Configuring a WatchGuard SOHO to SOHO IPSec Tunnel

Configuring a WatchGuard SOHO toSOHO IPSec TunnelThis document describes the procedures required to configure an IPSec tunnelbetween two WatchGuard Firebox SOHOs (version 2.3.x).The following WatchGuard SOHO products support IPSec tunnels:• WatchGuard SOHO with VPN Feature Key add-on• WatchGuard SOHO|tcThe following diagram illustrates the machines and addresses involved in theconnection. The examples used in this document are taken from this set-up.

Why Create a Tunnel?Virtual Private Networking (VPN) tunnels enable you to simply and securely connectcomputers in two locations without requiring expensive, dedicated point-to-pointdata connections. With VPN, a virtual connection between two branch offices iscreated over low-cost connections to the Internet. Unlike a simple, un-encryptedInternet connection, a VPN connection eliminates the risk of data being read oraltered by outside users as it traverses the Internet.This document describes how to configure two WatchGuard SOHO Fireboxes tocreate IPSec VPN tunnels between branch offices. For more information on setting-upa SOHO, see the WatchGuard SOHO User Guide.What You Will Need• Two WatchGuard SOHOs installed, with VPN enabled.• The following information from your Internet Service Provider:- Static IP addresses for both SOHO Internet connections- Default gateway IP address for both SOHOs- Primary domain name service (DNS) IP address- If available, a secondary DNS address- Domain name- Network addresses and subnet masks for both branch office networks. Bydefault, the local network address is 192.168.111.0 and the subnet mask is255.255.255.0.NOTEThe internal networks on either end of the VPN tunnel must use different, network addresses.Special ConsiderationsThe following are issues you should take into account before configuring yourWatchGuard SOHO VPN network:• You can connect only two WatchGuard SOHOs together. To connect additionalnetworks, upgrade at least one location to a WatchGuard Firebox II configuredwith the WatchGuard VPN Manager.• Each SOHO must be able to send messages to the other SOHO. If either SOHOhas a dynamically assigned Internet (IP) Address, the SOHO will not be able tofind its remote counterpart.• Both SOHOs must be set to use the same encryption (DES or triple-DES) andauthentication (MD-5 or SHA-1) methods.• When connecting two Windows NT networks, the two networks must be in thesame Windows domain or be trusted domains. This is a Microsoft Networkingdesign implementation and is not a limitation of the SOHO device.To create an IPSec tunnel between SOHOs you must add information to theconfiguration files of each SOHO that is specific to the site, such as public and private2 WatchGuard SOHO with VPN Manager 2.1

Configuring the WatchGuard SOHO for VPNIP addresses. It is imperative to keep these addresses straight. WatchGuardrecommends making a table of IP addresses such as the one outlined below. Forclarity, we will use the example addresses and information in the configurationinstructions that follow.VPN Configuration Information (example)Item Description AssignedByPublic IPAddressPublic SubnetMaskLocal NetworkAddressShared KeyEncryptionMethodAuthenticationMethodThe IP address that identifies the SOHO to theInternet.The overlay of bits that determines which partof the IP address identifies your network. Forexample, a Class C address licenses 256addresses and has a netmask of255.255.255.0.A private network address used by anorganization’s local network for identifyingitself within the network. A local networkaddress cannot be used as a public IP address,nor can the same address be used on both endsof the tunnel. WatchGuard recommends usingan address from one of the reserved ranges:10.0.0.0 — 255.0.0.0172.16.0.0 — 255.240.0.0192.168.0.0/16 — 255.255.0.0A phrase stored at both ends of the tunnel toauthenticate the transmission as being fromthe claimed origin. The key can be any phrase,but mixing numerical, special, alphabetical,and uppercase characters improves security.For example, “Gu4c4mo!3” is better than“guacamole”.Encryption method determines how many bitslong the key is to encrypt and decryptcommunication packets. DES is 56-bitencryption; 3DES is 168-bit, and thereforemuch more secure. It is also slower and isavailable outside the U.S. and Canada solely inaccordance with the applicable exportregulations set forth by the U.S. Department ofCommerce, Bureau of Export Administration.Either 3DES or DES may be selected as longas both sides use the same method.Authentication method (MD5 or SHA1) usedto code and decode the VPN user’sauthentications (passwords). Both sides mustuse the same method.Site ASite BISP 208.152.24.104 108.200.23.101ISP 255.255.255.0 255.255.255.0SOHOownerSOHOownerSOHOownerSOHOowner192.168.3.0 10.10.10.0Gu4c4mo!33DESSHA-1Gu4c4mo!33DESSHA-1Configuring the WatchGuard SOHO for VPNTo configure a WatchGuard SOHO for an IPSec VPN tunnel, use the SOHOConfiguration menu to configure the IPSec VPN Settings. The following procedureconfigures Site A for a tunnel to Site B. You will need to complete this procedure withboth SOHOs before the tunnel can be established.IPSec Tunnel Configuration 3

From the Management Station of the SOHO1 With your Web browser, go to the SOHO Configuration Settings page using thePrivate IP address of the SOHO.The default IP address is: 192.168.111.1.2 Click Virtual Private Networking.The Virtual Private Networking screen appears.3 Select Manual SOHO VPN from the drop list. Click Configure.The Manual Configuration page appears.4 Check the box labelled Enable IPSEC Network.5 Complete the following fields:Secure Gateway AddressThe external interface of the remote SOHO. In our example, this would be208.152.24.104 for Site A and 108.200.23.101 for Site B.Remote WINS ServerThe WINS server behind the remote SOHO. This is found on an address in the localnetwork address range behind the other site. In our example, we stored the WINSserver on a computer on Site B with the IP address 10.10.10.254. (This field is optional.)Remote DNS ServerThe DNS server behind the remote SOHO. This is found on an address in the localnetwork address range behind the other site. In our example, we stored the DNS4 WatchGuard SOHO with VPN Manager 2.1

Verifying the Tunnelserver on a computer on Site B with the IP address 10.10.10.253. Note that this can bethe same computer that houses the WINS server. (This field is optional.)Remote DomainThe remote domain behind the remote device (Site B). This is not applicable for aSOHO to SOHO IPSec VPN tunnel. Leave blank. (This field is optional.)Shared KeySimilar to a password, the phrase is used to authenticate both ends of the tunnel toeach other; the shared key must be identical on both sites. In our example,Gu4c4mo!3.Remote Network AddressThe address of the network on the trusted side of the remote SOHO. In our example,we entered the local network address for Site B, 10.10.10.0.Subnet MaskThe mask of the network on the trusted side of the remote SOHO. In our example,255.255.255.0Encryption MethodYou can use either DES or the more secure 3DES. Whichever you select, it must matchthe encryption level set for the remote SOHO.Authentication MethodThe algorithm type (such as MD-5 or SHA-1). It must match the authenticationmethod set for the remote SOHO.Additional Networks Reachable Through TunnelThis is not applicable for a SOHO to SOHO IPSec VPN Tunnel. Leave blank.6 Review the configuration information you have entered. Click Submit at thebottom of the page.7 A page will appear prompting you to reboot the SOHO. Confirm your settings;click Reboot.8 Repeat steps 1 through 7 for the Site B SOHO, using the IP address numbersappropriate to that installation. Make sure that the encryption, authenticationmethod, and shared secret for Site B are exactly the same as for Site A.Verifying the TunnelThe following methods allow you to verify that the tunnel created between the twoSOHO devices is functional and passing communication packets back and forth.• Browse to the remote SOHO: Open a Web browser, such as Internet Explorer orNetscape Navigator. Browse to the private IP address of the remote SOHO. If thebrowser finds the site and opens the page, the tunnel is operational.• Ping the remote SOHO: From a machine behind one SOHO, open a command lineinterface such as MS-DOS Command Prompt (Windows machines). Enter the followingcommand:ping [Remote SOHO Local Network Address]In our example, we could start from a machine behind the Site A SOHO and enter:ping 10.10.10.20This would send a ping command to the Site B local network address. If a reply isreceived from Site B (as opposed to a “request timed out”) the tunnel is operational.IPSec Tunnel Configuration 5

Frequently Asked QuestionsWhy do I need a static public address?To create a connection, one SOHO must be able to find its partner device. If theaddresses were allowed to change, the SOHO could not find its remote computer.How do I get a static public IP address?Contact your ISP. Some systems, like many cable modem systems, use dynamicallyassigned (DHCP) addresses to simplify basic installations. Some providers may alsouse this feature to discourage users from creating Web servers. These providersusually offer a static IP Address option.How do I connect three or four offices together?To connect more than two offices together, WatchGuard recommends designating oneoffice to be the center of a star network configuration and upgrading it to aWatchGuard Firebox II, or Firebox II FastVPN. You can then manage multiple tunnelsto SOHOs or other IPSec compliant devices from the central Firebox. In addition, theVPN Manager 2.0 add-on allows quick and easy creation and management ofmultiple tunnels.How do I troubleshoot the connection?Use the ping method described above. If you can ping the remote SOHO andcomputers behind it, your VPN tunnel is up and running. Any remaining problemsprobably reside with MS Networking or an application used.When I ping, I am not receiving a reply from the SOHO.If you cannot ping the remote SOHO, take the following steps to identify the problem:1 Ping the public address of the remote SOHO.Following our example, from Site A, ping 108.200.23.101 (Site B). You should get a reply. Ifnot, verify the Public Network Settings of Site B. If they are correct, verify that computers atSite B can access the internet. If you are still having trouble, contact your ISP.2 Once you can ping the public address of each SOHO, try pinging the privateaddress.From Site A, ping 10.10.10.20. If the tunnel is up, you should get a reply from the remoteSOHO. If not, re-check the Local Settings page. Make sure that the local DHCP addressesranges do not overlap. That is, be certain that the internal networks are different.Glossary of TermsDES – Data Encryption SchemeA cryptographic mechanism used to encrypt data before placing it in the Internetsystem. Once the data is encrypted, it is safer to transport via the public Internetsystem. Without encryption, the data may be easily read by any computer along itsroute.TunnelA tunnel is used to route traffic between two networks. Creating a tunnel betweentwo SOHOs can join the two local networks, with each maintaining different privateaddresses.6 WatchGuard SOHO with VPN Manager 2.1

Glossary of TermsVPN – Virtual Private NetworkVPN consists of several technologies to allow two or more networks in differentlocations to be joined over the Internet. The first, tunneling technology, allows trafficon one network which is destined for the other to be routed to it via the Internet. Thesecond, cryptography technology, assures that intermediaries along the publicInternet route cannot read and/or alter messages flowing between locations.Copyright and Patent InformationCopyright© 1998 - 2001 WatchGuard Technologies, Inc. All rights reserved.WatchGuard, Firebox, and LiveSecurity are either a trademark or registered trademark of WatchGuard Technologies, Inc. inthe United States and other countries. This product is covered by one or more pending patent applications.DocVer B-2.3.x-SOHO to SOHO-1IPSec Tunnel Configuration 7