VPN Tracker for Mac OS X
How-to:
Interoperability with
WatchGuard Firebox
1. Introduction
This document describes how VPN Tracker can be used to establish a connection between a Macintosh running Mac OS X and a WatchGuard Firebox Internet Security Appliance.
You can either use the Manual IPsec configuration or the Mobile User VPN configuration in order to get connected with VPN Tracker.
The WatchGuard Firebox is configured as a router connecting a company LAN to the Internet.
This paper is only a supplement to, not a replacement for, the instructions that have been included with your WatchGuard Firebox. Please be sure to read those instructions and understand them before starting.
All trademarks, product names, company names, logos, screenshots displayed, cited or otherwise indicated on the How-to are the property of their respective owners.
2. Prerequisites
First you have to make sure that your WatchGuard Firebox has VPN support built in. Please refer to your WatchGuard Firebox manual for details.
Furthermore you should use a recent WatchGuard Firebox firmware version. The latest firmware release for your WatchGuard Firebox appliance can be obtained from
http://www.watchguard.com/
For this document, WatchGuard Version 7.1.B1444 has been used.
3. Connecting a VPN Tracker host to a
WatchGuard Firebox
In this example the Mac running VPN Tracker is directly connected to the Internet via a dialup or PPP connection.
The WatchGuard Firebox is configured in NAT mode and has the static WAN IP address 169.1.2.3 and the private LAN IP address 192.168.1.1. The stations in the LAN behind the WatchGuard Firebox use 192.168.1.1 as their default gateway and should have a working Internet connection.
3.1
WatchGuard Firebox Manual IPsec Configuration
Please create a new “Branch Office VPN -> Manual IPsec” configuration on the WatchGuard Firebox.
The pre-defined VPN Tracker connection type has been created using the default settings for your WatchGuard Firebox appliance. If you change any of the settings on the WatchGuard Firebox, you may also have to adjust the connection type in VPN Tracker accordingly.
Add a Remote Gateway:
• Name: an arbitrary name (e.g. mac-vpntracker)
• Remote ID Type: User Name
• Gateway Identifier: a unique identifier (e.g. vpntracker@domain.com)
• Shared Key: your pre-shared key (e.g. secretkey)
• Enable Aggressive Mode: checked
Figure 2: WatchGuard - Remote Gateway
Create a new tunnel with the previously defined gateway and choose a name for the tunnel. The default Phase 2 settings should be fine in most cases.
Figure 3: WatchGuard - Select Gateway
Figure 4: WatchGuard - Configure Tunnel
Add Routing Policy:
• Local Network: the local network behind the WatchGuard (e.g. 192.168.1.0/24)
• Remote Host: the virtual IP address of the VPN Tracker client (e.g. 10.1.2.3)
• Tunnel: the tunnel you created before.
Figure 5: WatchGuard - Add Routing Policy
Please note: The Remote Host is not the public IP address of the client.
After the first three steps the configuration should look like this:
Figure 6: WatchGuard - IPsec Configuration
Add a Firewall Rule:
Incoming traffic from and outgoing traffic to the IP address 10.1.2.3 must be allowed.
To create a new Firewall setting, add a service and select the Packet Filter “Any”. On the “Incoming” tab select “Enabled and Allowed” from the popup menu. Then add the virtual IP address (10.1.2.3) to the “From” list and the IP address of the LAN (192.168.1.0/24) to the “To” list.
For the “Outgoing” tab use the same values with interchanged “From” and “To” addresses:
Figure 7: WatchGuard - Firewall Properties
3.2
WatchGuard MUVPN Configuration
Please create a new “Remote User -> Firebox Authenticated User” on your WatchGuard firewall:
Create a new user and enter a password for this user:
Figure 8: WatchGuard - MUVPN – User
Configure allowed Access:
• Allow user access to: the local network behind the WatchGuard (e.g. 192.168.1.0/24)
• Virtual IP address for mobile user: the virtual IP address of the VPN Tracker client (e.g. 10.1.2.3)
Figure 9: WatchGuard - MUVPN – Access
Configure Encryption and Authentication:
• Authentication: SHA1-HMAC
• Encryption: 3DES-CBC
• Key expires: every 24 hours
Figure 10: WatchGuard - MUVPN – Encryption
After Step 3 your configuration should look like this:
3.3
VPN Tracker Configuration
Add a new connection with the following options:
• Vendor: “WatchGuard”
• Model: your VPN device
Figure 12: VPN Tracker - Connection Settings
Change your Network Settings:
• VPN Server Address: the public IP address of your VPN gateway (e.g. 169.1.2.3)
• Local Address: a virtual IP address assigned to the VPN Tracker client (e.g. 10.1.2.3)
• Remote Network/Mask: the network address and netmask of the remote network (e.g. 192.168.1.0/255.255.255.0).
Figure 13: VPN Tracker - Network Settings
Please note: In order to access multiple remote networks simultaneously, just
Change your Authentication Settings:
Pre-shared key: the same Pre-shared key as in the WatchGuard configuration.
Figure 14: VPN Tracker- Authentication Settings
Identifier Settings (Manual IPsec configuration):
• Local Identifier: e-mail address (e.g. vpntracker@domain.com)
• Local Identifier type: Email
• Remote Identifier: Remote endpoint IP address.
Figure 15: VPN Tracker - Identifier Settings
Identifier Settings (Manual User VPN configuration):
• Local Identifier: your username (e.g. vpntracker)
• Local Identifier type: Email
• Remote Identifier: Remote endpoint IP address
Figure 16: VPN Tracker - Identifier settings - MUVPN
Save the connection and click “Start IPsec” in the VPN Tracker main window. You’re done. After 10-20 seconds the red status indicator for the connection should change to green, which means you’re securely connected to the WatchGuard. After IPsec has been started, you may quit VPN Tracker. The IPsec service will keep running.
Now to test your connection simply ping a host in the WatchGuard network from the dialed-in Mac in the “Terminal” utility:
ping 192.168.1.10
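Most failed tunnels in this setup come from the two sides disagreeing on a value (pre-shared key, identifier, virtual IP versus public IP, or the remote network written with a prefix length on the Firebox but a dotted netmask in VPN Tracker). The following added Python example, which is not part of this how-to or of VPN Tracker, models the settings from sections 3.1 and 3.3 with the constructed sample values used above and reports every mismatch it finds before you click “Start IPsec”.

```python
import ipaddress

# Constructed sample values taken from the how-to: WatchGuard side (section 3.1)
FIREBOX = {
    "gateway_identifier": "vpntracker@domain.com",  # Remote Gateway: Gateway Identifier
    "shared_key": "secretkey",                      # Remote Gateway: Shared Key
    "aggressive_mode": True,                        # Remote Gateway: Enable Aggressive Mode
    "local_network": "192.168.1.0/24",              # Routing Policy: Local Network
    "remote_host": "10.1.2.3",                      # Routing Policy: Remote Host (virtual IP)
    "wan_address": "169.1.2.3",                     # static WAN address of the Firebox
}

# Constructed sample values: VPN Tracker side (section 3.3), netmask in dotted form
TRACKER = {
    "vpn_server_address": "169.1.2.3",
    "local_address": "10.1.2.3",
    "remote_network": "192.168.1.0/255.255.255.0",
    "pre_shared_key": "secretkey",
    "local_identifier": "vpntracker@domain.com",
    "local_identifier_type": "Email",
}


def to_network(text):
    """Accept both '192.168.1.0/24' and '192.168.1.0/255.255.255.0' notations."""
    return ipaddress.ip_network(text, strict=False)


def check_pair(firebox, tracker):
    """Return a list of mismatches between the two sides; an empty list means consistent."""
    problems = []
    if firebox["shared_key"] != tracker["pre_shared_key"]:
        problems.append("pre-shared key differs")
    if firebox["gateway_identifier"] != tracker["local_identifier"]:
        problems.append("Gateway Identifier does not match Local Identifier")
    if tracker["local_identifier_type"] != "Email":
        problems.append("Local Identifier type must be Email")
    if not firebox["aggressive_mode"]:
        problems.append("Aggressive Mode must be checked on the Remote Gateway")
    if firebox["wan_address"] != tracker["vpn_server_address"]:
        problems.append("VPN Server Address is not the Firebox WAN address")
    remote_host = ipaddress.ip_address(firebox["remote_host"])
    if remote_host != ipaddress.ip_address(tracker["local_address"]):
        problems.append("Remote Host must equal the client's virtual Local Address")
    lan = to_network(firebox["local_network"])
    if lan != to_network(tracker["remote_network"]):
        problems.append("Remote Network/Mask does not match the Firebox Local Network")
    if remote_host in lan:  # sanity check: the virtual IP is routed to, not part of, the LAN
        problems.append("virtual IP must lie outside the LAN behind the Firebox")
    return problems
```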