Contents

Related Topics

Set up a VPN Between Two Fireware v11.x Devices (Web UI)

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to use Fireware Web UI to define a manual BOVPN tunnel between two Fireboxes that use Fireware v11.x.

For the same example as configured in Policy Manager, see Set up a VPN Between Two Fireware v11.x Devices (WSM).

This topic does not give detailed information about the different settings in the BOVPN dialog boxes or how they affect an existing tunnel. If you want to know more about a particular setting, see:

Collect IP Address and Tunnel Settings

To create a manual BOVPN tunnel, you must first collect the IP addresses and determine the settings for the endpoints. You might find it helpful to print out this document, write down or indicate the values you want to use, and refer to them when you configure the settings in Policy Manager.

For this topic, both endpoints must have static external IP addresses.

For information on BOVPN tunnels to devices with a dynamic external IP address, see Define Gateway Endpoints for a BOVPN Gateway.

If you are the administrator of only one of the two devices, you can give the table to the other administrator to make sure he or she uses exactly the same values for the Phase 1 and Phase 2 settings.

Make sure that you configure the VPN endpoints correctly and that the Phase 1 and Phase 2 settings are the same on both devices. Tunnels do not build if the settings do not match.

If a setting does not appear in this list, do not change the default value.

BOVPN Tunnel Settings

SITE A (Firebox with Fireware Fireware v11.x)

Public IP address: ______________________________

Private IP address: _____________________________

SITE B (Firebox with Fireware Fireware v11.x)

Public IP address: ______________________________

Private IP address: _____________________________

PHASE 1 Settings (Both Sides Must Use Exactly the Same Values)

For a BOVPN tunnel between two Fireboxes that use Fireware, we recommend that you select Dead Peer Detection (RFC3706), not IKE Keep-Alive. Do not select both. You should always select Dead Peer Detection if both endpoint devices support it.

Credential method: Select Use Pre-Shared Key.

Pre-shared key: ______________________________

IKE Version: IKEv1 ____ IKEv2 ____ (requires Fireware v11.11.2 or higher)

Mode (choose one): Main ____ Aggressive ____

NAT Traversal: Yes ____ No ____

NAT Traversal Keep-alive interval: ________________

IKE Keep-alive: Yes ____ No ____

IKE Keep-alive Message interval: ________________

IKE Keep-alive Max failures: ________________

Dead Peer Detection (RFC3706): Yes ____ No ____

Dead Peer Detection Traffic idle timeout: ________________

Dead Peer Detection Max retries: ________________

Authentication algorithm (choose one): MD5___SHA1____ SHA2-256____SHA2-384____SHA2-512_____ (WatchGuard recommends SHA-1 or SHA-2)

Encryption algorithm (choose one): DES____ 3DES____ AES-128____ AES-192____ AES-256____ (WatchGuard recommends AES-128, AES-192, or AES-256)

SA Life ________________

Select Hours as the unit for SA life.

Diffie-Hellman Group (choose one): 1____ 2____ 5____14____15____19____20____

PHASE 2 Settings (Both Sides Must Use Exactly the Same Values)

Perfect Forward Secrecy (Diffie-Hellman Group): Disable____ Group1____ Group2____ Group5____ Group14____ Group15____ Group19____ Group20____

Authentication algorithm (choose one): MD5____ SHA1____ (WatchGuard recommends SHA-1)

Encryption algorithm (choose one): DES____ 3DES____AES____ (WatchGuard recommends AES. The encryption strength for this AES setting is 256-bit.)

Force Key Expiration Time (Hours): ________________

Force Key Expiration Traffic (kilobytes): ________________

Example Tunnel Settings

This section has the same fields as the previous section, and includes example settings. These settings correspond to the settings that appear in the images in this example.

SITE A (Firebox with Fireware v11.x)

Public IP address: 203.0.113.2

Private network IP address: 10.0.1.0/24

SITE B (Firebox with Fireware v11.x)

Public IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24

PHASE 1 Settings (Both sides must use exactly the same values)

Credential method: Select Use Pre-Shared Key.

Pre-shared key: SiteA2SiteB

Version: IKEv1

Mode: Main

NAT Traversal: Enable

NAT Traversal Keep-alive interval: 20 seconds

IKE Keep-alive: Disable

IKE Keep-alive Message interval: none

IKE Keep-alive Max failures: none

Dead Peer Detection (RFC3706): Enable

Dead Peer Detection Traffic idle timeout: 20 seconds

Dead Peer Detection Max retries: 5

Authentication algorithm: SHA1

Encryption algorithm: AES (128-bit)

SA Life: 8 hours

Diffie-Hellman Group: 2

PHASE 2 Settings (Both sides must use exactly the same values)

Perfect Forward Secrecy (Diffie-Hellman Group): Disable

Type: ESP

Authentication algorithm: SHA1

Encryption algorithm: AES (The encryption strength for this AES setting is 256-bit.)

If you use WSM v11.x, the example Phase 1 and Phase 2 settings match the default settings. They also match the default settings for WSM v10.2.2 and higher, and Edge v10.2.2 and higher.

Configure Site A, Fireware v11.x

You now configure the gateway at Site A that has a Firebox with Fireware v11.x. A gateway is a connection point for one or more tunnels. To configure a gateway, you specify:

  • Credential method (either pre-shared keys or an IPSec Firebox certificate)
  • Location of local and remote gateway endpoints, either by IP address or domain information
  • Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation

This example uses the values specified in the previous section.

To add a VPN Gateway:

  1. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears, with the Gateways list at the top.
  2. In the Gateways section, click Add.
    The Gateway Settings page appears.

Screen shot of the Gateway settings page

  1. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  2. In the Credential Method section, select Use Pre-Shared Key. Type the shared key.
    The shared key must use only standard ASCII characters.
  3. In the Gateway Endpoint section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box for gateway to Site B

  1. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Site A Firebox.
  2. Select By IP Address.
  3. In the By IP Address text box, type the external (public) IP address for the Site A Firebox.
  4. In the Remote Gateway tab, select Static IP Address.
  5. In the Static IP Address text box, type the external (public) IP address of the Site B Firebox.
  6. To specify the Gateway ID, select By IP Address.
  7. In the By IP Address text box, type the external (public) IP address of the Site B Firebox.
  8. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined appears in the Gateway Endpoints list.

Screen shot of the Gateway General Settings tab with Endpoints

Configure the Phase 1 Settings

In Phase 1 of the IPSec connection, the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).

  1. Select the Phase 1 Settings tab.

Screen shot of the Phase 1 Settings tab

  1. From the Version drop-down list, select IKEv1.
  2. From the Mode drop-down list, select Main.
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode.
  3. Select NAT Traversal and Dead Peer Detection (RFC3706). These are the recommended settings for a BOVPN tunnel between a Firebox that uses Fireware v11.x and a Firebox that uses Fireware v10.2.2 or higher.
  4. In the Transform Settings section, select the default transform and click Edit.

Screen shot of the Transform Settings dialog box

  1. From the Authentication and Encryption drop-down lists, select your preferred algorithms. In our example, we select SHA-1 and AES (128-bit).
  2. In the SA Life text box, type 8. In the drop-down list, select Hours.
  3. In the Key Group drop-down list, select a Diffie-Helman Group. In our example, we select Diffie-Hellman Group 2.
  4. Click OK. Keep the default values for all other Phase 1 settings.
  5. Click Save to close the Gateway page.
    The gateway you added appears on the Branch Office VPN page in the Gateways list.

Add a VPN Tunnel

After you define gateways, you can make tunnels between them. When you make a tunnel you must specify:

  • Routes (local and remote endpoints for the tunnel)
  • Settings for Phase 2 of the Internet Key Exchange (IKE) negotiation

To add a VPN tunnel:

  1. From the Tunnels section, click Add.
    The Tunnel configuration page appears.

Screen shot of the Tunnel settings page

  1. In the Name text box, type a name for the tunnel.
  2. In the Gateway drop-down list, select the gateway you created.
  3. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, on the Addresses tab, select the Add this tunnel to the BOVPN-Allow policies check box.
    These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel. 
  4. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  1. In the Local IP section, from the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  2. In the Network IP text box, type the local (private) network address.
    This is the Site A private network IP address.
  3. In the Remote IP section, in the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  4. In the Network IP text box, type the remote (private) network address.
    This is the Site B private network address.
  5. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  6. Click OK.
    The tunnel route appears on the Tunnel settings page in the Addresses section.

Screen shot of the Tunnel settings page with addresses

Configure the Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what to do with the traffic between the endpoints.

  1. On the Tunnel settings page, select the Phase 2 Settings tab.

Screen shot of the Phase 2 settings tab

  1. To enable Perfect Forward Secrecy (PFS), select the Enable Perfect Forward Secrecy check box.
  2. If you enable PFS, in the Enable Perfect Forward Secrecy drop-down list, select a Diffie-Hellman group. In our example, we select Diffie-Hellman Group 2.
  3. The Firebox contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA1 authentication. For this example, we use the default proposal. You can either:
  • Use the default proposal.
  • Remove the default proposal. Then select a different proposal in the drop-down list and click Add.
  • Add an additional proposal, as described in Add a Phase 2 Proposal.
  1. Click Save.
    The Tunnel you created appears on the BOVPN page in the Tunnels list.

The Firebox at Site A is now configured.

Configure Site B, Fireware v11.x

You now configure the gateway at Site B that has an Firebox with Fireware v11.x.

To add a VPN Gateway:

  1. Select VPN > Branch Office VPN.
    The BOVPN configuration page appears, with the Gateways list at the top.
  1. To add a gateway, click Add.
    The Gateway settings page appears.
  2. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  3. Select the General Settings tab.
  4. In the Credential Method section, select Use Pre-Shared Key. Type the shared key.
    The shared key must use only standard ASCII characters.
  5. In the Gateway Endpoint section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box

  1. From the External Interface drop-down list, select the interface that has the external (public) IP of the Site A Firebox.
  2. Select By IP Address.
  3. In the By IP Address text box, type the external (public) IP address for the Site A Firebox.
  4. In the Remote Gateway tab, select Static IP Address.
  5. In the Static IP Address text box, type the external (public) IP address of the Site B Firebox.
  6. To specify the gateway ID, select By IP Address.
  7. In the By IP Address text box, type the external (public) IP address of the Site B Firebox.
  8. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined appears in the list of gateway endpoints.

Screen shot of the Gatweay General Settings with gateway endpoints defined

Configure the Phase 1 Settings

In Phase 1 of the IPSec connection, the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).

  1. Select the Phase 1 Settings tab.

Screen shot of the Gateway Phase 1 Settings tab

  1. From the Mode drop-down list, click Main.
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode.
  2. Select NAT Traversal and Dead Peer Detection (RFC3706).
  3. In the Transform Settings section, select the default transform and click Edit.
    The Transform Settings dialog box appears.

Screen shot of the Transform Settings dialog box

  1. From the Authentication and Encryption drop-down lists, select your preferred algorithms. In our example, we select SHA-1 and AES (128-bit).
  2. In the SA Life text box, type 8 and select hours.
  3. In the Key Group drop-down list, select a Diffie-Helman Group. In our example, we select Diffie-Hellman Group 2 .
  4. Click OK. Keep the default values for all other Phase 1 settings.
  5. Click Save to close the Gateway page.
    The gateway you added appears in the Gateways list on the BOVPN page.

Add a VPN Tunnel

  1. In the Addresses section, click Add.
    The Tunnel configuration page appears.

Screen shot of the Tunnel Settings for Site B

  1. In the Name text box, type a name for the tunnel.
  2. From the Gateway drop-down list, select the gateway you just created.
  3. Select the Addresses tab.
  4. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, select the Add this tunnel to the BOVPN-Allow policies check box.
    These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel.
  5. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  1. In the Local IP section, in the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  2. In the Network IP text box, type the local (private) network address.
    This is the Site B private network IP address.
  3. In the Remote IP section, in the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  4. In the Network IP text box, type the remote (private) network address.
    This is the Site A private network address.
  5. From the Direction drop-down list, select bi-directional. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  6. Click OK.
    The tunnel route appears in the Addresses section of the Tunnel settings page.

Screen shot of the Tunnel settings page

Configure the Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints.

  1. On the Tunnel settings page, select the Phase 2 Settings tab.

Screen shot of the Tunnel Phase 2 Settings

  1. To enable Perfect Forward Secrecy (PFS), select the PFS check box.
  2. If you enable PFS, from the PFS drop-down list, select a Diffie-Hellman group. In our example, we select Diffie-Hellman Group 2.
  3. The Firebox has one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA1 authentication. For this example, we use the default proposal. You can either:
    • Click Add to add the default proposal.
    • Remove the default proposal. Then select a different proposal in the drop-down list and click Add.
    • Add an additional proposal, as explained in Add a Phase 2 Proposal.
  4. Click Save.
    The tunnel you created appears on the BOVPN page in the Tunnels list.

The Firebox at Site B is now configured.

After both ends of the tunnel are configured, the tunnel opens and traffic passes through the tunnel. If the tunnel does not work, examine the log files on both Fireboxes for the time period you tried to start the tunnel. Log messages appear in the log file to indicate where the failure is located in the configuration and which settings might be part of the problem. You can also review the log messages in real-time with Firebox System Manager.

Give Us Feedback     Get Support     All Product Documentation     Technical Search