WatchGuard Technologies FireboxTM System 4.6 Configuring a tunnel with dynamic security

User Guide 127

Branch office VPN with IPSec

5Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC

(160-bit algorithm).

6Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key field. You cannot enter a key here directly.

Using Authenticated Headers (AH)

1 Type or use the SPI scroll control to identify the Security Parameter Index (SPI).

You must select a number between 257 and 1023.

2Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC

(160-bit algorithm).

3Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key

Authentication KeyAuthentication Key

Authentication Key field. You cannot enter a key here directly.

Configuring a tunnel with dynamic security

A tunnel encapsulates packets between two gateways. It specifies encryption type

and/or authentication method. A tunnel also specifies endpoints. The following

describes how to configure a tunnel using a gateway with the isakmp (dynamic) key

negotiation type. From the IPSec configuration dialog box:

1Click Tunnels.

2 To add a new tunnel, click Add.

3 Click a gateway with isakmp (dynamic) key negotiation type to associate with

this tunnel. Click OK.

4 Type a tunnel name.

Policy Manager uses the tunnel name as an identifier.

5Click the Dynamic Security tab.

6Use the Type drop list to select a Security Association Proposal (SAP) type.

Options include: Encapsulated Security Payload (ESP) or Authenticated Headers (AH).

7Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), and SHA1-HMAC

(160-bit authentication algorithm).

8Use the Encryption drop list to select an encryption method.

Options include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit encryption).

9 To have a new key generated periodically, enable the Force Key Expiration

checkbox.

With this option, transparent to the user, the ISAKMP controller generates and negotiates a

new key for the session. For no key expiration, enter 0 (zero) here. If you enable the Force key

expiration checkbox, set the number of kilobytes transferred or hours passed in the session

before a new key is generated for continuat ion of the VPN session.

10 Click OK.

The Configure Tunnels dialog box appears displaying the newly created tunnel. Repeat the tunnel

creation procedure until you have created all tunnels for this particular gateway.

If there are Fireboxes at both ends of the tunnel, the remote administrator

can also enter the encryption and authentication passphrases. If the remote

firewall host is an IPSec-compliant device of other manufacture, the remote

system administrator must enter the literal keys displayed in the Security

Association Setup dialog box when setting up the remote IPSec-compliant

device.