Branch Office VPN Terminology
When you configure branch office VPNs, it is useful to understand these terms. Some of these terms have a specific meaning when you set up and monitor branch office VPNs on a WatchGuard Firebox.
Internet Key Exchange (IKE)
IKE is the protocol used for IPSec VPN negotiation. Fireware branch office VPNs supports IKEv1 and IKEv2. Both IKE versions use UDP ports 500 and 4500 for negotiation.
IKEv2, described in in RFC 7296, is supported in Fireware v11.11.2 and higher.
Security Association (SA)
An IKEv1 Security Association is defined in RFC 2408 as part of the ISAKMP (Internet Security Association and Key Management Protocol) standard. In a VPN, you can think of an SA as the context that includes all of the information, such as encryption, authentication, and integrity checks, required for two peers to communicate securely. Both peers must share and agree upon this information. SA is a general term that can apply to different protocols, and the SA structure is different for different VPN protocols. SAs are uni-directional.
For an IKEv1 IPSec VPN tunnel, there are two types of SAs:
Phase 1 SA
Negotiated based on the Phase 1 settings, the Phase 1 SA creates a secure channel for Phase 2 negotiations. In Fireware XTM, you configure Phase 1 settings when you configure the branch office VPN gateway.
Phase 2 SA
Negotiated based on the Phase 2 settings, the Phase 2 SA defines what traffic can be sent over the VPN, and how to encrypt and authenticate that traffic. In Fireware XTM, you configure Phase 2 settings when you configure the branch office VPN tunnel.
For a Firebox, a branch office VPN gateway defines the settings for a connection between one or more pairs of VPN gateway endpoints. Each gateway endpoint pair consists of a local gateway and a remote gateway. When you configure a gateway endpoint pair, you specify the addresses of the two gateway endpoints, and the Phase I settings the two gateway endpoints use to exchange keys or negotiate an encryption methodology to use. If one or both sites has multi-WAN, the branch office VPN gateway can have multiple gateway endpoint pairs, and the gateway endpoint pairs can fail over to one another.
You can configure multiple tunnels to use the same gateway. The gateway creates a secure connection for the VPN tunnels that use it.
For a Firebox, a branch office VPN tunnel defines the Phase 2 configuration settings, and includes one or more tunnel routes to define who can exchange traffic through the tunnel.
For a Firebox, the tunnel route defines which hosts or networks can send and receive traffic through the tunnel. When you add a tunnel route, you specify a pair of local and remote IP addresses of devices at each end of the tunnel. Each IP address in a tunnel route can be for a host or network. You can add multiple tunnel routes to the same tunnel. Each tunnel route has a pair of associated SAs, one inbound and one outbound.
In Firebox System Manager, each active tunnel route appears as a separate tunnel. This allows you to easily monitor the status of each tunnel route. In the feature key, the number of Branch Office VPN tunnels refers to the maximum number of active branch office VPN tunnel routes.
For more information about the feature key and maximum tunnel routes, see VPN Tunnel Capacity and Licensing.