Cisco ISR and WatchGuard Firebox BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a BOVPN virtual interface connection between a WatchGuard Firebox and a Cisco Integrated Services Router (ISR).

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.7.2 or higher
  • Cisco ISR C921-4P
    • Version 15.9.3M2

Topology

This diagram shows the topology for a BOVPN virtual interface connection between a Firebox and a Cisco ISR.

Topology diagram

Configure the Firebox

To configure a BOVPN virtual interface, from Fireware Web UI:

  1. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  2. Click Add.
  3. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  4. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  5. On the Gateway Settings tab, select Use Pre-Shared Key.
  6. In the adjacent text box, type the pre-shared key.
  7. In the adjacent drop-down list, select String-Based.
  8. Enable Start Phase 1 tunnel when it is inactive.

Screen shot of the Gateway Settings

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screen shot of the Local Gateway settings

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of your Cisco ISR WAN connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address of your Cisco ISR WAN connection.
  6. Keep the default settings for all other options.

Screen shot of the Remote Gateway settings

  1. Click OK.

Screen shot of the Gateway Settings

Next, configure the VPN Route settings.

  1. Select the VPN Routes tab.
  2. Click Add.
  3. From the Choose Type drop-down list, select Network IPv4.
  4. In the Route To text box, type the Network IP address of a route that will use this virtual interface.

Screen shot of the VPN Route settings

  1. Click OK.

Screen shot of the VPN Routes settings

Next, configure the Phase 1 and Phase 2 settings:

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as default values.

Screen shot of the Phase 1 settings

  1. Keep the default values for Phase 2 settings.

Screen shot of the Phase 2 settings

  1. Click Save.

For more information about BOVPN virtual interfaces on the Firebox, see BOVPN Virtual Interfaces.

Configure the Cisco ISR

To configure the Cisco ISR, from the Cisco CLI:

  1. Create an IKEv2 proposal to establish Phase 1 of the VPN tunnel:

    Router>enable
    Router#config t
    Router(config)#crypto ikev2 proposal wg-proposal

    The IKEv2 proposal must be one of these two options:

  • Option 1 — Encryption algorithm other than AES-GCM, an integrity algorithm, and a Diffie-Hellman group. In our example, we use AES-CBC-256, SHA256, and Diffie-Hellman group 14.
  • Option 2 — AES-GCM encryption algorithm, a PRF algorithm, and a Diffie-Hellman group.

    Router(config-ikev2-proposal)#encryption aes-cbc-256
    Router(config-ikev2-proposal)#integrity sha256
    Router(config-ikev2-proposal)#group 14
    Router(config-ikev2-proposal)#exit

  2. Add the proposal that you created to an IKEv2 policy:

    Router(config)#crypto ikev2 policy wg-policy

    The IKEv2 policy must have at least one complete proposal attached.

    Router(config-ikev2-policy)#proposal wg-proposal
    Router(config-ikev2-policy)#exit

  3. Create a keyring and specify the VPN pre-shared key:

    Router(config)#crypto ikev2 keyring wg-key
    Router(config-ikev2-keyring)#peer WG
    Router(config-ikev2-keyring-peer)#address 203.0.113.2
    Router(config-ikev2-keyring-peer)#pre-shared-key 11111111

    You must specify the same pre-shared key that you specified in the BOVPN configuration on the Firebox.

    Router(config-ikev2-keyring-peer)#exit
    Router(config-ikev2-keyring)#exit

  4. Associate the Phase 1 settings with a Phase 1 (IKEv2) profile:

    Router(config)#crypto ikev2 profile profile-ph1-wg

    An IKEv2 profile must have:

  • A local and a remote authentication method
  • A match identity, match certificate, or match any statement

    Router(config-ikev2-profile)#match identity remote address 203.0.113.2 255.255.255.255
    Router(config-ikev2-profile)#authentication remote pre-share
    Router(config-ikev2-profile)#authentication local pre-share
    Router(config-ikev2-profile)#keyring local wg-key
    Router(config-ikev2-profile)#match address local interface GigabitEthernet0/0
    Router(config-ikev2-profile)#exit

  5. Create a transform set for Phase 2 (IPsec):

    Router(config)#crypto ipsec transform-set wg-set esp-aes 256 esp-sha256-hmac
    Router(cfg-crypto-trans)#mode tunnel
    Router(cfg-crypto-trans)#exit

  6. Associate the Phase 2 settings with a Phase 2 (IPsec) profile and link it to the Phase 1 profile:

    Router(config)#crypto ipsec profile profile-ph2-wg
    Router(ipsec-profile)#set transform-set wg-set
    Router(ipsec-profile)#set ikev2-profile profile-ph1-wg
    Router(ipsec-profile)#exit

  7. Create the tunnel interface:

    Router(config)#int tunnel 1
    Router(config-if)#ip address 169.254.0.1 255.255.255.0
    Router(config-if)#ip tcp adjust-mss 1350
    Router(config-if)#tunnel source GigabitEthernet0/0
    Router(config-if)#tunnel mode ipsec ipv4
    Router(config-if)#tunnel destination 203.0.113.2
    Router(config-if)#tunnel protection ipsec profile profile-ph2-wg
    Router(config-if)#exit

  8. Add the VPN tunnel route:

    Router(config)#ip route 192.168.13.0 255.255.255.0 tunnel 1
    Router(config)#exit

For more information about Cisco ISR VPN configuration and supported IKE ciphers, see the Cisco ISR 1921 Configuration Guides.
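The rules above (the two proposal options, the required IKEv2 profile statements, and the same Firebox address in the keyring peer, the profile match statement and the tunnel destination) are easy to get wrong by hand. The following added example, which is not part of this guide or of either vendor's tooling, parses an IOS-style configuration and reports any of those mismatches; the sample configuration is constructed from the commands in this guide and the function names are assumed.

```python
import re
# Constructed sample: the Phase 1 and tunnel parts of the ISR configuration in this guide,
# laid out the way "show running-config" prints them (the indentation is assumed).
SAMPLE_CONFIG = """\
crypto ikev2 proposal wg-proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 keyring wg-key
 peer WG
  address 203.0.113.2
crypto ikev2 profile profile-ph1-wg
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local wg-key
interface Tunnel1
 tunnel destination 203.0.113.2
"""
def parse_blocks(text):
    """Map each top-level IOS line to its indented sub-lines (deeper nesting is flattened)."""
    blocks, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0] != " ":
            cur = blocks.setdefault(line.strip(), [])
        else:
            cur.append(line.strip())
    return blocks

def check_config(text):
    """Return the consistency problems found; an empty list means the config is sound."""
    blocks = parse_blocks(text)
    sub = lambda prefix: next((v for k, v in blocks.items() if k.startswith(prefix)), [])
    has = lambda lines, *kws: any(l.startswith(kws) for l in lines)
    # Proposal rule from the guide: non-GCM needs integrity, AES-GCM needs a PRF, both need a group.
    prop = sub("crypto ikev2 proposal")
    gcm = any("gcm" in l for l in prop if l.startswith("encryption"))
    need = ("encryption", "prf" if gcm else "integrity", "group")
    problems = [f"proposal: missing '{kw}'" for kw in need if not has(prop, kw)]
    # Profile rule from the guide: both authentication directions plus a match statement.
    prof = sub("crypto ikev2 profile")
    for kws in (("authentication local",), ("authentication remote",),
                ("match identity", "match certificate", "match any")):
        if not has(prof, *kws): problems.append("profile: missing " + " or ".join(kws))
    # The Firebox address must agree across the keyring peer, the profile and the tunnel.
    addrs = {re.search(r"(?:address|destination) (\S+)", l).group(1)
             for l in sub("crypto ikev2 keyring") + prof + sub("interface Tunnel")
             if l.startswith(("address ", "match identity remote address ", "tunnel destination "))}
    if len(addrs) != 1: problems.append(f"peer address mismatch: {sorted(addrs)}")
    return problems
```

Run it against the output of `show running-config` on the ISR after the steps above; the guide's own configuration produces an empty list.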

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab and verify the VPN is established.

Screen shot of the VPN Statistics page

  1. Verify that Host1 (behind the Firebox) and Host2 (behind the Cisco ISR) can ping each other.