Configure a BOVPN to a Locally Managed or Third-Party VPN Endpoint

Applies To: Cloud-managed Fireboxes

This feature is only available to participants in the WatchGuard Cloud Beta program.

You can configure a VPN from a cloud-managed Firebox to any Firebox or any third-party VPN endpoint that supports IKEv2 VPNs with compatible settings.

The remote endpoint can be:

  • A third-party VPN endpoint
  • A locally-managed Firebox
  • A cloud-managed Firebox in another account

To configure a BOVPN between two cloud-managed Fireboxes in the same account, see Configure a BOVPN Between Cloud-Managed Fireboxes.

You can configure a BOVPN virtual interface to a third-party VPN endpoint or cloud-based endpoint. Supported endpoints include cloud-based virtual networks, such as Microsoft Azure, Amazon AWS, and Cisco VTI endpoints.

When you configure the BOVPN, WatchGuard Cloud deploys the configuration to the cloud-managed Firebox. You must then configure the remote endpoint with the same settings.

When you add a BOVPN to a cloud-managed Firebox, you configure:

  • VPN Gateways — The external networks the two devices use to connect.
  • Pre-Shared key — A shared secret used to encrypt and decrypt data that goes through the tunnel.
  • Network Resources — The networks that can send and receive traffic through the tunnel.
  • Virtual IP Address — (optional) Required if you want to add the BOVPN to an SD-WAN action.
  • Security Settings — Authentication and encryption settings for VPN negotiation.

BOVPNs and Routing

In the BOVPN configuration, you specify what network resources are accessible through the tunnel. The resources you select for one endpoint become static routes on the other VPN endpoint, with the BOVPN as the gateway. The metric you specify for each resource appears in the routing table. The Firebox uses the routing table to determine whether to send traffic through the BOVPN tunnel.

You cannot specify network resources for both endpoints in the same subnet. This means you cannot route traffic through a BOVPN tunnel between private networks that use the same IP address range.

If you add a zero route BOVPN network resource (0.0.0.0/0), this creates a default route that sends all network traffic (including the traffic to WatchGuard Cloud) through the VPN tunnel.

If you add a zero route BOVPN network resource, and the remote VPN endpoint cannot route traffic from the cloud-managed Firebox to WatchGuard Cloud, you lose the ability to manage or monitor the Firebox.

For a VPN between a Firebox and a non-cloud VPN endpoint:

  • The network resources you specify for the remote endpoint specify what traffic the Firebox routes through the tunnel. These become static routes on the cloud-managed Firebox, with the BOVPN as the gateway.
  • The network resources you specify for the Firebox are the resources that you want the remote endpoint to route through the VPN tunnel to the Firebox. The resources you specify here do not limit what traffic the Firebox accepts through the VPN tunnel. For the Firebox to receive VPN traffic to these resources, the remote endpoint must be configured to route traffic to these IP addresses through the tunnel.
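The following is an added example, not WatchGuard code, that models the routing behaviour described above: each endpoint's network resources become static routes on the peer with the BOVPN as gateway, resources for the two endpoints must not share an address range, and a 0.0.0.0/0 resource on the remote side turns into a default route on the Firebox. Endpoint and tunnel names are constructed for illustration.

```python
# Added example (not WatchGuard's code). Models how BOVPN network resources
# become static routes on the peer endpoint and checks the two routing
# constraints from the text. Endpoint and BOVPN names are assumed.
from ipaddress import ip_network

ZERO_ROUTE = ip_network("0.0.0.0/0")


def derive_routes(name_a, res_a, name_b, res_b, bovpn="bovpn-1"):
    """res_a / res_b are lists of (cidr, metric) configured for each endpoint.

    Returns {endpoint_name: [(destination, metric, gateway), ...]}.
    Resources configured for endpoint A are installed as routes on endpoint B
    (and vice versa), each with the BOVPN tunnel as the gateway.
    """
    nets_a = [(ip_network(c, strict=False), m) for c, m in res_a]
    nets_b = [(ip_network(c, strict=False), m) for c, m in res_b]
    # Resources for the two endpoints may not be in the same subnet: the Firebox
    # cannot route between private networks that use the same address range.
    # Treated conservatively here as any overlap (the zero route is exempt,
    # since it overlaps everything by definition).
    for na, _ in nets_a:
        for nb, _ in nets_b:
            if ZERO_ROUTE in (na, nb):
                continue
            if na.overlaps(nb):
                raise ValueError(f"{na} ({name_a}) overlaps {nb} ({name_b})")
    return {
        name_b: [(str(n), m, bovpn) for n, m in nets_a],
        name_a: [(str(n), m, bovpn) for n, m in nets_b],
    }


def remote_zero_route(res_remote):
    """True if the remote endpoint's resources include 0.0.0.0/0.

    That resource becomes a default route on the cloud-managed Firebox, so all
    traffic, including traffic to WatchGuard Cloud, is sent through the tunnel;
    management and monitoring is lost unless the remote side routes it back.
    """
    return any(ip_network(c, strict=False) == ZERO_ROUTE for c, _ in res_remote)


if __name__ == "__main__":
    # Constructed sample: Firebox LAN on one side, an AWS VPC on the other.
    routes = derive_routes("firebox", [("10.0.1.0/24", 1)],
                           "aws-vpc", [("172.16.0.0/16", 5)])
    for ep, table in routes.items():
        print(ep, table)
    print("default route on Firebox:", remote_zero_route([("0.0.0.0/0", 1)]))
```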

BOVPNs and Automatic Deployment

When you add, edit, or remove a BOVPN, the BOVPN configuration is automatically deployed for the cloud-managed Firebox to download. To make sure that the automatic deployment contains only BOVPN configuration changes, you cannot save BOVPN changes if the Firebox has other undeployed configuration changes.

Before you add, edit, or remove a BOVPN, make sure that the Firebox does not have undeployed changes.

Add a BOVPN

You can add a BOVPN from the BOVPN page for a specific Firebox, or you can add it from the VPNs shared configuration page. For more information, see Manage BOVPNs for Cloud-Managed Fireboxes.

To add a BOVPN:

  1. To open the BOVPN page, use one of these methods:
    • To manage BOVPNs for all Fireboxes in the currently selected account, select Configure > VPNs
    • To manage BOVPNs for a specific Firebox, on the Device Configuration page, click the Branch Office VPN tile.
  2. From either BOVPN page, click the Branch Office VPN tile.
    The BOVPN page shows currently configured BOVPNs.

Screen shot of the BOVPN page with no BOVPNs added

  1. Click Add BOVPN.
    The Add BOVPN page opens.
  2. In the Name text box, type a name for this BOVPN.
  3. Select Locally-Managed Firebox or third-party VPN endpoint.
    The content of the Endpoint B section changes from a list of Fireboxes to an Endpoint Name text box.

Screen shot of the Add BOVPN page with Locally-Managed Firebox or third-party VPN endpoint selected

  1. In the Endpoint A section, select a cloud-managed Firebox in your account.
    If you added the BOVPN from a Device Configuration page, the Endpoint A list contains only one Firebox.
  2. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint.
    The BOVPN configuration uses this name to refer to Endpoint B.

Screenshot of the Define VPN endpoints settings, with a local and remote VPN endpoint specified

  1. Click Next.
    The VPN Gateways settings page opens.

Screen shot of the VPN Gateways and Pre-shared key settings

  1. For the cloud-managed Firebox, select one external network to use for this VPN connection.
  2. Specify the IP address or a domain name that resolves to the Firebox external network IP address.
  3. For the remote endpoint, in the IP or Domain Name text box, type an IP address or a domain name that resolves to the IP address of the remote endpoint.
  4. In the Pre-shared key text box, type a pre-shared key to secure this VPN tunnel.
  5. Click Next.

Screen shot of the Traffic settings

  1. Select the Firebox internal and guest networks that you want to be accessible through the VPN tunnel.
  2. To add a network resource other than internal or guest networks:
    1. In the section for the Firebox resources, click Add Network Resource.

    Screen shot of the Add Network Resource dialog box

    2. In the Network Resource text box, type the network IP address and netmask.
    3. In the Metric text box, you can edit the metric. The default is 1.
    4. Click Add.
      The network resource is added to the Traffic settings for the endpoint.
  3. Add a network resource for the remote endpoint:
    1. In the section for the second endpoint, click Add Network Resource.
    2. In the Network Resource text box, type the network IP address and netmask.
    3. In the Metric text box, you can edit the metric. The default is 1.
    4. Click Add.
      The network resource is added to the Traffic settings for the endpoint.
  4. Repeat the previous step to add other network resources.
  5. (Optional) For each endpoint, in the Virtual IP Address text box, type an IP address.

Screen shot of the virtual IP address settings

We recommend you specify an IP address in a private network IP address range that is not used for routing on either endpoint.

You must specify virtual IP addresses before you can add this BOVPN to an SD-WAN action. To use this in an SD-WAN action, specify a host IP address with a /32 netmask.

  1. Click Next.
    The Security settings page opens.

Screen shot of the default security settings

  1. Accept the default security settings, or edit them to match settings supported by the remote VPN endpoint. For information, see Configure BOVPN Security Settings.
  2. Click Add.
    The BOVPN deployment is added, and the BOVPN Guide page opens.

Screen shot of the last page of the Add BOVPN wizard, with the View Guide link

  1. To open the BOVPN Guide in a new browser tab, click View Guide.
    The BOVPN Guide opens in a new browser tab. You can print this page or save it to a PDF.
  2. To return to the BOVPN list, click Finish.

Configure the Remote Endpoint

On the remote endpoint, add an IKEv2 VPN with settings that match the Firebox VPN settings.

  • Remote gateway — Specify the external domain name or IP address of the Firebox.
  • Pre-shared key — Specify the same pre-shared key as in the Firebox BOVPN settings.
  • Virtual IP addresses — The virtual IP addresses specified in the Firebox BOVPN settings.
  • Phase 1 settings — The Phase 1 authentication, encryption, SA Life, and key expiration settings specified in the Firebox BOVPN settings.
  • Phase 2 settings — Configure the remote endpoint to use ESP (Encapsulating Security Payload), and specify the authentication, encryption, and key expiration settings specified in the Firebox BOVPN configuration.
  • Network resources — Configure the remote endpoint to route traffic through the VPN to the Firebox network resources.

Use a secure method to send the BOVPN Guide and pre-shared key to the administrator of the remote endpoint.

View the BOVPN Guide

For each BOVPN, WatchGuard Cloud generates a VPN Guide that summarizes the VPN configuration settings required on the remote VPN endpoint. You can view the BOVPN Guide from the Edit BOVPN page. For more information, see View the BOVPN Guide.

Edit or Delete a BOVPN

You can edit or delete a BOVPN from the BOVPN page. For information, see Manage BOVPNs for Cloud-Managed Fireboxes.

See Also

Manage Firebox Configuration Deployment