WatchGuard Technologies FireboxTM System 4.6 Configuring a gateway

User Guide 125

Branch office VPN with IPSec

and how WatchGuard implements branch office VPN with IPSec, see the Network

Security Handbook.

From Policy Manage r:

• Select N e tw o r k => Br a n c h O f f i ce V P N => IP S e c .

Configuring a gateway

A gateway specifies endpoints for one or more tunnels. The standard specified for a

gateway, such as isakmp automated key negotiation, becomes the standard for

tunnels created with the gateway.

Adding a gateway

From the IPSec Configuration dialog box:

1Click Gateways.

2 To add a gateway, click Add.

3 Enter the gateway name.

This name identifies a gateway only within Policy Manager.

4Use the Key Negotiation Type drop list to select either isakmp (dynamic) or

Manual.

For more information, see “Configuring a tu nnel with dynamic security” on page 127 and

“Configuring a tunnel with manual security” on page126.

5In the Remote Gateway IP field, enter the IP address of the Firebox (or other

IPSec-compliant host) at the other end of the gateway.

6 Enter the shared key.

The Shared Key field is available only for ISAKMP-negotiated gateways. The same key must be

entered at the remote gateway.

7Click OK.

The Configure Gateways dialog box appears listing the newly configured gateway. Repeat the

Add Gateway procedure to add additional gateways.

8 When you finish adding gateways, click OK to return to the IPSec Configuration

dialog box.

Editing a gateway

From the Configure Gateways dialog box:

1 Click the gateway. Click Edit.

The IPSec Gateway dialog box appears.

2 Make changes according to your security policy preferences.

3Click OK.

• Determine the tunnel and policy endpoints

• Select an encryption method

• Select an authentication method

Contents

Main Disclaimer Copyright and Patent Information WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement Page Declaration of Conformity FCC Certification CE Notice CSA Statement Table of Contents PART I PART III PART II Page PART IV PART V PART I Introduction Welcome to WatchGuard WatchGuard Firebox System components WatchGuard Firebox WatchGuard Control Center WatchGuard security suite LiveSecurity Service Minimum requirements Software requirements Web browser requirements Hardware require ments PART II WatchGuard Services Page LiveSecurity broadcasts Activating the LiveSecurity Service Page Page Accessing frequently asked questions (FAQ) Known issues Getting Internet technical support Getting telephone support Training WatchGuard Interactive Training System (WITS) Instructor-led courses WatchGuard users group Subscribing to wg-users@watchguard.com Unsubscribing from wg-users@watchguard.com Contributing to wg-users@watchguard.com Online Help Starting WatchGuard Online Help Searching for topics Copying the Help system to additional platforms Online Help system requirements Context-sensitive Help Currently available options VPN Manager High Availability Mobile User VPN SpamScreen Obtaining WatchGuard options PART III Configuring a Security Policy Page What is a Firebox? Placing a Firebox within a network Internet Opening a configuration file Opening a configuration from the Firebox Opening a configuration from a local hard disk Saving a configuration file Saving a configuration to the local hard disk Resetting Firebox passphrases Tips for creating secure passphrases Setting the time zone Reinitializing a misconfigured Firebox Page Center Navigating the WatchGuard Control Center Starting the Control Center and connecting to a Firebox Control Center components QuickGuide Front panel Firebox and VPN tunnel status Page Traf fic Moni tor Working with the Control Center Connecting to a Firebox Changing the polling rate Setting the maximum number of log messages Manipulating the Traffic Monitor Policy Manager Changing the Policy Manager view Firebox Monitors LogViewer HostWatch Historical Reports LiveSecurity Event Processor Page Running the QuickSetup wizard Setting up a drop-in network Setting up a routed network Adding a secondary network Defining a network route Defining a host route Changing an interface IP address Setting the default gateway Entering WINS and DNS server addresses Defining a Firebox as a DHCP server Adding a new subnet Page Page Configuring default packet handling Blocking a site permanently Removing a blocked site Changing the auto-block duration Logging and notification for blocked sites Blocking a port permanently Removing a blocked port Logging and notification for blocked ports Blocking sites temporarily with service settings Configuring a service to temporarily block sites Viewing the Blocked Sites list Adding an existing service Creating a new service Defining service properties Adding incoming service properties Adding outgoing service properties Adding addresses to service properties Working with wg_ icons Configuring services for authentication Modifying a service Deleting a service Setting up proxy services Configuring an SMTP proxy service Page Configuring an FTP proxy service Configuring an HTTP proxy service Service precedence Page Page How WebBlocker works Reverting to old WebBlocker databases Logging and WebBlocker Prerequisites to using WebBlocker Configuring the WebBlocker service Activating WebBlocker Scheduling operational and non-operational hours Setting privileges Creating WebBlocker exceptions Manually downloading the WebBlocker database Translation What is dynamic NAT? Using simple dynamic NAT Enabling simple dynamic NAT Adding dynamic NAT entries Reordering dynamic NAT entries Using service-based NAT Enabling service-based NAT Configuring service-based NAT exceptions Configuring a service for incoming static NAT Adding external IP addresses Setting static NAT for a service Page Page Notification Ensure logging with failover logging WatchGuard logging architecture Designating Event Processors for a Firebox Adding an Event Processor Enabling Syslog logging Editing an Event Processor setting Removing an Event Processor Reordering Event Processors Synchronizing Event Processors Setting up the LiveSecurity Event Processor Installing the Event Processor program Running an Event Processor on Windows 98 Running an Event Processor on Windows NT or Windows 2000 Viewing the Event Processor Starting and stopping the Event Processor Setting the log encryption key Setting global logging and notification preferences Setting the interval for log rollover Scheduling log reports Controlling notification Customizing logging and notification by service or option Setting logging and notification for a service Setting logging and notification for default packet-handling options Setting logging and notification for blocked sites and ports Management Connecting a Firebox with OOB management Enabling the Management Station Preparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Preparing a Windows 2000 Management Station for OOB Configuring the Firebox for OOB Establishing an OOB connection Page PART IV Administering a Security Policy Page Implementing Authentication Using host aliases Adding a host alias Modifying a host alias Removing a host alias What is user authentication? User authentication types How user authentication works Configuring Firebox authentication Configuring Windows NT Server authentication Configuring RADIUS server authentication Configuring CRYPTOCard server authentication Configuring SecurID authentication Using authentication to define remote user VPN access Firebox Monitors Starting Firebox Monitors and connecting to a Firebox Setting Firebox Monitors view properties Bandwidth Meter ServiceWatch StatusReport Page Page Page Authentication list Blocked Sites list HostWatch Connecting to a Firebox Replaying a log file Controlling the HostWatch display Modifying view properties Page Files Viewing files with LogViewer Starting LogViewer and opening a log file Setting LogViewer preferences Searching for specific entries Copying and exporting LogViewer data Displaying and hiding fields Working with log files Consolidating logs from multiple locations Copying log files Forcing the rollover of log fi les Setting log encryption keys Page Activity Starting Historical Reports Viewing the reports list Creating and editing reports Creating a new report Specifying report sections Specifying a report time span Consolidating report sections Setting report properties Exporting reports Exporting reports to HTML format Exporting a report to WebTrends for Firewalls and VPNs Exporting a report to a text file Using report filters Creating a new filter Editing a filter Deleting a filter Applying a filter Scheduling and running reports Scheduling a report Manually running a report Report sections and consolidated sections Page Consolidated Sections Page PART V WatchGuard Virtual Private Networking Page Private Networking Configuration checklist Using DVCP to connect to devices How does DVCP work? Basic and Enhanced DVCP Creating a tunnel to a SOHO or SOHO|tc Editing a tunnel to a device Removing a tunnel to a device Defining a Firebox as an Enhanced DVCP Client Branch office VPN with IPSec Configuring a gateway Configuring a tunnel with manual security Configuring a tunnel with dynamic security Creating an IPSec policy Changing IPSec policy order Configuring services for branch office VPN with IPSec Configuring WatchGuard VPN WatchGuard VPN configuration models Setting up WatchGuard VPN Changing remote network entries Preventing IP spoofing with WatchGuard VPN Configuring incoming services to allow VPN Verifying successful WatchGuard VPN configuration Remote User VPN Configuration checklist Configuring shared servers for RUVPN Adding remote access users Adding a member to built-in RUVPN user groups Configuring services to allow incoming RUVPN By individual service Using the Any service Configuring the Firebox for Remote User PPTP Activating Remote User PPTP Entering IP addresses for Remote User sessions Configuring the Firebox for Mobile User VPN Purchasing a Mobile User VPN license Entering license keys Preparing Mobile User VPN configuration files Saving the configuration to a Firebox Distributing the software and configuration files Configuring debugging options Debugging Mobile User VPN Debugging Remote User VPN (PPTP) User VPN Preparing the client computers Remote host operating system Windows 95/98 platform preparation Windows NT platform preparation Setting up RUVPN for Windows 2000 Configuring the remote host for RUVPN with PPTP Using Remote User PPTP Starting Remote User PPTP Running Remote User PPTP Configuring debugging options Page Index A B C D E F G H I J K L M N O P Page Q R S T U V W Z