Configuring WatchGuard VPN

Configuring incoming services to allow VPN

Because users on the remote Firebox are technically outside the trusted network, you must configure services to allow traffic through the VPN connection. WatchGuard recommends the following method:

1. Create a host alias corresponding to the VPN remote networks.

For more information, see “Adding a host alias” on page 86.

2. Add the VPN host alias to the Incoming From and Outgoing To properties of allowed services.

For more information, see “Defining service properties” on page 49.

An alternative method is to add the Any service with the following incoming properties:

Enabled and allowed

From: VPN host alias

To: Any
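
The following is an added example, not part of the WatchGuard manual: a small Python model of the host-alias and Incoming-property logic described above. The alias name, remote networks, service names and port numbers are constructed for illustration, and the model only evaluates the Incoming From property, not the full Policy Manager rule set.

```python
# Added example (not from the WatchGuard manual): models a host alias that
# resolves to the VPN remote networks and services whose Incoming From
# property lists that alias, then compares the recommended per-service
# method with the broader "Any service" alternative.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class HostAlias:
    name: str
    networks: list  # CIDR strings the alias resolves to (constructed sample)

    def contains(self, ip):
        return any(ip_address(ip) in ip_network(n) for n in self.networks)


@dataclass
class Service:
    name: str
    ports: set                                        # empty set = Any port
    incoming_from: list = field(default_factory=list)  # HostAlias objects
    enabled: bool = True                              # "Enabled and allowed"

    def covers(self, port):
        return not self.ports or port in self.ports


def incoming_allowed(services, src_ip, dst_port):
    """Name of the first enabled service whose Incoming From property
    contains src_ip and which covers dst_port, else None (denied)."""
    for svc in services:
        if svc.enabled and svc.covers(dst_port) and any(
                a.contains(src_ip) for a in svc.incoming_from):
            return svc.name
    return None


# Constructed sample: alias for the networks behind the remote Firebox.
VPN_ALIAS = HostAlias("vpn_remote", ["10.20.0.0/16", "10.30.5.0/24"])

# Recommended method: add the alias only to the services actually needed.
RECOMMENDED = [Service("HTTP", {80}, [VPN_ALIAS]),
               Service("SMTP", {25}, [VPN_ALIAS])]

# Alternative method: Any service with From: VPN alias, To: Any (all ports).
ALTERNATIVE = [Service("Any", set(), [VPN_ALIAS])]


def compare(src_ip, dst_port):
    """Which service (if any) admits the packet under each method."""
    return (incoming_allowed(RECOMMENDED, src_ip, dst_port),
            incoming_allowed(ALTERNATIVE, src_ip, dst_port))


if __name__ == "__main__":
    for src, port in [("10.20.1.7", 80), ("10.20.1.7", 445), ("192.0.2.9", 80)]:
        print(src, port, compare(src, port))
```

The second sample packet shows the trade-off: the Any-service alternative admits every port from the VPN networks, whereas the recommended method admits only the services to which the alias was explicitly added.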

Verifying successful WatchGuard VPN configuration

To determine whether a configuration has been successful:

Watch for log entries as the Firebox reboots that show local and remote VPN IP addresses.

Check the Firebox status once it has booted. There should be an entry for a VPN interface directly following the entry for eth2.

Check the Control Center display for tunnel status.

If none of these indicators is present, review all settings on both Fireboxes, double-check that the passphrases are the same, and verify the remote IP addresses.

WatchGuard Technologies Firebox™ System 4.6 manual, Configuring incoming services to allow VPN