Watchguard Site to Site VPN

Oliver E. Martinez Vasquez 1 Reputation point
2024-03-11T21:46:13.8933333+00:00

I need the IKE phase one + phase two settings for getting up a Route-based connection between our Wachguard M470 and Azure VNG.

Thanks

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,379 questions
{count} votes

1 answer

Sort by: Most helpful
  1. TP 75,541 Reputation points
    2024-03-11T22:33:38.43+00:00

    Hi,

    UPDATE 2024-03-18: Below are the configuration settings I used to successfully connect Firebox to Azure VPN Gateway S2S with IPsec / IKE policy set to Default. Copying here for better visibility.

    BOVPN Virtual Interface: BovpnVif.1
    Remote Endpoint Type: Cloud VPN or Third-Party Gateway
    Restrict tunnel MTU:
    VPN Routes
      Route 1
        Route To: 10.20.1.0/24
        Metric: 1
    Dynamic Routing
        Configured: No
        Local IP Address:
        Remote IP Address:
    Phase 2 Settings
      Perfect Forward Secrecy: Disabled
      IPSec Proposals
        Proposal 1
          Name: ESP-AES256-GCM
          Type: ESP
          Authentication: None
          Encryption:
          Key Expiration: 8 hours
    Multicast Settings
      Multicast over tunnel: Disabled
      Origination IP:
      Group IP:
      Send multicast traffic on:
      Receive multicast traffic on:
    BOVPN Gateway Settings
      IKE Version: IKEv2
      Credential Method: Pre-shared Key
      Endpoints
        Endpoint 1
          Local Interface: External
          Local ID: <FireboxIP> (IP Address)
          Remote IP Address: <AzureVPNIP>
          Remote ID: <FireboxIP> (IP Address)
    Phase 1 Settings
      NAT Traversal: Enabled (20 second interval)
      Dead Peer Detection: Traffic-Based (20 second timeout, 5 max retries)
      Auto Start: Yes
      Transforms
        Transform: 1
          Authentication: SHA2-256
          Encryption: AES (256-bit)
          SA Life: 8 hours
          Key Group: Diffie-Hellman Group 2
    
    

    When you created your Site to Site connection, did you leave IPsec / IKE policy set to Default, or did you select Custom?

    Please reference document below for default parameters:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec

    Please reference below WatchGuard KB article for help configuring:

    https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZogSAG&type=KBArticle

    Another thing that can be helpful is to navigate to your VPN Gateway in the portal, click Connections blade, click on your Site-to-Site connection, and then click on Download configuration button at the top. It will ask you to select manufacturer (pick one like Cisco/Juniper/Ubiquiti), device, firmware version, and then you can download text file with configuration details.

    NOTE: There are no WatchGuard options, however, what you can do is open up the text file for one of the other manufacturers and you will see the various parameters. By looking at these it can help you to know what you need to enter in your WatchGuard.

    Please click Accept Answer if the above was helpful.

    Thanks.

    -TP