Watchguard Firebox Vclass User guide

WatchGuard

®

Central Policy

Manager

Applications Guide

Central Policy Manager version 5.1

ii Central Policy Manager 5.1

Copyright

Notice to Users

Information in this document is subject to change and

revision without notice. This documentation and the software

described herein is subject to and may only be used and

copied as outlined in the Firebox System software end-user

license agreement. No part of this manual may be reproduced

by any means, electronic or mechanical, for any purpose

other than the purchaser’s personal use, without prior written

permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES

WatchGuard and LiveSecurity are either trademarks or

registered trademarks of WatchGuard Technologies, Inc. in

the United States and other countries. Firebox, ServerLock,

DVCP, and Designing peace of mind are trademarks of

WatchGuard Technologies, Inc. All other trademarks or

trade names mentioned herein, if any, are the property of

their respective owners.

Part No: 1200016

Central Policy Manager Applications Guide iii

WatchGuard Technologies, Inc.

Firebox System Software

End-User License Agreement

WatchGuard Central Policy Manager (CPM) End-User

License Agreement

IMPORTANT - READ CAREFULLY BEFORE ACCESSING

WATCHGUARD SOFTWARE:

This Central Policy Manager End-User License Agreement

('AGREEMENT') is a legal agreement between you (either an

individual or a single entity) and WatchGuard Technologies,

Inc. ('WATCHGUARD') for the WATCHGUARD optional

software product for the WatchGuard Firebox product you

have purchased, which includes computer software

components (whether installed separately on a computer

workstation or on the WATCHGUARD hardware product)

and may include associated media, printed materials, and on-

line or electronic documentation, and any updates or

modifications thereto, including those received through the

WatchGuard LiveSecurity Service (or its equivalent), (the '

OPTIONAL SOFTWARE PRODUCT'). WATCHGUARD is

willing to license the OPTIONAL SOFTWARE PRODUCT to

you only on the condition that you accept all of the terms

contained in this Agreement. Please read this Agreement

carefully. By installing, activating or using the OPTIONAL

SOFTWARE PRODUCT you agree to be bound by the terms

of this Agreement. If you do not agree to the terms of this

AGREEMENT, WATCHGUARD will not license the

OPTIONAL SOFTWARE PRODUCT to you, and you will not

have any rights in the OPTIONAL SOFTWARE PRODUCT.

In that case, promptly return the OPTIONAL SOFTWARE

PRODUCT/license key certificate, along with proof of

payment, to the authorized dealer from whom you obtained

the OPTIONAL SOFTWARE PRODUCT/license key

certificate for a full refund of the price you paid.

iv Central Policy Manager 5.1

1. Ownership and License. The OPTIONAL SOFTWARE

PRODUCT is protected by copyright laws and international

copyright treaties, as well as other intellectual property laws

and treaties. This is a license agreement and NOT an

agreement for sale. All title and copyrights in and to the

OPTIONAL SOFTWARE PRODUCT (including but not

limited to any images, photographs, animations, video,

audio, music, text, and applets incorporated into the

OPTIONAL SOFTWARE PRODUCT), the accompanying

printed materials, and any copies of the OPTIONAL

SOFTWARE PRODUCT are owned by WATCHGUARD or its

licensors. Your rights to use the OPTIONAL SOFTWARE

PRODUCT are as specified in this AGREEMENT, and

WATCHGUARD retains all rights not expressly granted to

you in this AGREEMENT. Nothing in this AGREEMENT

constitutes a waiver of our rights under U.S. copyright law or

any other law or treaty.

2. Permitted Uses. You are granted the following rights to

the OPTIONAL SOFTWARE PRODUCT:

(A) You may install and use the OPTIONAL SOFTWARE

PRODUCT on that number of WATCHGUARD hardware

products (or manage that number of WATCHGUARD

hardware products) at any one time as permitted in the

license key certificate that you have purchased and may

install and use the OPTIONAL SOFTWARE PRODUCT on

multiple workstation computers. You must also maintain a

current subscription to the WatchGuard LiveSecurity Service

(or its equivalent) for each additional WATCHGUARD

hardware product on which you will use a copy of an updated

or modified version of the OPTIONAL SOFTWARE

PRODUCT received through the WatchGuard LiveSecurity

Service (or its equivalent).

(B) To use the OPTIONAL SOFTWARE PRODUCT on more

WATCHGUARD hardware products than provided for in

Section 2(A), you must license additional copies of the

OPTIONAL SOFTWARE PRODUCT as required.

(C) In addition to the copies described in Section 2(A), you

may make a single copy of the OPTIONAL SOFTWARE

PRODUCT for backup or archival purposes only.

Central Policy Manager Applications Guide v

3. Prohibited Uses. You may not, without express written

permission from WATCHGUARD:

(A) Use, copy, modify, merge or transfer copies of the

OPTIONAL SOFTWARE PRODUCT or printed materials

except as provided in this AGREEMENT;

(B) Use any backup or archival copy of the OPTIONAL

SOFTWARE PRODUCT (or allow someone else to use such a

copy) for any purpose other than to replace the original copy

in the event it is destroyed or becomes defective;

(C) Sublicense, lend, lease or rent the OPTIONAL

SOFTWARE PRODUCT;

(D) Transfer this license to another party unless

(i) the transfer is permanent,

(ii) the third party recipient agrees to the terms of this

AGREEMENT, and

(iii) you do not retain any copies of the OPTIONAL

SOFTWARE PRODUCT; or

(E) Reverse engineer, disassemble or decompile the

OPTIONAL SOFTWARE PRODUCT.

4. Limited Warranty. WATCHGUARD makes the following

limited warranties for a period of ninety (90) days from the

date you obtained the OPTIONAL SOFTWARE PRODUCT

from WATCHGUARD or an authorized dealer:

(A) Media. The disks and documentation will be free from

defects in materials and workmanship under normal use. If

the disks or documentation fail to conform to this warranty,

you may, as your sole and exclusive remedy, obtain a

replacement free of charge if you return the defective disk or

documentation to us with a dated proof of purchase.

(B) OPTIONAL SOFTWARE PRODUCT. The OPTIONAL

SOFTWARE PRODUCT will materially conform to the

documentation that accompanies it or its license key

certificate. If the OPTIONAL SOFTWARE PRODUCT fails

vi Central Policy Manager 5.1

to operate in accordance with this warranty, you may, as your

sole and exclusive remedy, return all of the OPTIONAL

SOFTWARE PRODUCT and the documentation to the

authorized dealer from whom you obtained it, along with a

dated proof of purchase, specifying the problems, and they

will provide you with a new version of the OPTIONAL

SOFTWARE PRODUCT or a full refund, at their election.

Disclaimer and Release. THE WARRANTIES,

OBLIGATIONS AND LIABILITIES OF WATCHGUARD,

AND YOUR REMEDIES, SET FORTH IN PARAGRAPHS

4, 4(A) AND 4(B) ABOVE ARE EXCLUSIVE AND IN

SUBSTITUTION FOR, AND YOU HEREBY WAIVE,

DISCLAIM AND RELEASE ANY AND ALL OTHER

WARRANTIES, OBLIGATIONS AND LIABILITIES OF

WATCHGUARD AND ITS LICENSORS AND ALL OTHER

RIGHTS, CLAIMS AND REMEDIES YOU MAY HAVE

AGAINST WATCHGUARD AND ITS LICENSORS,

EXPRESS OR IMPLIED, ARISING BY LAW OR

OTHERWISE, WITH RESPECT TO ANY

NONCONFORMANCE OR DEFECT IN THE OPTIONAL

SOFTWARE PRODUCT (INCLUDING, BUT NOT LIMITED

TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY

OR FITNESS FOR A PARTICULAR PURPOSE, ANY

IMPLIED WARRANTY ARISING FROM COURSE OF

PERFORMANCE, COURSE OF DEALING, OR USAGE OF

TRADE, ANY WARRANTY OF NONINFRINGEMENT,

ANY WARRANTY THAT THE OPTIONAL SOFTWARE

PRODUCT WILL MEET YOUR REQUIREMENTS, ANY

WARRANTY OF UNINTERRUPTED OR ERROR-FREE

OPERATION, ANY OBLIGATION, LIABILITY, RIGHT,

CLAIM OR REMEDY IN TORT, WHETHER OR NOT

ARISING FROM THE NEGLIGENCE (WHETHER

ACTIVE, PASSIVE OR IMPUTED) OR FAULT OF

WATCHGUARD AND ITS LICENSORS AND ANY

OBLIGATION, LIABILITY, RIGHT, CLAIM OR REMEDY

FOR LOSS OR DAMAGE TO, OR CAUSED BY OR

CONTRIBUTED TO BY, THE OPTIONAL SOFTWARE

PRODUCT).

Central Policy Manager Applications Guide vii

Limitation of Liability. WATCHGUARD'S LIABILITY

(WHETHER IN CONTRACT, TORT, OR OTHERWISE; AND

NOTWITHSTANDING ANY FAULT, NEGLIGENCE,

STRICT LIABILITY OR PRODUCT LIABILITY) WITH

REGARD TO THE OPTIONAL SOFTWARE PRODUCT

WILL IN NO EVENT EXCEED THE PURCHASE PRICE

PAID BY YOU FOR SUCH PRODUCT. THIS SHALL BE

TRUE EVEN IN THE EVENT OF THE FAILURE OF AN

AGREED REMEDY. IN NO EVENT WILL WATCHGUARD

BE LIABLE TO YOU OR ANY THIRD PARTY, WHETHER

ARISING IN CONTRACT (INCLUDING WARRANTY),

TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED

NEGLIGENCE AND STRICT LIABILITY AND FAULT),

FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR

CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT

LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS

INTERRUPTION, OR LOSS OF BUSINESS

INFORMATION) ARISING OUT OF OR IN CONNECTION

WITH THIS WARRANTY OR THE USE OF OR INABILITY

TO USE THE OPTIONAL SOFTWARE PRODUCT, EVEN IF

WATCHGUARD HAS BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE

TRUE EVEN IN THE EVENT OF THE FAILURE OF AN

AGREED REMEDY.

5.United States Government Restricted Rights. The

OPTIONAL SOFTWARE PRODUCT is provided with

Restricted Rights. Use, duplication or disclosure by the U.S.

Government or any agency or instrumentality thereof is

subject to restrictions as set forth in subdivision (c)(1)(ii) of

the Rights in Technical Data and Computer Software clause

at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of

the Commercial Computer Software -- Restricted Rights

Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer

is WatchGuard Technologies, Inc., 505 5th Ave. South,

Suite 500, Seattle, WA 98104.

6.Export Controls. You agree not to directly or indirectly

transfer the OPTIONAL SOFTWARE PRODUCT or

viii Central Policy Manager 5.1

documentation to any country to which such transfer would

be prohibited by the U.S. Export Administration Act and the

regulations issued thereunder.

7.Termination. This license and your right to use the

SOFTWARE PRODUCT will automatically terminate if you

fail to comply with any provisions of this AGREEMENT,

destroy all copies of the OPTIONAL SOFTWARE PRODUCT

in your possession, or voluntarily return the OPTIONAL

SOFTWARE PRODUCT to WATCHGUARD. Upon

termination you will destroy all copies of the OPTIONAL

SOFTWARE PRODUCT and documentation remaining in

your control or possession.

8.Miscellaneous Provisions. This AGREEMENT will be

governed by and construed in accordance with the

substantive laws of Washington excluding the 1980 United

National Convention on Contracts for the International Sale

of Goods, as amended. This is the entire AGREEMENT

between us relating to the OPTIONAL SOFTWARE

PRODUCT, and supersedes any prior purchase order,

communications, advertising or representations concerning

the OPTIONAL SOFTWARE PRODUCT AND BY USING

THE OPTIONAL SOFTWARE PRODUCT YOU AGREE TO

THESE TERMS. IF THE SOFTWARE PRODUCT IS

BEING USED BY AN ENTITY, THE INDIVIDUAL

INDICATING AGREEMENT TO THESE TERMS

REPRESENTS AND WARRANTS THAT (A) SUCH

INDIVIDUAL IS DULY AUTHORIZED TO ACCEPT THIS

AGREEMENT ON BEHALF OF THE ENTITY AND TO

BIND THE ENTITY TO THE TERMS OF THIS

AGREEMENT; (B) THE ENTITY HAS THE FULL POWER,

CORPORATE OR OTHERWISE, TO ENTER INTO THIS

AGREEMENT AND PERFORM ITS OBLIGATIONS

UNDER THIS AGREEMENT AND; (C) THIS

AGREEMENT AND THE PERFORMANCE OF THE

ENTITY'S OBLIGATIONS UNDER THIS AGREEMENT DO

NOT VIOLATE ANY THIRD-PARTY AGREEMENT TO

WHICH THE ENTITY IS A PARTY. No change or

modification of this AGREEMENT will be valid unless it is in

writing and is signed by WATCHGUARD.

Central Policy Manager Applications Guide ix

Contents

CHAPTER 1 Creating an IPSec Manual Key Policy .......1

Creating a New IPSec Manual Key Policy ...........................1

Entering the traffic specifications ......................................2

Selecting the action .......................................................2

Making this policy bidirectional ........................................2

Creating a Custom IPSec Action ........................................3

Configuring ESP protocols ..............................................4

Configuring AH protocol .................................................6

Completing this action ...................................................6

CHAPTER 2 Editing IKE Proposals and Pairs ................7

NAT Traversal (UDP Encapsulation) ...................................8

Selecting an Existing IKE Pair Setting .................................9

Creating a New IKE Proposal ..........................................10

Entering a single transform ............................................12

Entering more than one transform ..................................13

Changing the Authentication Process ..............................16

Using symmetric certificate matching rules .......................17

Using asymmetric certificate matching rules ......................18

Defining a custom preshared key ....................................18

x Central Policy Manager 5.1

CHAPTER 3 CPM Scheduler ......................................... 21

Batch Operations .......................................................... 21

Scheduling Batch Operations ......................................... 22

Deleting Batch Operations ............................................. 30

Stopping Batch Operations ............................................ 31

Why stop a batch operation? ........................................ 31

Scheduler Views ............................................................ 32

Batch View ................................................................ 33

Appliance View .......................................................... 34

CHAPTER 4 Creating Policies for Multi-Tenant Virtual

User Domains ............................................. 35

Creating policies for VLAN tenants ................................ 36

The advantages of a VLAN ........................................... 37

Inserting VLAN tenant security policies ........................... 38

Routing VLAN traffic through a WatchGuard appliance ....... 40

Note: Using a Firebox Vclass appliance in a VLAN setting ... 41

Creating policies for user-domain tenants ........................ 42

Inserting user domain tenant security policies .................. 42

Additional information ................................................. 43

An example of a user-domain policy in use ...................... 43

An overview of user-domain tenant authentication ........... 44

Inserting user domain tenant security policies .................. 45

How a user domain tenant makes a connection ............... 45

Activating the Firebox Vclass “authenticate with certificates”

feature

................................................................. 46

Importing a VPN certificate into a user’s Web browser ........ 47

CHAPTER 5 Defining Alarms ....................................... 49

About Built-in Alarms ..................................................... 49

About Probe Counters ................................................... 50

About Overriding Alarms ............................................... 51

Creating a New Alarm .................................................... 51

Adding system probe counters ...................................... 54

Adding VPN peer probe counters ................................. 56

Adding Interface probe counters ................................... 57

Central Policy Manager Applications Guide xi

Completing the alarm definition .....................................59

CHAPTER 6 Setting up and Managing Log Files ........61

Types of Logs .................................................................61

Log Size and Rollover .....................................................62

Viewing the CPM Log .....................................................63

Viewing the Logs for Specific Appliances .........................64

Revising Log Settings for an Appliance ............................64

Managing a Large Number of Log Entries ........................66

Changing the number of log entries per page ...................66

Filtering the contents of a log ........................................67

Creating a cumulative set of filters ..................................68

Archiving Log Files .........................................................68

CHAPTER 7 Maintaining Appliances ............................71

About the Shortcut Menu ...............................................71

Remotely Restarting an Appliance ...................................72

Remotely Shutting Down an Appliance ............................73

Restoring an Appliance to the Factory Default State .........73

Archiving an Appliance’s Profile as an XML File ................74

Synchronizing an Appliance’s Clock with CPM Server ........75

CHAPTER 8 Special Topics ............................................77

Installing CPM Server on a Solaris host ............................77

Backing up the CPM Database ........................................78

Restoring an Archived CPM Server Database ...................80

CHAPTER 9 Case Studies .............................................83

Dynamic NAT Firewall Policy ...........................................83

Policy (“dnat_access”) ..................................................83

QoS Actions ..................................................................84

Example 1: .................................................................84

Example 2: .................................................................85

VLAN in WatchGuard appliances .....................................86

Tunnel Switching Between Remote Sites ..........................87

Adding a new site .......................................................89

xii Central Policy Manager 5.1

CHAPTER 10 About the CPM Configuration Files ...... 91

CPM Server Config file ................................................... 91

Additional parameters ................................................. 95

CPM Client Config file ................................................... 97

CHAPTER 11 Real-time Monitor Probe Counters ........ 99

System Counters ........................................................... 99

Aggregate counters for all VPN end-point pairs ............. 105

IPSec counters per VPN end-point pair ........................ 106

Policy counters per policy ............................................ 107

Policy counters for all policies ....................................... 108

Interface counters ........................................................ 109

Central Policy Manager Applications Guide 1

CHAPTER 1 Creating an IPSec

Manual Key Policy

This chapter describes the process of creating a VPN

policy that uses a manual key. Initially, you must cre-

ate a set of manual key IPSec actions for use in your

policies. Critical parts of these actions include the

required security protocols, the preferred algorithms

for each, the manual key text for use with each proto-

col, and the local and peer SPI values for the two

appliances.

Note that manual key VPN policies cannot be applied

to more than two appliances.

Creating a New IPSec Manual Key Policy

To create a policy that establishes a bi-directional man-

ual-key VPN connection between two appliances, fol-

low these steps. You do not need to create a separate

policy for each direction of data traffic. You can apply

bidirectionality to a single unidirectional policy to

activate traffic in both directions.

CHAPTER 1: Creating an IPSec Manual Key Policy

2 Central Policy Manager 5.1

Entering the traffic specifications

1 Create a new policy row.

2 Drag-and-drop an address entry that represents the

private network of one of the two appliances into the

Source cell.

If you are creating a bidirectional VPN policy, you can drag

either address entry into the Source or Destination cells.

3 Drag-and-drop the address entry representing the

private network of the second appliance into the

Destination cell.

4 If you don’t want to use “ANY”, drag-and-drop the

relevant services from the Services tab into the policy

row Service cell.

Selecting the action

1 Open the IPSec Action tab and drag-and-drop the

appropriate manual key action into the Action cell.

CPM does not include any default manual-key IPSec actions. You

must create these actions before creating manual key policies.

For more information, see “Creating a Custom IPSec Action,”

below.

2 If necessary, open the Schedule tab and drag a

schedule entry into the Schedule cell.

If the Schedule cell does not appear in the policy row, select View

=> Show Columns => Schedule.

Making this policy bidirectional

1 Reopen the Policies tab, if it is not visible.

2 In the newly created policy, right-click the newly

added IPSec action, or the Action cell.

3 Select Bi-Directional to apply bidirectionality to this

IPSec action and the policy.

Creating a Custom IPSec Action

Central Policy Manager Applications Guide 3

Creating a Custom IPSec Action

If you find the default IPSec actions insufficient for your

particular network requirements, you can create and cus-

tomize your own IPSec action. These actions are usable in

as many policies as you want to apply them to:

1 Click the Configuration Editor window’s IPSec Action

tab.

2 Click the Create a New Object icon (shown at

right) and select New Manual IPSec from the

menu.

The IPSec Action dialog box appears, with its features

distributed into two tabs: General and Manual.

3 In the General tab (open by default) in the Name field,

type a name for this new action.

The name can consist of numbers, letters, hyphens (-), and

underscore (_) characters.

4 From the Mode menu, select either Tunnel or

Transport.

If you select Tunnel, this policy prompts the Firebox

Vclass appliance to hide any information about the

original sender of data. This option is preferred for site-

CHAPTER 1: Creating an IPSec Manual Key Policy

4 Central Policy Manager 5.1

to-site connections, in which the traffic goes through

the Firebox Vclass appliance.

If you select Transport, no additional identity masking

is applied. This option is recommended for use in

secured communication directed to either Firebox

Vclass appliance, such as SNMP traffic.

5 Click the Manual tab.

6 In both Local SPI and Peer SPI fields, type a different

unique number (between 256 and 65535) in each field.

The Local SPI entry is used to identify the key stored in the

source security appliance, while the Peer SPI entry identifies the

key used by the destination appliance. If you are activating

bidirectionality, you can enter the numbers arbitrarily, in either

field.

7 If you want to type the key text in hexadecimal

notation, select the checkbox marked use Hex.

Configuring ESP protocols

1 From the ESP Encrypt Alg menu, select the option you

want.

Creating a Custom IPSec Action

Central Policy Manager Applications Guide 5

2 Click Enter Key.

The ESP Encryption Key dialog box appears, listing a default key

composed of a randomly generated series of numbers.

3 If you want to type the key text in hexadecimal

notation, click by Hex.

4 In the Key field, enter the key.

You can accept the default, CPM-generated key text by clicking

OK.

5 Click OK to save the new key entry and close the ESP

Encryption Key dialog box.

6 When the Select IPSec dialog box’s Manual tab

reappears, open the ESP Hash Alg menu and select the

option you want.

7 Click Enter Key (to the right of the ESP Hash Alg

menu.)

The ESP Hash Key dialog box appears, listing a default key that

incorporates a randomly generated series of numbers.

8 If you want to type the key text in hexadecimal

notation, click by Hex.

9 In the Key field, enter the key.

You can accept the default, CPM-generated key text by clicking

OK.

10 Click OK to save the key entry and close this dialog

box.

CHAPTER 1: Creating an IPSec Manual Key Policy

6 Central Policy Manager 5.1

Configuring AH protocol

1 Click the Authentication Protocol checkbox.

2 Open the Hash Alg menu and select the option you

want.

3 Click Enter Key (to the right of the AH Hash Alg

menu.)

The AH Hash Key dialog box appears, listing a default key that

incorporates a randomly generated series of numbers.

4 If you want to type the key text in hexadecimal

notation, click by Hex.

5 In the Key field, enter the text of the key.

You can accept the default, CPM-generated key text by clicking

OK.

6 Click OK to save the key entry.

The IPSec Action dialog box reappears.

Completing this action

You can now save your new action entries and then select

this action for use in the policy.

1 To save your manual IPSec action entries, click OK.

2 You can now add this action to any new or existing

policies.

Central Policy Manager Applications Guide 7

CHAPTER 2 Editing IKE

Proposals and Pairs

Every time an automatic key IPSec action is applied to

a policy, CPM automatically generates an IKE pro-

posal that is used by the security appliances affected

by that policy. The default IKE proposals will meet the

majority of your needs. However, you can use CPM to

customize an existing proposal or create a new pro-

posal. This is especially useful if you are establishing

VPN tunnels between a Firebox Vclass appliance and

a “foreign” appliance that has its own internal pro-

posal structure.

You can also review and modify the settings for both

existing IKE pairs that are used in automatic key IKE

exchanges.

Before you can select or revise the IKE proposals for a

specific pair of peers, the following conditions must be

in effect:

• Each peer security appliance must be listed in the

Configuration Editor window and currently

visible to CPM by a live connection.

CHAPTER 2: Editing IKE Proposals and Pairs

8 Central Policy Manager 5.1

• All relevant pairings of security appliances (“peers”)

must be recorded in CPM as peer pairs in the

Configuration Editor window IKE Pairs tab.

• If third-party authentication is to be used, the

certificates must have already been imported to the

security appliances.

NAT Traversal (UDP Encapsulation)

A problem occurs with IPSec-encrypted packets crossing

NAT devices. The IPsec authentication header (AH) pro-

tects entire IP packets, including IP headers, from modifi-

cation. NAT modifies the IP header, causing an inherent

incompatibility. The IPsec Encapsulating Security Payload

(ESP) encrypts IP packets. NAT cannot modify TCP and

UDP ports when these values are encrypted. NAT is there-

fore incompatible with ESP.

The solution for this problem is UDP encapsulation, or NAT

traversal. UDP encapsulation wraps an IPsec packet inside a

UDP/IP header. This allows NAT to function, without

modifying the encapsulated IPsec packet.

Figure 3: UDP Encapsulation

Encapsulation requires “decapsulation.” ESP-wrapped

packets are exchanged between IKE peers: gateway-to-

gateway, client-to-gateway, and client-to-client. Peers must

support the same method of UDP ESP encapsulation.

NAT traversal is enabled per IKE policy. It is not a global

setting. If NAT traversal is enabled for an IKE policy, and

an IKE peer has NAT traversal capability but the peer’s

Original

IP Header

UDP

Header

Zero

Pad

ESP

Header

TCP/UDP Original Payload ESP Trail ESP Auth

Encrypted

Authenticated

Page is loading ...

Watchguard Firebox Vclass User guide

Watchguard Firebox Vclass User guide

Related papers

Other documents