WatchGuard VPN Interoperability Fireware XTM to Fireware XTM

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to define a manual BOVPN tunnel.

This topic does not give detailed information about the different settings in the BOVPN dialog boxes or how they affect an existing tunnel. If you want to know more about a particular setting, see:

Collect IP Address and Tunnel Settings

To create a manual BOVPN tunnel, you must first collect the IP addresses and determine the settings for the endpoints. You might find it helpful to print out this document, write down or indicate the values you want to use, and refer to them when you configure the settings in Policy Manager.

For this topic, both endpoints must have static external IP addresses.

For information on BOVPN tunnels to devices with a dynamic external IP address, see Define Gateway Endpoints for a BOVPN Gateway.

If you are the administrator of only one of the two devices, you can give the table to the other administrator to make sure he or she uses exactly the same values for the Phase 1 and Phase 2 settings.

Make sure that you configure the VPN endpoints correctly and that the Phase 1 and Phase 2 settings are the same on both devices. Tunnels do not build if the settings do not match.

If a setting does not appear in this list, do not change the default value.

BOVPN Tunnel Settings

SITE A (XTM device with Fireware XTM v11.x)

Public IP address: ______________________________

Private IP address: _____________________________

SITE B (XTM device with Fireware XTM v11.x)

Public IP address: ______________________________

Private IP address: _____________________________

PHASE 1 Settings (Both Sides Must Use Exactly the Same Values)

For a BOVPN tunnel between two Firebox or XTM devices that use Fireware XTM, we recommend that you select Dead Peer Detection (RFC3706), not IKE Keep-Alive. Do not select both. You should always select Dead Peer Detection if both endpoint devices support it.

Credential method: Select Use Pre-Shared Key.

Mode (choose one): Main ____ Aggressive ____

Pre-shared key: ______________________________

NAT Traversal: Yes ____ No ____

NAT Traversal Keep-alive interval: ________________

IKE Keep-alive: Yes ____ No ____

IKE Keep-alive Message interval: ________________

IKE Keep-alive Max failures: ________________

Dead Peer Detection (RFC3706): Yes ____ No ____

Dead Peer Detection Traffic idle timeout: ________________

Dead Peer Detection Max retries: ________________

Authentication algorithm (choose one): SHA1____ MD5____

Encryption algorithm (choose one): DES____ 3DES____ AES-128____ AES-192____ AES-256____

SA Life ________________

Select Hours as the unit for SA life.

Diffie-Hellman Group (choose one): 1____ 2____ 5____

PHASE 2 Settings (Both Sides Must Use Exactly the Same Values)

Type: AH ____ ESP ____

Authentication algorithm (choose one): None____ MD5____ SHA1____

Encryption algorithm (choose one): DES____ 3DES____ AES-128____ AES-192____ AES-256____

Force Key Expiration (choose one): Enable____ Disable____

Perfect Forward Secrecy (Diffie-Hellman Group): Disable____ Group1____ Group2____ Group5____

Phase 2 Key Expiration (Hours) ________________

Phase 2 Key Expiration (kilobytes) ________________

Example Tunnel Settings

This page has the same fields as the previous page, and includes example settings. These settings correspond to the settings that appear in the images in this example.

SITE A (XTM device with Fireware XTM v11.x)

Public IP address: 203.0.113.2

Private network IP address: 10.0.1.0/24

SITE B (XTM device with Fireware XTM v11.x)

Public IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24

PHASE 1 Settings (Both sides must use exactly the same values)

Credential method: Select Use Pre-Shared Key.

Mode (choose one): Main

Pre-shared key: SiteA2SiteB

NAT Traversal: Yes

NAT Traversal Keep-alive interval: 20 seconds

IKE Keep-alive: No

IKE Keep-alive Message interval: none

IKE Keep-alive Max failures: none

Dead Peer Detection (RFC3706): Yes

Dead Peer Detection Traffic idle timeout: 20 seconds

Dead Peer Detection Max retries: 5

Authentication algorithm (choose one): SHA1

Encryption algorithm (choose one): 3DES

SA Life: 8

Select Hours as the unit for SA life.

Diffie-Hellman Group (choose one): 2

PHASE 2 Settings (Both sides must use exactly the same values)

Type: ESP

Authentication algorithm (choose one): SHA1

Encryption algorithm (choose one): AES (256 bit)

Force Key Expiration (choose one): Enable

Perfect Forward Secrecy (Diffie-Hellman Group): Disable

Phase 2 Key Expiration (Hours): 8

Phase 2 Key Expiration (kilobytes): 128000

If you use WSM v11.x, the example Phase 1 and Phase 2 settings match the default settings. They also match the default settings for WSM v10.2.2 and later, and Edge v10.2.2 and later.
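The matching rules the worksheet and example above state (identical Phase 1 and Phase 2 values on both devices, Dead Peer Detection or IKE Keep-alive but not both, Main mode only with static IP addresses on both ends, an ASCII-only pre-shared key) can be checked before anyone clicks through Policy Manager. The following is an added example, not WatchGuard's code: the dictionary key names are hypothetical, and the sample input is constructed from the example values given in this topic.

```python
# Added example, not WatchGuard code: checks the BOVPN worksheet values of two
# Fireware XTM peers against the rules this topic states (Phase 1 and Phase 2 must
# match, not both DPD and IKE Keep-alive, Main mode needs static IPs, ASCII key).
from dataclasses import dataclass

PHASE1_KEYS = ("mode", "pre_shared_key", "nat_traversal", "ike_keepalive",
               "dpd", "auth", "encryption", "sa_life_hours", "dh_group")
PHASE2_KEYS = ("type", "auth", "encryption", "force_key_expiration",
               "pfs_group", "expiration_hours", "expiration_kbytes")

@dataclass
class Endpoint:
    name: str
    static_ip: bool  # False means the external IP address is dynamic
    phase1: dict
    phase2: dict

def check_pair(a: Endpoint, b: Endpoint) -> list:
    problems = []  # empty list means the two worksheets agree
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        sa, sb = getattr(a, phase), getattr(b, phase)
        for key in keys:
            if sa.get(key) == sb.get(key):
                continue
            if key == "pre_shared_key":  # report the mismatch without echoing the secret
                problems.append("phase1.pre_shared_key differs between endpoints")
            else:
                problems.append(f"{phase}.{key}: {a.name}={sa.get(key)!r}, "
                                f"{b.name}={sb.get(key)!r}")
    for ep in (a, b):
        if ep.phase1.get("dpd") and ep.phase1.get("ike_keepalive"):
            problems.append(f"{ep.name}: select Dead Peer Detection or IKE Keep-alive, not both")
        if not str(ep.phase1.get("pre_shared_key", "")).isascii():
            problems.append(f"{ep.name}: pre-shared key must use only standard ASCII characters")
    if a.phase1.get("mode") == "Main" and not (a.static_ip and b.static_ip):
        problems.append("phase1.mode: Main mode requires static IP addresses on both endpoints")
    return problems

# Constructed sample input: the example values given in this topic.
SITE_A_P1 = {"mode": "Main", "pre_shared_key": "SiteA2SiteB", "nat_traversal": True,
             "ike_keepalive": False, "dpd": True, "auth": "SHA1", "encryption": "3DES",
             "sa_life_hours": 8, "dh_group": 2}
SITE_A_P2 = {"type": "ESP", "auth": "SHA1", "encryption": "AES-256",
             "force_key_expiration": True, "pfs_group": None,
             "expiration_hours": 8, "expiration_kbytes": 128000}
SITE_A = Endpoint("Site A (203.0.113.2)", True, SITE_A_P1, SITE_A_P2)
SITE_B = Endpoint("Site B (198.51.100.2)", True, dict(SITE_A_P1), dict(SITE_A_P2))
# Second constructed case: Site B's Phase 2 encryption was typed as AES-128.
SITE_B_BAD = Endpoint("Site B (198.51.100.2)", True, dict(SITE_A_P1),
                      {**SITE_A_P2, "encryption": "AES-128"})

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B))      # []
    print(check_pair(SITE_A, SITE_B_BAD))  # ['phase2.encryption: ...']
```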

Configure Site A, Fireware XTM v11.x

You now configure the gateway at Site A, which has an XTM device with Fireware XTM v11.x. A gateway is a connection point for one or more tunnels. To configure a gateway, you specify:

To add a VPN Gateway:

  1. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears, with the Gateways list at the top.
  2. To add a gateway, adjacent to the Gateways list, click Add.
    The Gateway settings page appears.

Screen shot of the Gateway settings page

  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  4. Select the General Settings tab.
  5. In the Credential Method section, select Use Pre-Shared Key. Type the shared key.
    The shared key must use only standard ASCII characters.
  6. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box for gateway to Site B

  7. In the Local Gateway section, select By IP Address.
  8. In the By IP Address text box, type the external (public) IP address for the Site A XTM device.
  9. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Site A XTM device.
  10. In the Remote Gateway section, select Static IP Address.
  11. In the Static IP Address text box, type the external (public) IP address of the Site B XTM device.
  12. Select By IP Address.
  13. In the By IP Address text box, type the external (public) IP address of the Site B XTM device.
  14. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined appears in the Gateway Endpoints list.

Screen shot of the Gateway General Settings tab with Endpoints

Configure the Phase 1 Settings

In Phase 1 of the IPSec connection, the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).

  1. Select the Phase 1 Settings tab.

Screen shot of the Phase 1 Settings tab

  2. From the Mode drop-down list, select Main or Aggressive. Make sure you choose the same setting you selected in the BOVPN Tunnel Settings at the top of this topic.
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode.
  3. Select NAT Traversal, IKE Keep-alive, or Dead Peer Detection (RFC3706). Make sure you select the same values you chose in the BOVPN Tunnel Settings.

For a BOVPN tunnel between an XTM device and a Firebox that uses Fireware v10.2.2 or higher, we recommend you select NAT Traversal and Dead Peer Detection.

  4. In the Transform Settings section, select the default transform and click Edit.

Screen shot of the Transform Settings dialog box

  5. From the Authentication and Encryption drop-down lists, select the methods you chose in the BOVPN Tunnel Settings.
  6. In the SA Life text box, type the setting that you chose in the BOVPN Tunnel Settings. In the drop-down list, select Hours.
  7. In the Key Group drop-down list, select a Diffie-Hellman group.
  8. Click OK. Keep the default values for all other Phase 1 settings.
  9. Click Save to close the Gateway page.
    The gateway you added appears on the Branch Office VPN page in the Gateways list.

Screen shot of the BOVPN settings page

Add a VPN Tunnel

After you define gateways, you can make tunnels between them. When you make a tunnel you must specify:

To add a VPN tunnel:

  1. Adjacent to the Tunnels list, click Add.
    The Tunnel configuration page appears.

Screen shot of the Tunnel settings page

  2. In the Tunnel Name text box, type a name for the tunnel.
  3. In the Gateway drop-down list, select the gateway you created.
  4. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, on the Addresses tab, select the Add this tunnel to the BOVPN-Allow policies check box.

These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel.

  5. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  6. In the Local IP section, from the Choose Type drop-down list, select the type of local address.
  7. In the Network IP text box, type the local (private) network address.
    This is the Site A private network IP address.
  8. In the Remote IP section, in the Choose Type drop-down list, select the type of remote address.
  9. In the Network IP text box, type the remote (private) network address.
    This is the Site B private network address.
  10. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  11. Click OK.
    The tunnel route appears on the Tunnel settings page in the Addresses section.

Screen shot of the Tunnel settings page with addresses

Configure the Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the XTM device to know what to do with the traffic between the endpoints.

  1. On the Tunnel settings page, select the Phase 2 Settings tab.

Screen shot of the Phase 2 settings tab

  2. To enable Perfect Forward Secrecy (PFS), select the PFS check box.
  3. If you enable PFS, in the PFS drop-down list, select the correct Diffie-Hellman Group.
  4. The XTM device contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA1 authentication. For this example, we use the default proposal. You can either:
  5. Click Save.
    The Tunnel you created appears on the BOVPN page in the Tunnels list.

The XTM device at Site A is now configured.

Configure Site B, Fireware XTM v11.x

You now configure the gateway at Site B that has an XTM device with Fireware v11.x.

To add a VPN Gateway:

  1. Select VPN > Branch Office VPN.
    The BOVPN configuration page appears, with the Gateways list at the top.
  2. To add a gateway, click Add.
    The Gateway settings page appears.

Screen shot of the Gateway General Settings tab

  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  4. Select the General Settings tab.
  5. In the Credential Method section, select Use Pre-Shared Key. Type the shared key.
    The shared key must use only standard ASCII characters.
  6. In the Gateway Endpoint section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box

  7. In the Local Gateway tab, select By IP Address.
  8. In the By IP Address text box, type the external (public) IP address for the Site A XTM device.
  9. From the External Interface drop-down list, select the interface that has the external (public) IP of the Site A XTM device.
  10. In the Remote Gateway tab, select Static IP Address.
  11. In the Static IP Address text box, type the external (public) IP address of the Site B XTM device.
  12. Select By IP Address.
  13. In the Static IP Address text box, type the external (public) IP address of the Site B XTM device.
  14. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined appears in the list of gateway endpoints.

Screen shot of the Gateway General Settings with gateway endpoints defined

Configure the Phase 1 Settings

In Phase 1 of the IPSec connection, the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).

  1. Select the Phase 1 Settings tab.

Screen shot of the Gateway Phase 1 Settings tab

  2. From the Mode drop-down list, select Main or Aggressive. Make sure you choose the same setting you selected in the BOVPN Tunnel Settings at the top of this topic.
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode.
  3. Select NAT Traversal, IKE Keep-alive, or Dead Peer Detection (RFC3706). Make sure you select the same values you chose in the BOVPN Tunnel Settings.
  4. In the Transform Settings section, select the default transform and click Edit.
    The Transform Settings dialog box appears.

Screen shot of the Transform Settings dialog box

  5. From the Authentication and Encryption drop-down lists, select the methods you chose for the BOVPN Tunnel Settings.
  6. In the SA Life text box, type the setting that you chose for the BOVPN Tunnel Settings. In the drop-down list, select Hours.
  7. In the Key Group drop-down list, select a Diffie-Hellman group.
  8. Click OK. Keep the default values for all other Phase 1 settings.
  9. Click Save to close the Gateway page.
    The gateway you added appears in the Gateways list on the BOVPN page.

Screen shot of the BOVPN Gateways page with gateway added

Add a VPN Tunnel

  1. Adjacent to the Tunnels list, click Add.
    The Tunnel configuration page appears.

Screen shot of the Tunnel Settings for Site B

  2. In the Tunnel Name text box, type a name for the tunnel.
  3. From the Gateway drop-down list, select the gateway you just created.
  4. Select the Addresses tab.
  5. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, select the Add this tunnel to the BOVPN-Allow policies check box.

These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel.

  6. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  7. In the Local IP section, in the Choose Type drop-down list, select the type of local address.
  8. In the Network IP text box, type the local (private) network address.
    This is the Site B private network IP address.
  9. In the Remote IP section, in the Choose Type drop-down list, select the type of remote address.
  10. In the Network IP text box, type the remote (private) network address.
    This is the Site A private network address.
  11. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  12. Click OK.
    The tunnel route appears in the Addresses section of the Tunnel settings page.

Screen shot of the Tunnel settings page

Configure the Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the XTM device to know what it should do with the traffic between the endpoints.

  1. On the Tunnel settings page, select the Phase 2 Settings tab.

Screen shot of the Tunnel Phase 2 Settings

  2. To enable Perfect Forward Secrecy (PFS), select the PFS check box.
  3. If you enable PFS, from the PFS drop-down list, select the correct Diffie-Hellman Group.
  4. The XTM device has one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES encryption, and SHA1 authentication. For this example, we use the default proposal. You can either:
  5. Click Save.
    The tunnel you created appears on the BOVPN page in the Tunnels list.

The XTM device at Site B is now configured.

After both ends of the tunnel are configured, the tunnel opens and traffic passes through the tunnel. If the tunnel does not work, examine the log files on both XTM devices for the time period you tried to start the tunnel. Log messages appear in the log file to indicate where the failure is located in the configuration and which settings might be part of the problem. You can also review the log messages in real-time with Firebox System Manager.
