About Manual IPSec Branch Office VPNs
A virtual private network (VPN) creates secure connections between computers or networks in different locations. Each connection is known as a tunnel. When a VPN tunnel is created, the two tunnel endpoints authenticate with each other. Data in the tunnel is encrypted so only the sender and the recipient of the traffic can read it.
A branch office virtual private network (BOVPN) enables organizations to deliver secure, encrypted connectivity between geographically separated offices. The networks and hosts on a BOVPN tunnel can be corporate headquarters, branch offices, cloud-based endpoints such as Microsoft Azure or Amazon AWS, remote users, or telecommuters. BOVPN communications often contain the types of critical data exchanged inside a corporate firewall. In this scenario, a BOVPN provides confidential connections between these offices. This streamlines communication, reduces the cost of dedicated lines, and maintains security at each endpoint.
Manual BOVPN tunnels provide many additional tunnel options. Another type of tunnel is a managed BOVPN tunnel, which is a BOVPN tunnel that you create between your centrally managed devices with a drag-and drop procedure or a wizard. For information on this type of tunnel, see Managed Branch Office VPN Tunnels (WSM).
WatchGuard branch office VPNs use IPSec or TLS to secure the BOVPN tunnel. The branch office VPN tunnel must connect to an external interface of the device at each end of the tunnel.
BOVPN Requirements and Planning
To create an IPSec branch office VPN between a Firebox and another IPSec VPN gateway:
- You must have two Fireboxes, or one Firebox and a third-party IPSec VPN gateway.
- The two gateways must each have an interface with a connection to the Internet.
- You must know whether the IP address assigned to the other VPN device is static or dynamic. If the other VPN device has a dynamic IP address and uses dynamic DNS, you can specify the domain name of that device. If the other device does not use dynamic DNS, that device can send any non-resolvable domain string if it is the initiator. For dynamic endpoints, you must use either IKEv1 Aggressive Mode or IKEv2 (recommended).
- The ISP for each VPN device must allow IPSec traffic on their networks.
Some ISPs do not let you create VPN tunnels on their networks unless you upgrade your Internet service to a level that supports VPN tunnels. For the VPN to function properly, make sure these ports and protocols are allowed:
- UDP Port 500 (Internet Key Exchange or IKE)
- UDP Port 4500 (NAT traversal)
- IP Protocol 50 (Encapsulating Security Payload or ESP)
Before you configure a branch office VPN, you must agree on the VPN gateway and tunnel settings to use, and you must know the IP addresses of the private networks that you want to send and receive traffic through the tunnel:
- To use a pre-shared key as the credential method, you must know the shared key (passphrase) for the tunnel. The same shared key must be used by each device. The shared key can be up to 79 characters in length. In Fireware v12.5.4 or higher, you can specify a hex-based pre-shared key. For information about hex-based keys, see Hex-Based Pre-Shared Keys.
- To use a certificate as the credential method, the same certificate must be installed on both endpoints.
- (Fireware v12.6.2 or higher) If you select Specify a CA certificate for remote endpoint verification, the certificate from the VPN peer must be part of the certificate chain that includes the specified root or intermediate CA certificate. If the peer certificate is not part of the chain, the Firebox rejects Phase 1 tunnel negotiations.
- You must know the encryption method used for the tunnel (3DES, AES-128 bit, AES-192 bit, or AES-256 bit). In Fireware v12.2 or higher, you can also specify AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). The two VPN devices must use the same encryption method. For best performance and security, we recommend you use AES or better encryption on all branch office VPNs on supported Firebox devices.
- You must know the authentication method for each end of the tunnel (MD5, SHA-1, SHA2-256, SHA2-384, SHA2-512). The two VPN devices must use the same authentication method.
- You must know the network addresses of the private (trusted) networks behind your Firebox and of the network behind the other VPN device, and their subnet masks.
- If any of the private IP addresses of the computers behind your Firebox are the same as the IP addresses of the computers on the other side of the VPN tunnel, you can use 1-to-1 NAT to masquerade the IP addresses to avoid a conflict. For more information, see Configure 1-to-1 NAT Through a Branch Office VPN Tunnel.
We recommend that you record information about the local Firebox configuration and the information about the remote VPN gateway you want to connect to. See the Sample VPN Information Table for a list of information to collect. You can also save or print the BOVPN configuration for easy comparison of settings. For more information, see Use the BOVPN Configuration Reports.
BOVPN Tunnel Configuration Options
There are two ways to configure a manual BOVPN tunnel. The method you choose determines how the Firebox decides whether to send traffic through the tunnel.
Configure a BOVPN Gateway and add BOVPN Tunnels
You can configure a BOVPN gateway and add one or more BOVPN tunnels that use that gateway. This option enables you to set up a BOVPN tunnel between two Fireboxes, or between a Firebox and another device that uses the same gateway and tunnel settings. When you use this configuration method, the Firebox always routes a packet through the BOVPN tunnel if the source and destination of the packet match a configured BOVPN tunnel.
For a demonstration of how to configure BOVPN gateways and tunnels in Policy Manager, see the Branch Office VPN video tutorial (12 minutes).
For information about how to configure the gateway and tunnel settings, see
- Configure Manual BOVPN Gateways — Configure the connection points on both the local and remote sides of the tunnel.
- Define a Tunnel — Configure the tunnel routes and security settings.
Configure a BOVPN Virtual Interface
You can also configure a BOVPN as a BOVPN virtual interface and then add routes through the virtual interface. When you use this configuration method, the Firebox routes a packet through the tunnel based on the outgoing interface for the packet. You can select a BOVPN virtual interface as a destination when you configure policies. The decision about whether the Firebox sends traffic through the VPN tunnel is affected by static and dynamic routes, and by policy-based routing.
For more information, see About BOVPN Virtual Interfaces.
Custom Tunnel Policies
When you configure a BOVPN tunnel, the Firebox automatically adds new VPN tunnels to the BOVPN-Allow.in and BOVPN-Allow.out policies. These policies allow all traffic to use the tunnel. You can choose to not use these policies and instead create custom VPN policies to allow only traffic of specific types through the tunnel. For more information, see Define Custom Tunnel Policies.
If you want to create a VPN tunnel that allows traffic to flow in only one direction, you can configure the tunnel to use outgoing dynamic NAT. This can be helpful when you make a tunnel to a remote site where all VPN traffic comes from one public IP address. For more information, see Configure Outgoing Dynamic NAT Through a Branch Office VPN Tunnel.
VPN tunnels automatically fail over to the backup WAN interface during a WAN failover. You can configure BOVPN tunnels to fail over to a backup peer endpoint if the primary endpoint becomes unavailable. To configure the failover settings, you must define at least one backup endpoint as described in Configure VPN Failover.
Global VPN Settings
Global VPN settings on your Firebox apply to all manual BOVPN tunnels, BOVPN virtual interfaces, managed BOVPN tunnels, and Mobile VPN tunnels. You can use these settings to:
- Enable IPSec pass-through
- Clear or maintain the settings of packets with Type of Service (TOS) bits set
- Enable the use of non-default routes to determine if IPSec is used
- Disable or enable the built-in IPSec policy
- Use an LDAP server to verify certificates
- Configure the Firebox to send a notification when a BOVPN tunnel is down (BOVPN tunnels only)
To change these settings, from Policy Manager, select VPN > VPN Settings.To change these settings, from Fireware Web UI, select VPN > Global Settings. For more information on these settings, see About Global VPN Settings.
BOVPN Tunnel Status
You can see the current status of BOVPN tunnels in the Front Panel tab of Firebox System Manager or on the Device Status tab of WatchGuard System Manager when you are connected to your device. For more information, see VPN Tunnel Status and Subscription Services.
To see the current status of BOVPN tunnels, from Fireware Web UI, select System Status > VPN Statistics. For more information, see VPN Statistics.
Rekey BOVPN Tunnels
If you do not want to wait for your BOVPN tunnel keys to expire, you can use Firebox System Manager to immediately generate new keys for your BOVPN tunnels. For more information, see Force a Branch Office VPN Tunnel Rekey.
Branch Office VPN (Video)