WatchGuard Technologies FireboxTM System 4.6 manual Configuring a tunnel with dynamic security

Branch office VPN with IPSec

5Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm).

6Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key field. You cannot enter a key here directly.

Using Authenticated Headers (AH)

1Type or use the SPI scroll control to identify the Security Parameter Index (SPI).

You must select a number between 257 and 1023.

2Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm).

3Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key field. You cannot enter a key here directly.

If there are Fireboxes at both ends of the tunnel, the remote administrator can also enter the encryption and authentication passphrases. If the remote firewall host is an IPSec-compliant device of other manufacture, the remote system administrator must enter the literal keys displayed in the Security Association Setup dialog box when setting up the remote IPSec-compliant device.

Configuring a tunnel with dynamic security

A tunnel encapsulates packets between two gateways. It specifies encryption type and/or authentication method. A tunnel also specifies endpoints. The following describes how to configure a tunnel using a gateway with the isakmp (dynamic) key negotiation type. From the IPSec configuration dialog box:

1Click Tunnels.

2To add a new tunnel, click Add.

3Click a gateway with isakmp (dynamic) key negotiation type to associate with this tunnel. Click OK.

4Type a tunnel name.

Policy Manager uses the tunnel name as an identifier.

5Click the Dynamic Security tab.

6Use the Type drop list to select a Security Association Proposal (SAP) type.

Options include: Encapsulated Security Payload (ESP) or Authenticated Headers (AH).

7Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), and SHA1-HMAC (160-bit authentication algorithm).

8Use the Encryption drop list to select an encryption method.

Options include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit encryption).

9To have a new key generated periodically, enable the Force Key Expiration

checkbox.

With this option, transparent to the user, the ISAKMP controller generates and negotiates a new key for the session. For no key expiration, enter 0 (zero) here. If you enable the Force key expiration checkbox, set the number of kilobytes transferred or hours passed in the session before a new key is generated for continuation of the VPN session.

10Click OK.

The Configure Tunnels dialog box appears displaying the newly created tunnel. Repeat the tunnel creation procedure until you have created all tunnels for this particular gateway.