Configuring WatchGuard VPN

4. In the Local Firebox IP field, enter an IP address from a reserved network that is not in use on the local or remote networks.

More information on reserved networks can be found in RFC 1918. When you configure more than one VPN connection (for example, several branch offices connecting to a central office), you can use the same local VPN IP address for all of them.

5. In the text box to the left of the Add button, enter the IP address, in slash notation, of any remote network to which access should be granted from the local Firebox.

Click Add.

The remote Firebox must reciprocate by adding the local networks in its Remote Networks box. Because WatchGuard VPN is a peer-to-peer arrangement, each Firebox must have the other's networks listed.

6. Click the Encryption tab.

7. Under Encryption, select the number of bits used to encrypt the tunnel.

The greater the number of bits, the stronger the encryption.

8. Enter the encryption key. Click Make Key.

WatchGuard hashes the encryption key and then displays a key in the bottom panel.

The hashed key must be identical on both Fireboxes. If you are running different versions of WatchGuard Security System software, verify that the hashes match exactly on the two Fireboxes.

9. Click the Options tab.

10. Enable the Activate WatchGuard VPN checkbox.

11. To automatically block sites when the source fails to properly connect to the Firebox, enable the Add Source to Blocked List When Denied checkbox.

12. Enable Logging options according to your security policy preferences.

Activating logging often generates a high volume of log entries, significantly slowing the passage of VPN traffic. WatchGuard recommends logging only for debugging purposes.

Changing remote network entries

You cannot edit a remote network entry. You must remove the original and add the new remote network address. From the WatchGuard VPN Setup dialog box:

1. Click the network address. Click Remove.

2. Click Add.

Add the new network configuration.

Preventing IP spoofing with WatchGuard VPN

There is a potential IP spoofing problem if the remote Firebox IP lies inside one of the configured remote networks. It is theoretically possible to spoof packets from that single IP address (the remote Firebox IP). Although this situation is relatively rare, you can prevent it by disallowing access to internal servers from the remote Firebox IP.
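The address-planning rules in steps 4 and 5 (a reserved local VPN IP that overlaps nothing in use, remote networks in slash notation, and reciprocal entries on both Fireboxes) and the spoofing condition described above can all be checked before the values are typed into the dialog box. The script below is an added example written for this guide; it is not WatchGuard code and does not talk to a Firebox. The network values in it are constructed sample data, and the function names are the example's own.

```python
"""Pre-flight checks for a WatchGuard VPN address plan (added example, not WatchGuard code).

Checks: the local VPN IP is RFC 1918 and not inside any in-use network (step 4),
remote networks parse as slash notation (step 5), each Firebox lists the other's
networks (reciprocity), and the remote Firebox IP is not inside a remote network
(the IP spoofing case the guide warns about).
"""
import ipaddress

# The three RFC 1918 reserved ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_reserved(ip):
    """True if ip falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_networks(entries):
    """Parse slash-notation entries; strict=True rejects entries with host bits set
    (e.g. 10.1.0.5/16), which is the usual typo in a Remote Networks list."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def check_local_vpn_ip(local_vpn_ip, local_networks, remote_networks):
    """Step 4: return a list of findings (empty means the address is acceptable)."""
    findings = []
    addr = ipaddress.ip_address(local_vpn_ip)
    if not is_reserved(addr):
        findings.append(f"{addr} is not in an RFC 1918 reserved range")
    for net in parse_networks(local_networks) + parse_networks(remote_networks):
        if addr in net:
            findings.append(f"{addr} falls inside in-use network {net}")
    return findings


def check_reciprocity(local_networks, peer_remote_networks):
    """Return the local networks the peer Firebox has NOT listed in its Remote Networks box."""
    local = set(parse_networks(local_networks))
    peer = set(parse_networks(peer_remote_networks))
    return sorted(str(n) for n in local - peer)


def spoofing_exposure(remote_firebox_ip, remote_networks):
    """Return the remote networks that contain the remote Firebox IP.
    A non-empty result is the case where access to internal servers from that
    single address should be disallowed."""
    addr = ipaddress.ip_address(remote_firebox_ip)
    return [str(n) for n in parse_networks(remote_networks) if addr in n]


if __name__ == "__main__":
    # Constructed sample plan: a branch office (A) and a central office (B).
    site_a = {"vpn_ip": "192.168.250.1", "local": ["10.1.0.0/16"], "remote": ["10.2.0.0/16"]}
    site_b = {"vpn_ip": "192.168.250.2", "local": ["10.2.0.0/16"], "remote": ["10.1.0.0/16"]}
    print("A local VPN IP findings:", check_local_vpn_ip(site_a["vpn_ip"], site_a["local"], site_a["remote"]))
    print("A networks missing from B:", check_reciprocity(site_a["local"], site_b["remote"]))
    print("Spoofing exposure (B's Firebox IP vs A's remote list):",
          spoofing_exposure("10.2.0.1", site_a["remote"]))
```

Run it as-is to see the sample plan evaluated; replace the sample dictionaries with your own addresses. A non-empty result from check_reciprocity means a tunnel will be one-sided until the peer adds the missing entry, and a non-empty result from spoofing_exposure identifies the remote Firebox IP for which internal-server access should be denied.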

WatchGuard Technologies Firebox System 4.6 User Guide