Managed Branch Office VPN Tunnels (WSM)

A VPN (Virtual Private Network) creates secure connections between computers or networks in different locations. Each connection is known as a tunnel. When a VPN tunnel is created, the two tunnel endpoints authenticate with each other. Data in the tunnel is encrypted. Only the sender and the recipient of the traffic can read it.

Branch Office Virtual Private Networks (BOVPN) enable organizations to deliver secure, encrypted connectivity between geographically separated offices. The networks and hosts on a BOVPN tunnel can be corporate headquarters, branch offices, remote users, or telecommuters. These communications often contain the types of critical data exchanged inside a corporate firewall. In this scenario, a BOVPN provides confidential connections between these offices. This streamlines communication, reduces the cost of dedicated lines, and maintains security at each endpoint.

With WatchGuard System Manager, you can quickly and easily configure IPSec tunnels that use authentication and encryption. You can also see how these tunnels operate together with other tunnels and security policies. These tunnels are called managed BOVPN tunnels. Another type of tunnel is a manual BOVPN tunnel, which is a BOVPN tunnel that you define in dialog boxes. For information on this type of tunnel, go to About Manual IPSec Branch Office VPNs.

How to Create a Managed BOVPN Tunnel

You can quickly create a managed tunnel between devices with a drag-and-drop procedure and a simple wizard, as described in Make Managed Tunnels Between Devices.

Before you create managed tunnels, make sure you add the Fireboxes that will be the tunnel endpoints to the Management Server, as described in Add Managed Devices to the Management Server.

If you do not have a third-party or self-signed certificate, you must use the certificate authority on a Management Server. For more information, go to Configure the Certificate Authority on the Management Server.

Before you add or remove Firebox external interfaces, or move the external interface, you must delete any managed VPN tunnels. After the changes to the external interface configuration are complete, create new managed tunnels.

Tunnel Options

You can use several options to customize managed VPN tunnels:

  • If the trusted network behind one of the devices has many routed or secondary networks that you want to allow through the tunnel, add them manually as VPN resources for the device as described in Add VPN Resources.
  • If you want to restrict the types of traffic you allow through the managed BOVPN tunnel, or if you want to restrict the types of traffic that send log messages to the Log Server, you must use a VPN Firewall policy template. Or, you can use a policy template that is already defined on your Management Server. For more information, go to Add VPN Firewall Policy Templates.
  • The wizard you use to create managed BOVPN tunnels allows you to choose from several settings for encryption. These settings are appropriate for most tunnels. However, if your network has special requirements, you can create your own settings, as described in Add Security Templates.

VPN Failover

VPN Failover, described in Configure Branch Office VPN (BOVPN) Failover, is supported with managed BOVPN tunnels. If you have multi-WAN configured and you create managed tunnels, WSM automatically sets up gateway pairs that include the external interfaces of both ends of your tunnel. No other configuration is necessary.

To enable a managed BOVPN to use both external interfaces of a Firebox as a gateway pair for VPN Failover, both external interfaces on the Firebox must have static public IP addresses that are referenced in the configuration settings of the managed device on the Management Server.
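The two preceding paragraphs state the preconditions for WSM to build a VPN Failover gateway pair from a Firebox's external interfaces: multi-WAN (at least two external interfaces), static public addresses on both, and those addresses referenced in the managed device's settings on the Management Server. The following pre-check is an added example, not WatchGuard's code and not part of WSM; it runs over constructed interface records and reports every precondition a pair would fail. The interface names, the sample addresses (IANA documentation ranges), and the `in_mgmt_server` flag are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges that can never serve as an Internet-reachable VPN gateway.
# RFC 1918 private, RFC 6598 carrier-grade NAT, link-local, loopback,
# multicast and the "this network" block. (Assumed list for this example.)
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "0.0.0.0/8",
)]


@dataclass
class ExternalInterface:
    """One Firebox external interface as a record (constructed for this example)."""
    name: str
    address: str           # IPv4 address configured on the interface
    static: bool           # True if statically assigned, False for DHCP/PPPoE
    in_mgmt_server: bool   # True if this address appears in the managed device
                           # settings on the Management Server (assumed flag)


def is_public_ipv4(addr: ipaddress.IPv4Address) -> bool:
    """True if the address lies outside every known non-public range."""
    return not any(addr in net for net in NON_PUBLIC_NETWORKS)


def failover_pair_problems(interfaces):
    """Return the list of reasons these external interfaces cannot form a
    VPN Failover gateway pair; an empty list means all preconditions hold."""
    problems = []
    if len(interfaces) < 2:
        problems.append(
            "VPN Failover needs at least two external interfaces (multi-WAN)")
    for iface in interfaces:
        try:
            addr = ipaddress.IPv4Address(iface.address)
        except ValueError:
            problems.append(f"{iface.name}: {iface.address!r} is not a valid IPv4 address")
            continue  # the remaining checks need a parsed address
        if not iface.static:
            problems.append(f"{iface.name}: address is dynamically assigned, not static")
        if not is_public_ipv4(addr):
            problems.append(f"{iface.name}: {addr} is not a public address")
        if not iface.in_mgmt_server:
            problems.append(
                f"{iface.name}: address is not referenced in the managed device settings")
    return problems


def can_form_gateway_pair(interfaces) -> bool:
    """Convenience wrapper: True only when no precondition is violated."""
    return not failover_pair_problems(interfaces)


if __name__ == "__main__":
    # Constructed sample: a Firebox whose second WAN link uses a private,
    # DHCP-assigned address, so WSM could not pair it for failover.
    sample = [
        ExternalInterface("External-1", "203.0.113.10", static=True, in_mgmt_server=True),
        ExternalInterface("External-2", "192.168.1.5", static=False, in_mgmt_server=True),
    ]
    for problem in failover_pair_problems(sample):
        print("blocker:", problem)
```

Run it against the record set before creating managed tunnels on a multi-WAN Firebox; each reported blocker maps to one of the requirements in the text, so an empty result means WSM can build the gateway pair automatically.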

Global VPN Settings

Global VPN settings on your Firebox apply to all manual BOVPN tunnels, managed tunnels, and Mobile VPN tunnels. You can use these settings to:

  • Enable IPSec pass-through.
  • Clear or maintain the settings of packets with Type of Service (TOS) bits set.
  • Enable the use of non-default routes to determine if IPSec is used (BOVPN tunnels only).
  • Use an LDAP server to verify certificates.
  • Configure the Firebox to send a notification when a BOVPN tunnel is down (BOVPN tunnels only).

To change these settings, from Policy Manager, select VPN > VPN Settings. For more information on these settings, go to About Global VPN Settings.

BOVPN Tunnel Status

You can use Firebox System Manager to see the current status of BOVPN tunnels. This information also appears on the Device Status tab of WatchGuard System Manager. For more information, go to VPN Tunnel Status and Subscription Services.

Rekey BOVPN Tunnels

You can use Firebox System Manager to immediately generate new keys for BOVPN tunnels instead of waiting for them to expire. For more information, go to Rekey BOVPN Tunnels.

For more information about managed BOVPN tunnels, go to: