WatchGuard® Made Simple

This site covers common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners. All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 

PLEASE REFRESH THE PAGES IF YOU HAVE VISITED PREVIOUSLY! - NEW CONTENT ADDED! 01/02/2007


Manual IPSec between a Firebox III/X to a Soho 6/TC

Firebox configuration -

In this example the Firebox has a static public IP address of 66.44.15.2

Configuring Firebox 1 - 66.44.15.2

Connect to the local Firebox with system manager and open policy manager.

Go to the Manual IPSec configuration.

If the BOVPN option or Remote User option is grayed out, the external interface is either in PPPoE mode without a static IP defined, or set to DHCP. You must have a static IP to create a Manual IPSec tunnel or a Remote User configuration.

Click “Gateways” to add a Gateway. The Gateway is the public IP of the opposing Firebox you are creating a tunnel to, and it also holds the Phase 1 IPSec settings.

After clicking “add” you configure the Gateway. The Gateway IP is the remote public IP of the Soho6; the shared key must be identical on both sides and should be a word or mix of characters that does not appear in a dictionary.

Click the “More” button to see the Phase 1 settings. Below are the defaults for Phase 1; they do not need to be altered for this configuration.

Click OK, and the gateway you configured will appear in your list.

Click on the “Tunnels” button, then click the “Add” button, and you are prompted to select the Gateway bound to the new Tunnel setting. The Tunnel setting holds the Phase 2 IPSec settings. Select the Gateway you just created and click OK.

Click OK.

Give the tunnel a unique name; it is common to use the word Gateway in Gateway names and Tunnel in Tunnel names.

Click on the Phase 2 settings Tab.

Set your options here. Generally the only change recommended is to set the Key Expiration to 0 (zero) K and 24 hours, which causes the tunnel to renegotiate its keys automatically every day.

Click OK all the way back to the IPSec routing policy page.

Then click the “Add” button in the lower center of the configuration screen and you will be prompted with the “Add routing policy” prompt.

You are making a network-to-network tunnel, so be sure to change this from “host” for both the local and remote networks.

Note: All settings on each unit must match exactly. The only exceptions are that the routing policies are reversed on the remote box, and the gateway IP is the opposing box. All other settings must match exactly.

Remember that the network address of a /24 network ends in .0 in its last octet. This defines the entire network; do not use the trusted IP of either Firebox here.

Click OK, and OK again and you will be back to the policy manager.

On this Firebox all that remains is to configure the ANY service to allow traffic from the remote private network of the Soho6 into the local one.

You do not generally want to restrict traffic in the IPSec configuration; you do this in policy as the Firebox will regulate traffic in this manner.

In this configuration, click the “add service” icon, add the packet filter “ANY” and name it “ANY_IPSec”.

Configure this service to allow the remote network incoming to your local Trusted network.

Click the outgoing tab; it is configured as the exact reverse of the incoming tab.

Click OK and save this to your local Firebox.

 

This completes setup for the Firebox III/X.

 

-------------------------------------------------------------

Soho6/TC configuration

The Soho6 has a static public IP of 216.254.19.34 assigned to its external interface. You must have a public static IP on both the Firebox III/X and the Soho6/TC to build a reliable tunnel. If a private address is assigned to your Soho6 the tunnel will not work properly. If your router is NATing your public address, you can generally have your ISP bridge your connection so that a public static IP is assigned directly to the Soho6.

On the Soho Config page, click on "Manual VPN", then click "Add Gateway".

 

Submit this information and a tunnel should be established; you will be able to ping between the networks, and all traffic is allowed transparently between them.
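The note above that both units must match exactly, except for the swapped gateway IP and the reversed routing policy, is easy to get wrong when typing the same values into two GUIs. The following script is an added example (not from this page or from WatchGuard) that checks two configurations against those rules before you commit them; the field names, the private networks and the shared key are constructed assumptions, while the public IPs are the tutorial's.

```python
import ipaddress

# Constructed sample configurations (not real keys or networks): the public
# IPs are the ones used in the tutorial, everything else is an assumption.
PHASE1 = {"mode": "main", "encryption": "3DES", "auth": "SHA1", "dh_group": 2}
PHASE2 = {"encryption": "3DES", "auth": "SHA1", "expire_kb": 0, "expire_hours": 24}

FIREBOX = {
    "external_ip": "66.44.15.2",
    "gateway_ip": "216.254.19.34",   # the Soho6's public IP
    "shared_key": "vT7#pq2Lm!9zRk",  # constructed placeholder, not a real key
    "phase1": dict(PHASE1), "phase2": dict(PHASE2),
    "local_net": "192.168.1.0/24", "remote_net": "192.168.2.0/24",
}
SOHO = {
    "external_ip": "216.254.19.34",
    "gateway_ip": "66.44.15.2",      # the Firebox's public IP
    "shared_key": "vT7#pq2Lm!9zRk",
    "phase1": dict(PHASE1), "phase2": dict(PHASE2),
    "local_net": "192.168.2.0/24", "remote_net": "192.168.1.0/24",
}

def check_bovpn_pair(a, b):
    """Return a list of mismatches; an empty list means the two sides mirror correctly."""
    problems = []
    # The gateway on each side must be the opposing unit's public IP, and each
    # external IP must itself be public: a NATed private address gives no tunnel.
    if a["gateway_ip"] != b["external_ip"] or b["gateway_ip"] != a["external_ip"]:
        problems.append("gateway IP on each side must be the opposing unit's external IP")
    for name, side in (("A", a), ("B", b)):
        if ipaddress.ip_address(side["external_ip"]).is_private:
            problems.append(f"side {name}: external IP {side['external_ip']} is private, a public static IP is required")
        # Routing policy entries must be network addresses (.0 for a /24), not a trusted host IP.
        for key in ("local_net", "remote_net"):
            try:
                ipaddress.ip_network(side[key], strict=True)
            except ValueError:
                problems.append(f"side {name}: {key} {side[key]} is a host address, not a network address")
    # Everything else must match exactly ...
    if a["shared_key"] != b["shared_key"]:
        problems.append("shared key differs between sides")
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} settings differ between sides")
    # ... except the routing policy, which is reversed on the remote unit.
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("routing policies are not the reverse of each other")
    return problems
```

Run `check_bovpn_pair(FIREBOX, SOHO)` after filling in your own values; an empty list means the two sides are consistent.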
