Watchguard XTM26 to DrayTek Vigor 3900 IPSec VPN
Firstly let's set-up the Watchguard XTM Firebox:
Here we are using the software management tool rather than the browser but either will suffice if you stick to the correct encryption and key properties.
Open up the Policy Manager. Then click on the Branch Office Gateways option from the menu, you see as below:
Click the add button to open the Gateways properties box and enter the gateway name and pre-shared-key (PSK).
Once you have entered the PSK, which must be identical to the shared key we are to enter in the DrayTek, click the add button bottom right to enter the gateway endpoint:
Enter the external IP of the Watchguard (126.96.36.199 in the above example) and for the DrayTek (which is 188.8.131.52) so we enter the relevant IPs and choose the external interface that we are using on the Firebox (the interface with the external IP we are entering in this box for the Firebox)
Say OK to close this dialog box
When back to the last box, click on the Phase 1 tab at the top to see the below where we configure the Phase 1 settings for our encryption:
We shall tick the boxes for IKE keep alive and dead peer detection and then click 'Edit' at the bottom to edit the encryption choices:
I am using the American Encryption Standard on an 8 hour time out but feel free to choose anything you like as long as you take note to make sure it is the same on the DrayTek.
Click OK to close the box and OK again to return us back to the Policy Manager screen
Once back to the Policy Admin screen click on the VPN menu and choose Branch Office Tunnels:
Click the 'add' button to create the IPSec tunnel:
Click the 'add' button to configure the tunnel:
Here we are adding the internal IPs for the local and remote domains. In this example we are using 192.168.x.x subnets and so we enter the local Firebox subnet and the remote DrayTek subnet with the /24 255.255.255.0 Class C subnet. Click OK to close.
Now choose the Phase 2 tab at the top of the last screen:
Tick the PFS (Perfect forward Secret) box and choose Group 5 as this is what we configure on the DrayTek.
In the above I have not altered the ESP-AES-SHA1 IPSec proposal as it is the one I wish to use but you may add a custom one if you choose.
Click OK to return to the other screen
Click close on the tunnel screen to return to policy manager and save the settings to the Firebox.
Now we move onto the DrayTek Vigor 3900.
Once logged into the device, we are setting a new IPSec profile under VPN and Remote Access > IPSec Profiles
Choose to create a new profile and you are presented with the new IPSec profile dialogue:
We tick the Enable box at the top to enable the profile.
We can leave the first two boxes as we are receiving only and expecting a router rather than a user.
In this case the DrayTek is expecting the VPN at the IP address associated with WAN1 so we leave that.
The local IP Address/Subnet mask are the same as those we set as the remote network details on the Watchguard and represent the internal network we are granting access to the Watchguard router network.
The Local Next Hop and Remote Host can remain as they are as the home user network will almost certainly have a dynamically assigned IP address.
The IKE protocol and Phase 1 settings can remain as defaults
Auth Type is set to PSK - Pre Shared Key and enter the same key as you entered into the Watchguard earlier.
The security protocol is set as ESP
Now we moved onto the second page:
We are leaving the Phase 1 & 2 lifetimes as they are as they already match the Watchguard- you should update these to be the same as your Watchguard settings if you chose other than default periods.
Perfect Forward Secrecy (PFS) is on
All the other settings can remain as they are, except that once again we are setting NetBIOS naming packet as on.
Apply and save the changes.
We should now see from the status screen that a network VPN has been established.
And from the machine we are using, we can ping the remote 192.168.x.0 network...
Buy DrayTek Vigor VPN routers here