Setting Up The Branch Office - McAfee SG310 Administration Manual

VPN menu features
IPsec example
To route traffic between the Headquarters and Branch Office networks, an IPSec tunnel must be configured
on both UTM Firewall appliances. This example steps through setting up the branch office, and then steps
through setting up the headquarters for VPN.

Setting up the branch office

Step 1: Enabling IPsec VPN
1. From the VPN menu, click IPSec. The IPSec VPN Setup page appears.
2. Select the Enable IPSec checkbox.
3. Click Submit.
Step 2: Configure a tunnel to connect to the headquarters office
1. Click Advanced under Tunnel List. The Tunnel Settings page appears.
2. Fill in the Tunnel name field with a description for the tunnel. The name must not contain spaces or start
with a number. In this example, enter Headquarters.
3. Leave the Enable this tunnel checkbox selected.
4. From the Local Interface list, select the interface the IPSec tunnel is to go out on. The options depend
on what is currently configured on the UTM Firewall appliance. For the vast majority of setups, this is the
default gateway interface to the Internet. In this example, leave the default gateway interface
option selected.
Note:
Select an interface other than the default gateway when you have more than one Internet connection or
have configured aliased Internet interfaces, and require the IPSec tunnel to run on an interface other than the
default gateway.
5. From the Keying list, select the type of keying for the tunnel to use. In this example, select the
Aggressive Mode option.
6. From the Local address list, select the type of IPSec endpoint this UTM Firewall appliance has on the
interface on which the tunnel is going out. The UTM Firewall appliance can have either a static IP,
a dynamic IP or a DNS hostname address. If a dynamic DNS service is to be used or there is a DNS
hostname that resolves to the IP address of the port, then the DNS hostname address option should be
selected. In this example, select dynamic IP address.
7. From the Remote address list, select the type of IPSec endpoint used by the remote party. In this
example, select the static IP address option.
8. If you want to force clients to authenticate using XAUTH, select the Require XAUTH authentication
checkbox.
9. Click Next to configure the Local Endpoint Settings.
Step 4: Local endpoint settings
1. Leave the Initiate Tunnel Negotiation checkbox selected.
Note:
This option is not available when the UTM Firewall appliance has a static IP address and the remote party
has a dynamic IP address.
2. Enter the Required Endpoint ID of the UTM Firewall appliance. In this example, enter: branch@office.
This ID is used to authenticate the UTM Firewall appliance to the remote party. It is optional if the
tunnel has a static local IP address and uses Preshared Secrets for authentication. If it is optional and
the field is left blank, the Endpoint ID defaults to the static IP address. The Endpoint ID becomes
required if the tunnel has a dynamic or DNS IP address or if RSA Digital Signatures are used for
authentication.
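As an added example that is not part of the McAfee manual, the branch-side tunnel configured in Steps 1 to 4 above is written out below for strongSwan (ipsec.conf), an assumed tool rather than the appliance's own configuration; the headquarters address, both subnets and the preshared secret are constructed placeholders.

```ini
# Added example, not from the McAfee UTM Firewall guide. Branch-office side of the
# "Headquarters" tunnel as a strongSwan conn. Addresses, subnets and the secret
# below are constructed placeholders; replace them with your own values.
config setup

conn headquarters
    keyexchange=ikev1          # Keying: Aggressive Mode exists only in IKEv1
    aggressive=yes             # Keying list -> Aggressive Mode
    authby=secret              # Preshared Secrets authentication
    left=%defaultroute         # Local Interface -> default gateway interface
    leftid=branch@office       # Required Endpoint ID (mandatory: local IP is dynamic)
    leftsubnet=192.168.1.0/24  # placeholder: branch office LAN
    right=203.0.113.10         # placeholder: headquarters static public IP
    rightsubnet=10.0.0.0/24    # placeholder: headquarters LAN
    auto=start                 # Initiate Tunnel Negotiation from the branch side

# ipsec.secrets (separate file): the PSK is selected by local ID and peer address.
# branch@office 203.0.113.10 : PSK "replace-with-a-long-random-secret"
```

Because the branch initiates with a dynamic address, only the local ID identifies it, which is why the Endpoint ID is required here rather than optional. A strongSwan responder (the headquarters role) only accepts Aggressive Mode with a PSK when charon.i_dont_care_about_security_and_use_aggressive_mode_psk is enabled in strongswan.conf, since the PSK-derived hash is sent unencrypted in that mode.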
McAfee UTM Firewall 4.0.4 Administration Guide
285
