Configuring a VPN Gateway

A gateway is a connection point for one or more VPN tunnels. The VPN gateway contains the Phase 1 ISAKMP settings, including the information that a device needs to establish an authenticated and encrypted VPN tunnel with another device. Internet Security Association and Key Management Protocol (ISAKMP) is a protocol to authenticate network traffic between two devices.

To start IPSec tunnel negotiation, one VPN endpoint must connect to the other. To create a manual VPN tunnel, you configure the VPN gateway at each endpoint.

In this exercise, you configure the VPN gateway on the Kunstler HQ Firebox to look for the remote gateway at the new NYC sales office. The NYC Firebox has a static external IP address of




At least one BOVPN gateway must be able to locate the other on the network--usually the Internet. It is important that both can find their peer so the tunnel can (re)negotiate in response to traffic generated from either end. Knowing details like the peer's IP address reduces the chance of negotiating with an unwanted gateway, especially a man-in-the middle or spoofed gateway.

  1. Open WatchGuard System Manager and connect to the KunstlerHQ Firebox. Open Policy Manager.
  2. Select VPN > Branch Office Gateways. Click Add.
  3. In the Gateway Name text box, type KunstlerHQGateway.
    This name identifies the Gateway only in Policy Manager.
  4. In the Remote Gateway Settings section, complete the fields with the information provided in this table:



    Gateway IP IP Address
    ID Type IP Address
    If the remote gateway has a dynamic IP address, you select Any in the Gateway IP drop-down list. You select Domain Name from the ID Type drop-down list. Set the domain name to the fully qualified domain name (FQDN) of the other VPN endpoint. A DNS server capable of resolving the FQDN must be configured on the FB
  5. If a FQDN is not available, use a user domain name. If the VPN remote gateway has a dynamic IP address, the remote gateway must initiate all tunnel negotiations.
  6. Make sure the Local Settings ID Type drop-down list is set to IP Address. Type the external IP address of the KunstlerHQ Firebox
  7. In the Credential Method section, make sure that Pre-Shared Key is selected. Type Timpani as the pre-shared key. You must use the same pre-shared key in the configuration of the remote device gateway.
    If you decide to authenticate with certificates, you must start the Certificate Authority on your WatchGuard Management Server. See the WatchGuard System Manager User Guide for more information. WatchGuard does not support the use of third-party certificates at this time.
  8. In the Phase 1 Settings group box, keep the default settings to enable SHA1 authentication, DES encryption, and Main Mode for phase 1 IKE negotiation.
    Main mode protects the identities of the VPN endpoints during negotiation, and is more secure than Aggressive mode. Main Mode also supports Diffie-Hellman group 2. You must use Aggressive mode when you configure VPN tunnels with a dynamic IP address on the VPN endpoint.


Return to Top

Copyright 1996 - 2005 WatchGuard Technologies, Inc. All rights reserved.
Legal Notice/Terms of Use