
Knowledge Base - Meraki Dashboard

https://kb.meraki.com/knowledge_base/watchguard-xtm-site-to-site-vpn-with-mx-series[05/05/2014 04:38:12 p.m.]


Knowledge Base

Watchguard XTM Site-to-site VPN with MX Series
The Watchguard XTM can form a site-to-site VPN with a Meraki MX series security appliance. To do this, log in to the Watchguard by connecting to its IP address
via a web browser. On the left-hand side, click VPN -> Branch Office VPN. Under the Gateways tab, click Add and give the gateway a name that will be
meaningful to you and easy to remember.
Under the General Settings tab, select the radio button for Pre-Shared Key and enter the key string exactly as it appears on the MX under
Configure -> VPN -> Non-Meraki VPN peers -> (peer) -> "Preshared secret". In the Gateway Endpoints section, click the Add button to open the Gateway Endpoint Settings
page, where you specify the local and remote peers participating in the VPN tunnel. If the MX is in a NAT environment, the Remote IP will be the public address of the
MX, while the Remote ID will be the private address.
Under Local Gateway, select the radio button for By IP Address and enter the public IP address of the Watchguard, in our example 1.1.1.1. Under the section
labeled Remote Gateway, select the radio button for Remote Gateway Static IP Address and enter the public IP address of the MX security appliance, in our
example 2.2.2.2. Please note that this must be the IP address of the primary interface specified on the MX under Monitor -> Router Status. Therefore, if you
have the primary uplink configured as Internet 1, you must use Internet 1's public IP address. Under the section for Gateway ID for Tunnel Authentication,
select By IP address and again enter the public IP of the MX security appliance. Select the OK button.
Back on the Gateway page, select the Phase 1 Settings tab and ensure that Main is selected in the drop-down menu labeled Mode. NAT traversal and Dead Peer
Detection are not required but can remain selected for improved tunnel stability. Under Transform Settings, select Add and ensure that under Phase 1 settings
SHA1-3DES is chosen for the encryption and authentication algorithms and that under Key Group, Diffie-Hellman Group 2 is selected. Click the Save button to
return to the Branch Office VPN page. Under the Tunnels section, select the Add button.
Give the Tunnel group a name that is meaningful to you, in our case VPN Phase 2. In the drop-down menu labeled Gateway, select the name you created in the
previous step. Under the Addresses section, select the Add button. In the field for Local IP, enter the local IP subnet range. Additionally, select Network IP for the
Remote IP section and enter the subnet of the MX security appliance. Be sure to check the box for adding the tunnel to the BOVPN-Allow policies and make sure that the
tunnel is configured for bi-directional communication.
Solution #1058, updated on January 15, 2014
Click the Phase 2 Settings tab to move to the next section. Make sure that the checkbox for PFS (Perfect Forward Secrecy) is unchecked. Under IPSec
Proposals, the drop-down menu specifies a variety of encryption and authentication methods. The MX security appliance can accept any of the following
encryption algorithms: DES, 3DES, AES-128, AES-192 and AES-256. Additionally, the MX can accept either SHA1 or MD5 as the authentication hashing
algorithm. Any combination of encryption and authentication algorithms can work; however, please use ESP as the IPSec protocol suite. Click the Add button to
add these to the list and select the Save button to return to the Branch Office VPN page. With the settings saved to the Watchguard, it will attempt to
establish an IPsec VPN tunnel with the MX once client traffic attempts to access the remote subnet.
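As an added example (not part of the original article and not Meraki or Watchguard code), the following Python script checks a planned set of Watchguard settings against the values the steps above require before they are entered in the web UI. The function name and dictionary keys are hypothetical, the sample plan is constructed from the article's example addresses, and the warning on DES and MD5 is an added judgement, not something the article states.

```python
import ipaddress

MX_P2_ENC = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
MX_P2_AUTH = {"SHA1", "MD5"}
WEAK = {"DES", "MD5"}  # accepted by the MX per the article; flagged as weak here


def check_bovpn(cfg, mx_public_ip, mx_private_ip=None):
    """Return (errors, warnings); pass mx_private_ip only if the MX sits behind NAT."""
    ip = ipaddress.ip_address
    errors, warnings = [], []
    gw, p1, p2, tun = cfg["gateway"], cfg["phase1"], cfg["phase2"], cfg["tunnel"]

    def require(ok, msg):
        if not ok:
            errors.append(msg)

    require(ip(gw["remote_ip"]) == ip(mx_public_ip),
            "remote gateway must be the MX primary uplink public IP")
    require(ip(gw["remote_id"]) == ip(mx_private_ip or mx_public_ip),
            "remote ID must be the MX private IP behind NAT, else its public IP")
    require(p1["mode"] == "Main", "Phase 1 mode must be Main")
    require(p1["transform"] == "SHA1-3DES", "Phase 1 transform must be SHA1-3DES")
    require(p1["dh_group"] == 2, "Phase 1 key group must be Diffie-Hellman Group 2")
    require(p2["pfs"] is False, "Phase 2 PFS must be unchecked")
    require(p2["protocol"] == "ESP", "Phase 2 must use ESP")
    require(p2["encryption"] in MX_P2_ENC, "Phase 2 encryption not accepted by the MX")
    require(p2["authentication"] in MX_P2_AUTH, "Phase 2 authentication not accepted by the MX")
    require(tun["bovpn_allow"], "tunnel must be added to the BOVPN-Allow policies")
    require(tun["bidirectional"], "tunnel must be bi-directional")
    for alg in (p2["encryption"], p2["authentication"]):
        if alg in WEAK:
            warnings.append(f"{alg} is accepted by the MX but is a weak algorithm")
    return errors, warnings


# Constructed sample plan using the article's example addresses.
SAMPLE = {
    "gateway": {"remote_ip": "2.2.2.2", "remote_id": "2.2.2.2"},
    "phase1": {"mode": "Main", "transform": "SHA1-3DES", "dh_group": 2},
    "phase2": {"pfs": False, "protocol": "ESP",
               "encryption": "AES-256", "authentication": "SHA1"},
    "tunnel": {"bovpn_allow": True, "bidirectional": True},
}

if __name__ == "__main__":
    errs, warns = check_bovpn(SAMPLE, mx_public_ip="2.2.2.2")
    for line in errs + warns:
        print(line)
    print("OK" if not errs else f"{len(errs)} mismatch(es)")
```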
For more information on setting up the MX to participate in a site-to-site VPN, please review the following articles:
3rd Party Site-to-Site VPN
Meraki MX Security Appliance Site to Site VPN






