Configuring a WatchGuard SOHO to SOHO or Firebox IPSec Tunnel with VPN Manager 2.1
WatchGuard VPN Manager is an add-on module that enables you to monitor Firebox
traffic and tunneling activities at a glance. This guide describes how to use the VPN
Manager 2.1 to configure IPSec tunnels between a WatchGuard device (SOHO or
Firebox II) and WatchGuard SOHO (firmware version 2.3.x). For more information
about configuring tunnels and devices with the VPN Manager 2.1, see the VPN
Manager 2.1 Guide.
NOTE
In the following documentation, “Firebox II” is used to refer to the Firebox II family of WatchGuard
firewalls, which includes the Firebox II, Firebox II Plus, and Firebox II FastVPN.
Version 2.3.x of the SOHO firmware, together with VPN Manager 2.1, allows the
creation of two types of SOHO tunnels: Telecommuter and SOHO. VPN Manager also
allows tunnels to be created for a WatchGuard SOHO whether it has a static or
dynamic IP address.
The following WatchGuard devices support IPSec tunnels:
• WatchGuard Firebox II, Firebox II Plus, Firebox II FastVPN
• WatchGuard SOHO with VPN Feature Key add-on
• WatchGuard SOHO|tc
Creating An Internet Distributed Enterprise
Dynamic VPN Configuration Protocol (DVCP) is the WatchGuard-proprietary
protocol that enables you to easily create a network of your branch offices,
commuters, and mobile workers using the Internet. WatchGuard refers to such a
network as the Internet Distributed Enterprise (IDE). In an IDE, the Firebox II sits as
the center point in a distributed array of WatchGuard SOHO and SOHO|tc clients
(and/or Firebox IIs).
How Does DVCP Work?
The DVCP option allows the Firebox II to act as a DVCP server. All the policy
information including network address range and tunnel properties, such as
encryption, timeouts, and authentication, reside on the Firebox II. WatchGuard
SOHO and SOHO|tc devices are the clients. The only information required by the
client is an identification name, shared key, and the IP address of the Firebox II
External interface.
Use the DVCP Client Wizard to configure the Firebox II to support DVCP tunnels.
Through the wizard you define tunnel and device properties for each SOHO or
Firebox device. The clients will contact the Firebox II and automatically download all
the information needed to connect securely to the Firebox II. Then, you can create
tunnels between these devices defined in the Wizard.
The WatchGuard SOHO can securely connect an entire network to a Firebox II. The
DVCP server on the Firebox II assigns a network range to each SOHO client. The
SOHO client in turn uses DHCP to dynamically assign addresses to the network.
Thus, computers behind a SOHO can connect through a secure tunnel to the network
protected by the Firebox II.
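The division of responsibility described above (all policy on the Firebox II, each SOHO presenting only a name, a shared secret and the server address, and each client receiving its own network range) can be modelled in a few lines. The following Python is an added illustration, not WatchGuard's code and not the proprietary DVCP wire protocol, which this guide does not describe. The class name DvcpServerModel, the address pool, the default tunnel properties and the sample addresses are all constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelPolicy:
    # Everything the client downloads; only the client name, shared secret and
    # server address have to be typed on the SOHO itself.
    client_name: str
    shared_secret: str
    assigned_network: ipaddress.IPv4Network
    encryption: str = "3DES"      # constructed defaults standing in for the
    authentication: str = "SHA1"  # tunnel properties kept on the Firebox
    lease_timeout_s: int = 3600


class DvcpServerModel:
    """Toy stand-in for a Firebox II acting as DVCP server (assumed design)."""

    def __init__(self, external_ip, trusted_network, pool, prefixlen=24):
        self.external_ip = ipaddress.IPv4Address(external_ip)
        self.trusted_network = ipaddress.IPv4Network(trusted_network)
        self.clients = {}
        # Carve the pool into per-client ranges, skipping any that would collide
        # with the Firebox Trusted network; each SOHO client gets exactly one.
        self._free = [
            net for net in ipaddress.IPv4Network(pool).subnets(new_prefix=prefixlen)
            if not net.overlaps(self.trusted_network)
        ]

    def register_client(self, client_name, shared_secret):
        """Server-side step: what the DVCP Client Wizard records for one device."""
        if client_name in self.clients:
            raise ValueError(f"client {client_name!r} already registered")
        if len(shared_secret) < 7:
            # Same minimum the guide gives for pass phrases entered in VPN Manager.
            raise ValueError("shared secret must be at least seven characters")
        if not self._free:
            raise RuntimeError("no client network ranges left in the pool")
        policy = TunnelPolicy(client_name, shared_secret, self._free.pop(0))
        self.clients[client_name] = policy
        return policy

    def fetch_policy(self, client_name, shared_secret):
        """Client-side step: the SOHO presents name + secret and downloads its policy.

        Returns None for an unknown name or a wrong secret; the secret check is
        a constant-time comparison.
        """
        policy = self.clients.get(client_name)
        if policy is None:
            return None
        if not hmac.compare_digest(policy.shared_secret.encode(), shared_secret.encode()):
            return None
        return policy


def dhcp_range(policy):
    """Range the SOHO can hand out by DHCP on its private side: the first host
    address is taken by the SOHO itself, the rest go to the computers behind it."""
    hosts = list(policy.assigned_network.hosts())
    return str(hosts[1]), str(hosts[-1])


if __name__ == "__main__":
    # Constructed sample deployment using documentation addresses.
    server = DvcpServerModel("203.0.113.1", "10.10.0.0/24", "10.10.0.0/16")
    branch = server.register_client("soho-branch1", "correct horse battery")
    print(branch.assigned_network, dhcp_range(branch))
    print(server.fetch_policy("soho-branch1", "wrong secret"))
```

The point to take from the model is that a SOHO never chooses its own range: the server allocates one that cannot overlap the Trusted network or another client's range, which is what lets computers behind every SOHO reach the Firebox-protected network without address conflicts.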
Configuring the SOHO as a DVCP Client
Before a tunnel can be set up, the SOHO must be configured as a client of the DVCP
Server. The configuration steps differ depending on whether the SOHO is statically
or dynamically addressed. Follow the steps below appropriate for the SOHO you are
configuring.
NOTE
For a SOHO to be configured as a DVCP client for VPN tunnels, it must have the VPN feature
enabled. See the SOHO User Guide for details on how to enable the VPN Feature Key. The
VPN Manager must also have been configured, and a DVCP Server defined. See the VPN
Manager 2.1 Guide.
SOHO with Static IP Address
To enable a SOHO with a static IP address as a DVCP client:
1 With your Web browser, go to the SOHO Configuration Settings page using the Private IP address of the SOHO.
The default IP address is: 192.168.111.1.
2 Click System Administration.
The System Administration page appears.
3 Click Remote Configuration.
The Remote Configuration page appears.
4 Enter a read-write and read-only pass phrase.
The read-write and read-only pass phrases will be used by the DVCP server to communicate with the SOHO.
SOHO with Dynamic IP Address
To enable a SOHO with a dynamically assigned IP address as a DVCP client:
1 With your Web browser, go to the SOHO Configuration Settings page using the Private IP address of the SOHO.
The default IP address is: 192.168.111.1.
2 Click Virtual Private Networking.
The Virtual Private Networking page appears.
3 Select VPN Manager SOHO from the drop-down list.
4 Click Configure.
The VPN Manager SOHO page appears.
5 Check Enable IPSec Network.
6 Enter the following:
DVCP Server Address
Enter the IP address of the DVCP Server (defined in VPN Manager) to which this
device will be a client.
User ID
Use the IP address or any identifying name or number. The same ID must be entered
in the VPN Manager when adding the device.
Shared Secret
Enter a pass phrase for use between the client and server. The same secret must be
entered in the VPN Manager when adding the device.
Configuring the SOHO’s Tunnel Type
Types of SOHO Tunnels
When using the VPN Manager to create a SOHO VPN, there are two types of tunnels
that can be created: VPN Manager Telecommuter tunnel and VPN Manager SOHO
tunnel. Before configuring the virtual private network, determine which type should
be used for the tunnel you are configuring:
• Telecommuter – allows only one computer behind the SOHO to access the resources at the other end of the tunnel. This tunnel can be used for telecommuters who have a SOHO protecting the home network, and who are connecting in to the corporate network. The home network may consist of multiple computers, belonging to various family members. This tunnel allows you to restrict access to the one computer on the network that is used by your employee for telecommuting.
• SOHO – allows multiple computers behind the SOHO to access the resources at the other end of the tunnel. This tunnel can be used to connect branch offices protected by the SOHO to the corporate network.
Configuring a Telecommuter Tunnel
A Telecommuter tunnel connects a single computer behind the SOHO to resources at
the other end of the tunnel. (See “Types of SOHO Tunnels” above.) Telecommuter
tunnels require steps to be performed on the SOHO, then on the VPN Manager. To
configure a SOHO device for a Telecommuter IPSec tunnel using DVCP, have the
following information available:
• DVCP Server Address – the IP address of the External interface of the Firebox II designated as the DVCP Server
• User ID – uniquely identifies the SOHO device to the Firebox II
• Shared Secret – must be the same on both the Firebox II and the SOHO device
• Private IP Address Allowed to Use VPN – the address of the computer behind the SOHO
From the Management Station of the SOHO device:
1 With your Web browser, go to the SOHO Configuration Settings page using the Private IP address of the SOHO.
The default IP address is: 192.168.111.1.
2 Click Virtual Private Networking.
The Virtual Private Networking page appears.
3 Select VPN Manager Telecommuter from the drop-down list. Click Configure.
The VPN Manager Telecommuter page appears.
4 Check Enable IPSec Network.
5 Enter the DVCP Server Address.
The DVCP Server Address is the IP address of the Firebox II External interface.
6 Enter the User ID.
The User ID uniquely identifies the SOHO to the Firebox II. The User ID must be the same value as the Client Name specified in the DVCP Client Wizard on the Firebox II.
7 Enter the Shared Secret.
Like a password, the phrase is used to authenticate both ends of the tunnel to each other. The shared secret must be identical on both sides.
8 Enter the Private IP Address Allowed to Use VPN.
This is the IP address of the computer behind the SOHO.
9 Click Submit.
10 Review the settings. Click Reboot.
Next, a policy must be created for the Telecommuter tunnel in the VPN Manager. A
SOHO that has been enabled for a VPN Manager Telecommuter tunnel does not have
an associated policy. In the VPNs tab of the VPN Manager:
1 Under the Devices folder, select the device.
2 Right-click the device and select Insert Policy.
The Device Policy dialog box appears.
3 Enter the following:
Policy Name
Enter a friendly name of your choosing.
Type
Select Telecommuter Tunnel from the drop-down list.
Virtual IP Address Behind the Firebox
Enter a free IP address on the Trusted network of the (remote) Firebox to which the
SOHO is connecting.
Private IP Allowed to Use Tunnel
Enter the IP address of the trusted host behind the SOHO (the telecommuter’s
computer). Use the same address entered on the SOHO VPN configuration.
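A Telecommuter tunnel is configured in three places (the SOHO's VPN page, the DVCP Client Wizard on the Firebox II, and the Device Policy in VPN Manager) and the guide states which values must agree: the DVCP Server Address is the Firebox External IP, the User ID equals the Client Name, the Shared Secret is identical on both sides, the Private IP Allowed is the same host on both the SOHO and the policy, and the Virtual IP is a free address on the Firebox Trusted network. The following Python is an added example, not WatchGuard's code; it takes those settings as plain dictionaries (the key names, the check_telecommuter_tunnel function and the sample addresses are constructed for this example) and reports every mismatch before anything is rebooted.

```python
import ipaddress


def check_telecommuter_tunnel(soho, firebox, policy):
    """Cross-check the three places a Telecommuter tunnel is configured.

    soho    - values typed on the SOHO's VPN Manager Telecommuter page
    firebox - what the DVCP Client Wizard on the Firebox II knows about this client
    policy  - the Device Policy entered in VPN Manager
    Returns a list of mismatch descriptions; an empty list means the settings agree.
    """
    problems = []
    addr, net = ipaddress.ip_address, ipaddress.ip_network

    # The DVCP Server Address on the SOHO is the Firebox External interface.
    if addr(soho["dvcp_server"]) != addr(firebox["external_ip"]):
        problems.append("DVCP Server Address on the SOHO is not the Firebox External IP")

    # The User ID must equal the Client Name given to the DVCP Client Wizard.
    if soho["user_id"] != firebox["client_name"]:
        problems.append("User ID on the SOHO differs from the Client Name on the Firebox")

    # The shared secret must be identical on both ends.
    if soho["shared_secret"] != firebox["shared_secret"]:
        problems.append("Shared Secret differs between the SOHO and the Firebox")

    # Only one host behind the SOHO may use the tunnel; it must be on the SOHO's
    # private network and the same address must appear in the policy.
    allowed = addr(soho["private_ip_allowed"])
    if allowed not in net(soho["private_network"], strict=False):
        problems.append("Private IP Allowed to Use VPN is not on the SOHO private network")
    if addr(policy["private_ip_allowed"]) != allowed:
        problems.append("Private IP Allowed differs between the SOHO page and the VPN Manager policy")

    # The virtual IP must be a free host address on the Firebox Trusted network.
    trusted = net(firebox["trusted_network"], strict=False)
    vip = addr(policy["virtual_ip"])
    if vip not in trusted or vip in (trusted.network_address, trusted.broadcast_address):
        problems.append("Virtual IP Address Behind the Firebox is not a host address on the Trusted network")
    elif vip in {addr(a) for a in firebox.get("trusted_in_use", [])}:
        problems.append("Virtual IP Address Behind the Firebox is already in use")

    if policy["type"] != "Telecommuter Tunnel":
        problems.append("Policy Type must be Telecommuter Tunnel")
    return problems


# Constructed sample: one telecommuter SOHO on the default private network.
SAMPLE_SOHO = {
    "dvcp_server": "203.0.113.1",
    "user_id": "soho-jsmith",
    "shared_secret": "correct horse battery",
    "private_network": "192.168.111.0/24",  # default SOHO private address is 192.168.111.1
    "private_ip_allowed": "192.168.111.10",
}
SAMPLE_FIREBOX = {
    "external_ip": "203.0.113.1",
    "client_name": "soho-jsmith",
    "shared_secret": "correct horse battery",
    "trusted_network": "10.0.1.0/24",
    "trusted_in_use": ["10.0.1.1", "10.0.1.20"],
}
SAMPLE_POLICY = {
    "name": "jsmith-telecommuter",
    "type": "Telecommuter Tunnel",
    "virtual_ip": "10.0.1.200",
    "private_ip_allowed": "192.168.111.10",
}

if __name__ == "__main__":
    print(check_telecommuter_tunnel(SAMPLE_SOHO, SAMPLE_FIREBOX, SAMPLE_POLICY) or "consistent")
```

Running the checker before clicking Reboot on the SOHO and Finish in the Wizard catches the usual reasons a tunnel never comes up (a secret typed differently on the two ends, a User ID that does not match the Client Name, or a virtual address that collides with an existing Trusted host) without having to read the Firebox logs afterwards.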
Configuring a SOHO Tunnel
A SOHO tunnel connects multiple (or single) resources behind the SOHO to
resources at the other end of the tunnel. (See “Types of SOHO Tunnels” above.) To
configure a SOHO device for IPSec tunnels using DVCP, have the following
information available:
• DVCP Server Address – the IP address of the Firebox II External interface
• User ID – uniquely identifies the SOHO device to the Firebox II
• Shared Secret – must be the same on both the Firebox II and the SOHO device
From the Management Station of the SOHO device:
1 With your Web browser, go to the SOHO Configuration Settings page using the Private IP address of the SOHO.
The default IP address is: 192.168.111.1.
2 Click Virtual Private Networking.
The Virtual Private Networking page appears.
3 Select VPN Manager SOHO from the drop-down list. Click Configure.
The VPN Manager SOHO page appears.
4 Check Enable IPSec Network.
5 Enter the DVCP Server Address.
The DVCP Server Address is the IP address of the External interface of the Firebox II designated as the DVCP server.
6 Enter the User ID.
The User ID uniquely identifies the SOHO to the Firebox II. The User ID must be the same value as the Client Name specified in the DVCP Client Wizard on the Firebox II.
7 Enter the Shared Secret.
Like a password, the phrase is used to authenticate both ends of the tunnel to each other. The shared secret must be identical on both sides.
8 Click Submit.
9 Review the settings. Click Reboot.
Configuring the Tunnels in the VPN Manager
Adding the Devices
Before a tunnel can be created, the tunnel’s endpoints, each VPN “device,” must be
added to the VPN Manager as such.
From the Management Station of the VPN Manager:
1 Select either the Device or the VPNs tab. Select Edit => Insert Device.
The WatchGuard Device Wizard appears.
2 Click Next.
3 Enter a Display Name for the device.
This is a name of your own choosing. It is not tied to the device’s DNS name.
4 From the Device Type drop-down list, select the device type.
For example, SOHO or Firebox II.
5 Enter the host name or IP address.
This is the DNS name, not the name you entered in Step 3.
6 Enter the status (read-only) and configuration (read-write) pass phrases.
These must be at least seven characters long.
7 Set the Initial Lease Time-out, if necessary.
This is the amount of time that the configuration is run before the device contacts the DVCP server to see if its configuration has changed.
8 Click Next.
The Wizard displays the DNS and WINS Settings for the DHCP window.
9 Enter any WINS or DNS server IP addresses you want in your configuration. Click Next.
If you are not using DNS or WINS servers, ignore this page, and click Next. The Wizard displays the Contact Information page.
10 Enter any contact information you want on-record for contacting administrators
of this Firebox. Click Next.
The information on this panel is optional. The Wizard displays the Gather Information and
Configure Device information panel.
11 Click Next.
When complete, the Wizard displays the message “New Device Successfully Changed.”
12 Click Close.
The Wizard uploads the new configuration to the DVCP Server and exits.
Creating the Tunnel
There is more than one way to designate end-points in a tunnel and work through the
VPN Manager Configuration Wizard: drag-and-drop or menu-driven. Either method
can be used with either tunnel type. However, a tunnel for a dynamically addressed
SOHO must be created via the menu, rather than drag-and-drop.
Drag-and-Drop Tunnel Creation
NOTE
This method cannot be used to create tunnels for dynamically addressed SOHO devices.
From the Management Station of the VPN Manager:
1 Click the Device tab.
2 Click the device name of one of the tunnel endpoints to highlight it and drag it to the device name of the other tunnel endpoint.
This launches the VPN Manager Configuration Wizard starting with the dialog box that shows (in two list boxes) the two endpoint devices you selected via drag-and-drop.
3 For each device (endpoint), select a policy template from the drop-down list.
The policy template determines the resources available through the tunnel. Resources can be a network or a host. The listbox displays any policy templates you have added to VPN Manager.
4 Click Next.
The Wizard displays the Security Template dialog box.
5 Select the Security Template appropriate for the level of security and type of authentication to be applied to this tunnel.
The listbox displays any templates you have added to VPN Manager.
6 Click Next.
The Wizard displays the DVCP configuration.
7 Enable the checkbox labelled Restart devices now to download VPN configuration. Click Finish to restart the devices and deploy the VPN tunnel.
Menu-Driven Tunnel Creation
NOTE
This method must be used to create tunnels for dynamically addressed SOHO devices.
From the Management Station of the VPN Manager:
1 Click the VPNs tab.
2 Select Edit => Create a New VPN.
This launches the VPN Manager Configuration Wizard.
3 Click Next.
The Wizard displays two list boxes that each list all the devices registered in VPN Manager. You will be selecting one device from each listbox as endpoints of a tunnel.
4 Select a device from each listbox as endpoints of the tunnel you are setting up.
5 Select the policy templates for each device.
The listbox displays any templates that you have added to VPN Manager.
6 Click Next.
The Wizard displays the Security Template dialog box.
7 Choose the security template you want for this VPN. Click Next.
The Wizard displays the DVCP configuration.
8 Enable the checkbox labelled Restart devices now to download VPN configuration. Click Finish to restart the devices and deploy the VPN tunnel.
Copyright and Patent Information
Copyright© 1998 - 2001 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, and LiveSecurity are either a trademark or registered trademark of WatchGuard Technologies, Inc. in
the United States and other countries. This product is covered by one or more pending patent applications.
DocVer B-2.3-SOHO to VPNmgr2-1