WatchGuard Technologies FireboxTM System 4.6 User Manual

User Guide, page 129

Branch office VPN with IPSec

9 Use the Protocol drop list to limit the protocol used by the policy.
Options include: * (specify ports but not protocol), TCP, and UDP.

10 In the Src Port field, enter the local host port.
The local host port number is optional and is the port from which WatchGuard sends all communication for the policy. To enable communication from all ports, enter 0.

11 Click OK.
The IPSec Configuration dialog box appears listing the newly created policy. Policies are initially listed in the order in which they were created.

Changing IPSec policy order

WatchGuard handles policies in the order listed, from top to bottom, on the IPSec
Configuration dialog box, and the first policy that matches a connection is the one
applied. Initially, the policies are listed in the order created. You must manually
reorder the policies from more specific to less specific; otherwise a broad policy
listed above a narrower one captures the narrower policy's traffic, and sensitive
connections are not routed along the higher-security tunnels intended for them. In
general, WatchGuard recommends the following policy order:

• Host to host

• Host to network

• Network to host

• Network to network

Policies must be set to the same order at both ends of the tunnel. For more
information about IPSec policy order, see the Network Security Handbook.

From the IPSec Configuration dialog box:

• To move a policy up in the list, click the policy. Click Move Up.

• To move a policy down in the list, click the policy. Click Move Down.
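The following is an added example, not code from the WatchGuard manual or product. It simulates in Python the top-to-bottom, first-match policy handling described above, sorts a policy list into the recommended host-to-host, host-to-network, network-to-host, network-to-network order, and checks that the Firebox at the other end of the tunnel lists the same policies in the same order. The Policy class, the policy names and the 10.1.0.0/16 and 10.2.0.0/16 addresses are assumptions made for illustration, not Firebox internals.

```python
"""Added example (not from the WatchGuard manual): simulate first-match handling
of IPSec policies and show why the recommended policy order matters.
Policy names and addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    local: str       # local host (/32) or network, in CIDR form
    remote: str      # remote host (/32) or network, in CIDR form
    protocol: str    # "*" (any), "TCP" or "UDP", as in the Protocol drop list

    def matches(self, src, dst, proto):
        """True if a connection src -> dst using proto is covered by this policy."""
        if self.protocol != "*" and self.protocol != proto:
            return False
        return (ip_address(src) in ip_network(self.local, strict=False)
                and ip_address(dst) in ip_network(self.remote, strict=False))


def endpoint_kind(cidr):
    """'host' for a single address (/32), 'network' for anything wider."""
    net = ip_network(cidr, strict=False)
    return "host" if net.prefixlen == net.max_prefixlen else "network"


# Rank of each policy class in the order the manual recommends.
KIND_RANK = {
    ("host", "host"): 0,
    ("host", "network"): 1,
    ("network", "host"): 2,
    ("network", "network"): 3,
}


def select_policy(policies, src, dst, proto):
    """Walk the list top to bottom; the first matching policy wins."""
    for policy in policies:
        if policy.matches(src, dst, proto):
            return policy
    return None


def recommended_order(policies):
    """Reorder from more specific to less specific: host-to-host first,
    network-to-network last; within a class, longer prefixes first. The sort
    is stable, so policies that tie keep their creation order."""
    def key(policy):
        local_net = ip_network(policy.local, strict=False)
        remote_net = ip_network(policy.remote, strict=False)
        return (KIND_RANK[(endpoint_kind(policy.local), endpoint_kind(policy.remote))],
                -local_net.prefixlen, -remote_net.prefixlen)
    return sorted(policies, key=key)


def mirror(policy):
    """The same policy as the Firebox at the other end of the tunnel defines it:
    its local side is our remote side and vice versa."""
    return Policy(policy.name, policy.remote, policy.local, policy.protocol)


def consistent_with_peer(local_list, remote_list):
    """Check that both ends list the same policies in the same order."""
    return [mirror(p) for p in remote_list] == list(local_list)


# Constructed policies, listed in the order an administrator might have created them.
CREATED_ORDER = [
    Policy("site-to-site", "10.1.0.0/16", "10.2.0.0/16", "*"),     # network to network
    Policy("monitor",      "10.1.0.0/16", "10.2.0.9/32", "UDP"),   # network to host
    Policy("finance-db",   "10.1.0.5/32", "10.2.0.9/32", "TCP"),   # host to host
    Policy("admin-ws",     "10.1.0.20/32", "10.2.0.0/16", "*"),    # host to network
]

if __name__ == "__main__":
    flow = ("10.1.0.5", "10.2.0.9", "TCP")
    # In creation order the broad site-to-site policy swallows the finance-db flow.
    print("created order  ->", select_policy(CREATED_ORDER, *flow).name)
    ordered = recommended_order(CREATED_ORDER)
    print("recommended    ->", [p.name for p in ordered])
    print("after reorder  ->", select_policy(ordered, *flow).name)
    print("peer consistent:", consistent_with_peer(ordered, [mirror(p) for p in ordered]))
```

Run it as a script to see the finance-db connection land on the site-to-site policy in creation order and on its own host-to-host policy after reordering. The consistency check is the one to repeat after any Move Up or Move Down on either Firebox, since the two ends must agree on the list.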

Configuring services for branch office VPN with IPSec

Hosts behind the remote Firebox are outside the local trusted network, so the Firebox
passes no traffic through the VPN connection until you configure services to allow
it. A quick method is to create a host alias corresponding to the remote VPN networks
and hosts. Then use either the host alias or individually enter the remote VPN
networks and hosts when configuring the following service properties:

Incoming

• Enabled and Allowed

• From: Remote VPN network, hosts, or host alias

• To: trusted or selected hosts

Outgoing

• Enabled and Allowed

• From: trusted network or selected hosts

• To: Remote VPN network, hosts, or host alias

For more information, see “Defining service properties” on page 49, and “Adding a
host alias” on page 86.
