WatchGuard Technologies FireboxTM System 4.6 Branch office VPN with IPSec

Branch office VPN with IPSec

124

You can also change the network range of a WatchGuard client. However, when you

save the configuration to the server, it automatically triggers the client to reboot and

load the new policy.

From Policy Manage r:

1 Select Ne t w o rk => B r an c h O f fi c e V PN => B a s ic D VC P.

2 Select the tunnel policy. Click Edit.

The DVCP Client Wizard opens and displays the tunnel properties.

3Use the Next and Back buttons to move through the DVCP Client Wizard and

reconfigure tunnel properties. When complete, click Finish.

4 Save the configuration file to the Firebox.

The next time the client contacts the server, it will automatically note the tunnel policy change

and download the modifications. If the network address range on a client has changed, the client

automatically restarts.

Removing a tunnel to a device

When a tunnel is removed, the DVCP client can no longer communicate with the

server. The next time the DVCP client tries to contact the server, contact will be

denied. If these settings were never manually configured, the client will use

192.168.111.0/24 as the DHCP network range.

From Policy Manage r:

1 Select Ne t w o rk => B r an c h O f fi c e V PN => B a s ic D VC P.

2 Select the tunnel policy. Click Remove.

The policy is removed from the DVCP Configuration dialog box.

Defining a Firebox as an Enhanced DVCP Client

If a Firebox is part of a DVCP VPN setup, enable it as a client and configure its

settings.

From Policy Manage r:

1 Select Network => Enhanced DVCP Client.

2 Enable the Enable this Firebox as a DVCP Client checkbox.

3In the Firebox Name field, specify the name of the Firebox.

4 To log messages for the DVCP client, enable the Enable debug log messages for

the DVCP Client checkbox.

5 To add DVCP servers that the client can communicate with, click Add.

6 Enter the IP address. Enter the scared secret. Click OK.

Branch office VPN with IPSec

IPSec is a protocol that encrypts and/or authenticates traffic at the IP level between

any mix of arbitrary hosts and security gateways. For more information about IPSec

Contents

Main Disclaimer Copyright and Patent Information WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement Page Declaration of Conformity FCC Certification CE Notice CSA Statement Table of Contents PART I PART III PART II Page PART IV PART V PART I Introduction Welcome to WatchGuard WatchGuard Firebox System components WatchGuard Firebox WatchGuard Control Center WatchGuard security suite LiveSecurity Service Minimum requirements Software requirements Web browser requirements Hardware require ments PART II WatchGuard Services Page LiveSecurity broadcasts Activating the LiveSecurity Service Page Page Accessing frequently asked questions (FAQ) Known issues Getting Internet technical support Getting telephone support Training WatchGuard Interactive Training System (WITS) Instructor-led courses WatchGuard users group Subscribing to wg-users@watchguard.com Unsubscribing from wg-users@watchguard.com Contributing to wg-users@watchguard.com Online Help Starting WatchGuard Online Help Searching for topics Copying the Help system to additional platforms Online Help system requirements Context-sensitive Help Currently available options VPN Manager High Availability Mobile User VPN SpamScreen Obtaining WatchGuard options PART III Configuring a Security Policy Page What is a Firebox? Placing a Firebox within a network Internet Opening a configuration file Opening a configuration from the Firebox Opening a configuration from a local hard disk Saving a configuration file Saving a configuration to the local hard disk Resetting Firebox passphrases Tips for creating secure passphrases Setting the time zone Reinitializing a misconfigured Firebox Page Center Navigating the WatchGuard Control Center Starting the Control Center and connecting to a Firebox Control Center components QuickGuide Front panel Firebox and VPN tunnel status Page Traf fic Moni tor Working with the Control Center Connecting to a Firebox Changing the polling rate Setting the maximum number of log messages Manipulating the Traffic Monitor Policy Manager Changing the Policy Manager view Firebox Monitors LogViewer HostWatch Historical Reports LiveSecurity Event Processor Page Running the QuickSetup wizard Setting up a drop-in network Setting up a routed network Adding a secondary network Defining a network route Defining a host route Changing an interface IP address Setting the default gateway Entering WINS and DNS server addresses Defining a Firebox as a DHCP server Adding a new subnet Page Page Configuring default packet handling Blocking a site permanently Removing a blocked site Changing the auto-block duration Logging and notification for blocked sites Blocking a port permanently Removing a blocked port Logging and notification for blocked ports Blocking sites temporarily with service settings Configuring a service to temporarily block sites Viewing the Blocked Sites list Adding an existing service Creating a new service Defining service properties Adding incoming service properties Adding outgoing service properties Adding addresses to service properties Working with wg_ icons Configuring services for authentication Modifying a service Deleting a service Setting up proxy services Configuring an SMTP proxy service Page Configuring an FTP proxy service Configuring an HTTP proxy service Service precedence Page Page How WebBlocker works Reverting to old WebBlocker databases Logging and WebBlocker Prerequisites to using WebBlocker Configuring the WebBlocker service Activating WebBlocker Scheduling operational and non-operational hours Setting privileges Creating WebBlocker exceptions Manually downloading the WebBlocker database Translation What is dynamic NAT? Using simple dynamic NAT Enabling simple dynamic NAT Adding dynamic NAT entries Reordering dynamic NAT entries Using service-based NAT Enabling service-based NAT Configuring service-based NAT exceptions Configuring a service for incoming static NAT Adding external IP addresses Setting static NAT for a service Page Page Notification Ensure logging with failover logging WatchGuard logging architecture Designating Event Processors for a Firebox Adding an Event Processor Enabling Syslog logging Editing an Event Processor setting Removing an Event Processor Reordering Event Processors Synchronizing Event Processors Setting up the LiveSecurity Event Processor Installing the Event Processor program Running an Event Processor on Windows 98 Running an Event Processor on Windows NT or Windows 2000 Viewing the Event Processor Starting and stopping the Event Processor Setting the log encryption key Setting global logging and notification preferences Setting the interval for log rollover Scheduling log reports Controlling notification Customizing logging and notification by service or option Setting logging and notification for a service Setting logging and notification for default packet-handling options Setting logging and notification for blocked sites and ports Management Connecting a Firebox with OOB management Enabling the Management Station Preparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Preparing a Windows 2000 Management Station for OOB Configuring the Firebox for OOB Establishing an OOB connection Page PART IV Administering a Security Policy Page Implementing Authentication Using host aliases Adding a host alias Modifying a host alias Removing a host alias What is user authentication? User authentication types How user authentication works Configuring Firebox authentication Configuring Windows NT Server authentication Configuring RADIUS server authentication Configuring CRYPTOCard server authentication Configuring SecurID authentication Using authentication to define remote user VPN access Firebox Monitors Starting Firebox Monitors and connecting to a Firebox Setting Firebox Monitors view properties Bandwidth Meter ServiceWatch StatusReport Page Page Page Authentication list Blocked Sites list HostWatch Connecting to a Firebox Replaying a log file Controlling the HostWatch display Modifying view properties Page Files Viewing files with LogViewer Starting LogViewer and opening a log file Setting LogViewer preferences Searching for specific entries Copying and exporting LogViewer data Displaying and hiding fields Working with log files Consolidating logs from multiple locations Copying log files Forcing the rollover of log fi les Setting log encryption keys Page Activity Starting Historical Reports Viewing the reports list Creating and editing reports Creating a new report Specifying report sections Specifying a report time span Consolidating report sections Setting report properties Exporting reports Exporting reports to HTML format Exporting a report to WebTrends for Firewalls and VPNs Exporting a report to a text file Using report filters Creating a new filter Editing a filter Deleting a filter Applying a filter Scheduling and running reports Scheduling a report Manually running a report Report sections and consolidated sections Page Consolidated Sections Page PART V WatchGuard Virtual Private Networking Page Private Networking Configuration checklist Using DVCP to connect to devices How does DVCP work? Basic and Enhanced DVCP Creating a tunnel to a SOHO or SOHO|tc Editing a tunnel to a device Removing a tunnel to a device Defining a Firebox as an Enhanced DVCP Client Branch office VPN with IPSec Configuring a gateway Configuring a tunnel with manual security Configuring a tunnel with dynamic security Creating an IPSec policy Changing IPSec policy order Configuring services for branch office VPN with IPSec Configuring WatchGuard VPN WatchGuard VPN configuration models Setting up WatchGuard VPN Changing remote network entries Preventing IP spoofing with WatchGuard VPN Configuring incoming services to allow VPN Verifying successful WatchGuard VPN configuration Remote User VPN Configuration checklist Configuring shared servers for RUVPN Adding remote access users Adding a member to built-in RUVPN user groups Configuring services to allow incoming RUVPN By individual service Using the Any service Configuring the Firebox for Remote User PPTP Activating Remote User PPTP Entering IP addresses for Remote User sessions Configuring the Firebox for Mobile User VPN Purchasing a Mobile User VPN license Entering license keys Preparing Mobile User VPN configuration files Saving the configuration to a Firebox Distributing the software and configuration files Configuring debugging options Debugging Mobile User VPN Debugging Remote User VPN (PPTP) User VPN Preparing the client computers Remote host operating system Windows 95/98 platform preparation Windows NT platform preparation Setting up RUVPN for Windows 2000 Configuring the remote host for RUVPN with PPTP Using Remote User PPTP Starting Remote User PPTP Running Remote User PPTP Configuring debugging options Page Index A B C D E F G H I J K L M N O P Page Q R S T U V W Z