WatchGuard Technologies FireboxTM System 4.6 User Manual

Configuring WatchGuard VPN
4 In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote networks.
5 In the text box to the left of the Add button, enter the IP address in slash notation of any remote network to which access should be granted from the local Firebox. Click Add.
The remote Firebox must reciprocate by adding the local networks in its Remote Networks box. Because WatchGuard VPN is a peer-to-peer situation, each Firebox must have the other’s network listed.
6 Click the Encryption tab.
7 Under Encryption, select the number of bits used to encrypt the tunnel.
The greater the number of bits, the stronger the encryption.
8 Enter the encryption key. Click Make Key.
WatchGuard hashes the encryption key and then displays a key in the bottom panel.
9 Click the Options tab.
10 Enable the Activate WatchGuard VPN checkbox.
11 To automatically block sites when the source fails to properly connect to the 
Firebox, enable the Add Source to Blocked List When Denied checkbox. 
12 Enable Logging options according to your security policy preferences.
Activating logging often generates a high volume of log entries, significantly slowing the passage 
of VPN traffic. WatchGuard recommends logging only for debugging purposes.
Changing remote network entries
You cannot edit a remote network entry. You must remove the original and add the 
new remote network address. From the WatchGuard VPN Setup dialog box:
1 Click the network address. Click Remove.
2 Click Add. Add the new network configuration.
Preventing IP spoofing with WatchGuard VPN
There is a potential IP spoofing problem if the remote Firebox IP is on the same 
network as a remote network. It is theoretically possible to spoof packets from that 
single IP address (the remote Firebox IP). Although this situation is relatively rare, 
you can prevent it by disallowing access to internal servers from the remote Firebox 
IP.
More information on reserved networks can be found in RFC 1918. You can 
use the same local VPN IP address for multiple VPN connections when 
specifying more than one—for example, when there are several branch offices 
connecting to a central office.
The hashed key must be identical on both Fireboxes. If you are running 
different versions of WatchGuard Security System software, verify that the 
hashes match exactly on the two Fireboxes.
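As an added example (not code from the WatchGuard manual or from WatchGuard software), the Python script below checks a pair of WatchGuard VPN Setup entries against the rules on this page: the Local Firebox IP must come from an RFC 1918 reserved range and must not be in use on any local or remote network (step 4); remote network entries must be valid slash notation, and each Firebox must list the other's networks because the tunnel is peer-to-peer (step 5); and a remote Firebox IP that falls inside one of the remote networks is flagged as the spoofing case described under "Preventing IP spoofing with WatchGuard VPN". Every address and function name here is an assumption constructed for the example.

```python
# Added example: sanity checks for a WatchGuard-VPN-style peer-to-peer tunnel
# configuration. Not WatchGuard code; all addresses below are constructed.
import ipaddress

# RFC 1918 private address space (step 4: the Local Firebox IP must come
# from a reserved network).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_networks(entries):
    """Parse slash-notation entries (step 5); return (networks, warnings).

    strict=True rejects entries such as 192.168.2.5/24 whose host bits are
    set, a common typo in a Remote Networks box.
    """
    networks, warnings = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            warnings.append(f"entry {entry!r} is not valid slash notation: {exc}")
    return networks, warnings


def check_vpn_config(local_vpn_ip, local_networks, remote_firebox_ip, remote_networks):
    """Return warnings for one Firebox's WatchGuard VPN Setup entries.

    local_vpn_ip      -- the Local Firebox IP (step 4)
    local_networks    -- networks behind this Firebox, slash notation
    remote_firebox_ip -- the peer Firebox's address
    remote_networks   -- entries in the Remote Networks box (step 5)
    """
    warnings = []
    vpn_ip = ipaddress.ip_address(local_vpn_ip)
    peer_ip = ipaddress.ip_address(remote_firebox_ip)

    locals_, bad = parse_networks(local_networks)
    warnings += bad
    remotes, bad = parse_networks(remote_networks)
    warnings += bad

    # Step 4: reserved address, and not in use on any local or remote network.
    if not any(vpn_ip in net for net in RFC1918):
        warnings.append(f"local Firebox IP {vpn_ip} is not in an RFC 1918 reserved range")
    for net in locals_ + remotes:
        if vpn_ip in net:
            warnings.append(f"local Firebox IP {vpn_ip} is already in use on network {net}")

    # "Preventing IP spoofing": a remote Firebox IP that sits inside a remote
    # network is the case the manual says to handle by denying that single
    # address access to internal servers.
    for net in remotes:
        if peer_ip in net:
            warnings.append(
                f"remote Firebox IP {peer_ip} lies inside remote network {net}; "
                f"deny that address access to internal servers")
    return warnings


def missing_reciprocal_entries(own_networks, peer_remote_entries):
    """Networks of one Firebox not covered by the peer's Remote Networks box.

    WatchGuard VPN is peer-to-peer (step 5 note): every network this side
    expects to reach through the tunnel must be listed on the other side too.
    """
    own, _ = parse_networks(own_networks)
    peer, _ = parse_networks(peer_remote_entries)
    return [str(net) for net in own
            if not any(net.version == p.version and net.subnet_of(p) for p in peer)]


if __name__ == "__main__":
    # Constructed sample: central office (A) and one branch office (B).
    a_local, b_local = ["192.168.1.0/24", "192.168.3.0/24"], ["192.168.2.0/24"]
    for line in check_vpn_config("10.255.0.1", a_local, "203.0.113.10", b_local):
        print("A:", line)
    for net in missing_reciprocal_entries(a_local, ["192.168.1.0/24"]):
        print("B's Remote Networks box is missing", net)
```

Run the checks on both Fireboxes' entries before you hash the key: `check_vpn_config` reports overlaps and the spoofing condition for one side, and `missing_reciprocal_entries` shows which of a Firebox's own networks the peer has not yet added to its Remote Networks box.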