Watchguard V10 User Manual page 349

Firebox vclass series

6. If you want to permit connections initiated in both directions, select the Gateway to Gateway VPN checkbox.
   NOTE: If this is a bidirectional policy, make sure that the incoming interface selection is 0 or 2, and not 1.
7. For information on configuring the remaining options of the policy (QoS action, TOS Marking, NAT/Load Balancing, Scheduling, and the Advanced Settings) see those sections in chapter 7, "About Security Policies" on page 159.
8. Click Done.
9. When you have finished configuring VPN policies, click Apply to save the settings to the Firebox Vclass appliance.

Defining an automatic key
Automatic key mode requires use of the IKE protocol to
generate new keys as necessary. Keys, encryption, and
authentication algorithms are negotiated, and then chosen
and used by the two participating security appliances.
To define an automatic key:
1. From the Key Management drop-down list, select Automatic (IKE).
2. Select the Perfect Forward Secrecy checkbox, if you want to use this option.
   If you select this checkbox, this policy uses new key material every time it generates a replacement key. If you do not select this checkbox, key replacement uses the source key material that generated previous keys.
3. If you selected Perfect Forward Secrecy, select a DH Group from the drop-down list.
   DH (Diffie-Hellman) groups enable two peer systems to publicly exchange and agree on a shared secret key. The numbers available on the drop-down list (768 and 1024) are the number of bits used for exponentiation to generate private and public keys. The larger the number, the greater the protection.
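
Added example (not from the WatchGuard guide or the appliance's code): a simplified Python model of the rekey choice in step 2, patterned on the IKEv1 quick-mode key derivation in RFC 2409 with the protocol and SPI fields omitted. The modulus, generator, HMAC-SHA1 prf, function names and all key and nonce values are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (assumption, for a fast demo): 2**127 - 1 is prime but far
# smaller than the 768- and 1024-bit groups offered in the drop-down list.
P = 2**127 - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for the negotiated IKE prf (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_exchange() -> bytes:
    """Both peers pick fresh private exponents and agree on g^xy mod P."""
    x = secrets.randbelow(P - 3) + 2       # initiator's ephemeral secret
    y = secrets.randbelow(P - 3) + 2       # responder's ephemeral secret
    gx, gy = pow(G, x, P), pow(G, y, P)    # public values sent on the wire
    shared_i, shared_r = pow(gy, x, P), pow(gx, y, P)
    assert shared_i == shared_r            # both sides hold the same secret
    return shared_i.to_bytes(16, "big")


def rekey(source_key: bytes, ni: bytes, nr: bytes, pfs: bool) -> bytes:
    """Derive one replacement key, with or without a fresh DH exchange."""
    fresh = dh_exchange() if pfs else b""
    return prf(source_key, fresh + ni + nr)


def recoverable(source_key: bytes, ni: bytes, nr: bytes, observed: bytes) -> bool:
    """Is the key recomputable from the source key material and nonces alone?"""
    return hmac.compare_digest(prf(source_key, ni + nr), observed)


def demo() -> dict:
    source_key = secrets.token_bytes(20)   # constructed phase-1 key material
    results = {}
    for pfs in (False, True):
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        key = rekey(source_key, ni, nr, pfs)
        results[pfs] = recoverable(source_key, ni, nr, key)
    return results


if __name__ == "__main__":
    print(demo())
```

Without PFS, every replacement key is a function of the same source key material plus the exchanged nonces, so exposure of that material exposes all of them; with PFS each key also depends on a DH secret that is discarded after use.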
Firebox Vclass User Guide
Defining a VPN Security Policy