Watchguard Firebox FireboxTM System 4.6 User Manual page 137

Watchguard firebox system user guide

Hide thumbs Also See for Firebox FireboxTM System 4.6:

Reference manual (78 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

page of 170

/ 170
Contents
Table of Contents
Bookmarks

Table of Contents

Branch office VPN with IPSec

Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC

(160-bit algorithm).

Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key field. You cannot enter a key here directly.

Using Authenticated Headers (AH)

Type or use the SPI scroll control to identify the Security Parameter Index (SPI).

You must select a number between 257 and 1023.

Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC

(160-bit algorithm).

Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key

If there are Fireboxes at both ends of the tunnel, the remote administrator

can also enter the encryption and authentication passphrases. If the remote

firewall host is an IPSec-compliant device of other manufacture, the remote

system administrator must enter the literal keys displayed in the Security

Association Setup dialog box when setting up the remote IPSec-compliant

device.

Configuring a tunnel with dynamic security

A tunnel encapsulates packets between two gateways. It specifies encryption type

and/or authentication method. A tunnel also specifies endpoints. The following

describes how to configure a tunnel using a gateway with the isakmp (dynamic) key

negotiation type. From the IPSec configuration dialog box:

Click Tunnels.

To add a new tunnel, click Add.

Click a gateway with isakmp (dynamic) key negotiation type to associate with

this tunnel. Click OK.

Type a tunnel name.

Policy Manager uses the tunnel name as an identifier.

Click the Dynamic Security tab.

Use the Type drop list to select a Security Association Proposal (SAP) type.

Options include: Encapsulated Security Payload (ESP) or Authenticated Headers (AH).

Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), and SHA1-HMAC

(160-bit authentication algorithm).

Use the Encryption drop list to select an encryption method.

Options include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit encryption).

To have a new key generated periodically, enable the Force Key Expiration

checkbox.

With this option, transparent to the user, the ISAKMP controller generates and negotiates a

new key for the session. For no key expiration, enter 0 (zero) here. If you enable the Force key

expiration checkbox, set the number of kilobytes transferred or hours passed in the session

before a new key is generated for continuation of the VPN session.

10 Click OK.

The Configure Tunnels dialog box appears displaying the newly created tunnel. Repeat the tunnel

creation procedure until you have created all tunnels for this particular gateway.

User Guide

Authentication Key

Authentication Key field. You cannot enter a key here directly.

Authentication Key

127

Table of Contents

Related Products for Watchguard Firebox FireboxTM System 4.6

Watchguard 4RE

Watchguard Firebox 4500

Watchguard Firebox FireboxTM System 4.6 User Manual page 137

Related Manuals for Watchguard Firebox FireboxTM System 4.6

Related Products for Watchguard Firebox FireboxTM System 4.6

Table of Contents