WatchGuard® Made Simple

This site covers common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content.  While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners.  All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 

New content added 01/02/2007.


Edge MUVPN Configuration

Setting up the MUVPN on the Edge is fairly straightforward, but if one item is missed it will not function at all.  Configuring the client is easiest with the importable .wgx configuration file, but it can also be configured manually.  Once you have completed it the first time, adding additional users is a quick and easy task.

Keep in mind what kind of connection you are planning to use with MUVPN.  Over dial-up, Windows networking tasks such as using Outlook against your Exchange server or accessing mapped drives can literally take hours because of the slow link.  Nothing can be done about this; it is how Microsoft designed these protocols.

Also be aware that the client likely will not work with AOL or other ISPs that use their own custom dialer software.  Only the built-in Microsoft DUN (Dial Up Networking) is supported.  It may work with other dialers, but this has not been tested and changes frequently depending on the ISP in question.

Generally any cable modem or DSL connection will work fine, but also make sure the remote client's private LAN does not use the same subnet as the Edge's trusted network.  The same network cannot be in two places at once, and overlapping subnets create a networking headache.

For example, if you used 192.168.1.x for your Edge private network, you have chosen the default private network that every Linksys® device ships with, so be sure to let your users with NAT devices know which network you are using.  If they use the same network at their location, they will have to change theirs to a different one.  This is generally an easy task; they can consult their NAT device documentation for how to do it.

This example uses a Firebox X Edge with the public static IP address 216.254.19.34 assigned to its external interface and the trusted interface address 192.168.130.1 with a mask of 255.255.255.0 (the trusted network is therefore 192.168.130.0/24).  The Edge MUST hold a public static IP on its external interface.  If your Edge has an external IP in 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x, it is being NAT translated by another device in front of it.  This must be changed so that the Edge itself holds the public IP; otherwise MUVPN will not work reliably.  Consult your ISP to obtain a public static IP address for your Edge.
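The two planning checks just described (is the Edge really on a public address, and does any remote user's home LAN collide with the trusted network) are easy to get wrong by eye when you have many users.  The following script, an added example that is not part of the original page and not WatchGuard code, does both checks with Python's standard ipaddress module.  The Edge addresses are the ones used in this example; the three remote users and their home LANs are constructed sample input, and all function names are the example's own.

```python
import ipaddress

# Private ranges as listed on this page (RFC 1918). They are written out
# instead of using ipaddress.is_private, which also matches loopback,
# link-local and other reserved blocks that are not what we are testing for.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr falls inside 10/8, 172.16/12 or 192.168/16."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def check_edge_external(external_ip):
    """Problems with the Edge's external address. An RFC 1918 address means
    another device in front of the Edge is doing NAT, which must be fixed
    before MUVPN will work properly."""
    problems = []
    a = ipaddress.ip_address(external_ip)
    if is_rfc1918(external_ip):
        problems.append(
            f"external IP {a} is private: the Edge is behind another NAT device")
    elif not a.is_global:
        problems.append(f"external IP {a} is not a routable public address")
    return problems


def lan_overlaps_trusted(trusted, client_lan):
    """Does a remote user's home LAN collide with the Edge trusted network?
    strict=False lets callers pass an interface address such as
    192.168.130.1/24; overlaps() also catches a home LAN that is a
    supernet or subnet of the trusted network, not only an exact match."""
    edge_net = ipaddress.ip_network(trusted, strict=False)
    home_net = ipaddress.ip_network(client_lan, strict=False)
    return edge_net.overlaps(home_net)


def plan_report(external_ip, trusted, client_lans):
    """Run both checks and return a list of human-readable findings.
    client_lans maps a user name to that user's home LAN in CIDR form."""
    report = check_edge_external(external_ip)
    for user, lan in client_lans.items():
        if lan_overlaps_trusted(trusted, lan):
            report.append(
                f"{user}: home LAN {lan} overlaps the Edge trusted network "
                f"{trusted}; this user must renumber their LAN")
    return report


if __name__ == "__main__":
    # Constructed sample input: the Edge from this page plus three remote
    # users. alice keeps the Linksys default, bob happens to use the same
    # network as the Edge, carol is on a 10.x network.
    findings = plan_report(
        "216.254.19.34",
        "192.168.130.1/24",
        {"alice": "192.168.1.0/24",
         "bob": "192.168.130.0/24",
         "carol": "10.0.0.0/24"},
    )
    for line in findings:
        print(line)
```

Only bob is reported for the sample input; swapping the external address for something like 192.168.0.2 adds the "behind another NAT device" finding, which is the situation the paragraph above says you must fix with your ISP first.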

Configuration of the Edge.

Note: The IPSec packet filter under Firewall > Incoming should never be configured on the Edge if you are using MUVPN.  It should remain at "no rule", and the "Outgoing" filter under Firewall > Outgoing should be set to "allow".  Configuring the IPSec packet filter can cause the tunnel to fail.

Before starting, it is recommended that you enable HTTPS access to your Edge from the external interface, so that you can administer it while you are remote.  To enable this, go to Firewall > Incoming and set HTTPS to "allow"; the service host is the trusted IP of the Edge itself, 192.168.130.1 in this scenario.  Scroll to the bottom and click Submit.  This is very handy when working remotely, as you can then change the Edge configuration from wherever you are.  Keep in mind that this exposes the Edge's administration page to the whole Internet: use a strong administrator password, and set the HTTPS rule back to "no rule" once you no longer need remote access.

Now you can access the Edge remotely at https://<external_ip_of_Edge>

After you accept the browser's HTTPS certificate warning, enter the user name and password you normally use to connect to the Edge configuration pages.

 

Before you configure the MUVPN client, you must configure the MUVPN client and user settings on the Firebox X Edge.

 

Things to know before you start:

 

Some MUVPN client settings apply to all of the Edge's MUVPN connections.  Select Firebox Users > Settings to configure these:

 

• If you want to make the .wgx file read-only so that the user cannot change the security policy, select the "Make the MUVPN client security policy read-only" check box.

 

Note: In the release versions 7.0 and 7.0.1 of the Edge firmware the .wgx file is locked automatically.  If you uncheck the read-only box and submit, it will unlock the files.  This is resolved in version 7.1, which is not yet available to the public.  If you import a locked policy you cannot change or delete the policy in the MUVPN client, but you can overwrite it with an unlocked policy or a different .wgx file.

 

Locked out of the MUVPN client?  If you import a locked policy and do not have an unlocked policy to overwrite it, download the default (unlocked) security policy provided on this site.  Import it by double-clicking it on your desktop and the client will be unlocked again.

 

• Set how the virtual adapter works on the client (Disabled, Preferred, or Required).  The remote MUVPN computers can use a virtual adapter to get network settings, an IP address, and WINS and DNS address assignments.  You can set the virtual adapter rule for your mobile users to:

Virtual Adapter Settings

Disabled
The mobile user does not use a virtual adapter to connect with the MUVPN client.  This means that the MUVPN client is not assigned a WINS or DNS address.  Because of this, make sure the computer has proper WINS and DNS addresses configured in the main network card settings.  If you only have a few users you can configure this easily by having them edit their network settings and enter the WINS server and/or DNS information.  The user can enter your DNS server as their primary DNS and keep their ISP's DNS as the secondary.

Preferred
If the virtual adapter is in use or it is not available, the mobile user does not use a virtual adapter to connect with the MUVPN client.  This is the default value.
If the virtual adapter is available, the remote computer is assigned the WINS and DNS addresses you entered in the Firebox Users > Settings area of the Edge configuration pages.

Required
The mobile user must use a virtual adapter to connect with the MUVPN client.  If the virtual adapter is not available on the MUVPN client computer, the VPN cannot connect.  The remote computer is assigned the WINS and DNS addresses you entered in the Firebox Users > Settings area of the Edge configuration pages.

• Type the IP addresses of the DNS and WINS servers that you want the MUVPN clients to receive.

 

Note: Avoid installing a .wgx file with a 0.0.0.0 route and then switching to a .wgx file without one.  Switching between a 0.0.0.0 route and a network-only route has been known to cause problems.  This issue should be resolved in the next Firebox software release.

 

 

Enabling MUVPN access for a Firebox user account:

 

1 Add a new Firebox user or edit an existing Firebox user.  For a new user, expand Firebox Users and click "new user".

 

 

2 Click the MUVPN tab.

 

3 Select the Enable MUVPN for this account check box.

 

 

 

4 Type a shared key in the applicable field.  The .wgx file is encrypted with this shared key, and the user enters the shared key when the .wgx file is imported.  Do not give the shared key to anyone who is not authorized to use this Firebox Users account.

 

5 Type the virtual IP address in the applicable field.  The virtual IP address must be an unused address on the Firebox X Edge trusted network.  This address is used by the remote computer to connect to the Firebox X Edge.

 

6 From the Authentication Algorithm drop-down list, select the type of authentication.  The options are MD5-HMAC and SHA1-HMAC; SHA1-HMAC is recommended.

 

7 From the Encryption Algorithm drop-down list, select the type of encryption.  The options are DES-CBC and 3DES-CBC.  Choose 3DES-CBC: single DES uses a 56-bit key that can be brute-forced with modest hardware and should not be relied on.

 

8 Set MUVPN key expiration in kilobytes or hours.  The default values are 8192 KB and 24 hours, respectively.

 

Note: In most situations you can set this to 0 KB and 24 hours so the client only rekeys the tunnel if it stays connected for 24 hours or more.  Rekeys can sometimes cause a Terminal Services session or another sensitive connection to drop, so lengthening the rekey interval is recommended.  Be aware that 0 KB disables data-volume rekeying entirely, leaving the 24-hour timer as the only limit on how much traffic is protected under one key; if users routinely move large amounts of data through the tunnel, keep a kilobyte limit instead.

 

9 Select Mobile User from the VPN Client Type drop-down list.

 

10 Do not select the "traffic uses tunnel (0.0.0.0/0 IP Subnet)" check box.  It forces all traffic through the tunnel, and for most purposes you only need to reach the Edge trusted network.  Using 0.0.0.0 introduces unique problems that users can encounter and should only be used in special situations.  If you do use this option, the user needs to know how to enable/disable the client and troubleshoot their machine if needed.  This example does not use a 0.0.0.0 routing policy.

 

11 Click Submit and you will see “Configuration Changes Accepted”. 

 

12 Click on “Firebox Users” in the left menu and you will see the user you just added.

 

 

Click on the .wgx file next to the user you created and save it to the desktop.  This file is needed to configure the client.  Email or transport it by floppy or other means to the client machine's desktop.  The file is encrypted with the user's shared key, so give the user the key by a separate channel rather than in the same e-mail as the file.

 

Note:  If you desire, you can configure the client manually.  Manually configuring the client is described in the next section.

 

 

 

MUVPN Client installation and configuration.

 Download the MUVPN 6.1.3 lite client from the WatchGuard website.

It is recommended that you use Windows 2000 Professional or Windows XP Professional.  Server operating systems such as Windows 2000 Server and Windows Server 2003 are not supported and will not work.

Note: Any antivirus software should be disabled during the installation, and other third-party VPN clients such as the Cisco VPN client cannot be installed on the same machine.  It is also imperative that you have installed ALL critical updates and any other OS updates currently available for your machine.  Be aware that Windows XP SP2 is not supported until the Firebox 7.3 software is released with an updated MUVPN client.  The following link discusses this in more depth.

https://www.watchguard.com/archive/showhtml.asp?pack=14939

Run the MUVPN lite 6.1.3 installer.  You may be warned that the driver is not signed and may cause problems; click OK on any such warning to continue installing.  If you do not, the MUVPN client install may be corrupted and cause TCP/IP problems.  If asked for options, accept all defaults, as there is no need to change them.  The unsigned-driver warning is also resolved in the next software release for the Firebox X.

If a mistake is made and you cannot uninstall the MUVPN client using Add/Remove Programs in the Control Panel, you will have to complete the manual uninstallation process described at the following link.

https://www.watchguard.com/support/AdvancedFaqs/muvpn-sn_manualuninstall.asp

When prompted for a .wgx file, browse to where you have your .wgx file saved and enter the shared key for the user when asked.  The client will tell you the configuration is complete when the shared key is accepted.  You will need to reboot the machine when asked.  If you are going to configure the MUVPN client manually, just click next when prompted for a .wgx file and installation will continue. 

Note: Skip over to the manual configuration of the client below if you are configuring manually.

When your computer reboots, you will see a new icon with a large S in the system tray near the clock.  This is the MUVPN client, ready for configuration.  A quick check verifies it is installed properly: hold your cursor over the icon and it displays "Mobile User VPN".

This completes the setup.  You should now be able to ping the Edge trusted IP address.  You do not need to tell the client to connect, although you can by right-clicking the SafeNet icon.  Pinging the trusted IP of the Edge or any other IP on the remote network builds the tunnel, and a yellow key appears in the SafeNet icon.

 

 Manual configuration of the MUVPN client.

 

 

Right click on the S icon and select "Security Policy Editor"; the editor will open.  Right click on "My Connections", move the cursor to Add > Connection and left click.

 

Your new connection will be created and we can start matching up the settings for the Edge.

 

 

Expand all the + symbols next to "New Connection" so you can see all the properties.  There are many settings we will not use, as they do not need to be changed from their defaults.

 

 

Important: Once the new connection is fully expanded, select "Security Policy".  You MUST change "Select Phase 1 Negotiation Mode" to "Aggressive Mode", or options you need to configure later in this setup will be grayed out.  Select "Aggressive Mode" and we will start from the top once this setting is checked.  Be aware that in Aggressive Mode the identity (the user name) is sent unencrypted and the pre-shared key is exposed to offline guessing by anyone who captures the exchange, so use a long, random shared key for each user rather than a simple word.

 

Ok, here we go.  All the settings in this example MUVPN client configuration match the MUVPN user that was created on the Edge at the beginning of this example.  Your own settings will be based on your own network, but you can easily transpose your own information into this scenario once you see how it should be set up.

 

Click on “New Connection”

 

 

Go to the "ID Type" and select IP Subnet.  This defines the Edge private network.  Enter the network address, which ends in 0 in a standard Edge configuration with a 255.255.255.0 mask on the trusted interface (192.168.130.0 here, not the Edge's own address 192.168.130.1).  Then set the Mask to 255.255.255.0.

Next click the "Connect using" checkbox; "Secure Gateway Tunnel" will already be selected.  Enter the Edge's public external IP address in this box.  In this example the Edge has a private network of 192.168.130.0 with mask 255.255.255.0, and its external IP is 216.254.19.34.

Now click on “My Identity”.

 

 

Under “Select Certificate” set this to “None”.  Change the “ID Type” to “E-mail address”.

The "E-mail Address" is the username configured on the Edge, which is "MUVPN-User".  Remember this must be exact and is case sensitive.

Now click on the “Pre-Shared Key” button and enter the shared key that was configured on the Edge which is “d0nt@ccess!” and click ok on the “Pre-shared key” box that popped up.

Next click on Proposal 1 under "Authentication (Phase 1)".

 

In this configuration, the defaults are kept as is and should not be changed.

Next click on Proposal 1 under "Key Exchange (Phase 2)".

 

 

This also will not change and should be left as is.

Remember that on these proposals, the only settings that are EVER changed are the Encrypt Alg and Hash Alg (the only options are MD5/SHA1 and DES/3DES), and they must match what you selected for the user on the Edge.

Now click on the floppy disk icon to save the new policy to your MUVPN client, close the Security Policy Editor and configuration is complete.

You do not have to tell the client to connect.  Whenever the client is activated (you can activate/deactivate it by right-clicking its icon) it will automatically connect when traffic attempts to go to the private network 192.168.130.x, and a small gold key will show in the S icon when connected.  A simple PING from the command prompt will verify it is configured properly.

C:\>ping 192.168.130.1

Once you can ping, the configuration is complete and all traffic can pass to the private network of the Edge.
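Almost every failed first tunnel comes from one side not matching the other: a virtual IP outside or already used on the trusted network, a user name typed in the wrong case, the Edge's interface address entered where the network address belongs, or DES selected on one side and 3DES on the other.  The following script, an added example that is not part of the original page and not WatchGuard code, derives the Security Policy Editor values for the user created in the Edge steps above from the Edge's own settings and then checks both the Edge user record and the values a user typed into the client.  The Edge and user values are the ones from this example; the set of addresses already in use on the trusted LAN is an assumption constructed for the example, and the field and function names are the example's own.

```python
import ipaddress

# Constructed example matching the worked configuration on this page. The
# "in_use" set (addresses already assigned on the trusted LAN) is an
# assumption added for the example.
EDGE = {
    "external_ip": "216.254.19.34",
    "trusted_if": "192.168.130.1/24",   # trusted interface address and mask
    "in_use": {"192.168.130.1", "192.168.130.10", "192.168.130.11"},
}
USER = {
    "name": "MUVPN-User",
    "shared_key": "d0nt@ccess!",
    "virtual_ip": "192.168.130.200",
    "auth": "SHA1-HMAC",       # Edge options: MD5-HMAC, SHA1-HMAC
    "encrypt": "3DES-CBC",     # Edge options: DES-CBC, 3DES-CBC
    "route_all": False,        # the "traffic uses tunnel (0.0.0.0/0)" box
}


def trusted_network(edge):
    """Trusted network derived from the interface address and mask."""
    return ipaddress.ip_interface(edge["trusted_if"]).network


def client_policy(edge, user):
    """Security Policy Editor values that must match this Edge user.
    Field names follow the manual configuration section of this page."""
    net = trusted_network(edge)
    return {
        "remote_id_type": "IP Subnet",
        "subnet": str(net.network_address),      # host bits zero, not the Edge's own IP
        "mask": str(net.netmask),
        "secure_gateway_tunnel": edge["external_ip"],
        "my_id_type": "E-mail address",
        "my_identity": user["name"],             # exact, case-sensitive
        "pre_shared_key": user["shared_key"],
        "phase1_mode": "Aggressive Mode",
        "hash_alg": user["auth"].replace("-HMAC", ""),       # MD5 or SHA1
        "encrypt_alg": user["encrypt"].replace("-CBC", ""),  # DES or 3DES
    }


def check_setup(edge, user, typed_identity, typed_subnet):
    """Flag the mistakes this page warns about, on both sides: the Edge user
    record and the values the user typed into the client."""
    problems = []
    net = trusted_network(edge)
    vip = ipaddress.ip_address(user["virtual_ip"])
    if vip not in net or vip in (net.network_address, net.broadcast_address):
        problems.append("virtual IP must be a host address inside the trusted network")
    elif str(vip) in edge["in_use"]:
        problems.append("virtual IP is already in use on the trusted network")
    if user["encrypt"] == "DES-CBC":
        problems.append("DES-CBC selected; use 3DES-CBC")
    if user["auth"] == "MD5-HMAC":
        problems.append("MD5-HMAC selected; SHA1-HMAC is recommended")
    if user["route_all"]:
        problems.append("0.0.0.0/0 routing selected; only for special situations")
    if typed_identity != user["name"]:
        problems.append("client identity does not match the Edge user name (case-sensitive)")
    if ipaddress.ip_address(typed_subnet) != net.network_address:
        problems.append(f"remote party subnet must be {net.network_address}, not {typed_subnet}")
    return problems


if __name__ == "__main__":
    for field, value in client_policy(EDGE, USER).items():
        print(f"{field:22} {value}")
    # A user who typed the name in lower case and the Edge's address
    # instead of the network address (constructed mistakes).
    for p in check_setup(EDGE, USER, "muvpn-user", "192.168.130.1"):
        print("problem:", p)
```

The derived policy is exactly what the manual client steps above tell you to type, and the checker returns an empty list for a correct setup, so it is a useful sanity pass before handing a user their .wgx file and shared key.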

All that remains is name resolution.  A resource on the Edge side will not just show up in Network Neighborhood, because your machine does not know it is there.  The easiest way to reach servers and workstations sharing files is to enable the WINS service on a server at the Edge location and enter the private IP of the WINS server into your network card's TCP/IP settings.  Go to Network Connections, open Properties for the connection, double click Internet Protocol (TCP/IP), click the Advanced button and you will find the WINS tab, where you can enter the private IP of your WINS server.

 

 

If you have a WINS server enabled (this only requires that the WINS service be installed on your server; no other settings need configuration), you can then use Find > Computer to locate your servers and PCs on the Edge private network, authenticate to them and map drives, etc.  Once you map a drive it will be remembered, so next time you will not have to do it again.

If you require additional assistance regarding mapping drives and accessing resources, WatchGuard has a FAQ on these issues with lots of helpful information.

https://www.watchguard.com/support/AdvancedFaqs/muvpn-sn_netbios.asp

These issues are not the responsibility of WatchGuard or the product once you can ping.  They are a networking issue that must be addressed by the network administrator, like any other machine connected to the local network.

