Académique Documents
Professionnel Documents
Culture Documents
Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.
TRAINING
www.watchguard.com/training
training@watchguard.com
ii
SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
Table of Contents
Exercise 1: Configure a Single-WAN XTM Device and a Multi-WAN XTM Device ....... 48
Exercise 2: Configure a Manual VPN and between the Single-WAN XTM Device and the
Multi-WAN XTM Device ................................................................................................... 51
Exercise 3: Configure a BOVPN Virtual Interface Between a Single-WAN XTM Device and
a Multi-WAN XTM Device ................................................................................................ 56
Exercise 4: BOVPN Virtual Interface with Metric-Based failover ................................. 61
Exercise 5: BOVPN Virtual Interface and Dynamic Routing ........................................ 70
Configure XTM Device A ............................................................................................................ 70
Configure XTM Device B ............................................................................................................ 72
75
76
76
77
79
79
79
iii
Use Mobile VPN with IPSec With a Mac OS X or iOS Device ..................................... 87
Configure the XTM Device ......................................................................................................... 87
Configure the VPN Client on an iOS Device ............................................................................. 88
Configure the VPN Client on a Mac OS X Device ..................................................................... 88
Exercise 2: Configure Mobile VPN with IPSec and Prepare Mobile VPN Client
Configuration Files .......................................................................................................... 96
Exercise 3: Restrict Mobile VPN with IPSec Users by Policy ..................................... 101
Exercise 4: Use the Shrew Soft IPSec VPN Client ...................................................... 104
Install the Shrew Soft VPN Client ............................................................................................ 104
Connect and Disconnect the Shrew Soft VPN Client ............................................................ 105
Exercise 5: Configure the XTM device for Mobile VPN with SSL ............................... 107
Activate the XTM Device for SSL VPN ..................................................................................... 107
Add Users to the SSLVPN-Users Group .................................................................................. 109
Restrict SSL VPN Users by Policy ............................................................................................ 110
Exercise 6: Change the Port Used for Mobile VPN with SSL ..................................... 112
Exercise 7: Use the Mobile VPN with SSL Client ........................................................ 113
Install the Mobile VPN with SSL Client ................................................................................... 113
Connect with the Mobile VPN with SSL Client ....................................................................... 114
iv
Introduction
What You Will Learn
Fireware XTM offers two methods to manually create a secure branch office virtual private network
(BOVPN) connections between networks at different sites. In this training module you learn:
Exercises
This course includes step-by-step exercises to show you how to configure VPNs in a multi-WAN
environment. Before you start the exercises, make sure to read Exercises Before You Begin, on
page 46. This section has a list of the equipment and software you need for the exercises, and gives you
basic information about how to prepare your device.
A branch office VPN (BOVPN) enables computers at one office to securely transmit private data through
an untrusted public network to computers at another office. The BOVPN provides these benefits:
Privacy or confidentiality of the data The VPN uses encryption to guarantee that traffic between
the two offices is secret. An attacker that intercepts the traffic cannot understand it.
Data integrity The VPN guarantees that the data that passes through it has not been altered in
transit.
Data authentication The VPN guarantees that data that passes through the tunnel actually
comes from one of the two endpoints of the VPN, and not from some attacker on the Internet.
Direct private IP address to private IP address communication The computers at the two offices
communicate as if they were not behind devices configured with Network Address Translation
(NAT). The data tunnels through NAT for a transparent connection between the devices.
One gateway device at each location completes the IPSec encapsulation process for all the computers
behind the gateway device. The computers at each location do not need any special software and they
are not aware that the IPSec encapsulation process takes place.
The XTM device looks at traffic that comes from and goes to computers on its protected networks. It
knows what traffic to encrypt and send to the other office based on the source and destination IP
address of the traffic and the VPN settings.
IPSec is built on a collection of several different protocols. BOVPNs can have more than 30 settings. The
configuration on your XTM device must mirror the configuration of its peer device. We will look at every
setting in the XTM device VPN configuration to give you the information you need to make successful
VPNs every time.
(NAT), the VPN negotiations can move to UDP port 4500, and all subsequent traffic between the
two devices uses UDP port 4500. NAT-T prevents the NAT device from interfering with the IPSecencoded traffic by re-encapsulating it in an additional layer of UDP and IP headers.
IP Protocol 50 Encapsulating Security Payload (ESP)
After VPN negotiations succeed, traffic between the two sites can be securely and privately sent
over the tunnel with ESP. ESP authenticates and encrypts the traffic and encapsulates it in new IP
datagrams with IP protocol 50. The ESP traffic may or may not be re-encapsulated in UDP port 4500
packets, depending on whether NAT-T is used.
IP protocol 51 Authentication Header (AH)
Similar to ESP, AH encapsulates VPN traffic between the two sites after VPN negotiations succeed.
AH does not encrypt traffic, however, it only guarantees that the traffic came from the correct
source and that it was not tampered with in transit. Because AH does not provide privacy
(encryption), it is rarely used for IPSec VPNs today.
IP protocol 50 and 51 are not ports; no ports are associated with ESP or AH. ESP and AH are distinct IP
protocols, like ICMP (IP protocol 1), TCP (IP protocol 6), or UDP (IP protocol 17).
Phase 1
The main purpose of Phase 1 is to set up a secure encrypted channel through which the two devices
can negotiate Phase 2. When Phase 1 finishes successfully, the devices quickly move to Phase 2
negotiations. If Phase 1 fails, the devices cannot begin Phase 2.
Phase 1 negotiations can use one of two modes: Main Mode or Aggressive Mode. We discuss the two
modes in more detail in a subsequent section.
Phase 2
The purpose of Phase 2 negotiations is for the two peers to agree on a set of parameters that define
what traffic can go over the VPN, and how to encrypt and authenticate the traffic. This agreement is
called a Security Association.
Phase 1 negotiations
are often called IKE
negotiations or
ISAKMP negotiations.
Depending on the
mode used, they are
also called Aggressive
Mode Negotiations or
Main Mode
Negotiations.
Phase 2 negotiations
are often called IPSec
negotiations or Quick
Mode negotiations.
When to Use It
Managed BOVPN
Managed BOVPN tunnels are useful if you want to create and manage a
large number of tunnels between Firebox or XTM devices managed by a
WatchGuard Management Server. On the Management Server, you can
create Security Templates and VPN Firewall Policy Templates that can be
used for one or more managed VPN tunnels. The templates make it easier
to configure a large number of VPN tunnels with consistent settings.
Manual BOVPN
BOVPN Virtual
Interface
For a VPN tunnel between two XTM devices that use Fireware XTM OS
v11.8 or higher, you can configure a BOVPN virtual interface. A BOVPN
virtual interface separates the routing from the security associations. This
enables you to use this type of tunnel in many different network routing
scenarios, some of which are described in the subsequent section.
If you want to route traffic between two IPv6 networks through an IPv4
BOVPN tunnel, you must use a BOVPN virtual interface. IPv6 virtual
interface routes are supported in Fireware XTM v11.9 and higher.
IPSec is built on a
collection of open
standards, protocols,
and algorithms that
include:
Internet Key
Exchange (IKE)
protocol
Oakley key
determination
protocol
Diffie-Hellman key
exchange algorithm
Internet Security
Association and Key
Management Protocol
(ISAKMP)
Authentication
Header (AH)
Encapsulating
Security Payload (ESP)
Encryption algorithms:
DES
3DES
AES (128, 192, or 256bit key length)
Authentication
algorithms:
HMAC-SHA1
HMAC-SHA2
HMAC-MD5
IPSec operates at the
Network layer, Layer 3,
of the OSI (Open
Systems
Interconnection)
Reference Model.
The encryption key for the two devices is used as a symmetric key for encrypting data. The security
of the resulting encryption key comes from the extreme difficulty of solving certain mathematical
problems in reverse (the discrete logarithm problem). Only the two parties involved in the key
exchange can get the shared key, and the key is never sent over the wire.
ESP
Encapsulating Security Payload
Defined in RFC 2406, ESP provides confidentiality and integrity of data. ESP takes the original data
payload of a data packet and replaces it with encrypted data. It adds integrity checks to be sure that
the data is not altered in transit, and that the data came from the proper source.
The Internet Assigned Numbers Authority (IANA) assigns a number to each protocol. For ESP, the IP
protocol number is 50. (Compare to TCP, which is assigned IP protocol number 6, and UDP, IP
protocol number 17.)
Hash
A mathematical transform applied to a set of data.
This transform takes a string of bits as input and produces an output called the hash or hash value.
(The hash value is normally much smaller than the original data input.) A hash is generally a oneway function. It is not possible to find the original input if the only data you have is the hash. There
are different hash algorithms, but for any given input and any given algorithm, the hash value is
always the same.
If two entities each have a set of data and they want to see if they are the same data set without
actually exchanging the data, they can both use the same hash algorithm to compute the hash of
their own data set. Next, they exchange the hash values that they each compute and compare
them. If the two hash values match, then the input data is the same on each side. If the hash values
do not match, then the data sets are not identical.
VPN traffic uses a variation of the hash method called a Hashed Message Authentication Code or
HMAC (sometimes also called a Keyed HMAC). Similar to the normal use of hash functions, each VPN
peer computes hashes of data to guarantee the datas integrity. In addition, each side mixes the
data with a secret key before the hash is computed. This guarantees the authenticity of the data;
each side knows that the data came from the authorized peer and not an imposter or attacker.
IKE
Internet Key Exchange
Defined in RFC 2409, IKE specifies methods to obtain authenticated keying material for use with
ISAKMP.
IKE peer
The entity to which your XTM device makes a VPN tunnel.
The IKE peer is typically another IPSec device such as another firewall, or a remote users computer
with software that can make an IPSec VPN tunnel.
IPSec
A collection of cryptography-based services and security protocols to protect communication
between entities that send traffic through an untrusted network (such as the public Internet).
ISAKMP
Internet Security Association and Key Management Protocol
Defined in RFC 2408, ISAKMP provides a framework to use to authenticate a communicating peer,
for key generation techniques, and to manage (negotiate, form, and destroy) Security Associations.
IKE and Oakley operate within this framework.
Key expiration
Phase 1 and Phase 2 session and encryption keys change periodically.
This makes sure an attacker cannot get access to a large data set with the same encryption keys.
When a key must change, the appliance declares the current key no longer valid and negotiates a
new key with the IKE peer.
Main Mode
One of the two modes that Phase 1 VPN negotiations can use.
It uses a total of six messages between the two IKE peers. Main Mode gives protection to the
identities of the two IKE peers.
MD5
Message Digest 5
This is a hash algorithm. Verification of the MD5 sum provides data integrity (a guarantee that the
data has not changed in transit). In IPSec, authentication of the data (a guarantee that the data
came from the proper source) is achieved by enhancing the hash with a shared secret key (see
HMAC explanation in the definition of hash). MD5 is not considered as strong a hash algorithm as
SHA-1.
Oakley
Oakley Key Determination Protocol
This is a protocol for two parties to agree on a secret key. RFC 2412 describes the protocol named
Oakley, by which two authenticated parties can agree on secure and secret keying material. The
basic mechanism is the Diffie-Hellman key exchange algorithm.
PFS
Perfect Forward Secrecy
A guarantee that the keying material used to generate one encryption key is not used to generate a
new encryption key. If one key is compromised, it gives the attacker no information about
subsequent encryption keys.
Quick Mode
The mode that Phase 2 VPN negotiations use.
Quick Mode is the only mode that Phase 2 uses. The two IKE peers exchange three messages to
complete Quick Mode.
Replay
An attack that captures data packets sent from one IKE peer to another, and then sends them to the
recipient again.
The attacker can get information about the IPSec implementation from the responses it gets from
the recipient. Fireware XTM uses the sequence numbers in ESP packets to reject duplicate packets
and old packets, to protect against replay attacks.
SA
Security Association
Phase 1 SAs are
sometimes called
ISAKMP SAs. Phase 2
SAs are usually called
IPSec SAs.
This is a contract between two IPSec endpoints. The SA is an abstract object that contains all the
information necessary for two entities to exchange data securely. Successful completion of each
part of VPN negotiations, Phase 1 and Phase 2 negotiations, results in an SA.
There is only one Phase 1 SA between two IKE peers. The Phase 1 SA defines encryption and
authentication parameters that protect all Phase 2 negotiations.
The Phase 2 SA is unidirectional. If a tunnel is a bidirectional tunnel (traffic can go in and out of the
protected network), each peer has one incoming SA and one outgoing SA for that tunnel. Thus,
each tunnel has at least one Phase 2 SA, and usually has two. However, there can be multiple
tunnels between two IKE peers. Each Tunnel Route you add to the Branch Office Tunnel results in
at least one unique Phase 2 SA (and usually two, because most tunnels are bidirectional) when
Phase 2 negotiations finish.
SHA-1 and SHA-2
Secure Hash Algorithm 1 and Secure Hash Algorithm 2
These are types of hash algorithms called cryptographic hash functions. They provide data integrity
(a guarantee that the data has not changed in transit) as well as authentication of the data (a
guarantee that the data came from the proper source). SHA-1 is considered a stronger hash
algorithm than MD5. SHA-2 is stronger than SHA-1, but is more computationally intensive.
SPI
Security Parameters Index
This is a unique 32-bit number that identifies an IPSec (Phase 2) SA. The SPI number is an identifier
in the header of every IPSec data packet. This number tells the receiving gateway device to which
IPSec data flow the packet belongs. The SPI number is not bidirectional. Each device keeps an SPI
number for traffic it sends (outgoing SPI) and an SPI number for traffic it receives (incoming SPI).
Traffic selector
The configuration parameter that tells the gateway device what traffic should be handled by IPSec.
Traffic selectors in Fireware XTM are called tunnel routes. Traffic selectors consist of source IP
addresses and destination IP addresses. Each peer has a reverse match of the other peers traffic
selectors. If one peer has subnet A as the local part of its traffic selector and subnet B as the remote
part of its traffic selector, then the other peer has subnet B as local and subnet A as remote.
When a data packet comes in from a host on an internal network, Fireware XTM checks to see if the
source and destination IP addresses of the packet match a traffic selector. If they do, and if there is a
policy to allow the traffic, then Fireware XTM encapsulates the data packet in IPSec and sends it to
the IPSec peer.
In versions of Fireware XTM prior to v11.3.1, the XTM devices always used IPSec to process the traffic
when a traffic selector matches. In Fireware XTM v11.3.1 and later, the XTM device does a route
lookup first. If a traffic flow matches an IPSec traffic selector, but a route to the destination also
exists in the devices local routing table (not in the devices default route), the device can honor that
route. To configure the XTM device to honor non-default routes and use them to take precedence
over IPSec traffic selectors, in VPN settings (select VPN > VPN Settings), select the Enable the use
of non-default (static or dynamic) routes to determine if IPSec is used check box.
Tunnel
The virtual path between two locations on the Internet that have a VPN between them.
This virtual path is called a tunnel because data packets are encapsulated inside ESP headers and
trailers, and inside a new IP header. Thus, two computers behind two IKE gateways can send packets
to private IP addresses, effectively tunneling through the public Internet.
10
11
3. Click Add.
The New Gateway dialog box appears. The subsequent sections discuss the different parts of this dialog box.
12
You specify which method the peers use in the New Gateway dialog box, on the General Settings tab,
in the Credential Method section.
Pre-Shared Key
The pre-shared key is a way for each device to prove that it is the authorized IKE peer for this VPN. The
devices use the pre-shared key, along with the Phase 1 identifier, to verify that the remote peer is the
correct entity and not an imposter. Do not give the pre-shared key to anyone except the administrator
of the remote IKE peer device.
If you use a pre-shared key, make sure to choose characters that are difficult to guess. You can use a
string of numbers, upper and lower-case letters, and punctuation marks. The pre-shared key must
exactly match the pre-shared key that the remote device uses.
We recommend that you use pre-shared keys for your first VPN. They are easier to configure than
certificates, and it is less likely that you will make an error.
13
When your XTM device responds to IKE negotiations from the peer, your XTM device must decide:
Does my configuration allow me to negotiate with this device, based on the way the device
identifies itself and the source IP address of the IKE packets?
If I specified more than one external interface for this peer to use for negotiations, did the IKE
packets come to the correct one?
The Use modem for
failover check box
appears only if serial
modem failover is
enabled in the device
network settings.
You specify how the XTM device answers these question when you configure the Gateway Endpoints
at the bottom of the New Gateway dialog box.
Each row in the Gateway Endpoints list in Figure 5 represents one set of gateway endpoints. You can
add more than one set of gateway endpoints if either device has more than one external interface it
can use to send and receive IKE negotiations. This allows VPN Failover to occur.
An IPSec device can terminate a specific VPN on only one interface at a time. However, if a device has
more than one external interface and one of them is not available, your XTM device can try to negotiate
the VPN through a different external interface. You can also use a modem for VPN failover, if you have
enabled serial modem failover on the device.
Modem failover is
supported on XTM 2
Series, 3 Series, and 5
Series devices, and
Firebox T10 devices.
14
This dialog box has two separate sections used to define a set of gateway endpoints:
Local Gateway This section is for identification of the local gateway (at the top), and is used to
configure how this XTM device identifies itself.
Remote Gateway This section is for identification of the remote gateway (at the bottom), and is
used to configure how the XTM device expects the peer to identify itself.
A set of gateway endpoints is a set of Phase 1 identifier information for each IKE peer (your XTM device
and the remote device). Phase 1 identifiers are used like this:
Each side configures its device to send identifying information (Phase 1 ID) to the other side during
Phase 1. The ID has a specific type and a value for that type.
Each side also specifies an ID type and a value for that ID type for the remote device. This tells the
local device what to expect from the remote device during Phase 1 negotiations.
Each devices Phase 1 identifier must exactly match what the other device expects to receive. If the
ID information that one device sends to its peer does not match what the peer expects, IKE
negotiations fail.
15
Each device can use one of four types of identifiers, or Phase 1 ID types:
After each ID type we
show the common
representation of the
ID type as it is defined
in the relevant RFCs.
For example, with the
IP Address ID Type, the
IKE RFCs define the ID
type ID_IPv4_ADDR.
IP Address (ID_IPv4_ADDR)
The value for this ID type must be a dotted-decimal IP address, without a subnet mask. This is
almost always the IP address assigned to the device interface that terminates the VPN.
In some network topologies, the value for the IP address ID type can instead be the IP address of a
device configured for Network Address Translation (NAT) that is between the IPSec device and the
Internet. In these cases, the NAT device has a one-to-one NAT mapping that sends all ports and
protocols to the IPSec device behind it.
Domain Name (ID_FQDN)
The value for this ID type is a string of text. This is usually a fully qualified domain name (such as
example.domain.com or myexample.com) that has a record in the DNS system for the IP address
assigned to the external interface.
It is not necessary for this name to have a corresponding record in DNS. The value for this ID type
can also be a simple name that serves only as a Phase 1 identifier, but does not have an address
record in DNS.
If your XTM device has a static IP address on the external interface and you publish a DNS record for
this IP address, you can use the domain name for the Phase 1 identifier. To learn your XTM device IP
address, the other device can send a DNS query for the domain name. However, in these cases you
usually use the IP address for the Phase 1 identifier because the IP address never changes.
If your XTM device has a dynamic IP address and you use the Dynamic DNS service, you can use the
DynDNS host name for your Phase 1 identifier, for example, myexample.dyndns.org. The dynamic
DNS service lets the remote peer find your XTM device with a DNS query even when your XTM
device IP address changes often, so that the peer can initiate IKE negotiations.
Remember, this ID type is intended to relate to a DNS record but it is not necessary. Consider this
scenario:
IPSec device A has a dynamic IP address but does not use a dynamic DNS service. Thus the
DNS system has no record for device As external interface. Device A can use Domain Name
for its ID type, and the value can be a string of text that does not have a record in the DNS
system.
This is the only identifier information that the other IKE peer, device B, knows about device A.
When device B wants to initiate IKE negotiations to make the VPN to device A, device B sends
a DNS query to resolve this name to an IP address. The DNS query fails and device B cannot
find device A.
In this scenario, device A must be the initiator. IKE negotiations can succeed in this scenario
as long as all other parameters match. Aggressive Mode must be used.
If you use certificates for the credential method, the value for this ID type is the DNS Name or
Domain Name field in the certificate. When you view the certificate with a Windows certificate
viewer, the certificate field name is DNS Name, and it is listed as a Subject Alternative Name.
If you enable VPN failover to a modem, you must configure the local gateway to use an ID (rather
than an IP address) for the gateway ID type. The ID does not need to match an actual domain
name.
16
17
The details you include in the Local Gateway section depend on how the external interface is
configured:
In versions prior to
11.x, the IP Address
drop-down list in
Figure 7 shows the IP
addresses for all the
XTM device interfaces.
Be careful to not select
an optional or trusted
IP address. The XTM
device can terminate
BOVPNs only on
external interfaces.
If your XTM device has a static public IP address on the external interface, your XTM device should
use the external interface IP address to identify itself to the remote device.
Select the By IP Address option. In the IP Address text box, select or type the external interface IP
address.
If your XTM device has a dynamic IP address on the external interface (DHCP or PPPoE), the IP
address assigned to your XTM device external interface changes often, so the remote peer cannot
expect your XTM device to use the external interface IP address as the IKE identifier.
In this case, you must select the By Domain Information option. Then click Configure.
Figure 8: Local Gateway ID information if the XTM device has a dynamic address
18
If you use pre-shared keys for the credential method, you can specify two different types of Domain
Information identifier:
By Domain Name
If you registered your own domain name, use that name. Because the remote peer will usually send
a DNS query to find your XTM device IP address, the DNS system should always resolve this domain
name to the external IP address of your XTM device.
If you use the Dynamic DNS capability of the XTM device, you can use the DynDNS domain name
that you register. This way, the remote device can find your XTM device by DNS lookup.
It is not necessary for the DNS system to have a record associated with the name you use here. If
the DNS system does not have a record for this domain name, then the remote device cannot find
your XTM device by DNS lookup. In this case, your XTM device must be the one to initiate the IKE
negotiations.
Remember that the remote peer usually does a DNS query to resolve this name to an IP address,
even when the DNS system has no such record. If you do not register a DNS name for your XTM
device (whether DynDNS or a static record), you should use the next ID type, User ID on Domain, so
that the remote peer does not waste CPU cycles with an unnecessary DNS query.
By User ID on Domain
Use this ID type if the DNS system has no address record for your XTM device external interface IP
address. In this case, your XTM device must be the initiator.
If the XTM device has a certificate available and you use certificates for the credential method in
Figure 4, one additional option appears in the Figure 9 dialog box:
By x500 Name:
Figure 10: Local Gateway ID information if you use certificates for the credential method
You can use this type of local gateway identifier only if you use certificates for the credential
method. The X500 name is the distinguished name in the certificate you select for this gateway.
This name appears in the certificate as the Subject Name.
When you use certificates for credentials and you select By Domain Information for the local
gateway identifier, you cannot edit the value for the local ID type you select. Policy Manager
automatically puts the correct value for the ID type you select, based on the information in the
XTM device certificate.
19
For this XTM device to find the remote device, one of these conditions must be true:
The XTM device must know the IP address of the peer ahead of time.
If the remote device has a static IP address, select Static IP address and type the IP address in the
IP Address text box.
The XTM device must know a domain name that the DNS service can resolve to an IP address.
If the XTM device
cannot find the peer
with one of those
methods, then it
cannot initiate
negotiations. It must
wait for the other
device to initiate
negotiations.
20
When you use Domain Name or User ID @ Domain to specify the remote gateway ID, the Attempt to
resolve check box controls whether the XTM device attempts to resolve the domain.
Select the Attempt to resolve check box if the remote gateway uses dynamic DNS to maintain a
mapping between a dynamic IP address and a domain name.
To specify how the XTM device starts negotiations, in the New Gateway dialog box, select the Phase 1
Settings tab.
21
The XTM device can use one of three methods to start IKE negotiations:
The two devices agree
on all the same Phase 1
parameters regardless
of which mode is used.
The difference is the
number of packet
exchanges and how
much information
each packet contains.
Main Mode
Main Mode IKE negotiations require a total of six messages (three two-way exchanges of
information). The peers never exchange their identities in the clear.
Use Main Mode when both devices have static external IP addresses.
If you use pre-shared keys for the credential method, to use Main Mode, both sides must use an IP
address as the Phase 1 ID.
If one side or the other does not use an IP address for the Phase 1 ID type, you can use Main Mode
only if you use certificates for the credential method.
The XTM device will not use Aggressive Mode if you select Main Mode.
Aggressive Mode
Aggressive Mode IKE negotiations require a total of four messages. Each message includes more
information than in a Main Mode exchange. This makes Aggressive Mode more efficient than Main
Mode, but not as secure, because the peers exchange their identities without encryption.
Use Aggressive Mode when one of the devices has a dynamic external IP address, or both have
dynamic IP addresses. An exception is possible when you use certificates for the credential method
instead of pre-shared keys. See the previous description about Main Mode.
Main failback to Aggressive
To start IKE negotiations, the XTM device sends a Main Mode packet. If the remote gateway device
rejects the first packet, the XTM device sends an Aggressive Mode packet to try to start IKE
negotiations again.
When the XTM device is the responder, it completes either a Main Mode or an Aggressive Mode
exchange, depending on the way the peer initiates IKE negotiations.
Select this option if it is possible for the remote peer to use Main Mode, but you want negotiations
to succeed if the remote peer can only use Aggressive Mode.
22
When the IKE peers agree to use NAT Traversal, they make an additional step for each data packet sent
over the VPN. After an IPSec device encapsulates a data packet inside the IPSec wrapper, it
encapsulates it one more time inside a UDP wrapper.
By re-encapsulating traffic in UDP packets, the IKE peers can overcome the problems that IPSec has
with some implementations of NAT.
Traffic goes over UPD port 4500 when NAT Traversal is used.
How the Peers Detect Whether One of Them is Behind a NAT Device
If the peers can both use NAT-T, the second IKE packet from each peer includes a part called the NATDiscovery payload. The NAT-Discovery payload that one device sends includes the result of a
computation that is based on the source and destination IP addresses and the source and destination
ports of the packet when it leaves the IKE device.
When the peer device gets the NAT-Discovery payload, it performs the same computation in reverse,
based on the same type of information. However, the receiving end does the computation based on
the information it sees for the packet (which can be different from the information the sending device
sees when a NAT device is between the two).
Both sides compare the results of their own computation with the corresponding value each gets from
the other side. If one or both of the devices is behind a NAT, then the two results of the same
computation do not match because NAT changes the source IP addresses, the source ports, or both.
The mismatch means that there is a NAT device in front of one of the IKE peers.
If the values do match, then no NAT is detected and the devices do not use NAT-T. Even though both
devices can use NAT-T, it is not necessary if neither device is behind a NAT.
23
The NAT device maintains this map for only a short time when there is no traffic that matches the map.
If the device does not see traffic that uses the NAT map for a certain amount of time, it closes the NAT.
NAT timeouts for UDP traffic are typically much lower than NAT timeouts for TCP connections.
If UDP-encapsulated traffic is sent from behind the NAT device, NAT is opened on the NAT device.
To keep the IPSec tunnel active when NAT-T is used, the IPSec devices keep the NAT map alive. The
IPSec device behind a NAT sends a NAT-T keep-alive packet to keep the NAT map active. The peer that
receives the NAT keep-alive packet replies with a keep-alive ACK to keep the NAT active on the remote
NAT device.
The Keep-Alive Interval affects your XTM device only if your XTM device is the IKE peer behind the
NAT. It specifies how often your device sends a NAT keep-alive packet to keep the NAT map active on
the NAT device in front of the XTM device.
When the remote IKE peer is behind a NAT, it has its own settings for the keep-alive interval. Your XTM
device responds to the NAT keep-alive messages it gets from the other side, but your XTM device does
not influence the interval that the peer uses between the keep-alives it sends.
IKE Keep-alive and Dead Peer Detection (DPD, discussed in the next section) messages enable the XTM
device to detect if the IKE peer is still alive. For VPN failover, either IKE Keep-alive or DPD is the method
the XTM device uses to determine whether to fail over to another gateway endpoint pair.
This is the only part of the gateway configuration that is not actually part of the Phase 1 negotiations.
This setting is only to enable or disable the option, and to specify the interval between the messages.
For IKE Keep-alive to work, each peer must be able to respond to the keep-alive messages sent by the
other side.
All WatchGuard
products respond to
IKE Keep-alive
messages. However,
they are specific to
WatchGuard products,
so other vendors
appliances might not
respond.
24
When both peers can use IKE Keep-alive messages, each device sends a Hello packet (the IKE Keep-alive
message) to the other side at regular intervals. When a device receives an IKE Keep-alive packet, it
returns an acknowledgement (a keep-alive ACK) to the peer that sent the message. When the sending
peer gets the ACK, it knows that the remote peer is still alive and that the Phase 1 SA between them is
still valid.
If a device sends a specified number of keep-alive messages that get no response, the device closes the
VPN and tries to start tunnel negotiations again.
If you use VPN failover and the maximum number of keep-alive failures is reached, the XTM device
starts negotiations with the next gateway endpoints pair in the list (see Figure 5). If there is only one
pair in the list, the device starts IKE negotiations again with that pair.
For a fast VPN failover, we recommend you set the Message interval to a low value, such as 10
seconds, and set the Max failures to a lower value, such as 2.
If you have only one gateway endpoint pair for the gateway (you do not use VPN failover), keep the
default settings.
For a VPN to a third-party device (not a WatchGuard product) we recommend you do not use this
option. To configure the XTM device to not send keep-alive messages, clear the IKE Keep-alive
check box.
For a VPN to any Firebox or XTM device that can use Dead Peer Detection, we recommend you do
not use this option. To configure the device to not send keep-alive messages, clear the IKE Keepalive check box.
Dead Peer Detection (RFC3706) is a traffic-based detection of an inactive peer. It works in a similar (but
more intelligent) way to IKE Keep-alive. When Dead Peer Detection (DPD) is enabled, the XTM device
sends a DPD probe (a message similar to the IKE Keep-alive message) only if traffic is not received from
the peer for a specified length of time, and data is waiting to be sent to that peer. This method is more
scalable than IKE Keep-alive messages because DPD probes are sent only when no traffic is received
from the other side for some amount of time. (Compare this to the IKE Keep-alives mechanism, which
sends keep-alive messages at regular intervals regardless of the health of the tunnel.)
In the Traffic idle timeout text box, set the amount of time traffic can be idle before the XTM
device sends a DPD probe to the peer.
In the Max retries text box, set the number of times the XTM device should send a DPD probe
before the peer is declared dead because it received no response.
Dead Peer Detection is an industry standard that is used by most IPSec devices. If it is supported by the
devices on both ends, we recommend you use Dead Peer Detection instead of IKE Keep-alive,
particularly for VPN failover.
Note
Do not select both IKE Keep-alive and Dead Peer Detection. Use one or the other, but not both. Use
Dead Peer Detection if both endpoint devices support it.
25
The Transform Settings list includes the Phase 1 transforms the XTM device can send for this VPN.
To add a transform, click Add.
To edit a transform, select a transform in the list and click Edit.
The Phase 1 Transform dialog box appears.
The Phase 1 transform settings must exactly match the settings for the Phase 1 transform that the IKE
peer accepts, or IKE negotiations fail. The items you can set in the transform are:
Authentication
Authentication ensures that the information received is exactly the same as the information sent.
You can use SHA1, MD5, or SHA2 with 256, 384, or 512-bit key strength as the algorithm the peers
use to authenticate IKE messages from each other. SHA2 is the most secure.
Encryption
Encryption keeps the data confidential. You can select DES, 3DES, or AES with 128, 192, or 256-bit
key strength. AES is the most secure.
SA Life
When Phase 1 is completed, the two peers have a Phase 1 Security Association (SA). This SA is
valid for only a certain amount of time. After the Phase 1 SA expires, any new Phase 2 renegotiation
requires the two peers to also renegotiate Phase 1.
Some IKE peers can also specify an amount of data, in KB, that can pass through the VPN before the
Phase 1 SA Life expires. Fireware XTM does not specify a data lifetime. In general, if the peer
requires a value for Phase 1 SA data limit, you set the peer to use 0 KB to specify no KB timeout.
Key Group
The Diffie-Hellman Group specifies the length of a mathematical parameter used for the DiffieHellman key exchange. You can select group 1, 2, or 5. A higher number indicates a more secure
key exchange.
Because there are many different possible combinations of values for the four items in the Phase 1 SA
proposal, it is always better to get the exact Phase 1 parameters that the remote peer uses. Try not to
guess, or to rely on multiple possibilities.
In some situations, however, the administrator of the remote device may give you incomplete
information. Or, the peer device may have certain IKE or IPSec settings hard-coded and the
configuration might not show these settings. In other words, the administrator might not know what
the device will send or accept for some parameter and cannot configure it. In these situations, get as
much information as you can. Tell the administrator of the peer device to check the manufacturers
documentation to discover the values for hard-coded parameters.
Note
You can add more than one Phase 1 transform only if you use Main Mode for Phase 1. If you use
Aggressive Mode, you can only have one Phase 1 transform in the gateway configuration.
27
Figure 18: The newly configured gateway appears in the Gateways list.
28
3. Click Add.
The New Tunnel dialog box appears.
Figure 20: New tunnel. Make sure to select the correct gateway.
4. In the Tunnel Name text box, type a friendly name for the tunnel.
For this example, we type Main_Office_Tunnel.
Fireware XTM does not send this name to the peer device. It is only used to identify the tunnel in your devices
configuration.
The subsequent sections describe the purpose of each element in the tunnel configuration.
29
Because the Phase 2 IDs are part of the Phase 2 Security Association (SA), they are sent as part of the
Phase 2 negotiations. Fireware XTM supports three types of Phase 2 IDs:
Host IP address [ID_IPV4_ADDR]
This is a simple dotted-decimal IP address. For example, 192.168.50.200.
Network IP Address [ID_IPV4_ADDR_SUBNET]
This is a dotted-decimal IP address that represents a subnet, followed by the slash notation of the
subnet mask. Although you use slash notation for the network IP address, Fireware XTM sends the
Phase 2 ID as a dotted-decimal IP address followed by a dotted-decimal subnet mask.
For example, if the network IP address is 192.168.50.0/24, Fireware XTM sends the Phase 2 ID as:
192.168.50.0 255.255.255.0
IP address range [ID_IPV4_ADDR_RANGE]
This is a range of IP addresses. The range you specify includes the first IP address and the last IP
address you specify, as well as every IP address in between.
When you add tunnel routes on the Addresses tab of the New Tunnel dialog box, you specify the
Phase 2 IDs.
Figure 21: The Addresses tab for this tunnel includes IP subnets for the Phase 2 IDs.
The remote IKE peer must have the same type of Phase 2 IDs and they must be the reverse of the Phase
2 IDs on your XTM device.
30
The devices on both ends of the tunnel must use Fireware XTM v11.x to enable this option. When you
enable broadcast routing, the tunnel supports broadcasts only to the limited broadcast IP address,
255.255.255.255. Local subnet broadcast traffic is not routed through the tunnel. (A local subnet
broadcast is also called a directed broadcast, such as the 192.168.1.255 in the 192.168.1.0/24 network).
If you select this option, make sure to configure Helper Addresses.
Figure 23: The Addresses tab for this tunnel shows the IP subnets in bold, to indicate that broadcast routing
is enabled for this tunnel.
31
We recommend that
you use IP addresses
that are not used by
any local or remote
network to ensure that
the addresses do not
conflict with any other
device.
If broadcast routing through the tunnel is enabled for the added tunnel routes, the tunnel resources
appear in bold. When broadcast routing is enabled, you must configure Helper Addresses,. We
recommend you use IP addresses in a private network IP address range that is not used by any local
network or by any remote network connected through a VPN. The XTM device uses these addresses as
the endpoints of the GRE tunnel (General Routing Encapsulation tunnel protocol) inside the IPSec
BOVPN tunnel. The XTM device sends the broadcast traffic through the GRE tunnel.
The remote IKE peer must use the same Helper Addresses, and they must be the reverse of your XTM
device Helper Addresses.
When broadcast routing is not enabled the tunnel resources are not bold and the Helper Addresses are
not required.
Broadcast routing is not supported through a BOVPN virtual interface.
Like broadcast over BOVPN, multicast over VPN requires that you add Helper Addresses in the tunnel
configuration to negotiate the GRE Tunnel.
32
The settings in Figure 24 show that the XTM device is enabled to send multicast traffic. This means that
the origination IP address is a host within the trusted interface network.
Origination IP The IP address of the multicast sending device at one end of the tunnel.
Group IP A reserved multicast group IP address that is associated with recipients of the
multicast traffic.
Input Interface The XTM device internal interface with the subnet that holds the origination IP
address as one of its hosts.
The settings in Figure 25 show that the XTM device is enabled to receive multicast traffic. The
origination IP address is an address on the other end of the tunnel.
Origination IP and Group IP The same values as in the tunnel configuration of the sending
XTM device.
Output Interface The XTM device internal interfaces where the multicast traffic is routed. The
receiving hosts must be located on one of the selected internal interfaces.
The multicast settings for a BOVPN virtual interface are exactly the same as the multicast settings in a
tunnel, except that helper addresses are not required for a BOVPN virtual interface.
33
Peers Agree on Whether to Use Perfect Forward Secrecy and Which DiffieHellman Group to Use for PFS
At the top of the New Tunnel dialog box Phase 2 Settings tab, you specify whether to use Perfect
Forward Secrecy (PFS) and which Diffie-Hellman group to use to generate new keying material.
34
1. In the New Tunnel dialog box, select the Phase 2 Settings tab.
2. From the IPSec Proposals list, select a Phase 2 proposal.
Or, click Add to create a new proposal.
35
3. In the Proposal Details section, configure these options for the new Phase 2 proposal:
Name
Type a name for the proposal. Fireware XTM does not send this name to the IKE peer; it is only for
your identification purposes.
Type
Most often, you select ESP (Encapsulating Security Payload). ESP provides authentication and
encryption of the data that passes over the VPN. The other option, AH (Authentication Header),
provides no encryption to the data that passes over the VPN. AH only provides authentication of
the data. (If you select AH, the Encryption drop-down list in Figure 28 is not available.
Authentication
Authentication ensures that the information received is exactly the same as the information sent.
You can select SHA2, SHA1, or MD5 as the algorithm the peers use to authenticate IKE messages
from each other. SHA2 is the most secure.
Encryption
Encryption keeps the data confidential.
You can select DES, 3DES, or AES with 128, 192, or 256-bit key strength. AES is the most secure.
Force Key Expiration
The longer a Phase 2 encryption key is in use, the more data an attacker has for mounting an
attack on the key. Phase 2 expiration can happen based on the amount of time passed since the
SA was created, the amount of data that goes over the VPN since the SA was created, or both.
- Select the Time check box to expire the key after a quantity of time. Type or select the
quantity of time that must pass to force the key to expire.
- Select the Traffic check box to expire the key after a quantity of traffic. Type or select the
number of kilobytes of traffic that must pass to force the key to expire.
If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.
36
How the XTM Device Detects That the IPSec Peer Gateway is Down
The XTM device detects that the IPSec peer gateway is down in two ways:
IKE Keep-alive or DPD messages get no response
Ethernet link failure is detected on an external interface
37
To use certificates with a VPN, each gateway endpoint must have these certificates:
The CA certificate from the certification authority that issued the certificate for the local device.
Your XTM device must verify the client certificate for the local device (see the subsequent point). It
does this with the CA certificate from the authority that issued the client certificate. Make sure you
import the CA certificate before you import the client certificate. This enables the XTM device to
verify the client certificate.
The client certificate for the local device.
For your XTM device, this is the certificate that your XTM device sends to its VPN peer. The peer
device verifies this certificate by checking it against a CA certificate.
The CA certificate from the certification authority that issued the remote devices IPSec certificate.
When your XTM device receives an IPSec certificate from its IKE peer, it must have a way to verify
the peers certificate. It does this with the CA certificate of the certification authority that signed
the remote peers certificate.
Only client certificates
appear in Policy
Manager; you do not
manage CA certificates
with Policy Manager.
Use Firebox System
Manager to see CA
certificates.
The certificates that your XTM device can use to prove its identity appear in New Gateway dialog box
in the Select the certificate to be used for the Gateway list (see Figure 4). Items in this list can be
certificates that were issued by a WatchGuard Management Server, or certificates issued by a thirdparty certification authority that you manually import to the XTM device.
38
If you choose not to create a managed VPN between two managed XTM devices, you can use Policy
Manager to manually set up a VPN between them. You can use the certificates issued by the
Management Server when you create a manual VPN.
The WatchGuard Management Server automatically sends an IPSec certificate to the managed XTM
device, and it appears at the bottom of the New Gateway dialog box. You can use this certificate to
create a VPN to another Firebox or XTM device if both devices are managed by the same WatchGuard
Management Server. The Management Server also automatically sends each managed XTM device the
CA certificate so that each XTM device can verify the certificate that its peer sends in Phase 1. You do
not manually import any certificates (described in the next section) if you use these certificates.
2. Click .
Or, select View > Certificates.
The Certificates dialog box for this XTM device appears.
Certificates must be in
Base-64 format.
You must provide the XTM device configuration (read-write) passphrase to import a certificate.
After you import the certificate and open Policy Manager, it will appear at the bottom of the New Gateway
dialog box.
39
A certification authority can revoke a certificate that it previously issued. When it does this, the
certification authority declares that it no longer guarantees the authenticity of the certificate, or the
identity of the certificate holder. To keep your certificate-based VPNs secure, the XTM device must have
access to a list of the revoked certificates, called a Certificate Revocation List (CRL).
To manually import the CRL, in the Certificates dialog box, click Import Certificate / CRL. After you
import this list, the XTM device consults it before it accepts a certificate from any IKE peer.
The XTM device can also consult a CRL server to see if a certificate is revoked.
To select the location of the CRL server:
3. Select the Enable LDAP server for certificate verification check box.
4. In the Server text box, type the IP address or domain name for the LDAP server that hosts the CRL.
The two most common
protocols used to
check CRLs are LDAP
and HTTP. Fireware
XTM v11.x can only use
LDAP to check CRLs,
not HTTP.
40
The XTM device can only use LDAP to check certificates against this CRL server. Change the port
number in the Port text box only if the LDAP server listens on a non-standard port for LDAP.
5. Click OK.
Automatically Add Policies That Allow Traffic Over All Ports And Protocols
When you select the Add this tunnel to the BOVPN-Allow policies check box in the tunnel or BOVPN
virtual interface configuration, Policy Manager automatically adds the Any policy to your
configuration. This policy allows all traffic through the VPN. You can remove this policy only when you
clear the Add this tunnel to the BOVPN-Allow policies check box in every tunnel.
41
42
When you run the VPN diagnostic report, Fireware XTM temporarily increases the diagnostic log level
for the selected gateway, and then collects detailed log data about the gateway and all associated
tunnels. At the end of the specified duration, the report is generated, and the log levels return to their
previous levels.
43
The VPN Diagnostic Report has six sections. The first two sections show the configuration settings for
the selected gateway and all tunnels that use that gateway.
Gateway Summary Shows a summary of the gateway configuration, including the
configuration of each configured gateway endpoint
Tunnel Summary Shows a summary of the tunnel configuration for all tunnels that use the
selected gateway
The last five sections show run-time information based on the log message data collected when the
report was run.
Run-time Info (bvpn routes) For a BOVPN virtual interface, shows the static and dynamic
routes that use the selected BOVPN virtual interface, and the metric for each route.
Run-time Info (gateway IKE_SA) Shows the status of the IKE (Phase 1) security association for
the selected gateway
Run-time Info (tunnel IPSEC_SA) Shows the status of the IPSec tunnel (Phase 2) security
association for active tunnels that use the selected gateway
Run-time Info (tunnel IPSec_SP) Shows the status of the IPSec tunnel (Phase 2) security policy
for active tunnels that use the selected gateway
Related Logs Shows tunnel negotiation log messages, if a tunnel negotiation occurs during the
time period that you run the diagnostic report
The information provided by the VPN Diagnostic Report can help you see the status of tunnel
negotiations, and help you determine what caused the tunnel negotiations to fail.
The VPN Diagnostic Report is especially helpful if you have multiple tunnels, because it helps you to
focus on just the one you want to troubleshoot.
44
You can use the gateway IP addresses to filter the log messages to find log messages related to a
specific gateway.
If you use this method to troubleshoot your BOVPN tunnels, you might need to increase the diagnostic
log level for IKE traffic in order to see enough detailed log information.
To change the diagnostic log level for IKE traffic:
You can still edit BOVPN gateway, tunnel, and virtual interface settings.
The tunnels associated with a disabled BOVPN gateway are disabled.
Disabled tunnel routes do not appear in the Status Report.
BOVPN virtual interface routes are not added to the routing table.
Disabled tunnels and BOVPN virtual interfaces are disabled in the BOVPN-Allow.out and BOVPNAllow.in policies.
45
Training Environment
The exercises in this training assume the following network configuration:
The training environment must include the following network equipment in order to support all of the
exercises in this course.
Two network hubs or switches, each with enough interfaces for the instructor and all of the student
XTM devices to connect.
- One switch is the primary external network for the student devices
- One switch is the secondary external network (WAN2) for the student devices in the MultiWAN failover exercises
Instructor XTM device connected to both switches and configured to act as the default gateway for
the external networks for student devices. The instructor XTM device must be configured with
these addresses:
- Eth0 (External) Use appropriate addressing for a training environment with an Internet
connection. (This is optional - Internet access is not required for these exercises)
- Eth1 (Trusted) 203.0.113.1/24 The default gateway for the primary external interface on
student devices.
- Eth2 (Trusted) 192.51.100.1 The default gateway for the secondary external interfaces
for student devices configured for multi-WAN
46
Firewall Configuration
If your XTM device is not yet configured, run the Quick Setup Wizard and select Routed Mode.
47
Exercise 1:
In this exercise, you configure a single-WAN XTM device and a multi-WAN XTM device. The network
configuration in this exercise is a prerequisite for all subsequent VPN exercises.
After you complete Exercise 1, you can complete the subsequent exercises in any order.
Network Topology
This diagram shows the two XTM devices and their external interfaces connected to the Internet.
The training environment is set up to simulate the Internet connections. For these exercises, you will
configure XTM device A with one external interface and configure XTM device B with two external
interfaces.
In these exercises you work with a partner. Student A configures the single-WAN XTM device (XTM
Device A). Student B configures the multi-WAN XTM device (XTM Device B). These exercises require that
you configure two XTM devices with different IP addresses. For the instructions in these exercises, we
assume each device is configured by a different student. The student numbers in the IP addresses are
represented as A and B. The configuration settings shown in these exercises assume that:
Site A is configured by student A, who is assigned student number 10
Site B is configured by Student B, who is assigned student number 20
In all of these exercises, when you configure the network settings, use the student numbers your
instructor gives you.
Replace the A in the IP address with the student number of the student who manages the Site A
device.
Replace the B in the IP address with the student number of the student who manages the Site B
device.
48
2. Set the IP address for Interface 0 to 203.0.113.A/24, and the default gateway to
203.0.113.1.
3. Click OK to return to Policy Manager.
4. Save the configuration to the XTM device.
49
XTM Device B
1. Connect one end of an Ethernet cable to the device Interface 6.
2. Connect the other end of this Ethernet cable to the hub or switch that connects to the 198.51.100.x
network.
50
Exercise 2:
When your XTM device has only one external interface, and you create a VPN to an XTM device that has
more than one external interface, your XTM device has more than one remote gateway to select for IKE
negotiations. If one of the external interfaces on the remote XTM device does not respond, your XTM
device can try another external interface at the remote peer.
Conversely, if your XTM device has more than one external interface, and one of the interfaces is not
available, it can use the other external interface to create a VPN to its remote peer.
12. To add a second gateway endpoints pair, repeat Steps 612. Make sure to change the Remote
Gateway settings, as described in the subsequent steps.
13. In the Local Gateway section, select By IP Address.
In the IP address text box, type 203.0.113.A.
This part is the same as the previous gateway endpoint pair. Your device has only one external interface.
51
18. In the Dead Peer Detection section, set the Max retries value to 3.
This is set to a lower value than the default to ensure a faster VPN failover.
2. Click Add.
The New Tunnel dialog box appears.
Do not give your
tunnel the same name
as the branch office
gateway.
3. In the Tunnel Name text box, type a friendly name for the tunnel.
For this exercise, type Tunnel_to_Device_B.
4. Click Add and add a new tunnel route.
The Tunnel Route Settings dialog box appears.
5. In the Local text box, type the network address of the trusted interface on your device in slash
notation. Type 10.0.A.0/24.
6. In the Remote text box, type the trusted network address at the remote device.
Type 10.0.B.0/24.
7. Click OK.
The new tunnel route appears in the New Tunnel dialog box in the Addresses list.
8. Make sure the Add this tunnel to the BOVPN-Allow policies check box is selected.
When this check box is selected, Policy Manager automatically adds the BOVPN-Allow.out and BOVPNAllow.in policies that allow all traffic to flow between the two trusted networks.
9. Click OK.
The new tunnel appears in the Branch Office IPSec Tunnels dialog box.
52
12. To add a second gateway endpoints pair, repeat Steps 611. Make sure to change the Local
Gateway settings, as described in the subsequent steps.
13. In the Local Gateway section, select By IP Address.
In the IP address text box, type 198.51.100.B.
14. From the External Interface drop-down list, select WAN2.
This is the most common place to make an error. Make sure to select the interface name that corresponds to
the secondary WAN interface on this device.
19. In the Dead Peer Detection section, set the Max retries value to 3.
This is set to a lower value than the default to ensure a faster VPN failover.
53
2. Click Add.
The New Tunnel dialog box appears.
3. In the Tunnel Name text box, type a friendly name for the tunnel.
For this exercise, type Tunnel_to_Device_A.
4. Click Add and add a new tunnel route.
The Tunnel Route Settings dialog box appears.
5. In the Local text box, type the network address of the trusted interface on your device in slash
notation.
For this exercise, type 10.0.B.0/24.
6. In the Remote text box, type the trusted network address at the remote device, 10.0.A.0/24.
7. Click OK.
The new tunnel route appears in the Addresses list.
8. Make sure the Add this tunnel to the BOVPN-Allow policies check box is selected.
When this option is selected, Policy Manager automatically adds the BOVPN-Allow.out and BOVPN-Allow.in
policies to your configuration. These policies allow all traffic to flow between the two trusted networks.
9. Click OK.
The new tunnel appears in the Branch Office IPSec Tunnels dialog box.
54
Ping from an XTM device interface to the trusted interface on the other device
1. Connect to your device with Firebox System Manager.
2. Select Tools > Diagnostic Tasks.
The Diagnostic Tasks dialog box appears.
55
Exercise 3:
Configure a BOVPN Virtual Interface Between a SingleWAN XTM Device and a Multi-WAN XTM Device
In this exercise, you configure the same VPN tunnels as the previous exercise, except that you configure
them within a BOVPN virtual interface, with static routes defined to the trusted network on the peer
device.
The finished gateway configuration for the BOVPN virtual interface between device A for student 10
and Device B for student 20 looks like this:
4. In the Route To text box, type the network IP address of the private network on the Site B device,
10.0.B.0/24.
5. Click OK.
Branch Office VPN Tunnels
57
2. In the Dead Peer Detection section, set the Max retries value to 3.
This is set to a lower value than the default to ensure a faster VPN failover.
58
The finished gateway configuration for the BOVPN virtual interface between Device B for student 20
and Device A for student 10 looks like this:
4. In the Route To text box, type the network IP address of the private network on the Site A device,
10.0.A.0/24.
5. Click OK.
Branch Office VPN Tunnels
59
2. In the Dead Peer Detection section, set the Max retries value to 3.
This is set to a lower value than the default to ensure a faster VPN failover.
60
Exercise 4:
Because you use routes to define what traffic to send through a BOVPN virtual interface, you can create
more than one BOVPN virtual interface, and set different metrics for routes to the same network. This
enables you to configure a primary tunnel that fails over to a secondary tunnel if the primary tunnel is
not available. For this exercise, you configure the BOVPN virtual interface tunnel to Interface 0 on the
Site B device as the primary, with failover to the WAN2 interface as a secondary tunnel.
61
4. In the Route To text box, type the network IP address of the private network on the Site B device,
10.0.B.0/24.
5. Click OK.
62
4. In the Route To text box, type the network IP address of the private network on the Site B device,
10.0.B.0/24.
5. In the Metric text box, type or select 20.
You set the metric higher for this route than for the same route in the other BOVPN virtual interface because
we do not want the XTM device to use this route unless the route through the primary VPN tunnel is not
available.
6. Click OK.
4. Click Close.
63
3. Click OK.
4. Save the configuration to the XTM device.
15. From the Choose Type drop-down list, select Network IPv4.
16. In the Route To text box, type the network IP address of the private network on the Site A device,
10.0.A.0/24.
17. Click OK.
13. In the Route To text box, type the network IP address of the private network on the Site B device,
10.0.A.0/24.
65
66
Ping from an XTM device interface to the trusted interface on the other device
1. Connect to your device with Firebox System Manager.
2. Select Tools > Diagnostic Tasks.
The Diagnostic Tasks dialog box appears.
The devices start to send the ping traffic through the BOVPN interface bvpn2 that uses XTM Device Bs
secondary WAN interface. Only one to three pings should time out.
67
Each route includes the BOVPN virtual interface device name bvpn1 or bvpn2 to indicate which
tunnel the route uses.
68
If the destination IP address of a packet matches more than one route in the route table, the XTM
device uses the route with the lower metric as the preferred route. This exercise demonstrates that
when the tunnel for a BOVPN virtual interface is down, the XTM device automatically changes the
metric for that route to 255. This enables the XTM device to use another route if one is available. If no
other route to that destination is available, the XTM device continues to try to send the traffic to the
route with the metric of 255.
You can optionally configure the XTM device to completely remove VPN routes when the virtual
interface is down. If the route is completely removed, and there are no other routes that match the
traffic destination, the XTM device sends the traffic through the default route, which could be an
unencrypted connection.
You can select this option in the global VPN settings.
If you select this check box, you must do one of two things to make sure that the VPN routes for a
BOVPN virtual interface are added to the routes table when the tunnel is available. You can either
enable policy-based routing for the BOVPN virtual interface, or, in the BOVPN virtual interface
settings, select the Start Phase1 tunnel when it is inactive check box. This is selected by default
when you configure the BOVPN virtual interface.
69
Exercise 5:
Configuration of
dynamic routing is
described in detail in
the Fireware XTM
Advanced Networking
course.
This exercise demonstrates how you can use a BOVPN virtual interface in a dynamic routing
configuration. This exercise includes a sample OSPF dynamic routing configuration for you to use.
70
7. Edit the second network command to replace the letter A with your student number, so that the IP
address matches your trusted network subnet.
The second network command identifies the subnet that you want the XTM device to advertise a route for.
8. Click OK.
9. Click Yes to add the dynamic routing policies.
10. Save the configuration to the XTM device.
71
73
For example, if Device A is configured by student 10, and Device B is configured by student 20, the
routes on Device A look like this:
The BOVPN virtual interface IP address, and device name bvpn1 appear in the dynamic route.
In this simple example, each device propagates the route for a single private network. Dynamic routing
is most useful when you have more than one local network that you want to distribute routes for. The
advantage of dynamic routing over static routes, is that when your local network changes, you can just
update the local dynamic routing configuration to propagate routes to additional local networks. The
peer device automatically learns the routes and adds them to the routing table. Dynamic routing
eliminates the need to add static VPN routes on each devices for each remote network.
74
75
Round-robin
Failover
Interface Overflow
Routing Table
The Routing module in the Advanced Networking course shows you how to configure static and
dynamic routing in Fireware XTM.
More FAQs
The WatchGuard Knowledge Base provides articles that can help expand your knowledge. For
example, the Knowledge Base has articles about:
- BOVPN Interoperability
- Use NAT through a BOVPN tunnel
- Set up a default route to send all Internet-bound traffic through a BOVPN
- Use tunnel switching to route VPN traffic between two BOVPN tunnels
- Use traffic management with BOVPN tunnels
- Improve availability of your VPN connection
- Configure VPN failover
Search the Knowledge Base at http://customers.watchguard.com.
76
1. True or false? The XTM device uses the Gateway Name as the Phase 1 ID to identify itself to the
remote peer.
2. True or false? If more than one pair of local/remote IP addresses can send traffic over the VPN, then
a unique SA is created for each pair.
3. To add multiple Phase 1 transforms, Phase 1 must be configured in __________ mode. (Select one.)
A)
Default
B)
Quick
C)
Aggressive
D)
Passive
E)
Main
A)
B)
C)
D)
5. True or false? You can configure a maximum of one tunnel per gateway.
6. Which is the most secure encryption method? (Select one.)
A)
SHA2
B)
MD5
C)
AES-128
D)
AES-256
E)
SHA1
F)
3DES
7. True or false? You can specify a BOVPN virtual interface as a destination in a policy.
8. Which of these methods can you use to route traffic through a BOVPN virtual interface? (Select all
that apply.)
A)
B)
C)
D)
77
78
7. True
8. A, C, D
Mobile VPN
Securely Connect Mobile Users
In this module, you will connect to one or more XTM devices. If you take this course with a WatchGuard
Certified Training Partner, your instructor will provide the IP address and passphrases for devices used
in the exercises. For self-instruction, you can safely connect to a XTM device on a production network. It
is helpful to conduct a portion of this exercise from a computer connected to the external network.
79
When you use Mobile VPN, you first configure your XTM device and then the remote client computers.
You use Policy Manager to configure the settings for each user or group of users. For Mobile VPN with
IPSec and Mobile VPN with SSL, Policy Manager creates a Mobile VPN client configuration file that
includes all the settings necessary to connect to the XTM device. You can also configure your policies to
allow or deny traffic from Mobile VPN clients. Mobile VPN users authenticate either to the Firebox user
database on the XTM device or to an external authentication server. In this module, we use the Firebox
authentication method to illustrate the authentication process.
We recommend that
you do not disable
IPSec in the Mobile
VPN with L2TP
configuration.
UDP port 4500 can also be necessary for Mobile VPN with L2TP VPNs when IPSec is enabled. This
port is for NAT Traversal (NAT-T). If either end (the XTM device or the remote client) is behind a
network device that does Network Address Translation, IPSec-encapsulated traffic is reencapsulated in new UDP port 4500 packets. This prevents problems that can occur with some NAT
devices that do not correctly handle IPSec traffic.
While there are subtle advantages and disadvantages to each method, the type of Mobile VPN you
select largely depends on your existing infrastructure and your network policy preferences. The XTM
device can manage all four types of mobile VPN simultaneously. A client computer can be configured
to use one or more VPN connection methods.
Some considerations that may influence your selection of a mobile VPN protocol are:
Encryption support
Client OS support
Authentication server compatibility
VPN tunnel capacity and licensing
Mobile VPN
81
Use this table to compare the characteristics of each mobile VPN protocol:
Mobile VPN
Type
Client OS Support
Authentication Server
Support
Mobile VPN
with PPTP
No client installation.
PPTP is included with
Windows OS
Firebox-DB
RADIUS
Mobile VPN
with IPSec
Firebox-DB
RADIUS*
LDAP
Active Directory
Firebox-DB
RADIUS
LDAP
RSA SecurID
Active Directory
Maximum number of
tunnels varies by XTM
device model.
Pro upgrade for the
Fireware XTM OS is
required for maximum
SSL VPN tunnels.
For more than one
SSL VPN tunnel you
must have a Pro
upgrade.
50 tunnels
Mobile VPN
with SSL
Windows Vista
Windows 7 and 8
Windows XP
Mac OS X 10.5
Mac OS X 10.6 (32bit)
Mobile VPN with SSL also
supports connections
from the OpenVPN
Connect client for
Android and iOS.
Mobile VPN
with L2TP
No client installation
necessary. Mobile VPN
with L2TP VPN supports
connections from most
L2TP VPN v2 clients that
comply with the L2TP
RFC 2661 standard.
WatchGuard Mobile VPN
app for iOS supports:
iOS 5.x and 6.x
Firebox-DB
RADIUS
Active Directory (only
through a RADIUS
server)
Maximum number of
tunnels varies by XTM
device model.
Pro upgrade for the
Fireware XTM OS is
required for maximum
L2TP VPN tunnels.
To support more than
one L2TP VPN tunnel
you must have a Pro
upgrade.
* The Shrew Soft IPSec VPN client is not compatible with 2-factor authentication.
For the base and maximum number of tunnels supported for Mobile VPN with IPSec and Mobile VPN
with SSL and Mobile VPN with L2TP, see the detailed specifications for your XTM device model.
Note
SSL, IPSec, and L2TP VPN support AES-256 encryption. PPTP supports 128 bit (non-AES) encryption.
82
It can be helpful to
think of the group
names in these policies
as aliases for all the
groups and users you
configured in the VPN
configuration.
Regardless of which authentication server you use, you must make sure that these users and
groups exist on the authentication server, for them to connect with Mobile VPN.
Mobile VPN
83
84
User authentication
server
Tunnel authentication
method
Internet Traffic
Force all Internet traffic through the tunnel (default-route VPN). The
VPN client on the Android device does not support split tunneling.
Phase 1
Authentication
Phase 1 Advanced
Settings
SA Life 1 hour.
The VPN client on the iOS device is configured to rekey after 1 hour. If
this profile is only used for connections by VPN client on Android and
iOS devices, set the SA Life to 1 hour to match the client setting.
Key Group Diffie-Hellman Group2
Do not change any other Phase 1 Advanced settings.
Phase 2 Proposal
Phase 2 PFS
Because these settings are the same as the settings required for the native VPN client on Mac OS X and
iOS devices, you can use the same profile for Android, Mac OS X and iOS mobile users.
Mobile VPN
85
7. Type the passphrase received from the administrator to decrypt the file.
8. The WatchGuard Mobile VPN app imports the configuration and creates a VPN connection profile.
9. Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection.
86
Many of the VPN tunnel configuration settings in the VPN client on the iOS device are not configurable
by the user. It is very important to configure the settings on your XTM device to match the settings
required by the VPN client on the Mac OS X or iOS device.
The Mobile VPN with IPSec configuration settings on the XTM device must be set to values that are
shown in the subsequent table.
Configuration
User authentication
server
Tunnel authentication
method
Set a Tunnel passphrase. The VPN client on iOS cannot use an RSA
certificate for tunnel authentication.
Internet Traffic
Force all Internet traffic through the tunnel (default-route VPN). The VPN
client on the iOS device does not support split tunneling.
Phase 1
Authentication
Phase 1 Advanced
Settings
SA Life 1 hour.
The VPN client on the iOS device is configured to rekey after 1 hour. If this
profile is only used for connections by VPN client on iOS devices, set the
SA Life to 1 hour to match the client setting.
Key Group Diffie-Hellman Group2
Do not change any other Phase 1 Advanced settings.
Phase 2 Proposal
Phase 2 PFS
Disable PFS. Perfect Forward Secrecy is not supported by the VPN client
on the iOS device.
Mobile VPN
87
Option 1: Use the WatchGuard Mobile VPN app to Import VPN Settings to the iOS Native
VPN Client
1. In Policy Manager, select VPN > Mobile VPN > IPSec.
2. Select the Mobile VPN group. Click Generate.
The .wgm file is generated and encrypted with the passphrase specified in the Mobile VPN with IPSec
configuration.
8. Type the passphrase received from the administrator to decrypt the file.
The WatchGuard Mobile VPN app imports the configuration to create an IPSec VPN configuration profile in
the native iOS VPN client.
Option 2: Manually Configure VPN Settings in the iOS Native VPN Client
1. On the iOS device, select Settings > General > Network > VPN > Add VPN Configuration.
2. Configure these settings in the VPN client:
- Server The external IP address of the XTM device
- Account The user name on the authentication server
- Use Certificate Set this option to OFF
- Group Name The group name in the XTM device Mobile VPN with IPSec configuration
- Secret The tunnel passphrase in the XTM device Mobile VPN with IPSec configuration
- Users Password The password for the user in the authentication server configuration
User authentication
server
Allowed Resources
Tunnel Authentication
Select Use Pre-Shared Key. The WatchGuard Mobile VPN app for iOS
does not support the use of certificates for authentication.
IPSec settings
Use the default settings. The default IPSec settings are compatible
with the native iOS VPN client.
1. In Policy Manager, select VPN > Mobile VPN > L2TP > Mobile Client.
11. Type the encryption password to decrypt the file and import it to the native iOS VPN client.
Now you can select the profile in the native iOS VPN client to start the connection.
Mobile VPN
89
90
Exercise 1:
Successful Company starts with just a few mobile users and decides to use the L2TP client built into the
Windows operating system on their laptop computers. It requires more configuration on the client
than the alternatives, but it is a good way to start to implement a company network policy which
includes remote users.
1. Open WatchGuard System Manager and connect to the XTM device you want to configure.
2. Click
Policy Manager opens the configuration file for the selected XTM device.
3. In Policy Manager, select VPN > Mobile VPN > L2TP > Activate.
The WatchGuard L2TP Setup Wizard welcome page appears.
4. Click Next.
The Select the user authentication servers page appears. Firebox-DB is selected by default.
Mobile VPN
91
8. Click Add.
The Add Address dialog box appears.
9. From the Choose Type drop-down list, select Host Range IPv4.
The Value and To text boxes appear in the dialog box.
Make sure you select
IP addresses that are
not used by any device
behind the XTM device.
13. In the Use Pre-Shared Key text box, type sshh-secret! or another text string at least 8
characters long.
14. Click Next. and then Finish to close the L2TP configuration wizard.
You can review your device configuration to see that the WatchGuard L2TP Setup Wizard made these
changes:
Enabled Mobile VPN with L2TP To see or edit the configuration, select VPN > Mobile VPN >
L2TP > Configure.
Automatically generated two policies:
WatchGuard L2TP This L2TP policy allows L2TP traffic to the XTM device on UDP port 1701.
Allow L2TP Users This Any policy allows the groups and users you configured for L2TP
authentication to get access to resources on your network.
92
7. Click OK.
The user is added to the L2TP-Users group. This user can now use the configured username and passphrase to
authenticate through an L2TP client.
Mobile VPN
93
If the user keeps this check box selected, traffic the remote user sends to the Internet goes through
your XTM device. This is known as default route VPN. To allow this traffic out to the Internet through
your XTM device, you must modify the policies in your device configuration that are to allow
outgoing traffic. Modify these policies to include the L2TP-Users group in the From list and the
external network in the To list.
This gives you, the administrator of the XTM device, control over what type of traffic the remote
users can send to the Internet while are connected to your protected network.
- Make sure that the IP addresses you have added to the L2TP address pool are included in
your dynamic NAT configuration on the XTM device. From Policy Manager, select Network >
NAT.
- Edit your policy configuration to allow connections from the L2TP-Users group through the
external interface. For example, if you use WebBlocker to control web access, add the L2TPUsers group to the proxy policy that is configured with WebBlocker enabled.
If the mobile user clears the Use default gateway on remote network check box
If the remote user clears this check box, then traffic the remote user sends to the Internet does not
go through the XTM device. This is known as split tunneling. If your L2TP VPN users use split
tunneling, it is important that you select the virtual IP address pool carefully. Because of the method
Windows uses to write routes to the local L2TP adapter, the computers L2TP adapter will be able to
route traffic only to the classful subnet of the received virtual IP address.
For example:
If the virtual IP address the mobile user receives for the VPN session is from the 10.1.1.x network,
the L2TP adapter will be able to route traffic to the entire 10.x.x.x/8 network.
(Class A networks are from 0.0.0.1 through 127.255.255.255)
If the virtual address is from the 172.16.1.x network, the L2TP adapter will route traffic only to the
172.16.0.0/16 network.
(Class B networks are from 128.0.0.0 through 191.255.255.255)
If the virtual IP address is from the 192.168.1.x network, the L2TP adapter will route traffic only to
the 192.168.1.0/24 network.
(Class C networks are from 192.0.0.0 through 223.255.255.255)
94
5. If your computer has an existing workplace connection, select No, create a new connection and
click Next.
The How do you want to connect page appears.
7. In the Internet address text box, type the hostname or IP address of the XTM device external
interface.
8. In the Destination name text box, type a name for the Mobile VPN (such as "L2TP to XTM").
9. Select whether you want other people to be able to use this connection.
10. Select the Dont connect now; just set it up so I can connect later check box so that the client
computer does not try to connect at this time.
11. Click Next.
The Type your user name and password page appears.
12. Type the User name and Password for the mobile user.
13. Click Create.
14. Click Close.
15. Click Connect to a Network.
A list of the configured VPN connections appears.
16. Select the name of the VPN connection you just created. Click Connect.
The Connect dialog box appears.
The General tab contains the hostname or IP address you provided in the New Connection Wizard.
You do not need to change anything on this tab unless the IP address of your XTM device changes.
If you wanted to
enable split tunneling,
you would do that in
the Networking tab.
Mobile VPN
95
Exercise 2:
For Mobile VPN with IPSec, the network security administrator controls Mobile VPN with IPSec
configuration files. You use Policy Manager to configure a user group with Mobile VPN with IPSec
access. For each user group with Mobile VPN with IPSec access, a Mobile VPN profile is saved in four
Mobile VPN configuration files with the file extensions *.wgx, *.ini, .vpn, and .wgm. The .wgx, .ini, .vpn,
and .wgx files contain the shared key, user identification, IP addresses, and settings that the VPN client
uses to create a secure tunnel between the remote computer and the XTM device. In this exercise, we
will use the *.vpn file.
Mobile VPN with IPSec generates Mobile VPN client configuration files for three different IPSec VPN
clients:
Shrew Soft VPN Client
WatchGuard added support for the Shrew Soft VPN client in Fireware XTM v11.3.4 and Fireware XTM
v11.4. This client is not supported in earlier versions of Fireware XTM. The Shrew Soft VPN client for
Windows uses the .vpn Mobile VPN client configuration file. The .vpn client configuration file is not
encrypted. We recommend that you use a secure method to distribute this file.
WatchGuard Mobile VPN with IPSec Client
The WatchGuard Mobile VPN with IPSec clients for Windows or Mac OS X use either the .wgx or the
.ini Mobile VPN client configuration file.
WatchGuard Mobile VPN Apps for Android and iOS
The WatchGuard Mobile VPN apps for Android and iOS devices use the .wgm client configuration
file. This file is encrypted with the passphrase in the Mobile VPN with IPSec configuration.
This exercise shows you how to configure the XTM device and deploy the user profile and Shrew Soft
VPN client to a new employee in the IT department of Successful Company.
As a member of the Marketing team, Tim is constantly on the road. The Successful Company network
administrator will use Policy Manager to create a Mobile VPN profile that Tim can use to connect
securely to the Successful Company network.
2. Click Add.
The Add Mobile VPN with IPSec Wizard appears.
3. Click Next.
The Select a user authentication server page appears.
The SecurID
authentication
method is not
supported with the
Shrew Soft VPN client.
The Shrew Soft client
does not support 2factor authentication.
96
6. Click Next.
The Select a tunnel authentication method page appears.
9. Click Next.
The Direct the flow of internet traffic page appears.
10. Click Next to accept the default, more flexible setting that configures the VPN client to send traffic
through the VPN tunnel only when the traffic destination matches a resource you specify.
The Identify the resources accessible through the tunnel page appears.
Mobile VPN
97
16. To specify the IP addresses that will be assigned to the mobile user connections, click Add.
The Add Address dialog box appears.
17. From the Choose Type drop-down list, select Host Range IPv4.
The Value and To text boxes appear in the dialog box.
Make sure you select
IP addresses that are
not used by any device
behind the XTM device.
98
22. To add Tim to the Mobile Users group, select the Add users to Mobile Users check box.
23. Click Finish.
The Authentication Servers dialog box appears.
Mobile VPN
99
26. In the User Information section, type the Name, Description, and Passphrase for Tim.
100
Exercise 3:
In a default configuration, Mobile VPN with IPSec users have full access to XTM device resources with
the Any policy. The Any policy allows traffic on all ports and protocols between the Mobile VPN user
and the network resources available through the Mobile VPN tunnel. To restrict VPN user traffic by port
and protocol, you can delete the Any policy on the Mobile VPN with IPSec tab and replace it with
policies that restrict access.
Mobile VPN
101
4. Select the Mobile VPN with IPSec group for this policy and click OK.
The Add Policies dialog box appears.
5. Add a policy for the traffic that you want to allow from the Mobile VPN user.
For example, expand the Packet Filters list, select the HTTP policy and click Add to add a policy that lets the
Mobile VPN users connect to resources over port 80.
102
6. You can edit this policy to limit the Mobile VPN users to only a subset of the resources in the
Allowed Resources list.
- In the Allowed Resources list, select a resource and click Remove.
- To add a more limited set of resources, such as an individual Host IP address, or a smaller
subnet than the subnet in the listed resource, click Add.
Any resource you add to the Allowed Resources list must be a subset of the original allowed resource.
7. You can also limit the users allowed to use this policy.
To select which members of the Mobile VPN with IPSec group are allowed to use this policy, click
Specify Users.
Mobile VPN
103
Exercise 4:
The Successful Company administrator wants to use the Shrew Soft VPN client to enable remote users
to establish a secure, encrypted connection to their protected network over IPSec. To do this, remote
users must first connect their computers to the Internet and then use the Mobile VPN with IPSec client
to connect to the protected network.
Before you install the client software on your users computers, make sure the remote computer does
not have any other IPSec mobile user VPN client software installed. You should also disable or uninstall
any desktop firewall software (other than Microsoft firewall software) from each remote computer.
To ensure the installation is successful, you must log into the remote computer with local administrator
rights.
104
You can use certificates to authenticate the Mobile VPN users if your XTM device is managed by a
WatchGuard Management Server. If you use Policy Manager to generate the Mobile VPN client
configuration file, the certificates are embedded in the .vpn file and are automatically imported to the
Shrew Soft VPN client when you import the .vpn configuration file.
1. Connect to the Internet through a local area network (LAN) or wide area network (WAN).
2. From the Windows Start menu, start the Shrew Soft VPN Access Manager.
3. Click the Mobile Users.vpn profile icon to select it. Then click Connect.
The Shrew Soft VPN Connect dialog box appears.
Mobile VPN
105
5. Click Connect.
Connection progress appears in the Connect tab.
It can take several seconds for the Shrew Soft VPN client to connect. When the VPN client has
connected, the message Tunnel Enabled appears in the Connect tab.
After the VPN client has connected, you can minimize the Shrew Soft VPN Connect dialog box, but do
not close it. To keep your VPN connection, you must keep the Shrew Soft VPN Connect dialog box
open. You can close the Shrew Soft Access Manager window.
To end the Shrew Soft VPN connection, you can click Disconnect in the Shrew Soft VPN Connect dialog
box, or simply close the Shrew Soft VPN Connect application.
106
Exercise 5:
For security and ease of use, many organizations use Mobile VPN with SSL. With Mobile VPN with SSL,
remote users connect to the XTM device on TCP port 443 where users can download client software
and a client profile to their computers. The client software is also available on the WatchGuard web site.
A XTM device administrator can also download the client software and make it available at other
locations.
In this exercise, we use Policy Manager to activate the XTM device for Mobile VPN with SSL and create a
policy to restrict SSL VPN user access.
4. Select the Force all client traffic through the tunnel check box.
This ensures that all traffic both to and from the remote user computers must pass through the XTM device.
This method is more secure, however, it uses more processing power and bandwidth on the XTM device.
Mobile VPN
107
6. Make sure the check box next to Firebox-DB is selected. This is selected by default.
The group SSLVPN-Users is also added to the configuration by default.
7. Click OK.
Note
If you select other
authentication servers,
such as LDAP, or Active
Directory, make sure
that you add the users
and groups that exist
on those servers to the
Users and Groups list.
In this exercise, you use Firebox-DB as the authentication server. You can optionally select multiple
authentication servers. If you select more than one authentication server, the server at the top of the
list is the default server. The default server is used for authentication unless a user specifies a
different server. To authenticate with a non-default authentication server, the user must include the
server as part of the Username when they log in from the Mobile VPN with SSL client. For example, if
you enable LDAP as a secondary authentication server, LDAP user mbrown must log in as
ldap\mbrown.
TRAINING
www.watchguard.com/training
training@watchguard.com
7. Click OK.
The user is added to the SSLVPN-Users group. The configured username and passphrase can now be used to
authenticate.
Mobile VPN
109
When we activated Mobile VPN with SSL, Policy Manager automatically created a policy to allow all
traffic to resources on the Trusted and Optional networks. In this exercise, the Successful Company
administrator decides to restrict this policy to allow traffic only to their internal HTTP server. In a realworld environment, the administrator might also want to open FTP and SMTP to internal servers.
1. In the Policy Manager Firewall tab, select the Allow SSLVPN-Users policy.
This policy was automatically created when we activated Mobile VPN with SSL. This is an Any policy that
allows all traffic from Mobile VPN with SSL users to all resources on the Trusted and Optional networks.
2. Click .
Or, select Edit > Delete Policy.
A confirmation message appears.
3. Click Yes.
4. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
5. Expand the Proxies list and select HTTP Proxy. Click Add.
The New Policy Properties dialog box appears.
You can use this policy to control access to the Successful Company web server on the trusted network, or to
control access from SSLVPN-Users to the Internet.
10. In the Selected Members and Addresses list, select Any-Trusted and click Remove.
11. Click OK to close the Add Address dialog box.
The SSLVPN-Users group appears in the New Policy Properties dialog box in the From list.
16. In the Selected Members and Addresses list, select Any-External and click Remove.
110
Mobile VPN
111
Exercise 6:
One of the major advantages of Mobile VPN with SSL is that it uses a port that is commonly open
everywhere. The default port is TCP port 443, the same port used for HTTPS-encrypted web sites such
as online banking and shopping web sites.
It is possible that you might need to change this port if:
Your XTM device is previously configured to allow connections to the devices external interface IP
address over TCP port 443.
The most common reason for this is that you have an HTTPS or SSL web server protected by the
XTM device and you have an HTTPS policy that allows incoming TCP port 443 connections with the
external interface IP address.
AND
You do not have another IP address you can assign to the external interface of your XTM device.
If your XTM device already allows connections to one external IP address over port 443, you cannot use
that same IP address to enable the device to host Mobile VPN with SSL sessions over TCP port 443 at
the same time.
You can change the port that your XTM device uses to host Mobile VPN with SSL sessions:
1. In the Mobile VPN with SSL Configuration dialog box, select the Advanced tab.
2. In the Data channel text box, type or select a new port.
112
If you change the Data channel value, users must manually type this port in the Mobile VPN with SSL
connection dialog box. For example, if you change the data channel to 444, and the XTM device IP
address is 203.0.113.2, the user types 203.0.113.2:444 instead of 203.0.113.2.
If you keep the Data channel port value at the default setting of port 443, the user types only the XTM
devices IP address (it is not necessary to type :443 after the IP address).
To learn more about how to use the Mobile VPN with SSL client software to connect to the XTM device,
see Exercise 7:.
Exercise 7:
In this exercise we authenticate with the SSLVPN User credentials to download and install the SSLVPN
client for Windows. Then we use the client to authenticate to the XTM device.
4. Click Download for the Mobile VPN with SSL client software for Windows.
5. Save the file to the Desktop.
6. Run the WG-MVPN-SSL.exe installation file.
Accept the default settings on each page of the installation wizard.
Mobile VPN
113
instead of
203.0.113.2 in
Each time the Mobile VPN with SSL client connects, it checks for updates to the client configuration.
To start the Mobile VPN with SSL client:
2. In the Server text box, type the IP address of the XTM device.
3. Type the Username.
4. Type the Password.
5. Click Connect.
114
1. True or false? When you force all Internet traffic through a Mobile VPN tunnel, more processing
power and bandwidth is consumed on the XTM device, but the configuration is also more secure.
2. True or false? Other than typing the IP address of the XTM device, and the user credentials, you can
use the Mobile VPN with SSL client as soon as it is installed. There is no need to configure it.
3. What items does the user need to connect with the Shrew Soft Mobile VPN client? (Select all that
apply.)
A)
A shared key
B)
C)
D)
E)
Administrator ID
F)
G)
H)
4. True or false? You can create policies that control Mobile VPN access.
5. True or false? The .vpn client configuration file is not encrypted.
6. Which of these forms of Mobile User VPN are supported by WatchGuard System Manager? (Select
all that apply.)
A)
Active Directory
B)
IPSec
C)
LDAP
D)
PGP
E)
PPTP
F)
L2TP
G)
SSH
H)
SSL VPN
Mobile VPN
115
116