Configure BOVPN over TLS in Client Mode
BOVPN over TLS uses a client-server model for VPN tunnel communication. You must configure at least one Firebox as a TLS Client, and at least one Firebox as a TLS Server.
By default, the BOVPN over TLS server assigns addresses in the 192.168.113.0/24 pool to BOVPN over TLS clients. Mobile VPN with SSL also uses the 192.168.113.0/24 pool by default. If BOVPN over TLS in Client mode and Mobile VPN with SSL are both enabled on the same Firebox, you must specify a different IP address pool for one of these features. If both features use the same IP address pool, BOVPN over TLS traffic is not sent through the tunnel correctly.
In Fireware v12.1, you must use the Web UI to configure BOVPN over TLS. In Fireware v12.1.1 and higher, you can also use Policy Manager.
- Select VPN > BOVPN over TLS.
- Click Enable.
The BOVPN over TLS Mode dialog box appears.
- From the Firebox Mode drop-down list, select Client.
- Click Add.
The Add Server page appears.
- In the Tunnel Name text box, type a name for the tunnel.
- In the Description text box, type a description of the tunnel.
- Keep the Enabled check box selected to enable this tunnel.
- In the Primary Server text box, type the IP address or domain name of the TLS server.
The TLS server is a remote Firebox configured in TLS Server mode.
- (Optional) In the Backup Server text box, type the IP address or domain name of a backup TLS server.
- In the Tunnel ID text box, type a name for the tunnel. You must specify the same Tunnel ID on the TLS server.
- In the Pre-Shared Key text box, type the pre-shared key.
The pre-shared key must be between 8 and 23 characters in length.
- (Optional) To change the default communication settings, click Edit.
The Advanced Settings dialog box appears.
- Configure the Advanced Settings.
Authentication
Select an authentication method for the connection: SHA-1, SHA-256, or SHA-512. We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.
Encryption
Select an algorithm to encrypt the traffic: 3DES, AES (128-bit), AES (192-bit), or AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). We recommend AES encryption. For the best performance, choose a 128-bit AES variant. For the strongest encryption, choose a 256-bit AES variant.
If you select 3DES, be aware of a potential, but unlikely, security attack. For more information, go to Sweet32 Vulnerability in the WatchGuard Knowledge Base.
Data Channel
If the data channel protocol is TCP, you cannot specify a port number other than 443.
You can change the data channel protocol to UDP and specify a different port unless Management Tunnel over SSL is enabled on your Management Server. For information about the differences between TCP and UDP, go to Choose the Port and Protocol for Mobile VPN with SSL.
Keep-Alive Interval
If no packets have been sent over the tunnel for the amount of time you specify, the BOVPN over TLS client pings the BOVPN over TLS server.
Keep-Alive Timeout
If the BOVPN over TLS server does not send a response or other packet before the Keep-Alive Timeout value elapses, the tunnel connection closes and restarts.
Renegotiate Data Channel
If a BOVPN over TLS connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the BOVPN over TLS client must create a new tunnel. The minimum value is 1 hour.
The Import a configuration file option is for internal testing purposes and is not supported.
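As an added example (not WatchGuard code and not part of this page), the following Python script encodes the constraints stated above for the address pools and for the Add Server settings, so a planned client-mode configuration can be checked offline before it is entered. The dataclass fields, the sample values and the server name vpn.example.com are constructed assumptions; the pool check goes slightly beyond the text by flagging partial overlaps as well as identical pools.

```python
"""Constructed example: offline sanity checks for a BOVPN over TLS client tunnel.

Not WatchGuard code. It encodes the constraints this page states so a proposed
configuration can be checked before it is typed into the Web UI or Policy Manager.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Defaults stated on the page: both features use the same pool unless changed.
DEFAULT_TLS_CLIENT_POOL = "192.168.113.0/24"
DEFAULT_MOBILE_SSL_POOL = "192.168.113.0/24"


@dataclass
class TlsClientTunnel:
    """Fields from the Add Server page; default values here are constructed."""
    tunnel_name: str
    primary_server: str
    tunnel_id: str
    pre_shared_key: str
    backup_server: Optional[str] = None
    data_channel_protocol: str = "TCP"
    data_channel_port: int = 443
    renegotiate_hours: int = 8  # constructed sample; the page only fixes the 1 hour minimum


def pools_overlap(pool_a: str, pool_b: str) -> bool:
    """True if the two CIDR pools share any address (equal, nested, or partial)."""
    return ipaddress.ip_network(pool_a, strict=False).overlaps(
        ipaddress.ip_network(pool_b, strict=False))


def check_address_pools(tls_client_pool: str, mobile_ssl_pool: str,
                        mobile_ssl_enabled: bool = True) -> List[str]:
    """Flag the pool conflict the page warns about when both features are enabled."""
    if mobile_ssl_enabled and pools_overlap(tls_client_pool, mobile_ssl_pool):
        return [f"BOVPN over TLS pool {tls_client_pool} overlaps Mobile VPN with SSL pool "
                f"{mobile_ssl_pool}; assign a different pool to one feature or tunnel "
                "traffic is not sent correctly"]
    return []


def check_tunnel(t: TlsClientTunnel) -> List[str]:
    """Return one finding per stated constraint that the tunnel violates."""
    findings = []
    if not t.tunnel_id:
        findings.append("Tunnel ID is empty; it must match the ID configured on the TLS server")
    if not 8 <= len(t.pre_shared_key) <= 23:
        findings.append(f"pre-shared key is {len(t.pre_shared_key)} characters; must be 8 to 23")
    proto = t.data_channel_protocol.upper()
    if proto == "TCP":
        # With TCP the data channel port is fixed at 443.
        if t.data_channel_port != 443:
            findings.append(f"TCP data channel must use port 443, not {t.data_channel_port}")
    elif proto == "UDP":
        # With UDP any valid port may be chosen.
        if not 1 <= t.data_channel_port <= 65535:
            findings.append(f"UDP port {t.data_channel_port} is not a valid port number")
    else:
        findings.append(f"data channel protocol must be TCP or UDP, not {t.data_channel_protocol!r}")
    if t.renegotiate_hours < 1:
        findings.append("Renegotiate Data Channel must be at least 1 hour")
    return findings


if __name__ == "__main__":
    # Constructed sample: default pools with Mobile VPN with SSL also enabled.
    for f in check_address_pools(DEFAULT_TLS_CLIENT_POOL, DEFAULT_MOBILE_SSL_POOL):
        print("pool:", f)
    # Constructed sample tunnel that violates three of the stated constraints.
    sample = TlsClientTunnel("site-b", "vpn.example.com", "site-b-tunnel", "short",
                             data_channel_port=8443, renegotiate_hours=0)
    for f in check_tunnel(sample):
        print("tunnel:", f)
```

Run the script as-is to see the findings for the constructed sample; to check a real plan, replace the sample values with the pools and tunnel settings you intend to configure.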
- Select VPN > BOVPN over TLS.
- Select Activate BOVPN over TLS.
- From the Firebox Mode drop-down list, select Client.
- Click Add.
The Add Server dialog box appears.
- In the Tunnel Name text box, type a name for the tunnel.
- In the Description text box, type a description of the tunnel.
- Keep the Enabled check box selected to enable this tunnel.
- In the Primary Server text box, type the IP address or domain name of the TLS server.
The TLS server is a remote Firebox configured in TLS Server mode.
- (Optional) In the Backup Server text box, type the IP address or domain name of a backup TLS server.
- In the Tunnel ID text box, type a name for the tunnel. You must specify the same Tunnel ID on the TLS server.
- In the Pre-Shared Key text box, type the pre-shared key.
The pre-shared key must be between 8 and 23 characters in length.
- (Optional) To change the default communication settings, click Edit.
The Advanced Settings dialog box appears.
- Configure the advanced settings:
Authentication
Select an authentication method for the connection: SHA-1, SHA-256, or SHA-512. We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.
Encryption
Select an algorithm to encrypt the traffic: 3DES, AES (128-bit), AES (192-bit), or AES (256-bit). In Fireware v12.2 or higher, you can also select AES-GCM (128-bit), AES-GCM (192-bit), or AES-GCM (256-bit). We recommend AES encryption. For the best performance, choose a 128-bit AES variant. For the strongest encryption, choose a 256-bit AES variant.
If you select 3DES, be aware of a potential, but unlikely, security attack. For more information, go to Sweet32 Vulnerability in the WatchGuard Knowledge Base.
Data Channel
If the data channel protocol is TCP, you cannot specify a port number other than 443.
You can change the data channel protocol to UDP and specify a different port. For information about the differences between TCP and UDP, go to Choose the Port and Protocol for Mobile VPN with SSL.
Keep-Alive Interval
If no packets have been sent over the tunnel for the amount of time you specify, the BOVPN over TLS client pings the BOVPN over TLS server.
Keep-Alive Timeout
If the BOVPN over TLS server does not send a response or other packet before the Keep-Alive Timeout value elapses, the tunnel connection closes and restarts.
Renegotiate Data Channel
If a BOVPN over TLS connection has been active for the amount of time specified in the Renegotiate Data Channel text box, the BOVPN over TLS client creates a new tunnel. The minimum value is 1 hour.