Technical Document. Creating a VPN. GTA Firewall to WatchGuard Firebox SOHO 6 TD: GB-WGSOHO6




Contents

INTRODUCTION
  Supported Encryption and Authentication Methods
  Addresses Used in Examples
  Documentation
  Additional Documentation
GTA FIREWALL CONFIGURATION
  Configuring the VPN Object
    General Settings
    Phase 1 Settings
    Phase 2 Settings
  Configuring the VPN
  Creating the Remote Access Filters
    Allowing ESP Connections
    Allowing UDP Connections
  Creating IP Pass Through Filters
    Allowing Inbound Connections
    Allowing Outbound Connections
WATCHGUARD FIREWALL CONFIGURATION
  General Settings
  Phase 1 Settings
  Phase 2 Settings


INTRODUCTION

This document is written for the administrator who has both a GTA Firewall and a WatchGuard Firebox SOHO 6 operating on a network and requires a VPN (Virtual Private Network) to utilize both firewalls. Documentation was developed using a GB-250 running GB-OS 3.7.1 and a WatchGuard Firebox SOHO 6 running version 6.1.43 Boot ROM 4.14, and is written with the assumption that the reader has a strong working knowledge of TCP/IP, WatchGuard administration utilities and GB-OS system software.

Note: This example configuration assumes both firewalls have static IP addresses.

Supported Encryption and Authentication Methods

The following methods of encryption and authentication are supported for this configuration:

Table 1.1: Supported Encryption and Authentication Methods
  Supported Encryption: DES or 3DES
  Supported Authentication: SHA1 or MD5
  Supported Key Groups (Phase 1): Diffie-Hellman Group 1 or 2

When configuring Phase 2, PFS (Perfect Forward Secrecy) must be enabled on the WatchGuard firewall and Diffie-Hellman Group 2 must be used on the GTA firewall.

Addresses Used in Examples

The following IP addresses are used as examples in this document:

Table 1.2: Addresses Used in Examples
  WatchGuard Firebox SOHO 6
    External IP Address: 199.120.255.78
    Protected Network IP Address: 192.168.111.0/24
  GTA Firewall
    External IP Address: 199.120.225.77
    Protected Network IP Address: 192.168.70.0/24

Documentation

A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

  Bold Italics: Emphasis
  Italics: Publications
  Blue Underline: Clickable hyperlink (email address, web site or in-pdf link)
  SMALL CAPS: On-screen field names
  Monospace Font: On-screen text
  Condensed Bold: On-screen menus, menu items
  BOLD SMALL CAPS: On-screen buttons, links

Additional Documentation

For instructions on installation, registration and setup of a GTA Firewall, see your GTA Firewall's Product Guide. For optional features, see the appropriate Feature Guide. Manuals and other documentation can be found on the GTA website (www.gta.com). Documents on the website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat Reader 5.0 or greater. A free copy of the program can be obtained from Adobe at www.adobe.com.


GTA FIREWALL CONFIGURATION

Log into the GTA Firewall's web interface using an administrative account and follow the instructions below to set up a GTA firewall to WatchGuard Firebox SOHO 6 VPN. Configuring the GTA firewall consists of four parts:

  Configuring the VPN Object
  Configuring the VPN
  Configuring Remote Access Filters
  Configuring Pass Through Filters

Note: GTA recommends that the NTP service be enabled on any GTA firewall using a VPN.

Configuring the VPN Object

To configure the VPN object, navigate to Objects>VPN Objects and create a new VPN Object. Doing so will prompt you with the Edit/Insert VPN Object screen.

General Settings

Enter the following information for the general settings of the VPN object:

Table 2.1: General Settings
  Disable: (leave blank)
  Description: GTA Firewall to WatchGuard
  Name: GTA Firewall to WG
  Authentication Required: (leave blank)
  Local Gateway: <EXTERNAL>
  Force Mobile Protocol: (leave blank)
  Local Network IP Address: <USE ADDRESS>; enter the IP address of the GTA firewall's protected network (e.g., 192.168.70.0/24).

Phase 1 Settings

Under the PHASE 1 SETTINGS section of the screen, enter the following information:

Table 2.2: Phase 1 Settings
  Force NAT-T Protocol: (leave blank)
  Exchange: <MAIN>
  Local Identity: <IP Address>; leave the text field blank.
  Encryption Method: <3DES>
  Hash Algorithm: <HMAC-SHA1>
  Key Group: <Diffie-Hellman Group 1 (768 bits)>
  Lifetime: 360 minutes
  DPD Interval: 30 seconds

Note: It is important that LOCAL IDENTITY be left as <IP Address> with the text field blank.

Phase 2 Settings

Under the PHASE 2 SETTINGS section of the screen, enter the following information:

Table 2.3: Phase 2 Settings
  Encryption Method: <3DES>
  Hash Algorithm: <HMAC-SHA1>
  Key Group: <Diffie-Hellman Group 2 (1024 bits)>
  Lifetime: 90 minutes

Note: It is important that KEY GROUP be set to <Diffie-Hellman Group 2 (1024 bits)>.

Figure 2.1: Configuring the VPN Object

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.

Configuring the VPN

To configure the VPN, navigate to Authorization>VPN and create a new VPN. Doing so will prompt you with the Edit/Insert VPN screen.

Table 2.4: Configuring the VPN
  Disable: (leave blank)
  IPSec Key Mode: <IKE>
  Description: GTA Firewall to WG
  Local identity: Leave field blank
  VPN Object: <GTA Firewall to WG> (the VPN object created in Table 2.1)
  Remote Gateway: Enter the external IP address of the WatchGuard Firebox SOHO 6 (e.g., 199.120.255.78).
  Remote Network: Select <USE ADDRESS> and enter the IP ADDRESS of the WatchGuard Firebox SOHO 6's protected network (e.g., 192.168.111.0/24).
  Pre-shared Secret: Enter a pre-shared secret.

Figure 2.2: Configuring the VPN

Once all the necessary information has been filled out, click OK to commit the changes.

Creating the Remote Access Filters

To create remote access filters to accept IKE and ESP connections from the WatchGuard firewall, navigate to Filters>Remote Access.

Allowing ESP Connections

Click the Insert icon to insert a new remote access filter. Doing so will prompt you with the Insert Remote Access Filter screen.

Table 2.5: Allowing ESP Connections
  Disable: (leave blank)
  Description: VPN: Allow ESP connections (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <ANY>
  Protocol: <ESP>
  Priority: <5 - notice>
  Authentication Required: (leave blank)
  Action: (leave blank)
  Coalesce: (leave blank)
  Time Based: (leave blank)
  Traffic Shaping: (leave blank)
  Source Address: Select <USE ADDRESS> and enter the external IP ADDRESS of the WatchGuard Firebox SOHO 6 (e.g., 199.120.255.78).
  Source Ports: (leave blank)
  Destination Address: <EXTERNAL>
  Destination Ports: (leave blank)

Figure 2.3: Allowing ESP Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.

Allowing UDP Connections

Click the Insert icon to insert a new remote access filter. Doing so will prompt you with the Insert Remote Access Filter screen.

Table 2.6: Allowing UDP Connections
  Disable: (leave blank)
  Description: VPN: Allow UDP connections (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <ANY>
  Protocol: <UDP>
  Priority: <5 - notice>
  Authentication Required: (leave blank)
  Action: (leave blank)
  Coalesce: (leave blank)
  Time Based: (leave blank)
  Traffic Shaping: (leave blank)
  Source Address: Select <USE ADDRESS> and enter the external IP ADDRESS of the WatchGuard Firebox SOHO 6 (e.g., 199.120.255.78).
  Source Ports: (leave blank)
  Destination Address: <EXTERNAL>
  Destination Ports: 500 and 4500 (IKE and NAT-T)

Figure 2.4: Allowing UDP Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.

Creating IP Pass Through Filters

To create the pass through filters that allow traffic between the two protected networks to cross the VPN, navigate to Pass Through>Filters.

Allowing Inbound Connections

Click the Insert icon to insert a new pass through filter. Doing so will prompt you with the Insert Pass Through Filter screen.

Table 2.7: Allowing Inbound Connections
  Disable: (leave blank)
  Description: VPN: Allow inbound (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <EXTERNAL>
  Protocol: <ALL>
  Priority: <5 - notice>
  Authentication Required: (leave blank)
  Action: (leave blank)
  Coalesce: (leave blank)
  Time Based: (leave blank)
  Traffic Shaping: (leave blank)
  Source Address: Select <USE ADDRESS> and enter the IP ADDRESS of the WatchGuard Firebox SOHO 6's protected network (e.g., 192.168.111.0/24).
  Source Ports: (leave blank)
  Destination Address: Select <USE ADDRESS> and enter the IP ADDRESS of the GTA firewall's protected network (e.g., 192.168.70.0/24).
  Destination Ports: (leave blank)

Figure 2.5: Allowing Inbound Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.

Allowing Outbound Connections

Click the Insert icon to insert a new pass through filter. Doing so will prompt you with the Insert Pass Through Filter screen.

Table 2.8: Allowing Outbound Connections
  Disable: (leave blank)
  Description: VPN: Allow outbound (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <PROTECTED>
  Protocol: <ALL>
  Priority: <5 - notice>
  Authentication Required: (leave blank)
  Action: (leave blank)
  Coalesce: (leave blank)
  Time Based: (leave blank)
  Traffic Shaping: (leave blank)
  Source Address: Select <USE ADDRESS> and enter the IP ADDRESS of the GTA firewall's protected network (e.g., 192.168.70.0/24).
  Source Ports: (leave blank)
  Destination Address: Select <USE ADDRESS> and enter the IP ADDRESS of the WatchGuard Firebox SOHO 6's protected network (e.g., 192.168.111.0/24).
  Destination Ports: (leave blank)

Figure 2.6: Allowing Outbound Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.
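The four GTA filters above (Tables 2.5 to 2.8) are easy to get subtly wrong, so the following added example (not GTA code) models them and evaluates constructed packets against them. It assumes a simplified first-match, default-deny semantics and that <EXTERNAL> resolves to the GTA firewall's external address from Table 1.2; it shows that the remote access filters admit only ESP and UDP 500/4500 from the WatchGuard, and that pass through is limited to the two protected networks.

```python
import ipaddress
from dataclasses import dataclass

# Example addresses from Table 1.2
WG_EXTERNAL = "199.120.255.78"
GTA_EXTERNAL = "199.120.225.77"
WG_PROTECTED = "192.168.111.0/24"
GTA_PROTECTED = "192.168.70.0/24"

@dataclass(frozen=True)
class Filter:
    description: str
    interface: str              # EXTERNAL, PROTECTED or ANY
    protocol: str               # ESP, UDP or ALL
    source: str                 # host address or CIDR network
    destination: str            # host address or CIDR network
    dest_ports: frozenset = frozenset()   # empty means any destination port

@dataclass(frozen=True)
class Packet:
    interface: str              # interface the packet arrives on
    protocol: str
    src: str
    dst: str
    dport: int = 0              # 0 for protocols without ports (ESP, ICMP)

# Remote access filters (Tables 2.5 and 2.6): ESP and IKE/NAT-T from the
# WatchGuard's external address to the GTA firewall's own <EXTERNAL> address.
REMOTE_ACCESS = [
    Filter("VPN: Allow ESP connections (GTA Firewall to WG)", "ANY", "ESP",
           WG_EXTERNAL, GTA_EXTERNAL),
    Filter("VPN: Allow UDP connections (GTA Firewall to WG)", "ANY", "UDP",
           WG_EXTERNAL, GTA_EXTERNAL, frozenset({500, 4500})),
]

# Pass through filters (Tables 2.7 and 2.8): any protocol, but only between
# the two protected networks, inbound on EXTERNAL and outbound on PROTECTED.
PASS_THROUGH = [
    Filter("VPN: Allow inbound (GTA Firewall to WG)", "EXTERNAL", "ALL",
           WG_PROTECTED, GTA_PROTECTED),
    Filter("VPN: Allow outbound (GTA Firewall to WG)", "PROTECTED", "ALL",
           GTA_PROTECTED, WG_PROTECTED),
]

def matches(f: Filter, p: Packet) -> bool:
    """True when every field set on the filter matches the packet."""
    return (f.interface in ("ANY", p.interface)
            and f.protocol in ("ALL", p.protocol)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(f.source)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(f.destination)
            and (not f.dest_ports or p.dport in f.dest_ports))

def evaluate(filters, p: Packet) -> str:
    """First matching ACCEPT filter wins; anything unmatched is denied (assumed default)."""
    for f in filters:
        if matches(f, p):
            return "ACCEPT: " + f.description
    return "DENY"
```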

WATCHGUARD FIREWALL CONFIGURATION

Log into the WatchGuard Firebox SOHO 6's web interface using an administrative account and follow the instructions below to set up a GTA firewall to WatchGuard Firebox SOHO 6 VPN. Navigate to VPN>Manual VPN and click ADD. Doing so will prompt you with the Add Gateway screen.

General Settings

These general settings are user defined.

Table 3.1: General Settings
  Name: User defined name for the VPN (e.g., GTA).
  Shared Key: User defined shared key. Must match the Pre-shared Secret field located under Authorization>VPN on the GTA firewall.

Phase 1 Settings

Under the PHASE 1 SETTINGS section of the screen, enter the following information:

Table 3.2: Phase 1 Settings
  Mode: <Main Mode>
  Local ID: Enter the WatchGuard Firebox SOHO 6's external IP address (e.g., 199.120.255.78). Set the TYPE to <IP Address>.
  Remote ID: Enter the GTA firewall's external IP address (e.g., 199.120.225.77). Set the TYPE to <IP Address>.
  Authentication Algorithm: <SHA1-HMAC> or <MD5>. This must match the Hash Algorithm chosen on the GTA firewall (<HMAC-SHA1> in Table 2.2).
  Negotiation Expiration in Kilobytes: 0
  Negotiation Expiration in Hours: 2 (Value should be less than or equal to the GTA firewall's SA Lifetime.)
  Diffie-Hellman Group: <1>
  Enable Perfect Forward Secrecy: Checked
  Generate IKE Keep Alive Messages: (leave blank)

Figure 3.1: Phase 1 Settings

Phase 2 Settings

Under the PHASE 2 SETTINGS section of the screen, enter the following information:

Table 3.3: Phase 2 Settings
  Authentication Method: <SHA1-HMAC>
  Encryption Algorithm: <3DES-CBC>
  Negotiation Expiration in Kilobytes: 0
  Negotiation Expiration in Hours: 1 (Value should be less than or equal to the GTA firewall's SA Lifetime.)
  Configure Local and Remote Network:
    Local Network: Enter the WatchGuard Firebox SOHO 6's protected network IP address (e.g., 192.168.111.0/24).
    Remote Network: Enter the GTA firewall's protected network IP address (e.g., 192.168.70.0/24).

Figure 3.2: Phase 2 Settings

Once all the necessary information has been filled out, click SUBMIT to commit the changes. Your GTA firewall to WatchGuard Firebox SOHO 6 VPN is now in place. You can test the functionality of the VPN by pinging from a host on one firewall's protected network to a host on the other firewall's protected network.
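Before testing with ping, it is worth checking that the two configurations actually agree, since the guide's interoperability rules (matching algorithms under different vendor names, Main Mode on both sides, PFS on the WatchGuard paired with DH Group 2 on the GTA, WatchGuard expirations no longer than the GTA SA lifetimes, shared key and identities matching) are exactly what fails in practice. The following added example, not GTA or WatchGuard code, encodes both sides' values from the tables in this guide (the shared secret is a constructed placeholder) and reports every mismatch.

```python
# Vendor spellings of the same algorithm, normalised so the sides can be compared
ALG_ALIASES = {"HMAC-SHA1": "SHA1", "SHA1-HMAC": "SHA1", "MD5": "MD5",
               "3DES": "3DES", "3DES-CBC": "3DES", "DES": "DES"}

def norm(name: str) -> str:
    """Map GTA (HMAC-SHA1, 3DES) and WatchGuard (SHA1-HMAC, 3DES-CBC) names to one token."""
    return ALG_ALIASES[name.upper()]

# GTA side: VPN object Phase 1/2 (Tables 2.2, 2.3) and the VPN entry (Table 2.4)
GTA = {
    "external_ip": "199.120.225.77", "remote_gateway": "199.120.255.78",
    "preshared_secret": "example-secret",          # constructed placeholder
    "p1_exchange": "MAIN", "p1_hash": "HMAC-SHA1", "p1_dh": 1, "p1_lifetime_min": 360,
    "p2_enc": "3DES", "p2_hash": "HMAC-SHA1", "p2_dh": 2, "p2_lifetime_min": 90,
}

# WatchGuard side: General, Phase 1 and Phase 2 settings from the tables above
WG = {
    "external_ip": "199.120.255.78", "local_id": "199.120.255.78",
    "remote_id": "199.120.225.77", "shared_key": "example-secret",
    "p1_mode": "Main Mode", "p1_hash": "SHA1-HMAC", "p1_dh": 1, "p1_hours": 2,
    "p2_enc": "3DES-CBC", "p2_hash": "SHA1-HMAC", "pfs": True, "p2_hours": 1,
}

def check_interop(gta: dict, wg: dict) -> list:
    """Return the mismatches that would stop the tunnel from negotiating."""
    problems = []
    if gta["preshared_secret"] != wg["shared_key"]:
        problems.append("shared key differs from GTA pre-shared secret")
    # Identities: each side's Local ID is its own external IP and must equal
    # what the peer has as Remote ID / Remote Gateway.
    if wg["local_id"] != wg["external_ip"] or gta["remote_gateway"] != wg["local_id"]:
        problems.append("WatchGuard Local ID must equal its external IP and the GTA Remote Gateway")
    if wg["remote_id"] != gta["external_ip"]:
        problems.append("WatchGuard Remote ID must be the GTA external IP")
    if gta["p1_exchange"] != "MAIN" or wg["p1_mode"] != "Main Mode":
        problems.append("both sides must use Main Mode")
    for key in ("p1_hash", "p2_enc", "p2_hash"):
        if norm(gta[key]) != norm(wg[key]):
            problems.append(f"{key} mismatch: {gta[key]} vs {wg[key]}")
    if gta["p1_dh"] != wg["p1_dh"]:
        problems.append("Phase 1 Diffie-Hellman group mismatch")
    # The guide's rule: PFS on at the WatchGuard, DH Group 2 as the GTA Phase 2 key group
    if not wg["pfs"] or gta["p2_dh"] != 2:
        problems.append("enable PFS on WatchGuard and set GTA Phase 2 key group to DH Group 2")
    # WatchGuard expirations (hours) must not exceed the GTA SA lifetimes (minutes)
    for phase in ("p1", "p2"):
        if wg[f"{phase}_hours"] * 60 > gta[f"{phase}_lifetime_min"]:
            problems.append(f"{phase} WatchGuard expiration exceeds GTA lifetime")
    return problems
```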
