Configuring a VPN Gateway

A gateway is a connection point for one or more VPN tunnels. The VPN gateway contains the Phase 1 ISAKMP settings, including the information that a device needs to establish an authenticated and encrypted VPN tunnel with another device. Internet Security Association and Key Management Protocol (ISAKMP) is the framework that IKE uses to authenticate the two peers and to negotiate and manage the security associations (SAs) under which traffic is later protected; it does not itself authenticate the traffic.

To start IPSec tunnel negotiation, one VPN endpoint must connect to the other. To create a manual VPN tunnel, you must configure the VPN gateway at each endpoint.

In this exercise, we will configure the VPN gateway on the Kunstler HQ Firebox to look for the remote gateway at the new NYC sales office. The NYC Firebox has a static external IP address of

  1. Open WatchGuard System Manager and connect to the KunstlerHQ Firebox. Open Policy Manager.
  2. Select VPN > Branch Office Gateways. Click Add.
  3. In the Gateway Name text box, type KunstlerHQGateway.
    This name identifies the Gateway only in Policy Manager.
  4. In the Remote Gateway Settings section, complete the fields with the information provided in this table:

       Field         Selection
       Gateway IP    IP Address
       ID Type       IP Address
    If the remote gateway had a dynamic IP address, you would select Any in the Gateway IP drop-down list and Domain Name in the ID Type drop-down list, and set the domain name to the fully qualified domain name (FQDN) of the other VPN endpoint. If an FQDN is not available, use a user ID on a domain (user@domain) instead. Because the local Firebox cannot know where to send the first packet, a remote gateway with a dynamic IP address must initiate all tunnel negotiations.
  5. Make sure the Local Settings ID Type drop-down list is set to IP Address. Type the external IP address of the KunstlerHQ Firebox
  6. In the Credential Method section, make sure that Pre-Shared Key is selected. Type Timpani as the pre-shared key. You must use the same pre-shared key in the configuration of the remote device gateway. Timpani is an exercise value only: a short dictionary word can be recovered offline from a captured Aggressive Mode exchange, so for a production tunnel use a long random key and do not share one key across several peer pairs.
    If you choose to authenticate with certificates, you must start the Certificate Authority on your WatchGuard Management Server. See the WatchGuard System Manager User Guide for more information. WatchGuard does not support the use of third-party certificates at this time.
  7. In the Phase 1 Settings group box, keep the default settings: SHA1 authentication, DES encryption, and Main Mode for Phase 1 IKE negotiation. These defaults are what the exercise expects; single DES is a 56-bit cipher that can be brute-forced, so for anything beyond a lab tunnel select the strongest algorithms the device offers and match them on the remote gateway.
    Main Mode protects the identities of the VPN endpoints during negotiation and is more secure than Aggressive Mode: Aggressive Mode sends the identities and the pre-shared-key authentication hash in the clear, so a captured exchange can be used for an offline dictionary attack on the key. Main Mode also supports Diffie-Hellman group 2. But Main Mode sends more messages between endpoints and is slower than Aggressive Mode. You must use Aggressive Mode when a VPN endpoint has a dynamic IP address, because in Main Mode the responder has to select the pre-shared key by the peer's IP address before the identities are exchanged, and a dynamic address cannot be keyed in advance.
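The trade-off behind Step 4 and Step 7, as an added example that is not part of this exercise or of WatchGuard's software: the IKEv1 Phase 1 pre-shared-key derivation from RFC 2409 (SKEYID, the SKEYID_e chain and HASH_R), a PSK lookup that shows why Main Mode needs a static peer address while Aggressive Mode can key on the ID, and an offline dictionary attack that recovers the exercise key Timpani from a captured Aggressive Mode exchange but gets nothing from a Main Mode capture. All cookies, nonces, Diffie-Hellman values, the SA payload, the word list and the IP addresses are constructed; the toy stream cipher stands in for the negotiated DES-CBC only so the ciphertext is concrete.

```python
"""IKEv1 Phase 1 with a pre-shared key (RFC 2409): why Main Mode needs a static
peer address and why Aggressive Mode exposes the PSK to an offline dictionary
attack.  Added example for this exercise; not WatchGuard code.  Cookies, nonces,
DH values and the SA payload are constructed; only the PSK "Timpani" is from
the exercise.
"""
import hashlib
import hmac
import os
from typing import Optional


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf is HMAC over the negotiated hash; SHA1 matches the Step 7 default.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)                  (RFC 2409, 5.4)
    return prf(psk, ni + nr)


def skeyid_e(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    # SKEYID_d / SKEYID_a / SKEYID_e chain (RFC 2409, 5); _e keys Phase 1 encryption.
    d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + g_xy + cky_i + cky_r + b"\x01")
    return prf(skeyid, a + g_xy + cky_i + cky_r + b"\x02")


def hash_r(skeyid: bytes, m: dict) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, m["g_xr"] + m["g_xi"] + m["cky_r"] + m["cky_i"]
               + m["sai_b"] + m["idir_b"])


def select_psk_main_mode(peer_ip: str, psk_by_ip: dict) -> bytes:
    """Main Mode: IDs travel only in messages 5 and 6, already encrypted under
    SKEYID_e, so the responder can pick the PSK only by the peer's source IP.
    A peer on a dynamic address has no entry, hence Step 4's Aggressive Mode rule."""
    if peer_ip not in psk_by_ip:
        raise KeyError(f"no PSK keyed to {peer_ip}; Main Mode cannot identify this peer")
    return psk_by_ip[peer_ip]


def select_psk_aggressive_mode(idi_b: bytes, psk_by_id: dict) -> bytes:
    """Aggressive Mode: IDii is in message 1 in the clear, so the PSK can be keyed
    to the configured Domain Name or user ID instead of to an address."""
    return psk_by_id[idi_b]


def _public_fields(idir_b: bytes) -> dict:
    # Constructed stand-ins for what both modes send in the clear before any key exists.
    return {
        "ni": os.urandom(20), "nr": os.urandom(20),
        "g_xi": os.urandom(128), "g_xr": os.urandom(128),   # DH group 2: 1024-bit values
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        "sai_b": bytes.fromhex("00000001000000010000002001010001"   # constructed SA body
                               "00000018010100008001000180020002"
                               "8003000180040002"),
        "idir_b": idir_b,
    }


def capture_aggressive_mode(psk: bytes, idir_b: bytes) -> dict:
    """Sniffer view of Aggressive Mode message 2: IDir and HASH_R are in the clear."""
    m = _public_fields(idir_b)
    m["hash_r"] = hash_r(skeyid_psk(psk, m["ni"], m["nr"]), m)
    return m


def capture_main_mode(psk: bytes, idir_b: bytes) -> dict:
    """Sniffer view of Main Mode message 6: IDir and HASH_R exist only as ciphertext
    under SKEYID_e.  The DH shared secret g_xy is made here and never leaves; the
    XOR keystream is a toy stand-in for the negotiated DES-CBC."""
    m = _public_fields(idir_b)
    g_xy = os.urandom(128)
    skeyid = skeyid_psk(psk, m["ni"], m["nr"])
    plaintext = idir_b + hash_r(skeyid, m)
    ke = skeyid_e(skeyid, g_xy, m["cky_i"], m["cky_r"])
    keystream = b"".join(prf(ke, bytes([i])) for i in range((len(plaintext) + 19) // 20))
    del m["idir_b"]
    m["ciphertext"] = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return m


def crack_psk(capture: dict, wordlist) -> Optional[bytes]:
    """Offline dictionary attack (the psk-crack approach): recompute HASH_R under each
    candidate key and compare with the captured value.  Needs HASH_R and IDir in the
    clear; a Main Mode capture offers no plaintext to test a candidate against."""
    if "hash_r" not in capture or "idir_b" not in capture:
        return None
    for cand in wordlist:
        guess = hash_r(skeyid_psk(cand, capture["ni"], capture["nr"]), capture)
        if hmac.compare_digest(guess, capture["hash_r"]):
            return cand
    return None


if __name__ == "__main__":
    words = [b"password", b"watchguard", b"Timpani", b"vpn123"]   # constructed word list
    print("aggressive:", crack_psk(capture_aggressive_mode(b"Timpani", b"nyc.example.com"), words))
    print("main:      ", crack_psk(capture_main_mode(b"Timpani", b"nyc.example.com"), words))
    try:   # hypothetical HQ key table keyed by a static remote address
        select_psk_main_mode("198.51.100.77", {"203.0.113.10": b"Timpani"})
    except KeyError as err:
        print("main mode lookup:", err)
```

The attack needs nothing but a single captured Aggressive Mode exchange, which is why a dynamic-address peer (forced into Aggressive Mode) should get a long random key rather than a word like Timpani, and why a static remote address and Main Mode are preferable whenever the topology allows them.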



Copyright 1996 - 2005 WatchGuard Technologies, Inc. All rights reserved.