About VPN Failover - WatchGuard Firebox X20E User Manual

Firmware version 8.6, all Firebox X Edge e-Series standard and wireless models
You must have two Firebox X Edge devices or one Firebox X Edge and a second device that uses
IPSec standards. Examples of these devices are a Firebox III, Firebox X Core, Firebox X Peak, or a
Firebox SOHO 6. You must enable the VPN option on the other device if it is not already active.
You must have an Internet connection.
The ISP for each VPN device must allow IPSec traffic to cross its network.
Some ISPs do not let you create VPN tunnels on their networks unless you upgrade your Internet
service to a level that supports VPN tunnels. Speak with the ISP to make sure they let you use
these ports and protocols:
- UDP Port 500 (Internet Key Exchange or IKE)
- UDP Port 4500 (NAT traversal)
- IP Protocol 50 (Encapsulating Security Payload or ESP)
Note that ESP is an IP protocol, not a TCP or UDP port: a filter that passes the two IKE ports but
drops protocol 50 still breaks the tunnel. UDP 4500 carries both IKE and the ESP traffic when NAT
is detected between the endpoints.
If the other side of the VPN tunnel is a WatchGuard Firebox X and each Firebox is under
WatchGuard System Manager management, you can use the Managed VPN option. Managed
VPN is easier to configure than Manual VPN. You must get information from the administrator of
the Firebox X on the other side of the VPN to use this option.
You must know whether the IP address assigned to your Firebox X Edge external interface is
static or dynamic. To learn about IP addresses, see Chapter 2, "Installing the Firebox X Edge e-Series."
Your Firebox X Edge e-Series model tells you the number of VPN tunnels that you can create on
your Edge. You can purchase a model upgrade for your Edge to make more VPN tunnels, as
described in "Enabling the Model Upgrade Option" on page 50.
If you connect two Microsoft Windows NT networks, they must be in the same Microsoft
Windows domain, or they must be trusted domains. This is a Microsoft Networking issue, and not
a limit of the Firebox X Edge e-Series.
If you want to use the DNS and WINS servers from the network on the other side of the VPN
tunnel, you must know the IP addresses of these servers.
The Firebox X Edge can give WINS and DNS IP addresses to the computers on its trusted network
if those computers get their IP addresses from the Edge using DHCP. If you want to give the
computers the IP addresses of WINS and DNS servers on the other side of the VPN, you can type
those addresses into the DHCP settings in the trusted network setup. For information on how to
configure the Edge to give DHCP addresses, see "Using DHCP on the trusted network" on
page 60.
You must know the network address of the private (trusted) networks behind your Firebox X
Edge e-Series and of the network behind the other VPN device, and their subnet masks.
The private IP address range behind your Firebox X Edge must not overlap the range used by the
computers on the other side of the VPN tunnel. If your trusted network uses the same IP addresses as
the office to which it will create a VPN tunnel, then one of the two networks must be renumbered to
prevent IP address conflicts.
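The addressing requirements above (known networks and masks, no overlap between the two private networks, and the remote DNS/WINS addresses to hand out over DHCP) can be checked before any tunnel is configured. The following pre-flight script is an added example written for this page; it is not WatchGuard code and does not talk to the Edge. The sample networks and server addresses are constructed, and the script assumes that servers reached through the tunnel must lie inside the one remote network the tunnel carries.

```python
import ipaddress

# Constructed sample data (not from the manual): the local trusted network,
# the private network behind the remote VPN device, and the remote DNS/WINS
# servers that the Edge's DHCP server would hand to trusted-network clients.
LOCAL_TRUSTED = "192.168.111.0/255.255.255.0"   # dotted mask is accepted too
REMOTE_PRIVATE = "10.0.20.0/24"
REMOTE_DNS = ["10.0.20.2"]
REMOTE_WINS = ["10.0.20.3"]


def _parse_network(cidr, label, problems):
    """Parse a network given as prefix length or dotted mask; record errors."""
    try:
        # strict=True (the default) rejects host bits, e.g. 10.0.20.5/24,
        # which usually means a host address was written instead of a network.
        return ipaddress.ip_network(cidr)
    except ValueError as exc:
        problems.append(f"{label} {cidr!r} is not a valid network: {exc}")
        return None


def check_vpn_addressing(local_net, remote_net, remote_dns=(), remote_wins=()):
    """Return a list of problems with the planned addressing (empty list = OK).

    Checks the requirements stated above: both private networks and their
    masks must be valid and must not overlap, and any DNS/WINS servers that
    are to be reached through the tunnel must fall inside the remote network
    (assumption: the tunnel only carries traffic for that one remote network,
    so a server outside it would not be routed through the VPN).
    """
    problems = []
    local = _parse_network(local_net, "local trusted network", problems)
    remote = _parse_network(remote_net, "remote private network", problems)
    if local is None or remote is None:
        return problems

    if local.overlaps(remote):
        problems.append(
            f"local {local} overlaps remote {remote}: one side must be renumbered"
        )

    for kind, servers in (("DNS", remote_dns), ("WINS", remote_wins)):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                problems.append(f"{kind} server {server!r} is not an IP address")
                continue
            if addr not in remote:
                problems.append(
                    f"{kind} server {addr} is outside remote network {remote}; "
                    "it would not be reached through the tunnel"
                )
    return problems


if __name__ == "__main__":
    report = check_vpn_addressing(LOCAL_TRUSTED, REMOTE_PRIVATE, REMOTE_DNS, REMOTE_WINS)
    for line in report or ["addressing OK"]:
        print(line)
```

Run it with the two networks and the server addresses you collected; an empty report means the plan meets the overlap and server-placement requirements, and each reported line names the setting that has to change.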
About VPN Failover
Failover is an important function of networks that require a high degree of availability. If a system fails
or becomes unavailable, failover automatically shifts the functionality of the failed or unavailable system
to a backup system. On the Firebox X Edge e-Series, you can define up to eight remote gateways for a
VPN endpoint. The Edge uses Dead Peer Detection (DPD) to check the health of the remote gateway.
When it cannot send traffic to or receive traffic from the current remote gateway, it moves to the next
available gateway in the list. The first remote gateway in the list is the primary remote gateway, so order
the list by preference.
A WAN failover event also causes a VPN failover to occur.
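The selection rule described above (an ordered list of at most eight gateways, the first being primary, with DPD deciding when to move to the next one) is small enough to model directly. The following simulation is an added example for this page, not WatchGuard firmware code. It assumes a DPD check can be modelled as a probe callable that returns True when the peer answered, and it uses a retry count as a stand-in for the Edge's DPD timers, which the manual does not state; IKEv1 DPD (RFC 3706) declares a peer dead after a configured number of unanswered R-U-THERE messages. The gateway addresses are RFC 5737 documentation addresses and the probe answers are scripted, not captured.

```python
MAX_REMOTE_GATEWAYS = 8  # limit stated in the manual for one VPN endpoint


class VpnFailover:
    """Pick the remote gateway to use, in list order, based on DPD results."""

    def __init__(self, gateways, dpd_retries=3):
        # dpd_retries is an assumption standing in for the real DPD timers.
        if not 1 <= len(gateways) <= MAX_REMOTE_GATEWAYS:
            raise ValueError(
                f"need 1..{MAX_REMOTE_GATEWAYS} gateways, got {len(gateways)}"
            )
        self.gateways = list(gateways)  # index 0 is the primary gateway
        self.dpd_retries = dpd_retries
        self.active = None

    def _peer_alive(self, gateway, probe):
        """One DPD check: the peer is alive if any of dpd_retries probes is
        answered; any() stops at the first acknowledgement."""
        return any(probe(gateway) for _ in range(self.dpd_retries))

    def select(self, probe):
        """Return the first gateway in priority order whose DPD probe succeeds.

        probe(gateway) -> bool models one R-U-THERE / R-U-THERE-ACK exchange.
        Returns None when every configured gateway is dead.
        """
        for gateway in self.gateways:
            if self._peer_alive(gateway, probe):
                self.active = gateway
                return gateway
        self.active = None
        return None

    def on_wan_failover(self, probe):
        """A WAN failover drops the current tunnel; re-run the selection."""
        self.active = None
        return self.select(probe)


def make_probe(answers):
    """Build a constructed DPD probe from scripted per-gateway answers.

    answers maps gateway -> list of booleans consumed one per probe; a gateway
    with no entry, or whose list is exhausted, never answers.
    """
    script = {gw: list(seq) for gw, seq in answers.items()}

    def probe(gateway):
        seq = script.get(gateway, [])
        return seq.pop(0) if seq else False

    return probe


if __name__ == "__main__":
    gateways = ["203.0.113.10", "198.51.100.20", "192.0.2.30"]
    fo = VpnFailover(gateways, dpd_retries=3)
    # Primary drops two probes, answers the third: still within the retry budget.
    print(fo.select(make_probe({"203.0.113.10": [False, False, True]})))  # 203.0.113.10
    # Primary silent, secondary answers: fail over to the second gateway.
    print(fo.select(make_probe({"198.51.100.20": [True]})))  # 198.51.100.20
```

The retry budget is what separates a transient packet loss from a failover: the same primary that drops two probes survives with three retries and is skipped with two, so the DPD timers on the Edge, not just the gateway order, determine how quickly traffic moves to the backup.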