Configure BOVPN over TLS in Client Mode

BOVPN over TLS uses a client-server model for VPN tunnel communication. You must configure at least one Firebox as a TLS Client, and at least one Firebox as a TLS Server.

By default, the BOVPN over TLS server assigns addresses in the 192.168.113.0/24 pool to BOVPN over TLS clients. Mobile VPN with SSL also uses the 192.168.113.0/24 pool by default. If BOVPN over TLS in Client mode and Mobile VPN with SSL are enabled on the same Firebox, you must specify a different address pool for one of these features. If both features use the same IP address pool, BOVPN over TLS traffic is not sent through the tunnel properly.

In Fireware v12.1, you must use the Web UI to configure BOVPN over TLS.

To configure a Firebox in Client mode, from Fireware Web UI:

  1. Select VPN > BOVPN over TLS.

Screen shot of BOVPN over TLS Enable page

  2. Click Enable.
    The BOVPN over TLS Mode dialog box appears.

Screen shot of the BOVPN over TLS Mode dialog box

  3. From the Firebox Mode drop-down list, select Client.

Screen shot of the Client mode configuration page

  4. Click Add.
    The Add Server page appears.

Screen shot of the Add Server page

  5. In the Tunnel Name text box, type a name for the tunnel.
  6. In the Description text box, type a description of the tunnel.
  7. Keep the Enabled check box selected to enable this tunnel.
  8. In the Primary Server text box, type the IP address or domain name of the TLS server.
    The TLS server is a remote Firebox configured in TLS Server mode.
  9. (Optional) In the Backup Server text box, type the IP address or domain name of a backup TLS server.
  10. In the Tunnel ID text box, type an identifier for the tunnel. You must specify the same Tunnel ID on the TLS server.
  11. In the Pre-Shared Key text box, type the pre-shared key.
    The pre-shared key must be between 8 and 23 characters in length.

Screen shot of an example TLS BOVPN tunnel configuration

  12. (Optional) To change the default communication settings, click Edit.
    The Advanced Settings dialog box appears.

Screen shot of the Advanced Settings

  13. From the Authentication drop-down list, select SHA-1, SHA-256, or SHA-512.
  14. From the Encryption drop-down list, select 3DES, AES (128-bit), AES (192-bit), or AES (256-bit).
  15. From the Data channel drop-down list, select TCP or UDP.
  16. If you selected UDP, specify a port number in the adjacent text box.
  17. In the Keep-Alive Interval text box, type an interval in seconds.
  18. In the Keep-Alive Timeout text box, type an interval in seconds.
  19. In the Renegotiate Data Channel text box, type an interval in hours.
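The following script is an added example, not WatchGuard code and not something Fireware exposes: it checks a planned Client-mode tunnel definition against the constraints stated on this page before you type the values into the Web UI. It enforces the 8 to 23 character pre-shared key length, the allowed Authentication, Encryption and Data channel choices, the UDP port requirement, and the address-pool rule from the introduction (the default 192.168.113.0/24 pool must not be shared with Mobile VPN with SSL). The dictionary keys (`name`, `tunnel_id`, `primary_server`, `psk`, and so on), the sample tunnel values, and the warning for SHA-1 and 3DES are this example's own conventions and policy, not part of the product documentation.

```python
import ipaddress
import re

# Constraints taken from the page. Both pool defaults are the ones the page states.
DEFAULT_BOVPN_TLS_POOL = "192.168.113.0/24"
DEFAULT_MOBILE_SSL_POOL = "192.168.113.0/24"
PSK_MIN_LEN, PSK_MAX_LEN = 8, 23
AUTH_CHOICES = {"SHA-1", "SHA-256", "SHA-512"}
ENC_CHOICES = {"3DES", "AES (128-bit)", "AES (192-bit)", "AES (256-bit)"}
DATA_CHANNELS = {"TCP", "UDP"}
# Policy of this example only (not from the page): flag legacy algorithms.
LEGACY_CHOICES = {"SHA-1", "3DES"}

# Syntactic check for a DNS name: labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_ip_or_hostname(value: str) -> bool:
    """Accept an IP address literal or a syntactically valid domain name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def pools_overlap(pool_a: str, pool_b: str) -> bool:
    """True if the two CIDR pools share at least one address."""
    a = ipaddress.ip_network(pool_a, strict=False)
    b = ipaddress.ip_network(pool_b, strict=False)
    return a.overlaps(b)


def check_client_tunnel(tunnel: dict, mobile_ssl_enabled: bool,
                        bovpn_tls_pool: str = DEFAULT_BOVPN_TLS_POOL,
                        mobile_ssl_pool: str = DEFAULT_MOBILE_SSL_POOL) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a planned Client-mode tunnel."""
    errors, warnings = [], []

    if not tunnel.get("name"):
        errors.append("Tunnel Name is required")
    if not tunnel.get("tunnel_id"):
        errors.append("Tunnel ID is required and must match the Tunnel ID on the TLS server")

    # Primary Server is mandatory; Backup Server is optional but must be well formed.
    primary = tunnel.get("primary_server")
    if not primary:
        errors.append("Primary Server is required")
    elif not is_ip_or_hostname(primary):
        errors.append(f"Primary Server is not an IP address or domain name: {primary!r}")
    backup = tunnel.get("backup_server")
    if backup and not is_ip_or_hostname(backup):
        errors.append(f"Backup Server is not an IP address or domain name: {backup!r}")

    psk = tunnel.get("psk", "")
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        errors.append(f"Pre-Shared Key must be {PSK_MIN_LEN}-{PSK_MAX_LEN} characters, got {len(psk)}")

    # Advanced settings are optional; validate them only when supplied.
    auth = tunnel.get("auth")
    if auth is not None and auth not in AUTH_CHOICES:
        errors.append(f"Authentication must be one of {sorted(AUTH_CHOICES)}")
    enc = tunnel.get("encryption")
    if enc is not None and enc not in ENC_CHOICES:
        errors.append(f"Encryption must be one of {sorted(ENC_CHOICES)}")
    for alg in (auth, enc):
        if alg in LEGACY_CHOICES:
            warnings.append(f"{alg} is a legacy algorithm; prefer SHA-256/SHA-512 and AES")

    channel = tunnel.get("data_channel")
    if channel is not None and channel not in DATA_CHANNELS:
        errors.append("Data channel must be TCP or UDP")
    if channel == "UDP":
        port = tunnel.get("udp_port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append("UDP data channel requires a port number in 1-65535")

    for field, unit in (("keepalive_interval", "seconds"), ("keepalive_timeout", "seconds"),
                        ("renegotiate_hours", "hours")):
        value = tunnel.get(field)
        if value is not None and (not isinstance(value, int) or value <= 0):
            errors.append(f"{field} must be a positive number of {unit}")

    # The page's address-pool rule: shared pools break BOVPN over TLS routing.
    if mobile_ssl_enabled and pools_overlap(bovpn_tls_pool, mobile_ssl_pool):
        errors.append(f"BOVPN over TLS pool {bovpn_tls_pool} overlaps the Mobile VPN with SSL "
                      f"pool {mobile_ssl_pool}; assign a different pool to one of the features")

    return {"errors": errors, "warnings": warnings}


# Constructed sample tunnel (addresses are documentation ranges, not real hosts).
SAMPLE_TUNNEL = {
    "name": "branch-to-hq", "tunnel_id": "branch-a-hq", "psk": "correct-horse-12",
    "primary_server": "203.0.113.10", "backup_server": "vpn-backup.example.com",
    "auth": "SHA-256", "encryption": "AES (256-bit)", "data_channel": "UDP", "udp_port": 443,
    "keepalive_interval": 10, "keepalive_timeout": 60, "renegotiate_hours": 8,
}

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"Mobile VPN with SSL enabled={enabled}:",
              check_client_tunnel(SAMPLE_TUNNEL, mobile_ssl_enabled=enabled))
```

Run with the Mobile VPN with SSL flag set to see the pool conflict reported; passing a different `mobile_ssl_pool` clears it, which mirrors the fix the introduction prescribes.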

The Import a configuration file option is for internal testing purposes and is not supported.

See Also

About Branch Office VPN over TLS

Configure BOVPN over TLS in Server Mode
