WSM User Guide - WatchGuard Technologies


watchguard.com, 12.07.2015

Configuring a Gateway

To configure this, set the ID type of the remote gateway to Domain Name or User Domain Name. Set the peer name to the fully qualified domain name. Make sure the Firebox® is configured with DNS servers that can resolve the domain name.

1. From Policy Manager, click VPN > Branch Office Gateways.
   The Gateways dialog box appears.
2. To add a gateway, click Add.
   The New Gateway dialog box appears.
3. In the Gateway Name text box, type the gateway name.
   This name identifies the gateway only in Policy Manager for this Firebox.
4. From the Gateway IP drop-down list, select IP Address or Any.
   If the remote gateway address is a static IP address, type it in the adjacent address box. If the remote VPN endpoint has a dynamic IP address, select Any.
5. From the Remote Gateway Settings ID Type drop-down list, select IP Address, Domain Name, User Domain Name, or X.500 Name.
   If the remote VPN endpoint uses DHCP or PPPoE to get its external IP address, set the ID type of the remote gateway to Domain Name. Set the peer name field to the fully qualified domain name of the remote VPN endpoint. The Firebox uses IP address and Domain Name to find the VPN endpoint. Make sure the DNS server used by the Firebox can identify the name.

244 WatchGuard System Manager

6. Configure the Local Settings. In the local ID Type drop-down list, select IP Address, Domain Name, or User Domain Name. If you select IP Address, you can select the IP address from the adjacent drop-down list. All configured Firebox interface IP addresses are shown.
7. Click Pre-Shared Key or Firebox Certificate to identify the authentication procedure to use. If you select Pre-Shared Key, type the shared key.
   You must use the same shared key on the remote device. This shared key must use only standard ASCII characters.
   Note: You must start the Certificate Authority if you select certificate-based authentication. For information on this, see the Certificate Authority chapter earlier in this manual. Also, if you use certificates you must use the WatchGuard® Log Server for log messages. We do not support third-party certificates.
8. You can use the default Phase 1 settings, or you can change the settings. If you want to use the default settings, you can move ahead to step 19.
   Phase 1 applies to the initial phase of the IKE negotiation. It contains authentication, session negotiation, and key exchange information.
9. From the Authentication drop-down list, select SHA1 or MD5 as the type of authentication.
10. From the Encryption drop-down list, select None, DES, or 3DES as the type of encryption.
11. From the Mode drop-down list, select Main or Aggressive.
    Main Mode does not identify the VPN endpoints during negotiation, and is more secure than Aggressive Mode. Main Mode also supports Diffie-Hellman group 2. Main Mode is slower than Aggressive Mode because Main Mode must send more messages between endpoints.
12. If you want to change the Diffie-Hellman group settings and other advanced Phase 1 settings, click Advanced.
    The Phase 1 Advanced Settings dialog box appears.
13. To change the SA (security association) life, type a number in the SA Life field, and select Hour or Minute from the drop-down list.
14. From the Key Group drop-down list, select the Diffie-Hellman group you want. WatchGuard supports groups 1 and 2.
    Diffie-Hellman groups are sets of properties used to safely negotiate secret keys across a public medium. Group 2 is more secure than group 1, but uses more time to make the keys.
15. If you want to use NAT devices through the tunnel, select the NAT Traversal check box. To set the Keep-alive interval, type the number of seconds or use the value control to select the number of seconds you want.
    NAT Traversal, or UDP Encapsulation, allows traffic to get to the correct destinations. Enable NAT Traversal when you want to build a BOVPN tunnel between the Firebox and another device that is behind a NAT device.
16. To have the Firebox send messages to its IKE peer to keep the VPN tunnel open, select the IKE Keep-alive check box. To set the Message Interval, type the number of seconds or use the value control to select the number of seconds you want.
17. To set the maximum number of times the Firebox tries to send an IKE keep-alive message before it tries to negotiate Phase 1 again, type the number you want in the Max failures box.

User Guide 245

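Steps 4 through 17 above describe a set of gateway fields and the constraints that go with them (a dynamic peer must be identified by domain name, the peer name must be resolvable, the pre-shared key must be standard ASCII, Main Mode and group 2 are the stronger choices). The following pre-flight checker is an added example written for this page; it is not WatchGuard code and does not read a Firebox configuration. The `GatewayConfig` class, its field names, the injectable `resolve` callback and the sample configurations are this example's own assumptions; the "editor's note" warning about MD5 and single DES is the editor's advice, not a statement from the guide.

```python
"""Added example (not WatchGuard code): pre-flight checks for a Branch Office VPN
gateway definition modelled on the dialog fields in the steps above."""
from dataclasses import dataclass
import hmac
import ipaddress

# Value sets exactly as the guide lists them for each drop-down.
ID_TYPES = {"IP Address", "Domain Name", "User Domain Name", "X.500 Name"}
PHASE1_AUTH = {"SHA1", "MD5"}
PHASE1_ENC = {"None", "DES", "3DES"}
MODES = {"Main", "Aggressive"}
KEY_GROUPS = {1, 2}


@dataclass
class GatewayConfig:            # assumed structure, mirrors the dialog fields
    name: str
    remote_gateway_ip: str      # dotted IPv4 address, or "Any" for a dynamic peer
    remote_id_type: str
    remote_peer_name: str
    auth_method: str            # "Pre-Shared Key" or "Firebox Certificate"
    pre_shared_key: str = ""
    phase1_auth: str = "SHA1"
    phase1_encryption: str = "3DES"
    mode: str = "Main"
    key_group: int = 2
    sa_life: int = 8
    sa_life_unit: str = "Hour"
    ike_keepalive: bool = False
    max_failures: int = 5


def check_gateway(cfg, resolve):
    """Return (errors, warnings). `resolve(name)` returns True when the Firebox's
    DNS can resolve `name`; it is injected so the check runs offline. Errors are
    constraints the guide states; warnings are its "more secure" comparisons
    plus the editor's advisory notes."""
    errors, warnings = [], []

    if cfg.remote_gateway_ip != "Any":
        try:
            ipaddress.IPv4Address(cfg.remote_gateway_ip)
        except ValueError:
            errors.append("Gateway IP must be a valid IPv4 address or Any")

    if cfg.remote_id_type not in ID_TYPES:
        errors.append(f"unknown remote ID type {cfg.remote_id_type!r}")
    elif cfg.remote_id_type in ("Domain Name", "User Domain Name"):
        if "." not in cfg.remote_peer_name:      # step 5: peer name is an FQDN
            errors.append("peer name must be a fully qualified domain name")
        elif not resolve(cfg.remote_peer_name):
            errors.append(f"Firebox DNS cannot resolve {cfg.remote_peer_name}")
    elif cfg.remote_gateway_ip == "Any":
        # Step 5: a DHCP/PPPoE peer must be identified by Domain Name, not address.
        warnings.append("dynamic peer (Any) should use Domain Name as its ID type")

    if cfg.auth_method == "Pre-Shared Key":      # step 7: ASCII-only shared key
        key = cfg.pre_shared_key
        if not key:
            errors.append("pre-shared key is empty")
        elif not all(32 <= ord(ch) < 127 for ch in key):
            errors.append("pre-shared key must contain only standard ASCII characters")
    elif cfg.auth_method != "Firebox Certificate":
        errors.append(f"unknown authentication method {cfg.auth_method!r}")

    for value, allowed, label in ((cfg.phase1_auth, PHASE1_AUTH, "authentication"),
                                  (cfg.phase1_encryption, PHASE1_ENC, "encryption"),
                                  (cfg.mode, MODES, "mode"),
                                  (cfg.key_group, KEY_GROUPS, "key group")):
        if value not in allowed:
            errors.append(f"Phase 1 {label} {value!r} is not one of {sorted(allowed, key=str)}")

    if cfg.mode == "Aggressive":                 # step 11
        warnings.append("Aggressive Mode exposes endpoint identities; Main Mode is more secure")
    if cfg.key_group == 1:                       # step 14
        warnings.append("Diffie-Hellman group 1 is weaker than group 2")
    if cfg.phase1_encryption == "None":
        warnings.append("Phase 1 without encryption leaves the negotiation unprotected")
    if cfg.phase1_auth == "MD5" or cfg.phase1_encryption == "DES":
        warnings.append("editor's note: MD5 and single DES are deprecated; prefer SHA1 and 3DES")

    if cfg.sa_life <= 0 or cfg.sa_life_unit not in ("Hour", "Minute"):   # step 13
        errors.append("SA life must be a positive number of Hours or Minutes")
    if cfg.ike_keepalive and cfg.max_failures < 1:                       # step 17
        errors.append("Max failures must be at least 1 when IKE keep-alive is enabled")
    return errors, warnings


def psk_matches(local_key, remote_key):
    """Step 7: both endpoints must hold the identical shared key; compare in constant time."""
    return hmac.compare_digest(local_key.encode(), remote_key.encode())


# Constructed sample data: a branch site on PPPoE, identified by its FQDN.
CANNED_DNS = {"branch.example.com"}          # names the fake resolver "knows"


def fake_resolve(name):
    return name in CANNED_DNS


GOOD = GatewayConfig(name="branch", remote_gateway_ip="Any", remote_id_type="Domain Name",
                     remote_peer_name="branch.example.com", auth_method="Pre-Shared Key",
                     pre_shared_key="correct horse battery staple")
BAD = GatewayConfig(name="branch-bad", remote_gateway_ip="Any", remote_id_type="IP Address",
                    remote_peer_name="branch", auth_method="Pre-Shared Key",
                    pre_shared_key="clé", phase1_auth="MD5", mode="Aggressive", key_group=1)

if __name__ == "__main__":
    for cfg in (GOOD, BAD):
        errs, warns = check_gateway(cfg, fake_resolve)
        print(cfg.name, "errors:", errs, "warnings:", warns)
```

Run it as a script to see the clean configuration pass and the second one fail on the non-ASCII key while collecting the four advisory warnings; in practice you would replace `fake_resolve` with a lookup against the DNS servers the Firebox is actually configured to use, since that is the resolution step 5 depends on.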
