Manual IPSec with Fireware - Contributed by Charles Cooper
This example will illustrate the creation of a manual BOVPN tunnel between a Firebox X700 using WFS and a Firebox X1000 using Fireware. Both units will have fictitious public IP addresses on the primary External interface. Both units will be in Routed mode and will be using private networks on the Trusted interface.
Firebox X700 (WFS)                    Firebox X1000 (Fireware)
External interface: 1.1.1.2           External interface: 2.2.2.2
Trusted interface:  10.10.69.1/24     Trusted interface:  192.168.69.1/24
Configuration of FBX700 using WFS:
(A BOVPN tunnel can only operate from the primary IP address of the External interface (eth0). It will not operate from an Alias IP address or an IP address from a Secondary Network on the External interface.)
There are four steps in creating a BOVPN tunnel with WFS: 1) Creating a Gateway 2) Creating a Tunnel 3) Creating an IPSec Route 4) Adding a policy to pass traffic
The network information from both devices (public External address and Trusted network of each) is needed to create a manual BOVPN tunnel.
To begin creating a manual BOVPN tunnel, you will need to go into Policy Manager -> Network menu -> Branch Office VPN -> Manual IPSec…
1) On the IPSec Configuration dialog box, you must configure a Gateway, by clicking the Gateways… button.
As shown below, this is the Configure Gateways dialog box:
The Configure Gateways dialog box allows you to Add, Edit, or Remove gateways to remote devices. For this example, we will add a gateway to the FBX1000, so we will click the Add… button.
As shown below, this is what the Remote Gateway dialog box looks like, before you start configuring it:
The Remote Gateway is the device to which you want to build the manual BOVPN tunnel. Give the Remote Gateway a name that distinguishes it from other devices; use a name that shows the remote device's location or the type of device. For this example, the type of device works well: FBX1000. As shown below, we use the public IP address that has been assigned to the External interface of the FBX1000. We also enter a pre-shared key; exactly the same key must be configured on both Fireboxes. Use a long, random key, because with pre-shared key authentication it is the only secret protecting Phase 1:
When you click the More>> button, the Phase 1 settings appear. We make no changes to the Phase 1 settings for this example. (The default Phase 1 settings in WFS differ from the default Phase 1 settings in Fireware, so we will change the Fireware side to match later.)
Click OK to go back to the Configure Gateways dialog box.
As shown below, we have our Remote Gateway configured:
Click OK to go back to the IPSec Configuration dialog box.
2) On the IPSec Configuration dialog box, we will need to create a tunnel, by clicking the Tunnels… button.
As shown below, we have the FBX1000 gateway, which we created, in the list of gateways for the tunnel to use:
Select the gateway and click OK to continue to configure the tunnel. As shown below, this is the Configure Tunnel dialog box to configure the tunnel:
We name our tunnel To_FBX1000, because we wish to show which device the tunnel is going to:
As shown below, these are the default WFS Phase 2 settings of the tunnel:
For this example, we only change the Force Key Expiration option. We change the kilobytes from '8192' to '0'. This makes the tunnel re-key itself based on the number of hours it is active, instead of by how much data moves through it. The Timeout Negotiation for Phase 1 is set to 24 hours. Because of this, the number of hours used for the Force Key Expiration on Phase 2 should be a divisor of 24, which means 24, 12, 8, 6, 4, 3, 2, or 1 hour, so that a Phase 2 SA never outlives the Phase 1 SA it was negotiated under. For this example, we keep the default setting of 24 hours. Note that removing the kilobyte limit means a single Phase 2 key can protect an unbounded volume of traffic within those hours; with a 64-bit block cipher such as 3DES, keep the traffic per key well below the tens of gigabytes, either by shortening the time or by keeping a byte limit.
Click OK to go back to the Configure Tunnels dialog box. As shown below, we now have a tunnel with the name To_FBX1000 bound to the FBX1000 gateway:
Click OK to go back to the IPSec Configuration dialog box.
3) On the IPSec Configuration dialog box, we need to create an IPSec Routing Policy to direct traffic through the manual BOVPN tunnel. When creating an IPSec Routing Policy, make sure that the Local and Remote networks do not overlap each other, that the Remote network does not overlap any network directly behind your Firebox, and that Remote networks of different policies do not overlap routes to networks behind other devices. Overlaps of this kind cause traffic to be routed to the wrong place instead of through the BOVPN tunnel. As shown below, the IPSec Configuration dialog box gives us the options to Add, Edit, or Remove IPSec Routing Policies:
For this example, we will need to add an IPSec Routing Policy, so we will click the Add… button. As shown below, these are the default settings of the Add Routing Policy dialog box:
For Local, we need to indicate the Trusted network of the FBX700: 10.10.69.0/24 . For Remote, we need to type the Trusted network of the FBX1000: 192.168.69.0/24 .
Because we only have one tunnel configured, the Tunnel drop-down list uses the To_FBX1000 tunnel. Click OK to go back to the IPSec Configuration dialog box. As shown below, we specified the IPSec Routing Policy to use the To_FBX1000 tunnel:
Click OK to go back to Policy Manager.
4) Even though we now have the gateway, a tunnel bound to the gateway, and an IPSec route directing traffic through the BOVPN tunnel, we don’t have a service allowing traffic through the BOVPN tunnel.
You can specify a service that allows only specific ports to pass traffic through a BOVPN tunnel, and in production that is the better choice, since the remote site's hosts should only be able to reach the services they need. For this example we use an ANY service. As shown below, from the Policy Manager, select Edit menu -> Add Service…
Expand the Packet Filters folder:
In Packet Filters, select the Any service:
Click the Add… button. As shown below, this is what the default of the Any service will look like:
For this example, we name the Any service FBX700<>FBX1000, because it shows where the traffic is going to and coming from.
Click OK to continue configuring the Any service. By default, a new service will have the Incoming tab set to Enabled and Denied.
Set the Incoming tab to Enabled and Allowed. We need to add the FBX1000 Trusted network to the Incoming FROM list area. Click the Add… button, click the Add Other… button, change the type to Network IP Address, set the value to 192.168.69.0/24, and click OK. Click OK again to go back to the service properties. As shown below, the Trusted network of the FBX1000 now shows in the FROM field:
We will need to add the FBX700 Trusted network to the Incoming TO list area. Click the Add… button, click the Add Other… button, change the type to Network IP Address, set the value to 10.10.69.0/24, and click OK. Click OK again to go back to the service properties. As shown below, the Trusted network of the FBX700 now shows in the TO field:
For the Outgoing tab, we will need to list the FBX700 and FBX1000 network in the reverse order. As shown below, the Trusted network for the FBX700 (10.10.69.0/24) is in the Outgoing FROM field and the Trusted network for the FBX1000 (192.168.69.0/24) is in the Outgoing TO field:
Click OK to go back to Policy Manager. As shown below, we have an Any service allowing traffic through the BOVPN tunnel:
Save the configuration to the FBX700.
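The overlap warning in step 3 above is easy to violate once a Firebox carries more than one tunnel. The following Python script is an added example, not part of this article or of WatchGuard's tools: it models the FBX700's IPSec Routing Policies and directly connected networks as data and reports the overlaps that would misroute traffic. The External subnet mask (1.1.1.0/24) is an assumption, since the page only gives the address 1.1.1.2.

```python
import ipaddress

# Constructed sample data, not taken from a real Firebox: the walkthrough's
# single routing policy plus the FBX700's own directly connected networks.
# The External subnet mask is an assumption (the page only gives 1.1.1.2).
FIREBOX_NETWORKS = {
    "Trusted (eth1)": "10.10.69.0/24",
    "External (eth0)": "1.1.1.0/24",
}

# IPSec Routing Policies as (name, local network, remote network, tunnel)
ROUTING_POLICIES = [
    ("FBX700<>FBX1000", "10.10.69.0/24", "192.168.69.0/24", "To_FBX1000"),
]


def parse_network(text):
    """Accept only a true network address such as 10.10.69.0/24.

    Typing a host address with a mask (10.10.69.1/24) into the Network IP
    Address dialog is a common mistake; strict=True makes it fail loudly
    instead of silently masking the host bits away.
    """
    return ipaddress.ip_network(text, strict=True)


def check_routing_policies(policies, firebox_networks):
    """Return a list of human-readable problems found in the routing policies.

    Checks performed:
      1. every Local/Remote value is a valid network address
      2. a policy's Local and Remote networks do not overlap each other
      3. a Remote network does not overlap a network directly connected to
         this Firebox (such traffic would be delivered locally, never tunnelled)
      4. Remote networks of different policies do not overlap, because the
         Firebox could not tell which tunnel should carry that traffic
    """
    problems = []
    parsed = []
    for name, local, remote, tunnel in policies:
        try:
            loc, rem = parse_network(local), parse_network(remote)
        except ValueError as exc:
            problems.append(f"{name}: invalid network ({exc})")
            continue
        if loc.overlaps(rem):
            problems.append(f"{name}: local {loc} overlaps remote {rem}")
        for ifname, net in firebox_networks.items():
            connected = parse_network(net)
            if rem.overlaps(connected):
                problems.append(
                    f"{name}: remote {rem} overlaps connected network "
                    f"{connected} on {ifname}")
        parsed.append((name, loc, rem, tunnel))

    # Pairwise comparison of Remote networks across policies.
    for i, (name_a, _, rem_a, tun_a) in enumerate(parsed):
        for name_b, _, rem_b, tun_b in parsed[i + 1:]:
            if rem_a.overlaps(rem_b):
                problems.append(
                    f"{name_a} (tunnel {tun_a}) remote {rem_a} overlaps "
                    f"{name_b} (tunnel {tun_b}) remote {rem_b}")
    return problems


if __name__ == "__main__":
    for line in check_routing_policies(ROUTING_POLICIES, FIREBOX_NETWORKS) or ["no overlaps found"]:
        print(line)
```

Run it before saving a configuration that adds a second tunnel; a second policy whose Remote network falls inside 192.168.69.0/24, or a Remote network that swallows the local 10.10.69.0/24, is reported by name.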
Configuring the FBX1000 using Fireware:
(A BOVPN tunnel can only operate from the primary IP address of the primary External interface (eth0). Even if you create other External interfaces in Fireware, you will not be able to operate BOVPN tunnels from those secondary External interfaces.)
There are two steps in creating a BOVPN tunnel with Fireware: 1) Creating a gateway 2) Creating a tunnel (In Fireware, the policy to allow traffic to pass through the BOVPN tunnel will be created automatically.)
1) We need to create a gateway for the FBX700. From the Policy Manager, select VPN -> Branch Office Gateways…
On the Gateways dialog box click the Add… button.
As shown below, these are the default settings of the New Gateway dialog box:
As shown below, we have given the gateway a name (FBX700), the IP address of the remote gateway (1.1.1.2), the local IP address (2.2.2.2), the same pre-shared key that was specified on the FBX700, and the same Authentication and Encryption settings:
Click the Advanced… button. As shown below, these are the default settings for the Phase 1 Advanced Settings dialog box:
We need to match the same settings as the FBX700. As shown below, we changed the Phase 1 SA Life to 24 hours:
Click OK to go back to the New Gateway dialog box. Click OK again to go back to the Gateways dialog box. As shown below, we now have a gateway configured for the FBX700:
2) We need to create a tunnel to bind to the FBX700 gateway. From the Policy Manager, select VPN -> Branch Office Tunnels…
In the Branch Office IPSec Tunnels dialog box click the Add… button:
As shown below, these are the default settings of the New Tunnel dialog box:
We need to name the tunnel, specify which gateway the tunnel uses, set the Phase 2 negotiation to match the Phase 2 settings used on the FBX700, and add a Local-Remote Pair for the tunnel. As shown below, we have given the new tunnel the name To_FBX700 and the tunnel uses the only available gateway (FBX700):
(If you have more than one gateway configured, make sure the Gateway drop-down list shows the correct gateway.) Click the New Phase 2 Proposal button. As shown below, these are the default settings of the Phase 2 Proposal dialog box:
You can give the Phase 2 proposal a new name if you choose to. For this example, we leave the name at the default. We need to change the Encryption and the Force Key Expiration to match the Phase 2 settings of the FBX700. As shown below, we have changed the encryption to 3DES and changed the expiration settings to 24 hours and 0 kb:
Click OK to go back to the New Tunnel dialog box. For this example, we disable PFS (Perfect Forward Secrecy), because it is not enabled on the WFS side; the PFS setting must be the same at both ends or Phase 2 will not negotiate. If both devices support it, enabling PFS on both sides is the stronger choice, since it keeps past Phase 2 keys safe if the Phase 1 key is ever compromised. Click the Add… button to add a Local-Remote Pair. (This is similar to the IPSec Routing Policy in WFS.)
Click the … button to add the Local-Remote networks and then click the OK button.
As shown below, we have added the Local network of the FBX1000 (192.168.69.0/24) and the Remote network of the FBX700 (10.10.69.0/24):
Click OK to go back to Policy Manager. As shown below, the Branch Office VPN tab now shows a BOVPN tunnel configured to go from the FBX1000 to the FBX700:
Save the configuration to the FBX1000. Afterwards, the tunnel negotiates between the FBX1000 and the FBX700.
Test further by pinging through the BOVPN tunnel from a host on one Trusted network to a host on the other (for example from 10.10.69.x to 192.168.69.x). The ping must originate from an address inside the Local network of the routing policy, otherwise the Firebox has no reason to send it into the tunnel, so a ping from a workstation is a better test than one from the Firebox itself.
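The two procedures above only produce a working tunnel if the pre-shared key, every Phase 1 and Phase 2 value, and the Local-Remote pairs agree between the FBX700 and the FBX1000, and the page's Phase 1 and Phase 2 lifetime rule holds at both ends. The following Python script is an added example, not part of this article or of WatchGuard's software: it records both ends as data and checks them against each other, so a mismatch is found before the tunnel fails to negotiate. The authentication algorithm, DH group and the key itself are assumptions, because the page only says those values must be the same on both sides.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase1:
    authentication: str
    encryption: str
    dh_group: int
    sa_life_hours: int


@dataclass(frozen=True)
class Phase2:
    authentication: str
    encryption: str
    pfs: bool
    sa_life_hours: int
    sa_life_kbytes: int   # 0 means re-key on time only, as in the walkthrough


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    external_ip: str
    peer_ip: str
    psk: str
    phase1: Phase1
    phase2: Phase2
    pairs: tuple          # ((local network, remote network), ...)


# Constructed from the walkthrough. Authentication algorithm, DH group and
# the pre-shared key are assumptions: the page says both sides use the same
# values but does not print them.
PHASE1 = Phase1(authentication="SHA1", encryption="3DES", dh_group=2, sa_life_hours=24)
PHASE2 = Phase2(authentication="SHA1", encryption="3DES", pfs=False,
                sa_life_hours=24, sa_life_kbytes=0)
PSK = "example-shared-key-change-me"   # assumed placeholder, not a real key

FBX700 = TunnelEnd("FBX700 (WFS)", "1.1.1.2", "2.2.2.2", PSK, PHASE1, PHASE2,
                   (("10.10.69.0/24", "192.168.69.0/24"),))
FBX1000 = TunnelEnd("FBX1000 (Fireware)", "2.2.2.2", "1.1.1.2", PSK, PHASE1, PHASE2,
                    (("192.168.69.0/24", "10.10.69.0/24"),))

MIN_PSK_LENGTH = 16   # assumed local policy, not a WatchGuard requirement


def check_tunnel(a, b):
    """Return a list of mismatches between the two ends of a manual BOVPN."""
    problems = []
    if a.peer_ip != b.external_ip or b.peer_ip != a.external_ip:
        problems.append("gateway addresses do not point at each other")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if len(a.psk) < MIN_PSK_LENGTH:
        problems.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    if a.phase1 != b.phase1:
        problems.append(f"Phase 1 settings differ: {a.phase1} vs {b.phase1}")
    if a.phase2 != b.phase2:
        problems.append(f"Phase 2 settings differ (PFS included): {a.phase2} vs {b.phase2}")
    # The page's rule: Phase 2 life must be a divisor of Phase 1 life.
    for end in (a, b):
        p1, p2 = end.phase1.sa_life_hours, end.phase2.sa_life_hours
        if p2 > p1 or p1 % p2 != 0:
            problems.append(f"{end.name}: Phase 2 life {p2}h is not a divisor "
                            f"of Phase 1 life {p1}h")
    # Each Local-Remote pair on one side must appear reversed on the other.
    mirrored = {(remote, local) for local, remote in b.pairs}
    if set(a.pairs) != mirrored:
        problems.append("Local-Remote pairs are not mirror images of each other")
    return problems


def fireware_before_step_1():
    """FBX1000 as it would be if the Fireware Phase 1 SA Life were left at a
    default that differs from WFS. The 8-hour value is constructed for the
    example; use whatever your Policy Manager actually shows."""
    return replace(FBX1000, phase1=replace(PHASE1, sa_life_hours=8))


if __name__ == "__main__":
    for line in check_tunnel(FBX700, FBX1000) or ["both ends match"]:
        print(line)
    for line in check_tunnel(FBX700, fireware_before_step_1()):
        print("before step 1:", line)
```

With the constructed 8-hour Fireware default the script reports both the Phase 1 mismatch and the lifetime rule violation; after the change made in step 1 of the Fireware procedure it reports nothing.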