Create Branch Office Tunnel WatchGuard 


Set up a VPN Between Two Fireware Devices (WSM) 

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This document tells you how to use Policy Manager to define a manual BOVPN tunnel between two Fireboxes. 

For the same example as configured in Fireware Web UI, see Set up a VPN Between Two Fireware Devices (Web UI).

For detailed information about BOVPN settings, see: 

Determine IP Address and Tunnel Settings  

Before you create a manual BOVPN tunnel, we recommend that you determine which IP addresses and settings to use. This topic includes a checklist that can help you plan.  

In this example, both endpoints have static external IP addresses. For information on BOVPN tunnels to devices with a dynamic external IP address, see Define Gateway Endpoints for a BOVPN Gateway.

Make sure that you configure the VPN endpoints correctly and that the Phase 1 and Phase 2 settings are the same on both Fireboxes. The VPN tunnel does not build if the settings do not match. 

If a setting does not appear in this list, keep the default value for that setting.  

BOVPN Tunnel Settings 

Site A Firebox  

Public IP address: ______________________________  

Private IP address: _____________________________  

Site B Firebox 

Public IP address: ______________________________ 

Private IP address: _____________________________  

Phase 1 Settings 

Both Fireboxes must use exactly the same values. 

For a BOVPN tunnel between two Fireboxes, we recommend that you select Dead Peer Detection (RFC3706), not IKE Keep-Alive. Do not select both. You should always select Dead Peer Detection if both endpoint devices support it. 

Credential method: Select Use Pre-Shared Key.  

Pre-shared key: ______________________________  

IKE Version: IKEv1 ____ IKEv2 ____  

Mode (choose one): Main ____ Aggressive ____  

NAT Traversal: Yes ____ No ____ 

NAT Traversal Keep-alive interval: ________________ 

IKE Keep-alive: Yes ____ No ____ 

IKE Keep-alive Message interval: ________________ 

IKE Keep-alive Max failures: ________________ 

Dead Peer Detection (RFC3706): Yes ____ No ____ 

Dead Peer Detection Traffic idle timeout: ________________ 

Dead Peer Detection Max retries: ________________ 

Authentication algorithm (choose one): MD5____ SHA1____ SHA2-256____ SHA2-384____ SHA2-512____ 

We recommend SHA-1 or SHA-2. 

Encryption algorithm (choose one): DES____ 3DES____ AES-128____ AES-192____ AES-256____ AES-GCM-128____ AES-GCM-192____ AES-GCM-256____ 

We recommend an AES variant. AES-GCM is supported in Fireware v12.2 or higher. AES-GCM is supported for IKEv2 only. 

SA Life ________________  

Select Hours as the unit for SA life.  

Diffie-Hellman Group (choose one): 1____ 2____ 5____14____15____19____20____ 

Phase 2 Settings 

Both Fireboxes must use exactly the same values. 

Perfect Forward Secrecy (Diffie-Hellman Group): Disable____ Group1____ Group2____ Group5____ Group14____ Group15____ Group19____ Group20____  

Authentication algorithm (choose one): MD5____ SHA1____ SHA2-256____ SHA2-384____ SHA2-512____ (We recommend SHA-1 or SHA-2) 

Encryption algorithm (choose one): DES____ 3DES____ AES-128____ AES-192____ AES-256____ AES-GCM-128____ AES-GCM-192____ AES-GCM-256____ 

We recommend an AES variant. AES-GCM is supported in Fireware v12.2 or higher. AES-GCM is supported for ESP only. 

Force Key Expiration Time (Hours): ________________  

Force Key Expiration Traffic (kilobytes): ________________  

Example Tunnel Settings  

This section has the same fields as the previous section, and includes example settings. These settings correspond to the settings that appear in the images in this example. 

Site A Firebox  

Public IP address: 203.0.113.2 

Private network IP address: 10.0.1.0/24 

Site B Firebox  

Public IP address: 198.51.100.2 

Private network IP address: 10.50.1.0/24 

Phase 1 Settings  

Both sides must use exactly the same values. 

Credential method: Select Use Pre-Shared Key. 

Pre-shared key: [Specify a strong key] 

Version: IKEv1 

Mode: Main  

NAT Traversal: Enable 

NAT Traversal Keep-alive interval: 20 seconds 

IKE Keep-alive: Disable 

IKE Keep-alive Message interval: none 

IKE Keep-alive Max failures: none 

Dead Peer Detection (RFC3706): Enable 

Dead Peer Detection Traffic idle timeout: 20 seconds 

Dead Peer Detection Max retries: 5 

Authentication algorithm: SHA256 

Encryption algorithm: AES (256-bit) 

SA Life: 24 hours 

Diffie-Hellman Group: 14  

Phase 2 Settings  

Both sides must use exactly the same values. 

Perfect Forward Secrecy (Diffie-Hellman Group): 14 

Type: ESP  

Authentication algorithm: SHA256 

Encryption algorithm: AES (256-bit) 

The settings in this example are the default Phase 1 and 2 settings in Fireware v12.0 and higher. The default Phase 1 and 2 settings are different in Fireware v11.12.4 and lower. For more information about these settings in Fireware v11.12.4 and lower, see Fireware Help version 11. 
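As an added pre-flight check that is not part of the WatchGuard documentation, the following Python script encodes the checklist rules from this page (Phase 1 and Phase 2 settings identical on both Fireboxes, Dead Peer Detection rather than IKE Keep-alive and never both, AES-GCM only with IKEv2/ESP on Fireware v12.2 or higher, Main mode only when both external IPs are static, an ASCII-only pre-shared key, and tunnel route and gateway in the same address family) and runs them against the example settings above. The dictionary keys, the version tuple and the placeholder pre-shared key are assumptions made for this example.

```python
# Added example, not WatchGuard code: pre-flight check of a planned BOVPN
# configuration against the rules in the checklist above. Values are the
# page's example settings; the pre-shared key is a constructed placeholder.
import ipaddress

SITE_A = {
    "public_ip": "203.0.113.2", "private_net": "10.0.1.0/24", "dynamic_ip": False,
    "psk": "ExamplePreSharedKey-ReplaceMe",   # placeholder, not a real key
    "ike_version": "IKEv1", "mode": "Main", "nat_traversal": True,
    "ike_keepalive": False, "dpd": True,
    "p1_auth": "SHA2-256", "p1_enc": "AES-256", "p1_sa_life_hours": 24, "dh_group": 14,
    "pfs_group": 14, "p2_type": "ESP", "p2_auth": "SHA2-256", "p2_enc": "AES-256",
    "fireware": (12, 0),                      # assumed (major, minor) version
}
SITE_B = dict(SITE_A, public_ip="198.51.100.2", private_net="10.50.1.0/24")

# Settings the page says must be exactly the same on both Fireboxes.
MUST_MATCH = ["psk", "ike_version", "mode", "nat_traversal", "ike_keepalive", "dpd",
              "p1_auth", "p1_enc", "p1_sa_life_hours", "dh_group",
              "pfs_group", "p2_type", "p2_auth", "p2_enc"]

def check_site(name, s):
    """Apply the single-Firebox rules from the checklist; return a list of findings."""
    issues = []
    if not s["psk"].isascii():
        issues.append(f"{name}: pre-shared key must use only standard ASCII characters")
    if s["ike_keepalive"] and s["dpd"]:
        issues.append(f"{name}: select Dead Peer Detection or IKE Keep-alive, not both")
    if not s["dpd"]:
        issues.append(f"{name}: Dead Peer Detection (RFC3706) is recommended between Fireboxes")
    if s["p1_enc"].startswith("AES-GCM"):
        if s["ike_version"] != "IKEv2":
            issues.append(f"{name}: Phase 1 AES-GCM requires IKEv2")
        if s["fireware"] < (12, 2):
            issues.append(f"{name}: Phase 1 AES-GCM requires Fireware v12.2 or higher")
    if s["p2_enc"].startswith("AES-GCM") and (s["p2_type"] != "ESP" or s["fireware"] < (12, 2)):
        issues.append(f"{name}: Phase 2 AES-GCM requires ESP and Fireware v12.2 or higher")
    if "MD5" in (s["p1_auth"], s["p2_auth"]):
        issues.append(f"{name}: MD5 selected; SHA-1 or SHA-2 is recommended")
    if not (s["p1_enc"].startswith("AES") and s["p2_enc"].startswith("AES")):
        issues.append(f"{name}: DES/3DES selected; an AES variant is recommended")
    # The tunnel route must be the same address family (IPv4 or IPv6) as the gateway.
    if ipaddress.ip_network(s["private_net"]).version != ipaddress.ip_address(s["public_ip"]).version:
        issues.append(f"{name}: tunnel route and gateway use different address families")
    return issues

def check_pair(a, b):
    """Run both per-site checks, then the rules that compare the two endpoints."""
    issues = check_site("Site A", a) + check_site("Site B", b)
    for key in MUST_MATCH:
        if a[key] != b[key]:
            issues.append(f"{key}: Site A has {a[key]!r}, Site B has {b[key]!r}")
    # Main mode is only valid when both endpoints have static external IP addresses.
    if (a["dynamic_ip"] or b["dynamic_ip"]) and a["mode"] == "Main":
        issues.append("mode: one endpoint has a dynamic IP address, so Aggressive mode is required")
    return issues

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["OK: settings match and follow the checklist"]:
        print(line)
```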

Configure Site A 

You now use Policy Manager to configure the gateway on the Site A Firebox. A gateway is a connection point for one or more tunnels. To configure a gateway, you must specify: 

  • Credential method (either pre-shared keys or an IPSec Firebox certificate) 
  • Location of local and remote gateway endpoints, either by IP address or domain information 
  • Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation  

Add a VPN Gateway  

  1. Select VPN > Branch Office Gateways.  
    The Gateways dialog box appears.  
  2. Click Add.  
    The New Gateway dialog box appears. 
  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.  
  4. In the Credential Method area, select Use Pre-Shared Key. Type the shared key. 
    The shared key must use only standard ASCII characters.  
  5. In the Gateway Endpoints section, click Add. 
    The New Gateway Endpoints Settings dialog box appears. 
  6. From the External Interface drop-down list, select the interface that has the external (public) IP of the Site A Firebox.  
  7. (Fireware v12.2 or higher) To specify an IP address, in the Interface IP Address drop-down list, select Primary Interface IP Address or select a secondary IP address that is already configured on the selected external interface. Tip! The Interface IP Address is the primary IP address you configured on the selected external interface.  
  8. Select By IP Address and type the primary IP address of the Firebox interface. 
    In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the By IP Address text box. 
  9. In the Remote Gateway section, select Static IP Address. 
  10. In the adjacent text box, type the external (public) IP address of the Site B Firebox. 
  11. Select By IP Address. 
  12. In the adjacent text box, type the external (public) IP address of the Site B Firebox. 
  13. Click OK. 

Configure the Phase 1 Settings  

Phase 1 of establishing an IPSec connection is where the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).  

  1. Select the Phase 1 Settings tab. 
  2. From the Mode drop-down list, select Main.  
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode. 
  3. Select NAT Traversal and Dead Peer Detection (RFC3706). These are the recommended settings for a BOVPN tunnel between two Fireboxes.  
  4. In the Transform Settings area, select the default transform and click Edit.  
  5. From the Authentication and Encryption drop-down lists, select your preferred algorithm. In our example, we use SHA256 and AES (256-bit).  
  6. In the SA Life text box, type 24 and select Hours.  
  7. From the Key Group drop-down list, select a Diffie-Hellman group. In our example, we select Diffie-Hellman Group 14.  
  8. Click OK. Leave all other Phase 1 settings with their default values. 
  9. Click OK.  
    The gateway you added appears in the Gateways list. 
  10. Click Close to close the Gateways dialog box. 

Add a VPN Tunnel  

After you define gateways, you can make tunnels between them. The process for making a tunnel includes: 

  • Specify routes (local and remote endpoints for the tunnel) 
  • Configure Phase 2 of the Internet Key Exchange (IKE) negotiation  

From Policy Manager: 

  1. Select VPN > Branch Office Tunnels. 
    The Branch Office IPSec Tunnels dialog box appears. 
  2. Click Add. 
    The New Tunnel dialog box appears. 
  3. In the Tunnel Name text box, type a name for the tunnel.  
  4. From the Gateway drop-down list, select the gateway you just created.  
  5. Select the Add this tunnel to the BOVPN-Allow policies check box at the bottom of the dialog box if you want to add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies. These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel. For more information, see Define Custom Tunnel Policies. 
  6. In the Addresses area, click Add.  
    The Tunnel Route Settings dialog box appears. 
  7. In the Local and Remote sections, configure one of these options to specify which devices behind the local Firebox can communicate through the tunnel.  
  • (Fireware v12.3.1 or lower) Type an IPv4 address in the text box. 
  • (Fireware v12.4 or higher) Type an IPv4 or IPv6 address in the text box.  
    The IP address you specify must be of the same address family (IPv4 or IPv6) as the gateway.  
  • Click the button adjacent to the Local drop-down list to specify a host IP address, network address, range of host IP addresses, or a host name.  
    For IPv6, if you select Host Name, your local computer must be able to resolve the host name to an IPv6 address. 
  • (Fireware v12.4 or higher) Select the Any IPv4 or Any IPv6 box to specify a zero route (0.0.0.0/0 or ::/0). 
  8. From the Direction drop-down list, click the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.  
  9. Click OK. 
    The tunnel route appears in the Addresses tab of the New Tunnel dialog. 

Configure the Phase 2 Settings  

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints. 

  1. From the New Tunnel dialog box, select the Phase 2 Settings tab. 
  2. Select the PFS check box to enable Perfect Forward Secrecy (PFS).  
  3. Select a Diffie-Hellman Group from the drop-down list. In our example, we select Diffie-Hellman Group 14.  
  4. The Firebox contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES 256-bit encryption, and SHA256 authentication. For this example, we use the default proposal. You can either:  
    • Use the default proposal.  
    • Remove the default proposal. Then select a different proposal in the drop-down list and click Add.  
    • Add an additional proposal, as described in Add a Phase 2 Proposal.  
  5. Click OK to return to the Branch Office IPSec Tunnel dialog box. 
    The tunnel you added appears on the Branch Office IPSec Tunnels list. 
  6. Click Close and save the changes to the Firebox. 

The Firebox at Site A is now configured.  

Configure Site B 

You now use Policy Manager to configure the gateway at Site B, which has a Firebox with Fireware 11.x or higher. 

Add a VPN Gateway  

  1. Select VPN > Branch Office Gateways.  
    The Gateways dialog box appears.  
  2. Click Add.  
    The New Gateway dialog box appears. 
  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.  
  4. Click the General Settings tab.  
  5. In the Credential Method area, select Use Pre-Shared Key. Type the shared key. 
    This shared key must use only standard ASCII characters.  
  6. In the Gateway Endpoints section, click Add. 
    The New Gateway Endpoints Settings dialog box appears. 
  7. In the External Interface drop-down list, select the interface that has the external (public) IP of the Site B Firebox.  
  8. (Fireware v12.2 or higher) To specify an IP address, in the Interface IP Address drop-down list, select Primary Interface IP Address or select a secondary IP address that is already configured on the selected external interface. Tip! The Interface IP Address is the primary IP address you configured on the selected external interface.  
  9. Select By IP Address and type the primary IP address of the Firebox interface. 
    In Fireware v12.4 or higher, you must specify an IP address type that matches the Address Family setting you configured earlier. For example, if you specified IPv6 Addresses, you must specify an IPv6 address in the By IP Address text box.  
  10. In the Remote Gateway section, select Static IP Address.  
  11. In the adjacent text box, type the external (public) IP address of the Site A Firebox.  
  12. Select By IP Address.  
  13. In the adjacent text box, type the external (public) IP address of the Site A Firebox.  
  14. Click OK. 
    The gateway pair you defined appears in the list of gateway endpoints. 

Configure the Phase 1 Settings  

Phase 1 of establishing an IPSec connection is where the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).  

  1. Select the Phase 1 Settings tab. 
  2. From the Mode drop-down list, select Main.  
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode. 
  3. Select NAT Traversal and Dead Peer Detection (RFC3706).  
  4. In the Transform Settings section, select the default transform and click Edit.  
  5. From the Authentication and Encryption drop-down lists, select SHA2-256 and AES (256-bit).  
  6. In the SA Life text box, type 24. In the drop-down list, select Hours.  
  7. In the Key Group drop-down list, select a Diffie-Hellman Group. In our example, we select Diffie-Hellman Group 14.  
  8. Click OK. Keep the default values for all other Phase 1 settings.  
  9. Click Close to close the Gateways dialog box. 
    The gateway you added appears on the Branch Office VPN page in the Gateways list. 

Add a VPN Tunnel  

After you define gateways, you can make tunnels between them. When you make a tunnel you must specify: 

  • Routes (local and remote endpoints for the tunnel) 
  • Settings for Phase 2 of the Internet Key Exchange (IKE) negotiation 

To add a VPN tunnel: 

  1. Select VPN > Branch Office Tunnels. 
    The Branch Office IPSec Tunnels dialog box appears. 
  2. Click Add. 
    The New Tunnel dialog box appears. 
  3. In the Tunnel Name text box, type a name for the tunnel.  
  4. From the Gateway drop-down list, select the gateway you created.  
  5. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, select the Add this tunnel to the BOVPN-Allow policies check box. These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel. 
  6. In the Addresses area, click Add.  
    The Tunnel Route Settings dialog box appears. 
  7. In the Local and Remote sections, configure one of these options to specify which devices behind the local Firebox can communicate through the tunnel.  
  • (Fireware v12.3.1 or lower) Type an IPv4 address in the text box. 
  • (Fireware v12.4 or higher) Type an IPv4 or IPv6 address in the text box.  
    The IP address you specify must be of the same address family (IPv4 or IPv6) as the gateway.  
  • Click the button adjacent to the Local drop-down list to specify a host IP address, network address, range of host IP addresses, or a host name.  
    For IPv6, if you select Host Name, your local computer must be able to resolve the host name to an IPv6 address. 
  • (Fireware v12.4 or higher) Select the Any IPv4 or Any IPv6 box to specify a zero route (0.0.0.0/0 or ::/0). 
  8. Click OK. 
    The tunnel route appears in the Addresses tab of the New Tunnel dialog. 

Configure the Phase 2 Settings  

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints. 

  1. From the New Tunnel dialog box, click the Phase 2 Settings tab. 
  2. Select the PFS check box to enable Perfect Forward Secrecy (PFS).  
  3. If you enable PFS, in the Enable Perfect Forward Secrecy drop-down list, select a Diffie-Hellman group. In our example, we select Diffie-Hellman Group 14. 
  4. The Firebox contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES 256-bit encryption, and SHA256 authentication. For this example, we use the default proposal. You can either:  
    • Use the default proposal.  
    • Remove the default proposal. Then select a different proposal in the drop-down list and click Add.  
    • Add an additional proposal, as described in Add a Phase 2 Proposal.  
  5. Click OK to return to the Branch Office IPSec Tunnel dialog box. 
    The tunnel you added appears on the Branch Office IPSec Tunnels list. 
  6. Click Close and save the changes to your Firebox.  

The Firebox at Site B is now configured. 

After both ends of the tunnel are configured, the tunnel opens and traffic passes through the tunnel. If the tunnel does not work, examine the log files on both Fireboxes for the time period you tried to start the tunnel. Log messages appear in the log file to indicate where the failure is located in the configuration and which settings might be part of the problem. You can also review the log messages in real-time with Firebox System Manager.  


© 2019 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries. All other tradenames are the property of their respective owners. 

From <https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_fireware-xtm_fireware-xtm_wsm.html>