Netgear DG834 V3 User's Manual
Contents
1. [Screenshot: connection settings (Protocol, Port, Connect using Secure Gateway Tunnel, ID Type Domain Name, Gateway Hostname)]
   c. Select Secure in the Connection Security check box.
   d. Select IP Subnet in the ID Type menu.
   e. In this example, type 192.168.0.1 in the Subnet field as the network address of the DG834 v3.
   f. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the DG834 v3.
   g. Select All in the Protocol menu to allow all traffic through the VPN tunnel.
   h. Select the Connect using Secure Gateway Tunnel check box.
   i. Select Domain Name in the ID Type menu below the check box and enter fromDG834G.com (in this example).
   j. Select Gateway Hostname and enter ntgr.dyndns.org (in this example).
   k. The resulting Connection Settings are shown in Figure B-16.
   3. Configure the Security Policy in the DG834 ADSL Modem Router software.
   a. In the Network Security Policy list, expand the new connection by double-clicking its name or clicking on the symbol. My Identity and Security Policy subheadings appear below the connection name.
   (NETGEAR VPN Configuration, v1.1, October 2006, Reference Manual for the ADSL Modem Router DG834 v3)
   b. Click on the Security Policy subheading to show the Security Policy menu.
   [Screenshot: Security Policy Editor, NETGEAR ProSafe VPN Client]
2. symbol. Then select Proposal 1 below Authentication.
   [Figure 6-14: Security Policy Editor, Authentication (Phase 1), Proposal 1. Authentication Method: Pre-Shared Key; Encrypt Alg: Triple DES; Hash Alg: SHA-1; SA Life: Unspecified; Key Group: Diffie-Hellman Group 2]
   c. In the Authentication Method menu, select Pre-Shared key.
   d. In the Encrypt Alg menu, select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834 v3 in Table 6-1 on page 7. In this example, use Triple DES.
   e. In the Hash Alg menu, select SHA-1.
   f. In the SA Life menu, select Unspecified.
   g. In the Key Group menu, select Diffie-Hellman Group 2.
   6. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the DG834 v3 configuration.
   Expand the Key Exc
3. • Never: no log entries will be made for this service.
   • Always: any traffic for this service type will be logged.
   • Match: traffic of this type that matches the parameters and action will be logged.
   • Not match: traffic of this type that does not match the parameters and action will be logged.

   Order of Precedence for Rules
   As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 3-8.
   [Figure 3-8: Rules menu.
   Outbound Services (columns: #, Enable, Service Name, Action, LAN Users, WAN Servers, Log):
      1: AIM, BLOCK by schedule, Any, Any, Match
      Default: Yes, Any, ALLOW always, Any, Any, Never
   Inbound Services (columns: #, Enable, Service Name, Action, LAN Server IP address, WAN Users, Log):
      1: CU-SEEME, ALLOW always, 192.168.0.11, 134.177.88.1 - 134.177.88.254, Not Match
      2: HTTP, ALLOW always, 192.168.0.99, Any, Never
      Default: Yes, Any, BLOCK always, Any, Match]
   For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule
4. [Figure 6-31]

   Activate the VPN Tunnel by Pinging the Remote Endpoint
   Note: This section uses 192.168.3.1 for an example remote endpoint LAN IP address.
   To activate the VPN tunnel by pinging the remote endpoint (e.g., 192.168.3.1), do the following steps, depending on whether your configuration is client-to-gateway or gateway-to-gateway:
   • Client-to-Gateway Configuration: to check the VPN Connection, you can initiate a request from the remote PC to the DG834 v3's network by using the Connect option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request.
   To perform a ping test using our example, start from the remote PC:
   a. Establish an Internet connection from the PC.
   b. On the Windows taskbar, click the Start button, and then click Run.
   c. Type ping -t 192.168.3.1 and then click OK.
   [Figure 6-32: Windows Run dialog]
   This will cause a continuous ping to be sent to the first DG834 v3. After between several seconds and two minutes, the ping response should change from timed ou
5. Each key has no relationship to the previous key. This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you may have to specify the "Key Group" used. For this device, the "Key Group" is the same as the "DH Group" setting in the IKE section.

   Example of Using Auto Policy
   [Figure 6-42: VPN tunnel between DG834 VPN firewall A (WAN 14.15.16.17, LAN 192.168.0.1) and DG834 VPN firewall B (WAN 22.23.24.25, LAN 192.168.3.1), each with PCs attached]
   1. Set the LAN IPs on each DG834 v3 to different subnets and configure each properly for the Internet. The following settings are assumed for this example.
   Table 6-1. VPN Tunnel Configuration Worksheet
      Connection Name: GtoG
      Pre-Shared Key: 12345678
      Secure Association (Main Mode or Manual Keys): Main
      Perfect Forward Secrecy (Enabled or Disabled): Disabled
      Encryption Protocol (DES or 3DES): 3DES
      Authentication Protocol (MD5 or SHA-1): SHA-1
      Diffie-Hellman (DH) Group (Group 1 or Group 2): Group 2
      Key Life in seconds: 28800 (8 hours)
      IKE Life Time in seconds: 3600 (1 hour)
   Columns: VPN Endpoint, Local IPSec ID, LAN IP Address, Subnet Mask, FQDN or Gateway IP (WAN IP Address)
      DG834 v3 A, LAN A, 192.168.0.1, 255.255.255.0, 14 15 16 1
6. Reference Manual for the ADSL Modem Router DG834 v3
   NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA
   202-10153-01, October 2006
   © 2006 by NETGEAR, Inc. All rights reserved.

   Trademarks
   NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

   Statement of Conditions
   In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

   Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
   This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harm
7. whenever Internet-bound traffic is detected. If this causes high connection costs, you can disable this setting. If disabled, you must connect manually, using the sub-screen accessed from the Connection Status button on the Status screen. If you have an "Always on" connection, this setting has no effect.

   Disable Port Scan and DOS Protection
   The Firewall protects your LAN against Port Scans and Denial of Service (DOS) attacks. This should be disabled only in special circumstances.

   Respond to Ping on Internet WAN Port
   If you want the modem router to respond to a ping from the Internet, select the Respond to Ping on Internet WAN Port check box. This should only be used as a diagnostic tool, since it allows your modem router to be discovered. Do not select this box unless you have a specific reason to do so.

   MTU Size
   The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.

   Configuring LAN IP Settings
   The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface. The modem router i
8. To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the "here" link (see Figure 6-25). Click Back to return to the Summary screen.
   [Figure 6-26: VPN Consortium (VPNC) Recommendation. The following parameters are recommended by the VPNC and used in the VPN Wizard:
      Secure Association: Main Mode
      Authentication Method: Pre-shared Key
      Encryption Protocol: 3DES
      Authentication Protocol: SHA-1
      Key Life: 8 hours
      IKE Life Time: 1 hour
      NETBIOS: Enabled]
   5. Click Done on the Summary screen (see Figure 6-25) to complete the configuration procedure. The VPN Settings menu below displays, showing that the new tunnel is enabled.
   [Figure 6-27: VPN Policies policy table]
   Note: Refer to "Using Auto Policy to Configure VPN Tunnels" on page 6-36 to enable the IKE keepalive capability on an existing VPN tunnel.
   6. Repeat for the DG834 v3 on LAN B and pay special attention to use the following network settings as appropriate:
   • WAN IP of the remote VPN gateway (e.g., 14.15.16.17)
   LANI setting
9. Apply.
   • Check the box Use a Dynamic DNS Service.
   • Host Name: dg834.dyndns.org
   • User Name: user's account username
   • Password: <user's account password>
   c. Click Show Status. The resulting screen should show Update OK: good (see Figure B-7).
   [Figure B-7: DDNS Status window showing "Update OK: good"]
   4. On the FVL328, configure the Dynamic DNS settings. Assume a properly configured DynDNS account.
   a. Browse to the Dynamic DNS Setup Screen (see Figure B-8) in the Advanced menu.
   [Figure B-8: Dynamic DNS menu. Use a dynamic DNS service: None, DynDNS.org, TZO.com, ngDDNS]
   b. Select the DynDNS.org radio button (see Figure B-8), configure with appropriate account and hostname settings (see Figure B-9), and then click Apply.
   • Host and Domain Name: fvl328.dyndns.org
   • User Name: user's account username
   • Password: user's account password
   [Screenshot: Dynamic DNS menu with DynDNS.org selected]
10. [Figure 4-9: menu with Display the Routing Table and Reboot the Router options]

   Enabling Remote Management
   Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade, and check the status of your DG834 ADSL Modem Router.
   Note: Be sure to change the modem router's default password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.

   Configuring Remote Management
   1. Login to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the modem router.
   2. From the Advanced section of the main menu, select the Remote Management link.
   [Figure 4-10: Remote Management menu. Turn Remote Management On; Remote Management Address; Allow Remote Access By: Only This Computer, IP Address Range (From, To), Everyone; Port Number: 8080]
   3. Select the Turn Remote Management On check box.
   4. Specify what external addresses will be allowed to access the modem router's remote management. For security restric
11. a. In Step 1, enter toDG834 for the Connection Name.
   b. In Step 2, enter dg834.dyndns.org for the remote WAN's IP address.
   c. In Step 3, enter the following:
   • IP Address: 10.5.6.1
   • Subnet Mask: 255.255.255.0
   7. Test the VPN tunnel by pinging the remote network from a PC attached to the DG834 v3.
   a. Open the command prompt (Start > Run > cmd).
   b. ping 172.23.9.1
   [Figure B-11: ping output in the command prompt window]
   Note: The pings may fail the first time. If this happens, try the pings a second time.

   Configuration Summary (Telecommuter Example)
   The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Assure that there are no firewall restrictions.
   Table B-1. Configuration summa
12. The Local port has detected a link with a 100 Mbps device.
   Blink (Green): Data is being transmitted or received at 100 Mbps.
   (LED 4, LAN)
   On (Amber): The Local port has detected a link with a 10 Mbps device.
   Blink (Amber): Data is being transmitted or received at 10 Mbps.
   Off: No link is detected on this port.

   The Router's Rear Panel
   The rear panel of the DG834 ADSL Modem Router (Figure 2-2) contains port connections.
   [Figure 2-2: rear panel]
   Viewed from left to right, the rear panel contains the following elements:
   1. RJ-11 ADSL port for connecting the firewall to an ADSL line
   2. Four Local Ethernet RJ-45 LAN ports for connecting the firewall to the local computers
   3. Factory Default Reset push button
   4. AC power adapter outlet

   Connecting the Router to the Internet
   To connect your DG834 ADSL Modem Router to the Internet, refer to the ADSL Modem Router Setup Manual on the ADSL Modem Router Resource CD or online, as shown in the following table.
   Table 2-1
      Language: URL
      Dutch: http documentation netgear com dg534 nld 208 10032 01
      English: http documentation netgear com dg834 enu 208 10026 01
      French: http documentation netgear com dg834 fra 208 10027 01
      German: http documentation netgear com dg834 deu 208 10028 01
      Itali
13. tunnel is toDG834G and it does not have to match the VPN client Connection Name used on the gateway side of the VPN tunnel (see Figure B-16) because Connection Names are arbitrary to how the VPN tunnel functions.
   Tip: Choose Connection Names that make sense to the people using and administrating the VPN.
   [Figure B-15: Security Policy Editor, NETGEAR ProSafe VPN Client, New Connection. Remote Party Identity and Addressing: ID Type Any, Protocol All]
   [Figure B-16: Security Policy Editor, connection toDG834G. Connection Security: Secure. Remote Party Identity and Addressing: ID Type IP Subnet, Subnet 192.168.0.1, Mask 255.255.255.0]
14. 0 1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.
   2. Select the Block Sites link of the Security menu.
   [Figure 3-3: Block Sites menu. Keyword Blocking: Never, Per Schedule, Always; Type Keyword or Domain Name Here; Add Keyword; Block Sites Containing these Keywords or Domain Names; Delete Keyword; Clear List; Allow Trusted IP Address to Visit Blocked Sites; Trusted IP Address; Apply]
   3. To enable keyword blocking, select one of the following:
   • Per Schedule: to turn on keyword blocking according to the settings on the Schedule page.
   • Always: to turn on keyword blocking all of the time, independent of the Schedule page.
   4. Enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply. Some examples of Keyword application follow:
   • If the keyword "XXX" is specified, the URL http://www.badstuff.com/xxx.html is blocked.
   • If the keyword ".com" is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
   • Enter the keyword to block all Internet browsing access.
   Up to 32 entries are supported in the Keyword list.
   5. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
   6. To specify
15. 2002-05-22 22:00:19 - Log emailed
   This entry shows when the log was emailed.

   Dropped Packets
   Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source: 64.12.47.28, 4787, WAN - Destination: 134.177.0.11, 21, LAN - Inbound Default rule match
   Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source: 64.12.47.28, 10714, WAN - Destination: 134.177.0.11, 6970, LAN - Inbound Default rule match
   Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source: 64.12.47.28, 0, WAN - Destination: 134.177.0.11, 0, LAN - Inbound Default rule match
   These entries show an inbound FTP (port 21) packet, User Datagram Protocol (UDP) packet (port 6970), and Internet Control Message Protocol (ICMP) packet (port 0) being dropped as a result of the default inbound rule, which states that all inbound packets are denied.

   Enabling Security Event E-mail Notification
   In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-mail subheading.
   [Screenshot: E-mail menu. Turn E-mail Notification On; Send Alerts and Logs Via E-mail: Send To This E-mail Address, Outgoing Mail Server, My Mail Server requires authentication (User Name, Password); Send E-Mail alerts immediately: If a DoS attack is detected, If a Port Scan is detected, If someone attempts to access a blocked site; Send Logs According to this Schedule]
16. Contents
   Reference Manual for the ADSL Modem Router DG834 v3
   Chapter 1: About This Manual
      Audience, Scope, Conventions, and Formats
      How to Print this Manual
   Chapter 2: Introduction
      About the Modem [remainder of entry illegible]
      Key Features
         A Powerful, True Firewall
         Easy Installation and Management
         Protocol Support
         Virtual Private Networking (VPN)
         Auto Sensing and Auto Uplink LAN Ethernet Connections
         [entry illegible]
         Trend Micro Home Network Security
      [entry illegible]
      The Modem Router's Front Panel
      The Router's Rear Panel
      Connecting the Router to the Internet
   Chapter 3: Protecting Your Network
      Protecting Access to Your DG834 ADSL Modem Router
         How to Change the Built-In Password
         Changing the Administrator Login Timeout
      Configuring Basic Fire
17. [Figure B-26: VPN Status log screen with entries for the fromDG834G connection]
   2. To view the VPN tunnels status, click the VPN Status link on the right side of the main menu.
   [Figure B-27: Current VPN Tunnels (SAs) screen]

   Appendix C: Related Documents
   This appendix provides links to reference
18. [Figure 3-9: Services menu with Add Custom Service, Edit Service, and Delete Service buttons]
   • To create a new Service, click the Add Custom Service button.
   • To edit an existing Service, select its button on the left side of the table and click Edit Service.
   • To delete an existing Service, select its button on the left side of the table and click Delete Service.
   3. Use the page shown below to define or edit a service.
   [Figure 3-10: Add Services menu. Service Definition: Name, Type (TCP), Start Port, Finish Port; Apply]
   4. Click Apply to save your changes.

   Setting Times and Scheduling Firewall Services
   The DG834 ADSL Modem Router uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet.

   How to Set Your Time Zone
   In order to localize the time for your log entries, you must specify your Time Zone:
   1. Login to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.
   2. Select the Schedule link of the Security menu to display menu shown below.
   [Figure 3-11: Schedule menu]
   3. Sel
19. Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the modem router to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
   Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
   Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules.

   Inbound Rule Example: A Local Public Web Server
   If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 3-5.
   [Figure 3-5: Inbound Services rule for HTTP (TCP:80)]
20. Check the VPN Connection
   To check the VPN Connection, you can initiate a request from the remote PC to the VPN router's network by using the Connect option in the DG834 ADSL Modem Router menu bar (see Figure B-22). Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request.
   a. Right-click the system tray icon to open the popup menu.
   b. Select Connect to open the My Connections list. Choose toDG834G.
   The DG834 ADSL Modem Router will report the results of the attempt to connect. Once the connection is established, you can access resources of the network connected to the VPN router.
   [Figure B-22: NETGEAR ProSafe VPN Client system tray popup menu, opened with a right mouse click on the system tray icon; Connect submenu shows My Connections\toDG834G]
   To perform a ping test using our example, start from the remote PC:
   a. Establish an Internet connection from the PC.
   b. On the Windows taskbar, click the Start button, and then click Run.
   c. Type ping -t 192.168.0.1 and then click OK.
   [Screenshot: Windows Run dialog]
21. [Figure 6-44: VPN Auto Policy screen for the GtoG policy]
   5. Click Apply. The Get VPN Policies web page is displayed.
   [Figure 6-45: VPN Policies policy table showing the GtoG policy]
   6. Repeat for the DG834 v3 on LAN B and pay special attention to use the following network settings as appropriate:
   • General, Remote Address Data (e.g., 14.15.16.17)
   • Remote LAN, Start IP Address:
      IP Address (e.g., 192.168.0.1)
      Subnet Mask (e.g., 255.255.255.0)
      Preshared Key (e.g., 12345678)
   7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps:
   Note: The
22. [Figure B-3: VPN policy settings screen]
   3. Test the VPN tunnel by pinging the remote network from a PC attached to the DG834 v3.
   a. Open the command prompt (Start > Run > cmd).
   b. ping 172.23.9.1
   [Figure B-4: ping output in the command prompt window, showing replies from 172.23.9.1]
   Note: The pings may fail the first t
23. Problems with Date and Time
   The E-mail menu in the Content Filtering section displays the current date and time of day. The DG834 ADSL Modem Router uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
   • Date shown is January 1, 2000.
     Cause: The router has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the router, wait at least five minutes and check the date and time again.
   • Time is off by one hour.
     Cause: The router does not automatically sense Daylight Savings Time. In the E-mail menu, check or uncheck the box marked "Adjust for Daylight Savings Time".

   Appendix A: Technical Specifications
   This appendix provides technical specifications for the DG834 ADSL Modem Router.
   Network Protocol and Standards Compatibility
      Data and Routing Protocols
   Power Adapter
      North America
      United Kingdom, Australia
      Europe
      Japan
      All regions (output)
   Physical Specifications
      Dimensions
      Weight
   Environmental Specifications
      Operating temperature
      Operating humidity
   Electromagnetic Emissions
      Meets requirements of
   Interface
24. Technical Specifications (values)
      Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA), RFC 1483 Bridged or Routed Ethernet, and RFC 1577 Classical IP over ATM
      Power Adapter, North America: 120V, 60 Hz, input
      Power Adapter, United Kingdom, Australia: 240V, 50 Hz, input
      Power Adapter, Europe: 230V, 50 Hz, input
      Power Adapter, Japan: 100V, 50/60 Hz, input
      Power Adapter, all regions (output): 12 V AC @ 1.0A, output
      Dimensions: 6.9" x 4.7" x 1.1" (175 mm x 119 mm x 28 mm)
      Weight: 0.7 lbs (0.3 kg)
      Operating temperature: 0° to 40° C (32° to 104° F)
      Operating humidity: 90% maximum relative humidity, noncondensing
      Electromagnetic Emissions, meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
      Interface, LAN: 10BASE-T or 100BASE-Tx, RJ-45
      Interface, WAN: ADSL, ADSL2, Dual RJ-11, pins 2 and 3; T1.413, G.DMT, G.Lite; ITU Annex A or B (Annex B unit is DG834B)

   Appendix B: NETGEAR VPN Configuration, DG834 v3 to FVL328
   This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR DG834 v3 to a FVL328. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).

   Configuration Profile
   The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters t
25. [Figure 4-8] Turn e-mail notification on: Select this check box if you want to receive e-mail logs and alerts from the modem router. Send alerts and logs via email. Send To This E-mail Address: Enter the e-mail address where you want to send the alerts and logs. Use a full e-mail address, such as ChrisXY@myISP.com. Outgoing Mail Server: Enter the name or IP address of the outgoing SMTP mail server of your ISP, such as mail.myISP.com. Check My Mail Server requires authentication if you need to login to your SMTP server to send e-mail. If you check this box, you must enter the user name and password for the mail server. Tip: If you cannot remember the above information from when you set up your e-mail account, check the settings in your e-mail program. Send alert immediately: Select the corresponding check box if you would like immediate notification of a significant security event, such as a known attack, port scan, or attempted access to a blocked site. Send logs according to this schedule: Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full. Day for sending log: Specifies which day of the week to send the log. Relevant when the log is sent weekly or daily. Time for sending log: Specifies the time of day to send the log. Relevant when th
26. VPN Status screen is only one of three ways to activate a VPN tunnel. See "Activating a VPN Tunnel" on page 6-27 for information on the other ways. a. Open the DG834 v3 management interface and click on VPN Status to display the VPN Status Log screen (Figure 6-46). [Figure 6-46: VPN Status Log screen. The GtoG entries, time-stamped Tue 2004-06-22 22:58:26 to 22:58:27, read: initiating Main Mode; ISAKMP SA established; sent QI2, IPsec SA established.] b. Click VPN Status (Figure 6-46) to display the Current VPN Tunnels (SAs) screen (Figure 6-47). Click on Connect for the VPN tunnel you want to activate. [Figure 6-47: Current VPN Tunnels (SAs) screen, listing the GtoG policy with a Connect action.] c. Review the VPN Status Log screen (Figure 6-46) to verify that the tunnel is connected. Using Manual Policy to Configure VPN Tunnels: As an alternative to IKE, you may use Manual Keying, in which you must specify each phase of the connec
27. access, click Active. To completely disable this user's Internet access, click Inactive. 3. Select the access profile that will apply to this user as follows: a. To select a predefined profile, click Apply Profile and then choose a profile from the list. b. To create a custom profile, click Use Custom Settings and then select the check boxes as desired. For additional choices, click More Categories. c. To allow unrestricted Internet access, click No Restrictions. d. Click Apply. To change a user's account information: 1. Select the user's name in the User Account Information table, and then click Edit. 2. Make the desired changes, and then click Apply. To delete a user, select the user's name in the User Account Information table, and then click Delete. Parental Controls Logs: Click Parental Controls Logs to view attempts to access restricted sites and actual accesses. Blocking criteria for potentially offensive categories: Trend Micro has defined twelve potentially offensive categories of Web sites. Following are the blocking criteria for each category. Adult/Mature Content: Sites that contain material of an adult nature, but without excessive violence, sexual content, or nudity. These sites may include profane or vulgar content not appropriate for children. Alcohol/Tobacco: Sites that promote or sell alcohol an
28. click Refresh to be sure the Java applet is loaded. Try quitting the browser and launching it again. Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information. If the router does not save changes you have made in the Web Configuration Interface, check the following: When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost. Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration. Troubleshooting the ISP Connection: If your router is unable to access the Internet, you should check the ADSL connection, then the WAN TCP/IP connection. ADSL link: If your router is unable to access the Internet, you should first determine whether you have an ADSL link with the service provider. The state of this connection is indicated with the Internet LED. Internet LED Green or Blinking Green: If your Internet LED is green or blinking green, then you have a good ADSL connection. You can be confident that the service provider has connected your line correctly and that your wiring is correct. Internet LED Blinking Amber: If your Internet LED is blinking a
29. clicking its name or clicking on the symbol. Then select Proposal 1 below Key Exchange. [Figure B-21: Security Policy Editor, NETGEAR ProSafe VPN Client, showing Proposal 1 under Key Exchange (Phase 2).] In the SA Life menu, select Unspecified. In the Compression menu, select None. Check the Encapsulation Protocol (ESP) checkbox. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. In the Hash Alg menu, select SHA-1. In the Encapsulation menu, select Tunnel. Leave the Authentication Protocol (AH) checkbox unchecked. 7. Save the VPN Client settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router's LAN. 8
30. [Figure B-5: DG834 (FQDN) and FVL328 (FQDN), each labelled with a dyndns.org hostname.] Note: Product updates are available on the NETGEAR, Inc. web site at http kbserver netgear com DG834 v3 asp. The Use of a Fully Qualified Domain Name (FQDN): Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing. This means that a user's IP address does not remain constant over time, which presents a challenge for gateways attempting to establish VPN connectivity. A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned to be located by a host or domain name. It provides a central public database where information (such as email addresses, host names, and IP addresses) can be stored and retrieved. Now, a gateway can be configured to use a 3rd party service in lieu of a permanent and unchanging IP address to establish bi-directional VPN connectivity. To use DDNS, you must register with a DDNS service provider. Example DDNS Service Providers include: DynDNS (www.dyndns.org), TZO.com (netgear.tzo.com), and ngDDNS (ngddns.iego.net). In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname dg834.dyndns.org for gateway A using the DynDNS service. Gateway B will use the DDNS Service
32. screen. 1. Log in to the VPN router at its LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Policies link in the main menu to display the VPN Policies screen. Click Add Auto Policy to proceed and enter the information. [Figure B-13: VPN Auto Policy screen.] Callouts for Figure B-13: fromDG834G in the example; Dynamic IP address; IKE Keep Alive is optional, must match Remote LAN IP Address when enabled (remote PC must respond to pings); Subn
33. select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times. 4. Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and 30 minutes, and 10:30 pm would be 22 hours and 30 minutes. If you set the start time after the end time, the schedule will be effective through midnight the next day. 5. Click Apply to save your changes. Trend Micro Home Network Security: You can enable Home Network Security as described in this section if you did not do so when you originally set up your router. Home routers provide an enhanced Internet experience, but the likelihood of attacks also increases. Trend Micro Home Network Security addresses the security needs of computers accessing the Internet via home routers. Note: The DG834 ADSL Modem Router supports Home Network Security. To take advantage of this feature, you must register an account with Trend Micro. For more information, refer to the Home Network Security Quick Start Guide on the NETGEAR Resource CD or to http://www.trendmicro.com/offers/netgear. The Trend Micro software requires Microsoft Internet Explorer 5.5 or higher. To begin using Home Network Security, configure the Security Service and Parental Controls menus on your DG834 ADSL Modem Router. Each screen has a GUI button to click that will
34. time. Otherwise, select the desired option (IP address or Domain Name) and enter the address of the remote VPN endpoint to which you wish to connect. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its Remote VPN Endpoint. IKE Keep alive: Enable this if you wish to ensure that a connection is kept open or, if that is not possible, that it is quickly re-established when disconnected. The Ping IP Address must be associated with the remote endpoint. The remote LAN address must be used. This IP address will be pinged periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address must be covered by the remote LAN IP range and must correspond to a device that can respond to ping. The range should be made as narrow as possible to meet this objective. Local LAN: This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows. Single address: enter an IP address in the Single Start IP address field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users. Range address: enter the starting IP address in the Single Start IP address field and the finish IP address in the Finish IP address field. This must be an address range used on your LAN. Subnet address: enter an IP address in the Single Start IP address field and the desired network mask in the Subnet Mask fi
35. to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel. 2. The Connection Monitor screen is shown below. [Figure B-25: Connection Monitor, NETGEAR ProSafe VPN Client.] While the connection is being established, the Connection Name field in this menu will show SA before the name of the connection. When the connection is successful, the SA will change to the yellow key symbol. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to have normal Internet access. Viewing the VPN Router's VPN Status and Log Information: To view information on the status of the VPN client connection, open the VPN router's VPN Status screen by following the steps below. 1. To view this screen, click the Router Status link of the VPN router's main menu, then click the VPN Status button. The VPN Status Log screen for a connection is shown below. [Figure: VPN Status Log screen.]
36. 1999 5 EF Deutsch Hiermit erkl rt NETGEAR Inc dass sich das Ger t DG834 ADSL Modem Router in German bereinstimmung mit den grundlegenden Anforderungen und den brigen einschl gigen Bestimmungen der Richtlinie 1999 5 EG befindet Eesti Kaesolevaga kinnitab NETGEAR Inc seadme DG834 ADSL Modem Router vastavust Estonian direktiivi 1999 5 EU p hin uetele ja nimetatud direktiivist tulenevatele teistele asjakohastele s tetele English Hereby NETGEAR Inc declares that this DG834 ADSL Modem Router is in compliance with the essential requirements and other relevant provisions of Directive 1999 5 EC Espanol Por medio de la presente NETGEAR Inc declara que el DG834 ADSL Modem Router Spanish cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999 5 CE EAAnviK ME THN lIAPOY2A NETGEAR Inc AHAONEI OTI DG834 ADSL Modem Router Greek ZYMMOPOONETAI lIPO2 TIZ OYZIOAEIZ ANAITHZEIZ KAI TIX AOITIEX ZXETIKE2 AIATAZEIX TH OAHMAZ 1999 5 EK Francais Par la pr sente NETGEAR Inc d clare que l appareil DG834 ADSL Modem Router est French conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999 5 CE Italiano Con la presente NETGEAR Inc dichiara che questo DG834 ADSL Modem Router Italian conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999 5 CE Latviski Ar o NETGEAR Inc
37. 2. Configure the FVL328 as in the Gateway-to-Gateway procedures for the VPN Wizard (see "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20), being certain to use appropriate network addresses for the environment. a. In Step 1, enter toDG834 for the Connection Name. b. In Step 2, enter 14.15.16.17 for the remote WAN's IP address. c. In Step 3, enter the following: IP Address: 10.5.6.1; Subnet Mask: 255.255.255.0. [Figure: FVL328 IKE Policies screen for toDG834. Click IKE Policies under VPN to invoke this screen.] [Figure: FVL328 VPN Policies and VPN Auto Policy screens for toDG834. Click VPN Policies under VPN to invoke this screen.]
38. 1. Log in to the Modem Router. 2. Open the DG834 v3 management interface and click VPN Policies to display the VPN Policies screen (Figure 6-40). Select the radio button for the VPN tunnel to be deleted and click the Delete button. [Figure 6-40: VPN Policies screen, Policy Table.] How to Set Up VPN Tunnels in Special Circumstances: When the VPN Wizard and its VPNC defaults (see Table 6-2) are not appropriate for your special circumstances, use one of the following alternatives. Auto Policy: for a typical automated Internet Key Exchange (IKE) setup, see "Using Auto Policy to Configure VPN Tunnels" on page 6-36. Auto Policy uses the IKE protocol to define the authentication scheme and automatically generate the encryption keys. Manual Policy: for a Manual Keying setup in which you must specify each phase of the connection, see "Using Manual Policy to Configure VPN Tunnels" on page 6-46. Manual Policy does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex and there are more opportunities for errors or configuration mismatches between your D
40. 34 ADSL Modem Router; AC power adapter (varies by region); Category 5 (Cat 5) Ethernet cable; Telephone cable with RJ-11 connector; Microfilters (quantity and type vary by region); ADSL Modem Router Resource CD, including this guide; A Printed Quick Installation Guide; Warranty and Support Information Cards; Two plastic feet that can be used to stand the DG834 ADSL Modem Router on end. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair. The Modem Router's Front Panel: The DG834 ADSL Modem Router front panel shown below contains status LEDs. [Figure 2-1: front panel.] You can use the LEDs to verify various conditions. Table 2-1 lists and describes each LED on the front panel of the modem router. These LEDs are green when lit.
Table 2-1. LED Descriptions (Label, Activity, Description)
1. Power, On: Power is supplied to the modem router.
1. Power, Off: Power is not supplied to the modem router.
2. Test, On: The system is initializing.
2. Test, Off: The system is ready and running.
3. Internet, Blink Amber: Indicates ADSL training.
3. Internet, On Green: The Internet port has detected a link with an attached device.
3. Internet, Blink Green: Data is being transmitted or received by the Internet port.
On Green
42. [Figure 6-10] Select Secure in the Connection Security check box. Select IP Subnet in the ID Type menu. In this example, type 192.168.3.1 in the Subnet field as the network address of the DG834 v3. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the DG834 v3. Select All in the Protocol menu to allow all traffic through the VPN tunnel. Select the Connect using Secure Gateway Tunnel check box. Select IP Address in the ID Type menu below the check box. Enter the public WAN IP Address of the DG834 v3 in the field directly below the ID Type menu. In this example, 22.23.24.25 would be used. The resulting Connection Settings are shown in Figure 6-10. 3. Configure the Security Policy in the NETGEAR ProSafe VPN Client software. a. In the Network Security Policy list, expand the new connection by double clicking its name or clicking on the symbol. My Identity and Security Policy subheadings appear below the connection name. b. Click on the Security Policy subheading to show the Security Policy menu. [Figure: Security Policy Editor, NETGEAR ProSafe VPN Client, showing the Security Policy menu with Select Phase 1 Negotiation Mode.]
43. 6 bit key. Faster but less secure than 3DES. 3DES: (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. Authentication: select the desired SHA-1 or MD5 Authentication Algorithm and enter the key in the field provided. For MD5, the keys should be 16 ASCII characters. For SHA-1, the keys should be 20 ASCII characters. MD5: 128 bits, faster but less secure. SHA-1: default, 160 bits, slower but more secure. Chapter 7, Troubleshooting: This chapter gives information about troubleshooting your DG834 ADSL Modem Router. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. Is the router on? Have I connected the router correctly? Go to "Basic Functioning" on page 7-1. I can't access the router's configuration with my browser. Go to "Troubleshooting the Web Configuration Interface" on page 7-3. I've configured the router but I can't access the Internet. Go to "Troubleshooting the ISP Connection" on page 7-4. I can
44. [Figure B-23] This will cause a continuous ping to be sent to the VPN router. After between several seconds and two minutes, the ping response should change from "timed out" to "reply". [Figure B-24: output of ping 192.168.0.1, showing replies from 192.168.0.1.] Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the VPN router. After a short wait, you should see the login screen of the VPN router (unless another PC already has the VPN router management interface open). Note: You can use the VPN router diagnostic utilities to test the VPN connection from the VPN router to the client PC. Run ping tests from the Diagnostics link of the VPN router main menu. Monitoring the VPN Tunnel (Telecommuter Example). Viewing the PC Client's Connection Monitor and Log Viewer: To view information on the progress and status of the VPN client connection, open the DG834 ADSL Modem Router Log Viewer. 1. To launch this function, click on the Windows Start button, then select Programs, then DG834 ADSL Modem Router, then Log Viewer. Note: Use the active VPN tunnel information and pings
45. 7. DG834 v3 B: LAN B, 192.168.3.1, 255.255.255.0, 22.23.24.25. 2. Open the DG834 v3 on LAN A management interface and click on VPN Policies. [Figure 6-43: VPN Policies screen, Policy Table, with Add Auto Policy and Add Manual Policy buttons.] 3. Click Add Auto Policy. 4. Enter policy settings (see Figure 6-44).
General
Policy Name: GtoG
Remote VPN Endpoint Address Type: Fixed IP Address
Remote VPN Endpoint Address Data: 22.23.24.25
Local LAN: use default setting
Remote LAN IP Address: select Subnet address from the pulldown menu
Start IP address: 192.168.3.1
Subnet Mask: 255.255.255.0
IKE
Direction: Initiator and Responder
Exchange Mode: Main Mode
Diffie-Hellman (DH) Group: Group 2 (1024 Bit)
Local Identity Type: use default setting
Remote Identity Type: use default setting
Parameters
Encryption Algorithm: 3DES
Authentication Algorithm: MD5
Pre-shared Key: 12345678
[Figure 6-44: VPN Auto Policy screen.]
46. [Figure B-18] b. Choose None in the Select Certificate menu. c. Select Domain Name in the ID Type menu, and enter toDG834G.com (in this example) in the box below it. Choose Disabled in the Virtual Adapter menu. d. In the Internet Interface box, select Intel PRO 100VE Network Connection (in this example; your Ethernet adapter may be different) in the Name menu, and enter 192.168.2.3 (in this example) in the IP Addr box. e. Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the DG834 v3's Pre-Shared Key and click OK. In this example, 12345678 is entered. This field is case sensitive. [Figure B-19: Pre-Shared Key dialog box. Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key.] 5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the VPN router configuration. a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the symbol.
47. ADSL: These parameters apply to the Local WAN port of the modem router.
Firmware Version: The version of the firmware.
Modem Status: The connection status of the modem.
Downstream Speed: The speed at which the modem is receiving data from the ADSL line.
Upstream Speed: The speed at which the modem is transmitting data to the ADSL line.
VPI: The Virtual Path Identifier setting.
VCI: The Virtual Channel Identifier setting.
Click the Show Statistics button to display modem router usage statistics, as shown in Figure 4-3 below. [Figure 4-4: statistics screen showing System Up Time, per-port Status, TxPkts, RxPkts, Collisions, Tx B/s, Rx B/s and Up Time for WAN and LAN, the ADSL Link Downstream and Upstream Connection Speed, Line Attenuation and Noise Margin, and the Poll Interval.] This screen shows the following statistics:
Table 4-1. Router Statistics Fields (Field, Description)
WAN, LAN, or Serial Port: The statistics for the WAN (Internet), LAN (local), and Serial ports. For each port, the screen displays:
Status: The link status of the port.
TxPkts: The number of packets transmitted on this port since reset or manual clear.
RxPkts: The number of packets received on this port since reset or manual clea
48. AN 8. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the DG834 v3's network by using the Connect option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. To perform a ping test using our example, start from the remote PC: a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.3.1, and then click OK. [Figure 6-16: Windows Run dialog with the ping command entered.] This will cause a continuous ping to be sent to the first DG834 v3. After between several seconds and two minutes, the ping response should change from "timed out" to "reply". [Figure 6-17: ping output showing replies.] Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote DG834 v3. After a short wait, you should see the login scre
49. Remote VPN Endpoint: select the desired option (IP address or Fully Qualified Domain Name) and enter the address of the remote VPN endpoint to which you wish to connect. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its Remote VPN Endpoint. Local LAN: This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows. Single address: enter an IP address in the Single/Start IP address field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users. Range address: enter the starting IP address in the Single/Start IP address field, and the finish IP address in the Finish IP address field. This must be an address range used on your LAN. Subnet address: enter an IP address in the Single/Start IP address field, and the desired network mask in the Subnet Mask field. The remote VPN endpoint must have these IP addresses entered as its Remote addresses. Remote LAN: This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows. Single PC, no Subnet: select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. Single address: enter an IP address in t
50. C address. Note that if the modem router is rebooted, the table data is lost until the modem router rediscovers the devices. To force the modem router to look for attached devices, click the Refresh button. Viewing, Selecting, and Saving Logged Information. The modem router will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page can show you when someone on your network tries to access a blocked site. If you enabled e-mail notification, you will receive these logs in an e-mail message. If you do not have e-mail notification enabled, you can view the logs here. An example of the logs file is shown below. [Figure: Logs screen dated 2003-08-26, listing timestamped entries for NTP requests and replies, administrator logins, and TCP and ICMP packet events.]
51. Controls to select General mode. In General mode, one access profile applies to all users. Click Use Per User Controls to select Per User mode. In Per User mode, each user has an individual access profile. Note: When in Per User mode, everyone accessing the Internet through the router is required to log in. To configure General mode: 1. Enter a password in the Parental Controls Bypass Password box, re-enter it in the Confirm password box, and then click Apply. This password allows users to access pages that are blocked by Parental Controls. 2. Select the access profile that will apply to all users, as follows: a. To select a predefined profile, click Apply Profile, and then choose a profile from the list. b. To create a custom profile, click Use Custom Settings, and then select the check boxes as desired. For additional choices, click More Categories. c. To allow unrestricted Internet access, click No Restrictions. 3. Click Apply. To configure Per User mode: The User Account Information table in Per User mode shows each user's name, access profile, and status. Users with Active status can access the Internet sites permitted by their access profiles. Users with Inactive status cannot log in and cannot access any Internet sites. To add a new user: 1. Click Add. Type the new user's login name and password, and then re-enter the password in the Confirm password box. 2. Select the new user's status. To allow Internet
52. DSL port use the cable that was supplied with the DG834 v3. Troubleshooting the Web Configuration Interface. If you are unable to access the router's Web Configuration interface from a computer on your local network, check the following: If you are using an Ethernet-connected computer, check the Ethernet connection between the computer and the router as described in the previous section. Make sure your computer's IP address is on the same subnet as the router. If you are using the recommended addressing scheme, your computer's address should be in the range of 192.168.0.2 to 192.168.0.254. Follow the instructions in "Preparing a Computer for Network Access" in Appendix C to configure your computer. Note: If your computer's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the router and reboot your computer. If your router's IP address was changed and you do not know the current IP address, clear the router's configuration to factory defaults. This will set the router's IP address to 192.168.0.1. This procedure is explained in "Using the Reset button" on page 7-9. Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer
53. G834 v3 and the corresponding VPN endpoint gateway or client workstation. Using Auto Policy to Configure VPN Tunnels. You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end must match the inbound VPN settings on the other end, and vice versa. See "Example of Using Auto Policy" on page 6-41 for an example of using Auto Policy. Configuring VPN Network Connection Parameters. All VPN tunnels on the DG834 ADSL Modem Router require configuring several network parameters. This section describes those parameters and how to access them. The most common configuration scenarios will use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate and update the required encryption parameters. Click the VPN Policies link of the main menu, and then click the Add Auto Policy button to display the VPN Auto Policy menu shown in Figure 6-41. [Figure: VPN Policies screen with the Policy Table (columns Enable, Name, Type, Local, Remote, ESP) and the Edit, Delete, Apply, Cancel, Add Auto Policy, and Add Manual Policy buttons, followed by the VPN Auto Policy menu.]
54. It may be necessary to use a swapper if your ADSL signal is on pins 1 and 4 of the RJ-11 jack. The DG834 ADSL Modem Router uses pins 2 and 3. Obtaining a WAN IP Address. If your modem router is unable to access the Internet, and your Internet LED is green or blinking green, you should determine whether the modem router is able to obtain an IP address from the ISP. Unless you have been assigned a static IP address, your modem router must request an IP address from the ISP. You can determine whether the request was successful using the browser interface. To check the WAN IP address from the browser interface: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the modem router's configuration at http://192.168.0.1. 3. Under the Maintenance heading, check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your modem router has not obtained an IP address from your ISP. If your router is unable to obtain an IP address from the ISP, the problem may be one of the following: Your ISP may require a Multiplexing Method or Virtual Path Identifier/Virtual Channel Identifier parameter. Verify with your ISP the Multiplexing Method and parameter value, and update the router's ADSL Settings accordingly. Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA) login. If you have selected a login program, you may have incorr
55. Local computers must access the local server using the computer's local LAN address (192.168.0.11 in the example in Figure 3-6 above). Attempts by local computers to access the server using the external WAN IP address will fail. Outbound Rules (Service Blocking). The DG834 v3 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on: IP address of the local computer (source address); IP address of the Internet site being contacted (destination address); time of day; type of service being requested (service port number). Following is an application example of outbound rules. Outbound Rule Example: Blocking Instant Messenger. If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the modem router log any attempt to use Instant Messenger during that blocked period. [Figure: Outbound Services screen with Service set to AIM (TCP 5190) and the Action, LAN Users, and WAN Users fields.]
56. Maintenance heading of the Main Menu, select the Settings Backup menu as seen in Figure 4-1. Enter the full path to the file on your network, or click the Browse button to locate the file. When you have located the .cfg file, click the Restore button to upload the file to the modem router. 5. The modem router will then reboot automatically. How to Erase the Configuration. It is sometimes desirable to restore the modem router to the factory default settings. This can be done by using the Erase function. 1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen. 2. The modem router will then reboot automatically. After an erase, the modem router's password will be password, the LAN IP address will be 192.168.0.1, and the modem router's DHCP client will be enabled. Note: To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the modem router. See Figure 2-2 on page 2-8. Upgrading the Modem Router's Firmware. The software of the DG834 ADSL Modem Router is stored in FLASH memory and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is a compressed (.ZIP) file, you must first extract the binary (.BIN or .IMG) file before uploading it to the modem router.
57. Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the destination. This is a direct connection, so it is set to 1. Private is selected only as a precautionary security measure in case RIP is activated. How to Configure Static Routes. 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the router. 2. From the Main Menu of the browser interface, under Advanced, click Static Routes to view the Static Routes menu shown in Figure 5-5. [Figure 5-5: Static Routes table with columns Active, Name, Destination, and Gateway, listing a route to 134.177.0.0 through gateway 192.168.0.100, with Add, Edit, and Delete buttons.] 3. To add or edit a Static Route: a. Click the Add button to add a new route, or the Edit button to edit an existing route. The Static Routes screen will be displayed as shown in Figure 5-6. [Figure 5-6: Static Routes entry screen with Route Name, Private and Active check boxes, Destination IP Address, IP Subnet Mask, Gateway IP Address, and Metric fields, and Apply and Cancel buttons.] b. Type a route name for this static route in the Route Name box under the table. This is for identification purpose only. c
58. b. Expand the Authentication subheading by double-clicking its name or clicking on the symbol. Then select Proposal 1 below Authentication. [Figure B-20: Security Policy Editor (NETGEAR ProSafe VPN Client) with Authentication (Phase 1) Proposal 1 selected, showing Authentication Method Pre-Shared Key, Encrypt Alg Triple DES, Hash Alg SHA-1, SA Life Unspecified, and Key Group Diffie-Hellman Group 2.] c. In the Authentication Method menu, select Pre-Shared key. d. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. e. In the Hash Alg menu, select SHA-1. f. In the SA Life menu, select Unspecified. g. In the Key Group menu, select Diffie-Hellman Group 2. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the VPN router configuration. a. Expand the Key Exchange subheading by double
59. Provider when establishing a VPN tunnel. In order to establish VPN connectivity, Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider. Again, the following step-by-step procedures assume that you have already registered with a DDNS Service Provider and have the configuration information necessary to set up the gateways. Step-By-Step Configuration. 1. Log in to the DG834 v3 labeled Gateway A as in the illustration. Out of the box, the DG834 v3 is set for its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password. For this example, we will assume you have set the local LAN address as 10.5.6.1 for Gateway A and have set your own password. 2. Click on the Dynamic DNS link on the left side of the Settings management GUI. This will take you to the Dynamic DNS Menu. 3. On the DG834 v3, configure the Dynamic DNS settings. a. Browse to the Dynamic DNS Setup Screen (see Figure B-6) in the Advanced menu. [Figure B-6: Dynamic DNS screen with the Use a Dynamic DNS Service check box, Service Provider (www.DynDNS.org), Host Name, User Name, Password, and Use Wildcards fields, and Apply, Cancel, and Show Status buttons.] b. Configure this screen with appropriate account and hostname settings, and then click
60. [Figure 6-11: Security Policy settings showing the Select Phase 1 Negotiation Mode options (Main Mode, Aggressive Mode, Use Manual Keys), Enable Perfect Forward Secrecy (PFS) with PFS Key Group, and Enable Replay Detection.] c. Select the Main Mode in the Select Phase 1 Negotiation Mode check box. 4. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide the Pre-Shared Key that you configured in the DG834 v3 and either a fixed IP address or a fixed virtual IP address of the VPN client PC. a. In the Network Security Policy list on the left side of the Security Policy Editor window, click on My Identity. [Figure 6-12: Security Policy Editor (NETGEAR ProSafe VPN Client) My Identity screen with Select Certificate, Pre-Shared Key, ID Type, Port, Virtual Adapter, Internal Network IP Address, and Internet Interface fields.] b. Choose None in the Select Certificate menu. c. Select IP Address in the ID Type menu. If you are using a virtual fixed IP address, enter this addre
61. R Inc. hereby declares that the DG834 ADSL Modem Router meets the essential requirements and all relevant provisions of Directive 1999/5/EC (Slovak). NETGEAR Inc. hereby declares that this DG834 ADSL Modem Router type of device complies with the essential requirements of Directive 1999/5/EC and the other provisions of the directive that apply to it (Finnish). NETGEAR Inc. hereby certifies that this type of equipment conforms to the essential requirements and other relevant provisions set out in Directive 1999/5/EC (Swedish). A printed copy of the EU Declaration of Conformity certificate for this product is provided in the DG834 v3 product package. Certificate of the Manufacturer/Importer. It is hereby certified that the DG834 ADSL Modem Router has been suppressed in accordance with the conditions set out in the BMPT Amtsbl
62. SL modem, modem router, 4-port switch, and firewall, which enables your entire network to safely share an Internet connection that otherwise would be used by a single computer. Note: If you are unfamiliar with networking and routing, refer to "Internet Networking and TCP/IP Addressing" in Appendix C to become more familiar with the terms and procedures used in this manual. About the Modem Router. The DG834 ADSL Modem Router provides continuous, high-speed 10/100 Ethernet access between your Ethernet devices. With minimum setup, you can install and use the modem router within minutes. The DG834 ADSL Modem Router provides multiple Web content filtering options, plus e-mail alerts and logging. Parents and network administrators can establish restricted access policies based on time of day, Web site addresses, and address keywords. They can also share high-speed ADSL Internet access for up to 253 personal computers. The included firewall and Network Address Translation (NAT) features protect you from hackers. The DG834 v3 also supports Trend Micro Home Network Security, a bundle of services that includes router-based Parental Controls and network-wide protection from viruses, Trojans, spyware, spam, and other Internet threats. Key Features. The DG834 ADSL Modem Router provides the following features: A built-in ADSL modem. A power
63. Connection Name: RoadWarrior. Pre-Shared Key: 12345678. Secure Association (Main Mode or Manual Keys): Main. Perfect Forward Secrecy (Enabled or Disabled): Disabled. Encryption Protocol (DES or 3DES): 3DES. Authentication Protocol (MD5 or SHA-1): SHA-1. Diffie-Hellman (DH) Group (Group 1 or Group 2): Group 2. Key Life in seconds: 28800 (8 hours). IKE Life Time in seconds: 3600 (1 hour). VPN Endpoint Client: Local IPSec ID toDG834; FQDN or Gateway IP (WAN IP Address) Dynamic. VPN Endpoint DG834 v3: Local IPSec ID toClient; LAN IP Address 192.168.3.1; Subnet Mask 255.255.255.0; FQDN or Gateway IP (WAN IP Address) 22.23.24.25. Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the DG834 v3 at its LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed. [Figure 6-4: VPN Wizard screen. The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the VPN Settings link on the left menu.] 2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and
64. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP. d. Select Active to make this route effective. e. Type the Destination IP Address of the final destination. f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. g. Type the Gateway IP Address, which must be a router on the same LAN segment as the router. h. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. 4. Click Apply to have the static route entered into the table. Universal Plug and Play (UPnP). Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network. 1. Click UPnP on the main menu to invoke the UPnP menu. [Figure 5-7: UPnP screen with the Turn UPnP On check box, Advertisement Period (in minutes), Advertisement Time To Live (in hops), and the UPnP Portmap Table (columns Active, Protocol, Int. Port, Ext. Port, IP Address), with Apply, Cancel, and Refresh buttons.] 2. Fill out the UPnP screen. Turn UPnP On: UPnP can be enabled or
65. VPN Tunnel Control. Activating a VPN Tunnel. There are three ways to activate a VPN tunnel: Use the VPN Status page. Activate the VPN tunnel by pinging the remote endpoint. Start using the VPN tunnel. Note: Refer to "Using Auto Policy to Configure VPN Tunnels" on page 6-36 to enable the IKE keepalive capability on an existing VPN tunnel. Using the VPN Status Page to Activate a VPN Tunnel. To use the VPN Status screen to activate a VPN tunnel, perform the following steps: 1. Log in to the Modem Router. 2. Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 6-30). [Figure 6-30: VPN Status Log screen with entries dated 2004-06-22 for the GtoG policy: initiating Main Mode, ISAKMP SA established, and IPsec SA established.] 3. Click on VPN Status (Figure 6-30) to get the Current VPN Tunnels (SAs) screen (Figure 6-31). Click on Connect for the VPN tunnel you want to activate. [Figure: Current VPN Tunnels (SAs) window with columns SPI In, SPI Out, Policy Name, Remote Endpoint, Action, SLifeTime, and HLifeTime.]
66. VPN features: Supports 5 VPN connections. Supports industry-standard VPN protocols: The DG834 ADSL Modem Router supports standard Manual or IKE keying methods, standard MD5 and SHA-1 authentication methods, and standard DES and 3DES encryption methods. It is compatible with many other VPN products. Supports 3DES encryption for maximum security. VPN Wizard based on VPNC recommended settings. Auto Sensing and Auto Uplink LAN Ethernet Connections. With its internal 4-port 10/100 switch, the DG834 v3 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. The local LAN ports are autosensing and capable of full-duplex or half-duplex operation. The modem router incorporates Auto Uplink technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection, such as to a computer, or an uplink connection, such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Content Filtering. With its content filtering feature, the DG834 v3 prevents objectionable content from reaching your PCs. The modem router allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the modem router t
67. Vfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement. This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling. Product and Publication Details. Model Number: DG834 v3. Publication Date: October 2006. Product Family: Modem Router. Product Name: DG834 ADSL Modem Router. Home or Business Product: Home. Language: English. Publication Part Number: 202-10153-01. Change History (Version, Date Published, Change Description): 1.0, January 2006, Original publication. 1.1, October 2006, Removed NETBIOS feature.
68. How to Upgrade the Modem Router Firmware. Note: NETGEAR recommends that you back up your configuration before doing a firmware upgrade. After the upgrade is complete, you may need to restore your configuration settings. 1. Download and unzip the new software file from NETGEAR. The Web browser used to upload new firmware into the modem router must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer 5.0 or above, or Netscape Navigator 4.7 or above. 2. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the modem router. 3. From the Main Menu of the browser interface, under the Maintenance heading, select the Modem Router Upgrade heading to display the menu shown in Figure 4-2. [Figure 4-2: Router Upgrade screen, "Locate and Select the Upgrade File from your Hard Disk".] 4. In the Modem Router Upgrade menu, click Browse to locate the binary (.BIN or .IMG) upgrade file. 5. Click Upload. Note: When uploading software to the modem router, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the software. When the upload is
69. a trusted user, enter that computer's IP address in the Trusted IP Address box and click Apply. You can specify one trusted user, which is a computer that will be exempt from blocking and logging. Since the trusted user will be identified by an IP address, you should configure that computer with a fixed IP address. 7. Click Apply to save your settings. Note: The Block Sites feature is disabled when the Trend Micro Home Security feature is enabled. This is because the Trend security system incorporates its own site blocking capability. Firewall Rules. Firewall rules are used to block or allow specific traffic passing through from one side of the router to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to. A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the DG834 v3 are: Inbound: Block all access from outside except responses to requests from the LAN side. Outbound: Allow all access from the LAN side to the outside. You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow ac
70. an http documentation netgear com dg634 ita 208 10029 01 Spanish http documentation netgear com dg634 esp 208 10030 01 Swedish http documentation netgear com dg854 sve 208 10031 01 Chapter 3: Protecting Your Network. This chapter describes how to use the basic firewall features of the DG834 ADSL Modem Router to protect your network. It also describes how to configure Trend Micro Home Network Security. Protecting Access to Your DG834 ADSL Modem Router. For security reasons, the modem router has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. When prompted, enter admin for the modem router User Name and password for the modem router Password. You can use procedures below to change the modem router's password and the amount of time for the administrator's login timeout. Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection. NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters. How to Change the Bui
71. Chapter 5: Advanced Configuration. This chapter describes how to configure the advanced features of your DG834 ADSL Modem Router. Configuring Advanced Security. The DG834 ADSL Modem Router provides a variety of advanced features, such as: Setting up a Demilitarized Zone (DMZ) Server; Connecting Automatically, as Required; Disabling Port Scan and DOS Protection; Responding to a Ping on the Internet WAN Port; MTU Size; Flexibility on configuring your LAN TCP/IP settings; Using the Router as a DHCP Server; Configuring Dynamic DNS; Configuring Static Routes. These features are discussed below. Setting Up A Default DMZ Server. The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The modem router is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local computer can run the application properly if that computer's IP address is entered as the Default DMZ Server. Note: For security reasons, you should avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from
72. 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Enter the WAN IP address of the remote VPN gateway (e.g. 22.23.24.25). [Figure 6-23: VPN Wizard, Step 2 of 3, Remote IP address or the Internet name: "What is the remote WAN's IP address or Internet name?", with Back, Next, and Cancel buttons.] 4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next. Enter the LAN IP settings of the remote VPN gateway: IP Address (e.g. 192.168.3.1); Subnet Mask (e.g. 255.255.255.0). [Figure 6-24: VPN Wizard, Step 3 of 3, Secure Connection Remote Accessibility: "What is the remote LAN IP address and Subnet Mask?", with IP Address and Subnet Mask fields and Back, Next, and Cancel buttons.] The Summary screen below displays. [Figure 6-25: Summary screen, "Please verify your inputs": Connection Name GtoG; Remote VPN Endpoint 22.23.24.25; Remote Client Access By Subnet; Remote IP 192.168.3.1 / 255.255.255.0; Local Client Access By subnet; Local IP 192.168.0.1 / 255.255.255.0. "You can click here to view the VPNC recommended parameters. Please click Done to apply the changes."]
73. How to Set Up a Client-to-Gateway VPN Configuration
Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway (see Figure 6-3) involves the following two steps:
• "Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834 v3" on page 6-6 uses the VPN Wizard to configure the VPN tunnel between the remote PC and network gateway.
• "Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC" on page 6-11 configures the NETGEAR ProSafe VPN Client endpoint.
Figure 6-3 (labels: VPN Tunnel; 22.23.24.25; 0.0.0.0; PC Running NETGEAR ProSafe VPN Client; PCs)
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834 v3
Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 6-2 on page 6-4. If you have special requirements not covered by these VPNC-recommended parameters, refer to "How to Set Up VPN Tunnels in Special Circumstances" on page 6-36 to set up the VPN tunnel.
The worksheet below identifies the parameters used in the following procedure. A blank worksheet is at "Planning a VPN" on page 6-3.
Table 6-1. VPN Tunnel Configuration Worksheet: Connection Name; Pre-Shared Key
74. cess based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined. You can change the order of precedence of rules so that the rule that applies most often will take effect first. See "Order of Precedence for Rules" on page 3-11 for more details.
To access the rules configuration of the DG834 v3, click the Firewall Rules link on the main menu, then click Add for either an Outbound or Inbound Service.
Figure 3-4: Firewall Rules screen. Outbound Services default rule: Enable: Yes; Service Name: Any; Action: ALLOW always; LAN Users: Any; WAN Servers: Any; Log: Never. Inbound Services default rule: Enable: Yes; Service Name: Any; Action: BLOCK always; LAN Server IP address: (blank); WAN Users: Any; Log: Match. Buttons under each table: Add, Edit, Move, Delete.
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
• To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.
Inbound Rules (Port Forwarding)
Because the DG834 v3 uses Network
75. cked
• Initiator and Responder: both incoming and outgoing connections are allowed.
Exchange Mode: ensure the remote VPN endpoint is set to use Main Mode.
Diffie-Hellman (DH) Group: the Diffie-Hellman algorithm is used when exchanging keys. The DH Group setting determines the bit size used in the exchange. This value must match the value used on the remote VPN Gateway.
Local Identity Type: select the desired option to match the Remote Identity Type setting on the remote VPN endpoint.
• WAN IP Address: your Internet IP address.
• Fully Qualified Domain Name: your domain name.
• Fully Qualified User Name: your name, e-mail address, or other ID.
Local Identity Data: enter the data for the selection above. (If WAN IP Address is selected, no input is required.)
Remote Identity Type: select the desired option to match the Local Identity Type setting on the remote VPN endpoint.
• IP Address: the Internet IP address of the remote VPN endpoint.
• Fully Qualified Domain Name: the domain name of the remote VPN endpoint.
• Fully Qualified User Name: the name, e-mail address, or other ID of the remote VPN endpoint.
Remote Identity Data: enter the data for the selection above. (If IP Address is selected, no input is required.)
Parameters
Encryption Algorithm: encryption Alg
76. cket to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your computer.
Testing the LAN Path to Your Router
You can ping the router from your computer to verify that the LAN path to your router is set up correctly. To ping the router from a PC running Windows 95 or later:
1. From the Windows toolbar, click the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the router, as in this example: ping 192.168.0.1
3. Click OK.
You should see a message like this one: Pinging <IP address> with 32 bytes of data
If the path is working, you see this message: Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message: Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections. Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or Internet Port LEDs Not On" on page 7-2. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and router.
• Wrong network configuration. Verify that the Ethernet card driver software and TCP/IP software are bot
77. click Next to proceed.
Note: The Connection Name is arbitrary and not relevant to how the configuration functions.
Figure 6-5: VPN Wizard, Step 1 of 3: Connection Name and Remote IP Type. Callouts: Enter the new Connection Name (e.g., RoadWarrior). Enter the pre-shared key (e.g., 12345678). For "This VPN tunnel will connect to", with the options "A remote VPN Gateway" and "A remote VPN client (single PC)", select the radio button "A remote VPN client (single PC)".
The Summary screen below displays.
Figure 6-6: VPN Wizard Summary ("Please verify your inputs"): Connection Name: RoadWarrior; Remote VPN Endpoint: Client PC; Remote Client Access: Single PC - no Subnet; Remote IP: Dynamic; Remote ID: (blank); Local Client Access: By subnet; Local IP: 192.158.3.1 / 255.255.255.0; Local ID: (blank). "You can click here to view the VPNC recommended parameters. Please click Done to apply the changes."
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the "here" link (see Figure 6-6). Click Back to return to the Summary screen.
VPN Consortium (VPNC) Recommendation
The following parameters are recommended by the VPNC a
78. complete, your modem router will automatically restart. The upgrade process will typically take about one minute. In some cases, you may need to clear the configuration and reconfigure the modem router after upgrading.
Network Management Information
The DG834 v3 provides a variety of status and usage information, which is discussed below.
Viewing Modem Router Status and Usage Statistics
From the Main Menu, under Maintenance, select Modem Router Status to view the screen in Figure 4-3.
Figure 4-3: Router Status screen (fields: Account Name; Firmware Version; ADSL Port: MAC Address, IP Address, Network Type, IP Subnet Mask, Domain Name Server; LAN Port: MAC Address, IP Address, DHCP, IP Subnet Mask; Modem: ADSL Firmware Version, Modem Status, DownStream Connection Speed, UpStream Connection Speed, VPI, VCI; buttons: Show Statistics, Connection Status)
The Modem Router Status menu provides status and usage information. This screen shows the following parameters:
Table 4-1. Menu 3.2 - Modem Router Status Fields: Field; Descriptio
79. ct, Disconnect, Close Window; 192.168.10.13; 255.255.255.255 (Figure 4-5)
Clicking the Renew button updates the status information. This screen shows the following statistics:
Table 4-1. Connection Status Fields for PPPoA
• Connection Time: The time elapsed since the last connection to the Internet via the ADSL port.
• Connecting to Sender: The connection status.
• Negotiation: ON or OFF.
• Authentication: ON or OFF.
• IP Address: The IP Address assigned to the WAN port by the ADSL Internet Service Provider.
• Network Mask: The Network Mask assigned to the WAN port by the ADSL Internet Service Provider.
Viewing Attached Devices
The Attached Devices menu contains a table of all IP devices that the modem router has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table shown in Figure 4-6.
Figure 4-6: Attached Devices table (columns: #, IP Address, Device Name, MAC Address)
For each device, the table shows the IP address, Device Name if available, and the Ethernet MA
80. ction Name
Pre-Shared Key
Secure Association: Main Mode or Manual Keys
Perfect Forward Secrecy: Enabled or Disabled
Encryption Protocol: DES or 3DES
Authentication Protocol: MD5 or SHA-1
Diffie-Hellman (DH) Group: Group 1 or Group 2
Key Life in seconds
IKE Life Time in seconds
Worksheet columns: VPN Endpoint; Local IPSec ID; LAN IP Address; Subnet Mask; FQDN or Gateway IP (WAN IP Address)
To set up a VPN connection, you must configure each endpoint with specific identification and connection information describing the other endpoint. You must configure the outbound VPN settings on one end to match the inbound VPN settings on other end, and vice versa.
This set of configuration information defines a security association (SA) between the two VPN endpoints. When planning your VPN, you must make a few choices first:
• Will the local end be any device on the LAN, a portion of the local network (as defined by a subnet or by a range of IP addresses), or a single PC?
• Will the remote end be any device on the remote LAN, a portion of the remote network (as defined by a subnet or by a range of IP addresses), or a single PC?
• Will either endpoint use Fully Qualified Domain Names (FQDNs)? FQDNs supplied by Dynamic DNS providers (see "The Use of a Fully Qualified Domain Na
81. d tobacco products. Includes sites that glamorize or otherwise encourage alcohol or tobacco use. Does not include sites that sell alcohol or tobacco as a subset of another business.
• Gambling: Sites where users can place bets or participate in betting pools (including lotteries) online. Also includes sites that provide information, assistance, recommendations, or training on placing bets or participating in games of chance. Does not include sites that sell gambling-related products or machines. Also does not include offline casino and hotel sites (unless meeting one of the foregoing criteria).
• Hacking/Proxy Avoidance: Sites providing information on illegal or questionable access to or use of communications equipment and software, or that provide information on how to bypass proxy server features or gain unauthorized access to URLs.
• Illegal Drugs: Sites that promote, offer, sell, supply, or advocate the illegal use, cultivation, manufacture, or distribution of drugs, pharmaceuticals, intoxicating plants and chemicals, and related paraphernalia.
• Illegal/Questionable: Sites that advocate or advise on performing illegal acts such as service theft, evading law enforcement, fraud, burglary techniques, and plagiarism. Also includes sites that provide or sell questionable educational materials, such as term papers.
• Intimate Apparel/Swi
82. declares that the DG834 ADSL Modem Router complies with the essential requirements of Directive 1999/5/EC and other related provisions. (Latviski, Latvian)
Lietuvių (Lithuanian): Hereby NETGEAR Inc. declares that this DG834 ADSL Modem Router complies with the essential requirements and other provisions of Directive 1999/5/EC.
Nederlands (Dutch): Hereby NETGEAR Inc. declares that the device DG834 ADSL Modem Router is in compliance with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
Malti (Maltese): Hereby NETGEAR Inc. declares that this DG834 ADSL Modem Router complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Magyar (Hungarian): I, the undersigned NETGEAR Inc., declare that the DG834 ADSL Modem Router complies with the relevant essential requirements and other provisions of Directive 1999/5/EC.
Polski (Polish): Hereby NETGEAR Inc. declares that the DG834 ADSL Modem Router complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Português (Portuguese): NETGEAR Inc. declares that this DG834 ADSL Modem Router complies with the essential requirements and other provisions of Directive 1999/5/EC.
Slovensko (Slovenian): NETGEAR Inc. declares that this DG834 ADSL Modem Router is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Slovensky (Slovak): NETGEA
83. disabled for automatic device configuration. The default setting for UPnP is enabled. If disabled, the Router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the Router.
• Advertisement Period: The Advertisement Period is how often the Router will advertise (broadcast) its UPnP information. This value can range from 1 to 1440 minutes. The default period is 30 minutes. Shorter durations will ensure that control points have current device status, at the expense of additional network traffic. Longer durations may compromise the freshness of the device status but can significantly reduce network traffic.
• Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps) for each UPnP packet sent. A hop is the number of steps allowed to propagate for each UPnP advertisement before it disappears. The number of hops can range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should be fine for most home networks. If you notice that some devices are not being updated or reached correctly, then it may be necessary to increase this value a little.
• UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP device that is currently accessing the Router and which ports (Internal and External) that device has open
84. documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document: Link
• Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
• Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
• Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
• Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm
• Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm
85. dyndns.org
Select the "Use a dynamic DNS service" check box.
Select the name of your dynamic DNS Service Provider.
Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your Host Name is "myName".
Type the User Name for your dynamic DNS account.
Type the Password (or key) for your dynamic DNS account.
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you can select the "Use wildcards" check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
10. Click Apply to save your configuration.
Note: If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work, because private addresses will not be routed on the Internet.
Using Static Routes
Static Routes provide additional routing information to your router. Under normal circumstances, the router has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases, such as multiple routers or multiple IP subnets located on yo
86. Figure B-9: Dynamic DNS settings (fields: yourname.dyndns.org, User Name, Password, Use wildcards; buttons: Apply, Cancel, Show Status)
c. Click Show Status. The resulting screen should show "Update OK: good" (see Figure B-10).
Figure B-10: Dynamic DNS Details window (Dynamic DNS: Update OK: good; TZO.com: TZO service is not enabled; ngDDNS: ngDDNS service is not enabled)
5. Configure the DG834 v3 as in the Gateway-to-Gateway procedures using the VPN Wizard (see "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20), being certain to use appropriate network addresses for the environment. The LAN addresses used in this example are as follows:
Device: LAN IP Address, LAN Subnet Address
• DG834 v3: 10.5.6.1, 255.255.255.0
• FVL328: 172.23.9.1, 255.255.255.0
In Step 1, enter toFVL328 for the Connection Name.
In Step 2, enter fvl328.dyndns.org for the remote WAN's IP address.
In Step 3, enter the following:
• IP Address: 172.23.9.1
• Subnet Mask: 255.255.255.0
6. Configure the FVL328 as in the Gateway-to-Gateway procedures for the VPN Wizard (see "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20), being certain to use appropriate network addresses for the environment.
87. e NETGEAR ProSafe VPN Client
Note: Before installing the DG834 ADSL Modem Router software, be sure to turn off any virus protection or firewall software you may be running on your PC.
1. Install the NETGEAR ProSafe VPN Client on the remote PC and reboot.
You may need to insert your Windows CD to complete the installation.
b. If you do not have a modem or dial-up adapter installed in your PC, you may see the warning message stating "The NETGEAR ProSafe VPN Component requires at least one dial-up adapter be installed." You can disregard this message.
c. Install the IPSec Component. You may have the option to install either the VPN Adapter or the IPSec Component or both. The VPN Adapter is not necessary.
d. The system should show the ProSafe icon in the system tray after rebooting.
e. Double-click the system tray icon to open the Security Policy Editor.
2. Add a new connection.
a. Run the NETGEAR ProSafe Security Policy Editor program and create a VPN Connection.
b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A "New Connection" listing appears in the list of policies. Rename the "New Connection" so that it matches the Connection Name you entered in the VPN Settings of the DG834 v3 on Gateway A.
Note: In this example, the Connection Name used on the client side of the VPN
88. e current period.
Configuring Basic Firewall Services
Basic firewall services you can configure include access blocking and scheduling of firewall security. These topics are presented below.
Blocking Keywords, Sites, and Services
The modem router provides a variety of options for blocking Internet-based content and communications services. With its content filtering feature, the DG834 ADSL Modem Router prevents objectionable content from reaching your PCs. The modem router allows you to control access to Internet content by screening for keywords within Web addresses. Key content filtering options include:
• Keyword blocking of HTTP traffic.
• Outbound Service Blocking: limits access from your LAN to Internet locations or services that you specify as off-limits.
• Denial of Service (DoS) protection: automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
• Blocking unwanted traffic from the Internet to your LAN.
The section below explains how to configure your modem router to perform these functions.
How to Block Keywords and Sites
The DG834 ADSL Modem Router allows you to restrict access to Internet content based on functions such as Web addresses and Web address keywords.
1. Log in to the modem router at its default LAN address of http://192.168
89. e log is sent daily or weekly. If the Weekly, Daily, or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, it is cleared from the modem router's memory. If the modem router cannot e-mail the log file, the log buffer may fill up. In this case, the modem router overwrites the log and discards its contents.
Running Diagnostic Utilities and Rebooting the Modem Router
The DG834 ADSL Modem Router has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the modem router:
• Ping an IP Address to test connectivity to see if you can reach a remote host.
• Perform a DNS Lookup to test if an Internet name resolves to an IP address, to verify that the DNS server configuration is working.
• Display the Routing Table to identify what other modem routers the modem router is communicating with.
• Reboot the modem router to enable new network configurations to take effect or to clear problems with the modem router's network connection.
From the Main Menu of the browser interface, under the Maintenance heading, select the Modem Router Diagnostics heading to display the menu shown in Figure 4-9.
Figure 4-9: Diagnostics menu (Ping an IP address: IP Address, Ping; Perform a DNS Lookup: Internet Name, Lookup
90. e rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your router to "clone" or "spoof" the MAC address from the authorized PC. Refer to the ADSL Modem Router Setup Manual for details (see Table 2-1 on page 2-9).
Restoring the Default Configuration and Password
This section explains how to restore the factory default configuration settings, changing the router's administration password to "password" and the IP address to 192.168.0.1. You can erase the current configuration and restore factory defaults in two ways:
• Use the Erase function of the Web Configuration Manager (see "Backing Up, Restoring, or Erasing Your Settings" on page 4-1).
• Use the Default Reset button on the rear panel of the router. Use this method for cases when the administration password or IP address is not known.
Using the Reset button
To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the router.
1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
2. Release the Default Reset button and wait for the router to reboot.
91. eck that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
Test LED Never Turns On or Test LED Stays On
When the router is turned on, the Test LED turns on for about 10 seconds and then turns off. If the Test LED does not turn on, or if it stays on, there is a fault within the router. If you experience problems with the Test LED:
• Cycle the power to see if the router recovers and the LED blinks for the correct amount of time.
If all LEDs, including the Test LED, are still on one minute after power up:
• Cycle the power to see if the router recovers.
• Clear the router's configuration to factory defaults. This will set the router's IP address to 192.168.0.1. This procedure is explained in "Using the Reset button" on page 7-9.
If the error persists, you might have a hardware problem and should contact technical support.
LAN or Internet Port LEDs Not On
If either the LAN LEDs or Internet LED do not light when the Ethernet connection is made, check the following:
• Make sure that the Ethernet cable connections are secure at the router and at the hub or workstation.
• Make sure that power is turned on to the connected hub or workstation.
• Be sure you are using the correct cable. When connecting the router's WAN A
92. ect your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Select the "Adjust for daylight savings time" check box if your time zone is currently in daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually select Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and clear it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time.
4. The modem router has a list of NETGEAR NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under "Use this NTP Server".
5. Click Apply to save your settings.
How to Schedule Firewall Services
If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu, you can set up a schedule for when blocking occurs or when access is not restricted.
1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.
2. Select the Schedule link of the Security menu to display the menu shown above in Figure 3-11.
To block Internet services based on a schedule, select Every Day or
93. ection Name used on the client side of the VPN tunnel is toDG834, and it does not have to match the Road Warrior Connection Name used on the gateway side of the VPN tunnel (see Figure 6-5), because Connection Names are arbitrary to how the VPN tunnel functions.
Tip: Choose Connection Names that make sense to the people using and administrating the VPN.
Figure 6-9: Security Policy Editor, NETGEAR ProSafe VPN Client (Connection Security: Secure, Non-secure, Block; Only Connect Manually; Remote Party Identity and Addressing: ID Type, Protocol, Port; Connect using Secure Gateway Tunnel)
Security Policy Editor screen (My Connections; Connection Security: Secure; Remote Party Identity and Addressing: ID Type: IP Subnet; Subnet: 192.168.3.1; Protocol: All; Connect using Secure Gateway Tunnel; ID Type: IP Address, 22.23.24.25; Mask: 255 25
94. ectly set the Service Name, User Name, and Password. See "Troubleshooting PPPoE or PPPoA" below.
• Your ISP may check for your computer's host name. Assign the computer Host Name of your ISP account to the modem router in the browser-based Setup Wizard.
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your computer's MAC address. In this case: inform your ISP that you have bought a new network device, and ask them to use the router's MAC address; OR configure your router to spoof your computer's MAC address. This can be done in the Basic Settings menu. Refer to the ADSL Modem Router Setup Manual for details (see Table 2-1 on page 2-9).
Troubleshooting PPPoE or PPPoA
The PPPoE or PPPoA connection can be debugged as follows:
1. Access the Main Menu of the router at http://192.168.0.1.
2. Under the Maintenance heading, select the Router Status link.
3. Click the Connection Status button.
4. If all of the steps indicate "OK", then your PPPoE or PPPoA connection is up and working.
5. If any of the steps indicates "Failed", you can attempt to reconnect by clicking "Connect". The modem router will continue to attempt to connect indefinitely.
If you cannot connect after several minutes, you may be using an incorrect Service Name, User Name, or Password. There also may be a provisioning
95. ed. The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address.
3. To save, cancel, or refresh the table:
a. Click Apply to save the new settings to the Router.
b. Click Cancel to disregard any unsaved changes.
c. Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP devices.
Chapter 6: Virtual Private Networking (Advanced Feature)
This chapter describes how to use the virtual private networking (VPN) features of the DG834 ADSL Modem Router. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
This chapter is organized as follows:
• "Overview of VPN Configuration" on page 6-1 provides an overview of the two most common VPN configurations: Client-to-Gateway and Gateway-to-Gateway.
• "Planning a VPN" on page 6-3 provides a worksheet for recording the configuration parameters of the VPN you want to set up, along with the VPN Committee (VPNC) recommended default parameters set by the VPN Wizard.
• "VPN Tunnel Configuration" on page 6-5 summarizes the three ways to configure a VPN tunnel: VPN Wizard (recommended for most situations), Auto Policy, and Manual Policy.
• "How to Set Up a Client-to-Gateway VPN Configuration" on page 6-6 provides the steps needed to configure a VPN tun
96. eld. The remote VPN endpoint must have these IP addresses entered as its "Remote" addresses.
Remote LAN: This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:
• Single PC - no Subnet: select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.
• Single address: enter an IP address in the "Single/Start IP address" field. This must be an address on the remote LAN. Typically, this setting is used when you wish to access a server on the remote LAN.
• Range address: enter the starting IP address in the "Single/Start IP address" field, and the finish IP address in the "Finish IP address" field. This must be an address range used on the remote LAN.
• Subnet address: enter an IP address in the "Single/Start IP address" field, and the desired network mask in the "Subnet Mask" field.
The remote VPN endpoint must have these IP addresses entered as its "Local" addresses.
IKE Direction/Type: this setting is used when determining if the IKE policy matches the current traffic. Select the desired option.
• Responder only: incoming connections are allowed, but outgoing connections will be blo
97. en of the Modem Router unless another PC already has the DG834 v3 management interface open. Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer. 1. To launch this function, click on the Windows Start button, then select Programs, then NETGEAR ProSafe VPN Client, then Log Viewer. 2. The Log Viewer screen for a successful connection is shown below. [Figure 6-18: VPN Status/Log screen; the entries show the fromDG834G connection responding to Main Mode, the ISAKMP SA being established, responding to Quick Mode, and the IPsec SA being established.] Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due t
98. enter the following: IP Address: 172.23.9.1. Subnet Mask: 255.255.255.0. [Figure B-2: VPN Policies screen with the Policy Table and the Add Auto Policy and Add Manual Policy buttons.] Click VPN Policies under Advanced VPN to invoke this screen. [Figure: policy settings screen for the toFVL328 policy. Fields shown: Policy Name, Remote VPN Endpoint (Address Type, Address Data), NetBIOS Enable, IKE Keep Alive, Ping IP Address, Local LAN IP Address, Remote LAN IP Address, IKE Direction, Exchange Mode, Diffie-Hellman (DH) Group, Local Identity Type and Data, Remote Identity Type and Data, Encryption Algorithm, Authentication Algorithm, Pre-shared Key, SA Life Time, Enable PFS (Perfect Forward Security). Legible values: Policy Name toFVL328, Address Type Fixed IP Address, Address Data 22.23.24.25, Main Mode, 3DES, SHA-1, Pre-shared Key 12345678, SA Life Time 28800 seconds.]
99. et address; 192.168.0.1 in this example; 255.255.255.0; Single address; 192.168.2.3 in this example; 4 Remote NAT router must have Address Reservation set and VPN Passthrough enabled; Main Mode; Fully Qualified Domain Name; fromDG834G.com in this example; Fully Qualified Domain Name; toDG834G.com in this example; 3DES; 12345678 in this example; 3600. 2. Click Apply when done to get the VPN Policies screen. [Figure B-14: VPN Policies screen; the Policy Table lists the fromDG834G Auto policy using ESP with 3DES.] To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit. Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office. This procedure describes how to configure the DG834 ADSL Modem Router. We will assume the PC running the client has a dynamically assigned IP address. The PC must have a VPN client program installed that supports IPSec; in this case study, the NETGEAR VPN ProSafe Client is used. Go to the NETGEAR website (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase th
100. etwork This chapter describes how to perform network management tasks with your DG834 ADSL Modem Router. Backing Up, Restoring, or Erasing Your Settings: The configuration settings of the DG834 ADSL Modem Router are stored in a configuration file in the modem router. This file can be backed up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks. How to Back Up the Configuration to a File: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the modem router. 2. From the Maintenance heading of the Main Menu, select the Backup Settings menu as seen in Figure 4-1. [Figure 4-1: Backup Settings menu, with the options Save a Copy of Current Settings, Restore Saved Settings from a File, and Revert to Factory Default Settings.] Click Backup to save a copy of the current settings. Store the .cfg file on a computer on your network. How to Restore the Configuration from a File: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the modem router. 2. From the
101. ful true firewall; easy Web-based setup for installation and management; extensive Internet protocol support; trustworthy VPN communications over the Internet; VPN Wizard for easy VPN configuration; Auto Sensing and Auto Uplink LAN Ethernet connections; content filtering; support for Trend Micro Home Network Security. These features are discussed below. A Powerful, True Firewall: Unlike simple Internet sharing NAT routers, the DG834 v3 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: Denial of Service (DoS) protection: automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing. Blocks unwanted traffic from the Internet to your LAN. Blocks access from your LAN to Internet locations or services that you specify as off-limits. Logs security incidents: the DG834 v3 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the modem router to email the log to you at specified intervals. You can also configure the modem router to send immediate alert messages to your email address or email pager whenever a significant event occurs. Easy Installation and Management: You can install, configure, and operate the DG834 v3 within minutes after c
102. ful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Federal Communications Commission (FCC) Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. In order to avoid the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antenna shall not be less than 20 cm (8 inches) during normal operation. European Union Statement of Compliance: Hereby, NETGEAR, Inc. declares that this modem router is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Czech: NETGEAR, Inc. hereby declares that this DG834 ADSL Modem Router is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Danish: The undersigned, NETGEAR, Inc., hereby declares that the following equipment, DG834 ADSL Modem Router, complies with the essential requirements and other relevant requirements of Directive
103. gs menu; otherwise, the router's LAN IP address. Secondary DNS Server: if you entered a Secondary DNS address in the Basic Settings menu. WINS Server (short for Windows Internet Naming Service Server): determines the IP address associated with a particular Windows computer. A WINS server records and reports a list of names and IP addresses of Windows PCs on its local network. If you connect to a remote network that contains a WINS server, enter the server's IP address here. This allows your PCs to browse the network using the Network Neighborhood feature of Windows. Reserved IP addresses: When you specify a reserved IP address for a computer on the LAN, that computer will always receive the same IP address each time it accesses the router's DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click the Add button. 2. In the IP Address box, type the IP address to assign to the computer or server. Choose an IP address from the router's LAN subnet, such as 192.168.0.x. 3. Type the MAC Address of the computer or server. Tip: If the computer is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here. 4. Click Apply to enter the reserved address into the table. Note: The reserved address will not be assigned until the next time the computer contacts the router's DHCP server. Reboot the computer or access its IP configu
104. h installed and configured on your PC or workstation. Verify that the IP address for your router and your workstation are correct and that the addresses are on the same subnet. Testing the Path from Your Computer to a Remote Device: After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type: PING -n 10 <IP address>, where <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies: Check that your PC has the IP address of your router listed as the default modem router. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC's Network Control Panel. Verify that the IP address of the router is listed as the default modem router as described in "Preparing a Computer for Network Access" in Appendix C. Check to see that the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device. Check that your cable or DSL modem is connected and functioning. If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu. Your ISP could b
105. hange subheading by double clicking its name or clicking on the symbol. Then select Proposal 1 below Key Exchange. [Figure 6-15: Security Policy Editor, NETGEAR ProSafe VPN Client, showing Proposal 1 under Key Exchange (Phase 2) for the toDG834G connection, with the IPSec Protocols settings SA Life, Compression, Encapsulation Protocol (ESP), Encrypt Alg, Hash Alg, Encapsulation, and Authentication Protocol (AH).] In the SA Life menu, select Unspecified. In the Compression menu, select None. Check the Encapsulation Protocol (ESP) checkbox. In the Encrypt Alg menu, select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834 v3 in Table 6-1 on page 7. In this example, use Triple DES. In the Hash Alg menu, select SHA-1. In the Encapsulation menu, select Tunnel. Leave the Authentication Protocol (AH) checkbox unchecked. 7. Save the VPN Client Settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router's L
106. hat need to be set on both sides. Check that there are no firewall restrictions. Table B-1, Profile Summary: VPN Consortium Scenario: Scenario 1. Type of VPN: LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway). Security Scheme: IKE with Preshared Secret/Key (not Certificate-based). IP Addressing: NETGEAR Gateway A: Static IP address; NETGEAR Gateway B: Static IP address. [Figure B-1: VPNC Example, Network Interface Addressing. Networks 10.5.6.0/24 and 172.23.9.0/24; Gateway A (DG834) and Gateway B (FVL328); addresses shown: 14.15.16.17, 22.23.24.25, 10.5.6.1, 172.23.9.1.] Note: Product updates are available on the NETGEAR, Inc. web site at http kbserver netgear com DG834 v3 asp. Step-By-Step Configuration: 1. Configure the DG834 v3 as in the Gateway-to-Gateway procedures using the VPN Wizard (see "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20), being certain to use appropriate network addresses for the environment. The LAN addresses used in this example are as follows. DG834 v3: WAN IP Address 14.15.16.17, LAN IP Address 10.5.6.1, LAN Subnet Mask 255.255.255.0. FVL328: WAN IP Address 22.23.24.25, LAN IP Address 172.23.9.1, LAN Subnet Mask 255.255.255.0. In Step 1, enter toFVL328 for the Connection Name. In Step 2, enter 22.23.24.25 for the remote WAN's IP address. In Step 3
107. he Single Start IP address field. This must be an address on the remote LAN. Typically, this setting is used when you wish to access a server on the remote LAN. Range address: enter the starting IP address in the Single Start IP address field and the finish IP address in the Finish IP address field. This must be an address range used on the remote LAN. Subnet address: enter an IP address in the Single Start IP address field and the desired network mask in the Subnet Mask field. The remote VPN endpoint must have these IP addresses entered as its Local addresses. ESP Configuration: ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. SPI: enter the required security policy indexes (SPIs). Each policy must have unique SPIs. These settings must match the remote VPN endpoint. The "in" setting here must match the "out" setting on the remote VPN endpoint, and the "out" setting here must match the "in" setting on the remote VPN endpoint. Encryption: select the desired Encryption Algorithm, and enter the key in the field provided. For 3DES, the keys should be 24 ASCII characters, and for DES, the keys should be 8 ASCII characters. DES: the Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 5
108. he parameters and action will be logged. Not match: traffic of this type which does not match the parameters and action will be logged. Inbound Rule Example: Allowing Videoconferencing. If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 3-6, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters. [Figure 3-6: Inbound Services screen for the CU-SeeMe service, with the fields Service, Action (ALLOW always), Send to LAN Server, WAN Users (Address Range, start and finish), and Log.] Considerations for Inbound Rules: If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menu so that external users can always find your network. If the IP address of the local server computer is assigned by DHCP, it may change when the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the computer's IP address constant
109. how the Modem Router sends and receives RIP packets. Both is the default. When set to Both or Out Only, the modem router will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives. When set to None, it will not send any RIP packets and will ignore any RIP packets received. RIP Version: This controls the format and the broadcasting method of the RIP packets that the modem router sends. It recognizes both formats when receiving. By default, this is set for RIP-1. RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup. RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format. RIP-2B uses subnet broadcasting. RIP-2M uses multicasting. Note: If you change the LAN IP address of the modem router while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. DHCP: By default, the modem router will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the modem router's LAN. The assigned default gateway address is the LAN address of the route
110. ime If this happens, try the pings a second time. DG834 v3 with FQDN to FVL328: This appendix is a case study on how to configure a VPN tunnel from a NETGEAR DG834 v3 to a FVL328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). Configuration Profile: The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Check that there are no firewall restrictions. Table B-1, Profile Summary: VPN Consortium Scenario: Scenario 1. Type of VPN: LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway). Security Scheme: IKE with Preshared Secret/Key (not Certificate-based). IP Addressing: NETGEAR Gateway A: Fully Qualified Domain Name (FQDN); NETGEAR Gateway B: FQDN. [Figure: VPNC Example, Network Interface Addressing for Gateway A and Gateway B; networks 10.5.6.0/24 and 172.23.9.0/24; labels WAN IP, WAN IP, LAN IP 10.5.6.1, dg834]
111. ing [Figure 6-1: PCs and the NETGEAR ProSafe VPN Client.] A VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The DG834 ADSL Modem Router on your network is the other tunnel endpoint. See "How to Set Up a Client-to-Gateway VPN Configuration" on page 6-6 to set up this configuration. Gateway-to-Gateway VPN Tunnels: Gateway-to-Gateway VPN Tunnels provide secure access between networks, such as a branch or home office and a main office (see Figure 6-2). [Figure 6-2: VPN Tunnel between two DG834 VPN Firewalls, A and B, across the Internet, each with PCs attached.] A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use DG834 v3s on each end of the tunnel to form the VPN tunnel end points. See "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20 to set up this configuration. Planning a VPN: When you set up a VPN, it is helpful to plan the network configuration and record the configuration parameters on a worksheet. Table 6-1, VPN Tunnel Configuration Worksheet: Conne
112. Respond to Ping on Internet WAN Port; Configuring LAN IP Settings; How to Configure LAN TCP/IP Settings; Configuring Dynamic DNS; How to Configure Dynamic DNS; How to Configure Static Routes; Universal Plug and Play (UPnP). Chapter 6, Virtual Private Networking (Advanced Feature): Overview of VPN Configuration; Client-to-Gateway VPN Tunnels; Gateway-to-Gateway VPN Tunnels; Planning a VPN; VPN Tunnel Configuration; How to Set Up a Client-to-Gateway VPN Configuration; Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834 v3; Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC; How to Set Up a Gateway-to-Gateway VPN Configuration
113. lt In Password: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router. [Figure 3-1: browser address bar showing http://192.168.0.1.] 2. From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 3-2. [Figure 3-2: Set Password menu, with the fields Old Password, Set Password, and Repeat New Password, and the administrator login idle timeout setting.] To change the password, first enter the old password, and then enter the new password twice. Click Apply to save your changes. Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the modem router settings previously, you should do a new backup so that the saved settings file includes the new password. Changing the Administrator Login Timeout: For security, the administrator's login to the modem router configuration will time out after a period of inactivity. To change the login timeout period: 1. In the Set Password menu, type a number in the Administrator login times out field. The suggested default value is 5 minutes. 2. Click Apply to save your changes or click Cancel to keep th
114. ly In this case, you can use a commercial dynamic DNS service that will allow you to register your domain to their IP address, and will forward traffic directed at your domain to your frequently changing IP address. The router contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the router, whenever your ISP-assigned IP address changes, your router will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address. How to Configure Dynamic DNS: 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the router. From the Main Menu of the browser interface, under Advanced, select Dynamic DNS to display the page below. [Figure 5-4: Dynamic DNS page, with the Use a Dynamic DNS Service checkbox and the fields Service Provider (www.DynDNS.org), Host Name, User Name, Password, and Use Wildcards.] Access the Web site of one of the dynamic DNS service providers whose names appear in the Service Provider box, and register for an account. For example, for dyndns.org, go to www
115. ly Apply: apply the current settings. Cancel: clear the current settings. Selecting What Information to Log: Besides the standard information listed above, you can choose to log additional information. Those optional selections are as follows: Attempted access to blocked site. Connections to the Web-based interface of the modem router. Modem Router operation (start up, get time, etc.). Known DoS attacks and Port Scans. Saving Log Files on a Server: You can choose to write the logs to a computer running a syslog program. To activate this feature, select to Broadcast on Lan or enter the IP address of the server where the Syslog file will be written. Examples of Log Messages: Following are examples of log messages. In all cases, the log entry shows the timestamp as Day, Year-Month-Date Hour:Minute:Second. Activation and Administration: "Tue, 2002-05-21 18:48:39 NETGEAR activated": this entry indicates a power-up or reboot with initial time entry. "Tue, 2002-05-21 18:55:00 Administrator login successful IP 192.168.0.2" and "Thu, 2002-05-21 18:56:58 Administrator logout IP 192.168.0.2": this entry shows an administrator logging in and out from IP address 192.168.0.2. "Tue, 2002-05-21 19:00:06 Login screen timed out IP 192.168.0.2": this entry shows a time-out of the administrator login. Wed
116. manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents. Printing a Chapter: Use the PDF of This Chapter link at the top left of any page. Note: Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. Click the PDF of This Chapter link at the top right of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature. Printing the Full Manual: Use the Complete PDF Manual link at the top left of any page. Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window. Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature. Chapter 2: Introduction. This chapter describes the features of the NETGEAR DG834 ADSL Modem Router. The DG834 ADSL Modem Router is a combination of a built-in AD
117. mber, then your modem router is attempting to make an ADSL connection with the service provider. The LED should turn green within several minutes. If the Internet LED does not turn green, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being careful to use a microfilter on each telephone. If the microfilters are connected correctly, you should be able to connect all your telephones. If disconnecting telephones does not result in a green Internet LED, there may be a problem with your wiring. If the telephone company has tested the ADSL signal at your Network Interface Device (NID), then you may have poor quality wiring in your house. Internet LED Off: If the Internet LED is off, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being careful to use a microfilter on each telephone. If the microfilters are connected correctly, you should be able to connect all your telephones. If disconnecting telephones does not result in a green Internet LED, the problem may be one of the following: Check that the telephone company has made the connection to your line and tested it. Verify that you are connected to the correct telephone line. If you have more than one phone line, be sure that you are connected to the line with the ADSL service
118. me FQDN on page B-8 can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator. What method will you use to configure your VPN tunnels? The VPN Wizard using VPNC defaults (see Table 6-2). The typical automated Internet Key Exchange (IKE) setup (see "Using Auto Policy to Configure VPN Tunnels" on page 6-36). A Manual Keying setup in which you must specify each phase of the connection (see "Using Manual Policy to Configure VPN Tunnels" on page 6-46). Table 6-2, Parameters Recommended by the VPNC and Used in the VPN Wizard (Parameter: Factory Default): Secure Association: Main Mode. Authentication Method: Pre-shared Key. Encryption Method: 3DES. Authentication Protocol: SHA-1. Diffie-Hellman (DH) Group: Group 2 (1024 bit). Key Life: 8 hours. IKE Life Time: 1 hour. What level of IPSec VPN encryption will you use? DES: The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES. 3DES: Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. What level of authentication will you use? MD5: 128 bit
119. msuit: Sites that contain images of swimsuits, intimate apparel, or other suggestive clothing. Does not include sites selling undergarments as a subset of another business. Nudity: Sites containing nude or seminude depictions of the human body. Such depictions need not be sexual in intent or effect. May include sites containing nude paintings or photo galleries of an artistic nature. This category includes nudist or naturist sites. Pornography: Sites that contain sexually explicit material. Sex Education: Sites that provide information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality, birth control, and sexual development. Also includes sites that offer tips for better sex as well as products used for sexual enhancement. Violence/Hate/Racism: Sites depicting or advocating physical harm to people or property. Includes sites that convey hostility or aggression toward, or the denigration of, an individual or group on the basis of race, religion, gender, nationality, ethnic origin, and so forth. Weapons: Sites that sell, review, or describe guns, knives, martial arts devices, and related accessories. Does not include sites that promote weapons collecting or groups that either support or oppose weapons ownership. Chapter 4: Managing Your N
120. n Account Name: The Host Name assigned to the modem router in the Basic Settings menu. Firmware Version: Displays the modem router firmware version. ADSL Port: These parameters apply to the Internet ADSL port of the modem router. MAC Address: Displays the Ethernet MAC address being used by the Internet ADSL port of the modem router. IP Address: Displays the IP address being used by the Internet ADSL port of the modem router. If no address is shown, the modem router cannot connect to the Internet. Network Type: The network type depends on your ISP. IP Subnet Mask: This field displays the IP Subnet Mask being used by the Internet ADSL port of the modem router. Domain Name Server (DNS): Displays the DNS Server IP addresses being used by the modem router. These addresses are usually obtained dynamically from the ISP. LAN Port: These parameters apply to the Local ADSL port of the modem router. MAC Address: Displays the Ethernet MAC address being used by the Local LAN port of the modem router. IP Address: Displays the IP address being used by the Local LAN port of the modem router. The default is 192.168.0.1. DHCP: If OFF, the modem router will not assign IP addresses to PCs on the LAN. If ON, the modem router will assign IP addresses to PCs on the LAN. IP Subnet Mask: Displays the IP Subnet Mask being used by the Local LAN port of the modem router. The default is 255.255.255.0. Modem
121. nd used in the VPN Wizard. Secure Association: Main Mode. Authentication Method: Pre-shared Key. Encryption Protocol: 3DES. Authentication Protocol: SHA-1. Key Life: 8 hours. IKE Life Time: 1 hour. NETBIOS: Enabled. (Figure 6-7) 3. Click Done on the Summary screen (see Figure 6-6) to complete the configuration procedure. The VPN Policies menu below displays, showing that the new tunnel is enabled. [Figure 6-8: VPN Policies, Policy Table with columns Enable, Name, Type, Local, Remote, ESP; one entry: RoadWarrior, Auto, 192.168.3.1 / 255.255.255.0, 3DES] To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit. Note: Refer to "Using Auto Policy to Configure VPN Tunnels" on page 6-36 to enable the IKE keep alive capability on an existing VPN tunnel. Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC. This procedure describes how to configure the NETGEAR ProSafe VPN Client. We will assume the PC running the client has a dynamically assigned IP address. The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR website (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client. Note: Before i
122. ne the status of a VPN tunnel, perform the following steps: 1. Log in to the Modem Router. 2. Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 6-35). Log: this log shows the details of recent VPN activity, including the building of the VPN tunnel. If there is a problem with the VPN tunnel, refer to the log for information about what might be the cause of the problem. Click Refresh to see the most recent entries. Click Clear Log to delete all log entries. [Figure 6-35: VPN Status Log screen with the entries "Tue 2004-06-22 22:58:26 GtoG initiating Main Mode", "2004-06-22 22:58:26 GtoG ISAKMP SA established", "2004-06-22 22:58:26 GtoG sent QI2 IPsec SA established", "2004-06-22 22:58:27 GtoG sent QI2 IPsec SA established", and Refresh, Clear Log and VPN Status buttons] 3. Click on VPN Status (Figure 6-30) to get the Current VPN Tunnels (SAs) screen (Figure 6-31). This table lists the following data for each active VPN Tunnel. SPI: each SA has a unique SPI (Security Parameter Index) for traffic in each direction. For Manual key exchange, the SPI is specified in the Policy definition. For Automatic key exchange, the SPI is generated by the IKE protocol. Policy Name: the name of the VPN policy associated with this SA. Remote Endpoint: the IP addre
123. nel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client. "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20 provides the steps needed to configure a VPN tunnel between two network gateways using the VPN Wizard. "VPN Tunnel Control" on page 6-27 provides the step-by-step procedures for activating, verifying, deactivating, and deleting a VPN tunnel once the VPN tunnel has been configured. "How to Set Up VPN Tunnels in Special Circumstances" on page 6-36 provides the steps needed to configure VPN tunnels when there are special circumstances and the VPNC recommended defaults of the VPN Wizard are inappropriate. The two alternatives for configuring VPN tunnels are Auto Policy and Manual Policy. Overview of VPN Configuration: Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway, and between two or more network gateways. The DG834 v3 supports both of these types of VPN configurations. The DG834 ADSL Modem Router supports up to five concurrent tunnels. Client-to-Gateway VPN Tunnels: Client-to-Gateway VPN Tunnels provide secure access from a remote PC, such as a telecommuter connecting to an office network (see Figure 6-1). [Figure 6-1: VPN Tunnel]
124. nstalling the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC. 1. Install the NETGEAR ProSafe VPN Client on the remote PC and reboot. You may need to insert your Windows CD to complete the installation. If you do not have a modem or dial-up adapter installed in your PC, you may see the warning message stating "The NETGEAR ProSafe VPN Component requires at least one dial-up adapter be installed." You can disregard this message. Install the IPSec Component. You may have the option to install either the VPN Adapter or the IPSec Component or both. The VPN Adapter is not necessary. The system should show the ProSafe icon in the system tray after rebooting. Double-click the system tray icon to open the Security Policy Editor. 2. Add a new connection as follows: a. Run the NETGEAR ProSafe Security Policy Editor program and, using the "VPN Tunnel Configuration Worksheet" on page 6-7, create a VPN Connection. b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears in the list of policies. Rename the New Connection so that it matches the Connection Name you entered in the VPN Settings of the DG834 v3 on LAN A. Note: In this example, the Conn
125. o log and report attempts to access objectionable Internet sites. Trend Micro Home Network Security: This service bundle from Trend Micro has three components. Trend Micro dashboard: This component is free for unlimited use. From the dashboard, you can: scan your computer and entire network for security vulnerabilities; view individual computer and network-wide security reports; detect and remove spyware; view attempts to access content restricted by Parental Controls; purchase subscriptions for Parental Controls and Trend Micro Internet Security. Trend Micro Internet Security: You can install this program on up to 10 computers and try it free for 60 days. Its features include: real-time and scheduled scanning to remove viruses, Trojans, spyware, and other Internet threats; personal firewall; network intruder detection; anti-spam. Router-based Parental Controls: This service restricts home network users from viewing inappropriate Web content. It is free for 60 days, and when you register your free trial of Trend Micro Internet Security, your free use of Parental Controls is automatically extended to one year. For instructions on activating these services, refer to "Trend Micro Home Network Security" on page 3-15. What's in the Box: The product package should contain the following items: DG8
126. o the VPN tunnel or some reason outside the VPN tunnel. 3. The Connection Monitor screen for this connection is shown below. [Figure 6-19: Connection Monitor, NETGEAR ProSafe VPN Client, showing global packet statistics and the details of the connection] In this example you can see the following: The DG834 v3 has a public IP WAN address of 22.23.24.25. The DG834 v3 has a LAN IP address of 192.168.3.1. The VPN client PC has a dynamically assigned address of 192.168.2.2. While the connection is being established, the Connection Name field in this menu will say "SA" before the name of the connection. When the connection is successful, the "SA" will change to the yellow key symbol shown in the illustration above. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to have normal Internet access. How to Set Up a Gateway-to-Gateway VPN Configuration. Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters lis
127. og Always Apply (Figure 3-7). The parameters are: Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Custom Service feature to add any additional services or applications that do not already appear. Action: Choose how you want this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. LAN Users: These settings determine which packets are covered by the rule, based on their source LAN IP address. Select the desired option: Any (all IP addresses are covered by this rule); Address range (if this option is selected, you must enter the Start and Finish fields); Single address (enter the required address in the Start field). WAN Users: These settings determine which packets are covered by the rule, based on their destination WAN IP address. Select the desired option: Any (all IP addresses are covered by this rule); Address range (if this option is selected, you must enter the Start and Finish fields); Single address (enter the required address in the Start field). Log: You can select whether the traffic will be logged. The choices are
128. [Figure 6-41: policy settings screen with fields including NetBIOS Enable, IKE Keep Alive, Local LAN IP Address, Remote LAN IP Address, IKE Direction, Exchange Mode, Diffie-Hellman (DH) Group, Local and Remote Identity Type and Data, Encryption Algorithm, Authentication Algorithm, Pre-shared Key, SA Life Time, and Enable PFS (Perfect Forward Security)] The DG834 v3 VPN tunnel network connection fields are defined as follows. General: These settings identify this policy and determine its major characteristics. Policy Name: Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies. Remote VPN Endpoint: If the remote endpoint has a dynamic IP address, select Dynamic IP address. No Address Data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a
129. onnecting it to the network. The following features simplify installation and management tasks. Browser-based management: Browser-based configuration allows you to easily configure your modem router from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based Web Management Interface. Smart Wizard: A wizard built into the modem router automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. Remote management: The modem router allows you to log in to the Web management interface from a remote location via the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, or you can choose a nonstandard port number. Diagnostic functions: The modem router incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the modem router. You can use these diagnostic functions directly from the DG834 v3 when you are connected on the LAN or when you are connected over the Internet via the remote management function. Visual monitoring: The modem router's front panel LEDs provide an easy way to monitor its status and activity. Flash erasable programmable read-only memory (EPROM) for firmware upgrades. Protocol Supp
130. orithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. DES and 3DES are supported. DES: the Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES. 3DES: Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. Authentication Algorithm: authentication algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode. MD5: 128 bits, faster but less secure. SHA-1 (default): 160 bits, slower but more secure. Pre-shared Key: the key must be entered both here and on the remote VPN Gateway. SA Life Time: this determines the time interval before the SA (Security Association) expires. (It will automatically be re-established as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs. IPSec PFS (Perfect Forward Secrecy): if enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break
131. ort: The DG834 v3 supports Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). "Internet Networking and TCP/IP Addressing" in Appendix C provides further information on TCP/IP. The Ability to Enable or Disable IP Address Sharing by NAT: The DG834 v3 allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely while using the DG834 v3 if you want to manage the IP address scheme yourself. Automatic Configuration of Attached PCs by DHCP: The DG834 v3 dynamically assigns network configuration information, including IP, modem router, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network. DNS Proxy: When DHCP is enabled and no DNS addresses are specified, the modem router provides its own address as a DNS server to the attached PCs. The modem router obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. Classical IP (RFC 1577): Some Inte
132. [Figure 4-7: Security Log screen, with Refresh, Clear Log and Send Log buttons; Include in Log options: Attempted access to blocked sites, Connections to the Web-based interface of this Router, Router operation (start up, get time, etc.), Known DoS attacks and Port Scans; Syslog options: Disable, Broadcast on LAN, Send to this Syslog server IP address; Apply and Cancel buttons] Log entries are described in Table 4-1 below. Table 4-1. Security Log entry descriptions (Field: Description). Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any. Source IP: The IP address of the initiating device for this log entry. Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN. Destination: The name or IP address of the destination device or Web site. Destination port and interface: The service port number of the destination device, and whether it's on the LAN or WAN. Log action buttons are described in Table 4-2 below. Table 4-2. Security Log action buttons (Field: Description). Refresh: Refresh the log screen. Clear Log: Clear the log entries. Send Log: Email the log immediately. App
133. problem with your ISP. Note: Unless you connect manually, the modem router will not authenticate using PPPoE or PPPoA until data is transmitted to the network. Troubleshooting Internet Browsing: If your modem router can obtain an IP address but your computer is unable to load any Web pages from the Internet: Your computer may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically, your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the modem router's configuration, reboot your computer and verify the DNS address as described in "Preparing a Computer for Network Access" in Appendix C. Alternatively, you can configure your computer manually with DNS addresses, as explained in your operating system documentation. Your computer may not have the modem router configured as its TCP/IP modem router. If your computer obtains its information from the modem router by DHCP, reboot the computer and verify the modem router address as described in "Preparing a Computer for Network Access" in Appendix C. Troubleshooting a TCP/IP Network Using the Ping Utility: Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request pa
134. r Collisions: The number of collisions on this port since reset or manual clear. Tx B/s: The current line utilization (percentage of current bandwidth used on this port). Rx B/s: The average line utilization for this port. Up Time: The time elapsed since the last power cycle or reset. ADSL Link Downstream or Upstream: The statistics for the upstream and downstream ADSL link. These statistics will be of interest to your technical support representative if you are having problems obtaining or maintaining a connection. Connection Speed: Typically, the downstream speed is faster than the upstream speed. Table 4-1. Router Statistics Fields (continued). Line Attenuation: The line attenuation will increase the further you are physically located from your ISP's facilities. Noise Margin: This is the signal to noise ratio and is a measure of the quality of the signal on the line. Poll Interval: Specifies the interval at which the statistics are updated in this window. Click Stop to freeze the display. Click the Connection Status button to display modem router connection status, as shown in Figure 4-5 below. [Figure 4-5: Connection Status screen, with fields including Connection Time, Connecting to Server, Negotiation, Authentication, Getting IP Addresses, and Getting Network Mask]
135. r IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See "Internet Networking and TCP/IP Addressing" in Appendix C for an explanation of DHCP and information about how to assign IP addresses for your network. Use Router as DHCP server: If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Use router as DHCP server check box. Otherwise, leave it selected. Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the router's LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and 192.168.0.254, although you may want to save part of the range for devices with fixed addresses. The router will deliver the following parameters to any LAN device that requests DHCP: an IP Address from the range you have defined; Subnet Mask; Gateway IP Address (is the router's LAN IP address); Primary DNS Server, if you entered a Primary DNS address in the Basic Settin
136. ration and force a DHCP release and renew. To edit or delete a reserved address entry: 1. Click the button next to the reserved address you want to edit or delete. 2. Click Edit or Delete. How to Configure LAN TCP/IP Settings: 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the router. From the Main Menu, under Advanced, click the LAN IP Setup link to view the menu shown in Figure 5-3. [Figure 5-3: LAN IP Setup screen, with LAN TCP/IP Setup (IP Address, IP Subnet Mask, RIP Direction, RIP Version), Use Router as DHCP Server (Starting IP Address, Ending IP Address), and Address Reservation (IP Address, Device Name, MAC Address)] Enter the TCP/IP, DHCP, or Reserved IP parameters. Click Apply to save your changes. Configuring Dynamic DNS: If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequent
137. rent. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard: 1. Log in to the DG834 v3 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed. [Figure 6-21: VPN Wizard opening screen, stating that the Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, and that the parameters can be updated afterwards through the VPN Settings link on the left menu] 2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and click Next to proceed. [Figure 6-22: VPN Wizard, Step 1 of 3: Connection Name and Remote IP Type. Callouts: enter the new Connection Name (e.g., GtoG); enter the pre-shared key (e.g., 12345678); select the radio button "A remote VPN Gateway"]
138. rental Controls menu shown below. Click this banner to install the Trend Micro dashboard and set up your Trend Micro account. [Figure 3-13: Trend Micro Parental Controls menu, with the Enable Parental Controls options (Never, Per Schedule, Always), the Parental Controls Mode selection (Use General Controls, Use Per User Controls), the General Controls settings, and the Parental Controls Access Log listing access attempts by category] To configure Parental Controls: Click Always to turn on Parental Controls all the time. Click Never to turn off Parental Controls. Click Per Schedule to turn on Parental Controls at the times specified on the Schedule page. Note: After changing Parental Controls settings, click Apply to save changes. To select Parental Controls Mode: Click Use General
139. [Figure B-17: Security Policy settings, with Select Phase 1 Negotiation Mode (Main Mode, Aggressive Mode), Enable Perfect Forward Secrecy (PFS), and Enable Replay Detection] c. Select the Main Mode in the Select Phase 1 Negotiation Mode check box. 4. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide the Pre-Shared Key that you configured in the DG834 v3 and either a fixed IP address or a fixed virtual IP address of the VPN client PC. a. In the Network Security Policy list on the left side of the Security Policy Editor window, click My Identity. [Figure: Security Policy Editor, NETGEAR ProSafe VPN Client, My Identity settings for the toDG834G connection, with Pre-Shared Key, Select Certificate, ID Type (Domain Name, toDG834G.com), Virtual Adapter, and Internet Interface fields]
140. rnet service providers, in Europe for example, use Classical IP in their ADSL services. In such cases, the modem router is able to use the Classical IP address from the ISP. PPP over Ethernet (PPPoE): PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an ADSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer. PPP over ATM (PPPoA): PPP over ATM is a protocol for connecting remote hosts to the Internet over an ADSL connection by simulating an ATM connection. Dynamic DNS: Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The modem router contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. Universal Plug and Play (UPnP): UPnP is a networking architecture that provides compatibility between networking technologies. UPnP-compliant routers provide broadband users at home and small businesses with a seamless way to participate in online games, videoconferencing, and other peer-to-peer services. Virtual Private Networking (VPN): The DG834 ADSL Modem Router provides a secure encrypted connection between your local area network (LAN) and remote networks or clients. It includes the following
141. rvices: Select this check box and then click Apply to enable the Security Service features on this page (automatic updates and Client Virus Protection Status information). Automatically check for update components: Select this check box to automatically check for updates to Trend Micro scanning components. Choose the desired checking interval from the list and then click Apply. Note: If your ISP bills by the amount of time or traffic you use, set the update frequency to once a day. Client Virus Protection Status: Provides information on all computers on your network. IP Address: The computer's IP address. Computer Name: The name of the computer as shown in Control Panel System. Antivirus Software: The type of antivirus software installed on the computer. Virus Def File Version: The version of the virus pattern file in use by the antivirus software. Scan Engine: The version of the scan engine in use by the antivirus software. Status: Indicates if the virus pattern file or scan engine require updating; if no recognized antivirus software is found, the status is Potential Threat. Parental Controls Settings: Click Parental Controls under Content Filtering on the Main menu to get the Trend Micro Pa
142. ry telecommuter example. VPN Consortium Scenario: Scenario 1. Type of VPN: PC/client-to-gateway, with client behind NAT router. Security Scheme: IKE with Preshared Secret/Key (not Certificate-based). IP Addressing: Gateway: Fully Qualified Domain Name (FQDN); Client: Dynamic. [Figure B-12: Telecommuter Example, showing Gateway A (the router at the employer's main office), NAT Router B, and Client B (a PC running NETGEAR ProSafe VPN Client at the telecommuter's home office), labelled with 192.168.0.1/24, ntgr.dyndns.org, 0.0.0.0, 192.168.2.3, fromDG834G.com and toDG834G.com] Setting Up the Client-to-Gateway VPN Configuration (Telecommuter Example): Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway involves the following two steps: "Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer's Main Office". "Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office" configures the NETGEAR ProSafe VPN Client endpoint. Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer's Main Office. Follow this procedure to configure a client-to-gateway VPN tunnel by filling out the VPN Auto Policy
143. [Figure 3-5: inbound rule screen, with Send to LAN Server, WAN Users, and Log fields] The parameters are: Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear. Action: Choose how you want this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. Send to LAN Server: Enter the IP address of the computer or server on your LAN which will receive the inbound traffic covered by this rule. WAN Users: These settings determine which packets are covered by the rule, based on their source WAN IP address. Select the desired option: Any (all IP addresses are covered by this rule); Address range (if this option is selected, you must enter the Start and Finish fields); Single address (enter the required address in the Start field). Log: You can select whether the traffic will be logged. The choices are: Never (no log entries will be made for this service); Always (any traffic for this service type will be logged); Match (traffic of this type which matches t
144. [Figure 6-37: Policy Table with columns Enable, Name, Type, Local, Remote, ESP; one entry: RoadWarrior, Auto, 192.168.3.1 / 255.255.255.0, 3DES] 3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.) Using the VPN Status Page to Deactivate a VPN Tunnel: To use the VPN Status page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the Modem Router. 2. Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 6-38). [Figure 6-38: VPN Status Log screen with the entries "2004-06-22 22:58:26 GtoG initiating Main Mode", "2004-06-22 22:58:26 GtoG ISAKMP SA established", "2004-06-22 22:58:26 GtoG sent QI2 IPsec SA established", "2004-06-22 22:58:27 GtoG sent QI2 IPsec SA established", and Refresh, Clear Log and VPN Status buttons] 3. Click VPN Status (Figure 6-38) to get the Current VPN Tunnels (SAs) screen (Figure 6-39). Click Drop for the VPN tunnel you want to deactivate. [Figure 6-39: Current VPN Tunnels (SAs) table with columns SPI In, SPI Out, Policy Name, Remote Endpoint, Action, SLifeTime, HLifeTime; one entry for RoadWarrior, remote endpoint 192.168.2.2, with a Drop action] Deleting a VPN Tunnel: To delete a VPN tunnel
145. s faster but less secure. SHA-1: 160 bits, slower but more secure.
Note: NETGEAR publishes additional interoperability scenarios with various gateway and client software products. Look on the NETGEAR web site at www.netgear.com for these interoperability scenarios.

VPN Tunnel Configuration
There are two tunnel configurations and three ways to configure them:
• Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
  - See "How to Set Up a Client-to-Gateway VPN Configuration" on page 6-6.
  - See "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 6-20.
• See "Using Auto Policy to Configure VPN Tunnels" on page 6-36 when the VPN Wizard and its VPNC defaults (see Table 6-2 on page 6-4) are not appropriate for your special circumstances, but you want to automate the Internet Key Exchange (IKE) setup.
• See "Using Manual Policy to Configure VPN Tunnels" on page 6-46 when the VPN Wizard and its VPNC defaults (see Table 6-2 on page 6-4) are not appropriate for your special circumstances and you must specify each phase of the connection. You manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex and there are more opportunities for errors or configuration mismatches between your DG834 v3 and the corresponding VPN endpoint gateway or client workstation.
146. s of the remote VPN gateway: IP Address (e.g., 192.168.0.1), Subnet Mask (e.g., 255.255.255.0)
• Preshared Key (e.g., 12345678)
7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps:
Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See "Activating a VPN Tunnel" on page 6-27 for information on the other ways.
a. Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 6-28).
[Figure 6-28: VPN Status Log screen with entries dated 2004-06-22 for the GtoG tunnel: initiating Main Mode; ISAKMP SA established; sent QI2, IPsec SA established]
b. Click on VPN Status (Figure 6-30) to get the Current VPN Tunnels (SAs) screen (Figure 6-29). Click on Connect for the VPN tunnel you want to activate.
[Figure 6-29: Current VPN Tunnels (SAs) table with columns #, SPI (In), SPI (Out), Policy Name, Remote Endpoint, Action, SLifeTime, HLifeTime; one row for the GtoG policy with a Connect button]
c. Look at the VPN Status Log screen (Figure 6-28) to verify that the tunnel is connected
147. s shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The modem router's default LAN IP configuration is:
• LAN IP addresses: 192.168.0.1
• Subnet mask: 255.255.255.0
These addresses are part of the Internet Engineering Task Force (IETF) designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu.
[Figure 5-2: LAN IP Setup screen with the LAN TCP/IP Setup, Use Router as DHCP Server and Address Reservation sections]
The LAN TCP/IP Setup parameters are:
• IP Address: This is the LAN IP address of the modem router.
• IP Subnet Mask: This is the LAN Subnet Mask of the modem router. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or modem router.
• RIP Direction: RIP (Router Information Protocol) allows a modem router to exchange routing information with other routers. The RIP Direction selection controls
148. ss in the Internal Network IP Address box. Otherwise, leave this box empty.
d. In the Internet Interface box, select the adapter you use to access the Internet. Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable or DSL line. You may also choose Any if you will be switching between adapters or if you have only one adapter.
e. Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the DG834 v3's Pre-Shared Key and click OK. In this example, 12345678 is entered. This field is case sensitive.
[Figure 6-13: Pre-Shared Key dialog box: "Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key."]
5. Configure the VPN Client Authentication Proposal.
In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the DG834 v3 configuration.
a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double-clicking its name or clicking on the symbol.
b. Expand the Authentication subheading by double-clicking its name or clicking on the
149. ss on the remote VPN Endpoint.
• Action: the action will be either a Drop or a Connect button.
• SLifeTime (Secs): the remaining Soft Lifetime for this SA in seconds. When the Soft Lifetime becomes zero, the SA (Security Association) will be re-negotiated.
• HLifeTime (Secs): the remaining Hard Lifetime for this SA in seconds. When the Hard Lifetime becomes zero, the SA (Security Association) will be terminated. (It will be re-established if required.)
[Figure 6-36: Current VPN Tunnels (SAs) table with columns #, SPI (In), SPI (Out), Policy Name, Remote Endpoint, Action, SLifeTime, HLifeTime; one row: 1, 3389064080, 3779227165, RoadWarrior, 192.168.2.2, Drop, 28716, 28715]

Deactivating a VPN Tunnel
Sometimes a VPN tunnel must be deactivated for testing purposes. There are two ways to deactivate a VPN tunnel:
• Policy table on VPN Policies page
• VPN Status page

Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel
To use the VPN Policies page to deactivate a VPN tunnel, perform the following steps:
1. Log in to the Modem Router.
2. Open the DG834 v3 management interface and click on VPN Policies to get the VPN Policies screen (Figure 6-38).
150. t to reply.
Note: Use Ctrl-C to stop the pinging.
[Figure 6-33: command prompt showing a ping of 192.168.0.1 with 32 bytes of data and three replies from 192.168.0.1]
Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote DG834 v3. After a short wait, you should see the login screen of the Modem Router (unless another PC already has the DG834 v3 management interface open).
• Gateway-to-Gateway Configuration: test the VPN tunnel by pinging the remote network from a PC attached to the DG834 v3.
a. Open command prompt (i.e., Start > Run > cmd).
b. ping 192.168.3.1
[Figure 6-34: ping output for 192.168.3.1 with 32 bytes of data; three replies from 192.168.3.1, bytes 32, times 2 ms, 16 ms and 2 ms, TTL 254]
Note: The pings may fail the first time. If so, then try the pings a second time.

Start Using a VPN Tunnel to Activate It
To use a VPN tunnel, use a Web browser to go to a URL whose IP address or range is covered by the policy for that VPN tunnel.

Verifying the Status of a VPN Tunnel
To use the VPN Status page to determi
151. t access to as few external IP addresses as practical.
• To allow access from any IP address on the Internet, select Everyone.
• To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
• To allow access from a single IP address on the Internet, select Only this Computer. Enter the IP address that will be allowed access.
5. Specify the Port Number that will be used for accessing the management interface.
Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
6. Click Apply to have your changes take effect.
When accessing your modem router from the Internet, you will type your modem router's WAN IP address in your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, enter in your browser: http://134.177.0.123:8080
Note: In this case, the http:// must be included in the address.
152. t remember the router's configuration password.
Go to "Restoring the Default Configuration and Password" on page 7-9.
• I want to clear the configuration and start over again.
Go to "Restoring the Default Configuration and Password" on page 7-9.

Basic Functioning
After you turn on power to the router, the following sequence of events should occur:
1. When power is first applied, verify that the Power LED is on (see "The Modem Router's Front Panel" on page 2-7 for an illustration and explanation of the LEDs).
2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is running.
3. After approximately 10 seconds, verify that:
a. The Test LED is not lit.
b. The LAN port LEDs are lit for any local ports that are connected.
c. The WAN port LED is lit.
If a port's LED is lit, a link has been established to the connected device. If a LAN port is connected to a 100 Mbps device, verify that the port's LED is green. If the port is 10 Mbps, the LED will be amber.
If any of these conditions does not occur, refer to the appropriate following section.

Power LED Not On
If the Power and other LEDs are off when your router is turned on:
• Make sure that the power cord is properly connected to your router and that the power supply adapter is properly connected to a functioning power outlet.
• Ch
153. take you to the Trend Micro Web site to open your Trend Micro account.
Note: Because of overlapping functionality, the Block Sites feature described in "How to Block Keywords and Sites" on page 3-3 is disabled if you enable Trend Micro Home Security.

Security Service Settings
Click Security Service under Content Filtering on the Main menu to get the Security Service Settings menu shown below.
[Figure 3-12: Security Service Settings menu with the Enable Trend Micro Security Services option, the Trend Micro banner, the Update Checking Interval settings, and the Client Virus Protection Status table]
To install Home Network Security, click the Trend Micro banner, and then follow the on-screen instructions. For assistance, refer to the Home Network Security Quick Start Guide included on the NETGEAR Resource CD. You can download this document and the Home Network Security User's Guide at http://www.trendmicro.com/en/support/tmss/netgear
• Enable Trend Micro Security Se
154. ted in Table 6-2 on page 4. If you have special requirements not covered by these VPNC-recommended parameters, refer to "How to Set Up VPN Tunnels in Special Circumstances" on page 36 to set up the VPN tunnel.
Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard.
[Figure 6-20: VPN tunnel between DG834 VPN firewall A (14.15.16.17) and DG834 VPN firewall B (22.23.24.25), each with PCs attached]
Set the LAN IPs on each DG834 v3 to different subnets and configure each properly for the Internet. The examples below assume the following settings:

Table 6-1. VPN Tunnel Configuration Worksheet
Connection Name: GtoG
Pre-Shared Key: 12345678
Secure Association (Main Mode or Manual Keys): Main
Perfect Forward Secrecy (Enabled or Disabled): Disabled
Encryption Protocol (DES or 3DES): 3DES
Authentication Protocol (MD5 or SHA-1): SHA-1
Diffie-Hellman (DH) Group (Group 1 or Group 2): Group 2
Key Life in seconds: 28800 (8 hours)
IKE Life Time in seconds: 3600 (1 hour)

VPN Endpoint | Local IPSec ID | LAN IP Address | Subnet Mask | FQDN or Gateway IP (WAN IP Address)
DG834 v3 A | GW A | 192.168.0.1 | 255.255.255.0 | 14.15.16.17
DG834 v3 B | GW B | 192.168.3.1 | 255.255.255.0 | 22.23.24.25

Note: The LAN IP address ranges of each VPN endpoint must be diffe
155. the Internet. If compromised, the computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the modem router unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.

How to Configure a Default DMZ Server
To assign a computer or server to be a Default DMZ server, follow these steps:
1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.
2. From the Main Menu, under Advanced, click the WAN Setup link to view the page shown in Figure 5-1.
[Figure 5-1: WAN Setup page with the options Connect Automatically, as Required; Disable Port Scan and DOS Protection; Default DMZ Server; Respond to Ping on Internet WAN Port; MTU Size (in bytes): 1492]
3. Select the Default DMZ Server check box.
4. Type the IP address for that server.
5. Click Apply to save your changes.

Connect Automatically, as Required
Normally, this option should be enabled, so that an Internet connection will be made automatically
156. tion
A Manual VPN policy requires all settings for the VPN tunnel to be manually input at each end (both VPN endpoints). Click the VPN Policies link of the main menu, and then click the Add Manual Policy radio button to display the Manual Keys menu shown in Figure 6-48.
[Figure 6-48: VPN - Manual Policy screen with the General, Local LAN, Remote LAN and ESP Configuration sections, shown beside the Policy Table]

General
The DG834 v3 VPN tunnel network connection fields are defined as follows:
• Policy Name: enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
157. to a new position in the table.

Services
Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, "Assigned Numbers." Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the DG834 v3 already holds a list of many service port numbers, you are not limited to these choices. Use the procedure below to create your own service definitions.

How to Define Services
1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.
2. Select the Services link of the Security menu to display the Services menu shown in Figure 3-9.
158. ur network.

Static Route Example
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN router on your home network for connecting to the company where you are employed. This router's address on your LAN is 192.168.0.100.
• Your company's network is 134.177.0.0.
When you first configured your router, two implicit static routes were created. A default route was created with your ISP as the modem router, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company's firewall.
In this case you must define a static route, telling your router that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 5-6.
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
• The Modem Router IP Address fields specify that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100.
A
159. ut This Manual
This chapter describes the intended audience, scope, conventions, and formats of this manual.

Audience, Scope, Conventions, and Formats
This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the Netgear website.
This guide uses the following typographical conventions:

Table 1-1. Typographical Conventions
italics: Emphasis, books, CDs, URL names
bold: User input
fixed: Screen text, file and server names, extensions, commands, IP addresses

This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.

This manual is written for the DG834 ADSL Modem Router according to these specifications:

Table 1-2. Manual Scope
Product Version: DG834 ADSL Modem Router
Manual Publication Date: October 2006

Note: Product updates are available on the NETGEAR, Inc. Web site at http://kbserver.netgear.com.

How to Print this Manual
To print this manual, you can choose one of the following several options, according to your needs.
• Printing a Page in the HTML View. Each page in the HTML version of the
160. wall Services
Blocking Keywords, Sites, and Services
How to Block Keywords and Sites
Firewall Rules
Inbound Rules (Port Forwarding)
Outbound Rules (Service Blocking)
Order of Precedence for Rules
Services
How to Define Services
Setting Times and Scheduling Firewall Services
How to Set Your Time Zone
How to Schedule Firewall Services
Trend Micro Home Network Security
Security Service Settings
Parental Control
Chapter 4 Managing Your Network
Backing Up, Restoring, or Erasing Your Settings
How to Back Up the Configuration to a File
How to Restore the Configuration from a File