Use a Branch Office VPN for Failover from a Leased Line (BGP)

This topic provides an example of how to configure failover from a leased line that uses BGP to a branch office VPN. For an overview of how failover to a branch office VPN works, see Configure a Branch Office VPN for Failover from a Leased Line.

In this example, an organization has a private leased line that connects WatchGuard XTM devices at two office locations. The leased line is connected to a trusted XTM device interface at each site. The network administrator wants to configure a branch office VPN connection between the two offices that can be used for failover if the leased line connection becomes unavailable. While the leased line is up, traffic between the two trusted networks is routed over it without IPSec protection; only the failover path through the branch office VPN is encrypted.

This diagram shows the configuration settings that apply to each site for this example.

Network failover diagram

Example Network Configuration

For this example, the two offices use these IP addresses.

                                                    Main Office XTM Device   Regional Office XTM Device
External interface IP address                       203.0.113.2/24           198.51.100.2/24
Default gateway IP address                          203.0.113.1              198.51.100.1
Trusted interface connected to the trusted network  10.0.1.1/24              10.50.1.1/24
Trusted network IP address                          10.0.1.0/24              10.50.1.0/24
Trusted interface connected to the leased line      192.168.100.1/30         192.168.100.2/30

Configure Dynamic Routing at the Main Office

To use the branch office VPN connection for failover, you must enable dynamic routing on the XTM device at each site. You can use any supported dynamic routing protocol (RIP v1, RIP v2, OSPF, or BGP v4). For this example, we use BGP.

To enable dynamic routing:

  1. In the Web UI, select Network > Dynamic Routing.
    The Dynamic Routing Setup page appears.
  2. Select the Enable Dynamic Routing check box.
  3. Select the BGP tab.
  4. Select the Enable check box.
  5. In the BGP tab text box, paste the text of your routing daemon configuration file.

For the main office, the BGP routing daemon configuration file contains this text. Both devices use the same AS number, so this is an iBGP peering across the leased line. Note that AS 65535 is a reserved number (RFC 7300); for a production deployment, use a number from the private range 64512 to 65534 on both devices.

router bgp 65535
network 10.0.1.0/24
neighbor 192.168.100.2 remote-as 65535

Screen shot of the Dynamic Routing Setup page, BGP tab

Configure Dynamic Routing at the Regional Office

To enable dynamic routing with BGP on the XTM device at the regional office, repeat the steps in the previous section. Keep in mind that the route learned over the leased line is withdrawn only when the BGP session to the peer goes down. If the leased-line interface stays up but stops passing traffic, that happens when the BGP hold timer expires, so failover to the VPN is not instantaneous.

For the regional office, the BGP routing daemon configuration file contains this text: 

router bgp 65535
network 10.50.1.0/24
neighbor 192.168.100.1 remote-as 65535

Screen shot of the Dynamic Routing Setup page, BGP tab
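
Before you paste the two texts into the BGP tabs, it is worth checking that they agree with each other and with the tunnel routes you configure in the next sections: each device must peer with the other device's leased-line address, the remote-as must match the peer's AS, and each device must advertise the prefix its tunnel route covers, or part of that traffic would never use the leased line. The following script is an added example written for this page, not WatchGuard code. It parses only the three statement types used above (router bgp, network, neighbor ... remote-as) and assumes the addresses from the Example Network Configuration table; the faulty variant at the end is constructed to show what a mismatch looks like.

```python
"""Cross-check the BGP text pasted at each site against the site plan.

Added example, not WatchGuard code. It parses the subset of router-bgp
syntax used on this page (router bgp, network, neighbor ... remote-as) and
confirms that the two devices form a consistent peer pair over the leased
line and that each side advertises the prefix its tunnel route covers.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class BgpConfig:
    local_as: int
    networks: list = field(default_factory=list)   # advertised IPv4 prefixes
    neighbors: dict = field(default_factory=dict)  # peer address -> remote AS


@dataclass
class Site:
    name: str
    leased_line: ipaddress.IPv4Interface   # address on the leased-line interface
    trusted_net: ipaddress.IPv4Network     # Local IP of this site's tunnel route
    bgp: BgpConfig


def parse_bgp(text):
    """Parse the routing daemon text; unknown statements are rejected, not skipped."""
    cfg = None
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()   # '!' begins a comment in this syntax
        if not line:
            continue
        if m := re.fullmatch(r"router bgp (\d+)", line):
            cfg = BgpConfig(local_as=int(m.group(1)))
        elif cfg is None:
            raise ValueError(f"statement before 'router bgp': {line!r}")
        elif m := re.fullmatch(r"network (\S+)", line):
            cfg.networks.append(ipaddress.ip_network(m.group(1)))   # strict: host bits must be zero
        elif m := re.fullmatch(r"neighbor (\S+) remote-as (\d+)", line):
            cfg.neighbors[ipaddress.ip_address(m.group(1))] = int(m.group(2))
        else:
            raise ValueError(f"unrecognised statement: {line!r}")
    if cfg is None:
        raise ValueError("no 'router bgp' statement found")
    return cfg


def check_pair(a, b):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    if a.leased_line.network != b.leased_line.network:
        problems.append("leased-line interfaces are not in the same subnet")
    for local, peer in ((a, b), (b, a)):
        remote_as = local.bgp.neighbors.get(peer.leased_line.ip)
        if remote_as is None:
            problems.append(f"{local.name}: no neighbor statement for {peer.leased_line.ip}")
        elif remote_as != peer.bgp.local_as:
            problems.append(f"{local.name}: remote-as {remote_as} does not match "
                            f"{peer.name} AS {peer.bgp.local_as}")
        # Failover only works for destinations the BGP route covers: any part of
        # the tunnel route not advertised here would always take the VPN.
        if not any(local.trusted_net.subnet_of(n) for n in local.bgp.networks):
            problems.append(f"{local.name}: tunnel route prefix {local.trusted_net} "
                            "is not covered by an advertised network")
    return problems


# The two configuration texts from this page.
MAIN_BGP = """\
router bgp 65535
network 10.0.1.0/24
neighbor 192.168.100.2 remote-as 65535
"""
REGIONAL_BGP = """\
router bgp 65535
network 10.50.1.0/24
neighbor 192.168.100.1 remote-as 65535
"""
# Constructed faulty variant: wrong peer address and a prefix narrower than the tunnel route.
BAD_REGIONAL_BGP = """\
router bgp 65535
network 10.50.1.0/25
neighbor 192.168.100.5 remote-as 65535
"""


def site(name, leased_line, trusted_net, text):
    return Site(name, ipaddress.ip_interface(leased_line),
                ipaddress.ip_network(trusted_net), parse_bgp(text))


MAIN = site("main office", "192.168.100.1/30", "10.0.1.0/24", MAIN_BGP)
REGIONAL = site("regional office", "192.168.100.2/30", "10.50.1.0/24", REGIONAL_BGP)
BAD_REGIONAL = site("regional office", "192.168.100.2/30", "10.50.1.0/24", BAD_REGIONAL_BGP)

if __name__ == "__main__":
    print("page configs:", check_pair(MAIN, REGIONAL) or "consistent")
    print("faulty variant:", check_pair(MAIN, BAD_REGIONAL))
```

The parser deliberately raises on anything it does not recognise rather than skipping it, so a typo in a pasted statement surfaces before the device silently ignores it.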

Configure the VPN at the Main Office

For this example, we use the default Phase 1 and Phase 2 settings.

At the Main Office, Configure the VPN Gateway to the Regional Office

  1. Select VPN > Branch Office VPN.
  2. Adjacent to the Gateways list, click Add.
    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify the gateway.
    For this example, type MO-RO-GWY.
  4. Select Use Pre-Shared Key. Type a shared key to use on both devices. Use a long, randomly generated key; the same key must be entered on both devices.
  5. In the Gateway Endpoints section, click Add.
    The Gateway Endpoint Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  1. In the Local Gateway tab, in the By IP Address text box, type the External interface IP address for the XTM device at the main office, 203.0.113.2.
  2. Select the Remote Gateway tab.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  1. In the Remote Gateway section, for the remote gateway IP address, type the External interface IP address for the XTM device at the regional office, 198.51.100.2.
  2. In the Remote Gateway section, for the gateway ID, type the External interface IP address for the XTM device at the regional office, 198.51.100.2.
  3. Click OK.
    The Gateway Endpoints you added appear in the New Gateway dialog box.
  4. Click Save.

At the Main Office, Configure the VPN Tunnel to the Regional Office

  1. Select VPN > Branch Office Tunnels.
  2. Click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name for the tunnel.
  4. From the Gateway drop-down list, select the gateway you just added.
    For this example, select MO-RO-GWY.
  5. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings page

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the IP address of the trusted network at the main office, 10.0.1.0/24.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the IP address of the trusted network at the regional office, 10.50.1.0/24.
  5. Click OK.
    The tunnel route appears in the New Tunnel dialog box.

At the Main Office, Configure Global VPN Settings to Enable Failover

  1. Select VPN > Global Settings.
    The Global VPN Settings dialog box appears.

Screen shot of the Global VPN Settings page

  1. Select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
    With this setting, traffic that matches a non-default route (here, the BGP route learned over the leased line) is sent over that route instead of through the tunnel. The tunnel is used only when no such route exists, which is what happens when the leased line fails and BGP withdraws the route.
  2. Click Save.
  3. Save the configuration to the device.

Configure the VPN at the Regional Office

Configure the VPN at the regional office with settings that correspond to the settings at the main office.

At the Regional Office, Configure the VPN Gateway to the Main Office

  1. Select VPN > Branch Office VPN.
  2. Adjacent to the Gateways list, click Add.
    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify the gateway.
    For this example, type RO-MO-GWY.
  4. Select Use Pre-Shared Key. Type the same shared key that you used at the main office.
  5. In the Gateway Endpoints section, click Add.
    The Gateway Endpoint Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box, Local Gateway tab

  1. In the Local Gateway tab, in the By IP Address text box, type the External interface IP address for the XTM device at the regional office, 198.51.100.2.
  2. Select the Remote Gateway tab.

Screen shot of the Gateway Endpoint Settings dialog box, Remote Gateway tab

  1. In the Remote Gateway tab, for the remote gateway IP address, type the External interface IP address for the XTM device at the main office, 203.0.113.2.
  2. In the Remote Gateway section, for the gateway ID, type the External interface IP address for the XTM device at the main office, 203.0.113.2.
  3. Click OK.
    The Gateway Endpoints you added appear in the New Gateway dialog box.
  4. Click Save.

At the Regional Office, Configure the VPN Tunnel to the Main Office

  1. Select VPN > Branch Office Tunnels.
  2. Click Add.
    The New Tunnel dialog box appears.
  3. In the Tunnel Name text box, type a name for the tunnel.
  4. From the Gateway drop-down list, select the gateway you just added.
    For this example, select RO-MO-GWY.
  5. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings page

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the IP address of the trusted network at the regional office, 10.50.1.0/24.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the IP address of the trusted network at the main office, 10.0.1.0/24.
  5. Click OK.
    The tunnel route appears in the New Tunnel dialog box.

At the Regional Office, Configure Global VPN Settings to Enable Failover

  1. Select VPN > Global Settings.
    The Global VPN Settings dialog box appears.

Screen shot of the Global VPN Settings page

  1. Select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.
  2. Click Save.
  3. Save the configuration to your XTM device.
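
After both devices are configured, verify the failover behaviour rather than assuming it: with the leased line up, traffic between 10.0.1.0/24 and 10.50.1.0/24 should leave the main office via the leased-line interface in the clear, and with the BGP route gone it should leave through the IPSec tunnel. The following script is an added example written for this page, not WatchGuard code. It models the documented effect of the global VPN check box as a longest-prefix-match route lookup followed by a tunnel-route check, using the addresses from the example network; the routing table entries themselves are constructed for the example, and the model ignores policy and NAT processing on the real device.

```python
"""Model of the failover decision made at the main office Firebox.

Added example, not WatchGuard code. It models the documented effect of the
global VPN setting 'Enable the use of non-default (static or dynamic) routes
to determine if IPSec is used' as a longest-prefix-match lookup followed by
a tunnel-route check. Addresses come from the page's example network; the
routing table entries are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # egress description for the example
    source: str   # connected, default or bgp


@dataclass(frozen=True)
class Decision:
    egress: str
    encrypted: bool


DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routes the main office device always has: connected interfaces and the
# default route via the external gateway 203.0.113.1.
BASE_ROUTES = (
    Route(ipaddress.ip_network("10.0.1.0/24"), "trusted interface", "connected"),
    Route(ipaddress.ip_network("192.168.100.0/30"), "leased-line interface", "connected"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "external interface", "connected"),
    Route(DEFAULT, "default gateway 203.0.113.1", "default"),
)

# Route learned from the regional office over the leased line. It is present
# while the BGP session is up and disappears when the session goes down.
BGP_ROUTE = Route(ipaddress.ip_network("10.50.1.0/24"), "leased line via 192.168.100.2", "bgp")

# Tunnel route configured at the main office (Local IP / Remote IP).
TUNNEL_LOCAL = ipaddress.ip_network("10.0.1.0/24")
TUNNEL_REMOTE = ipaddress.ip_network("10.50.1.0/24")
TUNNEL_EGRESS = "IPSec tunnel to 198.51.100.2"


def lookup(routes, dst):
    """Longest-prefix match. The default route only wins when nothing else matches."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def decide(routes, src, dst, routes_decide_ipsec):
    """Return where a packet src->dst is sent and whether IPSec protects it.

    routes_decide_ipsec mirrors the global VPN check box. When it is off, any
    packet matching the tunnel route is always encrypted, so the leased line
    is never used for that traffic. When it is on, a non-default route that
    matches the destination wins and the packet is forwarded in the clear;
    the tunnel is used only when the destination falls back to the default route.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    route = lookup(routes, dst)
    in_tunnel_route = src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE
    if in_tunnel_route and (not routes_decide_ipsec or route.prefix == DEFAULT):
        return Decision(TUNNEL_EGRESS, True)
    return Decision(route.via, False)


def failover_demo():
    """Walk the four states a practitioner should verify after configuration."""
    leased_up = BASE_ROUTES + (BGP_ROUTE,)
    leased_down = BASE_ROUTES
    return {
        "line up, option on": decide(leased_up, "10.0.1.20", "10.50.1.20", True),
        "line down, option on": decide(leased_down, "10.0.1.20", "10.50.1.20", True),
        "line up, option off": decide(leased_up, "10.0.1.20", "10.50.1.20", False),
        "internet, line down": decide(leased_down, "10.0.1.20", "192.0.2.10", True),
    }


if __name__ == "__main__":
    for state, d in failover_demo().items():
        print(f"{state:22} -> {d.egress} (encrypted={d.encrypted})")
```

The third state is the one to remember: with the check box cleared, the tunnel route always wins and the leased line carries no inter-office traffic at all, so the setting is required at both sites for the leased line to be the primary path.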

For more information about how to configure BGP, see Configure IPv4 and IPv6 Routing with BGP.

See Also

Configure a Branch Office VPN for Failover from a Leased Line

Use a Branch Office VPN for Failover from a Leased Line (OSPF)
