Quick Start — Set Up a VPN Between Two Fireboxes

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic summarizes the steps required to set up a BOVPN tunnel between two Fireboxes.

This topic does not provide descriptions for the settings in the BOVPN dialog boxes and the effects they can have on a tunnel. For more detailed information about branch office VPN settings, go to:

For detailed configuration examples, go to Manual BOVPN Configuration Examples.

The procedures in this topic describe how to set up a branch office VPN between two Fireboxes that have static external IP addresses. For information about how to set up a BOVPN gateway to a device that uses a dynamic external IP address, go to Define Gateway Endpoints for a BOVPN Gateway.

Quick Start with Fireware Web UI

If both Fireboxes have a static public IP address, you must have this information before you begin:

  • Public IP address of each Firebox — This is the IP address that the peer gateway connects to.
  • Private IP addresses for each Firebox — This is an IP address used to identify a local network. These are the IP addresses of the computers on each device that are allowed to send traffic through the VPN tunnel.
  • Pre-shared key — This is a passphrase used to encrypt and decrypt the data that goes through the VPN tunnel.

Here is a checklist of the information you must collect:

Site A device

Site A External (Public) IP address: ______________________________

Site A Private IP addresses: _____________________________

Site B device

Site B External (Public) IP address: ______________________________

Site B Private IP addresses: _____________________________

Common VPN settings

Pre-shared key: _____________________________

You must also decide what Phase 1 and Phase 2 settings to use. For a VPN between two Fireboxes, you can use the default Phase 1 and Phase 2 settings on both devices. You can select IKEv2 in the Phase 1 settings for improved tunnel reliability.

For a complete list of settings, and a detailed example of how to configure settings for a BOVPN between two Fireboxes, go to Set up a VPN Between Two Fireware Devices (Web UI).

  1. Select VPN > Branch Office VPN.
  2. Below the Gateways list, click Add.
  3. In the Gateway Name text box, type a name to identify this gateway.
  4. (Fireware v12.4 or higher) From the Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
  5. In the Credential Method section, select Use Pre-Shared Key.
  6. (Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
  7. Type the shared key.
  8. Below the Gateway Endpoint list, click Add.
  9. From the External Interface drop-down list, select the interface that has the external IP address.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address or Primary Interface IPv6 Address.
  11. Select By IP Address.
  12. In the By IP Address text box, type the external (public) IP address of the Site A Firebox.
  13. Select the Remote Gateway tab.
  14. Select Static IP Address.
  15. In the Static IP Address text box, type the external (public) IP address of the Site B Firebox.
  16. Select By IP Address. In the By IP Address text box, type the external IP address of the Site B Firebox.
  17. Click OK to close the Gateway Endpoint Settings dialog box.
  18. Click Save to save the gateway settings.
  1. On the Branch Office VPN page, below the Tunnels list, click Add.
  2. In the Name text box, type a name for the tunnel.
  3. From the Gateway drop-down list, select the gateway you created.
  4. Below the Addresses list, click Add.
  5. In the Local IP section, from the Choose Type drop-down list, select the type of local address. For example, select Network IPv4 to add an IPv4 subnet.
  6. In the adjacent text box, type the private network address at Site A.
  7. In the Remote IP section, from the Choose Type drop-down list, select the type of remote address. For example, select Network IPv4 to add an IPv4 subnet.
  8. In the adjacent text box, type the private network address at Site B.
  9. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  10. Click OK.
  11. Click Save to save the tunnel settings.
  1. Select VPN > Branch Office VPN.
  2. Below the Gateways list, click Add.
  3. In the Gateway Name text box, type a name to identify this gateway.
  4. (Fireware v12.4 or higher) From the Address Family drop-down list, select IPv4 Addresses or IPv6 Addresses.
  5. In the Credential Method section, select Use Pre-Shared Key.
  6. (Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
  7. Type the shared key.
  8. Below the Gateway Endpoint list, click Add.
  9. From the External Interface drop-down list, select the interface that has the external IP address.
  10. Select By IP Address.
  11. In the By IP Address text box, type the external (public) IP address of the Site B Firebox.
  12. Select the Remote Gateway tab.
  13. Select Static IP Address.
  14. In the Static IP Address text box, type the external (public) IP address of the Site A Firebox.
  15. Select By IP Address. In the By IP Address text box, type the external IP address of the Site A Firebox.
  16. Click OK to close the Gateway Endpoint Settings dialog box.
  17. Click Save to save the gateway settings.
  1. On the Branch Office VPN page, below the Tunnels list, click Add.
  2. In the Name text box, type a name for the tunnel.
  3. From the Gateway drop-down list, select the gateway you created.
  4. Below the Addresses list, click Add.
  5. In the Local IP section, from the Choose Type drop-down list, select the type of local address. For example, select Network IPv4 to add an IPv4 subnet.
  6. In the adjacent text box, type the private network address at Site B.
  7. In the Remote IP section, from the Choose Type drop-down list, select the type of remote address. For example, select Network IPv4 to add an IPv4 subnet.
  8. In the adjacent text box, type the private network address at Site A.
  9. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  10. Click OK.
  11. Click Save to save the tunnel settings.

Quick Start with Policy Manager

If both devices have a static public IP address, you need to know this information before you begin:

  • Public IP address of each device — This is the IP address that the peer gateway connects to.
  • Private IP addresses for each device — This is an address used to identify a local network. These are the IP addresses of the computers on each device that are allowed to send traffic through the VPN tunnel.
  • Pre-shared key — This is a passphrase used to encrypt and decrypt the data that goes through the VPN tunnel.

Here is a checklist of the information you must collect:

Site A device

Site A External (Public) IP address: ______________________________

Site A Private IP addresses: _____________________________

Site B device

Site B External (Public) IP address: ______________________________

Site B Private IP addresses: _____________________________

Common VPN settings

Pre-shared key: _____________________________

You must also decide what Phase 1 and Phase 2 settings to use. For a VPN between two Fireboxes, you can use the default Phase 1 and Phase 2 settings on both devices.

For a complete list of settings, and a detailed example of how to configure settings for a BOVPN between two Fireboxes, go to Set up a VPN Between Two Fireware Devices (WSM).

  1. In Policy Manager, select VPN > Branch Office Gateways. Click Add.
  2. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  3. In the Credential Method section, select Use Pre-Shared Key.
  4. (Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
  5. Type the shared key.
  6. In the Gateway Endpoints section, click Add.
  7. From the External Interface drop-down list, select the interface that has the external IP address.
  8. Select By IP Address.
  9. From the IP Address drop-down list, select the external IP address of the Site A device.
  10. In the Remote Gateway section, select Static IP Address.
  11. In the IP Address text box, type the external (public) IP address of the Site B device.
  12. In the for Specify the gateway ID for the tunnel authentication section, select By IP Address.
  13. In the IP Address text box, type the external IP (public) address of the Site B device.
  14. Click OK to close the New Gateway Endpoints Settings dialog box.
  15. Click Close to close the Gateways dialog box.
  1. In Policy Manager, select VPN > Branch Office Tunnels. Click Add.
  2. In the Tunnel Name text box, type a name for the tunnel.
  3. From the Gateway drop-down list, select the gateway you created.
  4. In the Addresses section, click Add.
  5. In the Local text box, type the private network address for the Site A local network. You can also click the button adjacent to the Local drop-down list to enter a host IP address, network address, range of host IP addresses, or DNS name.
  6. In the Remote text box, type the private network address at Site B. You can also click the adjacent button to enter a host IP address, network address, range of host IP addresses, or DNS name.
  7. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  8. Click OK.
  9. Click Close and save the changes to the Site A device.
  1. In Policy Manager, select VPN > Branch Office Gateways. Click Add.
  2. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  3. In the Credential Method section, select Use Pre-Shared Key.
  4. (Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
  5. Type the shared key.
  6. In the Gateway Endpoints section, click Add.
  7. From the External Interface drop-down list, select the interface that has the external IP address.
  8. Select By IP Address.
  9. From the IP Address drop-down list, select the primary static external IP address of the Site B device.
  10. In the Remote Gateway section, select Static IP Address.
  11. In the IP Address text box, type the external (public) IP of the Site A device.
  12. In the for Specify the gateway ID for the tunnel authentication section, select By IP Address.
  13. In the IP Address text box, type the external (public) IP of the Site A device.
  14. Click OK to close the New Gateway Endpoints Settings dialog box.
  1. In Policy Manager, select VPN > Branch Office Tunnels. Click Add.
  2. In the Tunnel Name text box, type a name for the tunnel.
  3. From the Gateway drop-down list, select the gateway you created.
  4. In the Addresses section, click Add.
  5. In the Local text box, type the local (private) network address for the Site B local network. You can also click the button adjacent to the Local drop-down list to enter a host IP address, network address, range of host IP addresses, or DNS name.
  6. In the Remote text box, type the private network addresses at the Site A. You can also click the adjacent button to enter a host IP address, network address, range of host IP addresses, or DNS name.
  7. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  8. Click OK.
  9. Click Close and save the changes to the Site B device.

After you complete and save the VPN configuration on both devices, the devices automatically negotiate the tunnel.

If the devices cannot establish the tunnel, examine the log files on both Fireboxes for the time period you tried to start the tunnel. You should see log messages that show where the failure occurred and which settings could be part of the problem. You can also check the log messages in real time with Firebox System Manager.

Related Topics

Manual Branch Office VPN Tunnels

Monitor and Troubleshoot BOVPN Tunnels