WatchGuard® Made Simple

This site covers common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content.  While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners.  All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 


Manual IPSec between a Firebox III/X to another Firebox III/X

In this example two Fireboxes are configured for a manual IPSec tunnel that connects their two networks.  You must be able to connect to each Firebox directly from your management station, and it is recommended that both units run the same software version, because you will be saving to each unit with System Manager.  It is not recommended that you rely on Terminal Services alone.  Confirm you have access before you start; someday it will save you an unnecessary trip to the remote site.

Any Firebox that is remote to you should have its “WatchGuard” policy open to you.  Only the “incoming” tab is changed; never alter the “outgoing” tab, or you can accidentally lock yourself out of your own Firebox.

In this setup, Firebox 1 is local to you at 66.44.15.2, and the remote unit, Firebox 2, is at 12.22.5.50.  To enable remote access for yourself you need to tell Firebox 2 that the IP of your Firebox, 66.44.15.2, is allowed to connect to it.

Here is what the change would look like on the remote Firebox to allow this.

 

Note:  If you wish, you can instead set the “incoming” tab of the “WatchGuard” policy to Enabled and Allowed from ANY to ANY.  Then, when the IPSec configuration is complete, set it back to Enabled and Denied, or restrict it as it was before.

Save this change to the remote Firebox.

 

 

In this configuration both units are in a proper routed mode, with RFC-compliant private networks assigned to their respective trusted interfaces and a public static IP assigned to their external interfaces.

Note:  Ensure you have downloaded the Strong encryption software for the Fireboxes.  If you have not, or you have not installed your BOVPN licenses on the Firebox X model, you will not be able to configure BOVPN.

 

Firebox 1 has an external IP of 66.44.15.2 with a private network of 192.168.50.0/24

Firebox 2 has an external IP of 12.22.5.50 with a private network of 10.10.10.0/24

 

 

Configuring Firebox 1 - 66.44.15.2

Connect to the local Firebox with system manager and open policy manager.

Go to the Manual IPSec configuration.

If the BOVPN option or Remote User option is grayed out, either the external interface is in PPPoE mode and you have not defined your static IP, or the external interface is set to DHCP.  You must have a static IP on the external interface to create a Manual IPSec tunnel or a Remote User configuration.

Click “Gateways” to add a Gateway.  The Gateway is the public IP of the opposing Firebox to create a tunnel to, and also holds the Phase 1 IPSec settings.

 

After clicking “add” you configure the Gateway.  The Gateway IP is the remote IP of the opposing Firebox; the shared key must be the same on each side and should be a word or mix of characters that is not in a dictionary.

Click the “More” button to see the Phase 1 settings.  Below are the defaults for Phase 1; they do not need to be altered for this configuration.

Click OK, and the gateway you configured will appear in your list.

Click on the “Tunnels” button and click the “Add” button and you are prompted to select the Gateway bound to the new Tunnel setting.  The Tunnel setting holds the Phase 2 IPSec settings.  Click the Gateway you just created previously and click OK.

Give the tunnel a unique name; it is common to use the word Gateway in Gateway names and Tunnel in Tunnel names.

Click on the Phase 2 settings Tab.

Set your options here.  Generally the only change recommended is to set the Key Expiration to 0 (zero) K and 24 hours, so that the tunnel rekeys automatically every day.

Click OK all the way back to the IPSec routing policy page.

Then click the “Add” button in the lower center of the configuration screen and you will be prompted with the “Add routing policy” prompt.

You are making a network-to-network tunnel, so be sure to change the type from “host” to network for both the local and remote entries.

Note:  All settings must match exactly on both boxes.  The only exceptions are that the routing policy is reversed on the remote box (its local network is your remote network, and vice versa) and that its Gateway IP is that of the opposing box.

Remember that a /24 network address ends in .0 (for example 192.168.50.0).  This address identifies the entire network; do not enter the trusted interface IP of either Firebox here.

 

 

Click OK, and OK again and you will be back to the policy manager.

On this Firebox all that remains is to configure the ANY service to allow traffic from the remote private network into the local one.

You generally do not want to restrict traffic in the IPSec configuration itself; do that in the service policies, because that is where the Firebox regulates traffic.

In this configuration, click the “add service” icon, add the packet filter “ANY”, and name it “ANY_IPSec”.

Configure this service to allow the remote network incoming to your local Trusted network.

 

Click the outgoing tab and configure it as the exact reverse of the incoming tab.

Click OK and save this to your local Firebox.

This completes setup for Firebox 1.

Next the same configuration on the Remote Firebox is done.

The only changes are the Gateway IP, the routing policy is in reverse, and the ANY service is allowing the 192.168.50.0/24 network in.

 

 

Configuring the Remote unit, Firebox 2 – 12.22.5.50

Connect to the remote Firebox with system manager and open policy manager.

Go to the Manual IPSec configuration.

Click “Gateways” to add a Gateway.  Here the Gateway is the public IP of the local Firebox you are currently behind, the unit the tunnel is created to, and it also holds the Phase 1 IPSec settings.

After clicking “add” you configure the Gateway.  The Gateway IP is the IP of the opposing Firebox; the shared key must be the same on each side and should be a word or mix of characters that is not in a dictionary.

Click the “More” button to see the Phase 1 settings.  Below are the defaults for Phase 1; they do not need to be altered for this configuration.

 

Click on the “Tunnels” button and click the “Add” button and you are prompted to select the Gateway bound to the new Tunnel setting.  The Tunnel setting holds the Phase 2 IPSec settings.  Click the Gateway you just created previously and click OK.

Give the tunnel a unique name; it is common to use the word Gateway in Gateway names and Tunnel in Tunnel names.

Click on the Phase 2 settings Tab.

Set your options here.  Generally the only change recommended is to set the Key Expiration to 0 (zero) K and 24 hours, so that the tunnel rekeys automatically every day.

Click OK all the way back to the IPSec routing policy page.

Then click the “Add” button in the lower center of the configuration screen and you will be prompted with the “Add routing policy” prompt.

You are making a network-to-network tunnel, so be sure to change the type from “host” to network for both the local and remote entries.

Note:  All settings must match exactly on both boxes.  The only exceptions are that the routing policy is reversed on this remote box (its local network is the other box's remote network, and vice versa) and that its Gateway IP is that of the opposing box.

Remember that a /24 network address ends in .0 (for example 10.10.10.0).  This address identifies the entire network; do not enter the trusted interface IP of either Firebox here.

 

Click OK, and OK again and you will be back to the policy manager.

On this Firebox all that remains is to configure the ANY service to allow traffic from the remote private network into the local one.

You generally do not want to restrict traffic in the IPSec configuration itself; do that in the service policies, because that is where the Firebox regulates traffic.

In this configuration, click the “add service” icon, add the packet filter “ANY”, and name it “ANY_IPSec”.

Configure this service to allow the remote network incoming to your local Trusted network.

Click the outgoing tab and configure it as the exact reverse of the incoming tab.

Click OK and save this to your remote Firebox.

 

This completes setup for Firebox 2.
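The notes above say every setting must match on both boxes except the Gateway IP and the mirrored routing policy, and that the routing policy must hold a network address ending in .0 rather than a trusted interface IP. The script below is an added example, not code from the original page or from WatchGuard: it takes the values an administrator would copy from each Policy Manager screen for Firebox 1 and Firebox 2 and reports every way the two sides fail to mirror each other before the tunnel is saved. The dictionary keys, the trusted interface addresses, the shared key and the Phase 1/Phase 2 values are constructed for this script; they are not Firebox configuration fields or the product's real defaults.

```python
"""Mirror-consistency check for a two-Firebox manual IPSec (BOVPN) setup.

Added example, not code from the original page or from WatchGuard.  The two
dictionaries are constructed to reflect the Firebox 1 / Firebox 2 setup in
the text; their keys, the trusted IPs, the shared key and the Phase 1/2
values are assumptions for this script only.
"""
import copy
import ipaddress

# Constructed sample: what an administrator would copy from each Policy Manager screen.
FIREBOX1 = {
    "name": "Firebox 1",
    "external_ip": "66.44.15.2",
    "trusted_ip": "192.168.50.1",            # assumed trusted interface address
    "gateway": {"peer_ip": "12.22.5.50", "shared_key": "v7#Qz!m2Lp9r"},  # constructed key
    "phase1": {"mode": "main", "encryption": "3des", "auth": "sha1", "dh_group": 2},
    "phase2": {"encryption": "3des", "auth": "sha1", "expire_kbytes": 0, "expire_hours": 24},
    "routing_policy": {"type": "network", "local": "192.168.50.0/24", "remote": "10.10.10.0/24"},
}
FIREBOX2 = {
    "name": "Firebox 2",
    "external_ip": "12.22.5.50",
    "trusted_ip": "10.10.10.1",              # assumed trusted interface address
    "gateway": {"peer_ip": "66.44.15.2", "shared_key": "v7#Qz!m2Lp9r"},
    "phase1": {"mode": "main", "encryption": "3des", "auth": "sha1", "dh_group": 2},
    "phase2": {"encryption": "3des", "auth": "sha1", "expire_kbytes": 0, "expire_hours": 24},
    "routing_policy": {"type": "network", "local": "10.10.10.0/24", "remote": "192.168.50.0/24"},
}


def parse_network(cidr):
    """Return an ip_network, or None when host bits are set (e.g. 192.168.50.1/24)."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None


def check_pair(a, b):
    """Return a list of mismatches; an empty list means the two sides mirror correctly."""
    problems = []
    for this, other in ((a, b), (b, a)):
        n = this["name"]
        pol = this["routing_policy"]
        # The Gateway IP on each side must be the other side's external (public) IP.
        if this["gateway"]["peer_ip"] != other["external_ip"]:
            problems.append(f"{n}: gateway IP {this['gateway']['peer_ip']} is not "
                            f"{other['name']}'s external IP {other['external_ip']}")
        # Network-to-network tunnel: the routing policy must not be left at 'host'.
        if pol["type"] != "network":
            problems.append(f"{n}: routing policy type is {pol['type']!r}, expected 'network'")
        # Both entries must be true network addresses (last octet .0 for a /24),
        # never the trusted interface IP of either Firebox.
        for side in ("local", "remote"):
            if parse_network(pol[side]) is None:
                problems.append(f"{n}: {side} entry {pol[side]!r} has host bits set; "
                                f"enter the network address (for a /24, ending in .0)")
        # The local network must be the one behind this box's own trusted interface.
        local_net = parse_network(pol["local"])
        if local_net is not None and ipaddress.ip_address(this["trusted_ip"]) not in local_net:
            problems.append(f"{n}: trusted IP {this['trusted_ip']} is not in local network {pol['local']}")
        # Routing policies are mirrored: my local network is the other side's remote network.
        if pol["local"] != other["routing_policy"]["remote"]:
            problems.append(f"{n}: local network {pol['local']} is not {other['name']}'s "
                            f"remote network {other['routing_policy']['remote']}")
    # Everything other than the Gateway IP and routing policy must match exactly.
    if a["gateway"]["shared_key"] != b["gateway"]["shared_key"]:
        problems.append("shared key differs between the two Fireboxes")
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} settings differ between the two Fireboxes")
    return problems


def with_host_ip_mistake():
    """Reproduce the common error of typing the trusted IP instead of the network address."""
    bad = copy.deepcopy(FIREBOX2)
    bad["routing_policy"]["remote"] = "192.168.50.1/24"   # should be 192.168.50.0/24
    return check_pair(FIREBOX1, bad)


if __name__ == "__main__":
    print("correct pair:", check_pair(FIREBOX1, FIREBOX2) or "OK")
    for line in with_host_ip_mistake():
        print("mistake:", line)
```

Run as written it reports the correct pair as OK and then lists two findings for the mistyped copy: the host bits set in the remote entry, and the resulting routing-policy mismatch with Firebox 1. The same check is easy to extend with any further field the Policy Manager exposes, as long as it is added to both dictionaries so the exact-match comparison covers it.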

 

After saving this configuration to the remote Firebox you should be able to ping between the networks.  Use the actual trusted interface IP of the remote box for the ping test.  If you can ping the trusted interface but not internal machines, you most likely have a default gateway that is not configured properly, or the ANY service is not configured properly.

When the tunnel is established you will see a + sign in the System Manager “front panel” tab next to “Branch Office VPN Tunnels”; expanding it displays the tunnel traffic as a packet count and in Kb.

 

 
