Configuring a WatchGuard to IPSec Tunnel

This document describes the procedures required to configure an IPSec tunnel between two WatchGuard Firebox devices (version 2.3.x). The following WatchGuard products support IPSec tunnels:

- WatchGuard with VPN Feature Key add-on
- WatchGuard tc

The following diagram illustrates the machines and addresses involved in the connection. The examples used in this document are taken from this set-up.
Why Create a Tunnel?

Virtual Private Networking (VPN) tunnels enable you to connect computers in two locations simply and securely without requiring expensive, dedicated point-to-point data connections. With VPN, a virtual connection between two branch offices is created over low-cost connections to the Internet. Unlike a simple, unencrypted Internet connection, a VPN connection eliminates the risk of data being read or altered by outside users as it traverses the Internet. This document describes how to configure two WatchGuard Fireboxes to create IPSec VPN tunnels between branch offices. For more information on setting up a device, see the WatchGuard User Guide.

What You Will Need

- Two WatchGuard devices installed, with VPN enabled.
- The following information from your Internet Service Provider:
  - Static IP addresses for both Internet connections
  - Default gateway IP address for both devices
  - Primary domain name service (DNS) IP address
  - If available, a secondary DNS address
  - Domain name
- Network addresses and subnet masks for both branch office networks. By default, the local network address is 192.168.111.0 and the subnet mask is 255.255.255.0.

NOTE: The internal networks on either end of the VPN tunnel must use different network addresses.

Special Considerations

The following are issues you should take into account before configuring your WatchGuard VPN network:

- You can connect only two WatchGuard devices together. To connect additional networks, upgrade at least one location to a WatchGuard Firebox II configured with the WatchGuard VPN Manager.
- Each device must be able to send messages to the other. If either has a dynamically assigned Internet (IP) address, the device will not be able to find its remote counterpart.
- Both devices must be set to use the same encryption (DES or triple-DES) and authentication (MD-5 or SHA-1) methods.
- When connecting two Windows NT networks, the two networks must be in the same Windows domain or be trusted domains. This is a Microsoft Networking design implementation and is not a limitation of the device.

To create an IPSec tunnel between devices you must add information to the configuration files of each that is specific to the site, such as public and private IP addresses. It is imperative to keep these addresses straight. WatchGuard recommends making a table of IP addresses such as the one outlined below. For clarity, we will use the example addresses and information in the configuration instructions that follow.

2 WatchGuard with VPN Manager 2.1

VPN Configuration Information (example)

Item                    Assigned By   Site A            Site B
Public IP Address       ISP           208.152.24.104    108.200.23.101
Public Subnet Mask      ISP           255.255.255.0     255.255.255.0
Local Network Address                 192.168.3.0       10.10.10.0
Shared Key                            Gu4c4mo!3         Gu4c4mo!3
Encryption Method                     3DES              3DES
Authentication Method                 SHA-1             SHA-1

Description of each item:

Public IP Address: The IP address that identifies the device to the Internet.

Public Subnet Mask: The overlay of bits that determines which part of the IP address identifies your network. For example, a Class C address licenses 256 addresses and has a netmask of 255.255.255.0.

Local Network Address: A private network address used by an organization's local network for identifying itself within the network. A local network address cannot be used as a public IP address, nor can the same address be used on both ends of the tunnel. WatchGuard recommends using an address from one of the reserved ranges:
  10.0.0.0         255.0.0.0
  172.16.0.0       255.240.0.0
  192.168.0.0/16   255.255.0.0

Shared Key: A phrase stored at both ends of the tunnel to authenticate the transmission as being from the claimed origin. The key can be any phrase, but mixing numerical, special, alphabetical, and uppercase characters improves security. For example, Gu4c4mo!3 is better than guacamole.

Encryption Method: The encryption method determines how many bits long the key is that encrypts and decrypts communication packets. DES is 56-bit encryption; 3DES is 168-bit, and therefore much more secure. It is also slower and is available outside the U.S. and Canada solely in accordance with the applicable export regulations set forth by the U.S. Department of Commerce, Bureau of Export Administration. Either 3DES or DES may be selected as long as both sides use the same method.

Authentication Method: The authentication method (MD5 or SHA1) used to code and decode the VPN user's authentications (passwords). Both sides must use the same method.

Configuring the WatchGuard for VPN

To configure a WatchGuard device for an IPSec VPN tunnel, use the Configuration menu to configure the IPSec VPN Settings. The following procedure configures Site A for a tunnel to Site B. You will need to complete this procedure with both devices before the tunnel can be established.
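Before typing the table's values into either device, it is worth checking them mechanically: the guide requires that the two local networks be different (the troubleshooting FAQ later repeats that the internal ranges must not overlap), that the local networks come from the reserved ranges, that the shared key, encryption and authentication settings match on both sides, and that each public address really is a public, static address. The script below is an added example written for this page, not WatchGuard code; the SITE_A and SITE_B dictionaries are constructed from the example table, and the check names and messages are this example's own.

```python
import ipaddress
import string

# Constructed from the example configuration table above (not a real deployment).
SITE_A = {
    "name": "Site A",
    "public_ip": "208.152.24.104",
    "public_mask": "255.255.255.0",
    "local_network": "192.168.3.0",
    "local_mask": "255.255.255.0",
    "shared_key": "Gu4c4mo!3",
    "encryption": "3DES",
    "authentication": "SHA-1",
}
SITE_B = {
    "name": "Site B",
    "public_ip": "108.200.23.101",
    "public_mask": "255.255.255.0",
    "local_network": "10.10.10.0",
    "local_mask": "255.255.255.0",
    "shared_key": "Gu4c4mo!3",
    "encryption": "3DES",
    "authentication": "SHA-1",
}

# The reserved ranges the guide recommends for local networks (dotted-mask form).
RESERVED_RANGES = [
    ipaddress.ip_network("10.0.0.0/255.0.0.0"),
    ipaddress.ip_network("172.16.0.0/255.240.0.0"),
    ipaddress.ip_network("192.168.0.0/255.255.0.0"),
]


def local_network(site):
    """Combine Local Network Address and Subnet Mask into a network object.

    strict=True makes ipaddress reject an address with host bits set
    (e.g. 192.168.3.5 with mask 255.255.255.0): that is a host address,
    not the network address the Remote Network Address field expects.
    """
    return ipaddress.ip_network(
        f"{site['local_network']}/{site['local_mask']}", strict=True
    )


def shared_key_is_mixed(key):
    """True when the key mixes lower, upper, digit and special characters."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return all(any(ch in cls for ch in key) for cls in classes)


def check_tunnel_config(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    networks = {}
    for site in (a, b):
        try:
            networks[site["name"]] = local_network(site)
        except ValueError:
            problems.append(f"{site['name']}: local network {site['local_network']} "
                            f"has host bits set for mask {site['local_mask']}")
        if ipaddress.ip_address(site["public_ip"]).is_private:
            problems.append(f"{site['name']}: public IP {site['public_ip']} is a "
                            "private address; the tunnel needs a static public address")
    if len(networks) == 2:
        net_a, net_b = networks[a["name"]], networks[b["name"]]
        if net_a.overlaps(net_b):
            problems.append(f"local networks overlap: {net_a} and {net_b} "
                            "must be different networks")
    for name, net in networks.items():
        if not any(net.subnet_of(r) for r in RESERVED_RANGES):
            problems.append(f"{name}: local network {net} is not in a reserved private range")
    # The guide requires these three to be identical at both ends.
    for field in ("shared_key", "encryption", "authentication"):
        if a[field] != b[field]:
            problems.append(f"{field} differs between sites: {a[field]!r} vs {b[field]!r}")
    if not shared_key_is_mixed(a["shared_key"]):
        problems.append("shared key does not mix numerical, special, alphabetical "
                        "and uppercase characters")
    if a["encryption"] == "DES":
        problems.append("DES (56-bit) selected; 3DES (168-bit) is much more secure")
    return problems


if __name__ == "__main__":
    for line in check_tunnel_config(SITE_A, SITE_B) or ["configuration table is consistent"]:
        print(line)
```

Run it once with the real values for both sites before step 1; every reported problem corresponds to a requirement in the text above, so an empty result means the table is at least internally consistent (it says nothing about whether the ISP settings are correct).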
From the Management Station of the device:

1 With your Web browser, go to the Configuration Settings page using the Private IP address of the device. The default IP address is 192.168.111.1.

2 Click Virtual Private Networking. The Virtual Private Networking screen appears.

3 Select Manual VPN from the drop list. Click Configure. The Manual Configuration page appears.

4 Check the box labelled Enable IPSEC Network.

5 Complete the following fields:

  Secure Gateway Address: The external interface of the remote device. In our example, this would be 208.152.24.104 for Site A and 108.200.23.101 for Site B.

  Remote WINS Server: The WINS server behind the remote device. This is found on an address in the local network address range behind the other site. In our example, we stored the WINS server on a computer at Site B with the IP address 10.10.10.254. (This field is optional.)

  Remote DNS Server: The DNS server behind the remote device. This is found on an address in the local network address range behind the other site. In our example, we stored the DNS server on a computer at Site B with the IP address 10.10.10.253. Note that this can be the same computer that houses the WINS server. (This field is optional.)

  Remote Domain: The remote domain behind the remote device (Site B). This is not applicable for a device-to-device IPSec VPN tunnel. Leave blank. (This field is optional.)

  Shared Key: Similar to a password, this phrase is used to authenticate both ends of the tunnel to each other; the shared key must be identical on both sites. In our example, Gu4c4mo!3.

  Remote Network Address: The address of the network on the trusted side of the remote device. In our example, we entered the local network address for Site B, 10.10.10.0.

  Subnet Mask: The mask of the network on the trusted side of the remote device. In our example, 255.255.255.0.

  Encryption Method: You can use either DES or the more secure 3DES. Whichever you select, it must match the encryption level set for the remote device.

  Authentication Method: The algorithm type (such as MD-5 or SHA-1). It must match the authentication method set for the remote device.

  Additional Networks Reachable Through Tunnel: This is not applicable for a device-to-device IPSec VPN tunnel. Leave blank.

6 Review the configuration information you have entered. Click Submit at the bottom of the page.

7 A page will appear prompting you to reboot the device. Confirm your settings; click Reboot.

8 Repeat steps 1 through 7 for the Site B device, using the IP address numbers appropriate to that installation. Make sure that the encryption, authentication method, and shared secret for Site B are exactly the same as for Site A.

Verifying the Tunnel

The following methods allow you to verify that the tunnel created between the two devices is functional and passing communication packets back and forth.

Browse to the remote device: Open a Web browser, such as Internet Explorer or Netscape Navigator. Browse to the private IP address of the remote device. If the browser finds the site and opens the page, the tunnel is operational.
Ping the remote device: From a machine behind one device, open a command line interface such as the MS-DOS Command Prompt (Windows machines). Enter the following command:

  ping [Remote Local Network Address]

In our example, we could start from a machine behind the Site A device and enter:

  ping 10.10.10.20

This sends a ping to the Site B local network address. If a reply is received from Site B (as opposed to "request timed out"), the tunnel is operational.
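The ping check above, combined with the two-step drill-down the FAQ gives for a tunnel that does not answer (public address first, then a host on the remote private network), can be scripted so that the result tells you which layer to look at. The following is an added example written for this page, not part of the WatchGuard guide. It calls the operating system's ping tool (flag syntax assumed for Windows and Linux), the addresses are the guide's example values, and the probe callable, status names and advice strings are this example's own.

```python
import platform
import subprocess


def ping(host, timeout_s=2):
    """Send one ICMP echo request with the OS ping tool; True on a reply.

    Flags assume Windows or Linux ping (on macOS, -W takes milliseconds).
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def diagnose_tunnel(remote_public_ip, remote_private_host, probe=ping):
    """Apply the guide's two-step check and return (status, advice).

    probe is any callable host -> bool; the default sends real pings, and a
    dictionary's .get can stand in for it when no network is available.
    """
    # Step 1: the remote device's public address must answer before the VPN
    # can be blamed; if it does not, the problem is ISP/public settings.
    if not probe(remote_public_ip):
        return ("public-unreachable",
                f"no reply from {remote_public_ip}: check the remote site's Public "
                "Network Settings and its Internet access before looking at the VPN")
    # Step 2: a host on the remote private network answers only through the tunnel.
    if not probe(remote_private_host):
        return ("tunnel-down",
                f"{remote_public_ip} answers but {remote_private_host} does not: "
                "re-check the Local Settings on both devices and confirm the two "
                "internal networks do not overlap")
    return ("ok", f"reply from {remote_private_host}: the tunnel is passing traffic")


if __name__ == "__main__":
    # Example addresses from the guide: Site A checking its tunnel to Site B.
    status, advice = diagnose_tunnel("108.200.23.101", "10.10.10.20")
    print(status, "-", advice)
```

Run it from a machine behind the Site A device; a "tunnel-down" result with a reachable public address narrows the fault to the VPN settings, while "public-unreachable" means the Internet path itself is not working and the VPN configuration is not yet the question.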
Frequently Asked Questions

Why do I need a static public address?
To create a connection, one device must be able to find its partner device. If the addresses were allowed to change, the device could not find its remote computer.

How do I get a static public IP address?
Contact your ISP. Some systems, like many cable modem systems, use dynamically assigned (DHCP) addresses to simplify basic installations. Some providers may also use this feature to discourage users from creating Web servers. These providers usually offer a static IP address option.

How do I connect three or four offices together?
To connect more than two offices together, WatchGuard recommends designating one office to be the center of a star network configuration and upgrading it to a WatchGuard Firebox II or Firebox II FastVPN. You can then manage multiple tunnels to devices or other IPSec-compliant devices from the central Firebox. In addition, the VPN Manager 2.0 add-on allows quick and easy creation and management of multiple tunnels.

How do I troubleshoot the connection?
Use the ping method described above. If you can ping the remote device and computers behind it, your VPN tunnel is up and running. Any remaining problems probably reside with MS Networking or an application used.

When I ping, I am not receiving a reply from the device.
If you cannot ping the remote device, take the following steps to identify the problem:

1 Ping the public address of the remote device. Following our example, from Site A, ping 108.200.23.101 (Site B). You should get a reply. If not, verify the Public Network Settings of Site B. If they are correct, verify that computers at Site B can access the Internet. If you are still having trouble, contact your ISP.

2 Once you can ping the public address of each device, try pinging the private address. From Site A, ping 10.10.10.20. If the tunnel is up, you should get a reply from the remote device. If not, re-check the Local Settings page. Make sure that the local DHCP address ranges do not overlap. That is, be certain that the internal networks are different.

Glossary of Terms

DES (Data Encryption Scheme): A cryptographic mechanism used to encrypt data before placing it in the Internet system. Once the data is encrypted, it is safer to transport via the public Internet system. Without encryption, the data may be easily read by any computer along its route.

Tunnel: A tunnel is used to route traffic between two networks. Creating a tunnel between two devices can join the two local networks, with each maintaining different private addresses.

VPN (Virtual Private Network): VPN consists of several technologies that allow two or more networks in different locations to be joined over the Internet. The first, tunneling technology, allows traffic on one network which is destined for the other to be routed to it via the Internet. The second, cryptography technology, assures that intermediaries along the public Internet route cannot read and/or alter messages flowing between locations.

Copyright and Patent Information

Copyright 1998-2001 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, and LiveSecurity are either a trademark or registered trademark of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.

DocVer B-2.3.x- to -1