Creating An Ipsec Policy - Watchguard Firebox FireboxTM System 4.6 User Manual

Watchguard firebox system user guide
Branch office VPN with IPSec
11 After you add all tunnels for this gateway, click OK.
The Configure Gateways dialog box appears.
12 To configure more tunnels for another gateway, click Tunnels. Select a new gateway and repeat the tunnel creation procedure for that gateway.
13 When all the tunnels are created, click OK.

Creating an IPSec policy

Policies are sets of rules, much like packet filter rules, that define how outgoing IPSec packets are built and sent and determine whether incoming IPSec packets can be accepted. Policies are defined by their endpoints. These are not the same as tunnel or gateway endpoints: they are the specific hosts or networks attached to the tunnel's Fireboxes (or other IPSec-compliant devices) that communicate through the tunnel.
From the IPSec Configuration dialog box:
1 Click Add.
2 Use the Local drop list to select the tunnel type of the IP address behind the local Firebox.
The tunnel type can be an entire network or a single host.
3 Enter the IP or network address in slash notation for the local host or network.
4 Use the Remote drop list to select the tunnel type of the IP address of the remote Firebox or IPSec-compliant device.
5 Enter the IP address or network address in slash notation for the remote host or network.
6 Use the Disposition drop list to select a bypass rule for the tunnel:
Secure: IPSec will encrypt all traffic that matches the rule in associated tunnel policies.
Block: IPSec will not allow traffic that matches the rule in associated tunnel policies.
Bypass: IPSec will not allow traffic that matches the rule in associated tunnel policies.
You cannot bypass a policy that has a network at either endpoint.
For every tunnel created to a dropped-in device, you must create a host policy for both sides' external IP addresses with protection set to Bypass. Otherwise, traffic to and from the dropped-in device's external IP address will conflict with any network policy associated with the VPN.
7 If you chose Secure as your disposition, use the Tunnel drop list to select a configured tunnel.
To configure a new tunnel, see "Configuring a tunnel with manual security" on page 126 or "Configuring a tunnel with dynamic security" on page 127. To display additional information about the selected tunnel, click More.
8 In the Dst Port field, enter the remote host port.
The remote host port number is optional and is the port to which WatchGuard sends communication for the policy. To enable communications to all ports, enter 0.
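The policy model described in steps 2 through 8 (host or network endpoints in slash notation, a Secure/Block/Bypass disposition, a Dst Port where 0 means all ports, and the rule that Bypass is only allowed between host endpoints) can be checked outside the Firebox GUI before committing a configuration. The following is an added example, not WatchGuard code; the addresses are constructed, and first-match evaluation in list order is an assumption of the example, since the manual does not state an evaluation order.

```python
import ipaddress
from dataclasses import dataclass

# Dispositions from the manual's Disposition drop list.
SECURE, BLOCK, BYPASS = "Secure", "Block", "Bypass"


@dataclass
class IPSecPolicy:
    """One policy row: local/remote endpoint in slash notation, disposition, Dst Port."""
    local: str         # "198.51.100.0/24" (network) or "198.51.100.2/32" (host)
    remote: str
    disposition: str
    dst_port: int = 0  # 0 = all ports, as the manual states for the Dst Port field

    def __post_init__(self):
        self.local_net = ipaddress.ip_network(self.local, strict=False)
        self.remote_net = ipaddress.ip_network(self.remote, strict=False)
        # Manual: you cannot bypass a policy that has a network at either endpoint.
        if self.disposition == BYPASS and (
            self.local_net.num_addresses > 1 or self.remote_net.num_addresses > 1
        ):
            raise ValueError("Bypass is only allowed between single-host endpoints")

    def matches(self, src: str, dst: str, dport: int) -> bool:
        """True if an outbound packet src -> dst:dport falls under this policy."""
        return (
            ipaddress.ip_address(src) in self.local_net
            and ipaddress.ip_address(dst) in self.remote_net
            and (self.dst_port == 0 or self.dst_port == dport)
        )


def dispose(policies, src, dst, dport):
    """Disposition of the first matching policy in list order (an assumption of this
    example, not stated by the manual), or None if no policy applies."""
    for p in policies:
        if p.matches(src, dst, dport):
            return p.disposition
    return None


def example_policies():
    """Constructed scenario: a drop-in Firebox whose external IP 198.51.100.2 lies inside
    the protected network, tunnelled to a dropped-in peer with external IP 203.0.113.7."""
    return [
        # Host policy for both external IPs, set to Bypass, as the manual requires.
        IPSecPolicy("198.51.100.2/32", "203.0.113.7/32", BYPASS),
        # Block telnet to one remote host that sits inside the secured network.
        IPSecPolicy("198.51.100.0/24", "203.0.113.99/32", BLOCK, dst_port=23),
        # Network policy for the VPN. Without the host policy above it would also
        # match external-to-external traffic: the conflict the manual warns about.
        IPSecPolicy("198.51.100.0/24", "203.0.113.0/24", SECURE),
    ]
```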