Watchguard Site to Site VPN

Oliver E. Martinez Vasquez 1 Reputation point
2024-03-11T21:46:13.8933333+00:00

I need the IKE phase one + phase two settings for setting up a route-based connection between our WatchGuard M470 and Azure VNG.

Thanks

Azure VPN Gateway

1 answer

  1. TP 76,686 Reputation points
    2024-03-11T22:33:38.43+00:00

    Hi,

    UPDATE 2024-03-18: Below are the configuration settings I used to successfully connect Firebox to Azure VPN Gateway S2S with IPsec / IKE policy set to Default. Copying here for better visibility.

    BOVPN Virtual Interface: BovpnVif.1
    Remote Endpoint Type: Cloud VPN or Third-Party Gateway
    Restrict tunnel MTU:
    VPN Routes
      Route 1
        Route To: 10.20.1.0/24
        Metric: 1
    Dynamic Routing
        Configured: No
        Local IP Address:
        Remote IP Address:
    Phase 2 Settings
      Perfect Forward Secrecy: Disabled
      IPSec Proposals
        Proposal 1
          Name: ESP-AES256-GCM
          Type: ESP
          Authentication: None
          Encryption:
          Key Expiration: 8 hours
    Multicast Settings
      Multicast over tunnel: Disabled
      Origination IP:
      Group IP:
      Send multicast traffic on:
      Receive multicast traffic on:
    BOVPN Gateway Settings
      IKE Version: IKEv2
      Credential Method: Pre-shared Key
      Endpoints
        Endpoint 1
          Local Interface: External
          Local ID: <FireboxIP> (IP Address)
          Remote IP Address: <AzureVPNIP>
          Remote ID: <FireboxIP> (IP Address)
    Phase 1 Settings
      NAT Traversal: Enabled (20 second interval)
      Dead Peer Detection: Traffic-Based (20 second timeout, 5 max retries)
      Auto Start: Yes
      Transforms
        Transform: 1
          Authentication: SHA2-256
          Encryption: AES (256-bit)
          SA Life: 8 hours
          Key Group: Diffie-Hellman Group 2
    When you created your Site to Site connection, did you leave IPsec / IKE policy set to Default, or did you select Custom?

    Please reference document below for default parameters:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec

    Please reference below WatchGuard KB article for help configuring:

    https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZogSAG&type=KBArticle

    Another thing that can be helpful is to navigate to your VPN Gateway in the portal, click the Connections blade, click on your Site-to-Site connection, and then click the Download configuration button at the top. It will ask you to select a manufacturer (pick one like Cisco/Juniper/Ubiquiti), device, and firmware version, and then you can download a text file with the configuration details.

    NOTE: There are no WatchGuard options; however, what you can do is open up the text file for one of the other manufacturers and you will see the various parameters. Looking at these can help you know what you need to enter in your WatchGuard.

    Please click Accept Answer if the above was helpful.

    Thanks.

    -TP
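As an added example (not part of the question or TP's answer, and not WatchGuard or Microsoft code), the script below parses the indented "Key: Value" listing that Firebox produces for a BOVPN virtual interface, as pasted in the answer above, and runs a small defensive review over it. The sample listing is a constructed excerpt of that configuration; the review rules are this example's own assumptions about a reasonable IPsec baseline (Diffie-Hellman Group 2 is the 1024-bit MODP group, PFS off means child-SA keys are derived from the IKE SA alone, and ESP with no integrity algorithm is only acceptable with an AEAD cipher such as AES-GCM). The names `parse_listing`, `lifetime_seconds` and `review` are this example's, not Firebox or Azure API names.

```python
import re

# Constructed excerpt of the Firebox BOVPN virtual interface listing shown in the answer.
FIREBOX_LISTING = """\
BOVPN Gateway Settings
  IKE Version: IKEv2
  Credential Method: Pre-shared Key
Phase 1 Settings
  NAT Traversal: Enabled (20 second interval)
  Dead Peer Detection: Traffic-Based (20 second timeout, 5 max retries)
  Transforms
    Transform: 1
      Authentication: SHA2-256
      Encryption: AES (256-bit)
      SA Life: 8 hours
      Key Group: Diffie-Hellman Group 2
Phase 2 Settings
  Perfect Forward Secrecy: Disabled
  IPSec Proposals
    Proposal 1
      Name: ESP-AES256-GCM
      Type: ESP
      Authentication: None
      Key Expiration: 8 hours
"""

# Assumed baseline: MODP groups of 1536 bits or less are treated as weak.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = ("MD5", "SHA1")
MAX_LIFETIME_S = 24 * 3600  # assumed upper bound for any SA lifetime


def parse_listing(text):
    """Turn the indented listing into nested dicts.

    A line is a section when the next non-blank line is indented deeper;
    otherwise it is a 'Key: Value' leaf. Section labels such as
    'Transform: 1' become 'Transform 1'.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    indents = [len(l) - len(l.lstrip(" ")) for l in lines]
    root = {}
    stack = [(-1, root)]  # (indent, dict) for the open sections
    for i, raw in enumerate(lines):
        indent = indents[i]
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        is_section = i + 1 < len(lines) and indents[i + 1] > indent
        if is_section:
            name = " ".join(p.strip() for p in raw.split(":") if p.strip())
            node = {}
            parent[name] = node
            stack.append((indent, node))
        else:
            key, _, value = raw.strip().partition(":")
            parent[key.strip()] = value.strip()
    return root


def lifetime_seconds(text):
    """Convert a Firebox lifetime such as '8 hours' or '30 minutes' to seconds."""
    m = re.match(r"(\d+)\s*(hour|minute|second)", text)
    if not m:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    return int(m.group(1)) * {"hour": 3600, "minute": 60, "second": 1}[m.group(2)]


def review(cfg):
    """Return a list of findings against the assumed baseline (empty means clean)."""
    findings = []
    gw, p1, p2 = cfg["BOVPN Gateway Settings"], cfg["Phase 1 Settings"], cfg["Phase 2 Settings"]
    if gw.get("IKE Version") != "IKEv2":
        findings.append("Gateway: IKE version is not IKEv2")
    for name, t in p1["Transforms"].items():
        grp = re.search(r"Group (\d+)", t.get("Key Group", ""))
        if grp and grp.group(1) in WEAK_DH_GROUPS:
            findings.append(f"{name}: Diffie-Hellman Group {grp.group(1)} is a 1536-bit-or-smaller "
                            "MODP group; prefer Group 14 or an ECP group")
        if any(h in t.get("Authentication", "").upper() for h in WEAK_HASHES):
            findings.append(f"{name}: weak integrity algorithm {t['Authentication']}")
        if lifetime_seconds(t["SA Life"]) > MAX_LIFETIME_S:
            findings.append(f"{name}: IKE SA lifetime exceeds {MAX_LIFETIME_S}s")
    if p2.get("Perfect Forward Secrecy", "").lower() == "disabled":
        findings.append("Phase 2: PFS disabled; child-SA keys derive from the IKE SA only")
    for name, prop in p2["IPSec Proposals"].items():
        if prop.get("Authentication") == "None" and "GCM" not in prop.get("Name", "").upper():
            findings.append(f"{name}: ESP without integrity and a non-AEAD cipher")
        if lifetime_seconds(prop["Key Expiration"]) > MAX_LIFETIME_S:
            findings.append(f"{name}: IPsec SA lifetime exceeds {MAX_LIFETIME_S}s")
    return findings


if __name__ == "__main__":
    for finding in review(parse_listing(FIREBOX_LISTING)):
        print("-", finding)
```

Run against the listing from the answer, the review reports two items: the DH Group 2 key group in Phase 1 and PFS being disabled in Phase 2; the ESP-AES256-GCM proposal passes because GCM supplies its own integrity. Both flagged settings are interoperable with the Azure side as the answer describes, so the output is a prompt to check whether the peer also accepts a stronger group and PFS, not a statement that the tunnel is broken.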