Creating an ipsec policy – WatchGuard Technologies FireboxTM System 4.6 User Manual


Branch office VPN with IPSec

128

11 After you add all tunnels for this gateway, click OK.
The Configure Gateways dialog box appears.

12 To configure more tunnels for another gateway, click Tunnels. Select a new gateway and repeat the tunnel creation procedure for that gateway.

13 When all the tunnels are created, click OK.

Creating an IPSec policy

Policies are sets of rules, much like packet filter rules, for defining how outgoing
IPSec packets are built and sent and determining whether incoming IPSec packets can
be accepted. Policies are defined by their endpoints. These are not the same as tunnel
or gateway endpoints–they are the specific hosts or networks attached to the
tunnel’s Fireboxes (or other IPSec-compliant device) that communicate through the
tunnel.

From the IPSec Configuration dialog box:

1 Click Add.

2 Use the Local drop list to select the tunnel type of the IP address behind the local Firebox.
The tunnel type can be an entire network or a single host.

3 Enter the IP or network address in slash notation for the local host or network.

4 Use the Remote drop list to select the tunnel type of the IP address of the remote Firebox or IPSec-compliant device.

5 Enter the IP address or network address in slash notation for the remote host or network.

6 Use the Disposition drop list to select a bypass rule for the tunnel:
Secure: IPSec will encrypt all traffic that matches the rule in associated tunnel policies.
Block: IPSec will not allow traffic that matches the rule in associated tunnel policies.
Bypass: IPSec will not allow traffic that matches the rule in associated tunnel policies. You cannot bypass a policy that has a network at either endpoint.

7 If you chose Secure as your disposition, use the Tunnel drop list to select a configured tunnel.
To configure a new tunnel, see “Configuring a tunnel with manual security” on page 126 or “Configuring a tunnel with dynamic security” on page 127. To display additional information about the selected tunnel, click More.

8 In the Dst Port field, enter the remote host port.
The remote host port number is optional and is the port to which WatchGuard sends communication for the policy. To enable communications to all ports, enter 0.

For every tunnel created to a dropped-in device, you must create a host policy for both sides’ external IP addresses with protection set to Bypass. Otherwise, traffic to and from the dropped-in device’s external IP address will conflict with any network policy associated with the VPN.
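As an added example (not from the manual and not WatchGuard code), the following Python models the policy semantics this section describes: endpoints in slash notation, the Secure/Block/Bypass dispositions, Dst Port 0 meaning all ports, the rule that Bypass needs single-host endpoints, and the dropped-in-device host policies. The addresses, the tunnel name and first-match evaluation order are assumptions of the example.

```python
import ipaddress

# Dispositions as named on the Disposition drop list.
SECURE, BLOCK, BYPASS = "Secure", "Block", "Bypass"

class IPSecPolicy:
    """One policy row: local/remote endpoint in slash notation (a /32 is a
    single host), a disposition, the Dst Port (0 = all ports) and, for
    Secure, the configured tunnel that carries the traffic."""

    def __init__(self, local, remote, disposition, dst_port=0, tunnel=None):
        self.local = ipaddress.ip_network(local, strict=False)
        self.remote = ipaddress.ip_network(remote, strict=False)
        self.disposition, self.dst_port, self.tunnel = disposition, dst_port, tunnel
        # You cannot bypass a policy that has a network at either endpoint.
        if disposition == BYPASS and max(self.local.num_addresses,
                                         self.remote.num_addresses) > 1:
            raise ValueError("Bypass requires single-host endpoints")
        if disposition == SECURE and tunnel is None:
            raise ValueError("Secure disposition needs a configured tunnel")

    def matches(self, src, dst, dport):
        """True when src is behind the local endpoint, dst behind the remote
        endpoint, and the port matches (Dst Port 0 matches any port)."""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote
                and self.dst_port in (0, dport))

def disposition_for(policies, src, dst, dport):
    """Return (disposition, tunnel) from the first matching policy.
    First-match ordering is an assumption of this example, not something
    the manual states; unmatched traffic yields (None, None)."""
    for p in policies:
        if p.matches(src, dst, dport):
            return p.disposition, p.tunnel
    return None, None

# Constructed addresses (not from the manual): a dropped-in device at
# 203.0.113.10 behind the local Firebox, remote Firebox at 198.51.100.1.
POLICIES = [
    # Host policies for both sides' external IPs, protection set to Bypass.
    IPSecPolicy("203.0.113.10/32", "198.51.100.1/32", BYPASS),
    IPSecPolicy("198.51.100.1/32", "203.0.113.10/32", BYPASS),
    # Block telnet before the broader Secure network policy can match it.
    IPSecPolicy("10.0.1.0/24", "10.0.2.0/24", BLOCK, dst_port=23),
    # Network policy for the VPN, carried by a configured tunnel.
    IPSecPolicy("10.0.1.0/24", "10.0.2.0/24", SECURE, tunnel="branch-tunnel"),
]
```

Because the host policies for the external IP addresses precede the network policy, traffic between the two Fireboxes' external addresses is bypassed instead of being captured by the Secure network rule.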
