WatchGuard® Made Simple

This site is for common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site, and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners. All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 

New content added: 01/02/2007


Soho6 MUVPN Configuration

Setting up the MUVPN on the Soho6 is a simple task. Configuring the client is more difficult, but once you have completed it once it is a quick task. Keep in mind what kind of connection you plan to use with MUVPN. If you are on dial-up, using this client for Windows networking tasks such as connecting Outlook to your Exchange server or accessing mapped drives can literally take hours because of the slow speed. Nothing can be done about this; it is by Microsoft’s design.

Also be aware that the client likely will not work with AOL or other ISPs that use their own custom dialer software. Only the built-in Microsoft DUN (Dial Up Networking) is supported. It may work with other dialers, but this has not been tested and changes frequently depending on the ISP in question.

Generally any cable modem or DSL connection will work fine, but also make sure the remote client is never on the same subnet as the Soho6 private network. The same network cannot be in two places at once, and an overlap creates a networking headache.

For example, if you used 192.168.1.x for your Soho6 private network, you have assigned the default private range that every Linksys® device in the world ships with, so be sure to tell your users with NAT devices which network you are using. If they use the same network at their location, they will have to move their own system to another range. This is generally an easy task, and they can consult their NAT device documentation for how to do it.

This example uses a Soho6 with the public static IP address 216.254.19.34 on its external interface and the private network 192.168.130.1, mask 255.255.255.0, on its trusted interface. The Soho6 MUST hold a public static IP on its external interface. If your Soho6 has an external IP in 10.x.x.x, 172.16.x.x-172.31.x.x or 192.168.x.x, it is being NATed by another device in front of it. This must be changed so that the Soho6 holds the public IP itself and is not NATed by another device; otherwise MUVPN will not function properly. Consult your ISP to obtain a public static IP address for your Soho6.

Configuration of the Soho6

Note: The IPSec packet filter should never be configured on the Soho6. Leave it at “no rule”, and set the “Outgoing” filter under Firewall>Outgoing to “allow”. Configuring the IPSec packet filter can cause the tunnel to fail.

Also, you must purchase an MUVPN client license. MUVPN is a licensed feature, and the feature key must be installed before MUVPN can be configured. Once purchased, the key must be activated for the Soho6 in question on the WatchGuard website where the unit is registered, and the resulting feature key entered into the unit to enable the function.

Before starting, if you are working remotely from the Soho6 it is recommended you enable HTTP access to it from the external interface. To do this, go to Firewall>Incoming, set HTTP to “allow”, and set the service host to the trusted IP of the Soho6 itself, which in this scenario is 192.168.130.1. Scroll to the bottom and click Submit. This is very handy when working remotely, as you can then change the Soho6 configuration from wherever you are if needed.

Now you can access the Soho6 remotely using http://external_ip_of_soho

It is advised you set a username and password in the System Security section of the Soho6 to protect it from others who might change the settings or try to hack the system; this matters all the more once HTTP management is reachable from the external interface. Do not forget this information, or you will have to fully reset the Soho6 to recover it; there is no other way. Also, do not configure the “remote configuration” section in System Security, as it can interfere with MUVPN.

On the main configuration page, click “Configure” under MUVPN Clients and the following screen appears.

Click on “Add” and the configuration screen for an MUVPN user appears.

Explanation of fields

 

Username: Any name you choose; spaces are not allowed and unusual control characters are not advised. In this configuration it is “MUVPN-User”.

Virtual IP address: An unused IP address on the Soho6 private network. When a mobile user accesses an internal resource, the traffic appears to come from this IP. It is imperative that you do not assign this IP to any other mobile user or to any machine on your internal network. In this configuration it is 192.168.130.160.

Shared Key: Also a single word with no spaces. It is recommended you use a word that is not in a dictionary, with upper/lower case letters and a number or other character, such as d0nt@ccess! in this configuration.

Authentication Algorithm: The method used to verify that packets are not altered in transit between the client and the Soho6. SHA1, the stronger of the two options, is recommended and is used in this configuration.

Encryption Algorithm: This is the encryption level. Since this connection is not persistent and rekeys every time you disconnect and reconnect, DES is recommended. It is used in this document; if you wish to change this setting to 3DES after your client is connected using DES, you may do so. DES keeps the setup easy and is enough encryption for most users. DES is used in this configuration.

VPN Client Type: This will always be Mobile User.

WINS and DNS server: The WINS/DNS information handed to the client if you use the Virtual Adapter. This is not recommended unless you are experienced with the MUVPN client and its manual configuration. First-time users should get a working client with the simplest method before moving to more advanced configurations. This is not set in this configuration.

All Traffic Uses Tunnel (0.0.0.0 IP subnet): This forces all traffic through the tunnel, but as stated previously it is not recommended unless you are an advanced user who has configured the client manually before. It is not used in this setup.

Click Submit and the MUVPN user is configured on the Soho6 itself.
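As an added pre-flight check (this is example code written for this page, not part of the original walkthrough or any WatchGuard tool), the script below applies the rules above to a planned MUVPN user: the external IP must not be in 10/8, 172.16/12 or 192.168/16, the virtual IP must be an unused address on the trusted network, the mobile user's own LAN must not overlap the Soho6 network, and the username and shared key must be single words. The remote_lan input and the minimum key length are assumptions added here.

```python
import ipaddress
import re

# The three ranges the page says mean "the Soho6 is being NATed by another device".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_soho6_muvpn(external_ip, trusted_ip, trusted_mask, virtual_ip, used_ips,
                      remote_lan, username, shared_key):
    """Return a list of problems with a planned Soho6 MUVPN user (empty list = ready).

    All arguments are strings except used_ips, a list of internal IPs already in use;
    remote_lan is the mobile user's own LAN in CIDR form (a hypothetical extra input)."""
    problems = []
    ext = ipaddress.ip_address(external_ip)
    if any(ext in net for net in RFC1918):
        problems.append("external IP %s is private: the Soho6 sits behind another NAT device" % ext)

    trusted_net = ipaddress.ip_network("%s/%s" % (trusted_ip, trusted_mask), strict=False)
    vip = ipaddress.ip_address(virtual_ip)
    if vip not in trusted_net:
        problems.append("virtual IP %s is not on the trusted network %s" % (vip, trusted_net))
    elif vip == ipaddress.ip_address(trusted_ip) or vip in {ipaddress.ip_address(u) for u in used_ips}:
        problems.append("virtual IP %s is already assigned to another host" % vip)

    # "The same network can't be in 2 places at once": the remote LAN must not overlap the Soho6 LAN.
    if ipaddress.ip_network(remote_lan, strict=False).overlaps(trusted_net):
        problems.append("remote LAN %s overlaps the Soho6 private network %s" % (remote_lan, trusted_net))

    if re.search(r"\s", username):
        problems.append("username must be a single word without spaces")
    # Shared key: one word, not a plain dictionary-style word, with a digit or other character.
    if re.search(r"\s", shared_key) or shared_key.isalpha() or len(shared_key) < 8:
        problems.append("shared key must be one word, at least 8 characters, with a digit or symbol")
    return problems


if __name__ == "__main__":
    # Constructed values taken from the walkthrough above; prints nothing when all checks pass.
    for p in check_soho6_muvpn("216.254.19.34", "192.168.130.1", "255.255.255.0",
                               "192.168.130.160", ["192.168.130.10"], "192.168.1.0/24",
                               "MUVPN-User", "d0nt@ccess!"):
        print(p)
```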

 

MUVPN Client installation and configuration

Download the MUVPN 6.1.3 Lite client from the WatchGuard website.

It is recommended you use Windows 2000 Professional or Windows XP Professional. Server operating systems are not supported and likely will not work.

Note: Any antivirus software should be disabled, and other third-party VPN clients such as the Cisco VPN client cannot be installed on the same machine. It is also imperative that you have installed ALL critical updates and any other OS updates currently available for your machine.

Run the MUVPN Lite 6.1.3 installer. You may be warned that the driver is not signed and may cause problems; click OK on any such warnings to continue installing. If you do not, the MUVPN client install may be corrupted and cause TCP/IP problems. If asked for options, accept all defaults, as there is no need to change them.

If a mistake is made and you cannot uninstall the MUVPN client using the Windows uninstaller in the Control Panel, you will have to complete the manual uninstallation process described at the following link.

https://www.watchguard.com/support/AdvancedFaqs/muvpn-sn_manualuninstall.asp

When prompted for a .wgx file, click OK or Next. The Soho6 does not use .wgx files; these are pre-made client configuration files for Firebox II/III or X models. The installer will continue without one and ask you to reboot. Reboot the machine.

When your computer reboots, you will see a new icon with a large S in it in the system tray near the clock. This is the MUVPN client, and it is ready for configuration. A quick check verifies it is installed properly: hold your cursor over the icon and it will display “Mobile User VPN”.


Right click on the S icon and select “Security Policy Editor” as in the graphic above, and the editor opens as shown below. Right click on “My Connections”, move the cursor to Add>Connection and left click.

Your new connection is created, and we can start matching its settings to the Soho6.


Expand all the + symbols next to “New Connection” so you can see all the properties. There are many settings we will not use, as they do not need to be changed from their defaults.


Important: Once the new connection is fully expanded you will see the information above; select “Security Policy”. You MUST change “Select Phase 1 Negotiation Mode” to “Aggressive Mode”, or options you need to configure later in this setup will be grayed out. Select “Aggressive Mode”; once this setting is in place we will start from the top.

Ok, here we go. All of the settings in this example client configuration match the MUVPN user created on the Soho6 at the beginning of this example. Your own settings will depend on your own network, but you can easily transpose your own information into this scenario once you see how it should be set up.

Click on “New Connection”.


Go to “ID Type” and select IP Subnet. This defines the Soho6 private network. In a standard Soho6 configuration with a subnet mask of 255.255.255.0 on the trusted interface, the network IP ends in 0. Then set the Mask to 255.255.255.0.

Next tick the checkbox by “Connect using”; “Secure Gateway Tunnel” will already be selected. Simply enter the Soho6 public external IP address in this box. In this example, the Soho6 has a private network of 192.168.130.0, mask 255.255.255.0, and its external IP is 216.254.19.34.

Now click on “My Identity”.


Under “Select Certificate” choose “None”. Change the “ID Type” to “E-mail address”.

The “E-mail Address” is the username configured on the Soho6, which is “MUVPN-User”. Remember this must be exact and is case sensitive.

Now click the “Pre-Shared Key” button, enter the shared key configured on the Soho6, which is “d0nt@ccess!”, and click OK in the “Pre-shared Key” box that pops up.

Next click on Proposal 1 under “Authentication (Phase 1)”.

 

In this configuration, the defaults are kept as is and should not be changed.

Next click on Proposal 1 under “Key Exchange (Phase 2)”.


This also will not change and should be left as is.

Remember that on these proposals the only settings that are EVER changed are the Encrypt Alg and Hash Alg (the only options are MD5/SHA1 and DES/3DES).

Now click the floppy disk icon to save the new policy to your MUVPN client, close the Security Policy Editor, and the configuration is complete.
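Because a single mismatched field (the case of the username, the gateway IP, a proposal algorithm) silently stops the tunnel from negotiating, it helps to compare the client policy against the Soho6 user field by field before saving. The script below is an added example for this page, not WatchGuard code; the two dictionaries are constructed from the values used in this walkthrough, and it assumes, as IKE/IPSec requires, that the client's proposal algorithms must equal the Authentication and Encryption Algorithm chosen on the Soho6.

```python
import ipaddress

# Constructed example: the MUVPN user as entered on the Soho6 earlier in this walkthrough.
SOHO6_USER = {
    "username": "MUVPN-User", "shared_key": "d0nt@ccess!",
    "auth_alg": "SHA1", "encrypt_alg": "DES",
    "external_ip": "216.254.19.34", "trusted_network": "192.168.130.0/255.255.255.0",
}

# Constructed example: the Security Policy Editor fields set in the client steps above.
CLIENT_POLICY = {
    "phase1_mode": "Aggressive Mode", "id_type": "IP Subnet",
    "subnet": "192.168.130.0", "mask": "255.255.255.0",
    "gateway": "216.254.19.34", "certificate": "None",
    "my_id_type": "E-mail address", "my_id": "MUVPN-User",
    "pre_shared_key": "d0nt@ccess!",
    "phase1_hash": "SHA1", "phase1_encrypt": "DES",
    "phase2_hash": "SHA1", "phase2_encrypt": "DES",
}


def policy_mismatches(policy, user):
    """Return the names of client policy fields that do not match the Soho6 MUVPN user."""
    bad = []
    if policy["phase1_mode"] != "Aggressive Mode":       # otherwise later options are grayed out
        bad.append("phase1_mode")
    want_net = ipaddress.ip_network(user["trusted_network"], strict=False)
    have_net = ipaddress.ip_network("%s/%s" % (policy["subnet"], policy["mask"]), strict=False)
    if policy["id_type"] != "IP Subnet" or have_net != want_net:
        bad.append("remote party subnet")
    if policy["gateway"] != user["external_ip"]:         # Secure Gateway Tunnel address
        bad.append("gateway")
    if policy["certificate"] != "None" or policy["my_id_type"] != "E-mail address":
        bad.append("my identity type")
    if policy["my_id"] != user["username"]:               # exact, case-sensitive comparison
        bad.append("my_id")
    if policy["pre_shared_key"] != user["shared_key"]:
        bad.append("pre_shared_key")
    for phase in ("phase1", "phase2"):                    # hash/encrypt must agree with the Soho6
        if (policy[phase + "_hash"] != user["auth_alg"]
                or policy[phase + "_encrypt"] != user["encrypt_alg"]):
            bad.append(phase + " proposal")
    return bad


if __name__ == "__main__":
    print("mismatches:", policy_mismatches(CLIENT_POLICY, SOHO6_USER))
```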

You do not have to tell the client to connect. Whenever the client is activated (right-click the icon to activate or deactivate it), it connects automatically when traffic is sent to the private network 192.168.130.x, and a small gold key appears on the S icon when connected. A simple ping from the command prompt verifies it is configured properly.

C:\>ping 192.168.130.1

Once you can ping, the configuration is complete and all traffic can pass to the private network of the Soho6.

All that remains is name resolution. A resource on the Soho6 side will not simply appear in Network Neighborhood, since your machine does not know it is there. The easiest way to reach servers and workstations sharing files is to enable the WINS service on a server at the Soho6 location and enter the private IP of that WINS server into your network card’s TCP/IP settings. Go to Network Connections, click Properties, double-click Internet Protocol, click the Advanced button and open the WINS tab, where you can enter the private IP of your WINS server.


If you have a WINS server enabled (this only requires the WINS service to be installed on your server; no other settings need configuration), you can use Find>Computer to locate servers and PCs on the Soho6 private network, authenticate to them, map drives, etc. Once you map a drive it is remembered, so you will not have to do it again next time.

If you require additional assistance regarding mapping drives and accessing resources, WatchGuard has a FAQ on these issues with lots of helpful information.

https://www.watchguard.com/support/AdvancedFaqs/muvpn-sn_netbios.asp

Once you can ping, these issues are not the responsibility of WatchGuard or the product. They are a networking issue to be addressed by the network administrator, as for any other machine connected to the local network.
