
About Global VPN Settings

From Policy Manager, you can select settings that apply to manual BOVPN tunnels, managed BOVPN tunnels, and Mobile VPN with IPSec tunnels.

  1. Select VPN > VPN Settings.
    The VPN Settings dialog box appears.

Screen shot of the VPN global settings dialog box

  2. Configure the settings for your VPN tunnels, as explained in the subsequent sections.

Enable IPSec Pass-Through

For a user to make IPSec connections to a Firebox or XTM device behind a different Firebox or XTM device, you must make sure the Enable IPSec Pass-through check box is selected. For example, if mobile employees are at a customer location that has a Firebox or XTM device, they can use IPSec to connect to their own network through it. For the local Firebox or XTM device to correctly allow the outgoing IPSec connection, you must also add an IPSec policy to the configuration.

When you enable IPSec pass-through, a policy called WatchGuard IPSec is automatically added to the configuration. The policy allows traffic from any trusted or optional network to any destination. When you disable IPSec pass-through, the WatchGuard IPSec policy is automatically deleted.

Enable TOS for IPSec

Type of Service (TOS) is a set of four-bit flags in the IP header that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware XTM gives you the option to allow IPSec tunnels to clear or maintain the settings on packets that have TOS flags. Some ISPs drop all packets that have TOS flags.

If you do not select the Enable TOS for IPSec check box, no IPSec packets carry TOS flags. If the TOS flags were set on the original packet, they are removed when Fireware encapsulates the packet in an IPSec header.

When the Enable TOS for IPSec check box is selected and the original packet has TOS flags, Fireware XTM keeps the TOS flags set when it encapsulates the packet in an IPSec header. If the original packet does not have the TOS flags set, Fireware XTM does not set the TOS flag when it encapsulates the packet in an IPSec header.

Make sure to carefully consider whether to select this check box if you want to apply QoS marking to IPSec traffic. QoS marking can change the setting of the TOS flag. For more information on QoS marking, see About QoS Marking.

Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used

When this option is not enabled, all packets that match the tunnel route specified in the IPSec gateway are sent through the IPSec VPN. If this option is enabled, the Firebox or XTM device uses the routing table to determine whether to send the packet through the IPSec VPN tunnel.

If a default route is used to route a packet

The packet is encrypted and sent through the VPN tunnel, to the interface specified in the VPN gateway configuration.

If a non-default route is used to route a packet

The packet is routed to the interface specified in the non-default route in the routing table. When a non-default route is used, the decision about whether to send the packet through the IPSec VPN tunnel depends on the interface specified in the routing table. If the interface in the non-default route matches the interface in the BOVPN gateway, the packet goes through the BOVPN tunnel configured for that interface. For example, if the BOVPN gateway interface is set to Eth0, and the matched non-default route uses Eth1 as the interface, the packet is not sent through the BOVPN tunnel. However, if the matched non-default route uses Eth0 as the interface, the packet is sent through the BOVPN tunnel.

This feature works with any non-default route (static or dynamic). You can use this feature in conjunction with dynamic routing to enable dynamic network failover from a private network route to an encrypted IPSec VPN tunnel.

For example, consider an organization that sends traffic between two networks, Site A and Site B. They use a dynamic routing protocol to send traffic between the two sites over a private network connection, with no VPN required. The private network is connected to the Eth1 interface of each device. They have also configured a BOVPN tunnel between the two sites to send BOVPN traffic over the local Internet connection, over the Eth0 interface of each device. They want to send traffic over the BOVPN tunnel only if the private network connection is not available.

If they select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box in the Global VPN Settings, the Firebox or XTM device sends traffic over the private network if a dynamic route to that network is present over the Eth1 interface. Otherwise, it sends traffic over the encrypted IPSec BOVPN tunnel on the Eth0 interface.
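To make the decision rule concrete, the following Python model reproduces the forwarding logic described above for the Site A / Site B scenario. It is an added illustration, not Fireware code; the interface names, the longest-prefix route lookup, and the "drop when no route matches" case are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str           # e.g. "10.2.0.0/16"; "0.0.0.0/0" is the default route
    interface: str        # e.g. "eth0" (interface names are assumed)
    source: str = "static"  # "static" or "dynamic"; the rule treats both alike

    def is_default(self) -> bool:
        return ipaddress.ip_network(self.prefix).prefixlen == 0


def lookup(routing_table, dst):
    """Longest-prefix match over the routing table (assumed lookup behaviour)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routing_table if addr in ipaddress.ip_network(r.prefix)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen) if matches else None


def forward(dst, tunnel_route, gateway_iface, routing_table, use_non_default_routes):
    """Return ("ipsec", iface), ("clear", iface) or ("drop", None) for a packet to dst."""
    route = lookup(routing_table, dst)
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(tunnel_route):
        return ("clear", route.interface) if route else ("drop", None)  # not VPN traffic at all
    if not use_non_default_routes:
        return ("ipsec", gateway_iface)       # option off: tunnel route alone decides
    if route is None:
        return ("drop", None)                 # assumption: no route means no delivery
    if route.is_default() or route.interface == gateway_iface:
        return ("ipsec", gateway_iface)       # default route, or non-default route on the gateway interface
    return ("clear", route.interface)         # non-default route on another interface bypasses the tunnel


# Constructed Site A view: private link on eth1 (dynamic route), Internet/BOVPN gateway on eth0.
SITE_B = "10.2.0.0/16"
GATEWAY_IFACE = "eth0"
LINK_UP = [Route("0.0.0.0/0", "eth0"), Route(SITE_B, "eth1", "dynamic")]
LINK_DOWN = [Route("0.0.0.0/0", "eth0")]    # dynamic route withdrawn when the private link fails


def failover_demo():
    """Show how the check box changes the path taken to a Site B host."""
    return {
        "option_off_link_up": forward("10.2.5.9", SITE_B, GATEWAY_IFACE, LINK_UP, False),
        "option_on_link_up": forward("10.2.5.9", SITE_B, GATEWAY_IFACE, LINK_UP, True),
        "option_on_link_down": forward("10.2.5.9", SITE_B, GATEWAY_IFACE, LINK_DOWN, True),
    }
```

With the option off, Site B traffic always takes the tunnel; with it on, the eth1 dynamic route wins while the private link is up and the tunnel on eth0 takes over once that route disappears.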

Enable LDAP Server for Certificate Verification

When you create a VPN gateway, you specify a credential method for the two VPN endpoints to use when the tunnel is created. If you choose to use an IPSec Firebox or XTM device certificate, you can identify an LDAP server that validates the certificate. Type the IP address for the LDAP server. You can also specify a port if you want to use a port other than 389.

BOVPN Notification

Click BOVPN Notification to configure the Firebox or XTM device to send a notification when a BOVPN tunnel is down. A dialog box appears for you to set parameters for the notification.

For information on the options in this dialog box, see Set Logging and Notification Preferences.

This setting does not apply to Mobile VPN with IPSec tunnels.

See Also

About Manual Branch Office VPN Tunnels

About Managed Branch Office VPN Tunnels
