This article describes how you can create a site-to-site VPN tunnel from a WatchGuard


  • You need to have an active Copaco Hyper-V subscription

  • You must have completed How to create a site-to-site VPN

  • The WatchGuard supports IKEv2 in version 11.11.2 and later; make sure the WatchGuard is running at least version 11.11.2.


  1. Go to Policy Manager and click on VPN => Branch Office Gateways

  2. Click on Add to add a gateway.

  3. Enter a name for the gateway (1), fill in the Pre-Shared Key that you entered earlier in the Copaco Hyper-V portal (2), and click on Add (3)

  4. Enter the local primary IP address under Local Gateway. Under Remote Gateway, enter the IP address of the 2tCloud Gateway; this can be found in the WAP Portal under the Site-2-Site VNET settings.
    The 2tCloud gateways can be or
    Click on OK

  5. Select Phase1 Settings and make sure IKEv2 is selected

  6. The default Transform Settings are incorrect; select SHA1-3DES and click on Edit.
    Change the settings to SHA1, AES 256-bit and Diffie-Hellman Group2

Branch Office Tunnels

  1. After creating the Branch Office Gateway (Phase 1), we need to create a Branch Office Tunnel.
    Go to Policy Manager and select VPN => Branch Office Tunnel.

  2. Click on Add

  3. Enter a name for the Tunnel and select the Gateway which we created before

  4. Click on Add to select the local subnet for the VPN-tunnel
    In this case the local subnet is and the Remote 2tCloud subnet is

  5. The Phase 2 settings need to be changed to the following:
    Select PFS and choose Diffie-Hellman Group14

  6. Remove the default proposal.

  7. Add a new proposal with these options: ESP-SHA1-AES and a Lifetime of 1 hour.

  8. The configuration is now complete; click on OK and Close.
    Check whether the VPN tunnel is built under Firebox System Manager (Front Panel => Branch Office VPN Tunnels)