About Global VPN Settings

Global VPN settings apply to manual BOVPN tunnels, BOVPN virtual interfaces, managed BOVPN tunnels, Mobile VPN with IPSec, and Mobile VPN with IKEv2 tunnels. These settings do not apply to BOVPN over TLS.

Enable Outbound IPSec Pass-through

For a Mobile VPN with IPSec user on the trusted or optional network to make an outbound IPSec connection to a Firebox located behind a different Firebox, you must select the Add a Policy to Enable Outbound IPSec Pass-Through check box. For example, mobile employees at a customer site that has its own Firebox can use IPSec to make a VPN connection back to their network, but the Firebox at the customer site allows the outgoing IPSec connection only if its configuration includes an IPSec policy.

When you enable IPSec pass-through, a policy called WatchGuard IPSec is automatically added to the configuration. The policy allows IPSec traffic from any trusted or optional network to any destination. When you disable IPSec pass-through, the WatchGuard IPSec policy is automatically deleted.

To enable inbound IPSec pass-through, you must clear the Enable Built-In IPSec Policy check box and create IPSec policies that handle inbound VPN traffic to the Firebox and to any other VPN endpoints. For more information, go to Configure Inbound IPSec Pass-through with SNAT.

Enable TOS for IPSec

Type of Service (TOS) is a set of four flag bits in the Type of Service octet of the IPv4 header (the same octet that DSCP-based QoS marking uses) that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware gives you the option to have IPSec tunnels clear or keep the TOS flags on the packets they carry. Some ISPs drop all packets that have TOS flags set.

If you do not select the Enable TOS for IPSec check box, IPSec packets never carry TOS flags. If the flags were set on the original packet, they are removed when Fireware encapsulates the packet in an IPSec header.

When the Enable TOS for IPSec check box is selected and the original packet has TOS flags, Fireware keeps those flags set when it encapsulates the packet in an IPSec header. If the original packet has no TOS flags set, Fireware does not set any when it encapsulates the packet.

Consider carefully whether to select this check box if you also apply QoS marking to IPSec traffic, because QoS marking can change the TOS flags. For more information about QoS marking, go to About QoS Marking.
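As an added example (not Fireware code, and not from this page), the following Python shows where the TOS octet sits in an IPv4 header, how its four TOS flag bits overlap the DSCP field that QoS marking writes, and what the two settings mean for the outer header of a tunnel-mode ESP packet. The sample packet, the addresses, and the simplified outer header (no ESP trailer or authentication data) are constructed for illustration; the real Fireware data path is not reproduced.

```python
# Added example (not Fireware code): the TOS octet in an IPv4 header and the
# effect of clearing versus keeping it on a tunnel-mode outer header.
# The packet contents and addresses below are constructed for illustration.
import struct

ESP = 50  # IP protocol number for ESP

# RFC 1349 names for the four TOS flag bits (bits 3-6 of the TOS octet).
TOS_FLAGS = {0x10: "min-delay", 0x08: "max-throughput",
             0x04: "max-reliability", 0x02: "min-cost"}


def ip_checksum(header: bytes) -> int:
    """Ones' complement checksum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tos_octet(packet: bytes) -> int:
    """The second byte of an IPv4 header is the TOS octet (also read as DSCP/ECN)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def describe_tos(tos: int) -> dict:
    """Decode one TOS octet both the RFC 1349 way and the DSCP/ECN way."""
    return {
        "precedence": tos >> 5,
        "tos_flags": [name for bit, name in TOS_FLAGS.items() if tos & bit],
        "dscp": tos >> 2,  # the same bits, as QoS marking reads and writes them
        "ecn": tos & 0x3,
    }


def _finish_header(header: bytes) -> bytes:
    """Fill in the checksum field (bytes 10-11) of a 20-byte header."""
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]


def encapsulate(inner: bytes, src: str, dst: str, keep_tos: bool) -> bytes:
    """Wrap `inner` in a tunnel-mode outer IPv4 header carrying ESP.
    keep_tos=True models 'Enable TOS for IPSec' selected: the inner TOS octet is
    copied to the outer header. keep_tos=False models it cleared: outer TOS = 0."""
    outer_tos = tos_octet(inner) if keep_tos else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, outer_tos, 20 + len(inner),
                         0, 0x4000, 64, ESP, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return _finish_header(header) + inner


def make_inner(tos: int) -> bytes:
    """Constructed 28-byte IPv4/UDP-ish packet (20-byte header + 8 payload bytes)."""
    payload = b"\x00" * 8
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                         1, 0x4000, 64, 17, 0,
                         bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]))
    return _finish_header(header) + payload


if __name__ == "__main__":
    inner = make_inner(0x10 | 0x08)  # min-delay + max-throughput set
    print("inner TOS:", describe_tos(tos_octet(inner)))
    for keep in (False, True):
        outer = encapsulate(inner, "203.0.113.1", "198.51.100.1", keep_tos=keep)
        print("Enable TOS for IPSec =", keep,
              "-> outer TOS octet 0x%02x" % tos_octet(outer))
```

When you capture traffic on the external interface to confirm the setting, the outer header's TOS octet is the byte to inspect: with the check box cleared it is 0x00 regardless of the inner packet, with it selected it matches the inner packet. Because the DSCP field is the upper six bits of the same octet, a QoS marking action on the same traffic rewrites exactly the bits this setting preserves.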

Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used

This option applies only to traffic through a BOVPN that is not a BOVPN virtual interface.

When this option is disabled, every packet that matches the tunnel route specified in the IPSec gateway is sent through the IPSec branch office VPN tunnel, regardless of the routing table. When it is enabled, the Firebox consults the routing table to decide whether to send the packet through the IPSec VPN tunnel.

If a default route is used to route a packet

The packet is encrypted and sent through the VPN tunnel, to the interface specified in the VPN gateway configuration.

If a non-default route is used to route a packet

The packet is routed to the interface specified in that non-default route. Whether it also goes through the IPSec VPN tunnel depends on that interface: if it matches the interface in the BOVPN gateway, the packet goes through the BOVPN tunnel configured for that interface; if it does not, the packet is not sent through the BOVPN tunnel and leaves through the interface in the route instead. For example, if the BOVPN gateway interface is set to Eth0 and the matched non-default route uses Eth1, the packet is not sent through the BOVPN tunnel. If the matched non-default route uses Eth0, the packet is sent through the BOVPN tunnel.

This feature works with any non-default route (static or dynamic). You can use this feature in conjunction with dynamic routing to enable dynamic network failover from a private network route to an encrypted IPSec VPN tunnel.

For example, consider an organization that sends traffic between two networks, Site A and Site B. They use a dynamic routing protocol to send traffic between the two sites over a private network connection, with no VPN required. The private network is connected to the Eth1 interface of each device. They have also configured a BOVPN tunnel between the two sites to send BOVPN traffic over the local Internet connection, over the Eth0 interface of each device. They want to send traffic over the BOVPN tunnel only if the private network connection is not available.

If they select the Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec Is Used check box in the Global VPN Settings, the Firebox sends traffic over the private network if a dynamic route to that network is present over the Eth1 interface. Otherwise, it sends traffic over the encrypted IPSec BOVPN tunnel on the Eth0 interface.

For more information about how to use this setting, go to Configure a Branch Office VPN for Failover from a Leased Line.

Disable or Enable the Built-in IPSec Policy

The Firebox includes a built-in IPSec policy that allows IPSec traffic from Any-External to Firebox. This hidden policy enables the Firebox to function as an IPSec VPN endpoint for Branch Office VPN, Mobile VPN with IPSec, and Mobile VPN with IKEv2 tunnels. The built-in IPSec policy takes precedence over any IPSec policy you create manually, and it is enabled by default. To disable it, clear the Enable Built-In IPSec Policy check box. Do not disable the built-in policy unless you need to create another IPSec policy to terminate a VPN tunnel at a device other than the Firebox, such as a VPN concentrator on the Firebox trusted or optional network.

If you clear the Enable Built-In IPSec Policy check box, you must create IPSec policies to handle inbound VPN traffic to the Firebox and any other VPN endpoints. For more information, go to Configure Inbound IPSec Pass-through with SNAT.

Remove VPN Routes for a BOVPN Virtual Interface

You can choose whether you want the Firebox to automatically remove the static VPN routes configured for a BOVPN virtual interface from the Routes:Main table when the BOVPN virtual interface is down. This controls whether the Firebox can fall back to the default route for packets that match these routes while the BOVPN virtual interface is down.

Select the Remove VPN Routes When the Tunnel for a BOVPN Virtual Interface Is Down check box if you want to automatically remove the static routes for the BOVPN virtual interface from the routing table when the BOVPN virtual interface is down. If the destination IP address of a packet then matches no other route in the routing table, the Firebox sends it through the default route, which could be an unencrypted connection, so traffic intended for the tunnel could leave the Firebox in clear text while the tunnel is down. If you select this check box, you must do one of two things to make sure that the VPN routes for the BOVPN virtual interface are added back to the routing table when the tunnel is available: enable policy-based routing for the BOVPN virtual interface, or, in the BOVPN virtual interface settings, select the Start Phase 1 Tunnel When It Is Inactive check box. That check box is selected by default when you configure the BOVPN virtual interface.

Clear the Remove VPN Routes When the Tunnel for a BOVPN Virtual Interface Is Down check box if you want to keep the routes in the routing table when the BOVPN virtual interface is down. This is the default setting. When a BOVPN virtual interface is down, the distance (metric) of the routes that use it is automatically changed to a large number, so that they have lower priority than other routes. Because the routes remain in the routing table, packets that match them are not sent through the default route when the BOVPN virtual interface is down.

Regardless of this setting, if there is an alternate route for a packet to take when the BOVPN virtual interface is down, the Firebox sends the packet through the alternate route rather than through the default route.

In Fireware v12.9 or higher, the Distance setting replaces the Metric setting for routes.
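As an added example that is not part of this page or of Fireware, the following Python models the two routing-table decisions described in the Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec Is Used section (for a manual BOVPN) and in the Remove VPN Routes for a BOVPN Virtual Interface section. The interface names, prefixes, distances, and the DOWN_DISTANCE stand-in for the "large number" Fireware assigns to routes of a down virtual interface are assumptions made for the model; Fireware's own route selection is not reproduced here.

```python
# Added example (not Fireware code): a small model of the route decisions this
# page describes, for manual BOVPN tunnels and for BOVPN virtual interfaces.
# Interface names, prefixes, distances and DOWN_DISTANCE are assumptions.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # "Eth0", "Eth1", or a BOVPN virtual interface such as "bvpn1"
    distance: int = 1       # lower is preferred among routes to the same prefix
    encrypted: bool = False  # True only for routes through a BOVPN virtual interface


def route(prefix, interface, distance=1, encrypted=False):
    return Route(ipaddress.ip_network(prefix), interface, distance, encrypted)


DEFAULT = ipaddress.ip_network("0.0.0.0/0")
DOWN_DISTANCE = 255  # assumed stand-in for the "large number" Fireware uses


def lookup(table, dst):
    """Longest-prefix match; among equal prefixes the lowest distance wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


def bovpn_decision(table, dst, tunnel_route, gateway_iface, use_non_default_routes):
    """Manual BOVPN (not a virtual interface).
    Returns (goes_through_tunnel, egress_interface)."""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(tunnel_route):
        best = lookup(table, dst)          # not tunnel traffic at all
        return (False, None if best is None else best.interface)
    if not use_non_default_routes:
        return (True, gateway_iface)       # option off: tunnel route always wins
    best = lookup(table, dst)
    if best is None or best.prefix == DEFAULT:
        return (True, gateway_iface)       # default route: encrypt, send via gateway
    # Non-default route: tunnel only if its interface is the gateway's interface.
    return (best.interface == gateway_iface, best.interface)


def vif_down(table, vif_iface, remove_routes):
    """Apply the 'Remove VPN Routes When the Tunnel ... Is Down' setting."""
    if remove_routes:
        return [r for r in table if r.interface != vif_iface]
    return [replace(r, distance=DOWN_DISTANCE) if r.interface == vif_iface else r
            for r in table]


def egress(table, dst):
    """Returns (interface, encrypted) for a packet, or None if there is no route."""
    best = lookup(table, dst)
    return None if best is None else (best.interface, best.encrypted)


# Scenario 1: leased line on Eth1 (dynamic route), BOVPN gateway on Eth0.
SITE_B = "10.20.0.0/16"
base = [route("0.0.0.0/0", "Eth0")]
with_leased_line = base + [route(SITE_B, "Eth1", distance=110)]  # e.g. learned via OSPF


def scenario_leased_line():
    up = bovpn_decision(with_leased_line, "10.20.1.5", SITE_B, "Eth0", True)
    down = bovpn_decision(base, "10.20.1.5", SITE_B, "Eth0", True)   # route withdrawn
    ignored = bovpn_decision(with_leased_line, "10.20.1.5", SITE_B, "Eth0", False)
    return up, down, ignored


# Scenario 2: BOVPN virtual interface bvpn1 goes down.
vif_table = [route("0.0.0.0/0", "Eth0"), route("10.30.0.0/16", "bvpn1", encrypted=True)]


def scenario_vif_down():
    removed = egress(vif_down(vif_table, "bvpn1", remove_routes=True), "10.30.1.1")
    kept = egress(vif_down(vif_table, "bvpn1", remove_routes=False), "10.30.1.1")
    alt = vif_table + [route("10.30.0.0/16", "Eth1", distance=5)]   # alternate route
    alt_up = egress(alt, "10.30.1.1")
    alt_down = egress(vif_down(alt, "bvpn1", remove_routes=False), "10.30.1.1")
    return removed, kept, alt_up, alt_down


if __name__ == "__main__":
    print("leased line (up, down, option off):", scenario_leased_line())
    print("vif down (removed, kept, alt up, alt down):", scenario_vif_down())
```

Scenario 1 reproduces the leased-line failover: with the option selected and a dynamic route to Site B on Eth1, traffic stays on the private link and does not enter the tunnel; when that route is withdrawn, only the default route matches, so the packet is encrypted and sent on Eth0. With the option cleared the tunnel route wins even while the leased line is up. Scenario 2 shows why the Remove VPN Routes check box needs the Start Phase 1 Tunnel When It Is Inactive or policy-based routing safeguard: with the route removed, a packet for 10.30.1.1 falls to the default route on Eth0 in clear text, whereas with the route kept at a high distance it stays bound to bvpn1, and an alternate route to the same prefix takes over only while the tunnel is down.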

Enable LDAP Server for Certificate Verification

When you create a VPN gateway, you specify a credential method for the two VPN endpoints to use when the tunnel is created. If you choose to use an IPSec Firebox certificate, you can identify an LDAP server that validates the certificate. Type the IP address of the LDAP server, and specify a port if you want to use a port other than the default, 389.

BOVPN Notification

In the BOVPN Notification settings, you can configure the Firebox to send a notification when a BOVPN tunnel is down.

For information about the notification options, go to Set Logging and Notification Preferences.

BOVPN notification settings do not apply to Mobile VPN with IPSec tunnels.

Related Topics

About Manual IPSec Branch Office VPNs

Managed Branch Office VPN Tunnels (WSM)