Configuring a WatchGuard SOHO to SOHO IPSec Tunnel


watchguard.com
10.07.2015

Why Create a Tunnel?

Virtual Private Networking (VPN) tunnels enable you to simply and securely connect computers in two locations without requiring expensive, dedicated point-to-point data connections. With VPN, a virtual connection between two branch offices is created over low-cost connections to the Internet. Unlike a simple, unencrypted Internet connection, a VPN connection eliminates the risk of data being read or altered by outside users as it traverses the Internet.

This document describes how to configure two WatchGuard SOHO Fireboxes to create IPSec VPN tunnels between branch offices. For more information on setting up a SOHO, see the WatchGuard SOHO User Guide.

What You Will Need

• Two WatchGuard SOHOs installed, with VPN enabled.
• The following information from your Internet Service Provider:
  - Static IP addresses for both SOHO Internet connections
  - Default gateway IP address for both SOHOs
  - Primary domain name service (DNS) IP address
  - If available, a secondary DNS address
  - Domain name
  - Network addresses and subnet masks for both branch office networks. By default, the local network address is 192.168.111.0 and the subnet mask is 255.255.255.0.

NOTE: The internal networks on either end of the VPN tunnel must use different network addresses.

Special Considerations

The following are issues you should take into account before configuring your WatchGuard SOHO VPN network:

• You can connect only two WatchGuard SOHOs together. To connect additional networks, upgrade at least one location to a WatchGuard Firebox II configured with the WatchGuard VPN Manager.
• Each SOHO must be able to send messages to the other SOHO. If either SOHO has a dynamically assigned Internet (IP) address, the SOHO will not be able to find its remote counterpart.
• Both SOHOs must be set to use the same encryption (DES or triple-DES) and authentication (MD5 or SHA-1) methods.
• When connecting two Windows NT networks, the two networks must be in the same Windows domain or be trusted domains. This is a Microsoft Networking design implementation and is not a limitation of the SOHO device.

To create an IPSec tunnel between SOHOs you must add information to the configuration files of each SOHO that is specific to the site, such as public and private IP addresses. It is imperative to keep these addresses straight. WatchGuard recommends making a table of IP addresses such as the one outlined below. For clarity, we will use the example addresses and information in the configuration instructions that follow.

WatchGuard SOHO with VPN Manager 2.1

VPN Configuration Information (example)

Item                    Assigned by   Site A           Site B
Public IP Address       ISP           208.152.24.104   108.200.23.101
Public Subnet Mask      ISP           255.255.255.0    255.255.255.0
Local Network Address   SOHO owner    192.168.3.0      10.10.10.0
Shared Key              SOHO owner    Gu4c4mo!3        Gu4c4mo!3
Encryption Method       SOHO owner    3DES             3DES
Authentication Method   SOHO owner    SHA-1            SHA-1

Public IP Address: The IP address that identifies the SOHO to the Internet.

Public Subnet Mask: The overlay of bits that determines which part of the IP address identifies your network. For example, a Class C address licenses 256 addresses and has a netmask of 255.255.255.0.

Local Network Address: A private network address used by an organization's local network for identifying itself within the network. A local network address cannot be used as a public IP address, nor can the same address be used on both ends of the tunnel. WatchGuard recommends using an address from one of the reserved ranges:
  - 10.0.0.0 (netmask 255.0.0.0)
  - 172.16.0.0 (netmask 255.240.0.0)
  - 192.168.0.0/16 (netmask 255.255.0.0)

Shared Key: A phrase stored at both ends of the tunnel to authenticate the transmission as being from the claimed origin. The key can be any phrase, but mixing numerical, special, alphabetical, and uppercase characters improves security. For example, "Gu4c4mo!3" is better than "guacamole".

Encryption Method: The encryption method determines how many bits long the key is that encrypts and decrypts communication packets. DES is 56-bit encryption; 3DES is 168-bit, and therefore much more secure. It is also slower and is available outside the U.S. and Canada solely in accordance with the applicable export regulations set forth by the U.S. Department of Commerce, Bureau of Export Administration. Either 3DES or DES may be selected as long as both sides use the same method.

Authentication Method: The authentication method (MD5 or SHA-1) used to code and decode the VPN user's authentications (passwords). Both sides must use the same method.

Configuring the WatchGuard SOHO for VPN

To configure a WatchGuard SOHO for an IPSec VPN tunnel, use the SOHO Configuration menu to configure the IPSec VPN Settings. The following procedure configures Site A for a tunnel to Site B. You will need to complete this procedure with both SOHOs before the tunnel can be established.
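Before either SOHO's IPSec VPN Settings are edited, the planning table above can be checked for the constraints the document states: routable static public addresses, local networks drawn from the reserved private ranges that do not overlap, and a shared key, encryption method and authentication method that match on both sides. The following Python script is an added example, not WatchGuard code; the site values come from the document's example table, the local subnet masks of 255.255.255.0 are an assumption (the document's default), and the dictionary keys are this example's own layout rather than SOHO configuration keys.

```python
"""Consistency check for a two-site WatchGuard SOHO IPSec tunnel plan.

Added example (not WatchGuard code). It validates the planning table the
document recommends before either SOHO's IPSec VPN Settings are edited.
"""
import ipaddress

# Reserved ranges the document lists for local network addresses.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ENCRYPTION_METHODS = {"DES", "3DES"}
AUTH_METHODS = {"MD5", "SHA-1"}

# Constructed from the document's example table. The local subnet masks are
# an assumption (the document's default of 255.255.255.0); the dict keys are
# this example's own layout, not SOHO configuration keys.
SITE_A = {
    "public_ip": "208.152.24.104", "public_mask": "255.255.255.0",
    "local_network": "192.168.3.0", "local_mask": "255.255.255.0",
    "shared_key": "Gu4c4mo!3", "encryption": "3DES", "authentication": "SHA-1",
}
SITE_B = {
    "public_ip": "108.200.23.101", "public_mask": "255.255.255.0",
    "local_network": "10.10.10.0", "local_mask": "255.255.255.0",
    "shared_key": "Gu4c4mo!3", "encryption": "3DES", "authentication": "SHA-1",
}


def key_strength_ok(key: str) -> bool:
    """True when the shared key mixes at least three character classes
    (digits, lowercase, uppercase, special), as the document recommends."""
    classes = (
        any(c.isdigit() for c in key),
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(not c.isalnum() for c in key),
    )
    return len(key) >= 8 and sum(classes) >= 3


def check_tunnel_plan(site_a: dict, site_b: dict) -> list:
    """Return a list of problems; an empty list means both sides are consistent."""
    problems = []
    local_nets = {}
    for name, site in (("Site A", site_a), ("Site B", site_b)):
        public = ipaddress.ip_address(site["public_ip"])
        # Each SOHO must reach the other over the Internet, so the public
        # address has to be a routable (non-private) static address.
        if not public.is_global:
            problems.append(f"{name}: public IP {public} is not a routable Internet address")
        if site["encryption"] not in ENCRYPTION_METHODS:
            problems.append(f"{name}: unknown encryption method {site['encryption']!r}")
        if site["authentication"] not in AUTH_METHODS:
            problems.append(f"{name}: unknown authentication method {site['authentication']!r}")
        net = ipaddress.ip_network(f"{site['local_network']}/{site['local_mask']}", strict=False)
        if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
            problems.append(f"{name}: local network {net} is not in a reserved private range")
        if public in net:
            problems.append(f"{name}: public IP {public} lies inside the local network {net}")
        local_nets[name] = net
    # The two internal networks must be different and must not overlap.
    a, b = local_nets["Site A"], local_nets["Site B"]
    if a.overlaps(b):
        problems.append(f"local networks {a} and {b} overlap; each end needs a different network address")
    # Shared key, encryption and authentication must match on both SOHOs.
    for field in ("shared_key", "encryption", "authentication"):
        if site_a[field] != site_b[field]:
            problems.append(f"{field} differs between sites; both SOHOs must use the same value")
    if not key_strength_ok(site_a["shared_key"]):
        problems.append("shared key is weak; mix digits, upper/lower case and special characters")
    return problems


if __name__ == "__main__":
    for p in check_tunnel_plan(SITE_A, SITE_B) or ["plan is consistent"]:
        print(p)
```

Run as-is it reports a consistent plan for the document's example sites; changing Site B's local network to 192.168.3.0, or setting one side to DES while the other keeps 3DES, produces the overlap and mismatch findings that would otherwise only show up as a tunnel that never comes up.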

