Client software setup before deployment to end users, to remotely install or upgrade the VPN Client, and to centrally manage VPN configurations.
VPN Client Features
The VPN Client has the following features.
Table 1. List of features

| Feature | Specifications |
|---|---|
| Windows versions | • Windows 2000 32-bit • Windows XP 32-bit SP3 • Windows Server 2003 32-bit • Windows Server 2008 32/64-bit • Windows Vista 32/64-bit • Windows 7 32/64-bit • Windows 8 32/64-bit |
| Languages | Arabic, Chinese (simplified), Czech, Danish, Dutch, English, Farsi, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Serbian, Slovenian, Spanish, Thai, and Turkish. |
| Connection modes | • Supports peer-to-peer connections (point-to-point connections between two computers that have the VPN Client installed). • Supports peer-to-gateway connections, for example, between a computer that has the VPN Client installed and a NETGEAR platform that supports VPN. • Supports connection types such as dial-up, DSL, cable, GSM/GPRS, 3G, 4G, and WiFi. • Allows IP range networking. • Runs in a Remote Desktop Protocol (RDP) connection session. |
| Tunneling protocols | • Full Internet Key Exchange (IKE) support: the IKE implementation is based on the OpenBSD 3.1 implementation (ISAKMPD). This provides the best compatibility with existing IPSec routers and gateways. • Full IPSec support: Main mode and aggressive mode; MD5, SHA-1, and SHA-256 hash algorithms; Change IKE port |
| NAT Traversal | • NAT Traversal Draft 1 (enhanced), Draft 2, and Draft 3 (full implementation), including: NAT OA support; NAT keep-alive; NAT-T aggressive mode • Forced NAT-Traversal mode |
| SIP/VoIP support | Support for Session Initiation Protocol (SIP) and Voice over IP (VoIP) traffic in a VPN tunnel on Windows Vista, Windows 7, and Windows 8. |
| Encryption | Provides the following encryption algorithms: • 3DES, DES, and AES 128/192/256-bit encryption • Support for Diffie-Hellman group 1 (768 bits), group 2 (1024 bits), group 5 (1536 bits), and group 14 (2048 bits) |
| User authentication | Supports the following user authentication methods: • Pre-shared keying and X509 certificate support. Compatible with most of the currently available IPSec gateways. • Extended authentication (AUTH). • Flexible certificates: PEM, PKCS#12 certificates can be directly imported from the user interface. Ability to configure one certificate per tunnel. • Hybrid authentication method. Certificate storage capabilities: • USB token and smart card support • Personal Certificate Store support • VPN configuration file. Remote login: • Gina mode supported on Windows 2000 and Windows XP to enable Windows logon through a VPN tunnel or logon to the local machine. • Credential providers supported on Windows Vista and Windows 7 to enable Windows logon through a VPN tunnel or logon to the local machine. |
| Dead Peer Detection | Dead Peer Detection (DPD) is an IKE extension (RFC 3706) for detecting a dead IKE peer. |
| Redundant Gateway | The Redundant Gateway feature provides a highly reliable secure connection to a corporate network. The Redundant Gateway feature allows the VPN Client to open an IPSec tunnel with an alternate gateway if the primary gateway is down or not responding. |
| Mode Config | Mode Config is an IKE extension that enables the VPN gateway to provide LAN configuration to the remote user’s machine (that is, the VPN Client). With Mode Config, you can access all servers on the remote network by using their network name (for example, \\myserver\marketing\budget) instead of their IP address. |
| USB drive | You can save VPN configurations and security elements (certificates, pre-shared key, and so on) to a USB drive to remove security information (for example, user authentication) from the computer. You can automatically open and close tunnels when plugging in or removing the USB drive. You can attach a VPN configuration to a specific computer or to a specific USB drive. |
| Smart card and USB token | The VPN Client can read certificates from smart cards to make full use of existing corporate ID or employee cards that carry digital credentials. You can easily import smart card ATR codes to enable new smart card and USB token models that are not yet in the software. |
| Log console | All phase messages are logged for testing or staging purposes. |
| Flexible user interface | • Silent install and invisible graphical interface allow network administrators to deploy solutions while preventing user misuse of configurations. • Small Connection Panel screen and VPN Configuration Panel screen can be available to end users separately with access control. • Drag and drop VPN configurations into the VPN Client. • Keyboard shortcuts to easily navigate the VPN Client. |
| Scripts | Scripts or applications can be launched automatically on events (for example, before and after a tunnel opens, or before and after a tunnel is closed). |
| Configuration management | • User interface and command-line interface (CLI). • Password-protected VPN configuration file. • Specific VPN configuration file can be provided within the setup. • Embedded demo VPN configuration to test and debug with online servers. • Ability to prevent software upgrade or uninstallation if protected by password. |
| Live update | Ability to check for online updates. |
VPN Client Licenses (Lite and Professional) and Supported Features
NETGEAR products can include a license for the VPN Client Lite or for a 30-day trial copy of the VPN Client Professional, or for both. The following table lists the features that are included in the VPN Client Lite and VPN Client Professional versions. When you launch the VPN Client, you can purchase a license for the VPN Client and activate (register) either the VPN Client Professional or VPN Client Lite.
The following table compares the features of the VPN Client Professional and VPN Client Lite.
Table 2. Feature comparison between VPN Client Lite and VPN Client Professional

| VPN Client Functions | | Lite | Pro |
|---|---|---|---|
| Configuration | Configuration Wizard | | |
| | X-Auth | | |
| | Mode Config | | |
| | DNS/WINS server manual configuration | | |
| | Hybrid mode | – | |
| | IKE/NAT-T ports can be modified | – | |
| Control | Connection Panel | | |
| | Console logs | | |
| | Disable split tunneling | | |
| | Dead Peer Detection | | |
| | System tray popup | | |
| | GUI protection (password) | – | |
| | Auto Open (Windows on startup on traffic detection) | – | |
| | Start VPN tunnel before Windows logon | – | |
| | Easy deployment by command-line interface (CLI) | – | |
| Advanced Features | Multitunnel configurations | – | |
| | Redundant Gateways | | |
| | Scripts | – | |
| | USB mode | – | |
Linux Appliance Support
The VPN Client supports several Linux IPSec VPN implementations, such as strongSwan and FreeS/WAN. The VPN Client is compatible with most of the IPSec routers and appliances that are based on those Linux implementations.
References and Useful Websites
These references and websites are for the ProSAFE VPN Client Lite and ProSAFE VPN Client Professional, both of which are developed by TheGreenBow.
• Access to VPNG01L product information and a 30-day trial software version: http://support.netgear.com/product/VPNG01L
• Access to VPNG05L product information and a 30-day trial software version: http://support.netgear.com/product/VPNG05L
• VPNG01L/VPNG05L FAQs: http://kb.netgear.com/app/answers/detail/a_id/14903
• TheGreenBow IPSec VPN Client: http://www.thegreenbow.com/vpn.html
• TheGreenBow VPN documentation and manuals: http://www.thegreenbow.com/vpn_doc.html
The documents that you can access from this link are based on TheGreenBow VPN Client. The NETGEAR ProSAFE VPN Client Lite and ProSAFE VPN Client Professional are developed by TheGreenBow, so configuration is likely identical or similar.
Note: For documentation about the legacy ProSAFE VPN Client that was developed by SafeNet, see the following NETGEAR sites:
• http://support.netgear.com/product/VPN01L
• http://support.netgear.com/product/VPN05L
2. Install the Software
This chapter describes installation of the VPN Client and related processes. The chapter includes the following sections:
• Software Installation
• Launch the VPN Client
• Trial Software Evaluation
• Software Activation
• Software Upgrade Concepts
• Software Uninstallation
Software Installation
The VPN Client software installation does not require specific information and is self-explanatory. After completing the installation, you are asked to reboot your computer. However, if your operating system is Windows 8, Windows 7, or Windows Vista, you can install the VPN Client software without rebooting your computer.
After you have rebooted and logged in to your computer, the VPN Client Activation Wizard screen displays. The information about how to proceed depends on whether you want to use a trial license or activate a permanent license:
• If you downloaded a free trial software version, see Trial Software Evaluation on page 14.
• If you purchased a permanent license, see Software Activation on page 17.
Launch the VPN Client
After you have installed the VPN Client software, there are three methods to launch the VPN Client:
• On your desktop, double-click the VPN Client shortcut.
• In the taskbar, click the VPN Client icon.
• From the Start menu, select the path to the VPN Client, for example:
Start > All Programs > NETGEAR > NETGEAR VPN Client.
Note: If your operating system is Windows 8, Windows 7 or Windows Vista, you can select a check box to automatically run the VPN Client after software installation.
The VPN Client creates new rules in the Windows firewall (Vista and later operating systems) so that VPN traffic is enabled: UDP ports 500 and 4500 are authorized both for authentication (phase 1) traffic and for IPSec (phase 2) traffic.
If you use an earlier Windows operating system or another firewall, you might have to create firewall rules to enable the VPN Client. For information, see Resolve Firewall Interference on page 133.
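One way to confirm that the firewall rules described above are present on Windows Vista and later, shown as an added example that is not part of the NETGEAR manual: a Python parser for the English-locale output of `netsh advfirewall firewall show rule name=all`. The sample output and the rule names are constructed, and matching inbound rules on LocalPort and outbound rules on RemotePort is an assumption, because the manual does not state rule directions.

```python
import re

VPN_UDP_PORTS = (500, 4500)  # ports the manual says the VPN Client uses

# Constructed sample of `netsh advfirewall firewall show rule name=all`
# output (English locale). The rule names are hypothetical.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            VPN Client IKE (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           500,4500
Action:                               Allow

Rule Name:                            VPN Client IKE (UDP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             UDP
LocalPort:                            500
RemotePort:                           Any
Action:                               Allow

Rule Name:                            VPN Client NAT-T (UDP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Protocol:                             UDP
LocalPort:                            4500
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Legacy UDP block (Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           4000-5000
Action:                               Block
"""

def parse_rules(text):
    """Turn netsh output into one dict per rule, keyed by the printed labels."""
    rules, current = [], None
    for line in text.splitlines():
        match = re.match(r"^([^:]+):\s*(.*)$", line)
        if not match:
            continue  # separator or blank line
        key, value = match.group(1).strip(), match.group(2).strip()
        if key == "Rule Name":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules

def port_matches(spec, port):
    """True if a netsh port value (Any, 500, 500,4500, 4000-5000) covers port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        high = high or low
        if low.isdigit() and high.isdigit() and int(low) <= port <= int(high):
            return True
    return False

def audit(text, ports=VPN_UDP_PORTS):
    """Map port -> direction -> action -> names of enabled rules that match."""
    report = {p: {d: {"Allow": [], "Block": []} for d in ("In", "Out")}
              for p in ports}
    for rule in parse_rules(text):
        direction, action = rule.get("Direction"), rule.get("Action")
        if (rule.get("Enabled") != "Yes" or direction not in ("In", "Out")
                or action not in ("Allow", "Block")
                or rule.get("Protocol", "Any") not in ("UDP", "Any")):
            continue
        # Assumption: inbound rules filter on LocalPort, outbound on RemotePort.
        field = "LocalPort" if direction == "In" else "RemotePort"
        for port in ports:
            if port_matches(rule.get(field, "Any"), port):
                report[port][direction][action].append(rule["Rule Name"])
    return report

def gaps(report):
    """(port, direction) pairs with no enabled Allow rule, or with a Block
    rule (in Windows Firewall an explicit Block overrides an Allow)."""
    return sorted((port, direction)
                  for port, directions in report.items()
                  for direction, hits in directions.items()
                  if not hits["Allow"] or hits["Block"])
```

On a live system, pass `audit()` the text captured from the netsh command instead of the sample. An outbound pair reported by `gaps()` can still pass traffic when the active profile's default outbound action is Allow and no Block rule matches.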
Trial Software Evaluation
The VPN Client is available as a free trial version. The evaluation period is limited to 30 days. After the evaluation period has expired, the VPN Client becomes disabled. By purchasing and activating a permanent license, you can convert the trial version to a permanent version and access the VPN Client indefinitely. For more information, see License Number Concepts on page 17 and Software Activation on page 17.
To use the VPN Client during the evaluation period:
1. In the taskbar, click the VPN Client icon.
For other methods to launch the VPN Client, see Launch the VPN Client on page 14. The Software Activation screen displays.
2. Select the I want to Evaluate the software radio button.
You do not need to enter a license number and email address to activate the trial software.
3. Click Next.
The Configuration screen displays, and the user interface is accessible.
During the evaluation period, the Software Activation screen displays each time that you start the VPN Client. The remaining days of the evaluation period are displayed next to the calendar icon on the right of the screen. You can also see the remaining time of the evaluation period on the About screen (see About Screen on page 26).
When the evaluation period expires, the following occurs:
• The I want to Activate the software radio button is automatically selected.
• The I want to Evaluate the software radio button is masked out.
• The message Evaluation period expired is displayed.
• The software is disabled.
When the evaluation period has expired, in order for you to use the VPN Client, you need to purchase and activate a permanent license. You can purchase and activate a permanent license while you are still in the evaluation period or after the evaluation period has expired.
To view the remaining time of the evaluation period from the VPN Client’s user interface:
From the main menu of the Connection Panel screen, select ? > About.
(When you launch the VPN Client, the Configuration Panel screen displays by default.)
The About screen displays, showing the number of days that remain in the evaluation period.
To buy a permanent license:
1. In the taskbar, click the VPN Client icon.
For other methods to launch the VPN Client, see Launch the VPN Client on page 14.
The Software Activation screen displays. The following figure shows the Software Activation screen after the evaluation period has expired.
2. Click the Buy a license link.
The NETGEAR website displays. Follow the instructions onscreen to purchase a permanent license.
3. After you have purchased a license, follow the procedure in Software Activation to activate the permanent license.
License Number Concepts
A license number is attached to a single computer after activation. However, you can deactivate the license number (see Software Uninstallation on page 22) and transfer it to another computer.
You can also change the license number at any time, but you first need to uninstall the VPN Client before you can reinstall the VPN Client with another license number.
After activation, save the license key number. You might need it again to reactivate your software if a problem has occurred. Also, keep the CD label for technical support.
Software Activation
When you purchase a permanent license, you are required to activate it before you can use the VPN Client.
Software Activation Wizard
In order for you to use the VPN Client beyond the evaluation period, you need to activate the VPN Client license on your computer. You need the license number or key and an email address.
To activate your software using the Activation Wizard:
1. Make sure that your computer is connected to the Internet.
2. Do one of the following:
   • If you did not yet launch the VPN Client:
     In the taskbar, click the VPN Client icon.
     For other methods to launch the VPN Client, see Launch the VPN Client on page 14.
   • If you already launched the VPN Client and the user interface is accessible:
     From the main menu on the Configuration Panel screen, select ? > Activation Wizard.
The Software Activation screen displays. The following figure shows the Software Activation screen when the evaluation period has not yet expired.
3. Select the I want to Activate the software radio button.
4. Enter your permanent license number.
5. Enter your email address.
Your email address is used to send you the activation confirmation.
Note: The email address might not be required. If the network administrator suppresses display of the Email address field during the software setup, the Software Activation Wizard does not display the Email address field. Suppression can be used to centralize all software activation confirmation emails to a single email address.
6. Click Next.
The Activation Wizard attempts to automatically connect to the activation server to activate the VPN Client software. The progress bar shows the activation progress.
When the activation is complete, the screen shows whether the activation was successful and displays messages associated with the outcome (see also Troubleshoot Software Activation on page 20).
7. (Optional, and only if an error occurs) Click the More information about this error link.
For troubleshooting information, see the following section, Troubleshoot Software Activation.
8. Click Run.
The VPN Client relaunches with the new license. The Configuration screen displays and the user interface is accessible.
Troubleshoot Software Activation
Errors can occur during the activation process. Each activation error type is displayed on the Software Activation screen.
You can resolve most errors by carefully checking the following:
• Verify that you entered the correct license number. (Error 031 indicates that the license number was not found.)
• Your license number could already be activated (Error 033). Contact NETGEAR support.
• Your license number cannot be used for activation (Error 034). Contact NETGEAR support.
• A firewall might block communication with the activation server (Error 053 or Error 054). Find out if a personal or corporate firewall is blocking communications.
• The activation server might be temporarily unreachable. Wait a few minutes and try again.
All activation errors are listed at www.netgear.com/support.
The following two figures show examples of activation errors.
Figure 1. Activation Error 31
Figure 2. Activation Error 34
You need to reactivate the VPN Client after each software upgrade. Depending on your maintenance contract, a software upgrade activation might be rejected. Carefully read the recommendations in this section.
To check the status of the VPN Client’s software release:
From the main menu of the Connection Panel screen, select ? > Check for Update.
The NETGEAR website displays. You can check if the VPN Client is running the latest software release or download a new software release.
The success of a software upgrade activation depends on your maintenance contract:
• During the maintenance period (which starts from your first activation), all software upgrades are allowed.
• If the maintenance period has expired or if you have no maintenance contract, only maintenance software upgrades are allowed. Maintenance software upgrades are identified by the last digit of a version.
Example: Your maintenance period has expired and your current software release is 3.12. You can upgrade to releases 3.13 through 3.19 but not to release 3.20, 3.30, 4.00, or 5.00.
If you want to subscribe or extend your maintenance period, contact NETGEAR by email at sales@netgear.com.
Note: The VPN configuration is saved during a software upgrade and automatically reenabled within the new release.
Note: If you have specified a password for access control (see Configure Access Control on page 92), you need to enter it to be able to upgrade the software.
To transfer a license to a new computer, you need to uninstall the software from the old computer. Deactivation of the license on the old computer occurs automatically if the computer is connected to the Internet. The license can then be used to activate the VPN Client on a new computer.
If your computer is not connected to the Internet and you need to inactivate your license, contact NETGEAR support by email at support@netgear.com, or call the technical center to inactivate your license.
There are several methods to uninstall the VPN Client software. Depending on your Windows operating system, these methods might differ slightly from the following procedures.
Tip: After uninstallation, save the license key number. You might need it again to reactivate your software. Also, keep the CD label for technical support.
To uninstall the VPN Client through the Control Panel:
1. Make sure that your computer is connected to the Internet.
2. Select Start > Control Panel.
3. Double-click Programs and Features. (In some Windows versions, you need to double-click Add or Remove Programs.)
4. Right-click the NETGEAR VPN Client and select Uninstall. (In some Windows versions, you need to select Remove.)
To uninstall the VPN Client through the All Programs menu:
1. Make sure that your computer is connected to the Internet.
2. Select Start > All Programs.
3. Select the path to the VPN Client, for example:
Start > All Programs > NETGEAR > NETGEAR VPN Client.
4. Select the uninstall option.
3. Overview of the User Interface
This chapter describes the user interface for the VPN Client. The chapter includes the following sections:
• Overview of the User Interface Components
• Configuration Panel Screen
• System Tray Icon and System Tray Menu
• System Tray Pop-Up Screens
• Connection Panel Screen
• VPN Console Active Screen
• Keyboard Shortcuts
Overview of the User Interface Components
The VPN Client is fully autonomous and can start and stop tunnels without user intervention, depending on traffic to certain destinations. However, it requires a VPN configuration.
The VPN Client configuration is defined in a VPN configuration file. The software user interface allows creating, modifying, saving, exporting, or importing the VPN configurations together with security elements such as a pre-shared key or certificates.
The user interface consists of the following components:
• Configuration Panel
• Connection Panel
• Main menus
• System tray icon and pop-up screens
• Status bar
• Wizards
• Preferences
When you launch the VPN Client, the Configuration Panel screen displays by default. (The following figure shows configured VPN tunnels, which would be absent if you launched the Configuration Panel for the first time.)
Figure 3. Configuration Panel screen (callouts: Main menu, Status bar)
The Configuration Panel screen enables you to configure VPN tunnels, and consists of the following components:
• Main menu (at the top of the screen), showing the Configuration, Tools, and ? menu selections.
• The Save and Apply buttons in the left column of the screen:
- Save. The VPN tunnel is saved for immediate and future use. The VPN tunnel is saved to the startup configuration. The next time that you start the VPN Client, the configuration is present.
- Apply. The VPN tunnel is saved for immediate use only. The VPN tunnel is not saved to the startup configuration. The next time that you start the VPN Client, the configuration is no longer present.
• A tree list pane (in the left column of the screen) that contains the Global Parameters button and all authentication phase names (that is, phase 1 names) with their associated IPSec configuration names (that is, phase 2 names or tunnel names).
• A configuration pane (in the right column of the screen) that shows the associated settings for each tree level.
• Status bar (at the bottom of the screen).
Note: For information about restricting access to the Configuration Panel screen, see Configure Access Control on page 92.
For information about hiding the Configuration Panel link from the system tray menu, see Configure the User Interface on page 94.
The main menu lets you make the following selections:
• Configuration. Lets you import and export a VPN configuration, select the location of the VPN configuration (locally stored on the computer or on a USB drive), access the Configuration Wizard, and quit the VPN Client.
• Tools. Lets you access the Connection Panel, access the Console screen, reset the IKE settings, and access the Option screen to configure miscellaneous preferences such as the way the VPN Client starts and the language of the VPN Client.
• ?. Lets you access online help, check for software updates, connect to the NETGEAR website to purchase a license online, access the Activation Wizard, and access the About screen.
Note: Some selections that are available from the Configuration menu are also available by right-clicking a component of the tree list pane in the Configuration Panel screen.
The status bar at the bottom displays the following information:
• The radio button indicates whether the VPN Client is ready for use. (Green indicates ready; gray indicates not ready.)
• The text to the right of the radio button provides the status of the VPN Client (for example, VPN Client Ready, or Apply VPN configuration).
• The progress bar at the very right displays the progress when you apply or save the configuration.
The About screen that you can access by clicking the question mark (?) on the main menu provides the VPN Client software release number and software activation information. There is also a URL to the NETGEAR website.
Figure 4. About screen
This screen is available in the VPN Client Professional but not in the VPN Client Lite.
The Options screen, which you access by selecting Tools > Options from the main menu, has four tabs that provide access to the following panes:
• View pane. From the View pane, you can configure access control to the user interface (see Configure Access Control on page 92) and change the appearance of the user interface (see Configure the User Interface on page 94).
• General pane. From the General pane, you can configure the startup mode and configure detection of the state of the network interface (see Configure VPN Client Startup Mode and Network Interface Detection on page 95).
• PKI Options pane. From the PKI Options pane, you can configure how certificates are checked, accessed, and read (see Configure PKI Options on page 84).
• Language pane. From the Language pane, you can select the language for the user interface and modify the default translations (see Configure Languages on page 97).
There are several wizards available:
• VPN Configuration Wizard. Access this wizard by selecting Configuration > Wizard from the main menu (for more information, see Use the Configuration Wizard to Create a VPN Tunnel Connection on page 36).
• Software Activation Wizard. Access this wizard by selecting ? > Activation Wizard from the main menu (for more information, see Software Activation Wizard on page 18).
• USB Mode Wizard. Access this wizard by selecting File > Move to USB Drive from the main menu (for more information, see USB Mode on page 68).
• Certificate Export Wizard. Access this wizard in the following way:
1. On the Certificate pane, select View Certificate.
2. On the View Certificate screen, click the Details tab.
3. Select Copy to File.
For more information, see View Certificate Details on page 79.
After you have launched the VPN Client (see Launch the VPN Client on page 14), the VPN Client displays an icon in the system tray that indicates whether a tunnel is opened, using a color code.
Green icon: at least one VPN tunnel opened.
Purple icon: no VPN tunnel opened.
Figure 5. VPN Client icon colors in the system tray
To open the system tray menu:
Right-click the purple VPN Client icon in the system tray. The system tray menu displays:
By default, the system tray menu shows the following links from top to bottom:
• Configured tunnels with their status. You can open or close tunnels by selecting Open '<gateway name-tunnel name>' or Close '<gateway name-tunnel name>'.
• Console. Clicking the link opens the VPN Console Active screen.
• Connection Panel. Clicking the link opens the Connection Panel screen, which lets you open and close VPN tunnels and displays information about VPN tunnels.
• Configuration Panel. Clicking the link opens the Configuration Panel screen, which lets you create and configure VPN tunnels.
• Quit. Clicking the link closes all established VPN tunnels, then closes the VPN Client.
Note: The Quit link for the system tray menu is disabled in the VPN Client Lite. For the VPN Client Professional, you can remove this link during the software setup through the menuitem software setup command (see Configure Which Items of the System Tray Menu Are Visible on page 111).
To hide one or more links from the system tray menu:
1. From the main menu, select Tools > Options.
The Options screen displays. The View pane is selected by default.
2. In the Show in systray menu section of the screen, configure which links are hidden in the system tray menu:
• Console. Clear the check box to hide the Console link from the system tray menu.
• Connection Panel. Clear the check box to hide the Connection Panel link from the system tray menu.
• Configuration Panel. Clear the check box to hide the Configuration Panel link from the system tray menu.
Note: The Quit check box is disabled. You cannot disable the Quit link in the system tray menu from the View pane. For information about disabling the Quit link in the system tray menu, see Configure Which Items of the System Tray Menu Are Visible on page 111.
3. Click OK.
When a VPN tunnel opens or closes, by default, a small pop-up screen comes out from the system tray icon and shows the following:
• VPN tunnel opening with different phases. The pop-up screen disappears after 6 seconds unless you move the mouse over the screen.
Figure 6. Tunnel opened pop-up screen
• VPN tunnel closing, followed by tunnel closed.
Figure 7. Tunnel closed pop-up screen
• If the VPN tunnel cannot open, the screen might display an error or warning with a link to more information.
Figure 8. Pre-shared key mismatched pop-up screen