WatchGuard IKEv2 with Branch Office VPNs (BOVPNs)

In our previous article we discussed the newly available IKEv2 mobile VPN and the benefits of moving your users to this version for remote connection. If your firewall is running firmware version 11.11.2 or higher, IKEv2 is also available for use in branch office VPNs (BOVPNs).


BOVPN IKEv2 Availability

IKEv2 is available as a configuration option for:

  • Manual branch office VPNs

  • Virtual branch office VPNs


IKEv2 is not currently available as a configuration option for:

  • Managed branch office VPNs

  • Branch office VPNs connected to Microsoft Azure

  • Branch office VPNs connected to Amazon AWS


Benefits of IKEv2

There are two main benefits to upgrading your BOVPNs to IKEv2: performance and security. The previous option, IKEv1, has often caused incompatibilities between firewalls and overcomplicated the connection process. IKEv1 also offers multiple connection modes (Main and Aggressive), which has left many users confused about which mode to use.


IKEv2 greatly simplifies the process. The negotiation between firewalls is simpler, making for an easier connection. Additionally, unlike IKEv1, in which both sides must use the same authentication method, IKEv2 allows the two sides of the connection to use different authentication methods.


Transitioning to IKEv2

Transitioning a BOVPN to IKEv2 is very simple. The only requirement is that both sides of the phase 1 gateway must be set to IKEv2.


To change a manual BOVPN to IKEv2:

  1. In Policy Manager, navigate to VPN > Branch Office Gateways.

  2. Select the gateway that you want to update and click Edit.

  3. Select the Phase 1 Settings tab.

  4. In the Version drop-down, select IKEv2.

  5. Save your firewall policy.

  6. Ensure that the gateway setting on each firewall is changed to IKEv2.


To change a virtual BOVPN to IKEv2:

  1. In Policy Manager, navigate to VPN > BOVPN Virtual Interfaces.

  2. Select the virtual BOVPN that you want to update and click Edit.

  3. Select the Phase 1 Settings tab.

  4. In the Version drop-down, select IKEv2.

  5. Save your firewall policy.

  6. Ensure that the gateway setting on each firewall is changed to IKEv2.


Once your BOVPN is converted to IKEv2, you will see it listed as such in your Firebox System Manager on the Front Panel under Branch Office VPNs.
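
As an independent check that both gateways negotiate IKEv2 after the change, the version and exchange type can be read from the fixed IKE header of messages in a packet capture. The Python below is an added example, not WatchGuard code or part of the original article; the peer addresses and packets are constructed sample data, and the function names are our own.

```python
import struct

# Fixed ISAKMP/IKE header: SPIs, next payload, version, exchange, flags, msg id, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGES = {
    (1, 2): "IKEv1 Main Mode", (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational", (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKE_SA_INIT", (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA", (2, 37): "INFORMATIONAL",
}

def parse_ike(payload, port=500):
    """Return (major, minor, exchange name), or None if this is not an IKE message."""
    if port == 4500:
        # On the NAT-T port, IKE is prefixed by a 4-byte zero non-ESP marker;
        # anything else on 4500 is ESP-in-UDP and carries no IKE header.
        if payload[:4] != b"\x00" * 4:
            return None
        payload = payload[4:]
    if len(payload) < IKE_HEADER.size:
        return None
    _, _, _, version, exch, _, _, length = IKE_HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2) or length < IKE_HEADER.size:
        return None
    return major, minor, EXCHANGES.get((major, exch), f"unknown ({exch})")

def legacy_peers(packets):
    """Map each peer seen speaking IKEv1 to the IKEv1 exchanges observed."""
    found = {}
    for peer, port, payload in packets:
        parsed = parse_ike(payload, port)
        if parsed and parsed[0] == 1:
            found.setdefault(peer, set()).add(parsed[2])
    return found

def _constructed(version, exchange):
    """Header-only sample message (constructed test data, not a real capture)."""
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange, 0, 0, 28)

SAMPLE = [  # (peer address, UDP port, UDP payload), all constructed
    ("203.0.113.10", 500, _constructed(0x20, 34)),
    ("203.0.113.10", 4500, b"\x00" * 4 + _constructed(0x20, 35)),
    ("198.51.100.7", 500, _constructed(0x10, 4)),
    ("203.0.113.10", 4500, b"\xc0\xff\xee\x01" + b"\x00" * 40),  # ESP-in-UDP
]

if __name__ == "__main__":
    for peer, names in legacy_peers(SAMPLE).items():
        print(peer, "still negotiates", sorted(names))
```

A peer that still appears in the result has at least one side of its gateway left on IKEv1.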
