Prestige to WatchGuard Tunneling
- Setup Prestige
- Setup WatchGuard
Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.
This page explains how to set up a VPN connection between Prestige and WatchGuard. As shown in the figure below, the tunnel between PC 1 and PC 2 ensures that the packets flowing between them are secure. The settings required on Prestige and WatchGuard to set up this VPN tunnel are explained in the following sections.
The IP addresses we use in this example are as shown below.

| PC 1 | Prestige | WatchGuard | PC 2 |
|---|---|---|---|
| 192.168.1.33 | LAN: 192.168.1.1, WAN: 202.132.154.1 | LAN: 192.168.2.1, WAN: 168.10.10.66 | 192.168.2.33 |
Note: The following configuration assumes that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP, we enter 0.0.0.0 as the secure gateway IP address. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side, so that the fixed side learns the dynamic IP. The source IP is obtained from this connection and then replaces the previous 0.0.0.0 entry. However, if both gateways use dynamic IP addresses, there is no way to establish a VPN connection at all.
1. Setup Prestige
- Log in to the Prestige by entering its LAN IP address in the browser's URL field. The default LAN IP is 192.168.1.1, and the default password for the web configurator is 1234.
- Click Advanced, then click the VPN tab on the left.
- On the SUMMARY menu, select a policy to edit by clicking Edit.
- On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
- Set IPSec Keying Mode to IKE and Negotiation Mode to Main.
- Source IP Address Start and Source IP Address End are both the PC 1 IP in this example (the secure host behind Prestige).
- Destination IP Address Start and Destination IP Address End are both the PC 2 IP in this example (the secure remote host).
- My IP Addr is the WAN IP of Prestige.
- Secure Gateway IP Addr is the remote secure gateway IP, that is, the WatchGuard WAN IP in this example.
- Set Encapsulation Mode to Tunnel.
- Check the ESP check box. (AH cannot be used in the SUA/NAT case.)
- Set Encryption Algorithm to DES and Authentication Algorithm to MD5, as we configured in WatchGuard.
- Enter the key string 12345678 in the Preshared Key text box, and click Apply.
See the screen shot:
2. Setup WatchGuard
- In the QuickSetup Wizard, select Configure in Routed Mode, then click Next.
- Enter the IP of PC 2, then click OK.
- In External Interface, enter the WAN IP of WatchGuard; in Trusted Interface, enter the LAN IP of WatchGuard. Then click Next.
- Enter the Default Gateway of WatchGuard, then click Next twice.
- Enter your passwords for Status and Configuration, then click Next.
- Select Use Serial Cable to Assign IP Address and the Serial Port of your computer, then click Next and OK.
- Turn the Firebox off and on again. Wait for the configuration file to be uploaded.
- In the 'WatchGuard Control Center', click the Policy Manager icon.
- Pull down Network -> Branch Office VPN -> IPSec.
See the figure below.

- Click Gateway, then click Add.
- Enter a name for the remote security gateway in the Name field, and enter the remote gateway IP in the Remote Gateway IP field.
- Select isakmp (dynamic) (IKE in Prestige) as Key Negotiation Type and enter a string as Share Key.

- Click Tunnels, then click Add.
- Select the Gateway you created and click OK.
- Enter a name for this Tunnel in the Name field.
- Click the Dynamic Security tab and select Type, Authentication and Encryption for your SAP. These settings must be consistent with the Prestige settings.
- Enable the Key expiration. Then click OK twice. (ESP, MD5-HMAC, DES-CBC)

- Click Add in the main menu to add a Routing Policy.
- In Local Host, enter the PC1 IP; in Remote Host, enter the PC2 IP. Then select Secure in Disposition and the Tunnel you created, and click OK twice.

- Select 'Save to Firebox' and enter the write pass phrase for your WatchGuard.
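
The two halves of this procedure only work if both gateways end up with the same IPSec settings and point at each other's WAN address. The check below is an added example (not part of the original guide or of either vendor's tooling) that audits the values used on this page. The `Gateway` fields, the finding labels, the legacy-algorithm list and the 20-character key threshold are assumptions made for illustration, and WatchGuard's MD5-HMAC and DES-CBC are written as MD5 and DES.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Gateway:
    name: str
    wan_ip: str       # "My IP Addr" / External Interface
    peer_ip: str      # "Secure Gateway IP Addr" / "Remote Gateway IP"; 0.0.0.0 = dynamic peer
    hosts: frozenset  # the two protected endpoints named in the policy
    proto: str        # ESP or AH
    enc: str
    auth: str
    psk: str

# Assumption (general cryptographic guidance, not stated on the page):
# DES and MD5 are legacy algorithms that an audit should flag.
LEGACY = {"DES", "MD5"}

def audit(a: Gateway, b: Gateway) -> list[str]:
    """Return findings for one tunnel as configured on gateways a and b."""
    findings = []
    # Both ends must agree on these settings or the negotiation fails.
    for field in ("proto", "enc", "auth", "psk", "hosts"):
        if getattr(a, field) != getattr(b, field):
            findings.append(f"mismatch:{field}")
    # Each side must name the other's WAN IP, or 0.0.0.0 for a dynamic peer.
    for x, y in ((a, b), (b, a)):
        if x.peer_ip not in ("0.0.0.0", y.wan_ip):
            findings.append(f"wrong-peer:{x.name}")
    # The page's note: two dynamic ends can never establish the tunnel.
    if a.peer_ip == b.peer_ip == "0.0.0.0":
        findings.append("both-dynamic")
    findings += [f"legacy:{alg}" for alg in (a.enc, a.auth) if alg in LEGACY]
    # Assumed heuristic: short or digits-only keys are guessable.
    if len(a.psk) < 20 or a.psk.isdigit():
        findings.append("weak-psk")
    return findings

# Values taken from the page's example.
HOSTS = frozenset({"192.168.1.33", "192.168.2.33"})
PRESTIGE = Gateway("Prestige", "202.132.154.1", "168.10.10.66", HOSTS, "ESP", "DES", "MD5", "12345678")
WATCHGUARD = Gateway("WatchGuard", "168.10.10.66", "202.132.154.1", HOSTS, "ESP", "DES", "MD5", "12345678")

if __name__ == "__main__":
    print(audit(PRESTIGE, WATCHGUARD))
    # Constructed misconfiguration: WatchGuard left on a different cipher.
    print(audit(PRESTIGE, replace(WATCHGUARD, enc="3DES")))
```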
