User's Manual
Table Of Contents
- WatchGuard® Firebox® X Edge User Guide
- Certifications and Notices
- Declaration of Conformity
- Notice to Users
- WatchGuard Firebox Software
- End-User License Agreement
- Copyright, Trademark, and Patent Information
- Limited Hardware Warranty
- Abbreviations Used in this Guide
- CHAPTER 1 Introduction to Network Security
- CHAPTER 2 Installing the Firebox® X Edge
- CHAPTER 3 Configuration and Management Basics
- CHAPTER 4 Changing Your Network Settings
- Using the Network Setup Wizard
- Configuring the External Network
- Configuring the Trusted Network
- Configuring the Optional Network
- Enabling the optional network
- Changing the IP address of the optional network
- Using DHCP on the optional network
- Setting optional network DHCP address reservations
- Configuring the optional network for DHCP relay
- Using static IP addresses for optional computers
- Adding computers to the optional network
- Requiring encrypted connections
- Making Static Routes
- Viewing Network Statistics
- Registering with the Dynamic DNS Service
- Enabling the WAN Failover Option
- Enabling External Modem Failover
- CHAPTER 5 Setting up the Firebox X Edge Wireless
- CHAPTER 6 Configuring Firewall Settings
- CHAPTER 7 Configuring Logging
- CHAPTER 8 Configuring WebBlocker
- CHAPTER 9 Configuring Virtual Private Networks
- CHAPTER 10 Configuring the MUVPN Client
- CHAPTER 11 Managing the Firebox® X Edge
- Viewing Current Sessions and Users
- About User Authentication
- Adding or Editing a User Account
- About Seat Licenses
- Selecting HTTP or HTTPS for Firebox Management
- Changing the HTTP Server Port
- Setting up VPN Manager Access
- Updating the Firmware
- Activating Upgrade Options
- Enabling the Model Upgrade Option
- Configuring Additional Options
- Viewing the Configuration File
- APPENDIX A Firebox®X Edge Hardware
- Index
Configuring Virtual Private Networks
116 WatchGuard Firebox X Edge
N
OTE
N
OTE
The IKE Keep Alive feature is different from the VPN Keep Alive
feature described in“VPN Keep Alive,” on page 117.
Phase 2 settings
Phase 2 negotiates the data management security association for
the tunnel. The tunnel uses this phase to create IPSec tunnels
and encapsulate and decapsulate data packets.
You can use the default Phase 2 settings to simplify configuration.
N
OTE
N
OTE
Make sure that the Phase 2 configuration is the same on both
devices.
To change the Phase 2 settings:
1 Select the authentication method from the Authentication
Algorithm drop-down list.
2 Select the encryption algorithm from the Encryption Algorithm
drop-down list.
3 If you are using Perfect Forward Secrecy, select the Enable
Perfect Forward Secrecy checkbox.
This option makes sure that each new key is derived from a new Diffie-
Hellman exchange. This option makes the negotiation more secure, but
requires more time.
4 Type the number of kilobytes and the number of hours until the
IKE negotiation expires.
5 Type the IP address of the local network and the remote
network that must use Phase 2 negotiation.
Network addresses must be entered in “slash” notation (also known as
Classless Inter Domain Routing or CIDR notation). For more information
on entering IP addresses in slash notation, see the following FAQ:
http:/
/www.watchguard.com/support/advancedfaqs/general_slash.asp.
6 Click Add.