Watchguard V10 - Firebox Vclass Appliance VPN Solutions; Mobile User VPN

Watchguard V10
477 pages
CHAPTER 11: Using Virtual Private Networks (VPN)
304 Vcontroller
gateway, client-to-gateway, and client-to-client. Peers must support the same method of UDP ESP encapsulation.
NAT traversal is enabled per IKE policy. It is not a global setting. If NAT traversal is enabled for an IKE policy, and an IKE peer has NAT traversal capability but the peer’s policy has not enabled NAT traversal, Vclass will not perform NAT traversal negotiation with the remote peer.
After the tunnel is established, IKE sends a keep-alive message to the remote peer at a fixed interval. The default interval is 20 seconds, but this value can be changed.
Firebox Vclass appliance VPN Solutions
The WatchGuard Firebox System offers several methods to
provide secure tunnels:
Mobile User VPN (Remote User VPN)
VPN to other IPSec compliant devices
Mobile User VPN
Mobile User VPN (MUVPN) requires configuration of both the Firebox Vclass appliance and the remote client computers. However, the Firebox Vclass administrator has considerable control over the client configuration. MUVPN users authenticate either to the Firebox Vclass appliance or to a RADIUS authentication server. Authentication takes place either by using shared keys or certificates.
The complete procedure for using MUVPN is documented in the Vclass Mobile User VPN Administration Guide and the operating system-specific MUVPN end-user brochures. For information on configuring the Firebox Vclass appliance to use MUVPN, see Chapter 13, “Creating a Remote User VPN Policy” on page 327.
