Watchguard Site to Site VPN

Oliver E. Martinez Vasquez 1 Reputation point

I need the IKE phase one + phase two settings for setting up a Route-based connection between our WatchGuard M470 and Azure VNG.



1 answer

  1. TP 75,541 Reputation points


    UPDATE 2024-03-18: Below are the configuration settings I used to successfully connect Firebox to Azure VPN Gateway S2S with IPsec / IKE policy set to Default. Copying here for better visibility.

    BOVPN Virtual Interface: BovpnVif.1
    Remote Endpoint Type: Cloud VPN or Third-Party Gateway
    Restrict tunnel MTU:
    VPN Routes
      Route 1
        Route To:
        Metric: 1
    Dynamic Routing
        Configured: No
        Local IP Address:
        Remote IP Address:
    Phase 2 Settings
      Perfect Forward Secrecy: Disabled
      IPSec Proposals
        Proposal 1
          Name: ESP-AES256-GCM
          Type: ESP
          Authentication: None
          Key Expiration: 8 hours
    Multicast Settings
      Multicast over tunnel: Disabled
      Origination IP:
      Group IP:
      Send multicast traffic on:
      Receive multicast traffic on:
    BOVPN Gateway Settings
      IKE Version: IKEv2
      Credential Method: Pre-shared Key
        Endpoint 1
          Local Interface: External
          Local ID: <FireboxIP> (IP Address)
          Remote IP Address: <AzureVPNIP>
          Remote ID: <FireboxIP> (IP Address)
    Phase 1 Settings
      NAT Traversal: Enabled (20 second interval)
      Dead Peer Detection: Traffic-Based (20 second timeout, 5 max retries)
      Auto Start: Yes
        Transform: 1
          Authentication: SHA2-256
          Encryption: AES (256-bit)
          SA Life: 8 hours
          Key Group: Diffie-Hellman Group 2

    When you created your Site to Site connection, did you leave IPsec / IKE policy set to Default, or did you select Custom?

    Please reference document below for default parameters:

    Please reference below WatchGuard KB article for help configuring:

    Another thing that can be helpful is to navigate to your VPN Gateway in the portal, click the Connections blade, click on your Site-to-Site connection, and then click the Download configuration button at the top. It will ask you to select a manufacturer (pick one like Cisco/Juniper/Ubiquiti), device, and firmware version, and then you can download a text file with the configuration details.

    NOTE: There are no WatchGuard options; however, what you can do is open up the text file for one of the other manufacturers and you will see the various parameters. Looking at these can help you know what you need to enter in your WatchGuard.

    Please click Accept Answer if the above was helpful.
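As an added example (not part of TP's answer, and not WatchGuard or Microsoft code), the following Python check parses the Phase 1 / Phase 2 lines of a Firebox settings dump like the one above and reports any parameter that Azure's default IKEv2 policy would refuse. The Azure policy values are from my recollection of Microsoft's IPsec/IKE parameter documentation and should be verified against the current docs; the DH group mapping covers only the groups Azure accepts.

```python
import re
# Constructed sample input: the Phase 1 / Phase 2 lines of the settings dump above, pasted verbatim.
FIREBOX_DUMP = """\
Phase 2 Settings
  Perfect Forward Secrecy: Disabled
      Name: ESP-AES256-GCM
Phase 1 Settings
      Authentication: SHA2-256
      Encryption: AES (256-bit)
      Key Group: Diffie-Hellman Group 2
"""
# Azure VPN Gateway "Default" IKEv2 policy as I recall it from Microsoft's docs (assumption: verify against current docs).
AZURE_DEFAULT = {
    "ike_encryption": {"AES256", "AES192", "AES128", "DES3", "DES"},
    "ike_integrity": {"SHA384", "SHA256", "SHA1", "MD5"},
    "dh_group": {"DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2"},
    "ipsec_encryption": {"GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192", "AES128", "DES3", "DES"},
    "pfs": {"None"},
}
# WatchGuard Diffie-Hellman group numbers mapped to the names Azure uses.
DH_NAMES = {"2": "DHGroup2", "14": "DHGroup14", "19": "ECP256", "20": "ECP384", "24": "DHGroup24"}

def parse_firebox(dump):
    """Flatten 'Key: Value' lines into {phase: {key: value}}, keyed by the 'Phase N Settings' headers."""
    phases, phase = {}, None
    for line in dump.splitlines():
        header = re.match(r"\s*(Phase \d) Settings", line)
        if header:
            phase = phases.setdefault(header.group(1), {})
        elif phase is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            phase[key.strip()] = value.strip()
    return phases

def to_azure_terms(phases):
    """Translate WatchGuard wording (e.g. 'AES (256-bit)', 'SHA2-256') into Azure policy names."""
    p1, p2 = phases.get("Phase 1", {}), phases.get("Phase 2", {})
    dh = re.search(r"Group (\d+)", p1.get("Key Group", ""))
    gcm = re.match(r"ESP-AES(\d+)-GCM", p2.get("Name", ""))
    return {
        "ike_encryption": re.sub(r"AES \((\d+)-bit\)", r"AES\1", p1.get("Encryption", "missing")),
        "ike_integrity": p1.get("Authentication", "missing").replace("SHA2-", "SHA"),
        "dh_group": DH_NAMES.get(dh.group(1), "unsupported") if dh else "missing",
        "ipsec_encryption": f"GCMAES{gcm.group(1)}" if gcm else p2.get("Name", "missing"),
        "pfs": "None" if p2.get("Perfect Forward Secrecy") == "Disabled" else "enabled",
    }

def mismatches(dump, policy=AZURE_DEFAULT):
    """Return the proposed parameters the Azure policy would reject; an empty list means the tunnel can negotiate."""
    return [f"{name}={value}" for name, value in to_azure_terms(parse_firebox(dump)).items() if value not in policy[name]]
```

Running `mismatches(FIREBOX_DUMP)` on the settings above returns an empty list, while changing the Key Group to Diffie-Hellman Group 1 or enabling PFS produces a mismatch entry naming the offending parameter.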