Branch office VPN with IPSec

9. Use the Protocol drop-down list to limit the protocol used by the policy.

Options include: * (specify ports but not protocol), TCP, and UDP.

10. In the Src Port field, enter the local host port.

The local host port number is optional and is the port from which WatchGuard sends all communication for the policy. To enable communication from all ports, enter 0.

11. Click OK.

The IPSec Configuration dialog box appears listing the newly created policy. Policies are initially listed in the order in which they were created.

Changing IPSec policy order

WatchGuard handles policies in the order listed, from top to bottom, on the IPSec configuration dialog box. Initially, the policies are listed in the order created. You must manually reorder the policies from more specific to less specific to ensure that sensitive connections are routed along the higher-security tunnels. In general, WatchGuard recommends the following policy order:

1. Host to host

2. Host to network

3. Network to host

4. Network to network

Policies must be set to the same order at both ends of the tunnel. For more information about IPSec policy order, see the Network Security Handbook.

From the IPSec Configuration dialog box:

To move a policy up in the list, click the policy. Click Move Up.

To move a policy down in the list, click the policy. Click Move Down.
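The reason the order matters is that the first policy whose selectors match a connection wins. The following added example (not WatchGuard code; the Policy model, CIDR selectors and tunnel names are constructed for illustration) shows a host-to-host connection landing on the broad site tunnel when policies are left in creation order, the same lookup selecting the dedicated tunnel after reordering most-specific first, and a check that the peer lists the same policies, mirrored, in the same order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed, simplified model of one IPSec policy entry: local and remote
# selectors as CIDRs, plus the tunnel that matching traffic is sent through.
@dataclass(frozen=True)
class Policy:
    local: str
    remote: str
    tunnel: str

RECOMMENDED_ORDER = ["host to host", "host to network",
                     "network to host", "network to network"]

def policy_kind(p: Policy) -> str:
    """Classify a policy into the four categories used for ordering."""
    local_host = ip_network(p.local).num_addresses == 1
    remote_host = ip_network(p.remote).num_addresses == 1
    return {(True, True): "host to host",
            (True, False): "host to network",
            (False, True): "network to host",
            (False, False): "network to network"}[(local_host, remote_host)]

def reorder(policies):
    """Most specific first; a stable sort keeps creation order within a kind."""
    return sorted(policies, key=lambda p: RECOMMENDED_ORDER.index(policy_kind(p)))

def select_tunnel(policies, src, dst):
    """First-match evaluation, top to bottom, as the firewall applies it."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if s in ip_network(p.local) and d in ip_network(p.remote):
            return p.tunnel
    return None  # no policy matched: traffic is not sent through any tunnel

def peer_order_matches(local_policies, peer_policies):
    """The far end sees each policy with local/remote swapped; the list
    order must be identical on both ends."""
    mirrored = [Policy(p.remote, p.local, p.tunnel) for p in local_policies]
    return mirrored == list(peer_policies)

# Constructed sample in creation order: the broad site policy was created
# first, the sensitive host-to-host policy second.
CREATED = [
    Policy("10.1.0.0/16", "10.2.0.0/16", "site-tunnel"),
    Policy("10.1.0.10/32", "10.2.0.20/32", "finance-tunnel"),
]
```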

Configuring services for branch office VPN with IPSec

Users on the remote Firebox are technically outside the trusted network; you must therefore configure the Firebox to allow traffic through the VPN connection. A quick method is to create a host alias corresponding to the remote VPN networks and hosts. Then use either the host alias, or enter the remote VPN networks and hosts individually, when configuring the following service properties:

Incoming

Enabled and Allowed

From: Remote VPN network, hosts, or host alias

To: trusted or selected hosts

Outgoing

Enabled and Allowed

From: trusted network or selected hosts

To: Remote VPN network, hosts, or host alias

For more information, see “Defining service properties” on page 49, and “Adding a host alias” on page 86.

User Guide

129

WatchGuard Technologies Firebox™ System 4.6 manual