VPN

By TG Publishing Team, published on November 8, 2003
Source: Tom's Guide US | Themes: Business Notebooks

5. VPN

The 6tcw handles two types of IPsec tunneling. The first, which WatchGuard calls "Branch Office", sets up a tunnel either between two WatchGuard SOHO-series appliances or from a SOHO back to one of the company's Firebox-series VPN gateways. The Firebox case is simplified by a "Managed VPN" capability that essentially requires you to enter only the address of the remote Firebox and some simple authentication information.

The second method is Mobile User VPN (MUVPN). MUVPN uses the SafeNet SoftRemote IPsec client, running on Windows machines, to tunnel to the router itself. WatchGuard includes a 10-seat MUVPN license (originally a one-seat license), but you need to download the client yourself, either with or without an integrated copy of ZoneAlarm's personal firewall for an extra measure of protection.

I worked only with MUVPN and frankly had a hell of a time getting a successful tunnel. The MUVPN client doesn't come pre-configured to match the 6tcw's setup and the documentation had errors in key places and was also incomplete. After I tried all the tricks I knew and contacted WatchGuard, they apologized and sent an updated manual that still had incorrect information and didn't get me any closer to a connection.

They eventually had a support person call, who found the problem was caused by mismatched settings related to the product's split-tunneling capabilities. WatchGuard said they're working on better documentation and setup wizards for their next firmware release.

Two important "features" of MUVPN are that it works only in Aggressive mode and requires static IP addresses on both ends of the tunnel. Although this is fine for a VPN across your own wireless LAN, the static-IP requirement may prevent you from connecting remotely over the Internet, where the client end usually has a dynamically assigned address. Aggressive mode also carries a security cost: with pre-shared keys, the responder's authentication hash is sent in the clear in the second IKE message, so anyone who can sniff the exchange can mount an offline dictionary attack on the pre-shared key. Choose a long, random key.

I was surprised that the IPsec setup options weren't more extensive in Manual VPN mode, which you'd use to tunnel the box to something other than a WatchGuard Firebox (Figure 5).

Figure 5: Manual VPN setup

There's no support for certificate-based authentication, so tunnels are authenticated with a pre-shared key, and your only choices for Phase 1 IDs are IP address and Domain (a domain-name identifier), although Phase 2 does allow subnets to be specified for both the local and remote ends of the connection.
