About Manual Branch Office VPN Tunnels

A VPN (Virtual Private Network) creates secure connections between computers or networks in different locations. Each connection is known as a tunnel. When a VPN tunnel is created, the two tunnel endpoints authenticate with each other. Data in the tunnel is encrypted so only the sender and the recipient of the traffic can read it.

A Branch Office Virtual Private Network (BOVPN) enables organizations to deliver secure, encrypted connectivity between geographically separated offices. The networks and hosts on a BOVPN tunnel can be corporate headquarters, branch offices, remote users, or telecommuters. These communications often contain the types of critical data exchanged inside a corporate firewall. In this scenario, a BOVPN provides confidential connections between these offices. This streamlines communication, reduces the cost of dedicated lines, and maintains security at each endpoint.

Manual BOVPN tunnels provide many additional tunnel options. Another type of tunnel is a managed BOVPN tunnel,which is a BOVPN tunnel that you can create between your centrally managed XTM devices in WatchGuard System Manager with a drag-and-drop procedure or a wizard. For information about this type of tunnel, see the WatchGuard System Manager Helpor User Guide.

What You Need to Create a VPN 

In addition to the VPN requirements, to create a manual VPN tunnel:

For more information, see What You Need to Create a Manual BOVPN.

We recommend that you write down your XTM device configuration and the related information for the other device. See the Sample VPN Address Information Table to record this information.

BOVPN Tunnel Configuration Options

There are two ways to configure a manual BOVPN tunnel. The method you choose determines how the XTM device decides whether to send traffic through the tunnel.

Configure a BOVPN Gateway and add BOVPN Tunnels

You can configure a BOVPN gateway and add one or more BOVPN tunnels that use that gateway. This option enables you to set up a BOVPN tunnel between two WatchGuard devices, or between a WatchGuard device and another device that uses the same gateway and tunnel settings. When you use this configuration method, the XTM device always routes a packet through the BOVPN tunnel if the source and destination of the packet match a configured BOVPN tunnel.

For information about how to configure the gateway and tunnel settings, see

Configure a BOVPN Virtual Interface

For a WatchGuard devices that use Fireware XTM v11.8 or higher, you can configure a BOVPN as a BOVPN virtual interface. When you use this configuration method, the XTM device routes a packet through the tunnel based on the outgoing interface for the packet. You can select a BOVPN virtual interface as a destination when you configure policies. The decision about whether the XTM device sends traffic through the VPN tunnel is affected by static and dynamic routes, and by policy-based routing.

For more information, see About BOVPN Virtual Interfaces.

One-Way Tunnels

If you want to create a VPN tunnel that allows information to flow in only one direction, you can configure the tunnel to use outgoing dynamic NAT. This can be helpful when you make a tunnel to a remote site where all VPN traffic comes from one public IP address. For more information, see Set Up Outgoing Dynamic NAT Through a Branch Office VPN Tunnel.

VPN Failover

VPN tunnels automatically fail over to the backup WAN interface during a WAN failover. You can configure BOVPN tunnels to fail over to a backup peer endpoint if the primary endpoint becomes unavailable. To do this, you must define at least one backup endpoint, as described in Configure VPN Failover.

Global VPN Settings

Global VPN settings on your XTM device apply to all manual BOVPN tunnels, BOVPN virtual interfaces, managed BOVPN tunnels, and Mobile VPN tunnels. You can use these settings to:

To change these settings, from Fireware XTM Web UI, select VPN > Global Settings. For more information on these settings, see About Global VPN Settings.

BOVPN Tunnel Status

To see the current status of BOVPN tunnels, in Fireware XTM Web UI, select System Status > VPN Statistics. For more information, see VPN Statistics.

Rekey BOVPN Tunnels

If you do not want to wait for your BOVPN tunnel keys to expire, you can use Fireware XTM Web UI to immediately generate new keys for BOVPN tunnels. For more information, see Rekey BOVPN Tunnels.

See Also

Use 1-to-1 NAT Through a Branch Office VPN Tunnel

e-Learning video — Branch Office VPN

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base