Watchguard Firebox X20E User Manual page 215

Firmware version 8.6 all firebox x edge e-series standard and wireless models
5. Type the number of kilobytes and the number of hours until the IKE (Phase 1) negotiation expires. Enter zero (0) for a limit to disable it; if both limits are zero, the negotiation never expires. For example, 24 hours and zero (0) kilobytes means that the Phase 1 key is renegotiated every 24 hours no matter how much data has passed. Do not leave both limits at zero: the same key would then protect the tunnel indefinitely.
6. Select the group number from the Diffie-Hellman Group drop-down list. The Edge supports Diffie-Hellman groups 1, 2, and 5 (768-bit, 1024-bit, and 1536-bit MODP groups). Diffie-Hellman groups securely negotiate secret keys through a public network. Groups 2 and 5 use larger moduli and are more secure, but they require more processor time. Group 1 and group 2 are below the strength now recommended for IKE, so use group 5, the strongest the Edge offers, unless the remote device cannot. Each side of the VPN tunnel must use the same Diffie-Hellman group, or Phase 1 fails.
7. Select the Send IKE Keep Alive Messages check box to help detect when the tunnel is down. When this check box is selected, the Edge sends short packets across the tunnel at regular intervals so that the two devices can see whether the tunnel is up. If the Keep Alive packets get no response after three tries, the Firebox X Edge renegotiates the tunnel.
The IKE Keep Alive feature is different from the VPN Keep Alive feature in "VPN Traffic Control," on page 205.
8. Select the Enable Dead Peer Detection (DPD) check box to check the status of the remote gateway when you want to use VPN failover. During a DPD check, the Firebox sends a DPD request to the remote gateway (an IKE notification as defined in RFC 3706, not an ICMP ping) and waits for a response. If there is no response, VPN failover occurs and the Firebox uses the next available remote gateway. You can configure the timeout for each request in seconds and the maximum number of attempts before the peer is declared dead.
If your Edge is behind a device that does NAT
The Firebox X Edge e-Series can use NAT Traversal. This means that you can make VPN tunnels if your
ISP does NAT (Network Address Translation) or if the external interface of your Edge is connected to a
device that does NAT. We recommend that the Firebox X Edge external interface have a public IP
address. If that is not possible, use this section for more information.
Devices that do NAT frequently have some basic firewall features built into them. To make a VPN tunnel to your Firebox X Edge e-Series when the Edge is behind a device that does NAT, the NAT device must let the traffic through. These ports and protocols must be open on the NAT device:
UDP port 500 (IKE)
UDP port 4500 (NAT Traversal)
IP protocol 50 (ESP)
Speak with the NAT device's manufacturer for information on opening these ports and protocols on
the NAT device.
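To confirm that a NAT device in front of the Edge really passes those three flows, the following script (an added example, not from this manual) classifies tcpdump output captured on the remote peer and flags the common case where only UDP 500 gets through. The interface name, addresses and capture lines below are constructed for the example.

```shell
# Added example, not from the WatchGuard manual: check that the three flows a
# tunnel needs (UDP 500 IKE, UDP 4500 NAT Traversal, IP protocol 50 ESP) reach
# the far end of a NAT device, by classifying "tcpdump -n" style lines.
# On the remote peer, a real capture would be taken with (interface assumed):
#   tcpdump -ni eth0 'udp port 500 or udp port 4500 or proto 50'
# and piped into vpn_flows_seen.

# Reads capture lines on stdin and prints "ike=N natt=N esp=N" (1 = seen).
# Exit status 1 when IKE on UDP 500 was seen but neither UDP 4500 traffic nor
# raw ESP ever followed: the usual sign of a NAT device that forwards UDP 500
# only, so Phase 1 completes and Phase 2 / ESP silently fail.
vpn_flows_seen() {
    awk '
        /\.500 > [0-9.]*\.500: isakmp/ { ike = 1 }   # IKE over UDP 500
        /\.4500 > [0-9.]*\.4500:/      { natt = 1 }  # NAT-T: IKE and UDP-encapsulated ESP
        /ESP\(spi=/ && !/UDP-encap/    { esp = 1 }   # raw ESP, IP protocol 50
        END {
            printf "ike=%d natt=%d esp=%d\n", ike, natt, esp
            if (ike && !natt && !esp) exit 1
            exit 0
        }'
}

# Constructed capture: NAT device forwards everything. NAT-T was negotiated,
# so ESP rides inside UDP 4500 and no raw protocol-50 packets are expected.
CAPTURE_OK='IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 I agg
IP 203.0.113.10.500 > 198.51.100.7.500: isakmp: phase 1 R agg
IP 198.51.100.7.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
IP 198.51.100.7.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132'

# Constructed capture: NAT device forwards only UDP 500. Phase 1 completes,
# but nothing on UDP 4500 or protocol 50 ever arrives.
CAPTURE_BLOCKED='IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 I agg
IP 203.0.113.10.500 > 198.51.100.7.500: isakmp: phase 1 R agg'

# Constructed capture: no NAT in the path, plain ESP on IP protocol 50.
CAPTURE_RAW='IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 198.51.100.7 > 203.0.113.10: ESP(spi=0x00112233,seq=0x2), length 116'

printf '%s\n' "$CAPTURE_OK" | vpn_flows_seen
```

When the Edge is behind NAT, NAT Traversal should be detected and the capture will look like the first sample: IKE on 500, then everything on 4500 and no raw ESP. Raw ESP on protocol 50 only appears when neither side is behind NAT, which is why all three must be open on the NAT device.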
If your Firebox X Edge e-Series external interface has a private IP address, you cannot use an IP address as the local ID type in the Phase 1 settings. Because private IP addresses are not routable on the Internet, the other device cannot reach the private external IP address of your Edge, and an IP-address identity that does not match the source address the peer sees will not be accepted.
If the NAT device to which the Firebox X Edge is connected has a dynamic public IP address:
- First, set the device to Bridge Mode. In Bridge Mode, the Edge gets the public IP address on its
external interface. Refer to the manufacturer of your NAT device for more information.
- Set up Dynamic DNS on the Firebox X Edge. For information, see "Registering with the
Dynamic DNS Service" on page 70. In the Phase 1 settings of the Manual VPN, set the local ID
type to Domain Name. Enter the DynDNS domain name as the Local ID. The remote device
must identify your Edge by domain name and it must use your Edge's DynDNS domain name
in its Phase 1 setup.
If the NAT device to which the Firebox X Edge is connected has a static public IP address:
- In the Phase 1 settings of the Manual VPN, set the local ID type drop-down list to Domain
Name. Enter the public IP address assigned to the NAT device's external interface as the local
User Guide
Manual VPN: Setting Up Manual VPN Tunnels
203
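As an added example that is not part of this manual, here is the remote peer's side of such a tunnel written for strongSwan (swanctl.conf), applying the Phase 1 choices from steps 5 to 8 above and the behind-NAT identity rule: a 24-hour lifetime with no byte limit, Diffie-Hellman group 5, Dead Peer Detection, NAT Traversal, and an Edge identified by its DynDNS name rather than by IP address. The peer address 203.0.113.10, the name edge.example.dyndns.org and both subnets are assumptions.

```conf
# Added example, not from the WatchGuard manual: swanctl.conf for a strongSwan
# peer at a fixed public address (203.0.113.10, assumed) building an IKEv1
# tunnel to a Firebox X Edge that sits behind a NAT device with a dynamic
# public address published through Dynamic DNS (edge.example.dyndns.org, assumed).
connections {
    edge {
        version = 1
        local_addrs  = 203.0.113.10
        remote_addrs = edge.example.dyndns.org   # resolved when the connection starts
        # IKEv1 with a pre-shared key and a non-IP identity from a changing
        # address needs aggressive mode; the Edge side must be set to match.
        aggressive = yes
        encap = yes                   # force UDP 4500 encapsulation (NAT Traversal)
        rekey_time = 24h              # Phase 1 lifetime: 24 hours. strongSwan has no
                                      # byte limit for the IKE SA, matching "0 kilobytes".
        # modp1536 = Diffie-Hellman group 5; modp1024 (group 2) and modp768
        # (group 1) would also match the Edge but are below current strength.
        proposals = aes128-sha1-modp1536
        dpd_delay   = 30s             # Dead Peer Detection request interval
        dpd_timeout = 150s            # IKEv1 only: peer declared dead after this
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            # Matches local ID type "Domain Name" on the Edge: the DynDNS name,
            # not the private or NAT-device IP address.
            id = edge.example.dyndns.org
        }
        children {
            edge-lan {
                local_ts  = 10.0.0.0/24          # assumed local subnet
                remote_ts = 192.168.111.0/24     # assumed Edge trusted network
                esp_proposals = aes128-sha1
                rekey_time = 8h                  # Phase 2 lifetime
                dpd_action = restart             # re-establish when DPD declares the peer dead
                start_action = start
            }
        }
    }
}
secrets {
    ike-edge {
        id-1 = 203.0.113.10
        id-2 = edge.example.dyndns.org
        secret = "replace-with-a-long-random-shared-key"
    }
}
```

The `remote { id }` line is the point of the behind-NAT guidance: with the Edge's Phase 1 local ID type set to Domain Name, the peer must identify it by that same name, and the pre-shared key is selected by that identity rather than by whatever source address the NAT device presents. If the NAT device has a static public address instead, the same configuration applies with the remote identity set to the value entered as the Edge's local ID.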
