Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint

Applies To: Cloud-managed Fireboxes

You can configure a VPN from a cloud-managed Firebox to any Firebox, or to any third-party VPN endpoint that supports IKEv2 with compatible settings. You can also configure a BOVPN virtual interface to a third-party or cloud-based endpoint. Supported endpoints include cloud virtual networks, such as Microsoft Azure and Amazon AWS, and Cisco VTI endpoints.

To configure a BOVPN between two cloud-managed Fireboxes in the same WatchGuard Cloud account, see Configure a BOVPN Between Cloud-Managed Fireboxes.

When you configure the BOVPN, WatchGuard Cloud deploys the configuration to the cloud-managed Firebox. You must then configure the remote endpoint with the same settings.

When you add a BOVPN to a cloud-managed Firebox, you configure:

  • VPN Gateways — The external networks the two devices use to connect.
  • Pre-Shared Key — A shared secret both endpoints use to authenticate each other during IKEv2 negotiation. It is not itself the key that encrypts tunnel traffic; those keys are derived during the negotiation, so the pre-shared key must be entered identically on both endpoints and kept secret.
  • Network Resources — The networks that can send and receive traffic through the tunnel.
  • Virtual IP Address — (Optional) Required if you want to add the BOVPN to an SD-WAN action.
  • Security Settings — Authentication and encryption settings for VPN negotiation.

BOVPNs and Routing

In the BOVPN configuration, you specify what network resources are accessible through the tunnel. The resources you select for one endpoint become static routes on the other VPN endpoint, with the BOVPN as the gateway. The metric you specify for each resource appears in the routing table. The Firebox uses the routing table to determine whether to send traffic through the BOVPN tunnel.

You cannot specify network resources for both endpoints in the same subnet. This means you cannot route traffic through a BOVPN tunnel between private networks that use the same IP address range.

If you add a zero route BOVPN network resource (0.0.0.0/0), this creates a default route that sends all network traffic (including the traffic to WatchGuard Cloud) through the VPN tunnel.

If you add a zero route BOVPN network resource, and the remote VPN endpoint cannot route traffic from the cloud-managed Firebox to WatchGuard Cloud, you lose the ability to manage or monitor the Firebox.

For a VPN between a Firebox and a locally-managed or third-party VPN endpoint

  • The network resources you specify for the remote endpoint determine what traffic the Firebox routes through the tunnel. They become static routes on the cloud-managed Firebox, with the BOVPN as the gateway.
  • The network resources you specify for the Firebox are the resources that you want the remote endpoint to route through the VPN tunnel to the Firebox. They do not limit what traffic the Firebox accepts through the tunnel. For the Firebox to receive VPN traffic to these resources, the remote endpoint must be configured to route traffic to these IP addresses through the tunnel.

BOVPNs and Automatic Deployment

When you add, edit, or remove a BOVPN, the BOVPN configuration is automatically deployed for the cloud-managed Firebox to download. To make sure that the automatic deployment contains only BOVPN configuration changes, you cannot save BOVPN changes if the Firebox has other undeployed configuration changes.

Before you add, edit, or remove a BOVPN, make sure that the Firebox does not have undeployed changes.

Add a BOVPN

To add a BOVPN to the cloud-managed Firebox, from WatchGuard Cloud:

  1. To open the BOVPN page, use one of these methods:
    • To manage BOVPNs for all Fireboxes in the currently selected account, select Configure > VPNs.
    • To manage BOVPNs for a specific Firebox, on the Device Configuration page, click the Branch Office VPN tile.
  2. From either BOVPN page, click the Branch Office VPN tile.
    The BOVPN page shows currently configured BOVPNs.

Screenshot of the BOVPN page with no BOVPNs added

  3. Click Add BOVPN.
    The Add BOVPN page opens.
  4. In the Name text box, type a name for this BOVPN.
  5. Select Locally-Managed Firebox or third-party VPN endpoint.
    The content of the Endpoint B section changes from a list of Fireboxes to an Endpoint Name text box.

Screenshot of the Add BOVPN page with Locally-Managed Firebox or third-party VPN endpoint selected

  6. In the Endpoint A section, select a cloud-managed Firebox in your account.
    If you added the BOVPN from a Device Configuration page, the Endpoint A list contains only one Firebox.
  7. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint.
    The BOVPN configuration uses this name to refer to Endpoint B.

Screenshot of the Define VPN endpoints settings, with a local and remote VPN endpoint specified

  8. Click Next.
    The VPN Gateways settings page opens.

Screenshot of the VPN Gateways and Pre-shared key settings

  9. For the cloud-managed Firebox, select one external network to use for this VPN connection.
  10. Specify the IP address of that Firebox external network, or a domain name that resolves to it.
  11. For the remote endpoint, in the IP or Domain Name text box, type an IP address or a domain name that resolves to the IP address of the remote endpoint.
  12. In the Pre-shared key text box, type a pre-shared key to secure this VPN tunnel. Use a long, random key; you must enter the same key on the remote endpoint.
  13. Click Next.

Screenshot of the Traffic settings

  14. Select the Firebox internal and guest networks that you want to be accessible through the VPN tunnel.
  15. To add a network resource other than internal or guest networks:
    1. In the section for the Firebox resources, click Add Network Resource.

    Screenshot of the Add Network Resource dialog box

    2. In the Network Resource text box, type the network IP address and netmask.
    3. In the Metric text box, you can edit the metric. The default is 1.
    4. Click Add.
      The network resource is added to the Traffic settings for the endpoint.
  16. Add a network resource for the remote endpoint:
    1. In the section for the second endpoint, click Add Network Resource.
    2. In the Network Resource text box, type the network IP address and netmask.
    3. In the Metric text box, you can edit the metric. The default is 1.
    4. Click Add.
      The network resource is added to the Traffic settings for the endpoint.
  17. Repeat the previous step to add other network resources.
  18. (Optional) For each endpoint, in the Virtual IP Address text box, type an IP address.

Screenshot of the virtual IP address settings

We recommend you specify an IP address in a private network IP address range that is not used for routing on either endpoint.

You must specify virtual IP addresses before you can add this BOVPN to an SD-WAN action. To use this in an SD-WAN action, specify a host IP address with a /32 netmask.

  19. Click Next.
    The Security settings page opens.

Screenshot of the default security settings

  20. Accept the default security settings, or edit them to match settings supported by the remote VPN endpoint. For information, see Configure BOVPN Security Settings.
  21. Click Add.
    The BOVPN deployment is added, and the BOVPN Guide page opens.

Screenshot of the last page of the Add BOVPN wizard, with the View Guide link

  22. To open the BOVPN Guide in a new browser tab, click View Guide.
    The BOVPN Guide opens in a new browser tab. You can print this page or save it to a PDF.
  23. To return to the BOVPN list, click Finish.
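The wizard inputs above, and what the remote endpoint must mirror from them, as an added Python example that is not part of the WatchGuard documentation or product. It derives the remote endpoint's view of the tunnel by swapping the two endpoints (the Firebox's resources become the networks the remote must route through the tunnel, as the Routing section explains, and the pre-shared key and proposals stay the same), rejects a weak pre-shared key and generates a strong one, and checks that each virtual IP address is a private /32 host that does not overlap a routed network resource. The endpoint names, gateways, networks, the deliberately weak starting key and the proposal names under security are constructed; restricting the generated key to letters, digits, period and underscore is an assumption about what third-party endpoints accept, so check the remote vendor's rules.

```python
import ipaddress
import secrets
import string

# Constructed Add BOVPN wizard inputs (not from the page). The proposal names
# under "security" are placeholders; the page defers the actual defaults to
# "Configure BOVPN Security Settings".
BOVPN = {
    "name": "hq-to-aws",
    "endpoint_a": {  # the cloud-managed Firebox
        "name": "Firebox-HQ",
        "gateway": "vpn-hq.example.com",  # external IP or a name that resolves to it
        "resources": ["10.0.1.0/24", "10.0.2.0/24"],
        "virtual_ip": "10.255.0.1/32",
    },
    "endpoint_b": {  # locally-managed Firebox or third-party endpoint
        "name": "aws-vgw",
        "gateway": "198.51.100.7",
        "resources": ["172.31.0.0/16"],
        "virtual_ip": "10.255.0.2/32",
    },
    "pre_shared_key": "watchguard123",  # deliberately weak; replaced by prepare()
    "security": {"ike_version": 2, "phase1": "IKE-PROPOSAL", "phase2": "IPSEC-PROPOSAL"},
}

# Assumption: letters, digits, period and underscore are accepted by most
# third-party endpoints; check the remote vendor's PSK rules before use.
PSK_ALPHABET = string.ascii_letters + string.digits + "._"
COMMON_PSKS = {"password", "watchguard", "watchguard123", "12345678"}  # constructed list


def psk_weaknesses(psk):
    """Return the reasons a pre-shared key should not be used, or [] if none."""
    issues = []
    if len(psk) < 20:
        issues.append("shorter than 20 characters")
    if psk.lower() in COMMON_PSKS:
        issues.append("common or vendor-derived value")
    classes = sum(any(f(c) for c in psk) for f in (str.islower, str.isupper, str.isdigit))
    if classes < 3:
        issues.append("fewer than three character classes")
    return issues


def generate_psk(length=32):
    """Random PSK from PSK_ALPHABET, regenerated until psk_weaknesses passes."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not psk_weaknesses(psk):
            return psk


def virtual_ip_issues(vip, all_resources):
    """Check a virtual IP against the page's advice: a private host address with
    a /32 netmask (required for SD-WAN actions) not routed on either endpoint."""
    net = ipaddress.ip_network(vip, strict=True)
    issues = []
    if net.prefixlen != 32:
        issues.append("netmask must be /32 for use in an SD-WAN action")
    if not net.is_private:
        issues.append("not in a private address range")
    for cidr in all_resources:
        if net.overlaps(ipaddress.ip_network(cidr)):
            issues.append(f"overlaps routed network resource {cidr}")
    return issues


def remote_endpoint_settings(bovpn):
    """The remote endpoint's view of the tunnel: endpoints swapped, same PSK and
    proposals. Endpoint A's resources are what the remote must route through the
    tunnel; Endpoint B's resources are the remote's own local networks."""
    a, b = bovpn["endpoint_a"], bovpn["endpoint_b"]
    return {
        "ike_version": bovpn["security"]["ike_version"],
        "local_gateway": b["gateway"],
        "remote_gateway": a["gateway"],
        "local_networks": list(b["resources"]),
        "remote_networks": list(a["resources"]),
        "pre_shared_key": bovpn["pre_shared_key"],
        "phase1": bovpn["security"]["phase1"],
        "phase2": bovpn["security"]["phase2"],
    }


def prepare(bovpn):
    """Validate the wizard inputs, replace a weak PSK, and return the settings
    to hand to the remote endpoint's administrator."""
    if psk_weaknesses(bovpn["pre_shared_key"]):
        bovpn["pre_shared_key"] = generate_psk()
    resources = bovpn["endpoint_a"]["resources"] + bovpn["endpoint_b"]["resources"]
    problems = {}
    for side in ("endpoint_a", "endpoint_b"):
        issues = virtual_ip_issues(bovpn[side]["virtual_ip"], resources)
        if issues:
            problems[side] = issues
    if problems:
        raise ValueError(problems)
    return remote_endpoint_settings(bovpn)


if __name__ == "__main__":
    for key, value in prepare(BOVPN).items():
        print(f"{key}: {value}")
```

The printed dictionary is the same information the BOVPN Guide summarizes for the remote side; note that `local_networks` and `remote_networks` are the Firebox's lists reversed, which is the mistake most often made when the remote endpoint is configured by hand.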

View the BOVPN Guide

For each BOVPN, WatchGuard Cloud generates a VPN Guide that summarizes the VPN configuration settings required on the remote VPN endpoint. You can view the BOVPN Guide from the Edit BOVPN page. For more information, see View the BOVPN Guide.

Configure the Remote VPN Endpoint

On the remote VPN endpoint, add an IKEv2 VPN with settings that match the VPN settings on the cloud-managed Firebox. For more information, see Configure Remote VPN Endpoint Settings on a Locally-Managed Firebox or Third-Party VPN Endpoint.

Edit or Delete a BOVPN

You can edit or delete a BOVPN from the BOVPN page. For information, see Manage BOVPNs for Cloud-Managed Fireboxes.

See Also

Manage Device Configuration Deployment