What You Need to Create a Manual BOVPN
Before you configure a branch office VPN network on your XTM device, read these requirements:
- You must have two XTM devices, or one XTM device and a second device that uses IPSec standards. You must enable the VPN option on the other device if it is not already active.
- The two devices must each have an external interface with a connection to the Internet.
- The ISP for each VPN device must allow IPSec traffic on its network.
  Some ISPs do not let you create VPN tunnels on their networks unless you upgrade your Internet service to a level that supports VPN tunnels. Speak with a representative from each ISP to make sure these ports and protocols are allowed:
  - UDP Port 500 (Internet Key Exchange or IKE)
  - UDP Port 4500 (NAT traversal)
  - IP Protocol 50 (Encapsulating Security Payload or ESP)
- If the other side of the VPN tunnel is an XTM device and each device is under management, you can use the Managed VPN option. Managed VPN is easier to configure than Manual VPN. To use this option, you must get information from the administrator of the XTM device on the other side of the VPN tunnel.
- You must know whether the IP address assigned to the external interface of your XTM device is static or dynamic.
  For more information about IP addresses, see About IP Addresses.
- Your XTM device model tells you the maximum number of VPN tunnels that you can create. If your XTM device model can be upgraded, you can purchase a model upgrade that increases the maximum number of supported VPN tunnels.
- If you connect two Microsoft Windows NT networks, they must be in the same Microsoft Windows domain, or they must be trusted domains. This is a Microsoft Networking issue, and not a limitation of the XTM device.
- If you want to use the DNS and WINS servers from the network on the other side of the VPN tunnel, you must know the IP addresses of these servers.
  The XTM device can give WINS and DNS IP addresses to the computers on its trusted network if those computers get their IP addresses from the XTM device with DHCP.
  - If you want to give the computers the IP addresses of WINS and DNS servers on the other side of the VPN, you can type those addresses into the DHCP settings in the trusted network setup.
  For information on how to configure the XTM device to distribute IP addresses with DHCP, see Configure IPv4 DHCP in Mixed Routing Mode.
- You must know the network address of the private (trusted) networks behind your XTM device and of the network behind the other VPN device, and their subnet masks.
- To configure a BOVPN virtual interface, both endpoints must be WatchGuard devices that use Fireware XTM v11.8 or higher. For more information, see About BOVPN Virtual Interfaces.
The private IP addresses of the computers behind your XTM device cannot be the same as the IP addresses of the computers on the other side of the VPN tunnel. If your trusted network uses the same IP addresses as the office to which it will create a VPN tunnel, then your network or the other network must change their IP address arrangement to prevent IP address conflicts.
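The two checks above that are easiest to get wrong before a tunnel is built are the ISP port and protocol list (UDP 500, UDP 4500, IP protocol 50) and overlapping private networks on the two sides. The following script is an added example, not WatchGuard code or part of the original page: it takes the subnet lists for both sides, the local external address, and the set of ports/protocols the ISP has confirmed, and reports every prerequisite that is not met. It goes slightly beyond the page by flagging an external interface that carries an RFC 1918 or CGNAT address, since that means the device sits behind NAT and the UDP 4500 NAT-traversal entry becomes mandatory rather than optional. All sample networks and addresses are constructed.

```python
import ipaddress

# Ports and protocols the ISP must allow for an IPSec BOVPN (from the checklist above).
REQUIRED_TRAFFIC = (
    ("udp", 500, "IKE (UDP 500)"),
    ("udp", 4500, "NAT traversal (UDP 4500)"),
    ("ip", 50, "ESP (IP protocol 50)"),
)

# Address ranges that indicate the 'external' interface is actually behind NAT
# (RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range).
NAT_RANGES = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
)


def find_overlaps(local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges overlap.

    Any overlap means one side must renumber before the tunnel can route traffic.
    """
    conflicts = []
    for local in local_nets:
        local_net = ipaddress.ip_network(local, strict=False)
        for remote in remote_nets:
            remote_net = ipaddress.ip_network(remote, strict=False)
            if local_net.overlaps(remote_net):
                conflicts.append((str(local_net), str(remote_net)))
    return conflicts


def behind_nat(external_addr):
    """True when the external interface address is in a private or CGNAT range."""
    addr = ipaddress.ip_address(external_addr)
    return any(addr in net for net in NAT_RANGES)


def missing_traffic(allowed):
    """List the required traffic types the ISP has not confirmed.

    `allowed` is a set of (protocol, number) tuples, e.g. {("udp", 500), ("ip", 50)}.
    """
    return [name for proto, num, name in REQUIRED_TRAFFIC if (proto, num) not in allowed]


def check_prerequisites(local_nets, remote_nets, local_external, allowed):
    """Collect every unmet prerequisite as a human-readable string."""
    problems = []
    for local_net, remote_net in find_overlaps(local_nets, remote_nets):
        problems.append(f"address overlap: local {local_net} and remote {remote_net}")
    if behind_nat(local_external):
        problems.append(
            f"external address {local_external} is private; device is behind NAT, "
            "so UDP 4500 (NAT traversal) must be allowed"
        )
    for name in missing_traffic(allowed):
        problems.append(f"ISP has not confirmed {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the local site's second subnet collides with the remote /16,
    # and the ISP has only confirmed IKE and ESP so far.
    local = ["192.168.10.0/24", "10.0.1.0/24"]
    remote = ["10.0.0.0/16", "172.16.0.0/12"]
    confirmed = {("udp", 500), ("ip", 50)}
    for problem in check_prerequisites(local, remote, "192.168.1.2", confirmed):
        print("-", problem)
```

Run it with each office's subnet list before opening a ticket with the ISP; an empty result from `check_prerequisites` means the addressing and ISP items on the checklist are satisfied, and the remaining items (VPN option enabled on the peer, tunnel count for your model, DNS/WINS addresses) still have to be confirmed by hand.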