Configuring a tunnel with dynamic security – WatchGuard Technologies FireboxTM System 4.6 User Manual

Page 137

Advertising
background image

User Guide

127

Branch office VPN with IPSec

5

Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC

(160-bit algorithm).

6

Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key field. You cannot enter a key here directly.

Using Authenticated Headers (AH)

1

Type or use the SPI scroll control to identify the Security Parameter Index (SPI).

You must select a number between 257 and 1023.

2

Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC

(160-bit algorithm).

3

Click Key. Enter a passphrase. Click OK.

The passphrase appears in the Authentication Key

Authentication Key

Authentication Key

Authentication Key field. You cannot enter a key here directly.

Configuring a tunnel with dynamic security

A tunnel encapsulates packets between two gateways. It specifies encryption type
and/or authentication method. A tunnel also specifies endpoints. The following
describes how to configure a tunnel using a gateway with the isakmp (dynamic) key
negotiation type. From the IPSec configuration dialog box:

1

Click Tunnels.

2

To add a new tunnel, click Add.

3

Click a gateway with isakmp (dynamic) key negotiation type to associate with
this tunnel. Click OK.

4

Type a tunnel name.

Policy Manager uses the tunnel name as an identifier.

5

Click the Dynamic Security tab.

6

Use the Type drop list to select a Security Association Proposal (SAP) type.

Options include: Encapsulated Security Payload (ESP) or Authenticated Headers (AH).

7

Use the Authentication drop list to select an authentication method.

Options include: None (no authentication), MD5-HMAC (128-bit algorithm), and SHA1-HMAC

(160-bit authentication algorithm).

8

Use the Encryption drop list to select an encryption method.

Options include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit encryption).

9

To have a new key generated periodically, enable the Force Key Expiration
checkbox.

With this option, transparent to the user, the ISAKMP controller generates and negotiates a

new key for the session. For no key expiration, enter 0 (zero) here. If you enable the Force key

expiration checkbox, set the number of kilobytes transferred or hours passed in the session

before a new key is generated for continuation of the VPN session.

10 Click OK.

The Configure Tunnels dialog box appears displaying the newly created tunnel. Repeat the tunnel

creation procedure until you have created all tunnels for this particular gateway.

If there are Fireboxes at both ends of the tunnel, the remote administrator

can also enter the encryption and authentication passphrases. If the remote

firewall host is an IPSec-compliant device of other manufacture, the remote

system administrator must enter the literal keys displayed in the Security

Association Setup dialog box when setting up the remote IPSec-compliant

device.

Advertising
Popular Brands
Popular manuals