1. NETGEAR VPN Firewall Product Introduction


Transcription:

NETGEAR VPN NETGEAR 6 http://www.netgear.com.cn - 1 -

NETGEAR VPN... 4 1.1 VPN...4 1.2 Dynamic Domain Name Service...4 1.3 Netgear VPN...4 Netgear VPN... 6 2.1 FVS318 to FVS318 IKE Main...7 2.1.1 A VPN MAIN...7 2.1.2 B VPN MAIN...11 2.2 Remote to FVS318 IKE Main / Aggressive...15 2.2.1 Main Remot-to-LAN VPN...16 2.2.2 Aggressive Remote-to-LAN VPN...21 2.3 Remote to FQDN FVS318 (IKE Main IP )...28 2.3.1 FVS318 VPN Main...28 2.3.2 VPN Main...32 2.4 FVL328 to FVL328 IKE Main...33 2.4.1 A IP VPN MAIN...34 2.4.2 B IP VPN Main...38 2.5 Remote to FVL328 Aggressive...44 2.5.1 FVL328 VPN Aggressive...44 2.5.2 VPN Aggressive...49 2.6 Remote to FQDN FVL328(IKE Aggress IP)...54 2.6.1 FVL328 Aggressive VPN...54 2.6.2 VPN Aggressive...57 2.7 FVS318 to FVL328 IKE Main...58 2.7.1 FVS318 VPN(MAIN )...58 2.7.2 FVL328 IP VPN Main...62 2.8 FQDN FVS318 to FVL328 IKE Main/Aggressive...68 2.8.1 IKE Main VPN...68 2.8.2 IKE Aggressive VPN...74 VPN... 77 3.1 IPsec...77 3.2 Internet (IKE)...77 3.2.1 IKE...77 3.2.2 IKE...78 3.2.3 IKE 1 - IKE...78 3.2.4 IKE 2 - IPsec...78 3.2.4 IKE...79 3.3 IKE PSK...82 3.3.1...82 3.3.2 Pre-Shared, PSK...82 3.3.3...82 http://www.netgear.com.cn - 2 -

3.4 IPsec (ESP/AH)...83 3.4.1 (Authentication Header)...83 3.4.2 ESP (Encapsulating Security Payload)...83

NETGEAR VPN 1.1 VPN VPN Internet VPN PPTP L2TP IPSec VPN IPSec IPSEC VPN VPN Client to Gateway Intranet VPN Gateway to Gateway Extranet VPN Gateway to Gateway / VPN VPN Internet 1.2 Dynamic Domain Name Service VPN, VPN IP ( IP ) IP IP VPN IP. NETGEAR FQDN DDNS NETGEAR DDNS( ) VPN IP VPN NETGEAR VPN ADSL, VPN, 1.3 Netgear VPN NETGEAR VPN http://www.netgear.com.cn - 4 -

NETGEAR SOHO VPN NERGEAR VPN FVL328 FVS328 FVS318 FWG114P FVM318 FWAG114 VPN01L VPN05L 1 10/100M 8 10/100M SPI VPN (100 IPSEC VPN ) 1 10/100M 8 10/100M SPI VPN (50 IPSEC VPN ) 1 10M 8 10/100M VPN (8 IPSEC VPN ) 1 10/100M 4 10/100M 802.11g 54Mbps VPN (2 IPSEC VPN ) 1 10/100M 8 10/100M 11M VPN (102 IPSEC VPN ) 1 10/100M 4 10/100M VPN (2 IPSEC VPN ) NETGEAR VPN ( ) http://www.netgear.com.cn - 5 -

VPN FVS318 Version 2.3 FVS328 Version 1.0 Release 09 FVL328 Version 2.0 Release 02 FWG114P Version 2.0Release 10 FVM318 Version 1.1 FWAG114 Version 1.0.26 RC4 IPSec VPN Client Software Netgear Prosafe vpn clinet 10.1.1(build 10) Http://www.NETGEAR.com FVM318 VPN FVS318 FWAG114 FWG114P FVS328 VPN FVL328 FVS318 FVL328 VPN Netgear VPN NETGEAR VPN 8 8 VPN 8 FVS318 to FVS318 (IKE Main) Remote to FVS318 (IKE Main / Aggressive) Remote to FQDN FVS318 (IKE Main) FVL328 to FVL328 (IKE Main) Remote to FVL328 (IKE Main / Aggressive) Remote to FVL328 (IKE Aggressive) FVS318 to FVL328 (IKE Main) FQDN FVS318 to FVL328 (IKE Main/Aggressive) IP IP IP IP IP IP IP IP IPSec IKE VPN IPSec Manual VPN VPN www.vpnc.com http://www.netgear.com.cn - 6 -

2.1 FVS318 to FVS318 IKE Main NETGEAR VPN LAN-to-LAN ( IP VPN) FVS318 to FVS318 MAIN VPN VPN VPN : : NETGEAR- A NETGEAR- B IP NETGEAR- A NETGEAR- B LAN-TO-LAN FVS318-TO-FVS318 MAIN LAN-t o-lan Gateway-to-Gateway (Client-to-Gateway ) IKE CA IPSEC FVS318 version 2.3 FVS318 version 2.3 ISP IP ISP IP VPN LAN-TO-LAN MAIN LAN-TO-LAN VPN VPN VPN www.vpnc.com VPN : Gateway-to-Gateway MAIN LAN-TO-LAN VPN VPN NETGEAR FVS318 Gateway A IP 192.168.0.1/24. ISP IP NETGEAR FVL328 Gateway B IP 192.168.0.1/24. ISP IP 2.1.1 A VPN MAIN FVS318 http://www.netgear.com.cn - 7 -

1. IE,FVS318 IP http://192.168.0.1 admin password. FVS318 LAN IP DNS IP NETGEAR FVS318 v2.3 VPN 2. VPN Settings. VPN ( VPN ). Edit VPN Settings MAIN Mode http://www.netgear.com.cn - 8 -

NETGEAR FVS318 v2.3 VPN Settings ( ) MAIN Mode Connection Name VPN. to-gateway B. NETGEAR FVS318 Gateway A Local IPSec Identifier. Remote IPSec Identifier 0.0.0.0 local identifier Remote IPSec Identifier Local IPSec Identifier 0.0.0.0 the remote identifier Tunnel can be accessed from a subnet from local addres. Local LAN start IP Address LAN ( 192.168.0.0). Local LAN IP Subnetmask ( 255.255.255.0 ). Tunnel can access a subnet from local address Remote LAN Start IP Address GatewayB ( 172.10.10.0) Remote LAN IP Subnetmask ( 255.255.255.0) Remote WAN IP or FQDN FVS318 Gateway B IP ( 218.18.10.18) http://www.netgear.com.cn - 9 -

NETGEAR FVS318 v2.3 VPN MAIN Mode Secure Association, Main Mode. Perfect Forward Secrecy, Enabled. Encryption Protocol, 3DES. PreShared Key, netgear.. Key Life, 28800 seconds.( ) IKE Life, 86400 seconds( ). NetBIOS VPN NETBIOS Enable, Microsoft Apply. VPN Settings NETGEAR FVS318 v2.3 VPN VPN http://www.netgear.com.cn - 10 -

3. VPN Settings, Enable. 2.1.2 B VPN MAIN FVS318 1. IE,FVS318 IP http://192.168.0.1 admin password. FVS318 LAN IP DNS IP NETGEAR FVS318 v2.3 VPN 2. VPN Settings. VPN ( VPN ). Edit VPN Settings MAIN Mode

NETGEAR FVS318 v2.3 VPN Settings ( ) MAIN Mode Connection Name VPN. to-gateway A. NETGEAR FVS318 Gateway B Local IPSec Identifier. Remote IPSec Identifier 0.0.0.0 local identifier Remote IPSec Identifier Local IPSec Identifier 0.0.0.0 the remote identifier Tunnel can be accessed from a subnet from local addres. Local LAN start IP Address LAN ( 172.10.10.0). Local LAN IP Subnetmask ( 255.255.255.0 ). Tunnel can access a subnet from local address Remote LAN Start IP Address GatewayA ( 192.168.0.0) Remote LAN IP Subnetmask ( 255.255.255.0) Remote WAN IP or FQDN FVS318 Gateway A IP ( 61.144.62.250) http://www.netgear.com.cn - 12 -

NETGEAR FVS318 V2.3 VPN MAIN Mode Secure Association, Main Mode. Perfect Forward Secrecy, Enabled. Encryption Protocol, 3DES. PreShared Key, netgear.. Key Life, 28800 seconds.( ) IKE Life, 86400 seconds( ). NetBIOS VPN NETBIOS Enable, Microsoft Apply. VPN Settings NETGEAR FVS318 v2.3 VPN VPN http://www.netgear.com.cn - 13 -

3. VPN Settings, Enable Gateway A Gateway B VPN PING ping 172.10.10.1 t. Ping 192.168.0.1 t VPN

2.2 Remote to FVS318 IKE Main / Aggressive Remote to FVS318 MAIN Aggressive IP ) VPN VPN VPN VPN : : NETGEAR- A IP NETGEAR- A Remote-TO-LAN Remote-TO-FVS318 MAIN Aggressive Client-to-Gateway(LAN-to-LAN Gateway-to-Gateway) IKE CA IPSEC FVS318 version 2.3 ISP.( Modem ADSL ISDN ISP IP OK VPN LAN-TO-LAN Remote-TO-LAN VPN VPN VPN www.vpnc.com VPN : Remote-to-Gateway MAIN Remote-TO-LAN VPN NETGEAR FVS318 Gateway A IP 192.168.0.1/24. ISP IP ISP http://www.netgear.com.cn - 15 -

2.2.1 Main Remot-to-LAN VPN 2.2.1.1 FVS318 VPN MAIN FVS318 1. IE,FVS318 IP http://192.168.0.1 admin password. FVS318 LAN IP DNS IP NETGEAR FVS318 v2.3 VPN 2 VPN Settings. VPN ( VPN ). Edit VPN Settings MAIN Mode http://www.netgear.com.cn - 16 -

NETGEAR FVS318 va1.4 F VPN Settings ( ) MAIN Mode Connection Name VPN. Remote-to-318. NETGEAR FVS318 Gateway A Local IPSec Identifier. Remote IPSec Identifier 0.0.0.0 local identifier Remote IPSec Identifier Local IPSec Identifier 0.0.0.0 the remote identifier Tunnel can be accessed from a subnet from local addres. Local LAN start IP Address LAN ( 192.168.0.0). Local LAN IP Subnetmask ( 255.255.255.0 ). Tunnel can access Remote WAN IP or FQDN Remote WAN IP or FQDN IP ( IP 0.0.0.0) http://www.netgear.com.cn - 17 -

NETGEAR FVS318 v2.3 VPN MAIN Mode Secure Association, Main Mode. Perfect Forward Secrecy, Enabled. Encryption Protocol, 3DES. PreShared Key, netgear.. Key Life, 28800 seconds.( ) IKE Life, 86400 seconds( ). NetBIOS VPN NETBIOS Enable, Microsoft Apply. VPN Settings NETGEAR FVS318 v2.3 VPN VPN 3 VPN Settings, Enable. http://www.netgear.com.cn - 18 -

2.2.1.2 VPN Main NETGEAR VPN 1. Netgear Prosafe VPN Client v 10.1.1 2. Netgear Prosafe VPN Client Security Policy Edit Main

My Identity Pre-Shared-Key 318 netgear. VPN

ping 192.168.0.1 t. VPN Route Status Show VPN Status VPN VPN 2.2.2 Aggressive Remote-to-LAN VPN 2.2.2.1 FVS318 VPN Aggressive FVS318 1. IE,FVS318 IP http://192.168.0.1 admin password.

FVS318 LAN IP DNS IP NETGEAR FVS318 v2.3 VPN Aggressive Mode Connection Name VPN. Remote-to-318. NETGEAR FVS318 Gateway A Local IPSec Identifier. Remote IPSec Identifier Aggressive fvs_local identifier NETGEAR FVS318 Gateway A Remote IPSec Identifier. Remote IPSec Identifie fvs_remote Remote identifier. Tunnel can be accessed from a subnet of local addres. Local LAN start IP Address LAN IP FVS318 Gateway A ( 192.168.0.0). Local LAN IP Subnetmask ( 255.255.255.0). Tunnel can access The remote WAN IP or FQDN. Remote WAN IP or FQDN IP 0.0.0.0 ( 0.0.0.0) http://www.netgear.com.cn - 22 -

NETGEAR FVS318 v2.3 VPN Aggressive Mode Secure Association, Aggressive Mode. Perfect Forward Secrecy, Enabled. Encryption Protocol, 3DES. Key Group Diffie-Hellman Group1 PreShared Key, netgear.. Key Life, 28800 seconds.( ) IKE Life, 86400 seconds( ) NetBIOS VPN, NETBIOS Enable Apply VPN Settings NETGEAR FVS318 va1.4 VPN VPN http://www.netgear.com.cn - 23 -

3 VPN Settings, Enable. 2.2.1.2 VPN Aggressive 1. Netgear Prosafe VPN Client v10.1.1 2. Netgear Prosafe VPN Client v 10.1.1 Security Policy Edit Aggressive Mode

My Identity Pre-Shared-Key 318 netgear. My Identity My Identity Gateway A Remote Identity VPN

3. ping 192.168.0.1 t. VPN Route Status Show VPN Status VPN

VPN

2.3 Remote to FQDN FVS318 (IKE Main IP ) NETGEAR VPN VPN IP IP VPN IP 2.2 2.2 FVS318 IP FVS318 IP 2.3.1 FVS318 VPN Main 1 ngddns

.ng.iego.net

2 Gateway A FVS318 DDNS Oray.net A Netgear-a.ng.iego.net 3 IP Router Status

PING IP DOS ping netgeqar-a.ng.iego.net IP GATEWAY IP

IP Gateway A 4 VPN VPN 2.2 2.3.2 VPN Main 2.1 Remote Party Identity and Addressing ID IP Address Gateway Hostname ping 192.168.0.1 -t. VPN Route Status Show VPN Status VPN VPN

2.4 FVL328 to FVL328 IKE Main NETGEAR VPN LAN-to-LAN VPN ( IP VPN ) FVL328 to FVL328 MAIN VPN VPN VPN : : NETGEAR- A NETGEAR- B IP NETGEAR- A NETGEAR- B LAN-TO-LAN FVL328-TO-FVL328 MAIN LAN-to-LAN Gateway-to-Gateway (Client-to-Gateway ) IKE CA IPSEC FVL328 Version 2.0 Release 02 FVL328 Version 2.0 Release 02 ISP IP ISP IP VPN LAN-TO-LAN MAIN LAN-TO-LAN VPN VPN VPN www.vpnc.com VPN : Gateway-to-Gateway MAIN LAN-TO-LAN VPN gateway-to-gateway VPN NETGEAR FVL328 Gateway A IP LAN 192.168.0.0 /24 IP 192.168.0.1/24, ISP IP. ( ) NETGEAR FVL328 Gateway B IP IP LAN :172.10.10.0 /24. Gateway B (Internet) ISP IP. ( ) IKE : Main mode 3DES TripleDES http://www.netgear.com.cn - 33 -

MD5 Key group 2 (1024 bits) pre-shared secret of "netgear" SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying IKE TripleDES SHA-1 ESP tunnel mode MODP group 2 (1024 bits) Perfect forward secrecy for rekeying SA lifetime of 3600 seconds (one hour) with no kbytes rekeying,, IPv4 172.10.10.0/24 2.4.1 A IP VPN MAIN FVS318 NETGEAR VPN 1. IE,FVL328 IP http://192.168.0.1 admin password. FVL328 LAN IP DNS IP NETGEAR FVL328 v2.0 r02 VPN 2. VPN IKE Policies VPN Settings. IKE Policies Add IKE Policy http://www.netgear.com.cn - 34 -

: NETGEAR FVL328 v2.0 R02 VPN Settings Policy Name. VPN. IKE to-gateway A Policy Name to-gatewayb Direction/Type Both Directions Exchange Mode Main Mode Local Identity Type WAN IP Address( Local Identity Data IP ) Remote Identity Type, Remote WAN IP ( Remote Identity Data IP ) Encryption Algorithm, 3DES Authentication Algorithm, MD5 Authentication Method, Pre-shared Key Pre-Shared Key field, Netgear. Diffie-Hellman (DH) Group, Group 2 (1024 Bit) SA Life Time field, 28800 Apply. IKE Policies http://www.netgear.com.cn - 35 -

NETGEAR FVL328 v2.0 R02 VPN VPN 3. VPN Policies VPN Settings. VPN Policies Add Auto Policy. VPN Add Manual Policy. VPN Auto Policy. NETGEAR FVL328 v2.0 R02 VPN Policy

VPN to-gatewayb Policy Name to-gateway B IKE policy, IKE Policy to-gatewayb IKE Policy. IKE Keep Alive IKE VPN Remote VPN Endpoint Address Type Ip Address Address Date Remote VPN Endpoint Address Date Gateway A (218.18.10.18 ) SA Life Time (Seconds) 86400 SA Life Time (Kbytes) 0 IPSec PFS. PFS Key Group Group 1 (768 Bit). Traffic Selector Local IP Subnet address. Start IP Address LAN IP B ( 192.168.0.0) Subnet Mask B ( 255.255.255.0) Traffic Selector Remote IP Subnet address. Start IP Address LAN IP A ( 172.10.10.0) Subnet Mask LAN A ( 255.255.255.0) NETGEAR FVL328 v2.0 R02 VPN Policy Enable Encryption ESP Configuration Enable Encryption. ESP Configuration Encryption Algorithm 3DES. Enable Authentication ESP Configuration Enable Authentication ESP Configuration Authentication Algorithm SHA-1. NETBIOS Enable NETBIOS Enable http://www.netgear.com.cn - 37 -

Apply VPN Policies NETGEAR VPN NETGEAR FVL328 v2.0 r02 VPN (Post Configuration) 4 VPN Policies, Enable 2.4.2 B IP VPN Main FVS318 1. IE,FVL328 IP http://192.168.0.1 admin password. FVL328 LAN IP DNS IP

NETGEAR FVL328 v2.0 r02 VPN 2 VPN IKE Policies VPN IKE Policies. Add. IKE Policy

NETGEAR FVL328 v2.0 r02ike Policy Policy Name. VPN. IKE to-gatewaya Policy Name to-gatewaya Direction/Type Both Directions Exchange Mode Main Mode.. Local Identity Type WAN IP Address( Local Identity Data IP ). Remote Identity Type, Remote WAN IP ( Remote Identity Data IP ). Encryption Algorithm, 3DES. Authentication Algorithm, SHA-1. Authentication Method, Pre-shared Key. Pre-Shared Key field, Netgear. Diffie-Hellman (DH) Group, Group 2 (1024 Bit) SA Life Time field, 28800 Apply. IKE Policies http://www.netgear.com.cn - 40 -

NETGEAR FVL328 v2.0 r02 IKE Policies FVL328 IKE Policy IKE Policies. 3. VPN VPN Policies Add Auto Policy. VPN Add Manual Policy VPN Auto Policy NETGEAR FVL328 VPN v2.0 r02

VPN to-gatewaya Policy Name to- GatewayA IKE policy, IKE Policy to-gatewaya IKE Policy Remote VPN Endpoint Address Type Ip Address Address Date Remote VPN Endpoint Address Date Gateway A (61.144.62.250 ) SA Life Time (Seconds) 86400 SA Life Time (Kbytes) 0 IPSec PFS. PFS Key Group Group 1 (768 Bit) Traffic Selector Local IP Subnet address. Start IP Address LAN IP B ( 172.10.10.0) Subnet Mask B ( 255.255.255.0) Traffic Selector Remote IP Subnet address. Start IP Address LAN IP A IP ( 192.168.0.0) Subnet Mask LAN A ( 255.255.255.0) : NETGEAR FVL328 VPN v2.0 r02 AH Configuration Authentication Algorithm, SHA-1. Enable Encryption ESP Configuration Enable Encryption. ESP Configuration Encryption Algorithm 3DES. ESP Configuration Enable Authentication Enable Authentication ESP Configuration Authentication Algorithm MD5. NETBIOS Enable NETBIOS Enable http://www.netgear.com.cn - 42 -

Apply VPN Policies NETGEAR VPN : NETGEAR FVL328 v2.0 r02 VPN (Post Configuration) 4 VPN Policies, Enable Gateway A Gateway B VPN PING ping 172.10.10.1 t. ping 192.168.0.1 -t VPN FVL328 VPN : NETGEAR FVL328 v2.0 r02 VPN http://www.netgear.com.cn - 43 -

2.5 Remote to FVL328 Aggressive NETGEAR VPN IP ) VPN Remote to FVL328 Remote Gateway Aggressive VPN VPN VPN VPN : NETGEAR- A IP NETGEAR- A Remote-TO-LAN Remote-TO-FVL328 MAIN Aggressive Client-to-Gateway(LAN-to-LAN Gateway-to-Gateway) IKE CA IPSEC FVL328 version 2.0 Release 02 Netgear Prosafe vpn client version 10.1.1 ISP IP OK VPN LAN-TO-LAN Remote-to-LAN VPN VPN VPN www.vpnc.com VPN : Remote-to-Gateway Aggressive Remote-TO-LAN VPN VPN NETGEAR FVL328 Gateway A IP LAN 192.168.0.0/24. IP 192.168.0.1/24, IP ISP ISP 2.5.1 FVL328 VPN Aggressive FVS318 1. IE,FVL328 IP http://192.168.0.1 admin password. FVL328 LAN IP DNS IP http://www.netgear.com.cn - 44 -

:NETGEAR FVL328 v2.0 r02 VPN 2. VPN IKE Policies VPN, IKE Policies. Add. IKE Policy.

:NETGEAR FVL328 v2.0 r02 IKE Policy Policy Name. VPN IKE Remote-328 Policy Name Remote-328 Direction/Type Remote Access Exchange Mode Aggressive Mode Local Identity Type Fully Qualified Domain Name( Local Identity Data FVL328 fvl_local ) Remote Identity Type, Fully Qualified Domain Name ( Remote Identity Data FVL328 fvl_remote ) Encryption Algorithm, 3DES Authentication Algorithm, SHA-1 Authentication Method, Pre-shared Key http://www.netgear.com.cn - 46 -

Pre-Shared Key field, Netgear. KEY Diffie-Hellman (DH) Group, Group 2 (1024 Bit) SA Life Time field, 180 Apply. IKE Policies NETGEAR FVL328 v2.0 r02 IKE Policies 3. Settings, VPN Policies VPN Policies Add Auto Policy. VPN Add ManualPolicy. VPN Auto Policy.

NETGEAR FVL328 VPN v2.0 r-2 VPN Remote-328 Policy Name Remote- 328 IKE policy, IKE Policy Remote-328 IKE Policy. Remote VPN Endpoint Address Type Ip Address Remote VPN Endpoint Address Date 0.0.0.0 Gateway B Ip Address SA Life Time (Seconds) 86400 SA Life Time (Kbytes) 0 IPSec PFS. PFS Key Group Group2(1024Bit). Traffic Selector Local IP Subnet address. LAN IP B I Start IP Address ( 192.168.0.0) http://www.netgear.com.cn - 48 -

B ( 255.255.255.0) Subnet Mask Traffic Selector Remote IP ANY NETGEAR FVL328 VPN v2.0 r02 AH Configuration Authentication Algorithm, MD5. Enable Encryption ESP Configuration Enable Encryption. ESP Configuration Encryption Algorithm 3DES. Enable Authentication ESP Configuration Enable Authentication ESP Configuration Authentication Algorithm SHA-1. NETBIOS Enable NETBIOS Enable Apply VPN Policies NETGEAR FVL328 v2.0 r02 VPN (Post Configuration) 4 VPN Policies, Enable 2.5.2 VPN Aggressive 1 Netgear Prosafe VPN Client v 10.1.1 http://www.netgear.com.cn - 49 -

2 Netgear Prosafe VPN Client v 10.1.1 Security Policy Edit Aggressive Mode

My Identity Pre-Shared-Key 318 netgear. My Identity My Identity Gateway A Remote Identity

VPN 3 ping 192.168.0.1 t. VPN

VPN VPN Status VPN

2.6 Remote to FQDN FVL328(IKE Aggress IP) NETGEAR VPN 2.3 2.5 2.5 FVL328 IP FVL328 IP 2.6.1 FVL328 Aggressive VPN 1 ngddns

.ng.iego.net

2 Gateway A FVS318 DDNS Oray.net A Netgear-a.ng.iego.net 3 Dynamic Dns Show Status

4 VPN VPN 2.5 2.6.2 VPN Aggressive 2.5 Remote Party Identity and Addressing ID IP Address Gateway Hostname ping 192.168.0.1 -t. VPN Route Status Show VPN Status VPN VPN

2.7 FVS318 to FVL328 IKE Main NETGEAR VPN FVS318 to FVL328 LAN-to-LAN VPN ( IP MAIN VPN VPN VPN : : NETGEAR- A NETGEAR- B IP NETGEAR- A NETGEAR- B LAN-TO-LAN FVS318-TO-FVS318 MAIN LAN-to-LAN Gateway-to-Gateway (Client-to-Gateway ) IKE CA IPSec FVS318 version 2.3 FVL328 version2.0 Release 02 ISP IP ISP IP : VPN LAN-TO-LAN MAIN LAN-TO-LAN VPN VPN VPN www.vpnc.com VPN : Gateway-to-Gateway MAIN LAN-TO-LAN VPN gateway-to-gateway NETGEAR FVS318 Gateway A IP LAN 192.168.0.0/24. IP 192.168.0.1/24, ISP IP. ( ) NETGEAR FVL328 Gateway B IP IP LAN :172.10.10. /24. Gateway B (Internet) ISP IP. ( ) 2.7.1 FVS318 VPN(MAIN ) FVS318 1. IE,FVS318 IP http://192.168.0.1 admin password. http://www.netgear.com.cn - 58 -

FVS318 LAN IP DNS IP : NETGEAR FVS318 v2.3 VPN 2. VPN Settings. VPN ( VPN ). Edit VPN Settings MAIN Mode

NETGEAR FVS318 v2.3 VPN Settings MAIN Mode Connection Name VPN. to-gateway B. NETGEAR FVS318 Gateway A Local IPSec Identifier. Remote IPSec Identifier 0.0.0.0 local identifier Remote IPSec Identifier Local IPSec Identifier 0.0.0.0 the remote identifier Tunnel can be accessed from a subnet from local addres. Local LAN start IP Address LAN ( 192.168.0.0). Local LAN IP Subnetmask ( 255.255.255.0 ). Tunnel can access a subnet from local address Remote LAN Start IP Address GatewayB ( 172.10.10.0) Remote LAN IP Subnetmask ( 255.255.255.0) Remote WAN IP or FQDN FVS318 Gateway B IP ( 218.18.10.18) http://www.netgear.com.cn - 60 -

NETGEAR FVS318 v2.3 VPN MAIN Mode Secure Association, Main Mode. Perfect Forward Secrecy, Enabled. Encryption Protocol, 3DES. PreShared Key, netgear.. Key Life, 28800 seconds.( ) IKE Life, 86400 seconds( ). NetBIOS VPN NETBIOS Enable, Microsoft Apply. VPN Settings :NETGEAR FVS318 v2.3 VPN VPN http://www.netgear.com.cn - 61 -

3. VPN Settings, Enable. 2.7.2 FVL328 IP VPN Main FVS318 1. IE,FVL328 IP http://192.168.0.1 admin password. FVL328 LAN IP DNS IP NETGEAR FVL328 v2.0 r02 VPN 2 VPN IKE Policies VPN IKE Policies. Add IKE Policy

NETGEAR FVL328 v2.0 r02ike Policy Policy Name VPN. IKE to- GatewayA Policy Name to-gatewaya Direction/Type Both Directions Exchange Mode Main Mode.. Local Identity Type WAN IP Address( Local Identity Data IP ). Remote Identity Type, Remote WAN IP ( Remote Identity Data IP ). Encryption Algorithm, 3DES. Authentication Algorithm, SHA-1. Authentication Method, Pre-shared Key. Pre-Shared Key field, Netgear. Diffie-Hellman (DH) Group, Group 2 (1024 Bit). SA Life Time field, 28800 http://www.netgear.com.cn - 63 -

Apply. IKE Policies NETGEAR VPN NETGEAR FVL328 v1.4 IKE Policies FVL328 IKE Policy IKE Policies 3. VPN Policies VPN Settings. VPN Policies Add Auto Policy. VPN Add Manual Policy. VPN Auto Policy.

NETGEAR FVL328 VPN v2.0 r02 VPN to GatewayA Policy Name to- GatewayA IKE policy, IKE Policy to-gatewaya IKE Policy. Remote VPN Endpoint Address Type Ip Address Address Date Remote VPN Endpoint Address Date Gateway A (61.144.62.250 ) SA Life Time (Seconds) 86400 SA Life Time (Kbytes) 0 IPSec PFS. PFS Key Group Group 1 (768 Bit). Traffic Selector Local IP Subnet address. Start IP Address LAN IP B ( 172.10.10.0) Subnet Mask B ( 255.255.255.0) http://www.netgear.com.cn - 65 -

Traffic Selector Remote IP Subnet address. Start IP Address LAN IP A IP ( 192.168.0.0) Subnet Mask LAN A ( 255.255.255.0) : NETGEAR FVL328 VPN v2.0 r02 AH Configuration Authentication Algorithm, MD5. Enable Encryption ESP Configuration Enable Encryption. ESP Configuration Encryption Algorithm 3DES. ESP Configuration Enable Authentication Enable Authentication ESP Configuration Authentication Algorithm MD5. NETBIOS Enable NETBIOS Enable Apply VPN Policies : NETGEAR FVL328 v2.0 r02 VPN (Post Configuration) 4 VPN Policies, Enable http://www.netgear.com.cn - 66 -

Gateway A Gateway B VPN PING ping 172.10.10.1 t. ping 192.168.0.1 -t VPN FVL328 VPN : NETGEAR FVL328 v2.0 r02 VPN

2.8 FQDN FVS318 to FVL328 IKE Main/Aggressive LAN-to-LAN VPN ( IP VPN ) FVS318 to FVL328 Main/Aggressive Mode VPN LAN-TO-LAN MAIN VPN LAN-to-LAN Gateway-to-Gateway (Client-to-Gateway ) VPN : IKE CA IPSEC : NETGEAR- A FVS318 version 2.3 NETGEAR- B FVL328 version 2.0 Release02 IP NETGEAR- A ADSL IP NETGEAR- B ADSL IP : VPN LAN-TO-LAN LAN-TO-LAN VPN VPN VPN www.vpnc.com VPN : Gateway-to-Gateway VPN gateway-to-gateway VPN NETGEAR FVS318 IP LAN 192.168.0.0/24. IP 192.168.0.1, ADSL netgear-a.ng.iego.net NETGEAR FVL328 IP LAN 172.10.10.0/24. IP 172.10.10.1 ADSL rain.ng.iego.net 2.8.1 IKE Main VPN 2.8.1.1 FVS318 VPN FVS318 ADSL IKE MAIN VPN http://www.netgear.com.cn - 68 -

2.7 FVS318toFVL328 IKE Main FVS318 FVL328 2.7 IP IP 1 FVS318 ngddns.ng.iego.net

2 FVS318 DDNS Oray.net A Netgear-a.ng.iego.net 3 IP Router Status

PING IP DOS ping netgeqar-a.ng.iego.net IP GATEWAY IP

IP Gateway A 4 FVS318 Remote WAN IP or FQDN IP 2.9.1.2 FVL328 VPN 1 FVS318 2 Gateway A FVS318 DDNS Oray.net A Netgear-a.ng.iego.net

3 Dynamic Dns Show Status 4 VPN To-GatewayA VPN Policy

2.7 Remote VPN Endpoint IP 2.8.2 IKE Aggressive VPN Aggressive FVS318 FVS328 VPN 2.8.2.1 FVS318 1 VPN Setting

Aggressive IP 2.8.2.2 FVL328 1. IKE Policy

Aggressive IP 2 VPN Policy VPN Main 2.9.1.2 FVL328 VPN

VPN 3.1 IPsec IPSec IETF Internet Engineering Task Force IP Ipsec VPN VPN Internet (IKE) IPsec (AH/ESP/ ) IKE VPN IP SA IKE SA SA Ipsec 2 SA IKE IKE IP IPsec ESP, AH IPsec ESP/AH VPN IKE IKE IKE Ipsec Ipsec VPN 3.2 Internet (IKE) IKE IKE VPN IKE IPsec SA IKE SA Ipsec (ESP/AH/ ) / / SA SA ESP AH 2 SA ESP AH 4 SA 3.2.1 IKE http://www.netgear.com.cn - 77 -

IKE 1 IKE IKE 2 Ipsec 1 VPN IKE Ipsec KB IPSec IKE 2 Ipsec 1 IKE 3.2.2 IKE IKE IPsec VPN VPN Ipsec IKE IKE VPN IKE 3.2.3 IKE 1 - IKE IKE 1 Pre-Shared 2 VPN VPN IKE VPN Pre-Shared Pre-Shared VPN Pre-Shared 3.2.4 IKE 2 - IPsec 2 Ipsec 2 1 Diffie-Hellman VPN PFS 2 Diffie-Hellman 2 VPN http://www.netgear.com.cn - 78 -

3.2.4 IKE VPN VPN 2 VPN IKE Endpoint identification / Tunnel/transport mode / Main/aggressive mode IKE IKE encryption IKE DH IKE DH group PFS / / PFS on/off/identities Ipsec IPsec encryption Ipsec IPsec lifetime / Local and Remote networks/hosts Remote gateway IPsec (ESP/AH/ ) IPsec protocol (ESP/AH/both) IKE IKE authentication IKE IKE lifetime IPsec DH IPsec DH group Ipsec IPsec authentication Endpoint Identification VPN Pre- Shared 16 VPN VPN Pre-Shared Pre-Shared Diffie-Hellman / Local and Remote Networks/Hosts IP VPN LAN LAN LAN 0.0.0.0/0 / Tunnel/Transport mode Ipsec 2 / VPN http://www.netgear.com.cn - 79 -

VPN VPN Ipsec Remote Gateway / none VPN VPN IP none IP IP VPN / Main/Aggressive Mode IKE 2 Diffie-Hellman PFS IPsec IPsec Protocols Ipsec 2 AH Authentication Header ESP Encapsulating Security Payload ESP ESP ESP (Encapsulating Security Payload) AH ESP AH IP IP AH (Authentication Header) IKE IKE Encryption IKE VPN AES Blowfish Twofish Cast128 3DES DES DES VPN DES DES IKE IKE Authentication IKE VPN SHA1 MD5 http://www.netgear.com.cn - 80 -

IKE DH (Diffie-Hellman) IKE Diffie-Hellman VPN Diffie-Hellman DH group 1 (768-bit) DH group 2 (1024-bit) DH group 5 (1536-bit) DH IKE IKE Lifetime IKE KB 1 IKE VPN PFS PFS IKE 1 IKE 2 PFS PFS 2 PFS 2 PFS 2 1 SA 2 PFS IPsec DH IKE Diffie-Hellman Diffie-Hellman PFS IPsec AH ESP Ipsec VPN AES Blowfish Twofish Cast128 3DES DES Ipsec IPsec Authentication ESP Ipsec VPN SHA1 MD5 http://www.netgear.com.cn - 81 -

Ipsec IPsec Lifetime VPN VPN 3.3 IKE PSK 3.3.1 VPN IKE VPN IKE IKE IPsec SA IKE IKE / VPN IKE 3.3.2 Pre-Shared, PSK Pre-Shared VPN IKE IKE Pre-Shared PSK IKE Pre-Shared Pre-Shared VPN PSK PSK PSK PSK 3.3.3 VPN http://www.netgear.com.cn - 82 -

VPN pre-shared pre-shared VPN 3.4 IPsec (ESP/AH) Ipsec VPN IKE Ipsec 2 AH ESP 3.4.1 (Authentication Header) AH IP MAC IP IP AH IP AH AH IP AH IP IP 3.4.2 ESP (Encapsulating Security Payload) ESP IP http://www.netgear.com.cn - 83 -

ESP IP ESP IP IP ESP / AH ESP IP ESP ESP IP
