Prestige to WatchGuard Tunneling

  1. Setup Prestige
  2. Setup WatchGuard

Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the CD-ROM that came with the unit.


This page explains how to set up an IPSec VPN tunnel between a ZyXEL Prestige and a WatchGuard Firebox. In the topology shown below, the tunnel between PC 1 and PC 2 protects the packets that flow between them; everything else on the WAN link stays in the clear. The settings required on the Prestige and on the WatchGuard are explained in the following sections.

The IP addresses used in this example are as follows:

  PC 1 ---- Prestige ---- (Internet) ---- WatchGuard ---- PC 2

  PC 1                             192.168.1.33
  Prestige       LAN: 192.168.1.1  WAN: 202.132.154.1
  WatchGuard     LAN: 192.168.2.1  WAN: 168.10.10.66
  PC 2                             192.168.2.33

Note: The following configuration assumes that both VPN gateways have fixed IP addresses. If one gateway has a dynamic IP address, enter 0.0.0.0 as the Secure Gateway IP Addr on the fixed side. In that case the VPN connection can only be initiated from the dynamic side: the fixed side learns the peer's current address from the source IP of the incoming negotiation and fills it into the 0.0.0.0 field. If both gateways use dynamic IP addresses, there is no way to establish the VPN connection at all.


1. Setup Prestige

  1. Log in to the Prestige by entering its LAN IP address in the browser's URL field. The default LAN IP address is 192.168.1.1 and the default password for the web configurator is 1234 (change it before exposing the WAN side to the Internet).
  2. Click Advanced, then click the VPN tab on the left.
  3. On the SUMMARY menu, select a policy to edit by clicking Edit.
  4. On the CONFIGURE-IKE menu, check the Active check box and give this policy a name.
  5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main.
  6. Set Source IP Address Start and Source IP Address End both to the IP of PC 1 (the secure host behind the Prestige); using the same address for Start and End selects a single host.
  7. Set Destination IP Address Start and Destination IP Address End both to the IP of PC 2 (the secure remote host behind the WatchGuard).
  8. My IP Addr is the WAN IP of the Prestige.
  9. Secure Gateway IP Addr is the remote secure gateway's IP, that is, the WatchGuard WAN IP in this example.
  10. Set Encapsulation Mode to Tunnel.
  11. Check the ESP check box. (AH cannot be used behind SUA/NAT: AH authenticates the IP header, and NAT rewrites it.)
  12. Set Encryption Algorithm to DES and Authentication Algorithm to MD5, matching what is configured on the WatchGuard in section 2. (DES and MD5 are the weakest choices; if both devices offer a stronger pair, prefer it, but whichever pair you choose must be identical on both ends.)
  13. Enter the key string 12345678 in the Preshared Key text box and click Apply. (This key is only an example; the WatchGuard Shared Key must be exactly the same string, and a real deployment should use a long random key.)

(Screen shot of the CONFIGURE-IKE page not reproduced here.)


2. Setup WatchGuard

  1. In the QuickSetup Wizard, select Configure in Routed Mode and click Next.
  2. Enter the IP address of PC 2 and click OK.
  3. In External Interface, enter the WAN IP of the WatchGuard; in Trusted Interface, enter the LAN IP of the WatchGuard. Then click Next.
  4. Enter the Default Gateway of the WatchGuard, then click Next twice.
  5. Enter your passwords for Status and Configuration, then click Next.
  6. Select Use Serial Cable to Assign IP Address and the serial port of your computer, then click Next and OK.
  7. Turn the Firebox off and on again, and wait for the configuration file to be uploaded.
  8. In the WatchGuard Control Center, click the Policy Manager icon.
  9. Pull down Network -> Branch Office VPN -> IPSec. See the figure below.
  10. Click Gateway, then click Add.
  11. Enter a name for the remote security gateway in the Name field, and enter the remote gateway IP (the Prestige WAN IP, 202.132.154.1 in this example) in the Remote Gateway IP field.
  12. Select isakmp (dynamic) as the Key Negotiation Type (this corresponds to IKE on the Prestige) and enter the same preshared key as on the Prestige (12345678 in this example) as the Shared Key.
    (Screen shot: zw_wg02.gif)
  13. Click Tunnels, then click Add.
  14. Select the Gateway you created and click OK.
  15. Enter a name for this Tunnel in the Name field.
  16. Click the Dynamic Security tab and select Type, Authentication and Encryption for your SAP. These settings must be consistent with the Prestige settings.
  17. Enable Key expiration, then click OK twice. (In this example: ESP, MD5-HMAC, DES-CBC, which are the WatchGuard labels for the Prestige's ESP, MD5 and DES.)
    (Screen shot: zw_wg03.gif)
  18. Click Add in the main menu to add a Routing Policy.
  19. In Local Host, enter the IP of PC 2 (the host behind the WatchGuard); in Remote Host, enter the IP of PC 1 (the host behind the Prestige). This is the mirror image of the Prestige policy, whose source is PC 1 and destination is PC 2; if the two addresses are swapped, the selectors will not match and the tunnel will not carry the traffic. Select Secure in Disposition and the Tunnel you created, then click OK twice.

  20. Select Save to Firebox and enter the write pass phrase for your WatchGuard.
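Most failures in this setup come from the two ends disagreeing: the algorithms differ, the preshared key differs, a gateway address is wrong, or the selectors are not mirror images. The script below is an added example for this page, not code from ZyXEL or WatchGuard: it models the Prestige policy from section 1 and the WatchGuard gateway, tunnel and routing policy from section 2 as plain dictionaries (the dictionary layout and the names prestige-gw and prestige-tunnel are this example's own assumptions, following the labels in the two configurators) and reports every mismatch before you try to bring the tunnel up. It also implements the 0.0.0.0 rule from the note above to tell you which side may initiate.

```python
"""
Cross-check a Prestige IKE policy (section 1) against the WatchGuard
gateway, tunnel and routing policy (section 2) before bringing the tunnel
up. Added example for this page, not vendor code; the dict layout and
field names are this example's own assumptions.
"""
import ipaddress

# Prestige CONFIGURE-IKE policy, with the addresses from the table above.
PRESTIGE = {
    "active": True,
    "keying_mode": "IKE",
    "negotiation_mode": "Main",
    "source_start": "192.168.1.33",        # PC 1, behind the Prestige
    "source_end": "192.168.1.33",
    "dest_start": "192.168.2.33",          # PC 2, behind the WatchGuard
    "dest_end": "192.168.2.33",
    "my_ip": "202.132.154.1",              # Prestige WAN
    "secure_gateway_ip": "168.10.10.66",   # WatchGuard WAN, or 0.0.0.0 if dynamic
    "encapsulation": "Tunnel",
    "protocol": "ESP",                     # AH is rejected behind SUA/NAT
    "encryption": "DES",
    "authentication": "MD5",
    "preshared_key": "12345678",
    "behind_nat": True,                    # SUA/NAT is on, as the page assumes
}

# WatchGuard Branch Office VPN objects: gateway (steps 10-12), tunnel
# (steps 13-17), routing policy (steps 18-19). The object names are
# assumed, not fixed identifiers.
WATCHGUARD = {
    "external_ip": "168.10.10.66",
    "gateway": {"name": "prestige-gw",
                "remote_gateway_ip": "202.132.154.1",   # Prestige WAN, or 0.0.0.0
                "key_negotiation": "isakmp (dynamic)",
                "shared_key": "12345678"},
    "tunnel": {"name": "prestige-tunnel", "type": "ESP",
               "authentication": "MD5-HMAC", "encryption": "DES-CBC"},
    "policy": {"local_host": "192.168.2.33",    # PC 2, behind the WatchGuard
               "remote_host": "192.168.1.33",   # PC 1, across the tunnel
               "disposition": "Secure"},
}


def _alg(name):
    """WatchGuard labels the same algorithms DES-CBC / MD5-HMAC; compare families."""
    return name.upper().replace("-CBC", "").replace("-HMAC", "")


def _in_range(host, start, end):
    return (ipaddress.ip_address(start) <= ipaddress.ip_address(host)
            <= ipaddress.ip_address(end))


def check_consistency(p, w):
    """Return the list of mismatches between the two ends (empty means OK)."""
    problems = []
    if not p["active"]:
        problems.append("Prestige policy is not Active")
    if p["keying_mode"] != "IKE" or w["gateway"]["key_negotiation"] != "isakmp (dynamic)":
        problems.append("keying: Prestige needs IKE, WatchGuard needs isakmp (dynamic)")
    if p["negotiation_mode"] != "Main" or p["encapsulation"] != "Tunnel":
        problems.append("Prestige needs Negotiation Mode Main and Encapsulation Tunnel")
    if p["protocol"] == "AH" and p["behind_nat"]:
        problems.append("AH cannot pass SUA/NAT (NAT rewrites the header AH signs); use ESP")
    if p["protocol"] != w["tunnel"]["type"]:
        problems.append("IPSec protocol differs: %s vs %s" % (p["protocol"], w["tunnel"]["type"]))
    if _alg(p["encryption"]) != _alg(w["tunnel"]["encryption"]):
        problems.append("encryption algorithm differs")
    if _alg(p["authentication"]) != _alg(w["tunnel"]["authentication"]):
        problems.append("authentication algorithm differs")
    if p["preshared_key"] != w["gateway"]["shared_key"]:
        problems.append("preshared key differs")
    # Each gateway must name the other's WAN address (0.0.0.0 = dynamic peer).
    if w["gateway"]["remote_gateway_ip"] not in ("0.0.0.0", p["my_ip"]):
        problems.append("WatchGuard Remote Gateway IP is not the Prestige My IP Addr")
    if p["secure_gateway_ip"] not in ("0.0.0.0", w["external_ip"]):
        problems.append("Prestige Secure Gateway IP Addr is not the WatchGuard external IP")
    # Selectors must be mirror images: Prestige source == WatchGuard Remote
    # Host, Prestige destination == WatchGuard Local Host.
    pol = w["policy"]
    if not _in_range(pol["remote_host"], p["source_start"], p["source_end"]):
        problems.append("WatchGuard Remote Host is outside the Prestige source range")
    if not _in_range(pol["local_host"], p["dest_start"], p["dest_end"]):
        problems.append("WatchGuard Local Host is outside the Prestige destination range")
    if pol["disposition"] != "Secure":
        problems.append("WatchGuard routing policy Disposition must be Secure")
    return problems


def initiators(p, w):
    """Which side(s) may bring the tunnel up under the 0.0.0.0 rule in the
    note above. Treating 0.0.0.0 in the WatchGuard Remote Gateway IP field
    the same way is this example's assumption."""
    watchguard_dynamic = p["secure_gateway_ip"] == "0.0.0.0"
    prestige_dynamic = w["gateway"]["remote_gateway_ip"] == "0.0.0.0"
    if prestige_dynamic and watchguard_dynamic:
        return set()                      # no way to establish the tunnel
    if prestige_dynamic:
        return {"Prestige"}
    if watchguard_dynamic:
        return {"WatchGuard"}
    return {"Prestige", "WatchGuard"}


if __name__ == "__main__":
    for line in check_consistency(PRESTIGE, WATCHGUARD) or ["configurations agree"]:
        print(line)
    print("may initiate:", sorted(initiators(PRESTIGE, WATCHGUARD)))
```

Edit the two dictionaries to match what you actually typed into each box and run the script; with the values from this page it reports that the configurations agree and that either side may initiate. Swapping Local Host and Remote Host on the WatchGuard, or selecting AH, is reported as a mismatch.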

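Once both sides are saved, the only proof that the tunnel protects PC 1 and PC 2 is a capture on the WAN link: you should see IKE on UDP port 500 between the two gateway WAN addresses, then ESP between them, and never a packet carrying a PC 1 or PC 2 address in the clear. The script below is an added example for this page, not vendor code; it parses tcpdump's default text output (run tcpdump -n on a tap or span of the Prestige WAN link while pinging PC 2 from PC 1) and flags leaks. The capture lines in it are constructed for the example; the last one shows an echo request that left the Prestige through SUA/NAT instead of the tunnel, which is what a swapped or inactive policy looks like on the wire.

```python
"""
Audit a WAN-side tcpdump capture to confirm that the PC 1 <-> PC 2 traffic
really travels inside the tunnel. Added example for this page, not vendor
code; the sample capture is constructed by hand.
"""
import re

GATEWAYS = {"202.132.154.1", "168.10.10.66"}       # Prestige WAN, WatchGuard WAN
PROTECTED_HOSTS = {"192.168.1.33", "192.168.2.33"}  # PC 1, PC 2

_PKT = re.compile(r"\bIP (\S+) > (\S+?): (.*)")


def _split_host_port(token):
    """tcpdump prints 'a.b.c.d.port' for UDP/TCP; strip the port if present."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return token, None


def parse_line(line):
    """Return src/dst/ports and a kind (isakmp, esp, other), or None."""
    m = _PKT.search(line)
    if not m:
        return None
    src, sport = _split_host_port(m.group(1))
    dst, dport = _split_host_port(m.group(2))
    payload = m.group(3)
    if payload.startswith("isakmp"):
        kind = "isakmp"
    elif payload.startswith("ESP("):
        kind = "esp"
    else:
        kind = "other"
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "kind": kind}


def audit_wan_capture(lines):
    """Count IKE and ESP packets between the gateways and collect any packet
    that exposes a protected host's traffic in the clear on the WAN."""
    summary = {"isakmp": 0, "esp": 0, "leaks": []}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        ends = {pkt["src"], pkt["dst"]}
        if pkt["kind"] == "isakmp" and ends == GATEWAYS and pkt["dport"] == "500":
            summary["isakmp"] += 1
        elif pkt["kind"] == "esp" and ends == GATEWAYS:
            summary["esp"] += 1
        elif ends & PROTECTED_HOSTS:
            # A PC 1 or PC 2 address visible on the WAN means the packet
            # bypassed the policy. With SUA/NAT on, the source is already
            # rewritten to the Prestige WAN IP, so check both ends.
            summary["leaks"].append(line.strip())
    return summary


def tunnel_ok(summary):
    return summary["isakmp"] > 0 and summary["esp"] > 0 and not summary["leaks"]


# Constructed sample in tcpdump's default text format, as seen on the
# Prestige WAN link: phase 1 and phase 2, two ESP packets, then one echo
# request that went out through SUA/NAT instead of the tunnel.
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 202.132.154.1.500 > 168.10.10.66.500: isakmp: phase 1 I ident
10:00:00.010002 IP 168.10.10.66.500 > 202.132.154.1.500: isakmp: phase 1 R ident
10:00:00.050003 IP 202.132.154.1.500 > 168.10.10.66.500: isakmp: phase 2/others I oakley-quick[E]
10:00:00.060004 IP 168.10.10.66.500 > 202.132.154.1.500: isakmp: phase 2/others R oakley-quick[E]
10:00:01.000005 IP 202.132.154.1 > 168.10.10.66: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:00:01.010006 IP 168.10.10.66 > 202.132.154.1: ESP(spi=0x0d2c1b0a,seq=0x1), length 116
10:00:02.000007 IP 202.132.154.1 > 192.168.2.33: ICMP echo request, id 1, seq 2, length 64
""".splitlines()

if __name__ == "__main__":
    result = audit_wan_capture(SAMPLE_CAPTURE)
    print(result)
    print("tunnel OK" if tunnel_ok(result) else "tunnel NOT OK: traffic leaking in the clear")
```

Feed real output in with something like `tcpdump -n -l | python3 audit.py` after replacing SAMPLE_CAPTURE with sys.stdin; the -n flag matters because name resolution would change the address tokens the parser expects.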