Watchguard Firebox X15 User Manual page 271

Firebox x edge e-series version 10 all firebox x edge e-series standard and wireless models
To change Phase 1 configuration:
1. Select the negotiation mode from the Mode drop-down list. You can use Main Mode only when the
two devices have static IP addresses. If one or both of the devices have external IP addresses that are
dynamically assigned, you must use Aggressive Mode.
2. Enter the local ID and remote ID. Select the ID types—IP Address or Domain Name—from the
drop-down lists. Make sure this configuration is the same as the configuration on the remote device.
Note that on the other device, the local ID type and remote ID type are reversed.
o If your Firebox X Edge or remote VPN device has a static external IP address, set the local ID type
to IP Address. Type the external IP address of the Edge or device as the local ID.
o If your Firebox X Edge or remote VPN device has a dynamic external IP address, you must select
Aggressive Mode and the device must use Dynamic DNS. For more information, see About the Dynamic DNS
service. Set the local ID type to Domain Name. Enter the DynDNS domain name of the device as the local ID.
If your Firebox X Edge external interface has a private IP address instead of a public IP address, then
your ISP or the Internet access device connected to the Edge's external interface (modem or router)
does Network Address Translation (NAT). See If your Edge is behind a device that does NAT if your
Edge's external interface has a private IP address.
3. Select the type of authentication from the Authentication Algorithm drop-down list. The options are
MD5-HMAC (128-bit authentication) or SHA1-HMAC (160-bit authentication). SHA1-HMAC is more
secure.
4. From the Encryption Algorithm drop-down list, select the type of encryption. The options, from least
secure to most secure, are DES-CBC, 3DES-CBC, AES (128 bit), AES (192 bit), and AES (256 bit).
5. Type the number of kilobytes and the number of hours until the IKE negotiation expires. To make the
negotiation never expire, enter zero (0). For example, 24 hours and zero (0) kilobytes means that the
phase 1 key is negotiated every 24 hours no matter how much data has passed.
6. Select the group number from the Diffie-Hellman Group drop-down list. The Edge supports
Diffie-Hellman groups 1, 2, and 5. Diffie-Hellman groups securely negotiate secret keys through a public
network. Diffie-Hellman groups 2 and 5 use larger key modules and are more secure, but they require
more processor time. Each side of the VPN tunnel must use the same Diffie-Hellman Group.
7. Select the Send IKE Keep Alive Messages check box to help find when the tunnel is down. When this
check box is selected, the Edge sends short packets across the tunnel at regular intervals. This helps the
two devices to see whether the tunnel is up. If the Keep Alive packets get no response after three tries,
the Firebox X Edge starts the tunnel again.
8. Select the Enable Dead Peer Detection (DPD) check box to check the status of the remote gateway
when you want to use VPN failover. During a DPD check, the Firebox pings the remote gateway and
waits for a response. If there is no response, VPN failover occurs and the Firebox will use the next
available remote gateway. You can configure the amount of time before each ping timeout in seconds,
and the maximum number of ping attempts.
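The consistency rules in steps 1 through 6 (Aggressive Mode for dynamic addresses, mirrored IDs, matching algorithms and Diffie-Hellman group, the meaning of a zero lifetime) as a small pre-deployment checker. This is an added example, not WatchGuard code; the Phase1 field names and the short algorithm labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass

ENC_ORDER = ["DES-CBC", "3DES-CBC", "AES-128", "AES-192", "AES-256"]  # least to most secure, per step 4

@dataclass
class Phase1:
    mode: str            # "Main" or "Aggressive"
    static_ip: bool      # True if the external IP address is static
    local_id_type: str   # "IP Address" or "Domain Name"
    local_id: str
    remote_id_type: str
    remote_id: str
    auth: str            # "MD5-HMAC" or "SHA1-HMAC"
    enc: str             # one of ENC_ORDER
    dh_group: int        # 1, 2 or 5
    life_hours: int      # 0 means never expire
    life_kb: int         # 0 means never expire

def check_pair(a: Phase1, b: Phase1) -> list[str]:
    """Return findings for the two ends of a tunnel; an empty list means they agree and nothing is weak."""
    out = []
    # Step 1: Main Mode is only valid when both devices have static IP addresses.
    if (not a.static_ip or not b.static_ip) and (a.mode != "Aggressive" or b.mode != "Aggressive"):
        out.append("dynamic external IP requires Aggressive Mode on both ends")
    if a.mode != b.mode:
        out.append("negotiation mode differs")
    # Step 2: a dynamic end identifies itself by Domain Name, and IDs are reversed on the peer.
    for end, name in ((a, "A"), (b, "B")):
        if not end.static_ip and end.local_id_type != "Domain Name":
            out.append(f"{name}: dynamic IP but local ID type is not Domain Name")
    if (a.local_id_type, a.local_id) != (b.remote_id_type, b.remote_id) or \
       (a.remote_id_type, a.remote_id) != (b.local_id_type, b.local_id):
        out.append("local/remote IDs are not mirrored between the two ends")
    # Steps 3, 4 and 6: both ends must match; flag the weakest choices the Edge offers.
    for field in ("auth", "enc", "dh_group"):
        if getattr(a, field) != getattr(b, field):
            out.append(f"{field} differs")
    if a.auth == "MD5-HMAC":
        out.append("MD5-HMAC selected; SHA1-HMAC is the stronger option offered")
    if ENC_ORDER.index(a.enc) < ENC_ORDER.index("AES-128"):
        out.append(f"{a.enc} is weaker than AES")
    if a.dh_group == 1:
        out.append("DH group 1 selected; groups 2 and 5 use a larger modulus")
    # Step 5: zero hours and zero kilobytes means the Phase 1 key is never renegotiated.
    if a.life_hours == 0 and a.life_kb == 0:
        out.append("lifetime 0 hours / 0 KB: the IKE negotiation never expires")
    return out
```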
User Guide, Branch Office Virtual Private Networks, page 259
