Watchguard IPsec Configuration

Overview

This article will show you how to configure the Watchguard to connect to the Acreto Ecosystem. This configuration will be made by using IPsec VPN.

Prerequisites

  1. Watchguard installation
  2. Ecosystem set up with proper security policies

How-To

Step 1: Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway, or similar tools.

Step 2: Read the Values from Acreto Gateway

To proceed with the Watchguard configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Peer ID
  4. Recommended Ciphers Wedge - New Gateway

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Animation how to get required values from Gateway [▶]

Step 3: Configure VPN settings on Watchguard

  1. Create Phase 2 proposal - Navigate to VPN > Phase 2 Proposals and click ADD button Watchguard - VPN

  2. Create Phase 2 with the following values and SAVE

  • Name: Acreto
  • Description: Acreto phase2 selectors
  • Type: ESP
  • Authentication: SHA-512
  • Encryption: AES(128-bit)
  • Time: 1 hour Watchguard - VPN

  1. To set up IPsec VPN navigate to VPN > BOVPN Virtual Interfaces and click ADD from the right pane Watchguard - VPN

  2. Select Remote Endpoint Type as Cloud VPN or Third-Party Gateway Watchguard - VPN

  3. Provide the Preshared key copied from the Wedge dashboard in Step 1 and click ADD button to configure Gateway Endpoint Watchguard - VPN

  4. Configure Local gateway - Select Interface By Domain Name and provide the Peer ID copied from Wedge dashboard in Step 1. Watchguard - VPN

  5. Configure Remote gateway with values copied in Step 1 and click OK

  • Static IP Address : Wedge_gateway
  • By IP Address: Wedge_gateway Watchguard - VPN

  1. Click Phase 1 Settings tab Watchguard - VPN

  2. the following values

  • Version: IKEv2
  • Keep-alive interval: 540 seconds
  • Traffic-idle timeout: 30 seconds Watchguard - VPN
  1. Select the Phase 1 Transform set in Transform Settings and click EDIT. Set the following values and click OK.
  • Authentication: SHA2-512
  • Encryption: AES(28-bit)
  • SA Life: 3 hours
  • Key Group: Diffie-Hellman Group 15 Watchguard - VPN
  1. Click Phase 2 Settings and configure Phase 2 with values as below
  • Enable Perfect Forward Secrecy: Diffie-Hellman Group 15

Select Acreto from Phase 2 proposal and ADD and SAVE. Watchguard - VPN

  1. Verify the tunnel status - Navigate to SYSTEM STATUS > VPN Statistics > Branch Office VPN and click IKEv2 Virtual Interface. If the VPN is successfully established, the statistics related to VPN will be displayed. Watchguard - VPN

Summary

Once the VPN connection is successfully established, all the internet traffic will be routed through Acreto.

Next page: WireGuard - Administrator Guide