Set up a VPN Between Two Fireware Devices (Web UI)

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic explains how to use Fireware Web UI to configure a BOVPN tunnel between two Fireboxes.

For the same example as configured in Policy Manager, go to Set up a VPN Between Two Fireware Devices (WSM).

For detailed information about BOVPN settings, go to:

Determine IP Address and Tunnel Settings

Before you create a manual BOVPN tunnel, we recommend that you determine which IP addresses and settings to use. This topic includes a checklist that can help you plan.

In this example, both endpoints have static external IP addresses. For information on BOVPN tunnels to devices with a dynamic external IP address, go to Define Gateway Endpoints for a BOVPN Gateway.

Make sure that you configure the VPN endpoints correctly and that the Phase 1 and Phase 2 settings are the same on both Fireboxes. The VPN tunnel does not build if the settings do not match.

If a setting does not appear in this list, keep the default value for that setting.

BOVPN Tunnel Settings

Site A Firebox

Public IP address: ______________________________

Private IP address: _____________________________

Site B Firebox

Public IP address: ______________________________

Private IP address: _____________________________

Phase1 Settings

Both Fireboxes must use exactly the same values.

For a BOVPN tunnel between two Fireboxes, we recommend that you select Dead Peer Detection (RFC3706), not IKE Keep-Alive. Do not select both. You should always select Dead Peer Detection if both endpoint devices support it.

Credential method: Select Use Pre-Shared Key.

Pre-shared key: ______________________________

(Fireware v12.5.4 or higher) Pre-shared key type (string-based or hex-based): ________________

IKE Version: IKEv1 ____ IKEv2 ____

Mode (choose one): Main ____ Aggressive ____

NAT Traversal: Yes ____ No ____

NAT Traversal Keep-alive interval: ________________

IKE Keep-alive: Yes ____ No ____

IKE Keep-alive Message interval: ________________

IKE Keep-alive Max failures: ________________

Dead Peer Detection (RFC3706): Yes ____ No ____

Dead Peer Detection Traffic idle timeout: ________________

Dead Peer Detection Max retries: ________________

Authentication algorithm (choose one): MD5___SHA1____ SHA2-256____SHA2-384____SHA2-512____
We recommend SHA-1 or SHA-2

Encryption algorithm (choose one): DES____ 3DES____ AES-128____ AES-192____ AES-256____ AES-GCM-128____AES-GCM-192____AES-GCM-256
We recommend an AES variant. AES-GCM is supported in Fireware v12.2 or higher. AES-GCM is supported for IKEv2 only.

SA Life ________________

Select Hours as the unit for SA life.

Diffie-Hellman Group (choose one): 1____ 2____ 5____14____15____19____20____

Phase 2 Settings

Both Fireboxes must use exactly the same values.

Perfect Forward Secrecy (Diffie-Hellman Group): Disable____ Group1____ Group2____ Group5____ Group14____ Group15____ Group19____ Group20____

Authentication algorithm (choose one): MD5___SHA1____ SHA2-256____SHA2-384____SHA2-512_____ (We recommend SHA-1 or SHA-2)

Encryption algorithm (choose one): DES____ 3DES____AES-128____ AES-192____ AES-256____ AES-GCM-128____AES-GCM-192____AES-GCM-256
We recommend an AES variant. AES-GCM is supported in Fireware v12.2 or higher. AES-GCM is supported for ESP only.

Force Key Expiration Time (Hours): ________________

Force Key Expiration Traffic (kilobytes): ________________

Example Tunnel Settings

This section has the same fields as the previous section, and includes example settings. These settings correspond to the settings that appear in the images in this example.

Site A Firebox

Public IP address: 203.0.113.2

Private network IP address: 10.0.1.0/24

Site B Firebox

Public IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24

Phase 1 Settings

Both sides must use exactly the same values.

Credential method: Select Use Pre-Shared Key.

Pre-shared key: [Specify a strong key]

Pre-shared key type: String-based

Version: IKEv1

Mode: Main

NAT Traversal: Enable

NAT Traversal Keep-alive interval: 20 seconds

IKE Keep-alive: Disable

IKE Keep-alive Message interval: none

IKE Keep-alive Max failures: none

Dead Peer Detection (RFC3706): Enable

Dead Peer Detection Traffic idle timeout: 20 seconds

Dead Peer Detection Max retries: 5

Authentication algorithm: SHA256

Encryption algorithm: AES (256-bit)

SA Life: 24 hours

Diffie-Hellman Group: 14

Phase 2 Settings

Both sides must use exactly the same values.

Perfect Forward Secrecy (Diffie-Hellman Group): 14

Type: ESP

Authentication algorithm: SHA256

Encryption algorithm: AES (256-bit)

Configure Site A

Next, configure the gateway on the Site A Firebox. A gateway is a connection point for one or more tunnels. To configure a gateway, you specify:

  • Credential method (either pre-shared keys or an IPSec Firebox certificate)
  • Location of local and remote gateway endpoints, either by IP address or domain information
  • Settings for Phase 1 of the Internet Key Exchange (IKE) negotiation

This example uses the values specified in the previous section.

To add a VPN Gateway:

  1. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears with the Gateways list at the top.
  2. In the Gateways section, click Add.
    The Gateway Settings page appears.

Screen shot of the Gateway settings page

  1. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  2. In the Credential Method section, select Use Pre-Shared Key.
  3. (Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
  4. Type the shared key.
    The shared key must use only standard ASCII characters.
  5. In the Gateway Endpoint section, click Add.

    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box for gateway to Site B

  1. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Site A Firebox.
  2. Select By IP Address.
  3. In the By IP Address text box, type the external (public) IP address for the Site A Firebox.
  4. In the Remote Gateway tab, select Static IP Address.
  5. In the Static IP Address text box, type the external (public) IP address of the Site B Firebox.
  6. To specify the Gateway ID, select By IP Address.
  7. In the By IP Address text box, type the external (public) IP address of the Site B Firebox.
  8. Click OK to close the New Gateway Endpoints Settings dialog box.
    The gateway pair you defined appears in the Gateway Endpoints list.

Screen shot of the Gateway General Settings tab with Endpoints

For information about the Use modem for failover setting, go to Configure VPN Modem Failover.

For information about the Start Phase 1 tunnel when Firebox startssetting, go to Disable Automatic Tunnel Startup.

Configure the Phase 1 Settings

In Phase 1 of the IPSec connection, the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).

  1. Select the Phase 1 Settings tab.

Screen shot of the Phase 1 Settings tab

  1. From the Version drop-down list, select IKEv1.
  2. From the Mode drop-down list, select Main.
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode.
  3. Select NAT Traversal, which we recommended for a BOVPN tunnel between two Fireboxes.
    NAT Traversal, or UDP Encapsulation, allows traffic to get to the correct destinations when a device does not have a public IP address.
  4. Select Dead Peer Detection (RFC3706), which we recommended for a BOVPN tunnel between two Fireboxes.
    When you enable dead peer detection, the Firebox connects to a peer only if no traffic is received from the peer for a specified length of time and a packet is waiting to be sent to the peer. This method is more scalable than IKE keep-alive messages.
  5. In the Transform Settings section, select the default transform and click Edit.

Screen shot of the Transform Settings dialog box

  1. From the Authentication and Encryption drop-down lists, select your preferred algorithms. In our example, we keep the default selections, SHA2-256 and AES (256-bit).
  2. In the SA Life text box, type 24. In the drop-down list, select Hours.
    The security association (SA) is valid for the amount of time that you specify in this setting. If the two VPN gateways do not complete Phase 2 negotiations before the Phase 1 SA expires, then they must complete Phase 1 negotiations again.
  3. In the Key Group drop-down list, select a Diffie-Helman Group. In our example, we select Diffie-Hellman Group 14.
    Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
  4. Click OK. Keep the default values for all other Phase 1 settings.
  5. Click Save to close the Gateway page.
    The gateway you added appears on the Branch Office VPN page in the Gateways list.

Add a VPN Tunnel

After you define gateways, you can make tunnels between them. When you make a tunnel you must specify:

  • Routes (local and remote endpoints for the tunnel)
  • Settings for Phase 2 of the Internet Key Exchange (IKE) negotiation

To add a VPN tunnel:

  1. From the Tunnels section, click Add.
    The Tunnel configuration page appears.

Screen shot of the Tunnel settings page

  1. In the Name text box, type a name for the tunnel.
  2. In the Gateway drop-down list, select the gateway you created.
  3. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, on the Addresses tab, select the Add this tunnel to the BOVPN-Allow policies check box.
    These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel. 
  4. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  1. In the Local IP section, from the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  2. In the Network IP text box, type the local (private) network address.
    This is the Site A private network IP address.
  3. In the Remote IP section, in the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  4. In the Network IP text box, type the remote (private) network address.
    This is the Site B private network address.
  5. From the Direction drop-down list, select the tunnel direction. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  6. Click OK.
    The tunnel route appears on the Tunnel settings page in the Addresses section.

Screen shot of the Tunnel settings page with addresses

For more information about IPSec VPN negotiations, go to About IPSec VPN Negotiations.

For more information about Diffie-Hellman groups, go to About Diffie-Hellman Groups.

Configure the Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what to do with the traffic between the endpoints.

  1. On the Tunnel settings page, select the Phase 2 Settings tab.

Screen shot of the Phase 2 settings tab

  1. To enable Perfect Forward Secrecy (PFS), select the Enable Perfect Forward Secrecy check box.
  2. If you enable PFS, in the Enable Perfect Forward Secrecy drop-down list, select a Diffie-Hellman group. In our example, we select Diffie-Hellman Group 14.
    PFS makes keys more secure because new keys are not made from previous keys. If a key is compromised, new session keys are still secure. When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated.
  3. The Firebox contains one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES 256-bit encryption, and SHA256 authentication. For this example, we use the default proposal. You can either:
  • Use the default proposal.
  • Remove the default proposal. Then select a different proposal in the drop-down list and click Add.
  • Add an additional proposal, as described in Add a Phase 2 Proposal.
  1. Click Save.
    The Tunnel you created appears on the BOVPN page in the Tunnels list.

The Firebox at Site A is now configured.

Configure Site B

You now configure the gateway at Site B.

To add a VPN Gateway:

  1. Select VPN > Branch Office VPN.
    The BOVPN configuration page appears, with the Gateways list at the top.
  2. To add a gateway, click Add.
    The Gateway settings page appears.
  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  4. Select the General Settings tab.
  5. In the Credential Method section, select Use Pre-Shared Key.
  6. (Fireware v12.5.4 or higher) Select String-Based or Hex-Based. The default setting is String-Based. For information about hex-based keys, go to Hex-Based Pre-Shared Keys.
  7. Type the shared key.
    The shared key must use only standard ASCII characters.
  8. In the Gateway Endpoint section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the Gateway Endpoint Settings dialog box

  1. From the External Interface drop-down list, select the interface that has the external (public) IP of the Site A Firebox.
  2. Select By IP Address.
  3. In the By IP Address text box, type the external (public) IP address for the Site A Firebox.
  4. In the Remote Gateway tab, select Static IP Address.
  5. In the Static IP Address text box, type the external (public) IP address of the Site B Firebox.
  6. To specify the gateway ID, select By IP Address.
  7. In the By IP Address text box, type the external (public) IP address of the Site B Firebox.
  8. Click OK to close the New Gateway Endpoints Settings dialog box.

    The gateway pair you defined appears in the list of gateway endpoints.

Screen shot of the Gatweay General Settings with gateway endpoints defined

Configure the Phase 1 Settings

In Phase 1 of the IPSec connection, the two peers make a secure, authenticated channel they can use to communicate. This is known as the ISAKMP Security Association (SA).

  1. Select the Phase 1 Settings tab.

Screen shot of the Gateway Phase 1 Settings tab

  1. From the Mode drop-down list, click Main.
    The example uses Main Mode because both endpoints have static IP addresses. If one endpoint has a dynamic IP address, you must use Aggressive mode.
  2. Select NAT Traversal and Dead Peer Detection (RFC3706).
  3. In the Transform Settings section, select the default transform and click Edit.
    The Transform Settings dialog box appears.

Screen shot of the Transform Settings dialog box

  1. From the Authentication and Encryption drop-down lists, select your preferred algorithms. In our example, we select SHA2-256 and AES (256-bit).
  2. In the SA Life text box, type 24 and select hours.
  3. In the Key Group drop-down list, select a Diffie-Helman Group. In our example, we select Diffie-Hellman Group 14 .
  4. Click OK. Keep the default values for all other Phase 1 settings.
  5. Click Save to close the Gateway page.

    The gateway you added appears in the Gateways list on the BOVPN page.

Add a VPN Tunnel

  1. In the Addresses section, click Add.
    The Tunnel configuration page appears.

Screen shot of the Tunnel Settings for Site B

  1. In the Name text box, type a name for the tunnel.
  2. From the Gateway drop-down list, select the gateway you just created.
  3. Select the Addresses tab.
  4. To add the tunnel to the BOVPN-Allow.in and BOVPN-Allow.out policies, select the Add this tunnel to the BOVPN-Allow policies check box.
    These policies allow all traffic that matches the tunnel routes. If you want to restrict traffic through the tunnel, clear this check box and use the BOVPN Policy Wizard to create policies for types of traffic that you want to allow through the tunnel.
  5. Click Add.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  1. In the Local IP section, in the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  2. In the Network IP text box, type the local (private) network address.
    This is the Site B private network IP address.
  3. In the Remote IP section, in the Choose Type drop-down list, select a host or network type. In our example, we select Network IPv4.
  4. In the Network IP text box, type the remote (private) network address.
    This is the Site A private network address.
  5. From the Direction drop-down list, select bi-directional. The tunnel direction determines which endpoint of the VPN tunnel can start a VPN connection through the tunnel.
  6. Click OK.

    The tunnel route appears in the Addresses section of the Tunnel settings page.

Screen shot of the Tunnel settings page

Configure the Phase 2 Settings

Phase 2 settings include settings for a security association (SA), which defines how data packets are secured when they are passed between two endpoints. The SA keeps all information necessary for the Firebox to know what it should do with the traffic between the endpoints.

  1. On the Tunnel settings page, select the Phase 2 Settings tab.

Screen shot of the Tunnel Phase 2 Settings

  1. To enable Perfect Forward Secrecy (PFS), select the PFS check box.
  2. If you enable PFS, from the PFS drop-down list, select a Diffie-Hellman group. In our example, we select Diffie-Hellman Group 14.
  3. The Firebox has one default proposal, which appears in the IPSec Proposals list. This proposal specifies the ESP data protection method, AES 256-bit encryption, and SHA256 authentication. For this example, we use the default proposal. You can either:
    • Click Add to add the default proposal.
    • Remove the default proposal. Then select a different proposal in the drop-down list and click Add.
    • Add an additional proposal, as explained in Add a Phase 2 Proposal.
  4. Click Save.
    The tunnel you created appears on the BOVPN page in the Tunnels list.

The Firebox at Site B is now configured.

After both ends of the tunnel are configured, the tunnel opens and traffic passes through the tunnel. If the tunnel does not work, examine the log files on both Fireboxes for the time period you tried to start the tunnel. Log messages appear in the log file to indicate where the failure is located in the configuration and which settings might be part of the problem. You can also review the log messages in real-time with Firebox System Manager.

Related Topics

Manual Branch Office VPN Tunnels

Monitor and Troubleshoot BOVPN Tunnels