About Vpn Failover - Watchguard Firebox X15 User Manual

Firebox X Edge e-Series, version 10. Applies to all Firebox X Edge e-Series standard and wireless models.
Branch Office Virtual Private Networks

What you need to create a VPN

Before you configure your WatchGuard Firebox X Edge VPN network, read these requirements:

- You must have two Firebox X Edge devices, or one Firebox X Edge and a second device that uses IPSec standards. Examples of these devices are a Firebox III, Firebox X Core, Firebox X Peak, or a Firebox SOHO 6. You must enable the VPN option on the other device if it is not already active.
- You must have an Internet connection.
- The ISP for each VPN device must let IPSec go across their networks. Some ISPs do not let you create VPN tunnels on their networks unless you upgrade your Internet service to a level that supports VPN tunnels. Speak with the ISP to make sure they let you use these ports and protocols:
  o UDP Port 500 (Internet Key Exchange or IKE)
  o UDP Port 4500 (NAT traversal)
  o IP Protocol 50 (Encapsulating Security Payload or ESP)
- If the other side of the VPN tunnel is a WatchGuard Firebox X and each Firebox is under WatchGuard System Manager management, you can use the Managed VPN option. Managed VPN is easier to configure than Manual VPN. To use this option, you must get information from the administrator of the Firebox X on the other side of the VPN tunnel.
- You must know whether the IP address assigned to your Firebox X Edge external interface is static or dynamic. To learn about IP addresses, see About IP addresses.
- Your Firebox X Edge e-Series model tells you the number of VPN tunnels that you can create on your Edge. You can purchase a model upgrade for your Edge to make more VPN tunnels, as described in Upgrade your Firebox X Edge model.
- If you connect two Microsoft Windows NT networks, they must be in the same Microsoft Windows domain, or they must be trusted domains. This is a Microsoft Networking issue, and not a limit of the Firebox X Edge e-Series.
- If you want to use the DNS and WINS servers from the network on the other side of the VPN tunnel, you must know the IP addresses of these servers. The Firebox X Edge can give WINS and DNS IP addresses to the computers on its trusted network if those computers get their IP addresses from the Edge using DHCP. If you want to give the computers the IP addresses of WINS and DNS servers on the other side of the VPN, you can type those addresses into the DHCP settings in the trusted network setup. For information on how to configure the Edge to give DHCP addresses, see Enable DHCP server on the trusted network.
- You must know the network address of the private (trusted) networks behind your Firebox X Edge e-Series and of the network behind the other VPN device, and their subnet masks.
- The private IP addresses of the computers behind your Firebox X Edge cannot be the same as the IP addresses of the computers on the other side of the VPN tunnel. If your trusted network uses the same IP addresses as the office to which it will create a VPN tunnel, then your network or the other network must change their IP address arrangement to prevent IP address conflicts.
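As an added example (not part of this manual and not WatchGuard code), the following Python performs three of the checks from the requirements above before a tunnel is configured: it turns a network address plus subnet mask into a prefix, reports any overlap between the private networks on the two sides of the tunnel (generalised from the manual's single trusted network per side to any number of networks on each side), and lists which of the IKE, NAT traversal and ESP permits a firewall or ISP policy does not grant. The sample addresses and the policy format (a set of protocol/port tuples) are constructed for the example.

```python
"""Pre-flight checks for the VPN requirements listed above.

Added example for this page, not WatchGuard code. The sample addresses are
constructed; the policy format (a set of (protocol, port) tuples) is an
assumption made for the example.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Traffic the ISP and any intermediate firewall must pass for an IPSec tunnel.
# The port field is None for ESP, which is an IP protocol and has no ports.
REQUIRED_IPSEC_PERMITS: Set[Tuple[str, Optional[int]]] = {
    ("udp", 500),    # IKE
    ("udp", 4500),   # NAT traversal (UDP-encapsulated ESP)
    ("ip", 50),      # ESP, IP protocol 50
}


def network_from_address_and_mask(address: str, mask: str) -> ipaddress.IPv4Network:
    """Turn 'network address + subnet mask' (the form the manual asks for) into
    a prefix. strict=False normalises a host address to its network."""
    return ipaddress.IPv4Network((address, mask), strict=False)


def find_overlaps(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (local, remote) pair of private networks that overlap.

    The manual states the rule for one trusted network per side; this check
    covers any number of networks on each side. An empty result means the two
    address plans can be routed over the tunnel without conflict."""
    local_nets = [ipaddress.IPv4Network(c) for c in local]
    remote_nets = [ipaddress.IPv4Network(c) for c in remote]
    return [(str(l), str(r)) for l in local_nets for r in remote_nets if l.overlaps(r)]


def missing_ipsec_permits(allowed: Set[Tuple[str, Optional[int]]]) -> Set[Tuple[str, Optional[int]]]:
    """Which of the IKE / NAT-T / ESP permits a policy does not grant."""
    return REQUIRED_IPSEC_PERMITS - allowed


if __name__ == "__main__":
    # Constructed sample: both offices chose 192.168.111.0/24, which the manual
    # says one side must change before the tunnel can work.
    print(find_overlaps(["192.168.111.0/24"], ["192.168.111.0/24", "10.20.0.0/16"]))
    # Constructed policy that permits IKE but not NAT-T or ESP.
    print(missing_ipsec_permits({("udp", 500), ("tcp", 443)}))
```

Run `find_overlaps` with every trusted subnet on your side and every route the remote administrator gives you; any pair it returns has to be renumbered on one side, and `missing_ipsec_permits` tells you exactly which permit to ask the ISP or upstream firewall administrator for.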

About VPN Failover

Failover is an important function of networks that require a high degree of availability. If a system fails or becomes unavailable, failover automatically shifts the functionality of the failed or unavailable system to a backup system. On the Firebox X Edge e-Series, you can define up to eight remote gateways for the VPN endpoint. The Edge uses Dead Peer Detection (DPD) to check the health of the remote gateway. When it cannot send traffic to or receive traffic from the primary remote gateway, it uses the next available remote gateway. The first remote gateway in the list is the primary remote gateway.

A WAN failover event also causes a VPN failover to occur.
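The following Python is an added example, written for this page to illustrate the failover behaviour described above; it is a simulation, not WatchGuard's implementation. It keeps the ordered gateway list (first entry is the primary, at most eight entries), declares a peer dead after a number of unanswered DPD probes, moves to the next gateway in list order that answers, and treats a WAN failover as a trigger to reselect the gateway over the new link. The retry count `DPD_RETRIES`, the `probe` callback standing in for a DPD request/acknowledgement exchange, and the sample gateway addresses are assumptions made for the example.

```python
"""Simulation of ordered-gateway VPN failover driven by Dead Peer Detection.

Added example for this page, not WatchGuard code. DPD_RETRIES, the probe
callback and the gateway addresses in __main__ are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

MAX_GATEWAYS = 8   # the Edge accepts up to eight remote gateways for one VPN endpoint
DPD_RETRIES = 3    # assumed: unanswered probes in a row before a peer is declared dead

# A probe sends one DPD request to an address and reports whether it was acknowledged.
Probe = Callable[[str], bool]


@dataclass
class RemoteGateway:
    address: str
    unanswered: int = 0     # consecutive DPD probes with no reply

    @property
    def dead(self) -> bool:
        return self.unanswered >= DPD_RETRIES


class VpnEndpoint:
    """Holds the ordered remote-gateway list; the first entry is the primary."""

    def __init__(self, gateways: List[RemoteGateway]) -> None:
        if not 1 <= len(gateways) <= MAX_GATEWAYS:
            raise ValueError(f"need between 1 and {MAX_GATEWAYS} remote gateways")
        self.gateways = gateways
        self.active: Optional[RemoteGateway] = gateways[0]

    def _select(self, probe: Probe, skip: Optional[RemoteGateway] = None) -> Optional[RemoteGateway]:
        """Pick the first gateway in list order that answers a probe, skipping
        the peer that was just declared dead. None if nobody answers."""
        for gw in self.gateways:
            if gw is skip:
                continue
            if probe(gw.address):
                gw.unanswered = 0
                self.active = gw
                return gw
        self.active = None
        return None

    def run_dpd(self, probe: Probe) -> Optional[RemoteGateway]:
        """One DPD round. Returns the gateway the tunnel uses after the round,
        or None when every remote gateway is unreachable."""
        if self.active is None:                  # no tunnel up: keep trying the whole list
            return self._select(probe)
        if probe(self.active.address):
            self.active.unanswered = 0
            return self.active
        self.active.unanswered += 1
        if not self.active.dead:                 # within the retry budget: stay on this peer
            return self.active
        return self._select(probe, skip=self.active)   # peer declared dead: fail over

    def wan_failover(self, probe: Probe) -> Optional[RemoteGateway]:
        """A local WAN failover changes the path to every remote gateway, so it
        is treated as a VPN failover: reset DPD state and reselect from the top
        of the list over the new WAN link."""
        for gw in self.gateways:
            gw.unanswered = 0
        return self._select(probe)


if __name__ == "__main__":
    # Constructed scenario: three remote gateways, the primary stops answering.
    reachable = {"203.0.113.10", "203.0.113.20", "198.51.100.5"}
    endpoint = VpnEndpoint([RemoteGateway(a) for a in sorted(reachable)])
    probe = lambda addr: addr in reachable
    reachable.discard("203.0.113.10")
    for _ in range(DPD_RETRIES):
        gw = endpoint.run_dpd(probe)
        print("tunnel on", gw.address if gw else None)
```

The model does not fail back to the primary once it returns, because the text above only states that the next available gateway is used; a DPD round that reaches a dead `active` peer simply reselects from the top of the list, so the primary is preferred again only on the next reselection.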
