Configure Remote VPN Endpoint Settings on a Locally-Managed Firebox or Third-Party VPN Endpoint
Applies To: Cloud-managed Fireboxes
You can configure a VPN from a cloud-managed Firebox to any Firebox or any third-party VPN endpoint that supports IKEv2 VPNs with compatible settings.
The remote endpoint can be:
- A third-party VPN endpoint.
- A locally-managed Firebox BOVPN virtual interface.
- A cloud-based virtual network, such as Microsoft Azure, Amazon AWS, and Cisco VTI endpoints.
- A cloud-managed Firebox in another WatchGuard Cloud account.
Configure the BOVPN on the Cloud-Managed Firebox
To configure the BOVPN on the cloud-managed Firebox, from WatchGuard Cloud, add the BOVPN to the Firebox. For more information, go to Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint.
After you configure the BOVPN, you can view the BOVPN Guide to view a summary of BOVPN settings on the cloud-managed device. You can use this as a reference when you configure the remote endpoint. For more information, go to View the BOVPN Guide.
Configure the BOVPN on the Locally-Managed or Third-Party Endpoint
To complete the VPN configuration, on the remote VPN endpoint, configure the VPN as a virtual interface or route-based VPN with these settings:
- Remote gateway — Specify the external domain name or IP address of the cloud-managed Firebox.
- Credential method — Select one of two options:
- Pre-shared Key — Specify the pre-shared key configured in the cloud-managed Firebox BOVPN settings.
- Certificate — Specify an IPSec Firebox certificate used for tunnel authentication.
- Virtual IP addresses — The virtual IP addresses specified in the cloud-managed Firebox BOVPN settings.
- Phase 1 settings — Configure the remote endpoint to use IKEv2, and specify the authentication, encryption, SA Life, and key expiration settings specified in the cloud-managed Firebox BOVPN settings.
- Phase 2 settings — Configure the remote endpoint to use ESP (Encapsulating Security Payload), and specify the authentication, encryption, and key expiration settings specified in the cloud-managed Firebox BOVPN configuration.
- Network resources — Configure the remote endpoint to route traffic through the VPN to the Firebox network resources.
If the remote VPN endpoint is a locally-managed Firebox, to configure the VPN on the locally-managed Firebox, you must:
- Add the BOVPN as a BOVPN virtual interface.
- Set the Remote Endpoint Type to Cloud VPN or Third-Party Gateway.
- In the Phase 1 settings, change the Version to IKEv2.
- Configure all other VPN settings as described in the previous section.
For detailed steps to configure a BOVPN virtual interface on a locally-managed Firebox, go to Configure a BOVPN Virtual Interface.
Test the VPN
After you complete the VPN configuration on both endpoints, try to send traffic through the tunnel and then look at the VPN status in WatchGuard Cloud and on the remote VPN endpoint. For information about how to monitor VPN status in WatchGuard Cloud, go to Monitor VPNs on Fireboxes and FireClusters.