Watchguard IPsec Configuration


This article shows how to configure the Watchguard to connect to the Acreto Ecosystem over an IPsec VPN.


  1. Watchguard installation
  2. Ecosystem set up with proper security policies


Step 1: Create Gateway for IPsec

First, create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway.

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use a /32 prefix for the public interface). This will allow you to test connectivity from the gateway, or similar tools.

Step 2: Read the Values from Acreto Gateway

To proceed with the Watchguard configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Peer ID
  4. Recommended Ciphers

All of these can be found in the Gateway details panel; see the animation below for further instruction.

Step 3: Configure VPN settings on Watchguard

  1. Create Phase 2 proposal - Navigate to VPN > Phase 2 Proposals and click the ADD button

  2. Create Phase 2 with the following values and SAVE

  • Name: Acreto
  • Description: Acreto phase2 selectors
  • Type: ESP
  • Authentication: SHA-512
  • Encryption: AES(128-bit)
  • Time: 1 hour
  1. To set up IPsec VPN navigate to VPN > BOVPN Virtual Interfaces and click ADD from the right pane

  2. Select Remote Endpoint Type as Cloud VPN or Third-Party Gateway

  3. Provide the Pre-Shared Key copied from the Wedge dashboard in Step 1 and click the ADD button to configure the Gateway Endpoint

  4. Configure Local gateway - Select Interface By Domain Name and provide the Peer ID copied from the Wedge dashboard in Step 1.

  5. Configure Remote gateway with values copied in Step 1 and click OK

  • Static IP Address: Wedge_gateway
  • By IP Address: Wedge_gateway
  1. Click the Phase 1 Settings tab

  2. Set the following values

  • Version: IKEv2
  • Keep-alive interval: 540 seconds
  • Traffic-idle timeout: 30 seconds
  1. Select the Phase 1 Transform set in Transform Settings and click EDIT. Set the following values and click OK.
  • Authentication: SHA2-512
  • Encryption: AES(128-bit)
  • SA Life: 3 hours
  • Key Group: Diffie-Hellman Group 15
  1. Click Phase 2 Settings and configure Phase 2 with values as below
  • Enable Perfect Forward Secrecy: Diffie-Hellman Group 15

Select Acreto from the Phase 2 proposal list, then click ADD and SAVE.

  1. Verify the tunnel status - Navigate to SYSTEM STATUS > VPN Statistics > Branch Office VPN and click IKEv2 Virtual Interface. If the VPN is successfully established, the statistics related to VPN will be displayed.


Once the VPN connection is successfully established, all the internet traffic will be routed through Acreto.
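
A transform mismatch between the two peers is a common reason the tunnel configured in Step 3 does not come up. The following is an added example, not part of the original article or of any Acreto or Watchguard tooling: it compares the Recommended Ciphers value read in Step 2 with the labels entered in the Watchguard transform dialogs. It assumes the value is written in strongSwan proposal notation (for example aes128-sha512-modp3072); the function names and the sample string are hypothetical.

```python
import re

# strongSwan DH keywords -> IKE group number (IANA registry)
DH_GROUPS = {"modp2048": 14, "modp3072": 15, "modp4096": 16,
             "ecp256": 19, "ecp384": 20, "ecp521": 21}

def parse_proposal(proposal):
    """Normalize a strongSwan-style proposal such as 'aes128-sha512-modp3072'."""
    out = {"enc_bits": None, "hash_bits": None, "dh_group": None}
    # A trailing '!' (strict mode in legacy ipsec.conf) carries no algorithm.
    for token in proposal.strip().rstrip("!").lower().split("-"):
        if m := re.fullmatch(r"aes(128|192|256)", token):
            out["enc_bits"] = int(m.group(1))
        elif m := re.fullmatch(r"sha(?:2_)?(256|384|512)", token):
            out["hash_bits"] = int(m.group(1))
        elif token in DH_GROUPS:
            out["dh_group"] = DH_GROUPS[token]
        else:
            raise ValueError(f"unrecognized proposal token: {token!r}")
    return out

def parse_watchguard(encryption, authentication, key_group):
    """Normalize the labels used in this article's transform settings."""
    enc = re.fullmatch(r"AES\s*\((128|192|256)-bit\)", encryption.strip())
    auth = re.fullmatch(r"SHA2?-(256|384|512)", authentication.strip())
    grp = re.fullmatch(r"Diffie-Hellman Group (\d+)", key_group.strip())
    if not (enc and auth and grp):
        raise ValueError("unrecognized Watchguard label")
    return {"enc_bits": int(enc.group(1)), "hash_bits": int(auth.group(1)),
            "dh_group": int(grp.group(1))}

def mismatches(recommended, configured):
    """Return {field: (recommended, configured)} for every differing field."""
    return {k: (recommended[k], configured[k])
            for k in recommended if recommended[k] != configured[k]}

if __name__ == "__main__":
    # Constructed sample; use the real Recommended Ciphers string from Step 2.
    want = parse_proposal("aes128-sha512-modp3072")
    have = parse_watchguard("AES(128-bit)", "SHA2-512", "Diffie-Hellman Group 15")
    print(mismatches(want, have) or "transform matches the recommended ciphers")
```

Run the comparison once for the Phase 1 transform and once for the Phase 2 proposal plus its Perfect Forward Secrecy group; an empty result means the fields agree.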