
About Managed Branch Office VPN Tunnels

A VPN (Virtual Private Network) creates secure connections between computers or networks in different locations. Each connection is known as a tunnel. When a VPN tunnel is created, the two tunnel endpoints authenticate with each other. Data in the tunnel is encrypted. Only the sender and the recipient of the traffic can read it.

Branch Office Virtual Private Networks (BOVPN) enable organizations to deliver secure, encrypted connectivity between geographically separated offices. The networks and hosts on a BOVPN tunnel can be corporate headquarters, branch offices, remote users, or telecommuters. These communications often contain the types of critical data exchanged inside a corporate firewall. In this scenario, a BOVPN provides confidential connections between these offices. This streamlines communication, reduces the cost of dedicated lines, and maintains security at each endpoint.

With WatchGuard System Manager, you can quickly and easily configure IPSec tunnels that use authentication and encryption, and see how these tunnels interact with other tunnels and security policies. These tunnels are called managed BOVPN tunnels. Another type of tunnel is a manual BOVPN tunnel, which you define in dialog boxes. For information on this type of tunnel, see About Manual Branch Office VPN Tunnels.

How to Create a Managed BOVPN Tunnel

You can quickly create a managed tunnel between devices with a drag-and-drop procedure and a simple wizard, as described in Make Managed Tunnels Between Devices.

However, you must make sure you have performed these procedures before you create managed tunnels:

  1. Add the Firebox or XTM devices that will be the tunnel endpoints to the Management Server, as described in Add Managed Devices to the Management Server.
  2. If you want to use a certificate for VPN authentication, you must first import the certificate. For more information on this, see See and Manage Firebox or XTM Device Certificates.

The certificate must be recognized as an "IPSec"-type certificate by Firebox System Manager. To verify this, start Firebox System Manager, select View > Certificates, and make sure the Type column in the Certificates dialog box that appears says "IPSec" or "IPSec/Web". If you do not have a third-party or self-signed certificate, you must use the certificate authority on a Management Server.

For more information, see Configure the Certificate Authority on the Management Server.

Tunnel Options

You can use several options to customize managed VPN tunnels:

VPN Failover

VPN Failover, described in Configure VPN Failover, is supported with managed BOVPN tunnels. If you have multi-WAN configured and you create managed tunnels, WSM automatically sets up gateway pairs that include the external interfaces of both ends of your tunnel. No other configuration is necessary.

Global VPN Settings

Global VPN settings on your Firebox or XTM device apply to all manual BOVPN tunnels, managed tunnels, and Mobile VPN tunnels. You can use these settings to:

To change these settings, from Policy Manager, select VPN > VPN Settings. For more information on these settings, see About Global VPN Settings.

BOVPN Tunnel Status

You can use Firebox System Manager to see the current status of BOVPN tunnels. This information also appears on the Device Status tab of WatchGuard System Manager. For more information, see VPN Tunnel Status and Subscription Services.

Rekey BOVPN Tunnels

You can use Firebox System Manager to immediately generate new keys for BOVPN tunnels instead of waiting for them to expire. For more information, see Rekey BOVPN Tunnels.
