WatchGuard® Made Simple

This site is for common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners.  All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 

New content added 01/02/2007.


Firebox III/X MUVPN

Configuring MUVPN for the Firebox can be done with a local authentication database on the Firebox, or using extended authentication to a Windows 2000 IAS server via RADIUS. This example uses local authentication, which is recommended unless you are an advanced user familiar with MUVPN setup and configuration.

To begin, make sure you have downloaded the latest software from the WatchGuard website. The software that ships on the CD does not contain the required strong-encryption version, so if you have not done so already, download and install the strong-encryption version and flash the box with it once.

In this example the Firebox is in routed mode with a static public IP assigned to its external interface. You cannot use MUVPN if your external interface uses DHCP or PPPoE (unless the PPPoE provider assigns the Firebox a static address). In this example the private network of the Firebox is 192.168.50.0/24.

Connect to the Firebox and open policy manager.

Here we will configure the MUVPN user.

Click Network>Remote User

This is the screen where MUVPN is configured.  You must have a MUVPN license installed in Setup>Licensed Features in order to configure this option.

Select “Firebox Authenticated Users” and click the “Add” button. Do not change any other options on this page.

After clicking “Add”, the MUVPN Wizard is displayed.

Click Next

Click “Add New” to add a new MUVPN user and a pass phrase for them. The pass phrase is used as the “Shared Key”; the user will need to know it to install the configuration file when installing the MUVPN client later.


After you enter a username and password, the fields will be filled in and you can click “Next”. Do not select “User is connecting with a Pocket PC”.

The next screen prompts you to use either a shared key or certificates. Certificates are an advanced configuration; in this example we keep the default “shared key” option.


Click “Next”.

Here the wizard automatically puts the trusted private network into the “allow user access to” field. You must assign a virtual IP address for the MUVPN user; it should be an unused IP within the trusted IP range. Here we assign 192.168.50.201.


Important Notes: If you assign a virtual IP that lies on a defined route on the Firebox, is assigned to an interface, or is defined as a PPTP pool IP address, it will shut down all IPSec on the Firebox, including tunnels currently running. Removing the offending MUVPN user or changing the virtual IP will restore it. Always back up your Firebox when saving IPSec changes.

Also, if your MUVPN user needs access to more than one subnet, complete the wizard, then “edit” the MUVPN user; there you can add additional networks for the user to access. During the initial configuration you can only add one network.

Do not use the “Use default gateway on remote network” option for this configuration. It creates a 0.0.0.0 (default) route so that all of the client's traffic is sent to the Firebox over the tunnel whenever the MUVPN client is enabled. This should only be done by advanced users familiar with MUVPN setup, and only when needed.
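As an added illustration (not part of the original page), the following Python script checks a proposed virtual IP against the conflicts listed in the note above before it is saved to the Firebox. The configuration it checks is a constructed sample modelled on this example's 192.168.50.0/24 network; the interface, static-route and PPTP pool values are assumptions, not taken from a real device.

```python
import ipaddress

# Constructed sample Firebox configuration (assumed values for illustration).
# Only the trusted network and the 192.168.50.201 virtual IP come from the article.
FIREBOX = {
    "trusted": "192.168.50.0/24",
    "interface_ips": ["192.168.50.1", "203.0.113.10"],  # trusted, external
    "static_routes": ["10.10.0.0/16"],                   # defined (static) routes
    "pptp_pool": ["192.168.50.210", "192.168.50.211"],
    "muvpn_users": {"alice": "192.168.50.201"},
}


def check_virtual_ip(candidate, cfg, user=None):
    """Return the reasons a candidate MUVPN virtual IP is unsafe to assign.

    An empty list means the address is free to use. The rules mirror the
    article's warning: a virtual IP sitting on a defined route, on a Firebox
    interface, or in the PPTP pool brings down every IPSec tunnel. The trusted
    subnet's own connected route is intentionally not treated as a conflict,
    since the virtual IP is supposed to come from that range.
    """
    ip = ipaddress.ip_address(candidate)
    trusted = ipaddress.ip_network(cfg["trusted"])
    problems = []
    if ip not in trusted:
        problems.append("not inside trusted network %s" % trusted)
    if ip in (ipaddress.ip_address(a) for a in cfg["interface_ips"]):
        problems.append("assigned to a Firebox interface")
    for route in cfg["static_routes"]:
        if ip in ipaddress.ip_network(route):
            problems.append("covered by defined route %s" % route)
    if ip in (ipaddress.ip_address(a) for a in cfg["pptp_pool"]):
        problems.append("defined as a PPTP pool address")
    for name, vip in cfg["muvpn_users"].items():
        # when editing an existing user, their own current address is not a clash
        if name != user and ipaddress.ip_address(vip) == ip:
            problems.append("already used by MUVPN user %s" % name)
    if ip in (trusted.network_address, trusted.broadcast_address):
        problems.append("network or broadcast address of trusted range")
    return problems


if __name__ == "__main__":
    for vip in ("192.168.50.202", "192.168.50.1", "192.168.50.210", "10.10.5.5"):
        print(vip, "->", check_virtual_ip(vip, FIREBOX) or "OK")
```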

Click “Next”.


The fields above configure the tunnel protection options; the settings shown are recommended and are the strongest encryption you can enable. Optionally you can use “DES” for the encryption if desired. It is recommended you set “Key Expires” to every 24 hours instead of every 8192K, since a data-based expiry might cause a rekey while traffic is passing. Normally this does not cause an issue, but some connections are sensitive to any latency in traffic.

Click “Next”.

You are finished with the MUVPN Wizard; click “Finish”, then click OK to return to Policy Manager. There is one more thing to do before you are really finished.

Now that the MUVPN user has a connection enabled, you must give them access in your Firebox policy. While you can be restrictive, this is not recommended for your encrypted users until you are experienced with MUVPN user administration. The simplest approach is to give them the “ANY” service. It will only apply to users who connect and authenticate with a MUVPN client and whose traffic is encrypted.

In Policy Manager, click the + (Add Services) button and expand the Packet Filters section. You will find the ANY service first in the list. Double-click it, change its name to “ANY_IPSec”, and click OK.

Now you just need to configure its settings for incoming and outgoing.

The settings for the Incoming tab are FROM: “IPSec_Users” (click Add, then double-click IPSec_Users) and TO: “trusted”.

The settings for the Outgoing tab are the reverse: FROM: “trusted” and TO: “IPSec_Users”.

This completes the setup on the Firebox side.  Save the changes to the Firebox.


MUVPN client information.

The client configuration is fairly easy.  The Firebox has already done the work for you.

Browse to /Program Files/Watchguard/RUVPN/IP of Firebox/WGX

In that folder you will find a username.wgx file for each user you created. This encrypted file holds all the information the client needs to configure itself to connect to the Firebox with the rules you just configured. Send the .WGX file to the user installing MUVPN, and give them the “Shared Key” you assigned to that MUVPN user: because the file is encrypted, the shared key is needed to import the .WGX file into the MUVPN client.

Once the user has the .WGX file for their machine, they will need to download the MUVPN 6.1.3 Lite client from the WatchGuard website, or you can provide it to them via FTP, HTTP or another internal download method.

Important Notes: Keep in mind what kind of connection the user plans to use with MUVPN. Over dial-up, using this client for Windows networking tasks such as running Outlook against your Exchange server or accessing mapped drives can literally take hours because of the slow speed of dial-up. Nothing can be done about this; it is by Microsoft’s design.

Also be aware the client likely will not work with AOL or other ISPs that use their own custom dialer software. Only Microsoft's built-in DUN (Dial-Up Networking) is supported. It “may” work with other dialers, but this has not been tested and changes frequently depending on the ISP in question.

Generally any cable modem or DSL connection will work fine, but also make sure your remote client will not end up on the same subnet as the one you are allowing them access to. The same network can’t be in two places at once, and this creates a networking headache!

For example, if you used 192.168.1.x for your Firebox private network, you have assigned the default private range that every Linksys® device in the world ships with, so be sure to tell your users with NAT devices which network you are using. If they are using the same network at their location, they will have to change their system to another network. This is generally an easy task; they can consult their NAT device's documentation for how to do it.

Installation of the MUVPN client:

It is recommended you use Windows 2000 or Windows XP. Server operating systems are not supported and likely will not work.


Note: Any antivirus should be disabled, and other third-party VPN clients such as the Cisco VPN client cannot be installed on the same machine. It is also imperative that you have downloaded ALL critical updates for your machine, as well as any OS updates currently available for your OS.

Run the MUVPN Lite 6.1.3 installer. You may be warned that the driver is not signed and may cause problems; click OK on any such warnings to continue installing. If you do not, it may corrupt the MUVPN client install and cause TCP/IP problems. If asked for options, accept all the defaults, as there is no need to change them.

If a mistake is made and you cannot uninstall the MUVPN client using the Windows uninstaller in the Control Panel, you will have to complete the manual uninstallation process described at the following link.

https://www.watchguard.com/support/AdvancedFaqs/muvpn-sn_manualuninstall.asp

When prompted for a .wgx file, browse to the folder where the .wgx file has been saved. After you select it, enter the shared key when asked in order to install it. The installer will continue and ask you to reboot. Reboot the machine.

When your computer reboots, you will see a new icon with a large S in it in the system tray near your system time. This is the MUVPN client, installed and ready. A quick check will verify it is installed properly: hold your cursor over the MUVPN client icon and it will display “Mobile User VPN” if installed properly.

You do not have to tell the client to connect. Whenever the client is activated (you can activate/deactivate it by right-clicking the icon), it will automatically connect when traffic attempts to reach the private network 192.168.50.x, and a small gold key appears in the S icon when connected. A simple PING command from the command prompt will verify it is configured properly.

C:\>ping 192.168.50.1

Once you can ping, the configuration is complete and all traffic can pass to the private network of the Firebox.

All that remains is name resolution. A resource on the Firebox side will not just show up in Network Neighborhood, as your machine does not know it is even there. The easiest way to connect to servers and workstations sharing files is to enable the WINS service on a server at the Firebox location and enter the private IP of the WINS server in your network card's TCP/IP settings. Go to Network Connections, click Properties, double-click Internet Protocol, click the Advanced button, and on the WINS tab enter the private IP of your WINS server.


If you have a WINS server enabled (this just requires the WINS service to be installed on your server; no other settings need configuring), you can use the Find>Computer function to locate your servers and PCs on the Firebox private network, authenticate to them, map drives, etc. Once you map a drive it will be remembered, so next time you will not have to do it again.

If you require additional assistance regarding mapping drives and accessing resources, WatchGuard has a FAQ on these issues with lots of helpful information.

https://www.watchguard.com/support/AdvancedFaqs/muvpn-sn_netbios.asp

These issues are not the responsibility of WatchGuard or the product once you can ping. They are networking issues that need to be addressed by the network administrator, like any other machine connected to the local network.
