Set up an Office-to-Office WatchGuard VPN

In the example below we set up a branch office VPN (BOVPN) between two offices.

Step 1: Create VPN Gateway

1. Click VPN from the Menu Bar

2. Click Branch Office Gateway

3. Click Add

4. Type a Gateway Name (e.g. Gateway to RemoteOffice)

5. Enter the Pre-shared key

6. Underneath Gateway Endpoints, click Add

7. Under Local Gateway, enter the Public IP Address of the External Interface

8. Select the correct External Interface (if you have more than one)

9. Under Remote Gateway, enter the Public IP address of the firewall on the remote site, and enter the same IP address under the Gateway ID

10. Then click OK

11. Select the Phase 1 Settings tab

12. Set Mode to Main

13. Uncheck NAT Traversal and IKE Keep-alive, and select Dead Peer Detection

14. Under Transform Settings, select SHA1-DES and click Edit

15. Set SA Life to 24 hours

16. Click OK

17. Click OK

18. Click Close

Step 2: Create VPN Tunnel

1. Click VPN from the Menu Bar and select Branch Office Tunnels

2. Click Add

3. Type a Tunnel Name (e.g. Tunnel to Remote Office)

4. On the Addresses tab, click Add

5. Local > Enter the Network IP of the local network

6. Remote > Enter the Network IP of the remote network

7. Click OK

8. Click on the Phase 2 Settings tab

9. Select the IPSec Proposal listed and click Remove

10. Click Add

11. Select Create a new Proposal and match the settings shown below. Note: I would actually choose 128-bit encryption, as 256-bit creates a fair bit of overhead.

12. Click OK

13. Click OK

14. Click Close

The VPN is now configured.

Step 3: Configure VPN Failover (optional)

To configure manual BOVPN tunnels to fail over to a backup endpoint, you must define more than one set of local and remote endpoints (gateway pairs) for each gateway.

For complete failover functionality for a VPN configuration, you must define gateway pairs for each combination of external interfaces on each side of the tunnel. For example, suppose your primary local endpoint is 23.23.1.1/24 with a backup of 23.23.2.1/24. Your primary remote endpoint is 50.50.1.1/24 with a backup of 50.50.2.1/24. For complete VPN Failover, you would need to define these four gateway pairs:

23.23.1.1 – 50.50.1.1

23.23.1.1 – 50.50.2.1

23.23.2.1 – 50.50.1.1

23.23.2.1 – 50.50.2.1

1. Select VPN > Branch Office Gateways. Click Add to add a new gateway. Give the gateway a name and define the credential method, as described in Configure Gateways.

2. In the Gateway Endpoints section of the New Gateway dialog box, click Add.

3. Specify the location of the local and remote gateways. Select the external interface name that matches the local gateway IP address or domain name you add.

You can add both a gateway IP address and a gateway ID for the remote gateway. This can be necessary if the remote gateway is behind a NAT device and requires more information to authenticate to the network behind the NAT device.

4. Click OK to close the New Gateway Endpoints Settings dialog box.

The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints.

5. Repeat this procedure to define additional gateway pairs. You can add up to nine gateway pairs. You can select a pair and click Up or Down to change the order in which the Firebox or XTM device attempts connections.

6. Click OK.
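As an added example (not from the original guide or from WatchGuard), the Python below enumerates the gateway pairs needed for complete failover from the primary and backup external addresses on each side, in the order the guide lists them (primary-to-primary first), and enforces the nine-pair limit before you start clicking through the dialog. The function names are my own.

```python
from itertools import product
import ipaddress

# Limit stated in the guide: a gateway may hold up to nine gateway pairs.
MAX_GATEWAY_PAIRS = 9


def failover_gateway_pairs(local_endpoints, remote_endpoints):
    """Return the ordered (local, remote) gateway pairs for complete BOVPN
    failover: every local external address combined with every remote one.

    Endpoints are listed in priority order (primary first, then backups), so
    the first pair returned is primary-to-primary, matching the order in
    which you would want the device to attempt connections.
    Raises ValueError for malformed or duplicate addresses, an address used
    on both sides, or more pairs than the device accepts.
    """
    local = [str(ipaddress.ip_address(a)) for a in local_endpoints]
    remote = [str(ipaddress.ip_address(a)) for a in remote_endpoints]
    if len(set(local)) != len(local) or len(set(remote)) != len(remote):
        raise ValueError("duplicate endpoint address on one side")
    overlap = set(local) & set(remote)
    if overlap:
        raise ValueError(f"address used on both sides: {sorted(overlap)}")
    pairs = list(product(local, remote))
    if len(pairs) > MAX_GATEWAY_PAIRS:
        raise ValueError(
            f"{len(pairs)} gateway pairs needed, but only "
            f"{MAX_GATEWAY_PAIRS} can be defined per gateway"
        )
    return pairs


def format_pairs(pairs):
    """Render the pairs one per line in the 'local - remote' style of the guide."""
    return "\n".join(f"{local} - {remote}" for local, remote in pairs)


if __name__ == "__main__":
    # Constructed sample matching the guide's example addresses.
    print(format_pairs(failover_gateway_pairs(
        ["23.23.1.1", "23.23.2.1"], ["50.50.1.1", "50.50.2.1"])))
```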
