Configuring WatchGuard VPN
4In the Local Firebox IP field, enter an IP address from a reserved network not in
use on the local or remote networks.
More information on reserved networks can be found in RFC 1918. You can use the same local VPN IP address for multiple VPN connections when specifying more than
5In the text box to the left of the Add button, enter the IP address in slash notation of any remote network to which access should be granted from the local Firebox .
Click Add.
The remote Firebox must reciprocate by adding the local networks in its Remote Networks box. Because WatchGuard VPN is a
6Click the Encryption tab.
7Under Encryption, select the number of bits used to encrypt the tunnel.
The greater the number of bits, the stronger the encryption.
8Enter the encryption key. Click Make Key.
WatchGuard hashes the encryption key and then displays a key in the bottom panel.
The hashed key must be identical on both Fireboxes. If you are running different versions of WatchGuard Security System software, verify that the hashes match exactly on the two Fireboxes.
9Click the Options tab.
10Enable the Activate WatchGuard VPN checkbox.
11To automatically block sites when the source fails to properly connect to the Firebox, enable the Add Source to Blocked List When Denied checkbox.
12Enable Logging options according to your security policy preferences.
Activating logging often generates a high volume of log entries, significantly slowing the passage of VPN traffic. WatchGuard recommends logging only for debugging purposes.
Changing remote network entries
You cannot edit a remote network entry. You must remove the original and add the new remote network address. From the WatchGuard VPN Setup dialog box:
1Click the network address. Click Remove.
2Click Add.
Add the new network configuration.
Preventing IP spoofing with WatchGuard VPN
There is a potential IP spoofing problem if the remote Firebox IP is on the same network as a remote network. It is theoretically possible to spoof packets from that single IP address (the remote Firebox IP). Although this situation is relatively rare, you can prevent it by disallowing access to internal servers from the remote Firebox IP.
User Guide | 131 |