MX to Watchguard XTM Site-to-site VPN Setup
The Watchguard XTM can form a site-to-site VPN with a Meraki MX series security appliance.
To do this, log in to Watchguard by connecting to its IP address via a web browser. On the left hand side, click on VPN->Branch Office VPN. Under the Gateways tab, click Add and give the gateway an appropriate name:
Under the General Settings tab, select the radio button for Pre-Shared Key and enter the key string exactly as it appears on the MX under Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings > Non-Meraki VPN peers > Preshared secret. In the Gateway Endpoints section, click the Add button to be brought to the Gateway Endpoint Settings page to specify the local and remote peers participating in the VPN tunnel. If the MX is sitting behind a device performing NAT, the Remote IP will be the public address of the MX, while the Remote ID will be the private address.
Under Local Gateway, select the radio button for By IP Address and enter the public IP address of the Watchguard.
Under the section labeled Remote Gateway, select the radio button for Remote Gateway Static IP Address and enter the public IP address of the MX security appliance. Please note that this must be the IP address of the primary interface shown on the MX under Security & SD-WAN > Monitor > Appliance status > Uplink > Configuration > General > Public IP.
Under the section for Gateway ID for Tunnel Authentication select By IP address and again enter the public IP of the MX security appliance. Select the OK button.
Note: This section walks through configuring a site-to-site VPN tunnel on the Watchguard XTM, assuming the Cisco Meraki peer is using its default IPsec policy. If Custom IPsec Policies have been configured in Dashboard, please be sure to use those phase 1 and 2 parameters in Watchguard.
Back on the Gateway page, select the tab Phase 1 Settings and ensure that Main is selected in the drop down menu labeled Mode. NAT traversal and Dead Peer Detection are not required but can remain selected for improved tunnel stability.
Under Transform Settings select Add and ensure that under Phase 1 settings, SHA1-3DES is chosen for the encryption and authentication algorithms and that under Key Group, Diffie-Hellman Group 2 is selected. Click the Save button to be returned to the Branch Office VPN Page.
Under the Tunnels Section select the Add button.
Give the tunnel group a meaningful name, in our case VPN Phase 2. In the drop down menu labeled Gateway, select the name you created in the previous step.
Under the Addresses section select the Add button. In the field for Local IP enter the local IP subnet range. Additionally select Network IP for the Remote IP section and enter the subnet of the MX security appliance. Be sure to check the box for adding the tunnel to the BOVPN-Allow policies and that the tunnel is configured for bi-directional communication.
Click the tab Phase 2 Settings to move to the next section. Make sure that the checkbox for PFS or Perfect Forwarding Secrecy is unchecked.
Under IPSec Proposals, the drop-down menu specifies a variety of encryption and authentication methods. The MX security appliance can accept any of the following Encryption algorithms: 3DES, AES-128, AES-192 and AES-256. Additionally the MX can accept either SHA1 or MD5 as the authentication hashing algorithm. Any combination of encryption and authentication algorithms can work, however please use ESP as the IPSec protocol suite.
Click the Add button to add these to the list and select the Save button to be brought back to the Branch Office VPN page. With the settings saved to the Watchguard, it will attempt to establish a IPsec VPN tunnel with the MX once client traffic attempts to access the remote subnet.
For more information on setting up the MX to participate in a site-to-site VPN, please review the following articles: