Changing remote network entries, Preventing IP spoofing with WatchGuard VPN – WatchGuard Technologies Firebox™ System 4.6 User Manual


User Guide

131

Configuring WatchGuard VPN

4 In the Local Firebox IP field, enter an IP address from a reserved network not in use on the local or remote networks.

5 In the text box to the left of the Add button, enter the IP address in slash notation of any remote network to which access should be granted from the local Firebox. Click Add.

The remote Firebox must reciprocate by adding the local networks in its Remote Networks box. Because WatchGuard VPN is a peer-to-peer arrangement, each Firebox must have the other's network listed.

6 Click the Encryption tab.

7 Under Encryption, select the number of bits used to encrypt the tunnel.

The greater the number of bits, the stronger the encryption.

8 Enter the encryption key. Click Make Key.

WatchGuard hashes the encryption key and then displays a key in the bottom panel.

9 Click the Options tab.

10 Enable the Activate WatchGuard VPN checkbox.

11 To automatically block sites when the source fails to properly connect to the Firebox, enable the Add Source to Blocked List When Denied checkbox.

12 Enable Logging options according to your security policy preferences.

Activating logging often generates a high volume of log entries, significantly slowing the passage of VPN traffic. WatchGuard recommends logging only for debugging purposes.

Changing remote network entries

You cannot edit a remote network entry. You must remove the original and add the
new remote network address. From the WatchGuard VPN Setup dialog box:

1 Click the network address. Click Remove.

2 Click Add. Add the new network configuration.

Preventing IP spoofing with WatchGuard VPN

There is a potential IP spoofing problem if the remote Firebox IP is on the same
network as a remote network. It is theoretically possible to spoof packets from that
single IP address (the remote Firebox IP). Although this situation is relatively rare,
you can prevent it by disallowing access to internal servers from the remote Firebox
IP.
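The two address constraints this chapter states, the reserved Local Firebox IP in step 4 and the spoofing hazard described above, can be checked before a tunnel is committed. The following checker is an added example, not part of the manual or of WatchGuard's software; the function name, the `local_networks` parameter and the sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private address space: the "reserved networks" the manual refers to.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_vpn_config(local_firebox_ip, local_networks, remote_firebox_ip, remote_networks):
    """Lint one WatchGuard VPN entry; returns a list of findings (empty means consistent).

    local_firebox_ip   -- value of the Local Firebox IP field (step 4)
    local_networks     -- networks behind this Firebox (what the peer lists as Remote Networks)
    remote_firebox_ip  -- the peer Firebox's external address
    remote_networks    -- entries in this Firebox's Remote Networks box (step 5)
    """
    findings = []
    local_ip = ipaddress.ip_address(local_firebox_ip)
    remote_ip = ipaddress.ip_address(remote_firebox_ip)
    local_nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    remote_nets = [ipaddress.ip_network(n, strict=False) for n in remote_networks]

    # Step 4: the Local Firebox IP must come from a reserved network ...
    if not any(local_ip in net for net in RFC1918):
        findings.append(f"local Firebox IP {local_ip} is not in an RFC 1918 reserved network")
    # ... that is not in use on the local or remote networks.
    for net in local_nets + remote_nets:
        if local_ip in net:
            findings.append(f"local Firebox IP {local_ip} lies inside routed network {net}")

    # Spoofing hazard: the remote Firebox IP falls inside one of the remote networks, so a
    # packet claiming that single source address is indistinguishable from tunnel traffic.
    # Mitigation per the manual: deny that host access to internal servers.
    for rnet in remote_nets:
        if remote_ip in rnet:
            findings.append(f"remote Firebox IP {remote_ip} is inside remote network {rnet}; "
                            f"deny access from {remote_ip}/32 to internal servers")
    return findings


if __name__ == "__main__":
    # Constructed sample: the peer's address sits inside the network it serves.
    for line in check_vpn_config("10.2.0.1", ["10.1.0.0/16"], "10.2.0.254", ["10.2.0.0/16"]):
        print("WARNING:", line)
```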

More information on reserved networks can be found in RFC 1918. You can use the same local VPN IP address for multiple VPN connections when specifying more than one—for example, when there are several branch offices connecting to a central office.

The hashed key must be identical on both Fireboxes. If you are running different versions of WatchGuard Security System software, verify that the hashes match exactly on the two Fireboxes.
