Technical Document: Creating a VPN
GTA Firewall to WatchGuard Firebox SOHO 6
TD: GB-WGSOHO6
Contents

Introduction ... 1
  Supported Encryption and Authentication Methods ... 1
  Addresses Used in Examples ... 1
  Documentation ... 2
  Additional Documentation ... 2
GTA Firewall Configuration ... 4
  Configuring the VPN Object ... 4
    General Settings ... 4
    Phase 1 Settings ... 4
    Phase 2 Settings ... 5
  Configuring the VPN ... 6
  Creating the Remote Access Filters ... 7
    Allowing ESP Connections ... 7
    Allowing UDP Connections ... 8
  Creating IP Pass Through Filters ... 10
    Allowing Inbound Connections ... 10
    Allowing Outbound Connections ... 11
WatchGuard Firewall Configuration ... 12
  General Settings ... 12
  Phase 1 Settings ... 12
  Phase 2 Settings ... 13
Introduction

This document is written for the administrator who has both a GTA Firewall and a WatchGuard Firebox SOHO 6 operating on a network and requires a VPN (Virtual Private Network) between the two firewalls. The documentation was developed using a GB-250 running GB-OS 3.7.1 and a WatchGuard Firebox SOHO 6 running version 6.1.43, Boot ROM 4.14, and is written with the assumption that the reader has a strong working knowledge of TCP/IP, WatchGuard administration utilities and GB-OS system software.

Note: This example configuration assumes both firewalls have static IP addresses.

Supported Encryption and Authentication Methods

The following methods of encryption and authentication are supported for this configuration:

Table 1.1: Supported Encryption and Authentication Methods
  Supported Encryption: DES or 3DES
  Supported Authentication: SHA1 or MD5
  Supported Key Groups (Phase 1): Diffie-Hellman Group 1 or 2

When configuring Phase 2, PFS (Perfect Forward Secrecy) must be enabled on the WatchGuard firewall and Diffie-Hellman Group 2 must be used on the GTA firewall.

Addresses Used in Examples

The following IP addresses are used as examples in this document:

Table 1.2: Addresses Used in Examples
  WatchGuard Firebox SOHO 6
    External IP Address: 199.120.255.78
    Protected Network IP Address: 192.168.111.0/24
  GTA Firewall
    External IP Address: 199.120.225.77
    Protected Network IP Address: 192.168.70.0/24
Documentation

A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

  Bold Italics: Emphasis
  Italics: Publications
  Blue Underline: Clickable hyperlink (email address, web site or in-pdf link)
  SMALL CAPS: On-screen field names
  Monospace Font: On-screen text
  Condensed Bold: On-screen menus, menu items
  BOLD SMALL CAPS: On-screen buttons, links

Additional Documentation

For instructions on installation, registration and setup of a GTA Firewall, see your GTA Firewall's Product Guide. For optional features, see the appropriate Feature Guide. Manuals and other documentation can be found on the GTA website (www.gta.com). Documents on the website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat Reader 5.0 or greater. A free copy of the program can be obtained from Adobe at www.adobe.com.
GTA Firewall Configuration

Log into the GTA Firewall's web interface using an administrative account and follow the instructions below to set up a GTA firewall to WatchGuard Firebox SOHO 6 VPN. Configuring the GTA firewall consists of four parts:

  1. Configuring the VPN Object
  2. Configuring the VPN
  3. Configuring Remote Access Filters
  4. Configuring Pass Through Filters

Note: GTA recommends that the NTP service be enabled on any GTA firewall using a VPN.

Configuring the VPN Object

To configure the VPN object, navigate to Objects>VPN Objects and create a new VPN Object. Doing so will prompt you with the Edit/Insert VPN Object screen.

General Settings

Enter the following information for the general settings of the VPN object:

Table 2.1: General Settings
  Description: GTA Firewall to WatchGuard
  Name: GTA Firewall to WG
  Local Gateway: <EXTERNAL>
  Local Network IP Address: select <USE ADDRESS> and enter the IP address of the GTA firewall's protected network (e.g., 192.168.70.0/24).
  Leave Disable, Authentication Required and Force Mobile Protocol at their defaults.

Phase 1 Settings

Under the PHASE 1 SETTINGS section of the screen, enter the following information:
Table 2.2: Phase 1 Settings
  Protocol Exchange: <MAIN>
  Local Identity: <IP Address>; leave the text field blank.
  Encryption Method: <3DES>
  Hash Algorithm: <HMAC-SHA1>
  Key Group: <Diffie-Hellman Group 1 (768 bits)>
  Lifetime: 360 minutes
  DPD Interval: 30 seconds
  Leave Force NAT-T at its default.

Note: It is important that LOCAL IDENTITY be left as <IP Address> with the text field blank.

Phase 2 Settings

Under the PHASE 2 SETTINGS section of the screen, enter the following information:

Table 2.3: Phase 2 Settings
  Encryption Method: <3DES>
  Hash Algorithm: <HMAC-SHA1>
  Key Group: <Diffie-Hellman Group 2 (1024 bits)>
  Lifetime: 90 minutes

Note: It is important that KEY GROUP be set to <Diffie-Hellman Group 2 (1024 bits)>.
Figure 2.1: Configuring the VPN Object

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.

Configuring the VPN

To configure the VPN, navigate to Authorization>VPN and create a new VPN. Doing so will prompt you with the Edit/Insert VPN screen.

Table 2.4: Configuring the VPN
  IPSec Key Mode: <IKE>
  Description: GTA Firewall to WG
  Local identity: leave the field blank.
  VPN Object: select the VPN object created above (GTA Firewall to WG).
  Remote Gateway: enter the external IP address of the WatchGuard Firebox SOHO 6 (e.g., 199.120.225.78).
  Remote Network: select <USE ADDRESS> and enter the IP ADDRESS of the WatchGuard Firebox SOHO 6's protected network (e.g., 192.168.111.0/24).
  Pre-shared Secret: enter a pre-shared secret.
  Leave Disable at its default.
Figure 2.2: Configuring the VPN

Once all the necessary information has been filled out, click OK to commit the changes.

Creating the Remote Access Filters

To create remote access filters that accept IKE and ESP connections from the WatchGuard firewall, navigate to Filters>Remote Access.

Allowing ESP Connections

Click the Insert icon to insert a new remote access filter. Doing so will prompt you with the Insert Remote Access Filter screen.

Table 2.5: Allowing ESP Connections
  Description: VPN: Allow ESP connections (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <ANY>
  Protocol: <ESP>
  Priority: <5 - notice>
  Source Address: select <USE ADDRESS> and enter the external IP ADDRESS of the WatchGuard Firebox SOHO 6 (e.g., 199.120.255.78).
  Destination Address: <EXTERNAL>
  Leave Disable, Authentication Required, Action, Coalesce, Time Based, Traffic Shaping, Source Ports and Destination Ports at their defaults.
Figure 2.3: Allowing ESP Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.

Allowing UDP Connections

Click the Insert icon to insert a new remote access filter. Doing so will prompt you with the Insert Remote Access Filter screen.

Table 2.6: Allowing UDP Connections
  Description: VPN: Allow UDP connections (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <ANY>
  Protocol: <UDP>
  Priority: <5 - notice>
  Source Address: select <USE ADDRESS> and enter the external IP ADDRESS of the WatchGuard Firebox SOHO 6 (e.g., 199.120.255.78).
  Destination Address: <EXTERNAL>
  Destination Ports: 500, 4500
  Leave Disable, Authentication Required, Action, Coalesce, Time Based, Traffic Shaping and Source Ports at their defaults.
Figure 2.4: Allowing UDP Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.
Creating IP Pass Through Filters

To create the pass through filters that carry traffic between the two protected networks over the VPN, navigate to Pass Through>Filters.

Allowing Inbound Connections

Click the Insert icon to insert a new pass through filter. Doing so will prompt you with the Insert Pass Through Filter screen.

Table 2.7: Allowing Inbound Connections
  Description: VPN: Allow inbound (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <EXTERNAL>
  Protocol: <ALL>
  Priority: <5 - notice>
  Source Address: select <USE ADDRESS> and enter the IP ADDRESS of the WatchGuard Firebox SOHO 6's protected network (e.g., 192.168.111.0/24).
  Destination Address: select <USE ADDRESS> and enter the IP ADDRESS of the GTA firewall's protected network (e.g., 192.168.111.0/24).
  Leave Disable, Authentication Required, Action, Coalesce, Time Based, Traffic Shaping, Source Ports and Destination Ports at their defaults.

Figure 2.5: Allowing Inbound Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.
Allowing Outbound Connections

Click the Insert icon to insert a new pass through filter. Doing so will prompt you with the Insert Pass Through Filter screen.

Table 2.8: Allowing Outbound Connections
  Description: VPN: Allow outbound (GTA Firewall to WG)
  Type: <ACCEPT>
  Interface: <PROTECTED>
  Protocol: <ALL>
  Priority: <5 - notice>
  Source Address: select <USE ADDRESS> and enter the IP ADDRESS of the GTA firewall's protected network (e.g., 192.168.70.0/24).
  Destination Address: select <USE ADDRESS> and enter the IP ADDRESS of the WatchGuard Firebox SOHO 6's protected network (e.g., 192.168.111.0/24).
  Leave Disable, Authentication Required, Action, Coalesce, Time Based, Traffic Shaping, Source Ports and Destination Ports at their defaults.

Figure 2.6: Allowing Outbound Connections

Once all the necessary information has been filled out, click OK and then SAVE to commit the changes.
WatchGuard Firewall Configuration

Log into the WatchGuard Firebox SOHO 6's web interface using an administrative account and follow the instructions below to set up a GTA firewall to WatchGuard Firebox SOHO 6 VPN. Navigate to VPN>Manual VPN and click ADD. Doing so will prompt you with the Add Gateway screen.

General Settings

These general settings are user defined.

Table 2.1: General Settings
  Name: user defined name for the VPN (e.g., GTA).
  Shared Key: user defined shared key. Must match the Pre-shared Secret field located under Authorization>VPN on the GTA firewall.

Phase 1 Settings

Under the PHASE 1 SETTINGS section of the screen, enter the following information:

Table 2.1: Phase 1 Settings
  Mode: <Main Mode>
  Local ID: enter the WatchGuard Firebox SOHO 6's external IP address (e.g., 199.120.255.78). Set the TYPE to <IP Address>.
  Remote ID: enter the GTA firewall's external IP address (e.g., 199.120.225.77). Set the TYPE to <IP Address>.
  Authentication Algorithm: <SHA1-HMAC> or <MD5>
  Negotiation Expiration in Kilobytes: 0
  Negotiation Expiration in Hours: 2 (the value should be less than or equal to the GTA firewall's SA Lifetime.)
  Diffie-Hellman Group: <1>
  Enable Perfect Forward Secrecy: Checked
  Generate IKE Keep Alive Messages: (not specified)
Figure 2.1: Phase 1 Settings

Phase 2 Settings

Under the PHASE 2 SETTINGS section of the screen, enter the following information:

Table 2.2: Phase 2 Settings
  Authentication Method: <SHA1-HMAC>
  Encryption Algorithm: <3DES-CBC>
  Negotiation Expiration in Kilobytes: 0
  Negotiation Expiration in Hours: 1 (the value should be less than or equal to the GTA firewall's SA Lifetime.)
  Configure Local and Remote Network:
    Local Network: enter the WatchGuard Firebox SOHO 6's protected network IP address (e.g., 192.168.111.0/24).
    Remote Network: enter the GTA firewall's protected network IP address (e.g., 192.168.70.0/24).
Figure 2.2: Phase 2 Settings

Once all the necessary information has been filled out, click SUBMIT to commit the changes.

Your GTA firewall to WatchGuard Firebox SOHO 6 VPN is now in place. You can test the functionality of the VPN by pinging from a host on one firewall's protected network to a host on the other firewall's protected network.
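The two configurations above only negotiate when the Phase 1 and Phase 2 parameters, identities, lifetimes and networks agree on both sides. The script below is an added example (not GTA or WatchGuard code): it encodes the values from this document's tables, using the Table 1.2 addresses, in two constructed dictionaries with key names of my own choosing, and reports every mismatch, including the PFS/Diffie-Hellman Group 2 rule from the Introduction and the lifetime ordering noted in the WatchGuard tables.

```python
"""Cross-check the GTA and WatchGuard IPsec settings from this document.
Added example, not GTA or WatchGuard code; the dicts below are constructed
from the document's tables (Table 1.2 addresses) so the check runs offline."""
import ipaddress

GTA = {  # Tables 1.2, 2.2, 2.3 and 2.4
    "external_ip": "199.120.225.77", "protected_net": "192.168.70.0/24",
    "remote_gateway": "199.120.255.78", "remote_net": "192.168.111.0/24",
    "p1": {"exchange": "main", "enc": "3des", "hash": "sha1", "dh": 1, "lifetime_min": 360},
    "p2": {"enc": "3des", "hash": "sha1", "dh": 2, "lifetime_min": 90},
}
WG = {  # WatchGuard Phase 1 and Phase 2 tables
    "external_ip": "199.120.255.78", "protected_net": "192.168.111.0/24",
    "remote_net": "192.168.70.0/24",
    "p1": {"mode": "main", "local_id": "199.120.255.78", "remote_id": "199.120.225.77",
           "auth": "sha1", "dh": 1, "expire_hours": 2, "pfs": True},
    "p2": {"auth": "sha1", "enc": "3des", "expire_hours": 1},
}

def net(s):
    return ipaddress.ip_network(s)

def check_vpn(gta, wg):
    """Return the list of mismatches that would stop the tunnel negotiating."""
    g1, g2, w1, w2 = gta["p1"], gta["p2"], wg["p1"], wg["p2"]
    rules = [
        (g1["exchange"] == w1["mode"], "Phase 1 exchange mode differs"),
        (g1["hash"] == w1["auth"] and g1["dh"] == w1["dh"], "Phase 1 hash or DH group differs"),
        # WatchGuard IDs are IP addresses; the GTA local identity is blank, so its external IP is used.
        (w1["local_id"] == wg["external_ip"] and w1["remote_id"] == gta["external_ip"],
         "Phase 1 identities are not the two external addresses"),
        (gta["remote_gateway"] == wg["external_ip"], "GTA remote gateway is not the WatchGuard"),
        (g2["enc"] == w2["enc"] and g2["hash"] == w2["auth"], "Phase 2 cipher or hash differs"),
        # Document rule: PFS on the WatchGuard requires DH group 2 in the GTA Phase 2 settings.
        (not w1["pfs"] or g2["dh"] == 2, "PFS enabled but GTA Phase 2 key group is not DH 2"),
        # WatchGuard expirations must not exceed the GTA SA lifetimes (hours vs. minutes).
        (w1["expire_hours"] * 60 <= g1["lifetime_min"], "Phase 1 expiration exceeds GTA lifetime"),
        (w2["expire_hours"] * 60 <= g2["lifetime_min"], "Phase 2 expiration exceeds GTA lifetime"),
        # Each side's remote network must be the other side's protected network.
        (net(gta["remote_net"]) == net(wg["protected_net"]), "GTA remote network is wrong"),
        (net(wg["remote_net"]) == net(gta["protected_net"]), "WatchGuard remote network is wrong"),
    ]
    return [msg for ok, msg in rules if not ok]

if __name__ == "__main__":
    print(check_vpn(GTA, WG) or "settings are consistent")
```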