NETGEAR UTM5-100NAS Network Hardware User Manual


 
ProSecure Unified Threat Management (UTM) Appliance Reference Manual
Virtual Private Networking Using IPsec Connections 7-43
v1.0, January 2010
Assigning IP Addresses to Remote Users (Mode Config)
To simplify the process of connecting remote VPN clients to the UTM, use the Mode Config
feature to assign IP addresses to remote users, including a network access IP address, subnet mask,
WINS server, and DNS address from the UTM. Remote users are given IP addresses available in a
secured network space so that remote users appear as seamless extensions of the network.
Mode Config Operation
After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote
user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask,
WINS server, and DNS address from the UTM. The Mode Config feature allocates an IP address
from the configured IP address pool and activates a temporary IPsec policy, using the information
that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the
Add Mode Config Record screen that is shown in Figure 7-26 on page 7-45).
Configuring Mode Config Operation on the UTM
To configure Mode Config on the UTM, you first must create a Mode Config record, and then
select the Mode Config record for an IKE policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE
Policies screen in view.
Note: You select the RADIUS authentication protocol (PAP or CHAP) on the Edit
IKE Policy screen or Add IKE Policy screen (see “Configuring XAUTH for
VPN Clients” on page 7-39).
Note: After configuring a Mode Config record, you must manually configure an IKE
policy and select the newly-created Mode Config record from the ‘Select Mode
Config Record’ pull-down menu (see “Configuring Mode Config Operation on the
UTM” on page 7-43). You do not need to make changes to any VPN policy.
Note: An IP address that is allocated to a VPN client is released only after the VPN client
has gracefully disconnected or after the SA lifetime for the connection has timed
out.
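The release rule in the note above matters when sizing the Mode Config address pool: clients that vanish without a graceful disconnect keep their addresses until the SA lifetime expires. The following Python model is an added example, not NETGEAR code or UTM behavior beyond what the note states. The pool range, session names, event list and the 3600-second lifetime are constructed, and SA rekeying by live clients is not modeled.

```python
import ipaddress

class ModeConfigPool:
    """Toy model of a Mode Config address pool; not NETGEAR code."""

    def __init__(self, first, last, sa_lifetime):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
        self.free = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        self.sa_lifetime = sa_lifetime      # seconds
        self.leases = {}                    # session id -> (address, expiry)

    def _expire(self, now):
        # Release rule 2: the SA lifetime for the connection has timed out.
        for session, (addr, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[session]
                self.free.append(addr)

    def connect(self, session, now):
        self._expire(now)
        if not self.free:
            return None                     # pool exhausted, no address to hand out
        addr = self.free.pop(0)
        self.leases[session] = (addr, now + self.sa_lifetime)
        return addr

    def disconnect(self, session, now):
        # Release rule 1: a graceful disconnect frees the address at once.
        lease = self.leases.pop(session, None)
        if lease:
            self.free.append(lease[0])

def replay(events, first, last, sa_lifetime):
    """Replay (time, action, session) tuples in time order; return refused connects."""
    pool, refused = ModeConfigPool(first, last, sa_lifetime), []
    for now, action, session in events:
        if action == "connect" and pool.connect(session, now) is None:
            refused.append((now, session))
        elif action == "disconnect":
            pool.disconnect(session, now)
        # "drop" = client vanished without notice: the gateway sees nothing,
        # so the lease stays until the SA lifetime runs out.
    return refused

# Constructed sample: 3-address pool, 3600 s SA lifetime.
EVENTS = [(0, "connect", "s1"), (10, "connect", "s2"), (20, "connect", "s3"),
          (100, "drop", "s1"), (100, "drop", "s2"), (200, "disconnect", "s3"),
          (300, "connect", "s4"), (400, "connect", "s5"), (3605, "connect", "s6")]

if __name__ == "__main__":
    print(replay(EVENTS, "192.168.99.1", "192.168.99.3", 3600))
```

In this sample the two dropped sessions hold their addresses, so the connect at t=400 is refused even though only one client is actually online; the connect at t=3605 succeeds because the first lease has expired.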