Watchguard Firebox X15 User Manual page 197

4
From the Encryption Algorithm drop-down list, select the type
of encryption.
The options are DES-CBC or 3DES-CBC.
5 Type the number of kilobytes and the number of hours until the
IKE negotiation expires.
To make the negotiation never expire, enter zero (0). For example, 24
hours and zero (0) kilobytes means that the phase 1 key is negotiated
every 24 hours no matter how much data
6
Select the group number from the Diffie-Hellman Group drop-
down list. WatchGuard supports group 1 and group 2.
Diffie-Hellman groups securely negotiate secret keys through a public
network. Group 2 is more secure than group 1, but uses more processing
power and more time.
7
Select the Send IKE Keep Alive Messages check box to help
find when the tunnel is down.
Select this check box to send short packets across the tunnel at regular
intervals. This helps the two devices to see if the tunnel is up. If the Keep
Alive packets get no response after three tries, the Firebox X Edge starts
the tunnel again.
The IKE Keep Alive feature is different from the VPN Keep Alive
feature in "VPN Keep Alive," on page 186.
If your Firebox X Edge is behind a device that does
Network Address Translation (NAT)
The Firebox X Edge can use NAT-Traversal. This means that you can
make VPN tunnels if your ISP does NAT (Network Address Transla-
tion) or if your Edge's external interface is connected to a device
that does NAT. Watchguard recommends that the Edge's external
interface have a public IP address. If that is not possible, use this
section for more information.
Devices that do NAT frequently have some basic firewall features
built into them. To make a VPN tunnel to your Firebox X Edge when
the Edge is behind a device that does NAT, the NAT device must let
the traffic through. These ports and protocols must be open on the
NAT device:
• UDP port 500 (IKE)
• UDP Port 4500 (NAT Traversal)
• IP Protocol 50 (ESP)
User Guide
Manual VPN: Setting Up Manual VPN Tunnels
has passed.
N N
OTE OTE
183