Branch office VPN with IPSec

11. After you add all tunnels for this gateway, click OK.

The Configure Gateways dialog box appears.

12. To configure more tunnels for another gateway, click Tunnels. Select a new gateway and repeat the tunnel creation procedure for that gateway.

13. When all the tunnels are created, click OK.

Creating an IPSec policy

Policies are sets of rules, much like packet filter rules, that define how outgoing IPSec packets are built and sent and determine whether incoming IPSec packets are accepted. Policies are defined by their endpoints. These are not the same as tunnel or gateway endpoints: they are the specific hosts or networks behind the tunnel's Fireboxes (or other IPSec-compliant devices) that communicate through the tunnel.

From the IPSec Configuration dialog box:

1. Click Add.

2. Use the Local drop list to select the tunnel type of the IP address behind the local Firebox.

The tunnel type can be an entire network or a single host.

3. Enter the IP address or network address in slash notation for the local host or network.

4. Use the Remote drop list to select the tunnel type of the IP address of the remote Firebox or IPSec-compliant device.

5. Enter the IP address or network address in slash notation for the remote host or network.

6. Use the Disposition drop list to select how IPSec handles traffic that matches the policy:

Secure

IPSec will encrypt all traffic that matches the rule in associated tunnel policies.

Block

IPSec will not allow traffic that matches the rule in associated tunnel policies.

Bypass

IPSec passes traffic that matches the rule without protecting it: the packets are sent in the clear, outside any tunnel. You cannot bypass a policy that has a network at either endpoint; both endpoints must be single hosts.

For every tunnel created to a dropped-in device, you must also create a host policy whose endpoints are both sides' external IP addresses, with the disposition set to Bypass. Otherwise, traffic to and from the dropped-in device's external IP address (the Fireboxes' own tunnel traffic) would also match the network policy associated with the VPN and conflict with it.

7. If you chose Secure as your disposition, use the Tunnel drop list to select a configured tunnel.

To configure a new tunnel, see “Configuring a tunnel with manual security” on page 126 or “Configuring a tunnel with dynamic security” on page 127. To display additional information about the selected tunnel, click More.

8. In the Dst Port field, enter the remote host port.

The remote host port number is optional; it is the destination port to which the Firebox sends traffic for this policy. To allow communication to all ports, enter 0.
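As an added illustration (not from the manual and not WatchGuard's code), the following Python models the policy table that steps 1 to 8 build: endpoints in slash notation, the three dispositions, the rule that Bypass is only allowed between single hosts, a Secure policy needing a tunnel, port 0 meaning all ports, and the dropped-in device conflict described under step 6. The most-specific-match ordering (a host policy overriding a network policy), the sample addresses, the tunnel name and all function and class names are assumptions of this model, not behaviour documented on this page.

```python
"""Model of the Firebox IPSec policy table described in the steps above.

Added example, not the manual's or WatchGuard's code. Names, the sample
addresses and the most-specific-match ordering are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SECURE, BLOCK, BYPASS = "Secure", "Block", "Bypass"


@dataclass(frozen=True)
class IPSecPolicy:
    local: str                    # host or network behind the local Firebox, slash notation
    remote: str                   # host or network behind the remote device, slash notation
    disposition: str              # Secure, Block or Bypass
    tunnel: Optional[str] = None  # required when disposition is Secure (step 7)
    dst_port: int = 0             # 0 = all ports (step 8)

    def validate(self):
        """Apply the rules the procedure states; return the parsed endpoints."""
        # strict=True rejects host bits set under the mask (e.g. 10.1.0.5/24),
        # which is almost always a typo in a policy endpoint (assumption).
        loc = ipaddress.ip_network(self.local, strict=True)
        rem = ipaddress.ip_network(self.remote, strict=True)
        if self.disposition not in (SECURE, BLOCK, BYPASS):
            raise ValueError(f"unknown disposition {self.disposition!r}")
        if self.disposition == SECURE and not self.tunnel:
            raise ValueError("a Secure policy must name a configured tunnel")
        if self.disposition == BYPASS and (loc.num_addresses > 1 or rem.num_addresses > 1):
            raise ValueError("Bypass is only allowed when both endpoints are single hosts")
        if not 0 <= self.dst_port <= 65535:
            raise ValueError("Dst Port must be 0 (all ports) or 1-65535")
        return loc, rem


class PolicyTable:
    """Validated policies with most-specific-match lookup."""

    def __init__(self, policies):
        self.entries = [(p, *p.validate()) for p in policies]

    def lookup(self, local_ip, remote_ip, dst_port):
        """Return the disposition for a packet, or None if no policy matches.

        For an outgoing packet local_ip is the source and remote_ip the
        destination; for an incoming packet the caller swaps them. When
        several policies match, the one with the longest combined prefix
        wins, so a host policy overrides a network policy (assumption).
        """
        lip, rip = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
        best = None
        for policy, loc, rem in self.entries:
            if lip in loc and rip in rem and policy.dst_port in (0, dst_port):
                specificity = loc.prefixlen + rem.prefixlen + (policy.dst_port != 0)
                if best is None or specificity > best[0]:
                    best = (specificity, policy)
        return best[1].disposition if best else None


def drop_in_demo():
    """Show why a dropped-in device needs the Bypass host policy from step 6.

    Constructed addresses: site A's Firebox runs in drop-in mode, so its
    external IP 203.0.113.10 lies inside the 203.0.113.0/24 network that the
    VPN policy protects; site B's peer is 198.51.100.1 inside 198.51.100.0/24.
    """
    network_policy = IPSecPolicy("203.0.113.0/24", "198.51.100.0/24",
                                 SECURE, tunnel="siteA-siteB")
    without_bypass = PolicyTable([network_policy])
    with_bypass = PolicyTable([
        network_policy,
        # Host policy for both sides' external IPs, disposition Bypass.
        IPSecPolicy("203.0.113.10/32", "198.51.100.1/32", BYPASS),
    ])
    ike = ("203.0.113.10", "198.51.100.1", 500)   # the Firebox's own IKE traffic
    lan = ("203.0.113.77", "198.51.100.20", 443)  # an ordinary host behind it
    return (without_bypass.lookup(*ike),  # "Secure": it would try to tunnel its own tunnel traffic
            with_bypass.lookup(*ike),     # "Bypass": sent in the clear, as required
            with_bypass.lookup(*lan))     # "Secure": LAN traffic still goes through the tunnel


def bypass_network_rejected():
    """A Bypass policy with a network endpoint violates step 6 and is refused."""
    try:
        IPSecPolicy("203.0.113.0/24", "198.51.100.1/32", BYPASS).validate()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(drop_in_demo())             # ('Secure', 'Bypass', 'Secure')
    print(bypass_network_rejected())  # True
```

The first value returned by `drop_in_demo` is the conflict the manual warns about: with only the network policy in place, the Firebox's own packets to the peer's external address fall under Secure, so the device would attempt to protect the very traffic that carries the tunnel. Adding the host-to-host Bypass policy makes the more specific entry win while leaving ordinary LAN-to-LAN traffic on the Secure path.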

WatchGuard Technologies Firebox System 4.6 manual, page 128