Establish BOVPN between Watchguard X750e and x20e using WatchGuard System Manager

Posted on 2007-08-01
Last Modified: 2013-12-14
We are running a new Watchguard Firebox X750e (with Fireware 9.0 on static IP Verizon Business DSL via a Westell Versalink modem set to bridge mode) and able to connect/manage remotely with Watchguard System Manager (WSM).

We are also running a Watchguard x20e on dynamic IP (DHCP Cable Modem) at an off site office.

We attempted to establish a BOVPN between the X750e and X20e while using WatchGuard System Manager to centralize the management. However, we are unable to establish the BOVPN after following instructions from WatchGuard. We are able to connect via PPTP and establish a VPN.

During troubleshooting, we were able to use VPN Manager 7.3 (running off a WatchGuard Firebox X700 on Verizon Business FiOS) to manage the X20e; but when switched to WSM, the X20e shows "dvcp connection timed out" in its log and the X750e had no sign of the X20e making a connection. We simply are unable to establish communication to make a hardware VPN.

One speculation is that the Westell Versalink is catching the connection request from the X20e and preventing it from connecting to the X750e. Another speculation is that Verizon blocks the ports that allow VPN connections (which I think is horse hockey).

We know that T-1 with static IP in all locations would make this simple, but that is unfortunately not an option.  Sacked 2 consultants already...  Any one?
Question by: medic4152

    Assisted Solution

    The WatchGuard Firebox Management policy (WG-Firebox-Mgmt) allows configuration and monitoring connections to be made to the Firebox. It uses the following:
    - Internet Protocol(s): TCP
    - Port Number(s): 4103, 4105, 4117, 4118

    When you configure a Management Server, the WG-Mgmt-Server policy controls incoming connections to the Management Server. It uses the following:
    - Internet Protocol(s): TCP
    - Port Number(s): 4110, 4112, 4113

    The WatchGuard Small Office Management policy (WG-SmallOffice-Mgmt) allows you to make a secure connection to SOHO and Edge Fireboxes from WatchGuard System Manager. It uses the following:
    - Internet Protocol(s): TCP
    - Port Number(s): 4109

    Please make sure all the needed ports (listed above for specific policy) are opened on the ISP.

    Also, make sure you have configured the following:

    1. Enabled the remote management check box [under Administration > WSM Access].
    2. Typed a status passphrase and a configuration passphrase for your Firebox X Edge. These passphrases must match the passphrases you use when you add the device to the Management Server, or the connection will fail.
    3. In the Management Server Address text box, typed the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox that protects the Management Server.
    4. The Client Name you give your Edge to identify it in the Management Server configuration must match the name you use for the Edge when you add it to the Management Server configuration. Please remember that this name is case-sensitive.
    5. Typed the Shared Key. This shared key must be the same on the Edge and the Management Server. The shared key can be obtained from your Management Server.

    If all of the above has already been configured, then uncheck remote management on the X Edge, delete the device from the Management Server, push some other configuration, and then start afresh.

    Thank you.
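A quick way to test the port list above from the remote site, as an added example (not code from the thread or from WatchGuard): it attempts a TCP connect to each port of a policy and separates a refused connection (the packet reached a host, nothing is listening) from a timeout (the SYN was dropped somewhere on the path, which is what a bridged modem or an ISP filtering the port would look like). The target address is a placeholder.

```python
"""
Probe the TCP ports WatchGuard System Manager needs and classify each result
so a port dropped upstream can be told apart from one that is merely closed.

Added example, not from the original thread. The policy-to-port mapping is
the one listed in the answer above; the target host is a placeholder.
"""
import socket

# Port lists as given in the answer above (WSM policies).
WSM_POLICY_PORTS = {
    "WG-Firebox-Mgmt": (4103, 4105, 4117, 4118),
    "WG-Mgmt-Server": (4110, 4112, 4113),
    "WG-SmallOffice-Mgmt": (4109,),
}


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'error' for host:port.

    'closed'   -> a RST came back: the packet reached a host, nothing listens.
    'filtered' -> no answer within the timeout: something between us and the
                  peer (ISP, bridged modem, firewall policy) is dropping it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def probe_policy(host, policy, timeout=3.0):
    """Probe every port of one WSM policy; returns {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in WSM_POLICY_PORTS[policy]}


def blocked_ports(results):
    """Ports that look dropped on the path (timed out) rather than refused."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    # Placeholder (assumed): the public address of the Firebox in front of
    # the Management Server. Substitute your own.
    target = "203.0.113.10"
    for policy in WSM_POLICY_PORTS:
        res = probe_policy(target, policy)
        print(policy, res)
        if blocked_ports(res):
            print("  likely dropped upstream:", blocked_ports(res))
```

Run it from the remote office against the Management Server's public address; a port reported as "filtered" while the others come back "open" or "closed" points at a device on the path rather than at the WSM configuration.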

    Expert Comment

    Establishing a Manual BOVPN connection between the two devices would be very straightforward. I have 7 Edges using a mixture of dynamic and static addressing connecting to an X700 running Fireware Pro. You simply need to use aggressive mode and use a domain name (basically a Firebox alias) in lieu of a remote IP when defining the remote gateway.

    Setting up WSM for 2 devices seems somewhat excessive in terms of effort and cost when it is so straightforward and reliable to use Manual IPSec.

    Granted, you're the customer, but my advice and, incidentally, the advice of a senior Watchguard techie here in the UK was to forget WSM and use aggressive mode.

    The only main management advantage using WSM with an Edge is to use a centralised webblocker policy, but you only have the one Edge to manage.  Remote management would be straightforward - simply allow HTTPS and either

    1) check the logs for the most recent dynamic address
    2) Set up the Firebox to use dynamic DNS and ping it when you need to find out IP

    If you're happy to stick with manual BOVPN, I can post detailed instructions on getting the two talking.

    Expert Comment

    Agreed, I have over 120 Edges/Edge-e/and SOHO6s connecting to our central office. All are using manual BOVPN.

    Setup, even with DDNS, is fairly simple. Aggressive mode is only needed when you are traversing NAT. Sounds like you are not. You should be able to use main mode.

    You will end up using an IP id type on the x750e, and Domain Name for the x20e.

    Author Comment

    Hi all, I have been on the phone with Watchguard Tech Support for over 3 hours yesterday and it got elevated to second level.

    The WatchGuard tech was unable to establish the BOVPN after logging into my Firebox X750e and Edge X20e. Second level support's initial comment is that it could be a firmware issue. Apparently v8.5.1 (the latest release) has problems working with WatchGuard System Manager.

    Using WSM, we are able to connect to the Edge X20e initially and download all the necessary settings to the Edge.  But once the Edge reboots, nothing.  It didn't connect to the WSM with its updated IP address so the BOVPN can be established.  That's where the hang up is.

    We have absolutely no problem using VPN Manager 7.3 managing the Edge x20e's BOVPN connection with our Firebox X700 using the same exact Edge box.

    Expert Comment

    It would be good idea to upgrade to latest 9.0 as it is available and has fixes for many known issues and bugs in the previous releases.

    Author Comment

    Hi all,

    Manual VPN sounds good at this point; while Watchguard figures out WSM.  Would Hastile please post the instruction?

    I wasn't clear on what WatchGuard related back. The X750e is running Fireware 9.0. The firmware on the Edge box is v8.5 and, according to WatchGuard, WSM seems to have problems managing the Edge X20e with that firmware. WatchGuard is proposing to downgrade the Edge's firmware to v8.0 to resolve the issue.

    Connecting the same Edge x20e to Firebox X700 using VPN Manager 7.3 (completely separate) has no issues what so ever.

    Expert Comment

    I have version 9 on my work laptop.  We are still running 8.3, so my current notes are inaccurate.  If you can wait until Monday morning (GMT) - I will post instructions.

    Author Comment

    Hi Hastiles,

    I can wait until Monday.  Thanks.

    Accepted Solution


    Main site: Firebox X750e running Fireware Pro 9

    Remote site: Edge running v8.x firmware

    Firebox X750e
    Click on VPN, Branch Office Gateways, choose Add

    New Gateway
    Gateway Name - gw-test
    Pre-shared key - make it at least 15 characters
    Gateway endpoint - local gateway ID by IP Address (external IP of X750e);
                       remote gateway ID by domain name, also gw-test, use dynamic address
    Phase 1 settings - aggressive mode, SHA1-3DES, NAT Traversal and SA Life 24 hours

    VPN Tunnels
    Create a new tunnel called vpn-test using gateway gw-test
    Tunnel route settings - remote address, local address, enabled in both directions

    Now on the Edge

    Click on VPN, Manual VPN and add a new gateway
    Name - vpn-test
    Shared key - as above
    Phase 1 settings
    Aggressive mode
    Remote IP Address - local ID - gw-test, type Domain Name
    Remote ID - external address of Firebox X750e, type IP Address
    Expires 0 KB, 24 hours
    Phase 2 settings - same as phase 1

    Add routing policy from (local) to (remote)

    That should work
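The two halves of the procedure above have to mirror each other exactly, and a case difference in the domain-name ID or a stray character in the shared key fails Phase 1 with nothing more helpful than a timeout in the log. As an added example, not from the thread or from WatchGuard, this script records the settings from the accepted solution for both sides and cross-checks them; the external IP and the key are placeholders, and the field names are this script's own.

```python
"""
Cross-check the two halves of a WatchGuard manual BOVPN (Firebox gateway vs.
Edge manual VPN) before pushing them: shared key, IKE mode, ID type/value
pairing and lifetime must mirror each other or Phase 1 never completes.

Added example, not from the thread or from WatchGuard. Values mirror the
accepted solution above; the external IP and key are placeholders (assumed).
"""

# Placeholders (assumed): substitute the X750e's real external address and a
# real shared key of at least 15 characters.
FIREBOX_EXTERNAL_IP = "203.0.113.10"
PSK = "example-psk-change-me-16"


def side(name, psk, mode, local_id, local_type, remote_id, remote_type,
         lifetime_hours, remote_dynamic=False):
    """One end of the tunnel as typed into its VPN dialog."""
    return {
        "name": name, "psk": psk, "mode": mode,
        "local_id": local_id, "local_type": local_type,
        "remote_id": remote_id, "remote_type": remote_type,
        "lifetime_hours": lifetime_hours, "remote_dynamic": remote_dynamic,
    }


# Firebox X750e branch office gateway: local ID by IP, remote ID by domain
# name because the Edge sits on a dynamic address.
X750E = side("gw-test", PSK, "aggressive",
             FIREBOX_EXTERNAL_IP, "ip_address",
             "gw-test", "domain_name", 24, remote_dynamic=True)

# Edge manual VPN: the mirror image, local ID by domain name, remote by IP.
EDGE = side("vpn-test", PSK, "aggressive",
            "gw-test", "domain_name",
            FIREBOX_EXTERNAL_IP, "ip_address", 24)


def check_pair(a, b):
    """Return the list of inconsistencies; empty means the pair can negotiate."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared key differs between the two sides")
    if len(a["psk"]) < 15:
        problems.append("pre-shared key is shorter than 15 characters")
    for s in (a, b):
        if s["mode"] != "aggressive":
            problems.append(f"{s['name']}: not aggressive mode, but a peer "
                            "identified by domain name needs it")
        if s["remote_dynamic"] and s["remote_type"] != "domain_name":
            problems.append(f"{s['name']}: a dynamic peer must be identified "
                            f"by domain name, not {s['remote_type']}")
    # IDs must cross over: my local ID (and its type) is the peer's remote ID.
    # The comparison is case-sensitive, as the Firebox treats these names.
    for mine, peer in ((a, b), (b, a)):
        if (mine["local_id"], mine["local_type"]) != (peer["remote_id"], peer["remote_type"]):
            problems.append(
                f"{mine['name']}: local ID {mine['local_id']!r} "
                f"({mine['local_type']}) is not what {peer['name']} expects: "
                f"{peer['remote_id']!r} ({peer['remote_type']})")
    if a["lifetime_hours"] != b["lifetime_hours"]:
        problems.append("Phase 1 SA lifetime differs between the two sides")
    return problems


if __name__ == "__main__":
    print("as configured:", check_pair(X750E, EDGE) or "consistent")
    # A capitalisation slip in the Edge's local ID is enough to break it.
    typo = dict(EDGE, local_id="GW-Test")
    for p in check_pair(X750E, typo):
        print("typo:", p)
```

Run with no arguments; the first line should read "consistent". The check insists on aggressive mode because the Edge identifies itself by domain name, as in the procedure above: IKEv1 main mode with a pre-shared key can only identify the peer by its IP address, which a dynamically addressed Edge does not have.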

    Author Comment

    End of the day, we do have a Manual BOVPN up, but not managed by WSM. I still believe the issue lies in WSM not working well with the Edge box's firmware.

    Thank you both for your expert assistance.
