A VPN (Virtual Private Network) creates secure connections between computers or networks in different locations. Each connection is known as a tunnel. When a VPN tunnel is created, the two tunnel endpoints authenticate with each other. Data in the tunnel is encrypted. Only the sender and the recipient of the traffic can read it.
Branch Office Virtual Private Networks (BOVPN) enable organizations to deliver secure, encrypted connectivity between geographically separated offices. The networks and hosts on a BOVPN tunnel can be corporate headquarters, branch offices, remote users, or telecommuters. These communications often contain the types of critical data exchanged inside a corporate firewall. In this scenario, a BOVPN provides confidential connections between these offices. This streamlines communication, reduces the cost of dedicated lines, and maintains security at each endpoint.
Manual BOVPN tunnels provide many additional tunnel options. Another type of tunnel is a managed BOVPN tunnel, which is a BOVPN tunnel that you create with a drag-and-drop procedure, a wizard, and the use of templates. For information on this type of tunnel, see About Managed Branch Office VPN Tunnels.
In addition to the VPN requirements, you must have this information to create a manual VPN tunnel:
For more information, see What You Need to Create a Manual BOVPN.
We recommend that you write down your Firebox or XTM device configuration and the related information for the other device. See the Sample VPN Address Information Table to record this information.
The basic procedure to create a manual tunnel includes these steps:
Other options you can use for BOVPN tunnels are described in the subsequent sections.
The Firebox or XTM device automatically adds new VPN tunnels to the BOVPN-Allow.in and BOVPN-Allow.out policies. This allows all traffic to use the tunnel. You can choose to not use these policies and instead create custom VPN policies to allow only traffic of specific types through the tunnel. For more information, see Define a Custom Tunnel Policy.
If you want to keep the VPN tunnel open in one direction only, see Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel. This can be helpful when you make a tunnel to a remote site where all VPN traffic comes from one public IP address.
VPN tunnels automatically fail over to the backup WAN interface during a WAN failover. You can configure BOVPN tunnels to fail over to a backup peer endpoint if the primary endpoint becomes unavailable. To do this, you must define at least one backup endpoint, as described in Configure VPN Failover.
Global VPN settings on your Firebox or XTM device apply to all manual BOVPN tunnels, managed tunnels, and Mobile VPN tunnels. You can use these settings to:
You can use Firebox System Manager to see the current status of BOVPN tunnels. This information also appears on the Device Status tab of WatchGuard System Manager. For more information, see VPN Tunnel Status and Subscription Services.
You can use Firebox System Manager to immediately generate new keys for BOVPN tunnels instead of waiting for them to expire. For more information, see Rekey BOVPN Tunnels.