WatchGuard VPN
Site-to-site and mobile VPN
Branch Office VPN (BOVPN)
Site-to-site IPsec tunnels between WatchGuard devices or third-party firewalls.
Configuration Steps
1. Go to VPN > Branch Office VPN
2. Add a new gateway with the peer IP (or gateway ID) and the pre-shared key
3. Configure Phase 1 settings (IKE version, encryption, authentication hash, DH group)
4. Add a tunnel with the local and remote networks
5. Configure Phase 2 settings (ESP encryption, authentication, PFS)
6. Allow the VPN traffic with policies: the Firebox can add the tunnel to the default BOVPN-Allow.in and BOVPN-Allow.out policies, which are Any policies; restrict them to the protocols and hosts the sites actually need
Recommended Settings
| Setting | Value |
|---|---|
| IKE Version | IKEv2 (preferred) |
| Phase 1 Encryption | AES-256 |
| Phase 1 Hash | SHA-256 |
| DH Group | Group 14 (2048-bit MODP) or higher; groups 19/20 (ECDH) where both peers support them |
| PFS | Enable, using the same DH group as Phase 1 |
Mobile VPN
Remote user VPN options for secure access.
VPN Types
| Type | Best For |
|---|---|
| SSL VPN | Runs over TCP 443, so it works from networks that block IKE/IPsec; uses the OpenVPN-based WatchGuard SSL client downloaded from the Firebox portal |
| IKEv2 | Native client support (Windows, macOS, iOS), no WatchGuard client needed |
| IPSec | Legacy compatibility, WatchGuard IPSec Mobile VPN client |
| L2TP | Wide device support (legacy); L2TP over IPsec with a pre-shared key |
Authentication
- Local Firebox users
- RADIUS (integrates with AD)
- LDAP/Active Directory directly
- AuthPoint MFA (recommended)
Troubleshooting
Common Issues
- Tunnel won't establish:
  - Verify the PSK matches on both ends
  - Check that Phase 1/2 settings and gateway IDs match on both ends
  - Ensure UDP 500 (IKE) and UDP 4500 (NAT-T) are open, plus ESP (IP protocol 50) when neither peer is behind NAT
- Traffic not passing:
  - Verify the tunnel routes (local/remote networks) are correct
  - Check for overlapping subnets, both within a tunnel and across tunnels
  - Review the BOVPN-Allow policies
- Intermittent drops:
  - Enable DPD (Dead Peer Detection)
  - Check NAT-T: with a peer behind NAT, UDP 4500 must stay open and the NAT mapping must not time out between keepalives
  - Review the SA lifetime settings on both ends; drops at a fixed interval point to rekey failures
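The checks in the recommended-settings table and the first two troubleshooting items (proposals must match, PFS must be on with the Phase 1 group, tunnel routes must not overlap) can be run over a tunnel definition before it is deployed. The script below is an added example, not WatchGuard code; the configuration dictionaries, the tunnel list and the peer names are constructed for illustration, and the field names are this example's own, not Fireware's.

```python
"""Pre-deployment sanity check for a site-to-site IPsec tunnel definition:
Phase 1/2 settings must match on both peers, meet the recommended baseline,
keep PFS aligned with the Phase 1 DH group, and tunnel routes must not overlap.
Constructed example; the field names are this script's own, not Fireware's."""
import ipaddress

# Baseline from the recommended-settings table.
BASELINE_ENC = "AES-256"
BASELINE_HASH = "SHA-256"
MIN_DH_GROUP = 14  # group 14 = 2048-bit MODP; groups 19/20 are ECDH curves


def phase_findings(phase, local, remote, keys):
    """Settings that differ between the two peers for one phase. IKE only
    selects a proposal both sides offer, so any difference here is a
    'tunnel won't establish' cause."""
    return [
        f"{phase}: {k} differs (local={local.get(k)!r}, remote={remote.get(k)!r})"
        for k in keys if local.get(k) != remote.get(k)
    ]


def baseline_findings(phase, side, cfg):
    """Settings that would negotiate but fall below the recommended baseline."""
    out = []
    if cfg.get("encryption") != BASELINE_ENC:
        out.append(f"{phase} ({side}): encryption {cfg.get('encryption')!r}, use {BASELINE_ENC}")
    if cfg.get("hash") != BASELINE_HASH:
        out.append(f"{phase} ({side}): hash {cfg.get('hash')!r}, use {BASELINE_HASH}")
    group = cfg.get("dh_group")  # in Phase 2 this is the PFS group; None = PFS off
    if group is not None and group < MIN_DH_GROUP:
        out.append(f"{phase} ({side}): DH group {group}, use {MIN_DH_GROUP} or higher")
    return out


def pfs_findings(side, p1, p2):
    """PFS must be enabled and use the same DH group as Phase 1."""
    group = p2.get("dh_group")
    if group is None:
        return [f"Phase 2 ({side}): PFS disabled, enable it with DH group {p1.get('dh_group')}"]
    if group != p1.get("dh_group"):
        return [f"Phase 2 ({side}): PFS group {group} differs from Phase 1 group {p1.get('dh_group')}"]
    return []


def route_findings(tunnels):
    """Overlapping networks: a packet matching both sides of one tunnel, or a
    remote network claimed by two tunnels, cannot be routed unambiguously."""
    nets = [(name, ipaddress.ip_network(l, strict=False), ipaddress.ip_network(r, strict=False))
            for name, l, r in tunnels]
    out = [f"{name}: local {l} overlaps remote {r}" for name, l, r in nets if l.overlaps(r)]
    for i, (n1, _, r1) in enumerate(nets):
        for n2, _, r2 in nets[i + 1:]:
            if r1.overlaps(r2):
                out.append(f"{n1}/{n2}: remote networks {r1} and {r2} overlap")
    return out


def validate(local, remote, tunnels):
    """Return every finding for a gateway pair and its tunnel routes."""
    findings = []
    findings += phase_findings("Phase 1", local["phase1"], remote["phase1"],
                               ("ike_version", "encryption", "hash", "dh_group"))
    findings += phase_findings("Phase 2", local["phase2"], remote["phase2"],
                               ("encryption", "hash", "dh_group"))
    for side, cfg in (("local", local), ("remote", remote)):
        findings += baseline_findings("Phase 1", side, cfg["phase1"])
        findings += baseline_findings("Phase 2", side, cfg["phase2"])
        findings += pfs_findings(side, cfg["phase1"], cfg["phase2"])
    findings += route_findings(tunnels)
    return findings


# Constructed sample: the local Firebox follows the table; the remote peer
# was configured by hand and drifted (SHA-1 in Phase 1, PFS switched off).
LOCAL = {
    "phase1": {"ike_version": 2, "encryption": "AES-256", "hash": "SHA-256", "dh_group": 14},
    "phase2": {"encryption": "AES-256", "hash": "SHA-256", "dh_group": 14},
}
REMOTE = {
    "phase1": {"ike_version": 2, "encryption": "AES-256", "hash": "SHA-1", "dh_group": 14},
    "phase2": {"encryption": "AES-256", "hash": "SHA-256", "dh_group": None},
}
TUNNELS = [  # (name, local network, remote network); constructed addresses
    ("HQ-to-Branch1", "10.0.0.0/16", "10.1.0.0/24"),
    ("HQ-to-Branch2", "10.0.0.0/16", "10.1.0.0/16"),  # swallows Branch1's range
]

if __name__ == "__main__":
    for finding in validate(LOCAL, REMOTE, TUNNELS):
        print(finding)
```

Run it before pushing a gateway change; an empty result means the two peers offer identical proposals at or above the baseline and no tunnel route shadows another. Proposal mismatches are the "tunnel won't establish" class; route overlaps are the "traffic not passing" class.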