WatchGuard Technologies Firebox™ System 4.6 User Manual


Configuring WatchGuard VPN

132

Configuring incoming services to allow VPN

Because hosts behind the remote Firebox are outside the local trusted network, you
must configure services to allow their traffic through the VPN connection. WatchGuard
recommends the following method:

1. Create a host alias corresponding to the VPN remote networks.

   For more information, see “Adding a host alias” on page 86.

2. Add the VPN host alias to the Incoming From and Outgoing To properties of each
   service that VPN traffic is allowed to use.

   For more information, see “Defining service properties” on page 49.

An alternative method is to add the Any service with the following incoming
properties:

• Enabled and allowed

• From: VPN host alias

• To: Any

Because the Any service matches every port and protocol, this alternative is less
restrictive than the per-service method above: every host in the VPN alias can reach
every trusted host on every service.
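The following Python model is an added illustration, not code from the manual or from WatchGuard. It expands a VPN host alias into networks and evaluates a packet against the two configurations described above (per-service rules carrying the alias in their Incoming From and Outgoing To lists, versus a single Any service From the alias To Any), to make the difference in what each admits concrete. The alias name, network addresses, service names and ports are assumed for the example.

```python
import ipaddress

# Constructed host alias for the remote VPN networks (addresses assumed,
# not taken from the manual). This stands in for the alias created in step 1.
ALIASES = {
    "vpn_remote": ["192.168.20.0/24", "192.168.30.0/24"],
}


def in_alias(ip, alias):
    """True if ip falls inside any network of the named alias; 'Any' matches all."""
    if alias == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


# Recommended method (step 2): the alias is added to the Incoming From and
# Outgoing To properties of each service VPN peers may use. Services and
# ports are assumed for illustration.
RECOMMENDED = [
    {"service": "smtp", "port": 25,
     "incoming_from": ["vpn_remote"], "outgoing_to": ["vpn_remote"]},
    {"service": "http", "port": 80,
     "incoming_from": ["vpn_remote"], "outgoing_to": ["vpn_remote"]},
]

# Alternative method: one Any service, enabled and allowed, From the VPN
# alias, To Any. The manual describes only its incoming properties, so the
# outgoing list is left empty here.
ALTERNATIVE = [
    {"service": "Any", "port": None,
     "incoming_from": ["vpn_remote"], "outgoing_to": []},
]


def incoming_allowed(rules, src_ip, dst_port):
    """Name of the first rule admitting src_ip -> trusted:dst_port, or None."""
    for r in rules:
        if r["port"] is not None and r["port"] != dst_port:
            continue
        if any(in_alias(src_ip, a) for a in r["incoming_from"]):
            return r["service"]
    return None


def outgoing_allowed(rules, dst_ip, dst_port):
    """Name of the first rule permitting trusted -> dst_ip:dst_port, or None."""
    for r in rules:
        if r["port"] is not None and r["port"] != dst_port:
            continue
        if any(in_alias(dst_ip, a) for a in r["outgoing_to"]):
            return r["service"]
    return None


def compare(src_ip, dst_port):
    """Incoming decision under the recommended and the Any-service method."""
    return (incoming_allowed(RECOMMENDED, src_ip, dst_port),
            incoming_allowed(ALTERNATIVE, src_ip, dst_port))


if __name__ == "__main__":
    # Constructed sample packets: two from a VPN peer, one from an outside host.
    for src, port in [("192.168.20.7", 25), ("192.168.20.7", 23), ("203.0.113.9", 25)]:
        print(src, port, compare(src, port))
```

Running it shows that a VPN peer reaching port 25 is admitted by both methods, that the same peer reaching port 23 is refused by the per-service rules but admitted by the Any service, and that a source outside the alias is refused by both. Whatever method is chosen, the alias is the only thing keeping non-VPN sources out, so its networks should be kept exact.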

Verifying successful WatchGuard VPN configuration

To determine whether a configuration has been successful:

• Watch for log entries as the Firebox reboots that show the local and remote VPN IP
  addresses.

• Check the Firebox status once it has booted. There should be an entry for a VPN
  interface directly following the entry for eth2.

• Check the Control Center display for tunnel status.

If none of these indicators is present, review all settings on both Fireboxes,
double-check that the passphrases are the same, and verify the remote IP addresses.
