Summary

This article describes how you can create a site-to-site VPN tunnel from a Watchguard

Prerequisites

  • You need to have an active Copaco Hyper-V subscription

  • You must have completed How to create a site-to-site VPN

  • The Watchguard supports IKEv2 in version 11.11.2 and later; make sure the Watchguard is at least at version 11.11.2.

Start

  1. Go to Policy Manager and click on VPN => Branch Office Gateways.

  2. Click on Add to add a gateway.

  3. Enter a name for the gateway (1), fill in the Pre-Shared Key which you entered before in the Copaco Hyper-V portal (2) and click on Add (3).

  4. Enter the local primary IP address under Local Gateway. Under Remote Gateway enter the IP address of the 2tCloud gateway; this can be found in the WAP Portal under the Site-2-Site VNET settings.
    The 2tCloud gateways can be 188.126.112.100 or 188.126.112.101.
    Click on OK.

  5. Select Phase 1 Settings and make sure IKEv2 is selected.

  6. The default Transform Settings are incorrect: select SHA1-3DES and click on Edit.
    Change the settings to SHA1, AES 256-bit and Diffie-Hellman Group 2.

Branch Office Tunnels

  1. After creating the Branch Office Gateway (Phase 1), we need to create a Branch Office Tunnel.
    Go to Policy Manager and select VPN => Branch Office Tunnel.

  2. Click on Add.

  3. Enter a name for the Tunnel and select the Gateway which we created before.

  4. Click on Add to select the local subnet for the VPN tunnel.
    In this case the local subnet is 192.168.1.0/24 and the remote 2tCloud subnet is 172.16.20.0/24.

  5. The Phase 2 settings need to be changed to the following:
    Select PFS and choose Diffie-Hellman Group 14.

  6. Remove the default proposal.

  7. Add a new proposal with the options ESP-SHA1-AES and Lifetime 1 hour.

  8. The configuration is now complete; click on OK and Close.
    Check whether the VPN tunnel is established under Firebox System Manager (Front Panel => Branch Office VPN Tunnels).