Configure Manual BOVPN Gateways
A BOVPN gateway is a connection point for one or more tunnels. To create a tunnel, you must set up gateways on both the local and remote endpoint devices. To configure these gateways, you must specify:
- Credential method — Either pre-shared keys or an IPSec Firebox certificate. For information about how to use certificates for BOVPN authentication, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
- Location of the local and remote gateway endpoints, either by IP address or by domain information.
- Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation. This phase defines the security association: the protocols and settings that the gateway endpoints use to communicate and to protect the data passed during the negotiation.
Add a Gateway
Configure the gateways for each branch office VPN endpoint. The first procedure is for Fireware Web UI and the second is for Policy Manager.
From Fireware Web UI:
- Select VPN > Branch Office VPN.
The Branch Office VPN configuration page appears.
- To add a gateway, in the Gateways section, click Add.
The Gateway settings page appears.
- In the Gateway Name text box, type a name to identify the gateway for this Firebox.
- Select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication method for this tunnel.
Use Pre-Shared Key
Type or paste the shared key. You must use the same shared key on the remote device. This shared key must use only standard ASCII characters.
Use IPSec Firebox Certificate
The current certificates on the Firebox appear in the certificates list. By default, the list includes only certificates that have the IP security IKE intermediate Extended Key Usage (EKU) identifier (OID 1.3.6.1.5.5.8.2.2). For a Firebox that runs Fireware v11.11.4 or higher, you can also select a certificate that does not include an EKU identifier.
To see a list of available certificates that do not include an EKU identifier, select the Show All Certificates check box.
For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
You can now define the gateway endpoints. For more information, see Define Gateway Endpoints for a BOVPN Gateway.
From Policy Manager:
- Select VPN > Branch Office Gateways.
The Gateways dialog box appears.
- To add a gateway, click Add.
The New Gateway dialog box appears.
- In the Gateway Name text box, type a name to identify the gateway for this Firebox.
- From the New Gateway dialog box, select either Use Pre-Shared Key or Use IPSec Firebox Certificate to identify the authentication method for this tunnel.
Use Pre-Shared Key
Type or paste the shared key. You must use the same shared key on the remote device. This shared key must use only standard ASCII characters.
Use IPSec Firebox Certificate
The current certificates on the Firebox appear in the certificates list. By default, the list includes only certificates that have the IP security IKE intermediate Extended Key Usage (EKU) identifier (OID 1.3.6.1.5.5.8.2.2). For a Firebox that runs Fireware v11.11.4 or higher, you can also select a certificate that does not include an EKU identifier.
To see a list of available certificates that do not include an EKU identifier, select the Show All Certificates check box.
For more information, see Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
You can now define the gateway endpoints and configure phase 1 settings. For more information, see:
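Before you select a certificate for either procedure above, it helps to confirm whether the certificate actually carries the IKE intermediate EKU (OID 1.3.6.1.5.5.8.2.2), since only those certificates are listed without Show All Certificates. The following is an added example, not WatchGuard code: it decodes the DER-encoded value of a certificate's extKeyUsage extension (which you are assumed to have already extracted from the certificate with an ASN.1 tool) and reports whether that OID is present. The sample extension values are constructed for the example, and the function names are hypothetical.

```python
# ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OBJECT IDENTIFIER), DER-encoded.
IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"   # the EKU the Firebox looks for


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def eku_oids(ext_value: bytes) -> list:
    """Return every KeyPurposeId OID in a DER-encoded extKeyUsage extension value."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        oids.append(decode_oid(raw))
    return oids


def has_ike_intermediate_eku(ext_value: bytes) -> bool:
    return IKE_INTERMEDIATE_OID in eku_oids(ext_value)


# Constructed sample values (not from a real certificate):
# serverAuth (1.3.6.1.5.5.7.3.1) followed by IKE intermediate (1.3.6.1.5.5.8.2.2)
EKU_WITH_IKE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505080202")
# serverAuth only: this certificate would be hidden unless Show All Certificates is selected
EKU_SERVER_AUTH_ONLY = bytes.fromhex("300a" "06082b06010505070301")
```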
Run the BOVPN Gateway Configuration Report
After you add a gateway, you can run a report to see a summary of all gateway settings. This report can be useful if you need to troubleshoot the VPN. It can also make it easier to compare the configured settings with the settings of the remote VPN endpoint device.
To run the report from Fireware Web UI or Policy Manager:
- In the Gateways dialog box, select a configured gateway.
- Click Report.
- To add details about tunnels that use this gateway, select the Show Tunnel Details check box.
For more information about this report, see Use the BOVPN Configuration Reports.