202-10006-05, June 2005

NETGEAR, Inc.

4500 Great America Parkway 
Santa Clara, CA 95054 USA
Phone 1-888-NETGEAR

Reference Manual for the 
Model Wireless ADSL 
Firewall Router DG834G

Summary of Contents for DG834G

Page 1: ...202-10006-05, June 2005. NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA, Phone 1-888-NETGEAR. Reference Manual for the Model Wireless ADSL Firewall Router DG834G ...

Page 2: ...lar installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: reorient or relocate the receiving antenna; increase the separation between the equipment and receiver; connect the equipment into an outlet on...

Page 3: ...r compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement: This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines, aimed at preventing radio interference i...


Page 5: ...; Protocol Support 2-3; Virtual Private Networking (VPN) 2-5; Content Filtering 2-5; Auto Sensing and Auto Uplink LAN Ethernet Connections 2-5; What's in the Box 2-5; The Router's Front Panel 2-6; The Router's Rear Panel 2-7. Chapter 3, Connecting the Router to the Internet: What You Need Before You Begin 3-1; ADSL Microfilter Requirements 3-1; ADSL Microfilter 3-1; ADSL Microfilter with Built-In Splitter 3-2 ...

Page 6: ...d Uses PPPoE 3-16; Internet Connection Requires Login and Uses PPPoA 3-17; Internet Connection Does Not Require a Login 3-18; ADSL Settings 3-19. Chapter 4, Wireless Configuration: Considerations for a Wireless Network 4-1; Observe Performance, Placement and Range Guidelines 4-1; Implement Appropriate Wireless Security 4-2; Understanding Wireless Settings 4-3; How to Set Up and Test Basic Wireless Connectiv...

Page 7: ...bound Rule Example: Blocking Instant Messenger 5-9; Order of Precedence for Rules 5-11; Services 5-12; How to Define Services 5-12; Setting Times and Scheduling Firewall Services 5-13; How to Set Your Time Zone 5-13; How to Schedule Firewall Services 5-14. Chapter 6, Managing Your Network: Backing Up, Restoring or Erasing Your Settings 6-1; How to Back Up the Configuration to a File 6-1; How to Restore the Con...

Page 8: ... 7-3; Disable Port Scan and DOS Protection 7-3; Respond to Ping on Internet WAN Port 7-3; MTU Size 7-3; Configuring LAN IP Settings 7-3; DHCP 7-5; Use Router as DHCP Server 7-5; Reserved IP Addresses 7-6; How to Configure LAN TCP/IP Settings 7-7; Configuring Dynamic DNS 7-7; How to Configure Dynamic DNS 7-8; Using Static Routes 7-9; Static Route Example 7-9; How to Configure Static Routes 7-10; Universal Plug a...

Page 9: ...VPN Tunnel 8-33; Deleting a VPN Tunnel 8-35; How to Set Up VPN Tunnels in Special Circumstances 8-35; Using Auto Policy to Configure VPN Tunnels 8-36; Configuring VPN Network Connection Parameters 8-36; Example of Using Auto Policy 8-41; Using Manual Policy to Configure VPN Tunnels 8-48. Chapter 9, Troubleshooting: Basic Functioning 9-1; Power LED Not On 9-2; Test LED Never Turns On or Test LED Stays On 9-2 ...

Page 10: ...ion Protocol B-8; Related Documents B-9; Domain Name Server B-9; IP Configuration by DHCP B-9; Internet Security and Firewalls B-10; What is a Firewall? B-10; Stateful Packet Inspection B-10; Denial of Service Attack B-11; Ethernet Cabling B-11; Category 5 Cable Quality B-11; Inside Twisted Pair Cables B-12; Uplink Switches, Crossover Cables and MDI/MDIX Switching B-13. Appendix C, Preparing Your Network: Prepari...

Page 11: ...g the Readiness of Your Internet Account C-18; Are Login Protocols Used? C-18; What Is Your Configuration Information? C-18; Obtaining ISP Configuration Information for Windows Computers C-19; Obtaining ISP Configuration Information for Macintosh Computers C-20; Restarting the Network C-21. Appendix D, Wireless Networking Basics: Wireless Networking Overview D-1; Infrastructure Mode D-1; Ad Hoc Mode (Peer-to-P...

Page 12: ...vate Networking: What is a VPN? E-1; What Is IPSec and How Does It Work? E-2; IPSec Security Features E-2; IPSec Components E-2; Encapsulating Security Payload (ESP) E-3; Authentication Header (AH) E-4; IKE Security Association E-4; Mode E-5; Key Management E-6; Understand the Process Before You Begin E-6; VPN Process Overview E-7; Network Interfaces and Addresses E-7; Interface Addressing E-7; Firewalls E-8; Setting ...

Page 13: ...Up the Client-to-Gateway VPN Configuration (Telecommuter Example) F-14; Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer's Main Office F-14; Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office F-16; Monitoring the VPN Tunnel (Telecommuter Example) F-25; Viewing the PC Client's Connection Monitor and Log Viewer F-25; Viewi...


Page 15: ...es the following typographical conventions. This guide uses the following formats to highlight special messages. This manual is written for the DG834G wireless router according to these specifications. Table 1-1, Typographical Conventions: italics for emphasis, books, CDs, URL names; bold for user input; fixed-width for screen text, file and server names, extensions, commands, IP addresses. Note: This format is used to highlight i...

Page 16: ...for browsing forwards or backwards through the manual one page at a time. A button that displays the table of contents and an index button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual. A button to access the full NETGEAR, Inc. online knowledge base for the product model. Links to PDF versions of the full manual and individual chap...

Page 17: ...were viewing opens in a browser window. Note: Your computer must have the free Adobe Acrobat Reader installed in order to view and print PDF files. The Acrobat Reader is available on the Adobe Web site at http://www.adobe.com. Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting thi...


Page 19: ...e computer. With minimum setup you can install and use the router within minutes. The DG834G wireless router provides multiple Web content filtering options, plus e-mail browsing activity reporting and instant alerts. Parents and network administrators can establish restricted access policies based on time of day, Web site addresses and address keywords. They can also share high-speed ADSL Internet acce...

Page 20: ...unwanted traffic from the Internet to your LAN. Blocks access from your LAN to Internet locations or services that you specify as off-limits. Logs security incidents: the DG834G will log security events such as blocked incoming traffic, port scans, attacks and administrator logins. You can configure the router to e-mail the log to you at specified intervals. You can also configure the router to send immed...

Page 21: ...required for your type of ISP account. Remote management: the router allows you to log in to the Web management interface from a remote location via the Internet. For security you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. Note: Limit remote management to the specific addresses you administer from rather than leaving it open to everyone; a nonstandard port only reduces noise from casual scans and does not by itself protect the login. Diagnostic functions: the router incorporates built-in diagnostic functions such as Ping ...

Page 22: ...btains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. Classical IP (RFC 1577): some Internet service providers (in Europe, for example) use Classical IP in their ADSL services. In such cases the router is able to use the Classical IP address from the ISP. PPP over Ethernet (PPPoE): PPP over Ethernet is a protocol for connecting remote hosts to the Internet ov...

Page 23: ...access to Internet content by screening for keywords within Web addresses. You can configure the router to log and report attempts to access objectionable Internet sites. Auto Sensing and Auto Uplink LAN Ethernet Connections: with its internal 4-port 10/100 switch, the DG834G can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. The local LAN ports are autosensi...

Page 24: ... Warranty and Support Information cards. If any of the parts are incorrect, missing or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair. The Router's Front Panel: the DG834G Wireless ADSL Firewall Router front panel, shown below, contains status LEDs (Figure 2-1, DG834G Front Panel). You can use the LEDs to verify ...

Page 25: ... ready and running. Internet LED: Blink Amber indicates ADSL training; On Green, the Internet port has detected a link with an attached device; Blink Green, data is being transmitted or received by the Internet port. Wireless LED: On indicates that the Wireless port is initialized; Off, the Wireless Access Point is turned off. LAN LED (On Green, Blink Green, On Amber, Blink Amber, Off): the Local port has detected a link with ...

Page 26: ...Viewed from left to right, the rear panel contains the following elements: AC power adapter outlet; four Local Ethernet RJ-45 LAN ports for connecting the router to the local computers; Factory Default Reset push button; ADSL port for connecting the router to an ADSL line; wireless antenna. ...

Page 27: ...hrough your router: 1. The router connected to an ADSL line and a computer properly connected to the router, as explained below. 2. Active Internet service, such as that provided by an ADSL account. 3. The Internet Service Provider (ISP) configuration information for your DSL account. Note: If you purchased the DG834G in a country where a microfilter is not included, you must acquire one. ADSL Microfilter Requi...

Page 28: ...lter with built-in splitter when there is a single wall outlet which must provide connectivity for both the DG834G and telephone equipment. Ethernet Cabling Requirements: the DG834G wireless router connects to your Ethernet LAN via twisted pair cables. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your router. Computer Hardw...

Page 29: ...you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below. If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer. For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter and click Properties. For Windows 2000/XP, op...

Page 30: ...__ Fixed or Static IP Address: if you have a static IP address, record the following information. The manual offers 169.254.141.148 as an example of a validly formatted address; note that 169.254.0.0/16 is reserved for link-local autoconfiguration (RFC 3927) and is not an address an ISP would assign, so treat it only as an illustration of the format. Fixed or Static Internet IP Address ___.___.___.___; Router IP Address ___.___.___.___; Subnet Mask ___.___.___.___. ISP DNS Server Addresses: if you were given DNS server addresses, fill in the following: Primary DNS S...

Page 31: ...n to the router. 4. Connect to the Internet. Follow the steps below to connect your router to your network. Before you begin, locate the ADSL configuration information from your Internet Service Provider (ISP). 1. CONNECT ADSL FILTERS ON THE PHONE LINES. a. You need to install a filter on every telephone or device that shares the same phone number as your ADSL router. Select the filter that came with your rou...

Page 32: ...onnect the one-line filter to the splitter and connect the phone to the filter. 2. CONNECT THE DG834G TO THE ADSL FILTER. Note: Improperly connecting a filter to your DG834G wireless router will block your ADSL connection. a. Turn off your computer. b. Connect the ADSL port of the DG834G to the ADSL port (B) of the two-line filter (Figure 3-5, Connecting the DG834G wireless router to an ADSL microfilter and p...

Page 33: ... the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. d. Connect the power adapter to the router and plug it in to a power outlet. Verify the following: the power light is lit after turning on the router; the ADSL link light is solid green, indicating a link has been established ...

Page 34: ... on configuring for DHCP, please see Appendix C, Preparing Your Network. a. Connect to the router by typing http://192.168.0.1 in the address field of Internet Explorer or Netscape Navigator (Figure 3-7, Connect to the router). A login window opens as shown below (Figure 3-8, Login window). b. When prompted, enter admin for the user name and password for the password, both in lower case letters. These are factory defaults shared by every unit, so change the password in the Set Password menu before the router is exposed to the Internet. After logging in yo...

Page 35: ... 3-9 for instructions. b. Manually choose which type of Internet connection you have and configure it. See Manually Configuring Your Internet Connection on page 3-14 for instructions. These options are described below. In either case, unless your ISP assigns your configuration automatically via DHCP, you need the configuration parameters from your ISP that you recorded in Record Your Internet Co...

Page 36: ...opriate configuration page. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your router and the ADSL line. When the connection is properly made, the router's Internet LED should be on. 5. The ADSL settings for the multiplexing method and VPI/VCI will update with the preset defaults. The multiplexing method preset default settings will usually work. On...

Page 37: ... Wizard determines that your Internet service account uses a login protocol such as PPP over ATM (PPPoA), you will be directed to the PPPoA page shown in Figure 3-11 below (Figure 3-11, Setup Wizard menu for PPPoA login accounts). Enter your login user name and password. These fields are case-sensitive. Wizard-Detected Dynamic IP Account Setup: if the Setup Wizard determines that your Internet service accou...

Page 38: ...izard menu for IP over ATM (Classical IP) address. 1. Enter your assigned IP Address and Subnet Mask. This information should have been provided to you by your ISP. You need the configuration parameters from your ISP that you recorded in Record Your Internet Connection Information on page 3-3. 2. Enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. ...

Page 39: ...r ATM (IPoA, RFC 1483 Routed) according to the information from your ISP. If you choose IPoA, the router will be able to detect the gateway IP address, but you still need to provide the router IP address. 3. Enter your assigned IP Address, Subnet Mask and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You need the configuration parameters from your ...

Page 40: ...r network. Your router automatically connects to the Internet when one of your computers requires access. It is not necessary to run a dialer or login application such as Dial-Up Networking or Enternet to connect, log in or disconnect. These functions are performed by the router as needed. To access the Internet from any computer connected to your router, launch a browser such as Microsoft Internet Expl...

Page 41: ...talian. After you change the language, the remaining setup screens change to the language of your choice. 2. Select No to manually configure your router connection. 3. Click Next. 4. Manually configure the router in the Basic Settings menu shown in Figure 3-15. 5. Follow the instructions below according to the encapsulation method and whether your Internet connection requires a login. The following methods a...

Page 42: ... minutes. This determines how long the router keeps the Internet connection active after there is no Internet activity from the LAN. Entering an Idle Timeout value of zero means never log out. 5. When a connection uses PPPoE, the IP address is normally assigned automatically. However, the DG834G allows this address to be set manually. Select Get Automatically from ISP if your ISP assigns your IP address. S...

Page 43: ...ng an Idle Timeout value of zero means never log out. 5. When a connection uses PPPoA, the IP address is normally assigned automatically. However, the DG834G allows this address to be set manually. Select Get Automatically from ISP if your ISP assigns your IP address. Select Use Static IP Address if your ISP gave you a statically assigned address. 6. The DNS server is used to look up site addresses based o...

Page 44: ... if your ISP uses DHCP to assign your IP address. Your ISP will automatically assign this address. If you know that your ISP does not automatically transmit DNS addresses to the router during login, select Use These DNS Servers and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. A DNS server is a host on the Internet that translates I...

Page 45: ...ternatively, select Use This MAC Address and enter it. 7. Click Apply to save your settings. 8. Click the Test button to test your Internet connection. If the NETGEAR Web site does not appear within one minute, refer to Chapter 9, Troubleshooting. ADSL Settings: the default settings of your DG834G Wireless ADSL Firewall Router will work fine for most ISPs. However, some ISPs use a specific Multiplexing Method...


Page 47: ...ce or range of your wireless connection can vary significantly based on the physical placement of the wireless firewall. The latency, data throughput performance and notebook power consumption also vary depending on your configuration choices. For best results, place your firewall: near the center of the area in which your computers will operate; in an elevated location such as a high shelf where the wi...

Page 48: ...e covered in detail in this chapter. Deploy the security features appropriate to your needs (Figure 4-1, DG834G wireless data security options). There are several ways you can enhance the security of your wireless network. Restrict Access Based on MAC Address: you can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the DG834G. Note: a client's MAC address travels unencrypted in every frame it sends and can be copied by anyone in range, so this is an obstacle, not a substitute for encryption. Restricting access by MAC address adds an ob...

Page 49: ...es data security. WEP Shared Key authentication and WEP data encryption deter only casual eavesdropping: weaknesses in WEP's use of RC4 have been public since 2001 and let a passive listener recover the key with freely available tools, so use WEP only for clients that cannot do WPA. WPA-PSK (Wi-Fi Protected Access): WPA data encryption provides data security. Its strong authentication and dynamic per-packet keying make it far more robust than WEP, but WPA-PSK is only as strong as the passphrase, because the key exchange can be captured and the passphrase guessed offline. Because this is a new standard, wireless device driver and software availability may...

Page 50: ...e in the Wireless Settings menu. Wireless Network Name (SSID): the Service Set ID, also known as the wireless network name. Enter a value of up to 32 alphanumeric characters. The same Name (SSID) must be assigned to all wireless devices in your network. The default SSID is NETGEAR, but NETGEAR strongly recommends that you change your network Name to a different value. (If you use WPA-PSK, the SSID also salts the key derived from your passphrase, so a unique SSID defeats guess tables precomputed for common default names.) ...

Page 51: ...less Access Point: this field lets you turn off or turn on the wireless access point built in to the router. The wireless icon on the front of the router will also display the current status of the Wireless Access Point, to let you know if it is disabled or enabled. The wireless access point must be enabled to allow wireless stations to access the Internet. Allow Broadcast of Name (SSID): if enabled, the S...

Page 52: ... With Open Network Authentication and 64- or 128-bit WEP Data Encryption, the DG834G does perform 64- or 128-bit data encryption but does not perform any authentication. Security Encryption (WEP) Key: these key values must be identical on all wireless devices in your network (key 1 must be the same for all, key 2 must be the same for all, and so on). The DG834G provides two methods for creating WEP encryption...

Page 53: ... Select the region in which the wireless interface will operate. WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): WPA Pre-Shared Key uses a pre-shared key to perform the authentication and generate the initial data encryption keys. Then it dynamically varies the encryption key. For a full explanation of WPA, see WPA Wireless Security on page D-8. Note: Not all wireless adapters support WPA. Furthermore, clie...

Page 54: ...gram the wireless adapter of your computers to have the same SSID and channel that you configured in the router. Check that they have a wireless link and are able to obtain an IP address by DHCP from the firewall. Once your computers have basic wireless connectivity to the firewall, you can configure the advanced wireless security functions of the firewall. How to Restrict Wireless Access to Your N...

Page 55: ...is feature is turned off. If you turn this feature on, wireless devices will not see your DG834G. (Suppressing the broadcast hides the name only from casual browsing; your own clients still send the SSID in their probe and association frames, so this is not an access control.) You must configure your wireless devices to match the wireless network name (SSID) you configure in the DG834G wireless router. Note: The SSID of any wireless access adapters must match the SSID you configure in the DG834G Wireless ADSL Firewall Router. If they do not match, you will not get a wireless connect...

Page 56: ... is not currently connected, you can enter its address manually. Enter the MAC address of the authorized computer. The MAC address is usually printed on the wireless card, or it may appear in the router's DHCP table. The MAC address will be 12 hexadecimal digits. Click Add to add your entry. You can add several stations to the list, but the entries will be discarded if you do not click Apply. Note: You can ...

Page 57: ...settings described below will prevent a determined intruder from eavesdropping on your wireless data communications. Also, if you are using the Internet for such activities as purchases or banking, those Internet sites use another level of highly secure encryption called SSL. You can tell if a web site is using SSL because the web address begins with HTTPS rather than HTTP. Authentication Type Selectio...

Page 58: ...ection but leaves your wireless data fully exposed. 64- or 128-bit WEP: when 64-Bit WEP or 128-Bit WEP is selected, WEP encryption will be applied. If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all computers and access points in your network. There are two methods for creating WEP encryption keys. Passphrase: enter a word or gro...

Page 59: ...ing. 6. Enter the encryption keys. You can manually or automatically program the four data encryption keys. These values must be identical on all computers and Access Points in your network. Automatic: enter a word or group of printable characters in the Passphrase box and click the Generate button. The four key boxes will be automatically populated with key values. Manual: enter hexadecimal digits (any com...

Page 60: ...o configure WPA-PSK, follow these steps. 1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up. 2. Click Wireless Settings in the Setup section of the main menu of the DG834G. 3. Choose the WPA-PSK radio button. The WPA-PSK menu will open. 4. Enter the pre-shared key in the Pass...
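As an added example (not NETGEAR code and not from this manual), the Python below shows what the WPA-PSK passphrase entered in step 4 on page 60 becomes, and why the remarks on pages 49, 50 and 53 about passphrase strength and the default SSID matter. WPA-PSK derives the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations; that is the IEEE 802.11i algorithm, and the passphrase "password" with SSID "IEEE" is the test vector published in the standard's annex. The guess loop stands in for an attacker checking candidates against a captured 4-way handshake: here the derived key itself is compared, which is a simplification (a real tool verifies the handshake MIC), and the candidate list is constructed for the example.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK (the PMK) from a passphrase and SSID as
    IEEE 802.11i specifies: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes.
    A 64-hex-digit string is taken as a raw key, as most routers allow."""
    if len(passphrase) == 64 and all(c in "0123456789abcdefABCDEF" for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def guess_passphrase(ssid: str, captured_psk: bytes, candidates):
    """Offline dictionary attack stand-in: derive each candidate for this SSID
    and compare. Against a real capture the comparison is a handshake-MIC
    check, but the cost per guess (one PBKDF2 run) is the same, and the
    attacker needs only the SSID and the captured frames to run it."""
    for cand in candidates:
        try:
            if wpa_psk(cand, ssid) == captured_psk:
                return cand
        except ValueError:
            continue  # shorter than 8 chars: cannot be a WPA passphrase
    return None


# Constructed candidate list for the demonstration (not a real wordlist).
WORDLIST = ["netgear1", "password", "letmein99", "summer2005"]


def demo() -> dict:
    """Weak passphrase on the default SSID falls to the list; the same
    passphrase under a different SSID yields an unrelated key, which is why
    tables precomputed for 'NETGEAR' are useless against a renamed network."""
    weak = wpa_psk("password", "NETGEAR")
    return {
        "recovered": guess_passphrase("NETGEAR", weak, WORDLIST),
        "ssid_changes_key": wpa_psk("password", "NETGEAR") != wpa_psk("password", "NETGEAR2"),
        "strong_not_in_list": guess_passphrase("cellar-7-kite",
                                               wpa_psk("o9Gq#mV2pLx!t4", "cellar-7-kite"),
                                               WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Each guess costs one PBKDF2 run of 4096 HMAC iterations, which is slow per passphrase but trivially parallel, so the only real defence is a long, non-dictionary passphrase combined with a non-default SSID.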

Page 61: ...dministrator's login timeout. Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection. NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language and should be a mixture of both upper and lower case letters, numbers and symbols. Your password ...

Page 62: ...hould do a new backup so that the saved settings file includes the new password. Changing the Administrator Login Timeout: for security, the administrator's login to the router configuration will time out after a period of inactivity. To change the login timeout period: 1. In the Set Password menu, type a number in the Administrator login times out field. The suggested default value is 5 minutes. 2. Click Apply. ...

Page 63: ...our LAN to Internet locations or services that you specify as off-limits. Denial of Service (DoS) protection: automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing. Blocking unwanted traffic from the Internet to your LAN. The section below explains how to configure your router to perform these functions. How to Block Keywords and Sites...

Page 64: ...e keyword XXX is specified, the URL http://www.badstuff.com/xxx.html is blocked. If the keyword com is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed. Enter the keyword to block all Internet browsing access. Up to 32 entries are supported in the Keyword list. 5. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. 6. To specify a ...
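The keyword list on page 64, modelled in Python as an added example (not NETGEAR firmware and not from the manual). The two examples on the page, "XXX" blocking http://www.badstuff.com/xxx.html and "com" blocking every .com site, are reproduced by case-insensitive substring matching over the whole URL, which is the matching rule this model assumes. Percent-decoding the URL before matching is an addition of this example, not behaviour the manual claims for the router; it closes the obvious evasion of writing xxx as %78%78%78. Note also that a filter that reads keywords out of Web addresses can only inspect plaintext HTTP requests; for an HTTPS session the router sees the server address, not the URL.

```python
from urllib.parse import unquote

MAX_KEYWORDS = 32  # limit stated on page 64


class KeywordFilter:
    """Keyword / domain block list as described for the Block Sites menu."""

    def __init__(self):
        self.keywords = []  # stored lower-cased, in the order they were added

    def add(self, keyword: str) -> None:
        kw = keyword.strip().lower()
        if not kw:
            raise ValueError("empty keyword")
        if kw in self.keywords:
            return  # already present; nothing to do
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError("keyword list is full (%d entries)" % MAX_KEYWORDS)
        self.keywords.append(kw)

    def delete(self, keyword: str) -> None:
        self.keywords.remove(keyword.strip().lower())

    def matching_keyword(self, url: str):
        """Return the first keyword that blocks this URL, or None.
        The URL is percent-decoded and lower-cased before the substring test
        (decoding is this example's addition, see the lead-in)."""
        haystack = unquote(url).lower()
        for kw in self.keywords:
            if kw in haystack:
                return kw
        return None

    def is_blocked(self, url: str) -> bool:
        return self.matching_keyword(url) is not None


if __name__ == "__main__":
    f = KeywordFilter()
    f.add("XXX")
    f.add("com")
    for url in ("http://www.badstuff.com/xxx.html", "http://www.example.edu/",
                "http://www.example.com/", "http://www.example.org/%78%78%78.html"):
        print(url, "->", f.matching_keyword(url) or "allowed")
```

The "com" case shows why short keywords over-block: the test is a substring match against the whole address, so any host, path or query containing the letters matches, not just the .com suffix.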

Page 65: ... of the DG834G are: Inbound, block all access from outside except responses to requests from the LAN side; Outbound, allow all access from the LAN side to the outside. You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also ch...

Page 66: ... game server visible and available to the Internet. The rule tells the router to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inboun...

Page 67: ...Action: choose how you want this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. Send to LAN Server: enter the IP address of the computer or server on your LAN which will receive the inbound traffic covered by this rule. WAN Users: these settings determine which packets are covered by the ru...

Page 68: ...allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-6, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters. Fig...

Page 69: ...se of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on: IP address of the local computer (source address); IP address of the Internet site being contacted (destination address); time of day; type of service being requested (service port number). Following is an appli...

Page 70: ...e to add any additional services or applications that do not already appear. Action: choose how you want this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. LAN Users: these settings determine which packets are covered by the rule, based on their source (LAN) IP address. Select the desired opt...

Page 71: ...ish fields. Single address: enter the required address in the Start field. Log: you can select whether the traffic will be logged. The choices are: Never, no log entries will be made for this service; Always, any traffic for this service type will be logged; Match, traffic of this type that matches the parameters and action will be logged; Not match, traffic of this type that does not match the parameters and ...

Page 72: ...er computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. (RFC 1700 has since been obsoleted by RFC 3232; the current assignments are kept in the IANA port-number registry online.) Ser...

Page 73: ... Add Services menu. 4. Click Apply to save your changes. Setting Times and Scheduling Firewall Services: the DG834G wireless router uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. How to Set Your Time Zone: in order to localize the time for your log entries, you must specify your Time Zone. 1. Log in to the router at its defau...

Page 74: ...avings Time and clear it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time. 4. The router has a list of NETGEAR NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use This NTP Server. 5. Click Apply to save your settings. How to Schedule Firewall Services: if you enabled services blocking in the Blo...

Page 75: ...elect one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times. Note: Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and 30 minutes, and 10:30 pm would be 22 hours and 30 minutes. If you set the start time after the end tim...
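The rule evaluation described on pages 65 through 75 (default policies, inbound rules with Send to LAN Server and WAN Users, outbound rules with LAN Users, the four Log options, and the blocking schedule) as one executable model. This is an added example written for this page, not NETGEAR firmware. It assumes things the extract does not state: rules are checked in list order and the first match decides; a schedule whose Start Blocking time is later than its End Blocking time runs past midnight into the next day; NAT is ignored, so addresses are as the LAN sees them; and "responses to requests from the LAN" are recognised with a small connection table. The rule set in build_demo mirrors the manual's three examples (a local Web server, CU-SeeMe from a branch office with logging of non-matching attempts, instant messaging blocked by schedule); the service port numbers and address ranges are this example's choices.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


def ip_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (WAN -> LAN) or "outbound" (LAN -> WAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    when: datetime


@dataclass(frozen=True)
class Service:       # a Services-menu entry: name, protocol, destination port range
    name: str
    proto: str
    first_port: int
    last_port: int

    def matches(self, p: Packet) -> bool:
        return p.proto == self.proto and self.first_port <= p.dport <= self.last_port


@dataclass(frozen=True)
class Addr:          # Any (no start), Single address (start only) or Address range
    start: Optional[str] = None
    finish: Optional[str] = None

    def matches(self, ip: str) -> bool:
        if self.start is None:
            return True
        return ip_int(self.start) <= ip_int(ip) <= ip_int(self.finish or self.start)


@dataclass(frozen=True)
class Schedule:      # Schedule menu: days, All Day, or Start/End Blocking (24-hour clock)
    days: frozenset  # weekday numbers, Monday = 0
    all_day: bool = False
    start: time = time(0, 0)
    end: time = time(0, 0)

    def active(self, when: datetime) -> bool:
        day, t = when.weekday(), when.time()
        if self.all_day or self.start <= self.end:
            return day in self.days and (self.all_day or self.start <= t < self.end)
        if t >= self.start:            # Start later than End: assumed to wrap
            return day in self.days    # past midnight into the following day
        return t < self.end and (day - 1) % 7 in self.days


@dataclass(frozen=True)
class Rule:
    service: Service
    action: str                    # "ALLOW" or "BLOCK"
    by_schedule: bool = False      # True: applies only while the schedule is active
    wan_users: Addr = Addr()
    lan_users: Addr = Addr()       # outbound rules only (Any for inbound)
    send_to: Optional[str] = None  # inbound ALLOW: LAN server that receives the traffic
    log: str = "NEVER"             # NEVER, ALWAYS, MATCH or NOT_MATCH


class Firewall:
    def __init__(self, inbound, outbound, schedule):
        self.inbound, self.outbound, self.schedule = inbound, outbound, schedule
        self.conntrack = set()     # LAN-initiated flows, so their replies get back in
        self.log = []

    def _hit(self, r: Rule, p: Packet) -> bool:
        wan_ip, lan_ip = (p.src, p.dst) if p.direction == "inbound" else (p.dst, p.src)
        return (r.service.matches(p) and r.wan_users.matches(wan_ip)
                and r.lan_users.matches(lan_ip)
                and (not r.by_schedule or self.schedule.active(p.when)))

    def evaluate(self, p: Packet) -> Tuple[str, Optional[str]]:
        rules = self.inbound if p.direction == "inbound" else self.outbound
        for r in rules:            # assumed: list order, first match wins
            hit = self._hit(r, p)
            if r.service.matches(p) and (r.log == "ALWAYS" or (r.log == "MATCH" and hit)
                                         or (r.log == "NOT_MATCH" and not hit)):
                self.log.append((p.when, r.service.name, p.src, "match" if hit else "no match"))
            if hit:
                if p.direction == "outbound" and r.action == "ALLOW":
                    self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action, (r.send_to if r.action == "ALLOW" else None)
        # Defaults from page 65: outbound allowed; inbound blocked unless it answers a LAN request.
        if p.direction == "outbound":
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW", None
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ALLOW", None
        return "BLOCK", None


# Constructed services and rules echoing the manual's examples (ports are this example's choices).
HTTP = Service("HTTP", "tcp", 80, 80)
CUSEEME = Service("CU-SeeMe", "tcp", 7648, 7648)
AIM = Service("AIM", "tcp", 5190, 5190)


def build_demo() -> Firewall:
    nights = Schedule(days=frozenset(range(5)), start=time(22, 0), end=time(6, 0))  # Mon-Fri 22:00-06:00
    inbound = [
        Rule(HTTP, "ALLOW", send_to="192.168.0.10"),                                  # local Web server
        Rule(CUSEEME, "ALLOW", wan_users=Addr("203.0.113.0", "203.0.113.255"),
             send_to="192.168.0.11", log="NOT_MATCH"),                                # branch office only
    ]
    outbound = [Rule(AIM, "BLOCK", by_schedule=True, log="MATCH")]                   # IM blocked at night
    return Firewall(inbound, outbound, nights)
```

Two behaviours worth checking against a real unit: the Saturday 03:00 case (a Friday-night window that wraps past midnight) and the NOT_MATCH log entry, which fires for a CU-SeeMe request from outside the permitted range even though the packet is finally dropped by the default policy rather than by the rule.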


Page 77: ...up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks. (The saved settings file contains the administrator password and the other secrets you have configured, so store it as carefully as you would a password.) How to Back Up the Configuration to a File: 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin and default password of password, or using whatever User Name, Password and LAN address you have chosen for the router. 2. From the Mainten...

Page 78: ...Configuration: it is sometimes desirable to restore the router to the factory default settings. This can be done by using the Erase function. 1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen. 2. The router will then reboot automatically. After an erase, the router's password will be password, the LAN IP address will be 192.168.0.1, and the rou...

Page 79: ...ult User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the router. 3. From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the menu shown in Figure 6-2 (Router Upgrade menu). 4. In the Router Upgrade menu, click Browse to locate the binary (BIN or IMG) upgra...

Page 80: ... DG834G provides a variety of status and usage information, which is discussed below. Viewing Router Status and Usage Statistics: from the Main Menu under Maintenance, select Router Status to view the screen in Figure 6-3 (Router Status screen). The Router Status menu provides status and usage information. This screen shows the following parameters: ...

Page 81: ...y the Internet (ADSL) port of the router. Domain Name Server (DNS): this field displays the DNS Server IP addresses being used by the router. These addresses are usually obtained dynamically from the ISP. LAN Port: these parameters apply to the Local (LAN) Ethernet port of the router. MAC Address: this field displays the Ethernet MAC address being used by the Local (LAN) port of the router. IP Address: this field displays...

Page 82: ...rial ports. For each port, the screen displays: Status: The link status of the port. TxPkts: The number of packets transmitted on this port since reset or manual clear. RxPkts: The number of packets received on this port since reset or manual clear. Collisions: The number of collisions on this port since reset or manual clear. Tx B/s: The current line utilization, the percentage of current bandwidth used on this p...

Page 83: ...lds for Dynamic IP. Field / Description: IP Address: The IP Address assigned to the WAN port by the ADSL Internet Service Provider. Subnet Mask: The Network Mask assigned to the WAN port by the ADSL Internet Service Provider. Default Gateway: The default gateway router assigned to the WAN port by the ADSL Internet Service Provider. DHCP Server: The DHCP server's IP address. DNS Server: The DNS server's IP addr...

Page 84: ...us information. This screen shows the following statistics. Table 6-1: Connection Status Fields for PPPoA. Field / Description: Connection Time: The time elapsed since the last connection to the Internet via the ADSL port. Connecting to Sender: The connection status. Negotiation: ON or OFF. Authentication: ON or OFF. IP Address: The IP Address assigned to the WAN port by the ADSL Internet Service Provider. Network...

Page 85: ...ernet MAC address. Note that if the router is rebooted, the table data is lost until the router rediscovers the devices. To force the router to look for attached devices, click the Refresh button. Viewing, Selecting, and Saving Logged Information: The router will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in ...

Page 86: ...Figure 6-8: Security Logs menu. Log entries are described in Table 6-1 below. ...

Page 87: ...Description: Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any. Source IP: The IP address of the initiating device for this log entry. Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN. Destination: The name or IP address of the destination device or We...

Page 88: ...ut, IP 192.168.0.2. This entry shows an administrator logging in and out from IP address 192.168.0.2. Tue, 2002-05-21 19:00:06 Login screen timed out, IP 192.168.0.2. This entry shows a time-out of the administrator login. Wed, 2002-05-22 22:00:19 Log emailed. This entry shows when the log was emailed. Dropped Packets: Wed, 2002-05-22 07:15:15 TCP packet dropped, Source 64.12.47.28, 4787, WAN, Destination 134.177...
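The log entries above are the raw material for the "security-related events" the router records. The following parser is an added example, not part of the manual or of NETGEAR's firmware: it reads entries of the kind shown (administrator login/time-out, log emailed, dropped packets) into fields matching the Table 6-1 columns, then summarises dropped packets per source and flags WAN sources whose dropped packets touched several destination ports. The sample lines are constructed, and their exact separators (" - ", "IP:", "Source:ip,port,interface") are an assumption, because the page reproduces the entries with their punctuation stripped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log modelled on the manual's examples; the separators are
# an assumption (the page shows the entries with punctuation removed).
SAMPLE_LOG = """\
Tue, 2002-05-21 18:48:39 - Administrator login successful - IP:192.168.0.2
Tue, 2002-05-21 18:55:10 - Administrator logout - IP:192.168.0.2
Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2
Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN - Destination:134.177.88.11,21,LAN
Wed, 2002-05-22 07:15:18 - TCP packet dropped - Source:64.12.47.28,4788,WAN - Destination:134.177.88.11,23,LAN
Wed, 2002-05-22 07:16:02 - UDP packet dropped - Source:10.9.8.7,53,WAN - Destination:134.177.88.11,1026,LAN
Wed, 2002-05-22 22:00:19 - Log emailed
this line is not a log entry
"""

# One entry per line: day, date, time, description, then the optional
# administrator IP or the source/destination triples of a dropped packet.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r" - (?P<desc>[^-]+?)"
    r"(?: - IP:(?P<admin_ip>[\d.]+))?"
    r"(?: - Source:(?P<src_ip>[\d.]+),(?P<src_port>\d+),(?P<src_if>LAN|WAN))?"
    r"(?: - Destination:(?P<dst_ip>[\d.]+),(?P<dst_port>\d+),(?P<dst_if>LAN|WAN))?$"
)


def parse_log(text):
    """Return one dict per recognised entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["desc"] = entry["desc"].strip()
            entries.append(entry)
    return entries


def dropped_by_source(entries):
    """Number of dropped packets per source IP (the 'Dropped Packets' entries)."""
    return Counter(e["src_ip"] for e in entries if "dropped" in e["desc"] and e["src_ip"])


def admin_events(entries):
    """Administrator login, logout and time-out entries with the address they came from."""
    return [(e["date"], e["time"], e["desc"], e["admin_ip"]) for e in entries if e["admin_ip"]]


def wan_sources_probing_ports(entries, min_ports=2):
    """WAN sources whose dropped packets targeted at least min_ports distinct ports,
    which is what the manual calls a probe from the Internet."""
    ports = defaultdict(set)
    for e in entries:
        if e["src_if"] == "WAN" and e["dst_port"]:
            ports[e["src_ip"]].add(int(e["dst_port"]))
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("dropped per source:", dict(dropped_by_source(parsed)))
    print("admin events:", admin_events(parsed))
    print("WAN sources touching several ports:", wan_sources_probing_ports(parsed))
```

Because the router loses its log on reboot and only keeps a limited buffer, running this over the e-mailed copies of the log (see the next page) is the practical way to keep a history of probes and administrator logins.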

Page 89: ...n the configuration menu of your e-mail program. Enter the e-mail address to which logs and alerts are sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail. Send alert immediately: Select the corresponding check box if you would like immediate notification of a significant security event, such as a known attack, po...

Page 90: ...DG834G wireless router has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the router: Ping an IP Address to test connectivity, to see if you can reach a remote host. Perform a DNS Lookup to test if an Internet name resolves to an IP address, to verify that the DNS server configuration is working. Display the Routing Table to identify what other routers th...

Page 91: ...IP address on the Internet, select Everyone. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. To allow access from a single IP address on the Internet, select Only this Computer. Enter the IP address that will be allowed access. 5. Specify the Port Number that will be used for accessing the management...

Page 92: ...the Internet, you will type your router's WAN IP address in your browser's Address (in IE) or Location (in Netscape) box, followed by a colon and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, enter in your browser: http://134.177.0.123:8080. Note: In this case, the http:// must be included in the address. ...

Page 93: ...Internet (WAN) Port, MTU Size. Flexibility on configuring your LAN TCP/IP settings. Using the Router as a DHCP Server. Configuring Dynamic DNS. Configuring Static Routes. These features are discussed below. Setting Up A Default DMZ Server: The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The router is programmed to reco...

Page 94: ...hese steps: 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the router. 2. From the Main Menu, under Advanced, click the WAN Setup link to view the page shown in Figure 7-1. Figure 7-1: WAN Setup Page. 3. Select the Default DMZ Server check box. 4. Type the IP ...

Page 95: ...nt the router to respond to a ping from the Internet, select the Respond to Ping on Internet (WAN) Port check box. This should only be used as a diagnostic tool, since it allows your router to be discovered. Do not select this box unless you have a specific reason to do so. MTU Size: The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For...

Page 96: ...f the router. IP Subnet Mask: This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router. RIP Direction: RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the Router s...

Page 97: ...ore it is assigned, to avoid duplicate addresses on the LAN. For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See IP Configuration by DHCP on page B-9 for an explanation of DHCP and information about how to assign IP addresses for your network. Use Router as DHCP server: If another device on your network will be the DHCP server, or if you will manually configure...

Page 98: ...ows. Reserved IP addresses: When you specify a reserved IP address for a computer on the LAN, that computer will always receive the same IP address each time it accesses the router's DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click the Add button. 2. In the IP Address box, type the IP address to assign to the computer or se...

Page 99: ...gure 7-3: LAN IP Setup Menu. 3. Enter the TCP/IP, DHCP, or Reserved IP parameters. 4. Click Apply to save your changes. Configuring Dynamic DNS: If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advan...

Page 100: ...address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the router. 2. From the Main Menu of the browser interface, under Advanced, select Dynamic DNS to display the page below. Figure 7-4: Dynamic DNS menu. 3. Access the Web site of one of the dynamic DNS service providers whose names appear in t...

Page 101: ...ple routers or multiple IP subnets located on your network. Static Route Example: As an example of when a static route is needed, consider the following case: Your primary Internet access is through a cable modem to an ISP. You have an ISDN router on your home network for connecting to the company where you are employed. This router's address on your LAN is 192.168.0.100. Your company's network is 134.17...

Page 102: ...warded to the ISDN router at 192.168.0.100. A Metric value of 1 will work, since the ISDN router is on the LAN. This represents the number of routers between your network and the destination. This is a direct connection, so it is set to 1. Private is selected only as a precautionary security measure, in case RIP is activated. How to Configure Static Routes: 1. Log in to the router at its default LAN address...

Page 103: ...the LAN only. The static route will not be reported in RIP. d. Select Active to make this route effective. e. Type the Destination IP Address of the final destination. f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. g. Type the Gateway IP Address, which must be a router on the same LAN segment as the router. h. Type a number between 1 and 15 as the Met...
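To make the static route example and the field rules above concrete, here is an added example (not code from the manual or from NETGEAR): it models a static route with the fields the menu asks for, validates them the way the text prescribes (metric between 1 and 15, gateway on the router's own LAN segment, 255.255.255.255 for a single host), and shows which next hop a destination gets once the company route via the ISDN router at 192.168.0.100 exists, with everything else still falling through to the ISP default route. The 192.168.0.0/24 LAN mask and the 134.177.0.0/16 company network are assumptions filled in from the example's host addresses.

```python
import ipaddress
from dataclasses import dataclass

# The router's own LAN in the manual's example; the /24 mask is an assumption.
LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class StaticRoute:
    destination: str       # Destination IP Address field
    subnet_mask: str       # IP Subnet Mask field (255.255.255.255 for a single host)
    gateway: str           # Gateway IP Address field; must be a router on the LAN
    metric: int            # 1..15, routers between this network and the destination
    private: bool = True   # Private routes are not reported in RIP
    active: bool = True

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.destination}/{self.subnet_mask}", strict=False)


# The manual's example: the company network (assumed 134.177.0.0/16) is reached
# through the ISDN router at 192.168.0.100, Private, metric 1.
COMPANY_ROUTE = StaticRoute("134.177.0.0", "255.255.0.0", "192.168.0.100", 1)


def validate_route(route: StaticRoute, lan=LAN):
    """Apply the field rules from the Static Routes menu; returns a list of problems."""
    problems = []
    if not 1 <= route.metric <= 15:
        problems.append("metric must be between 1 and 15")
    try:
        if ipaddress.ip_address(route.gateway) not in lan:
            problems.append("gateway must be a router on the same LAN segment as the router")
    except ValueError:
        problems.append("gateway is not a valid IP address")
    try:
        route.network
    except ValueError:
        problems.append("destination and subnet mask do not form a valid network")
    return problems


def next_hop(destination: str, routes, default_gateway="ISP"):
    """Longest-prefix match over the active static routes, lowest metric breaking
    ties; anything unmatched goes to the ISP default route, exactly as it did
    before the static route was added."""
    addr = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        if r.active and addr in r.network:
            if best is None or (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric):
                best = r
    return best.gateway if best else default_gateway


def rip_advertised(routes):
    """Routes RIP would report if enabled: Private routes are withheld."""
    return [r for r in routes if r.active and not r.private]


if __name__ == "__main__":
    print(validate_route(COMPANY_ROUTE))                     # []
    print(next_hop("134.177.0.123", [COMPANY_ROUTE]))        # 192.168.0.100
    print(next_hop("134.178.0.1", [COMPANY_ROUTE]))          # ISP
```

The Private flag matters because a route that RIP would otherwise broadcast tells every neighbouring router where your company network is reachable; keeping it Private limits that knowledge to the DG834G itself.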

Page 104: ...apping of the Router. Advertisement Period: The Advertisement Period is how often the Router will advertise (broadcast) its UPnP information. This value can range from 1 to 1440 minutes. The default period is 30 minutes. Shorter durations will ensure that control points have current device status, at the expense of additional network traffic. Longer durations may compromise the freshness of the device ...

Page 105: ...Router, and which ports (Internal and External) that device has opened. The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address. 3. To save, cancel, or refresh the table: a. Click Apply to save the new settings to the Router. b. Click Cancel to disregard any unsaved changes. c. Click Refresh to update the portmap table and to show the active ports th...

Page 107: ...tion on page 8-6 summarizes the three ways to configure a VPN tunnel: VPN Wizard (recommended for most situations), Auto Policy, and Manual Policy. How to Set Up a Client to Gateway VPN Configuration on page 8-6 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client. How to Set Up a Gateway to Gateway VPN Confi...

Page 108: ...secure access from a remote PC, such as a telecommuter connecting to an office network (see Figure 8-1). Figure 8-1: Client to Gateway VPN Tunnel. A VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The DG834G wireless router on your network is the other tunnel endpoint. See H...

Page 109: ...iness partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use DG834Gs on each end of the tunnel to form the VPN tunnel end points. See How to Set Up a Gateway to Gateway VPN Configuration on page 8-20 to set up this configuration. Planning a VPN: When you set up a VPN, it is helpful to plan the network configuration and record the configurati...

Page 110: ...e remote end be any device on the remote LAN, a portion of the remote network as defined by a subnet or by a range of IP addresses, or a single PC? Will either endpoint use Fully Qualified Domain Names (FQDNs)? FQDNs supplied by Dynamic DNS providers (see The Use of a Fully Qualified Domain Name (FQDN) on page F-7) can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request...

Page 111: ...ypting these values using a 56-bit key. Faster but less secure than 3DES. 3DES (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. What level of authentication will you use? MD5: 128 bits, faster but less secure. SHA-1: 160 bits, slower but more secure. Table 8-2: Parameters Recommended by the VPNC and Used in the VPN Wizard. Paramet...

Page 112: ...n the VPN Wizard and its VPNC defaults (see Table 8-2 on page 8-5) are not appropriate for your special circumstances and you must specify each phase of the connection. You manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex and there are more opportunities for errors or configuration mismatches between your DG834G and th...

Page 113: ...N Tunnel on the DG834G. Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 8-2 on page 8-5. If you have special requirements not covered by these VPNC-recommended parameters, refer to How to Set Up VPN Tunnels in Special Circumstances on page 8-35 to set up the VPN tunnel. (Figure labels: 192.168.3.1, VPN Tunnel, DG834G, 22.23.24.25, PC Running NETGEAR ProSafe...)

Page 114: ...the VPN Wizard link in the main menu to display this screen. Click Next to proceed. Table 8-3: VPN Tunnel Configuration Worksheet. Connection Name: RoadWarrior. Pre-Shared Key: 12345678. Secure Association (Main Mode or Manual Keys): Main. Perfect Forward Secrecy (Enabled or Disabled): Disabled. NETBIOS (Enabled or Disabled): Enabled. Encryption Protocol (DES or 3DES): 3DES. Authentication Protocol (MD5 or SHA-1): SHA-1. Di...

Page 115: ...in the Connection Name and the pre-shared key, select the type of target end point, and click Next to proceed. Note: The Connection Name is arbitrary and not relevant to how the configuration functions. Figure 8-5: Connection Name and Remote IP Type. Enter the new Connection Name, e.g., RoadWarrior. Enter the pre-shared key, e.g., 12345678. Select the radio button: A remote VPN client (single PC). ...

Page 116: ...The Summary screen below displays. Figure 8-6: VPN Wizard Summary. ...

Page 117: ...PN Wizard, click the here link (see Figure 8-6). Click Back to return to the Summary screen. Figure 8-7: VPNC Recommended Settings. 3. Click Done on the Summary screen (see Figure 8-6) to complete the configuration procedure. The VPN Policies menu below displays, showing that the new tunnel is enabled. Figure 8-8: VPN Policies. To view or modify the tunnel settings, select the radio button next to the tunnel entr...

Page 118: ...ation. If you do not have a modem or dial-up adapter installed in your PC, you may see the warning message stating "The NETGEAR ProSafe VPN Component requires at least one dial-up adapter be installed." You can disregard this message. Install the IPSec Component: You may have the option to install either the VPN Adapter or the IPSec Component, or both. The VPN Adapter is not necessary. The system should sho...

Page 119: ...to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel (see Figure 8-5), because Connection Names are arbitrary to how the VPN tunnel functions. Tip: Choose Connection Names that make sense to the people using and administrating the VPN. Figure 8-9: Security Policy Editor New Connection. Figure 8-10: Security Policy Editor Connection Settings. Select the Secure in the Connection...

Page 120: ...23.24.25 would be used. The resulting Connection Settings are shown in Figure 8-10. 3. Configure the Security Policy in the NETGEAR ProSafe VPN Client software. In the Network Security Policy list, expand the new connection by double-clicking its name or clicking on the symbol. My Identity and Security Policy subheadings appear below the connection name. Click on the Security Policy subheading to show th...

Page 121: ...the Internal Network IP Address box. Otherwise, leave this box empty. In the Internet Interface box, select the adapter you use to access the Internet. Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable or DSL line. You may also choose Any if you will be switching between adapters or if you have only one adapter. Click th...

Page 122: ...tication subheading by double-clicking its name or clicking on the symbol. Then select Proposal 1 below Authentication. Figure 8-14: Security Policy Editor Authentication. In the Authentication Method menu, select Pre-Shared key. In the Encrypt Alg menu, select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834G in Table 8-3 on page 8-8. In this example, ...

Page 123: ...kbox. In the Encrypt Alg menu, select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834G in Table 8-3 on page 8-8. In this example, use Triple DES. In the Hash Alg menu, select SHA-1. In the Encapsulation menu, select Tunnel. Leave the Authentication Protocol (AH) checkbox unchecked. 7. Save the VPN Client Settings. From the File menu at the top of the Securi...

Page 124: ...g test using our example, start from the remote PC: a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.3.1 and then click OK. Figure 8-16: Running a Ping test to the LAN from the PC. This will cause a continuous ping to be sent to the first DG834G. After between several seconds and two minutes, the ping response should c...

Page 125: ...then select Programs, then NETGEAR ProSafe VPN Client, then Log Viewer. 2. The Log Viewer screen for a successful connection is shown below. Figure 8-18: Log Viewer screen. 3. The Connection Monitor screen for this connection is shown below. Figure 8-19: Connection Monitor screen. In this example, you can see the following: The DG834G has a public IP WAN address of 22.23.24.25. Note: Use the active VPN tunnel i...

Page 126: ...VPN Wizard. Figure 8-20: Gateway to Gateway VPN Tunnel. Set the LAN IPs on each DG834G to different subnets and configure each properly for the Internet. The examples below assume the following settings. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to have normal Internet ac...

Page 127: ...e: GtoG. Pre-Shared Key: 12345678. Secure Association (Main Mode or Manual Keys): Main. Perfect Forward Secrecy (Enabled or Disabled): Disabled. NETBIOS (Enabled or Disabled): Enabled. Encryption Protocol (DES or 3DES): 3DES. Authentication Protocol (MD5 or SHA-1): SHA-1. Diffie-Hellman (DH) Group (Group 1 or Group 2): Group 2. Key Life in seconds: 28800 (8 hours). IKE Life Time in seconds: 3600 (1 hour). VPN Endpoint / Local IPSec ID / L...

Page 128: ...of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed. Figure 8-21: VPN Wizard Start Screen. 2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and click Next to proceed. Figure 8-22: Connection Name and Remote IP Type. Enter the new Connection Name, e.g., ...

Page 129: ...et VPN endpoint WAN connection and click Next. Figure 8-23: Remote IP. 4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next. Figure 8-24: Secure Connection Remote Accessibility. Enter the WAN IP address of the remote VPN gateway, e.g., 22.23.24.25. Enter the LAN IP settings of the remote VPN gateway: IP Address, e.g., 192.168.3.1; Subnet Mask, e.g., 255.255.255.0. ...

Page 130: ...The Summary screen below displays. Figure 8-25: VPN Wizard Summary. ...

Page 131: ...e here link (see Figure 8-25). Click Back to return to the Summary screen. Figure 8-26: VPN Recommended Settings. 5. Click Done on the Summary screen (see Figure 8-25) to complete the configuration procedure. The VPN Settings menu below displays, showing that the new tunnel is enabled. Figure 8-27: VPN Policies. Note: Refer to Using Auto Policy to Configure VPN Tunnels on page 8-36 to enable the IKE keepalive ca...

Page 132: ...Mask, e.g., 255.255.255.0. Preshared Key, e.g., 12345678. 7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps: a. Open the DG834G management interface and click on VPN Status to get the VPN Status Log screen (Figure 8-28). Figure 8-28: VPN Status Log Screen. b. Click on VPN Status (Figure 8-30) to get the Current VPN Tunnels (SAs) screen (Figure 8-29). Click on Connect for the VPN t...

Page 133: ...ys to activate a VPN tunnel: Use the VPN Status page. Activate the VPN tunnel by pinging the remote endpoint. Start using the VPN tunnel. Note: Refer to Using Auto Policy to Configure VPN Tunnels on page 8-36 to enable the IKE keepalive capability on an existing VPN tunnel. Using the VPN Status Page to Activate a VPN Tunnel: To use the VPN Status screen to activate a VPN tunnel, perform the following step...

Page 134: ...30: VPN Status Log Screen. 3. Click on VPN Status (Figure 8-30) to get the Current VPN Tunnels (SAs) screen (Figure 8-31). Click on Connect for the VPN tunnel you want to activate. Figure 8-31: Current VPN Tunnels (SAs) Screen. Activate the VPN Tunnel by Pinging the Remote Endpoint. Note: This section uses 192.168.3.1 for an example remote endpoint LAN IP address. ...

Page 135: ...roSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. To perform a ping test using our example, start from the remote PC: a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.3.1 and then c...

Page 136: ...ote: The pings may fail the first time. If so, then try the pings a second time. Start Using a VPN Tunnel to Activate It: To use a VPN tunnel, use a Web browser to go to a URL whose IP address or range is covered by the policy for that VPN tunnel. Verifying the Status of a VPN Tunnel: To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps: 1. Log in to the Router. 2. Open...

Page 137: ...e, the SPI is specified in the Policy definition. For Automatic key exchange, the SPI is generated by the IKE protocol. Policy Name: the name of the VPN policy associated with this SA. Remote Endpoint: the IP address on the remote VPN Endpoint. Action: the action will be either a Drop or a Connect button. SLifeTime (Secs): the remaining Soft Lifetime for this SA in seconds. When the Soft Lifetime becomes zero, t...

Page 138: ...nel must be deactivated for testing purposes. There are two ways to deactivate a VPN tunnel: the Policy table on the VPN Policies page, or the VPN Status page. Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel: To use the VPN Policies page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the Router. 2. Open the DG834G management interface and click on VPN Policies to get the V...

Page 139: ...box for the VPN tunnel you want to deactivate and click Apply. To reactivate the tunnel, check the Enable box and click Apply. Using the VPN Status Page to Deactivate a VPN Tunnel: To use the VPN Status page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the Router. 2. Open the DG834G management interface and click on VPN Status to get the VPN Status Log screen (Figure 8-38). ...

Page 140: ...Figure 8-38: VPN Status Log Screen. 3. Click VPN Status (Figure 8-38) to get the Current VPN Tunnels (SAs) screen (Figure 8-39). Click Drop for the VPN tunnel you want to deactivate. Figure 8-39: Current VPN Tunnels (SAs) Screen. ...

Page 141: ...and its VPNC defaults (see Table 8-2) are not appropriate for your special circumstances, use one of the following alternatives: Auto Policy, for a typical automated Internet Key Exchange (IKE) setup (see Using Auto Policy to Configure VPN Tunnels on page 8-36). Auto Policy uses the IKE protocol to define the authentication scheme and automatically generate the encryption keys. Note: When NETBIOS is enabled, ...

Page 142: ...ure VPN Tunnels: You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end must match the inbound VPN settings on the other end, and vice versa. See Example of Using Auto Policy on page 8-41 for an example of using Auto Policy. Configuring VPN Network Connection Parameters: All VPN tunnels on the DG834G wireless router require configuring several network para...

Page 143: ...Figure 8-41: DG834G VPN Tunnel Auto Policy Configuration Menu. ...

Page 144: ...etworking. IKE Keep-alive: Enable this if you wish to ensure that a connection is kept open or, if that is not possible, that it is quickly re-established when disconnected. The Ping IP Address must be associated with the remote endpoint. The remote LAN address must be used. This IP address will be pinged periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address must be covered...

Page 145: ...on the remote LAN. Subnet address: enter an IP address in the Single/Start IP address field and the desired network mask in the Subnet Mask field. The remote VPN endpoint must have these IP addresses entered as its Local addresses. IKE Direction Type: this setting is used when determining if the IKE policy matches the current traffic. Select the desired option. Responder only: incoming connections are all...

Page 146: ...aster but less secure than 3DES. 3DES (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. Authentication Algorithm: the authentication algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not a...

Page 147: ...y have to specify the Key Group used. For this device, the Key Group is the same as the DH Group setting in the IKE section. Example of Using Auto Policy: Figure 8-42: Gateway to Gateway VPN Tunnel. 1. Set the LAN IPs on each DG834G to different subnets and configure each properly for the Internet. The following settings are assumed for this example. (Figure labels: A, B, VPN Tunnel, DG834G VPN Firewall, DG834G VPN Firewall, P...)

Page 148: ...rfect Forward Secrecy (Enabled or Disabled): Disabled. NETBIOS (Enabled or Disabled): Enabled. Encryption Protocol (DES or 3DES): 3DES. Authentication Protocol (MD5 or SHA-1): SHA-1. Diffie-Hellman (DH) Group (Group 1 or Group 2): Group 2. Key Life in seconds: 28800 (8 hours). IKE Life Time in seconds: 3600 (1 hour). VPN Endpoint / Local IPSec ID / LAN IP Address / Subnet Mask / FQDN or Gateway IP (WAN IP Address): DG834G A, LAN_A, 192.168...

Page 149: ...o Policy. 4. Enter policy settings (see Figure 8-44). General: Policy Name: GtoG. Remote VPN Endpoint Address Type: Fixed IP Address. Remote VPN Endpoint Address Data: 22.23.24.25. Local LAN: use default setting. Remote LAN: IP Address: select Subnet address from the pulldown menu. Start IP address: 192.168.3.1. Subnet Mask: 255.255.255.0. IKE: Direction: Initiator and Responder. Exchange Mode: Main Mode. Diffie-Hellman (DH)...

Page 150: ...Remote Identity Type: use default setting. Parameters: Encryption Algorithm: 3DES. Authentication Algorithm: MD5. Pre-shared Key: 12345678. ...

Page 151: ...Figure 8-44: VPN Auto Policies Screen. ...

Page 152: ...gs as appropriate. General: Remote Address Data, e.g., 14.15.16.17. Remote LAN: Start IP Address: IP Address, e.g., 192.168.0.1; Subnet Mask, e.g., 255.255.255.0. Preshared Key, e.g., 12345678. 7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps: a. Open the DG834G management interface and click on VPN Status to display the VPN Status Log screen (Figure 8-46). Note: The VPN Status scree...

Page 153: ...Figure 8-46: VPN Status Log Screen. b. Click VPN Status (Figure 8-46) to display the Current VPN Tunnels (SAs) screen (Figure 8-47). Click on Connect for the VPN tunnel you want to activate. Figure 8-47: Current VPN Tunnels (SAs) Screen. c. Review the VPN Status Log screen (Figure 8-46) to verify that the tunnel is connected. ...

Page 154: ...IKE, you may use Manual Keying, in which you must specify each phase of the connection. A Manual VPN policy requires all settings for the VPN tunnel to be manually input at each end (both VPN endpoints). Click the VPN Policies link of the main menu, and then click the Add Manual Policy radio button to display the Manual Keys menu shown in Figure 8-48. Figure 8-48: DG834G VPN Tunnel Manual Policy Configurat...

Page 155: ...ust be provided as follows: Single address: enter an IP address in the Single/Start IP address field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users. Range address: enter the starting IP address in the Single/Start IP address field and the finish IP address in the Finish IP address field. This must be an address range used on your LAN. Subnet ad...

Page 156: ...ings must match the remote VPN endpoint. The "in" setting here must match the "out" setting on the remote VPN endpoint, and the "out" setting here must match the "in" setting on the remote VPN endpoint. Encryption: select the desired Encryption Algorithm and enter the key in the field provided. For 3DES, the keys should be 24 ASCII characters, and for DES, the keys should be 8 ASCII characters. DES (the Data Encryp...
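Both the Auto Policy example (pages 148 to 150: matching settings on both endpoints, each side's Local LAN entered as the other side's Remote LAN) and the Manual Keys page above (the "in" key here equals the "out" key there, 24 ASCII characters for 3DES and 8 for DES) come down to one rule: the two gateways' policies must mirror each other exactly, and a mismatch is the usual reason a tunnel never comes up. The checker below is an added example, not code from the manual or from NETGEAR, that applies those rules to a pair of gateway worksheets before anything is typed into the router. The two policies are constructed from the manual's worksheet values (GtoG, 12345678, 3DES, SHA-1, DH Group 2, 28800/3600 s, 22.23.24.25 with 192.168.3.1/255.255.255.0, 14.15.16.17 with 192.168.0.1/255.255.255.0); the field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AutoPolicy:
    """One gateway's Auto Policy worksheet (field names are this example's own)."""
    name: str
    local_wan: str
    local_lan: str              # "address/mask" as entered under Local LAN
    remote_wan: str
    remote_lan: str             # "address/mask" as entered under Remote LAN
    exchange_mode: str = "Main"
    dh_group: int = 2
    encryption: str = "3DES"
    authentication: str = "SHA-1"
    pfs: bool = False
    ike_lifetime: int = 3600    # IKE Life Time in seconds
    key_lifetime: int = 28800   # Key Life in seconds
    pre_shared_key: str = "12345678"   # the manual's sample value, used only as sample data


# Constructed from the manual's worksheets: gateway A at 14.15.16.17 with LAN
# 192.168.0.1/24, gateway B at 22.23.24.25 with LAN 192.168.3.1/24.
GATEWAY_A = AutoPolicy("GtoG", "14.15.16.17", "192.168.0.1/255.255.255.0",
                       "22.23.24.25", "192.168.3.1/255.255.255.0")
GATEWAY_B = AutoPolicy("GtoG", "22.23.24.25", "192.168.3.1/255.255.255.0",
                       "14.15.16.17", "192.168.0.1/255.255.255.0")

# Settings that IKE negotiates and that therefore must be identical on both ends.
NEGOTIATED = ("exchange_mode", "dh_group", "encryption", "authentication",
              "pfs", "ike_lifetime", "key_lifetime", "pre_shared_key")


def _net(spec):
    return ipaddress.ip_network(spec, strict=False)


def with_setting(policy, **changes):
    """Copy of a policy with some fields changed (handy for what-if checks)."""
    return replace(policy, **changes)


def check_policy_pair(a, b):
    """Return the list of mismatches between two gateways' Auto Policies."""
    problems = []
    if a.local_wan != b.remote_wan or a.remote_wan != b.local_wan:
        problems.append("WAN endpoints are not mirrored")
    if _net(a.local_lan) != _net(b.remote_lan) or _net(a.remote_lan) != _net(b.local_lan):
        problems.append("LAN settings are not mirrored")
    if _net(a.local_lan).overlaps(_net(b.local_lan)):
        problems.append("the two LANs must be on different subnets")
    for field in NEGOTIATED:
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs: {getattr(a, field)!r} vs {getattr(b, field)!r}")
    return problems


# Manual Keys: key length in ASCII characters per algorithm, as the menu requires.
MANUAL_KEY_CHARS = {"DES": 8, "3DES": 24}


def check_manual_keys(algorithm, local_in, local_out, remote_in, remote_out):
    """Check a Manual Keys policy pair: lengths, and in/out keys crossed over."""
    problems = []
    need = MANUAL_KEY_CHARS[algorithm]
    for label, key in (("local in", local_in), ("local out", local_out),
                       ("remote in", remote_in), ("remote out", remote_out)):
        if len(key) != need:
            problems.append(f"{label} key must be {need} ASCII characters for {algorithm}")
    if local_in != remote_out:
        problems.append("local 'in' key must equal the remote 'out' key")
    if local_out != remote_in:
        problems.append("local 'out' key must equal the remote 'in' key")
    return problems


if __name__ == "__main__":
    print(check_policy_pair(GATEWAY_A, GATEWAY_B))                           # []
    print(check_policy_pair(GATEWAY_A, with_setting(GATEWAY_B, authentication="MD5")))
    print(check_manual_keys("3DES", "a" * 24, "b" * 24, "b" * 24, "a" * 24))  # []
```

The MD5 what-if above is the kind of mismatch that is easy to make from the pages themselves: the worksheet lists SHA-1 as the Authentication Protocol, while the step-by-step on page 150 enters MD5 under Parameters, so a reader following one side from each page ends up with policies that never authenticate.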

Page 157: ...n't access the Internet. Go to Troubleshooting the ISP Connection on page 9-4. I can't remember the router's configuration password. I want to clear the configuration and start over again. Go to Restoring the Default Configuration and Password on page 9-9. Basic Functioning: After you turn on power to the router, the following sequence of events should occur: 1. When power is first applied, verify that the ...

Page 158: ...chnical support. Test LED Never Turns On or Test LED Stays On: When the router is turned on, the Test LED turns on for about 10 seconds and then turns off. If the Test LED does not turn on, or if it stays on, there is a fault within the router. If you experience problems with the Test LED: Cycle the power to see if the router recovers and the LED blinks for the correct amount of time. If all LEDs, including...

Page 159: ...your computer. Note: If your computer's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the router and reboot your computer. If your router's IP address wa...

Page 160: ...is correct. WAN LED Blinking Yellow: If your WAN LED is blinking yellow, then your router is attempting to make an ADSL connection with the service provider. The LED should turn green within several minutes. If the WAN LED does not turn green, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being careful to use a microfilter on each telephone. If t...

Page 161: ...was successful using the browser interface. To check the WAN IP address from the browser interface: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the router's configuration at http://192.168.0.1. 3. Under the Maintenance heading, check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your router has not obtained an IP address from you...

Page 162: ...t http://192.168.0.1. 2. Under the Maintenance heading, select the Router Status link. 3. Click the Connection Status button. 4. If all of the steps indicate OK, then your PPPoE or PPPoA connection is up and working. 5. If any of the steps indicates Failed, you can attempt to reconnect by clicking Connect. The router will continue to attempt to connect indefinitely. If you cannot connect after several minutes, yo...

Page 163: ... page C 6 Troubleshooting a TCP IP Network Using the Ping Utility Most TCP IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device The device then responds with an echo reply Troubleshooting a TCP IP network is made very easy by using the ping utility in your computer Testing the LAN Path to Your Router You can ping the router from your com...

Page 164: ...lies as in the previous section are displayed If you do not receive replies Check that your PC has the IP address of your router listed as the default router If the IP configuration of your PC is assigned by DHCP this information will not be visible in your PC s Network Control Panel Verify that the IP address of the router is listed as the default router as described in Verifying TCP IP Propertie...

Page 165: ...t Reset button on the rear panel of the router 1 Press and hold the Default Reset button until the Test LED turns on about 10 seconds 2 Release the Default Reset button and wait for the router to reboot Problems with Date and Time The E mail menu in the Content Filtering section displays the current date and time of day The DG834G wireless router uses the Network Time Protocol NTP to obtain the cu...

Page 167: ... over ATM (PPPoA), RFC 1483 Bridged or Routed Ethernet, and RFC 1577 Classical IP over ATM. Power Adapter: North America, 120V 60 Hz input; United Kingdom and Australia, 240V 50 Hz input; Europe, 230V 50 Hz input; Japan, 100V 50/60 Hz input; all regions (output), 15 V AC, 1.0 A, 30 W maximum. Physical Specifications: Dimensions 10 x 6.7 x 1.3 in (255 mm x 169 mm x 34 mm); Weight 1.4 lbs (0.62 kg). Environmental Specifications...

Page 168: ...ical Specifications. Electromagnetic Emissions: Meets requirements of FCC Part 15 Class B; VCCI Class B; EN 55022 (CISPR 22) Class B. Interface Specifications: LAN, 10BASE-T or 100BASE-TX, RJ-45; WAN, ADSL, dual RJ-11, pins 2 and 3; T1.413, G.DMT, G.Lite, ITU Annex A or B.

Page 169: ... be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide area network (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router. What is a Rou...

Page 170: ...org. The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points. For example, the following binary address: 11000011 00100010 00001100 00000111 is normally written as 195.34.12.7. The latter version is easier to remember and easier to ...

Page 171: ... have up to 65,534 hosts on a network (2^16 minus the network and broadcast addresses). A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range: 128.1.x.x to 191.254.x.x. Class C: Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. Class D: Class D addresses are used for ...

Page 172: ... A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined using an AND operator with the Class C netmask, as shown here, only the network portion of the address remains: 11000000 10101000 10101010 11101101 (192.168.170.237) combined with 11111111 11111111 11111111...

Page 173: ...ifferent subnets for other geographical locations in the network or for other departments in the organization. Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C n...

Page 174: ...N segment to use the same netmask for the following reasons: so that hosts recognize local IP broadcast packets...
Table 9-1. Netmask Notation Translation Table for One Octet
  Number of Bits   Dotted-Decimal Value
  1                128
  2                192
  3                224
  4                240
  5                248
  6                252
  7                254
  8                255
Table 9-2. Netmask Formats
  Dotted-Decimal     Masklength
  255.0.0.0          8
  255.255.0.0        16
  255.255.255.0      24
  255.255.255.128    25
  255.255.255.192    26
  255.255.255...
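The addressing pages above (classful ranges, the AND with the netmask, Tables 9-1 and 9-2, and subnetting by borrowing host bits) can be exercised with a short script. This is an added illustration written for this page, not code from the NETGEAR manual; it uses only the Python standard library, and the sample addresses are the manual's own (195.34.12.7, 192.168.170.237) plus constructed ones.

```python
"""Worked IP-addressing example: classful ranges, netmask <-> masklength,
and the bitwise AND that extracts the network portion.

Added illustration for the addressing appendix, not NETGEAR code.
"""
import ipaddress


def classful_class(addr: str) -> str:
    """Historical address class (A-E) from the value of the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_mask(addr: str) -> str:
    """Default netmask for a Class A, B or C address (Table on Page 172)."""
    return {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}[classful_class(addr)]


def prefix_to_mask(prefix: int) -> str:
    """Masklength -> dotted decimal, e.g. 26 -> 255.255.255.192 (Table 9-2)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def mask_to_prefix(mask: str) -> int:
    """Dotted decimal -> masklength; rejects non-contiguous masks such as 255.0.255.0."""
    m = int(ipaddress.IPv4Address(mask))
    prefix = bin(m).count("1")
    if (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF != m:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def network_portion(addr: str, mask: str) -> str:
    """AND the address with the mask, as the manual's binary example on Page 172 does."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def usable_hosts(prefix: int) -> int:
    """Host addresses per subnet, excluding the network and broadcast addresses."""
    if prefix >= 31:
        return 0  # /31 and /32 have no conventional host range
    return 2 ** (32 - prefix) - 2


def subnets(network: str, new_prefix: int) -> list[str]:
    """Split a network into equal subnets by shifting host bits into the network part."""
    return [str(n) for n in ipaddress.IPv4Network(network).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(classful_class("192.168.170.237"), network_portion("192.168.170.237", "255.255.255.0"))
    print("Class B hosts:", usable_hosts(16), " Class C hosts:", usable_hosts(24))
    print("Class C split into /26:", subnets("192.168.170.0/24", 26))
```

`usable_hosts(16)` returns 65,534, the figure the Class B paragraph should carry; `subnets(..., 26)` shows the Page 173 point that subnet boundaries need not fall on an octet.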

Page 175: ... always follow the guidelines explained here. For more information about address assignment, refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space. (RFC 1597 has since been superseded by RFC 1918, which defines the same private ranges.) The Internet Engineering Task Force (IETF) publishes RFCs on its Web site at www.ietf.org. Single IP Address Operation Using NAT: In the past, if multiple PCs on a LAN needed to access the Interne...

Page 176: ...rt the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer. The technique that associates the IP address with a MAC address is known as address resolution. Internet Protocol uses the Address Resolution Protocol (ARP) to resolve MAC addresses. If a dev...

Page 177: ...r to actually contact the resource. Just as a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to MAC addresses, a domain name system (DNS) server maps descriptive names of network resources to IP addresses. When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message us...

Page 178: ...hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur. When an incident is detected, the firewall can log details of the attempt and can optionally send e-mail to an administrator notifying them of the incident. Using information from the log, the administrator can take action with the ISP of the hacker. In some types of intrusions, the firewall can fend ...

Page 179: ...works originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45-type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring as described below in Table B-1. Category 5 Cable Quality: Category 5 distributed cable ...

Page 180: ...ements regarding loss and crosstalk. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbit/second networks. Inside Twisted Pair Cables: For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstatio...

Page 181: ...hone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network. Uplink Switches, Crossover Cables, and MDI/MDIX Switching: In the wiring table above, the concepts of transmit and receive are from the perspective of the PC, which is wired as Media Dependent Interface (MDI). In this wiring, the PC transmits on pins 1 and 2. At the hub, the perspective is r...

Page 182: ...tified by comparing the two connectors. Since the cable connectors are clear plastic, it is easy to place them side by side and view the order of the wire colors on each. On a straight-through cable, the color order will be the same on both connectors. On a crossover cable, the orange and blue pairs will be exchanged from one connector to the other. The DG834G wireless router incorporates Auto Uplink™ t...

Page 183: ...ludes the software components for establishing a TCP/IP network. Windows 3.1 does not include a TCP/IP component; you need to purchase a third-party TCP/IP application package such as NetManage Chameleon. Macintosh Operating System 7 or later includes the software components for establishing a TCP/IP network. All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided with...

Page 184: ...he router assigns the following TCP/IP configuration information automatically when the PCs are rebooted: PC or workstation IP addresses, 192.168.0.2 through 192.168.0.254; Subnet mask, 255.255.255.0; Gateway address (the router), 192.168.0.1. These addresses are part of the IETF-designated private address range for use in private networks. Configuring Windows 95, 98, and Me for TCP/IP Networking: As part of t...

Page 185: ...ow these steps: a. Click the Add button. b. Select Adapter, and then click Add. c. Select the manufacturer and model of your Ethernet adapter, and then click OK. If you need TCP/IP: a. Click the Add button. b. Select Protocol, and then click Add. c. Select Microsoft. d. Select TCP/IP, and then click OK. Note: It is not necessary to remove any other network components shown in the Network window in order to install the...

Page 186: ... network. The simplest way to configure this information is to allow the PC to obtain the information from a DHCP server in the network. You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows. Locate your Network Neighborhood ...

Page 187: ... Verify the following settings as shown: Client for Microsoft Network exists; Ethernet adapter is present; TCP/IP is present; Primary Network Logon is set to Windows logon. Click on the Properties button. The following TCP/IP Properties window will display.

Page 188: ...all boxes in the LAN Internet Configuration screen and click Next. 6. Proceed to the end of the Wizard. Verifying TCP/IP Properties: After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe. 1. On the Windows taskbar, click the Start button, and then click Run. By default, the IP Address tab is open on this window. Verify the following: Obtain an IP ad...

Page 189: ...ation process, you may need to install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process. Installing or Verifying Windows Networking Components: To install or verify the necessary components for IP networking: 1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel. 2. D...

Page 190: ...walk you through the configuration process for each of these versions of Windows. DHCP Configuration of TCP/IP in Windows XP: Locate your Network Neighborhood icon. Select Control Panel from the Windows XP new Start Menu. Select the Network Connections icon on the Control Panel. This will take you to the next step. Now the Network Connection window displays. The Connections List that shows all the networ...

Page 191: ...ction Status window. This box displays the connection status, duration, speed, and activity statistics. Administrator logon access rights are needed to use this window. Click the Properties button to view details about the connection. The TCP/IP details are presented on the Support tab page. Select Internet Protocol, and click Properties to view the configuration information.

Page 192: ...dded by default and set to DHCP without your having to configure it. However, if there are problems, follow these steps to configure TCP/IP with DHCP for Windows 2000. Verify that the Obtain an IP address automatically radio button is selected. Verify that the Obtain DNS server address automatically radio button is selected. Click the OK button. This completes the DHCP configuration of TCP/IP in Windows XP. R...

Page 193: ... and Dial-up Connections. Right-click on Local Area Connection and select Properties. The Local Area Connection Properties dialog box appears. Verify that you have the correct Ethernet card selected in the Connect using box. Verify that at least the following two items are displayed and selected in the box Components checked are used by this connection: Client for Microsoft Networks and Internet Pro...

Page 194: ...pen the Internet Protocol (TCP/IP) Properties dialog box. Verify that Obtain an IP address automatically is selected and Obtain DNS server address automatically is selected. Click OK to return to Local Area Connection Properties. Click OK again to complete the configuration process for Windows 2000. Restart the PC. Repeat these steps for each PC with this version of Windows on your network.

Page 195: ...led the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0: Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window. Double-click the Network icon in the Control Panel window. The Network panel will display. Select the Protocols tab to continue.

Page 196: ... Highlight the TCP/IP Protocol in the Network Protocols box and click on the Properties button.

Page 197: ...r IP Configuration information will be listed and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: The IP address is between 192.168.0.2 and 192.168.0.254. The subnet mask is 255.255.255.0. The TCP/IP Properties dialog box now displays. Click the IP Address tab. Select the radio button marked Obtain an IP addr...

Page 198: ...acintosh. On each networked Macintosh, you need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x: 1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens. 2. From the Connect via box, select your Macintosh's Ethernet interface. 3. From the Configure box, select Using DHCP Server. You can leave the DHCP Client ID box empty. 4. Close the TCP/IP Control Panel. 5. Repeat this for each...

Page 199: ...can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: The IP Address is between 192.168.0.2 and 192.168.0.254. The Subnet mask is 255.255.255.0. The Router address is 192.168.0.1...
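The verification steps on Pages 197-199 and the 169.254.x.x note on Page 159 amount to a fixed checklist (address in 192.168.0.2-254, mask 255.255.255.0, gateway 192.168.0.1, no self-assigned address), which is easier to apply to pasted `ipconfig` output than by eye. The script below is an added example for this page, not NETGEAR code; the two `ipconfig` transcripts are constructed samples in the Windows 2000/XP label style, and the field regex is this script's own.

```python
"""Check a client's TCP/IP lease against the DG834G defaults and flag the
169.254.x.x self-assigned case from the troubleshooting chapter.

Added example, not NETGEAR code. Sample ipconfig output below is constructed.
"""
import ipaddress
import re

ROUTER_LAN = ipaddress.IPv4Network("192.168.0.0/24")
ROUTER_ADDR = ipaddress.IPv4Address("192.168.0.1")
DHCP_POOL = (ipaddress.IPv4Address("192.168.0.2"), ipaddress.IPv4Address("192.168.0.254"))
APIPA = ipaddress.IPv4Network("169.254.0.0/16")  # Windows/MacOS self-assigned range

# Tolerant match for lines such as "IP Address. . . . . . . . . . . . : 192.168.0.3"
_FIELD = re.compile(r"^\s*(IP Address|Subnet Mask|Default Gateway)[ .]*:[ \t]*(\S*)", re.M)


def parse_ipconfig(text: str) -> dict:
    """First IP address, subnet mask and default gateway found in ipconfig output."""
    found = {}
    for label, value in _FIELD.findall(text):
        found.setdefault(label, value)
    return found


def diagnose(ip: str, mask: str, gateway: str) -> list[str]:
    """Human-readable findings; an empty list means the lease matches the router defaults."""
    findings = []
    addr = ipaddress.IPv4Address(ip)
    if addr in APIPA:
        findings.append("169.254.x.x address: no DHCP reply; check the link to the router and reboot")
        return findings  # nothing else is meaningful without a lease
    if mask != str(ROUTER_LAN.netmask):
        findings.append(f"subnet mask is {mask or 'missing'}, expected {ROUTER_LAN.netmask}")
    if addr not in ROUTER_LAN:
        findings.append(f"{ip} is not in the router's LAN {ROUTER_LAN}")
    elif not DHCP_POOL[0] <= addr <= DHCP_POOL[1]:
        findings.append(f"{ip} is outside the DHCP pool {DHCP_POOL[0]}-{DHCP_POOL[1]} (static or conflicting)")
    if not gateway:
        findings.append("no default gateway: the PC has no route to the router for Internet traffic")
    elif ipaddress.IPv4Address(gateway) != ROUTER_ADDR:
        findings.append(f"default gateway is {gateway}, expected {ROUTER_ADDR}")
    return findings


def check_ipconfig(text: str) -> list[str]:
    """Parse ipconfig output and run the checklist over it."""
    f = parse_ipconfig(text)
    return diagnose(f.get("IP Address", "0.0.0.0"), f.get("Subnet Mask", ""), f.get("Default Gateway", ""))


SAMPLE_OK = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

SAMPLE_APIPA = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 169.254.23.17
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("apipa", SAMPLE_APIPA)):
        print(name, check_ipconfig(sample) or ["lease matches router defaults"])
```

The early return on a 169.254.x.x address mirrors the manual's advice: with no lease, checking mask and gateway tells you nothing new; fix the link first.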

Page 200: ...e router's Internet port is connected to the broadband modem, the router appears to be a single PC to the ISP. The router then allows the PCs on the local network to masquerade as the single PC to access the Internet through the broadband modem. The method used by the router to accomplish this is called Network Address Translation (NAT) or IP masquerading. Are Login Protocols Used? Some ISPs require a sp...

Page 201: ...router. These procedures are described next. Obtaining ISP Configuration Information for Windows Computers: As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the DG834G wireless router. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the informatio...

Page 202: ...rom your Macintosh so that you can use this information when you configure the DG834G wireless router. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the router for Internet access: 1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens, which displays a list of c...

Page 203: ...computers to work with the router, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall. After configuring all of your computers for TCP/IP networking, restarting them, and connecting them to the local network of your DG834G wireless router, you are ready to access and configure the router.

Page 205: ...s Ethernet Compatibility Alliance (WECA; see http://www.wi-fi.net), an industry standard group promoting interoperability among 802.11 devices. The 802.11 standard offers two methods for configuring a wireless network: ad hoc and infrastructure. Infrastructure Mode: With a wireless Access Point, you can operate the wireless LAN in infrastructure mode. This mode provides wireless connectivity to multiple w...

Page 206: ...an ad hoc wireless network with no access points, the Basic Service Set Identification (BSSID) is used. In an infrastructure wireless network that includes an access point, the ESSID is used, but may still be referred to as SSID. An SSID is a thirty-two-character (maximum) alphanumeric key identifying the name of the wireless local area network. Some vendors refer to the SSID as the network name. For the wireles...

Page 207: ...n sends an authentication request to the access point. 5. The access point authenticates the station. 6. The station sends an association request to the access point. 7. The access point associates with the station. 8. The station can now communicate with the Ethernet network through the access point. An access point must authenticate a station before the station can associate with the access point or comm...

Page 208: ...s to the station's default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP Key, and the access point authenticates the station. 5. The station connects to the network. If the decrypted text does not match the original challenge text, the access point and s...

Page 209: ...thentication purposes, the network uses Open System Authentication. 3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the wireless network uses Shared Key Authentication. Note: Some 802.11 access points also suppo...

Page 210: ...of the cryptic hexadecimal characters to ease encryption key entry. 128-bit encryption is stronger than 40-bit encryption, but 128-bit encryption may not be available outside of the United States due to U.S. export regulations. (That restriction was relaxed in 2000; more to the point, neither 40-bit nor 128-bit WEP resists the key-recovery attacks published since, so the key length makes little practical difference; see the WPA section that follows.) When configured for 40-bit encryption, 802.11 products typically support up to four WEP Keys. Each 40-bit WEP Key is expressed as 5 sets of two hexadecimal digits (0-9 and A-F). For...

Page 211: ...as its default key to transmit. The two devices will communicate as long as the AP's WEP key 2 is the same as the client's WEP key 2, and the AP's WEP key 3 is the same as the client's WEP key 3. Wireless Channels: The wireless frequencies used by 802.11b/g networks are discussed below. IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the ISM (Industrial, Scienti...

Page 212: ...nd grow to use channels 6 and 11 when necessary, as these three channels do not overlap. WPA Wireless Security: Wi-Fi Protected Access (WPA) is a specification of standards-based, interoperable security enhancements that increase the level of data protection and access control for existing and future wireless LAN systems. Table D-2. 802.11b/g Radio Frequency Channels: Channel / Center Frequency / Frequency Spre...

Page 213: ...n the second half of 2003. Existing Wi-Fi certified products will have one year to add WPA support or they will lose their Wi-Fi certification. The 802.11i standard is currently in draft form, with ratification due at the end of 2003. (This text predates the manual: IEEE 802.11i was ratified in June 2004, and WPA2 is the Wi-Fi Alliance certification for it.) While the new IEEE 802.11i standard is being ratified, wireless vendors have agreed on WPA as an interoperable interim standard. How Does WPA Compare to WEP? WEP is a data ...

Page 214: ...ready to bring to market today, such as 802.1x and TKIP. The main pieces of the 802.11i draft that are not included in WPA are secure IBSS (Ad Hoc mode), secure fast handoff (for specialized 802.11 VoIP phones), and enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. What are the Key Features of WPA Securit...

Page 215: ... gained by choosing an EAP type supporting this feature, and is required by WPA. 802.1X port access control prevents full access to the network until authentication completes. 802.1X EAPOL-Key packets are used by WPA to distribute per-session keys to those stations successfully authenticated. The supplicant in the station uses the authentication and cipher suite information contained in the informatio...

Page 216: ... type, such as Transport Layer Security (EAP-TLS) or EAP Tunneled Transport Layer Security (EAP-TTLS), defines how the authentication takes place. Note: For environments with a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports Extensible Authentication Protocol (EAP). For environments without a RADIUS infrastructure, WPA supports the use of a pre-shared key. Together, these technolog...

Page 217: ...Responses (AP to station) and Association Requests (station to AP) also contain WPA information elements. 1. Initial 802.1x communications begin with an unauthenticated supplicant (client device) attempting to connect with an authenticator (802.11 access point). The client sends an EAP-start message. This begins a series of message exchanges to authenticate the client. 2. The access point replies with an EAP-re...

Page 218: ...any EAP type without needing to upgrade an 802.1x-compliant access point. As a result, you can update the EAP authentication type to such devices as token cards, Smart Cards, Kerberos, one-time passwords, certificates, and public key authentication, or as newer types become available and your requirements for security change. WPA Data Encryption Key Management: With 802.1x, the rekeying of unicast encryption...

Page 219: ...ad and update the encrypted ICV without being detected by the receiver. With WPA, a method known as Michael specifies a new algorithm that calculates an 8-byte message integrity check (MIC) using the calculation facilities available on existing wireless devices. The MIC is placed between the data portion of the IEEE 802.11 frame and the 4-byte ICV. The MIC field is encrypted together with the frame data...
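Two of the WEP passages above are easier to follow in code: the Shared Key Authentication exchange on Pages 208-210 (request, clear-text challenge, WEP-encrypted reply, compare) and the Page 219 statement that an attacker can alter a frame and update the encrypted ICV without the receiver noticing. The block below is an added illustration written for this page, not NETGEAR code or anything from the 802.11 specification; the key, IV and challenge bytes are constructed, the frame is simplified to IV || RC4(data || ICV) with no 802.11 header, and the 40-bit key is written the way the manual describes it, as five pairs of hex digits. RC4 and WEP are shown here only to make the weakness concrete and must not be reused for anything.

```python
"""WEP as this appendix describes it: RC4 keystream XORed over the payload plus
a CRC-32 ICV, the Shared Key Authentication challenge exchange (Page 208), and
the integrity weakness Michael was introduced to close (Page 219).

Added illustration, not NETGEAR code. Key, IV and challenge bytes are constructed.
"""
import os
import zlib
from typing import Optional

WEP40_KEY = bytes.fromhex("0A1B2C3D4E")  # constructed 40-bit key, 5 hex pairs


def rc4(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's 4-byte integrity check value: plain CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV (sent in clear) || RC4(IV||key) XOR (data || ICV)."""
    return iv + xor(data + icv(data), rc4(iv + key, len(data) + 4))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext if the ICV verifies, else None (the frame is dropped)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if tag == icv(data) else None


def shared_key_auth(ap_key: bytes, station_key: bytes) -> bool:
    """The exchange on Page 208: request, 128-byte clear-text challenge, WEP-encrypted
    reply, AP decrypts and compares. True means the AP authenticates the station."""
    challenge = os.urandom(128)                                  # step 2: AP -> station
    reply = wep_encrypt(station_key, os.urandom(3), challenge)   # step 3: station -> AP
    return wep_decrypt(ap_key, reply) == challenge               # step 4: AP compares


def flip_bits_undetected(frame: bytes, delta: bytes) -> bytes:
    """Page 219's weakness, performed without the key: XOR `delta` into the encrypted
    payload and patch the encrypted ICV to match. CRC-32 is affine over XOR, so for
    equal lengths crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros); and because RC4 is a
    stream cipher, XORing the ciphertext XORs the plaintext the receiver recovers."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")[:n]
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body[:n], delta) + xor(body[n:], icv_delta)


if __name__ == "__main__":
    frame = wep_encrypt(WEP40_KEY, b"\x01\x02\x03", b"GET /index.html")
    print("shared-key auth, matching keys:", shared_key_auth(WEP40_KEY, WEP40_KEY))
    print("shared-key auth, wrong station key:", shared_key_auth(WEP40_KEY, bytes(5)))
    forged = flip_bits_undetected(frame, xor(b"GET", b"PUT"))
    print("forged frame accepted by receiver as:", wep_decrypt(WEP40_KEY, forged))
```

`flip_bits_undetected` never touches the key: it turns "GET" into "PUT" in the ciphertext and the receiver's ICV check still passes, which is exactly the property Michael's keyed MIC removes.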

Page 220: ...i-Fi certified products will support the WPA standard. NETGEAR, Inc. wireless products that had their Wi-Fi certification approved before August 2003 will have one year to add WPA so as to maintain their Wi-Fi certification. WPA requires software changes to the following: wireless access points; wireless network adapters; wireless client programs. Supporting a Mixture of WPA and WEP Wireless Clients is Di...

Page 221: ...the WPA information element and respond with a specific security configuration. The WPA two-phase authentication: Open System, then 802.1x (supplicant EAP or preshared key). TKIP. Michael. AES (optional). To upgrade your wireless network adapters to support WPA, obtain a WPA update from your wireless network adapter vendor and update the wireless network adapter driver. For Windows wireless clients, you must ob...

Page 222: ...asics. Changes to Wireless Client Programs: Wireless client programs must be updated to permit the configuration of WPA authentication (and preshared key) and the new WPA encryption algorithms (TKIP and the optional AES component). To obtain the Microsoft WPA client program, visit the Microsoft Web site.

Page 223: ...ta flowing across the network is protected by encryption technologies. Private networks lack data security, which allows attackers to tap directly into the network and read the data. IPSec-based VPNs use encryption to provide data security, which increases the network's resistance to data tampering or theft. IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame R...

Page 224: ...and inexpensively installed on existing Internet connections. What Is IPSec and How Does It Work? IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organi...

Page 225: ...d unforgeable identifier for each packet, which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a packet has been tampered with. Furthermore, packets that are not authenticated are discarded and not delivered to the intended receiver. ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide th...

Page 226: ... known. In addition, AH does not protect the data's confidentiality. If data is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses. Figure E-2: Original packet and packet with IP...

Page 227: ...cessed with IPSec, the new IP packet contains the old IP header, with the source and destination IP addresses unchanged, and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going to. The previous packet diagrams show a packet in transport mode. Tunnel Mode: The tunnel mode IPSec i...
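Pages 225-227 make three claims worth seeing in bytes: AH gives every packet an unforgeable fingerprint so tampered packets are dropped, AH leaves the payload readable, and transport mode exposes the real endpoints in the outer header while tunnel mode hides them behind the gateways. The block below is an added example for this page, not NETGEAR code; it builds minimal IPv4 and AH headers with the standard library. The gateway and LAN addresses are the manual's VPN Consortium samples, while the host addresses, key, SPI and payload are constructed. Simplifications: HMAC-SHA1-96 as the integrity algorithm, only TTL and header checksum treated as mutable fields, no IP options, no replay window, and no ESP encryption (AH alone is the point being shown).

```python
"""IPSec AH in transport and tunnel mode, standard library only.

Added example for this appendix, not NETGEAR code. Addresses are the manual's
VPN Consortium samples; hosts, key, SPI and payload are constructed.
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional

IPPROTO_AH = 51
IPPROTO_IPIP = 4       # next-header value for an encapsulated IP packet (tunnel mode)
ICV_LEN = 12           # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN  # next hdr, payload len, reserved, SPI, sequence, then ICV


def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over an even-length buffer."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]


def _auth_input(packet: bytes) -> bytes:
    """Bytes the ICV covers: IP header with mutable fields zeroed, AH with ICV zeroed, payload."""
    ip = bytearray(packet[:20])
    ip[8] = 0             # TTL changes at every hop
    ip[10:12] = b"\0\0"   # header checksum changes with it
    ah = packet[20:20 + AH_LEN - ICV_LEN] + bytes(ICV_LEN)
    return bytes(ip) + ah + packet[20 + AH_LEN:]


def ah_protect(key: bytes, src: str, dst: str, next_hdr: int, payload: bytes, spi: int, seq: int) -> bytes:
    """Build IP || AH || payload with a valid ICV (AH payload-len field = words - 2 = 4)."""
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    ip = ipv4_header(src, dst, IPPROTO_AH, AH_LEN + len(payload))
    draft = ip + ah_no_icv + bytes(ICV_LEN) + payload
    icv = hmac.new(key, _auth_input(draft), hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_no_icv + icv + payload


def ah_verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the protected payload if the fingerprint matches, else None (packet discarded)."""
    if len(packet) < 20 + AH_LEN or packet[9] != IPPROTO_AH:
        return None
    got = packet[20 + AH_LEN - ICV_LEN:20 + AH_LEN]
    want = hmac.new(key, _auth_input(packet), hashlib.sha1).digest()[:ICV_LEN]
    return packet[20 + AH_LEN:] if hmac.compare_digest(got, want) else None


def transport_mode(key: bytes, src: str, dst: str, payload: bytes, spi: int, seq: int = 1) -> bytes:
    """Host-to-host: the original endpoints stay in the (unencrypted) outer header."""
    return ah_protect(key, src, dst, 17, payload, spi, seq)  # 17: a UDP payload, say


def tunnel_mode(key: bytes, gw_src: str, gw_dst: str, inner_src: str, inner_dst: str,
                payload: bytes, spi: int, seq: int = 1) -> bytes:
    """Gateway-to-gateway: the whole inner IP packet becomes the protected payload."""
    inner = ipv4_header(inner_src, inner_dst, 17, len(payload)) + payload
    return ah_protect(key, gw_src, gw_dst, IPPROTO_IPIP, inner, spi, seq)


def on_the_wire(packet: bytes) -> tuple:
    """Source and destination an eavesdropper reads from the outer header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def forward_hop(packet: bytes) -> bytes:
    """Simulate a router decrementing TTL and refreshing the header checksum."""
    ip = bytearray(packet[:20])
    ip[8] -= 1
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", _csum(bytes(ip)))
    return bytes(ip) + packet[20:]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    t = transport_mode(key, "10.5.6.20", "172.23.9.30", b"hello", spi=0x1001)
    u = tunnel_mode(key, "14.15.16.17", "22.23.24.25", "10.5.6.20", "172.23.9.30", b"hello", spi=0x1002)
    print("transport mode, visible on the wire:", on_the_wire(t))
    print("tunnel mode, visible on the wire:   ", on_the_wire(u))
    print("payload readable despite AH:", b"hello" in t, "| still valid after a hop:", ah_verify(key, forward_hop(t)))
    print("tampered payload accepted:", ah_verify(key, t[:-5] + b"jello") is not None)
```

Because AH authenticates the outer header (minus the mutable fields), a NAT device that rewrites the source address breaks the ICV, which is why AH is rarely used across NAT and why the telecommuter case study later in this appendix relies on ESP.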

Page 228: ...e VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard. The case studies in this TechNote follow the addressing and configuration mechanics defined by the VPN Consortium. Additional information regarding inter-vendor interoperability may be found at http://www.vpnc.org/intero...

Page 229: ...st cases, each Gateway will have a public-facing address (WAN side) and a private-facing address (LAN side). These addresses are referred to as the network interface in documentation regarding the construction of VPN communication. Interface Addressing: This Appendix uses example addresses provided by the VPN Consortium. It is important to understand that you will be using addresses specific to the devices th...

Page 230: ...r both gateways to understand how to open specific protocols, ports, and addresses that you intend to allow. Setting Up a VPN Tunnel Between Gateways: An SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls, gateways) to trust each other and communicate securely as they pass information over the Internet. Table E-1: WAN (Internet/Public) and LAN (Inte...

Page 231: ... another gateway using the parameters and processes established by IPSec. As illustrated below, the most common method of accomplishing this process is via the Internet Key Exchange (IKE) protocol, which automates some of the negotiation procedures. Alternatively, you can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways. Figure E-6: IPSec ...

Page 232: ...IPSec keys for the SAs. 3. IKE Phase II: a. The two parties negotiate the encryption and authentication algorithms to use in the IPSec SAs. b. The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created and exchanged, the IPSec SAs are ready to protect user data between the two VPN gateways. 4. Data transfer: Data is transferred between IPSec peers based on the IPSec parameters ...

Page 233: ...troubleshoot connections using the VPN status and log details on the Netgear gateway to determine if IKE negotiation is working. Common problems encountered in setting up VPNs include: parameters configured differently on Gateway A vs. Gateway B; two LANs set up with similar or overlapping addressing schemes; and, because so many configuration parameters are required, errors such as mistyped information or m...

Page 234: ...1. S. Kent, R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401, November 1998. RFC 2407: D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, November 1998. RFC 2474: K. Nichols, S. Blake, F. Baker, D. Black, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, December 1998. RFC 2475: S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss, An Architec...

Page 235: ... all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Check that there are no firewall restrictions. Table F-1: Profile Summary. VPN Consortium Scenario: Scenario 1. Type of VPN: LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway). Sec...

Page 236: ... in this example are as follows. DG834G: WAN IP 14.15.16.17; LAN IP 10.5.6.1; LAN Subnet Mask 255.255.255.0. FVL328: WAN IP 22.23.24.25; LAN IP 172.23.9.1; LAN Subnet Mask 255.255.255.0. a. In Step 1, enter toFVL328 for the Connection Name. b. In Step 2, enter 22.23.24.25 for the remote WAN's IP address. c. In Step 3, enter the following: IP Address 172.23.9.1, Subnet Mask 255.255.255.0. Note: Product updates are avai...
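Page 233 lists the usual reasons a tunnel fails to come up (parameters that differ between Gateway A and Gateway B, overlapping LANs, mistyped values), and Page 236 gives the values the Scenario 1 wizard steps expect on each side. The script below cross-checks the two ends before anyone clicks Connect. It is an added example for this page, not NETGEAR code: the addresses are the manual's, but the dict layout, field names, pre-shared key and proposal strings are this script's own constructions, not the routers' export format. Subnets may be given as IP address plus subnet mask, exactly as the wizard's Step 3 asks for them, or as address/prefix.

```python
"""Pre-flight consistency check for a gateway-to-gateway IPSec policy pair.

Added example for the Scenario 1 case study, not NETGEAR code. Addresses are the
manual's; dict layout, key and proposal strings are constructed for illustration.
"""
import ipaddress

GATEWAY_A = {
    "name": "DG834G (gateway A)",
    "wan": "14.15.16.17",
    "local_lan": "10.5.6.1/255.255.255.0",
    "remote_gateway": "22.23.24.25",
    "remote_lan": "172.23.9.1/255.255.255.0",
    "psk": "constructed-shared-secret",
    "ike_proposal": "3DES/SHA-1/DH2",     # constructed; compared as an opaque string
    "ipsec_proposal": "ESP 3DES/SHA-1",   # constructed
}
GATEWAY_B = {
    "name": "FVL328 (gateway B)",
    "wan": "22.23.24.25",
    "local_lan": "172.23.9.1/255.255.255.0",
    "remote_gateway": "14.15.16.17",
    "remote_lan": "10.5.6.1/255.255.255.0",
    "psk": "constructed-shared-secret",
    "ike_proposal": "3DES/SHA-1/DH2",
    "ipsec_proposal": "ESP 3DES/SHA-1",
}


def _net(spec: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d/len' or 'a.b.c.d/m.m.m.m'; strict=False lets a host address stand for its subnet."""
    return ipaddress.IPv4Network(spec, strict=False)


def _same_endpoint(configured: str, actual: str) -> bool:
    """The peer may be an IP or a DDNS hostname (Page 242); compare case-insensitively."""
    return configured.strip().lower() == actual.strip().lower()


def check_pair(a: dict, b: dict) -> list[str]:
    """Return human-readable problems; an empty list means the two policies mirror each other."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if _net(near["remote_lan"]) != _net(far["local_lan"]):
            problems.append(f"{near['name']}: remote LAN {_net(near['remote_lan'])} does not match "
                            f"{far['name']} local LAN {_net(far['local_lan'])}")
        if not _same_endpoint(near["remote_gateway"], far["wan"]):
            problems.append(f"{near['name']}: remote gateway {near['remote_gateway']} does not match "
                            f"{far['name']} WAN address {far['wan']}")
    if _net(a["local_lan"]).overlaps(_net(b["local_lan"])):
        problems.append(f"LANs {_net(a['local_lan'])} and {_net(b['local_lan'])} overlap; renumber one side "
                        "(the DG834G defaults to 192.168.0.0/24, so two unchanged routers always collide)")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ (check for trailing spaces or case)")
    for field in ("ike_proposal", "ipsec_proposal"):
        if a.get(field) != b.get(field):
            problems.append(f"{field} differs: {a.get(field)!r} vs {b.get(field)!r}")
    return problems


if __name__ == "__main__":
    print("manual's Scenario 1 pair:", check_pair(GATEWAY_A, GATEWAY_B) or "consistent")
    typo = dict(GATEWAY_B, remote_lan="10.5.60.1/255.255.255.0")  # one mistyped digit
    for p in check_pair(GATEWAY_A, typo):
        print("problem:", p)
```

The mirrored-subnet and overlap checks catch the two failures the manual singles out; the opaque comparison of proposal strings is deliberately dumb, because IKE will happily negotiate nothing at all if Phase I proposals do not match, and the log on the gateway is the only other place that shows up.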

Page 237: ... Figure F-2: Viewing and editing the VPN parameters of the DG834G at gateway A (screen shows policy toFVL328 with local 10.5.6.1/255.255.255.0, remote 172.23.9.1/255.255.255.0 and remote gateway 22.23.24.25). Click VPN Policies under Advanced > VPN to invoke this screen.

Page 238: ...ateway procedures for the VPN Wizard (see How to Set Up a Gateway-to-Gateway VPN Configuration on page 8-20), being certain to use appropriate network addresses for the environment. a. In Step 1, enter toDG834 for the Connection Name. b. In Step 2, enter 14.15.16.17 for the remote WAN's IP address. c. In Step 3, enter the following: IP Address 10.5.6.1, Subnet Mask 255.255.255.0.

Page 239: ... Figure F-3: Viewing and editing the VPN parameters of the FVL328 at gateway B (screens show IKE and VPN policies named toDG834, local gateway 22.23.24.25, remote gateway 14.15.16.17, local LAN 172.23.9.1, remote LAN 10.5.6.1). Click IKE Policies under VPN to invoke the first screen; click VPN Policies under VPN to invoke the second.

Page 240: ...a NETGEAR DG834G to a FVL328 using a Fully Qualified Domain Name FQDN to resolve the public address of one or both routers This case study follows the VPN Consortium interoperability profile guidelines found at http www vpnc org InteropProfiles Interop 01 html Configuration Profile The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium G...

Page 241: ...mmary VPN Consortium Scenario Scenario 1 Type of VPN LAN to LAN or Gateway to Gateway not PC Client to Gateway Security Scheme IKE with Preshared Secret Key not Certificate based Date Tested June 2004 Model Firmware Tested NETGEAR Gateway A DG834G firmware version V2 10 17 NETGEAR Gateway B FVL328 with firmware version V2 0_07 IP Addressing NETGEAR Gateway A Fully Qualified Domain Name FQDN NETGEA...

Page 242: ...ablished the hostname dg834g dyndns org for gateway A using the DynDNS service Gateway B will use the DDNS Service Provider when establishing a VPN tunnel In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider Again the following step by step procedures assum...

Page 243: ...een (see Figure F-6) in the Advanced menu. Figure F-6: Dynamic DNS Setup Screen. b. Configure this screen with appropriate account and hostname settings and then click Apply: check the box Use a Dynamic DNS Service; Host Name: dg834g.dyndns.org; User Name: user's account username; Password: user's account password. c. Click Show Status. The resulting screen should show Update OK, good (see Figure F-7). Figure F-7: Sta...

Page 244: ...y configured DynDNS account. a. Browse to the Dynamic DNS Setup Screen (see Figure F-8) in the Advanced menu. Figure F-8: Dynamic DNS Setup Screen. b. Select the DynDNS.org radio button (see Figure F-8), configure with appropriate account and hostname settings (see Figure F-9) and then click Apply: Host and Domain Name: fvl328.dyndns.org; User Name: user's account username; Password: user's account password ...

Page 245: ...NETGEAR VPN Configuration F-11. Figure F-9: Dynamic DNS Setup Screen. c. Click Show Status. The resulting screen should show Update OK, good (see Figure F-10). Figure F-10: Status Screen ...

Page 246: ...8 for the Connection Name. b. In Step 2, enter fvl328.dyndns.org for the remote WAN's IP address. c. In Step 3, enter the following: IP Address 172.23.9.1, Subnet Mask 255.255.255.0. 6. Configure the FVL328 as in the Gateway-to-Gateway procedures for the VPN Wizard (see How to Set Up a Gateway-to-Gateway VPN Configuration on page 8-20), being certain to use appropriate network addresses for the environment. a. I...

Page 247: ...in the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Assure that there are no firewall restrictions. Table F-1: Configuration summary (telecommuter example). VPN Consortium Scenario: Scenario 1. Type of VPN: PC client-to-gateway, with client behind NAT router. Security Scheme: IKE with Pr...

Page 248: ...gures the NETGEAR ProSafe VPN Client endpoint. Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer's Main Office. Follow this procedure to configure a client-to-gateway VPN tunnel by filling out the VPN Auto Policy screen. 1. Log in to the VPN router at its LAN address of http://192.168.0.1 with its default user name of admin and password of password (change these defaults before the router is put into service). Click the VPN Polic...

Page 249: ...lified Domain Name: fromDG834G.com in this example / fromDG834G in the example. Dynamic IP address. Local LAN: Subnet address 192.168.0.1 in this example, 255.255.255.0. Remote: Single address 192.168.2.3 in this example. IKE Keep Alive is optional; must match Remote LAN IP Address when enabled, and the remote PC must respond to pings. Main Mode. 3DES. Pre-Shared Key 12345678 in this example (a placeholder, not a key to deploy). SA lifetime 3600. Remote NAT router must have Address Reservation set and...

Page 250: ...uter. We will assume the PC running the client has a dynamically assigned IP address. The PC must have a VPN client program installed that supports IPSec; in this case study the NETGEAR VPN ProSafe Client is used. Go to the NETGEAR website (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client. 1. Install t...

Page 251: ...the Security Policy Editor. 2. Add a new connection. a. Run the NETGEAR ProSafe Security Policy Editor program and create a VPN Connection. b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears in the list of policies. Rename the New Connection so that it matches the Connection Name you entered in the VPN Settings of the DG834G on Gateway A. Note: I...

Page 252: ...ct All in the Protocol menu to allow all traffic through the VPN tunnel. h. Select the Connect using Secure Gateway Tunnel check box. i. Select Domain Name in the ID Type menu below the check box and enter fromDG834G.com in this example. j. Select Gateway Hostname and enter ntgr.dyndns.org in this example. k. The resulting Connection Settings are shown in Figure F-16. 3. Configure the Security Policy in the...

Page 253: ...menu. Figure F-17: Security Policy Editor security policy. c. Select Main Mode in the Select Phase 1 Negotiation Mode check box. 4. Configure the VPN Client Identity. In this step you will provide information about the remote VPN client PC. You will need to provide: the Pre-Shared Key that you configured in the DG834G; either a fixed IP address or a fixed virtual IP address of the VPN client PC ...

Page 254: ...gure F-18: Security Policy Editor my identity. b. Choose None in the Select Certificate menu. c. Select Domain Name in the ID Type menu and enter toDG834G.com in this example in the box below it. Choose Disabled in the Virtual Adapter menu. d. In the Internet Interface box, select Intel PRO/100VE Network Connection (in this example; your Ethernet adapter may be different) in the Name menu and enter 192.168.2...

Page 255: ...is entered. This field is case-sensitive. Figure F-19: Security Policy Editor pre-shared key. 5. Configure the VPN Client Authentication Proposal. In this step you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the VPN router configuration. a. In the Network Security Policy list on the left side of the Security Policy Editor windo...

Page 256: ...tication. c. In the Authentication Method menu, select Pre-Shared key. d. In the Encrypt Alg menu, select the type of encryption; in this example use Triple DES. e. In the Hash Alg menu, select SHA-1. f. In the SA Life menu, select Unspecified. g. In the Key Group menu, select Diffie-Hellman Group 2. 6. Configure the VPN Client Key Exchange Proposal. In this step you will provide the type of encryption (DES or 3DES) t...

Page 257: ...d. Check the Encapsulation Protocol (ESP) checkbox. e. In the Encrypt Alg menu, select the type of encryption; in this example use Triple DES. f. In the Hash Alg menu, select SHA-1. g. In the Encapsulation menu, select Tunnel. h. Leave the Authentication Protocol (AH) checkbox unchecked. 7. Save the VPN Client settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have con...
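Steps 5 and 6 above, like the gateway-to-gateway wizard earlier in this appendix, hinge on one rule: every IKE Phase 1 and Phase 2 parameter the client proposes must be identical to what the DG834G was given, and the traffic selectors must mirror each other (the client's remote network is the router's local network). The following added example, which is not NETGEAR code and does not contact a router, models both ends with the manual's own values (Main Mode, pre-shared key, 3DES, SHA-1, Diffie-Hellman Group 2, ESP in tunnel mode, 192.168.0.0/24 on the router side and the single address 192.168.2.3 on the client side) and checks that they would agree. It also flags the 2005-era choices a current deployment should replace; the 20-character minimum it applies to the pre-shared key is this example's own threshold, not a NETGEAR setting.

```python
"""Agreement check for the two-phase IKE/IPsec setup in the DG834G telecommuter
example. Added example, not NETGEAR code; nothing here talks to a router.
Field names follow the Security Policy Editor labels quoted in the manual.
The 20-character pre-shared-key minimum is an assumption of this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase1:
    mode: str                 # "main" or "aggressive"
    auth: str                 # "psk" or "cert"
    encrypt: str              # "DES", "3DES", "AES-128", ...
    hash: str                 # "MD5", "SHA-1", "SHA-256", ...
    dh_group: int             # 1, 2, 5, 14, ...
    lifetime: Optional[int]   # seconds; None is the client's "Unspecified"


@dataclass(frozen=True)
class Phase2:
    protocol: str             # "ESP" or "AH"
    encrypt: str
    hash: str
    encapsulation: str        # "tunnel" or "transport"
    local: str                # traffic selector: CIDR or a single host
    remote: str


def selector(s: str) -> ipaddress.IPv4Network:
    """A single address becomes a /32 selector; a subnet is taken as written."""
    return ipaddress.ip_network(s, strict=False)


def phase1_agrees(a: Phase1, b: Phase1) -> bool:
    """Mode, authentication, cipher, hash and DH group must be identical.
    An "Unspecified" lifetime on one side accepts whatever the peer proposes."""
    return (a.mode == b.mode and a.auth == b.auth and a.encrypt == b.encrypt
            and a.hash == b.hash and a.dh_group == b.dh_group
            and (a.lifetime is None or b.lifetime is None
                 or a.lifetime == b.lifetime))


def phase2_agrees(a: Phase2, b: Phase2) -> bool:
    """Transform must be identical and the selectors mirrored: A's local network
    is B's remote network and vice versa. A selector that is merely a superset
    (a /16 against a /24) is the classic silent Phase 2 failure."""
    return (a.protocol == b.protocol and a.encrypt == b.encrypt
            and a.hash == b.hash and a.encapsulation == b.encapsulation
            and selector(a.local) == selector(b.remote)
            and selector(a.remote) == selector(b.local))


def weaknesses(p1: Phase1, p2: Phase2, psk: str) -> List[str]:
    """Flag parameters that were acceptable in 2005 but should not be kept today."""
    issues = []
    for enc in sorted({p1.encrypt, p2.encrypt}):
        if enc in ("DES", "3DES"):
            issues.append(f"{enc}: 64-bit block cipher, use AES")
    for h in sorted({p1.hash, p2.hash}):
        if h in ("MD5", "SHA-1"):
            issues.append(f"{h}: deprecated hash, use SHA-256 or better")
    if p1.dh_group < 14:
        issues.append(f"DH group {p1.dh_group}: below 2048-bit MODP, use group 14 or higher")
    if p1.mode == "aggressive" and p1.auth == "psk":
        issues.append("aggressive mode with a PSK exposes an offline-crackable hash")
    if p1.auth == "psk" and len(psk) < 20:   # threshold is this example's assumption
        issues.append("pre-shared key shorter than 20 characters")
    return issues


# The manual's values. Router side: local LAN 192.168.0.1/255.255.255.0, i.e.
# 192.168.0.0/24; remote single address 192.168.2.3. Client side mirrors them.
GATEWAY_P1 = Phase1("main", "psk", "3DES", "SHA-1", 2, 3600)
GATEWAY_P2 = Phase2("ESP", "3DES", "SHA-1", "tunnel", "192.168.0.0/24", "192.168.2.3")
CLIENT_P1 = Phase1("main", "psk", "3DES", "SHA-1", 2, None)   # SA Life: Unspecified
CLIENT_P2 = Phase2("ESP", "3DES", "SHA-1", "tunnel", "192.168.2.3", "192.168.0.0/24")
EXAMPLE_PSK = "12345678"   # the manual's placeholder key


def check_tunnel(gw1: Phase1, gw2: Phase2, cl1: Phase1, cl2: Phase2, psk: str) -> dict:
    """Return whether each phase would agree plus the list of weak choices."""
    return {"phase1": phase1_agrees(gw1, cl1),
            "phase2": phase2_agrees(gw2, cl2),
            "issues": weaknesses(gw1, gw2, psk)}


if __name__ == "__main__":
    for key, value in check_tunnel(GATEWAY_P1, GATEWAY_P2, CLIENT_P1, CLIENT_P2, EXAMPLE_PSK).items():
        print(key, value)
```

Run against the manual's values both phases agree, and the audit reports 3DES, SHA-1, DH group 2 and the eight-character placeholder key. Changing the client's cipher to DES, or widening its remote selector to 192.168.0.0/16, makes the corresponding phase fail, which is exactly what the router's VPN Status log will show as a proposal or selector mismatch.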

Page 258: ...est. a. Right-click the system tray icon to open the popup menu. b. Select Connect to open the My Connections list. c. Choose toDG834G. The DG834G Wireless ADSL Firewall Router will report the results of the attempt to connect. Once the connection is established, you can access resources of the network connected to the VPN router. Figure F-22: Connecting the PC to the DG834G over the VPN tunnel. To perform a pin...

Page 259: ...the VPN router. After a short wait, you should see the login screen of the VPN router (unless another PC already has the VPN router management interface open). Note: You can use the VPN router diagnostic utilities to test the VPN connection from the VPN router to the client PC. Run ping tests from the Diagnostics link of the VPN router main menu. Monitoring the VPN Tunnel (Telecommuter Example). Viewing the...

Page 260: ...will show SA before the name of the connection. When the connection is successful, the SA will change to the yellow key symbol. Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is th...

Page 261: ...and Log Information. To view information on the status of the VPN client connection, open the VPN router's VPN Status screen by following the steps below. 1. To view this screen, click the Router Status link of the VPN router's main menu, then click the VPN Status button. The VPN Status/Log screen for a connection is shown below. Figure F-26: VPN Status/Log screen ...

Page 262: ...NETGEAR VPN Configuration F-28. 2. To view the VPN tunnels status, click the VPN Status link on the right side of the main menu. Current VPN Tunnels (SAs) screen ...

Page 263: ...y varying encryption keys. 802.1x uses a protocol called EAP (Extensible Authentication Protocol) and supports multiple authentication methods such as token cards, Kerberos, one-time passwords, certificates and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284 (since obsoleted by RFC 3748). Access Control List (ACL): An ACL is a database that an Operating System uses to track each user's access rights to...

Page 264: ...ices that you have not defined. There are security issues with doing this, so only do this if you are willing to risk open access. DNS: See Domain Name Server. Domain Name: A descriptive name for an address or group of addresses on the Internet. Domain names are of the form of a registered entity name plus one of a number of predefined top-level suffixes such as .com, .edu, .uk and so on. For example, in the ad...

Page 265: ...ch as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers. MAC address (Media Access Control address): A unique 48-bit hardware address assigned to every Ethernet node. Usually written in the form 01:23:45:67:89:ab. Mbps: Megabits per second. MDI/MDIX: In cable wiring, the concept of transmit and receive are from the perspect...

Page 266: ...mulating a dial-up connection. PPP over Ethernet (PPPoE): PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection. PPTP (Point-to-Point Tunneling Protocol): A method for establishing a virtual private network (VPN) by embedding Microsoft's network protocol into Internet packets. PSTN: Public Switched Telephone Network. Point-to...

Page 267: ...t routers provide broadband users at home and small businesses with a seamless way to participate in online games, video conferencing and other peer-to-peer services. UTP (Unshielded twisted pair): The cable used by 10BASE-T and 100BASE-TX Ethernet networks. VCI (Virtual Channel Identifier): Together with the VPI, defines a Virtual Channel through an ATM network. Used by ATM switching equipment to route data...

Page 268: ...twork contains a WINS server, your Windows PCs can gather information from that WINS server about its local hosts. This allows your PCs to browse that remote network using Network Neighborhood. WINS: See Windows Internet Naming Service. WPA (Wi-Fi Protected Access): WPA is a specification of standards-based, interoperable security enhancements that increase the level of data protection and access control f...
