Using DVCP to connect to devices – WatchGuard Technologies Firebox™ System 4.6 User Manual

Page 132


• IP network addresses for the networks communicating with one another.

• A common passphrase, known as a shared secret.

• For WatchGuard VPN only, the local VPN IP address of each Firebox. It must
be selected from a reserved network address that is not in use on either of the
networks being connected. For more information, see RFC 1918 or “Setting Up
Network Address Translation” on page 63.

Using DVCP to connect to devices

Dynamic VPN Configuration Protocol (DVCP) is the WatchGuard-proprietary
protocol that easily creates a virtual private network. The DVCP server is a Firebox
that sits at the center of a distributed array of WatchGuard Firebox, SOHO, and
SOHO|tc clients.

How does DVCP work?

The DVCP option causes the Firebox to act as a server. SOHOs can be DVCP clients,
and Fireboxes can be either DVCP clients or servers. The DVCP server maintains the
connections between two devices by storing all policy information, including
network address range and tunnel properties such as encryption, timeouts, and
authentication. DVCP clients can retrieve this information from the server. The only
information clients need to maintain is an identification name, a shared key, and the IP
address of the server's External interface.

You use the DVCP Client Wizard to configure a device as a DVCP server and then
create tunnels to each client Firebox or SOHO. The clients then contact the server and
automatically download the information needed for them to connect securely.

Basic and Enhanced DVCP

WatchGuard offers two types of DVCP:

Basic DVCP simplifies establishing VPN tunnels between SOHO units and
Fireboxes. It cannot manage tunnels between two Fireboxes.

Enhanced DVCP manages tunnels between any two WatchGuard devices: SOHO to
Firebox, Firebox to Firebox, and so on. Enhanced DVCP is available only if the VPN
Manager 2.0 option is installed.

Creating a tunnel to a SOHO or SOHO|tc

The tunnels you create for SOHO clients must be completely distinct from any tunnel
created for branch office VPN. In other words, no addresses in the DVCP client policy
should be in the same address range as any branch office policy.

Both ends of the tunnel must use the same encryption method.
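
The address rules on this page (a local VPN IP taken from an RFC 1918 range that is unused on both networks, and DVCP client policies that share no addresses with branch office policies) can be checked before any tunnel is created. The Python sketch below is an added example, not WatchGuard code; the policy names and address ranges are constructed sample values.

```python
import ipaddress

# RFC 1918 private address blocks
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def overlapping_policies(dvcp_policies, branch_policies):
    """Return (dvcp_name, branch_name, dvcp_net, branch_net) for each collision
    between a DVCP client policy range and a branch office policy range."""
    clashes = []
    for d_name, d_nets in dvcp_policies.items():
        for b_name, b_nets in branch_policies.items():
            for d in map(ipaddress.ip_network, d_nets):
                for b in map(ipaddress.ip_network, b_nets):
                    if d.overlaps(b):
                        clashes.append((d_name, b_name, str(d), str(b)))
    return clashes


def check_local_vpn_ip(vpn_ip, connected_networks):
    """Return a list of problems with a proposed local VPN IP address.
    An empty list means the address satisfies both rules."""
    ip = ipaddress.ip_address(vpn_ip)
    problems = []
    if not any(ip in block for block in RFC1918):
        problems.append(f"{ip} is not in an RFC 1918 reserved range")
    for net in map(ipaddress.ip_network, connected_networks):
        if ip in net:
            problems.append(f"{ip} is inside connected network {net}")
    return problems


# Constructed sample data (hypothetical policy names and ranges)
DVCP_CLIENTS = {"soho-warehouse": ["192.168.111.0/24"],
                "soho-kiosk": ["10.20.0.0/16"]}
BRANCH_OFFICE = {"bovpn-east": ["10.20.30.0/24", "172.16.5.0/24"]}
CONNECTED = ["192.168.111.0/24", "10.20.30.0/24"]

if __name__ == "__main__":
    for clash in overlapping_policies(DVCP_CLIENTS, BRANCH_OFFICE):
        print("policy overlap:", clash)
    for candidate in ("192.168.254.1", "10.20.30.5", "203.0.113.7"):
        print(candidate, check_local_vpn_ip(candidate, CONNECTED) or "ok")
```

A DVCP client range that merely contains a branch office subnet (here a /16 covering a /24) is reported as a collision, which is the case most easily missed when ranges are compared by eye.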
