About Branch Office VPN over TLS

In Fireware v12.1 or higher, you can configure a BOVPN tunnel that uses TLS for secure communication between Fireboxes. TLS is the successor to the SSL protocol. Fireboxes configured for BOVPN over TLS send VPN tunnel traffic over port 443, which is usually open on most networks.

BOVPN over TLS uses a client-server model for communication. On a Firebox configured in Server mode, you can configure tunnels to one or more Fireboxes configured in Client mode. On a Firebox configured in Client mode, you can configure tunnels to one or more Fireboxes configured in Server mode. You cannot configure a Firebox in both Server and Client mode.

We recommend BOVPN over TLS only when these conditions are true:

  • Your network cannot pass IPSec traffic. For example, some ISPs might not allow IPSec traffic, and some older NAT devices might drop packets related to IPSec traffic. Or, your business operates in a location where you do not have full control of the network and cannot open ports required for an IPSec BOVPN.
  • You have a hub-and-spoke VPN configuration.

For a full or partial mesh VPN configuration on a network that allows IPSec traffic, we recommend that you configure an IPSec BOVPN tunnel. An IPSec BOVPN tunnel is better suited for environments that require high VPN performance. For more information about IPSec BOVPN tunnels, go to Quick Start — Set Up a VPN Between Two Fireboxes. Network performance for BOVPN over TLS is comparable to Mobile VPN with SSL and Management Tunnels with SSL.

Requirements

To create a branch office VPN over TLS:

  • You must have two Fireboxes with Fireware v12.1 or higher. Third-party VPN endpoints are not supported.
  • The ISP for each VPN device must allow TLS traffic on port 443 and OpenVPN traffic on their networks.
    Traffic is sent over port 443, but the traffic is not HTTPS. Some content inspection filters on upstream firewalls could block BOVPN over TLS communication.
  • The Fireboxes at each end of the tunnel must use the same authentication and encryption methods.
  • The same pre-shared key must be used by the Firebox endpoints. The pre-shared key must be between 8 and 23 characters in length.

These features are not supported:

  • Drop-in mode
  • Bridge mode
  • Active/Active FireCluster
  • IP ranges in tunnel routes
  • BOVPN NAT
  • Dynamic routing
  • SD-WAN routing (Fireware v12.3 or higher) or Policy-based routing (Fireware v12.2.1 or lower)
  • Multicast traffic

Tunnel Configuration Options

Fireware supports two VPN configurations for BOVPN over TLS.

Option 1 — TLS server connects to multiple TLS clients

In this example, you configure Firebox A as the TLS server and multiple Fireboxes (n) as TLS clients. Firebox A is the hub. Fireboxes (n) are the spokes. Optionally, you can configure Mobile VPN with SSL on Firebox A for connections from Mobile VPN with SSL users. This drawing shows the topology.

Topology drawing for supported BOVPN over TLS configuration option 1

When you configure this option:

  • Devices on the local network behind Firebox A can connect to the local networks behind the Fireboxes (n).
  • Devices on the local networks behind Fireboxes (n) can connect to the local network behind Firebox A.
  • Mobile VPN with SSL users connect to Firebox A if Mobile VPN with SSL is enabled on Firebox A.
  • Mobile VPN with SSL users can connect to the local networks behind Fireboxes A and (n).

Option 2 — TLS client connects to multiple TLS servers

In this example, you configure Firebox A as the TLS client and multiple Fireboxes (n) as TLS servers. Firebox A is the spoke. Fireboxes (n) are the hubs. Optionally, you can configure Mobile VPN with SSL on Firebox A for connections from Mobile VPN with SSL users. This drawing shows the topology.

When you configure this option:

  • Firebox A establishes TLS VPN tunnels with multiple Fireboxes (n) configured as TLS servers.
  • Each TLS VPN tunnel on Firebox A has its own configuration parameters and operates separately from all other TLS VPN tunnels.
  • Devices on the local networks behind Firebox A can connect to the local networks behind the Fireboxes (n).
  • Devices on the local networks behind Fireboxes (n) can connect to the local network behind Firebox A.
  • If Mobile VPN with SSL is enabled on Firebox A, Mobile VPN with SSL users can connect to Firebox A and the local network behind Firebox A.
  • Mobile VPN with SSL and BOVPN over TLS have separate configuration settings. For example, Mobile VPN with SSL has an address pool, authentication proposals, and encryption proposals that are not shared with BOVPN over TLS.

If Mobile VPN with SSL is enabled on the BOVPN over TLS Client, you must select the Specify the destination addresses that the client will route through the tunnel option on the BOVPN over TLS Server. If you select Traffic destined for all locations is sent through the tunnel, mobile users cannot make a Mobile VPN with SSL connection to the Firebox configured as a BOVPN over TLS Client.
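The Requirements list and the two tunnel options above amount to a set of constraints that are easy to get wrong across many spokes. The following added pre-deployment lint (example code, not WatchGuard's or Fireware's own) checks a planned topology against them; the data classes, field names and any sample values are assumptions constructed for illustration, not a Fireware configuration format.

```python
# Added example: pre-deployment lint for a planned BOVPN over TLS topology.
# It encodes the constraints this page states; the data model and the sample
# values are constructed for illustration and are not a Fireware config format.
from dataclasses import dataclass

@dataclass
class Firebox:
    name: str
    fireware: tuple           # (major, minor); v12.1 or higher is required
    mode: str                 # "server" or "client"; one Firebox cannot be both
    mobile_vpn_ssl: bool = False

@dataclass
class Endpoint:               # one side's tunnel settings (hypothetical field names)
    box: str
    psk: str
    auth: str
    encryption: str

@dataclass
class Tunnel:
    server: Endpoint
    client: Endpoint
    routes: tuple             # destination networks; "a-b" marks an IP range
    route_all: bool = False   # server option: all client traffic through the tunnel

def lint(boxes: dict, tunnels: list) -> list:
    """Return human-readable findings; an empty list means the plan is consistent."""
    out = []
    for b in boxes.values():
        if b.fireware < (12, 1):
            out.append(f"{b.name}: requires Fireware v12.1 or higher")
    for t in tunnels:
        tag = f"{t.server.box}->{t.client.box}"
        s, c = boxes.get(t.server.box), boxes.get(t.client.box)
        if not (s and c and s.mode == "server" and c.mode == "client"):
            out.append(f"{tag}: must pair a Server-mode with a Client-mode Firebox")
            continue
        if t.server.psk != t.client.psk:
            out.append(f"{tag}: pre-shared keys differ between endpoints")
        if not 8 <= len(t.server.psk) <= 23:
            out.append(f"{tag}: pre-shared key must be 8 to 23 characters")
        if (t.server.auth, t.server.encryption) != (t.client.auth, t.client.encryption):
            out.append(f"{tag}: authentication and encryption methods must match")
        if any("-" in r for r in t.routes):
            out.append(f"{tag}: IP ranges in tunnel routes are not supported")
        if c.mobile_vpn_ssl and t.route_all:
            out.append(f"{tag}: client runs Mobile VPN with SSL; server must specify destination addresses")
    return out
```

Run lint() over the hub and every spoke before pushing the configuration; each finding maps to one requirement or option caveat on this page.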

For configuration instructions, go to:

Policies

When you configure BOVPN over TLS in Client mode or Server mode, these policies are automatically created:

  • BOVPN-allow.in
  • BOVPN-allow.out
  • WatchGuard SSLVPN

The BOVPN-allow.in and BOVPN-allow.out policies are shared by:

  • BOVPN over TLS
  • IPSec BOVPN
  • BOVPN virtual interfaces

In Fireware v12.1 and higher, the WatchGuard SSLVPN policy specifies only the Any-External interface by default.

The WatchGuard SSLVPN policy is shared by Management Tunnel over SSL, BOVPN over TLS, Mobile VPN with SSL, and the Access Portal. For more information about this policy, go to SSL/TLS Settings Precedence and Inheritance.

In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, go to WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.

VPN Failover

You can specify a backup TLS server in the BOVPN over TLS configuration settings. For example, you can specify the IP address of a secondary external interface on the Firebox. If the primary server is not available, TLS clients will automatically try to connect to the backup server.

Global VPN Settings

The VPN Global Settings do not apply to BOVPN over TLS.

BOVPN Tunnel Status

The Rekey Tunnel options on the VPN Statistics page do not apply to BOVPN over TLS.

License

BOVPN over TLS shares the SSL VPN Users license with Mobile VPN with SSL and Management Tunnel with SSL.

Related Topics

Configure BOVPN over TLS in Client Mode

Configure BOVPN over TLS in Server Mode