Configuring a VPN Gateway
A VPN gateway is a connection point for one or more VPN tunnels. The VPN gateway contains the Phase 1 ISAKMP settings, including the information that a device needs to establish an authenticated and encrypted VPN tunnel with another device. Internet Security Association and Key Management Protocol (ISAKMP) is a protocol used to authenticate network traffic between two devices.
To start IPSec tunnel negotiation, one VPN endpoint must connect to the other. To create a manual VPN tunnel, you must configure the VPN gateway at each endpoint.
In this exercise, we will configure the VPN gateway on the Kunstler HQ Firebox to look for the remote gateway at the new NYC sales office. The NYC Firebox has a static external IP address of 220.127.116.11/24.
- Open WatchGuard System Manager and connect to the KunstlerHQ Firebox. Open Policy Manager.
- Select VPN > Branch Office Gateways. Click Add.
- In the Gateway Name text box, type KunstlerHQGateway.
- This name identifies the Gateway only in Policy Manager.
- In the Remote Gateway Settings section, complete the fields with the information provided in
- If the remote gateway had a dynamic IP address, you would have to select Any in the Gateway IP drop-down list and Domain Name from the ID Type drop-down list. Set the domain name to the fully qualified domain name (FQDN) of the other VPN endpoint. If an FQDN is not available, use a user domain name. If the VPN remote gateway has a dynamic IP address, the remote gateway must initiate all tunnel negotiations.
- Make sure the Local Settings ID Type drop-down list is set to IP Address. Type the external IP address of the KunstlerHQ Firebox, 18.104.22.168.
- In the Credential Method section, make sure that Pre-Shared Key is selected. Type Timpani as the pre-shared key. You must use the same pre-shared key in the configuration of the remote device.
- If you choose to authenticate with certificates, you must start the Certificate Authority on your WatchGuard Management Server. See the WatchGuard System Manager User Guide for more information. WatchGuard does not support the use of third-party certificates at this time.
- In the Phase 1 Settings group box, keep the default settings to enable SHA1 authentication, DES encryption, and Main Mode for Phase 1 IKE negotiation.
- Main Mode protects the identities of the VPN endpoints during negotiation and is more secure than Aggressive Mode. Main Mode also supports Diffie-Hellman group 2. However, Main Mode results in more messages being sent between endpoints and is slower than Aggressive Mode. You must use Aggressive Mode when you configure VPN tunnels with a dynamic IP address on the VPN endpoint.
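As an added example (not WatchGuard code), the checks below encode the rules this exercise states for the Phase 1 gateway settings: the pre-shared key must match at both ends, a peer with a dynamic address needs Gateway IP Any, a Domain Name ID and Aggressive Mode, and each side's remote gateway must be the other side's external address. The NYC gateway definition and the name NYCGateway are constructed here to mirror the HQ settings given above.

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    local_ip: str            # external IP of this Firebox
    local_id_type: str       # "IP Address" or "Domain Name"
    local_id: str
    remote_ip: str           # peer's static IP, or "Any" when the peer is dynamic
    remote_id_type: str
    remote_id: str
    psk: str                 # pre-shared key; must match byte-for-byte at both ends
    mode: str = "Main"       # Phase 1 mode: "Main" or "Aggressive"

def check_gateway(g: Gateway) -> list[str]:
    """Apply the single-endpoint rules from the exercise to one gateway definition."""
    f = []
    if g.remote_ip == "Any":
        # Dynamic peer: identify it by domain name and negotiate in Aggressive Mode.
        if g.remote_id_type != "Domain Name":
            f.append(f"{g.name}: dynamic peer must use ID Type 'Domain Name'")
        if g.mode != "Aggressive":
            f.append(f"{g.name}: dynamic peer requires Aggressive Mode")
    elif g.remote_id_type == "IP Address" and g.remote_id != g.remote_ip:
        f.append(f"{g.name}: remote ID {g.remote_id} differs from gateway IP {g.remote_ip}")
    if g.local_id_type == "IP Address" and g.local_id != g.local_ip:
        f.append(f"{g.name}: local ID {g.local_id} is not the external IP {g.local_ip}")
    return f

def check_pair(a: Gateway, b: Gateway) -> list[str]:
    """Check that two endpoint definitions agree well enough to complete Phase 1."""
    f = check_gateway(a) + check_gateway(b)
    if a.psk != b.psk:
        f.append("pre-shared keys differ between endpoints")
    if a.mode != b.mode:
        f.append("Phase 1 mode differs between endpoints")
    for x, y in ((a, b), (b, a)):
        # Each side's remote gateway must be the other side's external address.
        if x.remote_ip != "Any" and x.remote_ip != y.local_ip:
            f.append(f"{x.name} points at {x.remote_ip}, but {y.name} is at {y.local_ip}")
    return f

# The exercise's HQ gateway, and a constructed mirror image for the NYC Firebox.
HQ = Gateway("KunstlerHQGateway", "18.104.22.168", "IP Address", "18.104.22.168",
             "220.127.116.11", "IP Address", "220.127.116.11", "Timpani")
NYC = Gateway("NYCGateway", "220.127.116.11", "IP Address", "220.127.116.11",
              "18.104.22.168", "IP Address", "18.104.22.168", "Timpani")
if __name__ == "__main__":
    print(check_pair(HQ, NYC) or "Phase 1 gateway settings are consistent")
```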
Copyright © 1996 - 2005 WatchGuard Technologies, Inc. All rights reserved.