User Guide

Setting Up Manual VPN Tunnels

NOTE: The Phase 1 settings must be the same on both devices.
1 Select the negotiation mode for Phase 1 from the drop-down list. The mode selections are Main Mode and Aggressive Mode. If the external IP address is dynamic, select Aggressive Mode. If the external IP address is static, use either mode.

2 If you chose Main Mode, enter the remote IP address in the field provided.

3 Select the Local ID type and the Remote ID type from the drop-down list. These must match the settings used on the remote gateway.
- If you select Main Mode, the Local ID type and the Remote ID type must contain IP addresses.
- If you select Aggressive Mode, the Remote ID type can be an IP address or a domain name. If your external IP address is static, the Local ID type must be an IP address. If your external IP address is dynamic, the Local ID type can be either a domain name or an IP address.

4 From the Authentication Algorithm drop-down list, select the type of authentication. The options are MD5-HMAC (128-bit authentication) or SHA1-HMAC (160-bit authentication).

5 From the Encryption Algorithm drop-down list, select the type of encryption. The options are DES-CBC or 3DES-CBC.

6 Type the number of kilobytes and the number of hours until negotiation expiration in the applicable fields.

7 From the Diffie-Hellman Group drop-down list, select the group number. WatchGuard supports group 1 and group 2.
Diffie-Hellman is a mathematical technique used to securely negotiate secret keys through a public network. Diffie-Hellman groups are collections of parameters used to achieve this. Group 2 is more secure than group 1, but more time is required to calculate group 2 secret keys.

8 Select the Generate IKE Keep Alive Messages checkbox to help detect when the tunnel is down.
Short packets are sent across the VPN tunnel at regular intervals to see if the other side agrees that valid Phase 1 security still exists. If the Keep Alive packets elicit no response three times in a row, the Firebox X Edge does a rekey to open the tunnel again.
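The rules in steps 1 through 7 and in the NOTE above can be checked before the tunnel is brought up. The following checker is an added example written for this page, not WatchGuard code or a Firebox feature; the Phase1 class, its field names and the "ip"/"domain" labels are assumptions made for the example.

```python
from dataclasses import dataclass
import ipaddress

AUTH_ALGS = {"MD5-HMAC", "SHA1-HMAC"}   # step 4
ENC_ALGS = {"DES-CBC", "3DES-CBC"}      # step 5
DH_GROUPS = {1, 2}                      # step 7
SHARED = ("mode", "auth", "enc", "lifetime", "dh_group")  # must match (NOTE)

@dataclass(frozen=True)
class Phase1:
    mode: str                 # "Main" or "Aggressive" (step 1)
    external_ip_static: bool  # this gateway's external address is static
    remote_ip: str            # peer address, required in Main Mode (step 2)
    local_id_type: str        # "ip" or "domain" (step 3)
    remote_id_type: str       # "ip" or "domain" (step 3)
    auth: str                 # step 4
    enc: str                  # step 5
    lifetime: tuple           # (kilobytes, hours) until renegotiation (step 6)
    dh_group: int             # step 7

def check_one(name: str, p: Phase1) -> list:
    """Single-gateway rules from steps 1-7; returns a list of problem strings."""
    out = []
    if p.mode == "Main":
        if not p.external_ip_static:
            out.append(f"{name}: dynamic external IP requires Aggressive Mode")
        try:
            ipaddress.ip_address(p.remote_ip)
        except ValueError:
            out.append(f"{name}: Main Mode needs a valid remote IP, got {p.remote_ip!r}")
        if (p.local_id_type, p.remote_id_type) != ("ip", "ip"):
            out.append(f"{name}: Main Mode requires IP-address ID types")
    elif p.mode == "Aggressive":
        if p.external_ip_static and p.local_id_type != "ip":
            out.append(f"{name}: static external IP requires an IP-address Local ID")
    if p.auth not in AUTH_ALGS:
        out.append(f"{name}: unsupported authentication algorithm {p.auth!r}")
    if p.enc not in ENC_ALGS:
        out.append(f"{name}: unsupported encryption algorithm {p.enc!r}")
    if p.dh_group not in DH_GROUPS:
        out.append(f"{name}: unsupported Diffie-Hellman group {p.dh_group}")
    return out

def check_pair(a: Phase1, b: Phase1) -> list:
    """Check each gateway, then that the shared Phase 1 settings are identical."""
    out = check_one("A", a) + check_one("B", b)
    for f in SHARED:
        if getattr(a, f) != getattr(b, f):
            out.append(f"mismatch in {f}: {getattr(a, f)!r} vs {getattr(b, f)!r}")
    return out
```

An empty list from check_pair means both sides satisfy the mode, ID-type and algorithm rules and agree on every setting that must be identical.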