Watchguard XTM26 to DrayTek Vigor 3900 IPSec VPN


Firstly let's set up the Watchguard XTM Firebox:

Here we are using the WatchGuard System Manager software (Policy Manager) rather than the web UI, but either will do as long as you use identical encryption, hash, Diffie-Hellman group, lifetime and pre-shared key settings on both ends.

Open Policy Manager, then choose Branch Office Gateways from the VPN menu; you will see the dialog below:

Watchguard Gateways Dialogue Box

Click the Add button to open the gateway properties box and enter a gateway name and the pre-shared key (PSK). Use a long, random key: a short or guessable PSK is the weakest part of a PSK-authenticated tunnel.

Watchguard Firebox new Gateway Dialog

Once you have entered the PSK, which must be identical to the shared key we will enter on the DrayTek, click the Add button at the bottom right to enter the gateway endpoints:

Watchguard Firebox New Gateway Endpoints Dialog

Enter the external IP of the Watchguard as the local gateway (the address shown in the example above) and the external IP of the DrayTek as the remote gateway, then choose the external interface on the Firebox that carries the local IP you have just entered.

Click OK to close this dialog box.

Back in the gateway dialog, click the Phase 1 tab at the top to see the screen below, where we configure the Phase 1 (IKE) settings for our encryption:

Watchguard Firebox New Gateway Dialog 3DES Group 2

We tick the boxes for IKE Keep-alive and Dead Peer Detection, then click Edit at the bottom to edit the encryption choices. One practitioner's note here: WatchGuard's documentation describes IKE Keep-alive as intended for tunnels between Firebox devices and recommends not enabling it alongside Dead Peer Detection, so with a third-party peer such as the DrayTek, DPD on its own is the safer choice if the tunnel proves unstable.

Watchguard Firebox Phase One Transform Dialog

I am using AES (the Advanced Encryption Standard) with an 8 hour SA lifetime, but feel free to choose any proposal you like as long as the encryption, hash, Diffie-Hellman group and lifetime are set identically on the DrayTek; a mismatch here is the usual reason Phase 1 never completes.

Click OK to close the transform box and OK again to return to the Policy Manager screen.

Back in Policy Manager, open the VPN menu and choose Branch Office Tunnels:

Watchguard Firebox Branch Office IPSec Tunnels Dialog

Click the Add button to create the IPSec tunnel:

Watchguard Firebox New Tunnel Address Dialog

On the Addresses tab, click Add to define the tunnel route:

Watchguard Tunnel Route Settings Dialog

Here we add the internal networks for the local and remote ends. In this example both sites use 192.168.x.x networks, so we enter the local Firebox subnet and the remote DrayTek subnet, each with a /24 (255.255.255.0) mask. The two subnets must be different, otherwise traffic cannot be routed across the tunnel. Click OK to close.

Now choose the Phase 2 tab at the top of the last screen:

Watchguard New Tunnel Phase Two Settings Dialog

Tick the PFS (Perfect Forward Secrecy) box and choose Group 5, as that is what we will configure on the DrayTek. With PFS, each Phase 2 key comes from a fresh Diffie-Hellman exchange rather than being derived from the Phase 1 keys alone, so a compromised Phase 1 key does not expose past tunnel traffic.

In the screenshot above I have left the default ESP-AES-SHA1 IPSec proposal in place, as that is the one I wish to use, but you may add a custom proposal if you prefer.

Click OK to return to the tunnel screen.

Click Close on the tunnel screen to return to Policy Manager, then save the configuration to the Firebox.


Now we move onto the DrayTek Vigor 3900.

Once logged in, we create a new IPSec profile under VPN and Remote Access > IPSec Profiles.

Choose to create a new profile and you are presented with the new IPSec profile dialog:


DrayTek Vigor 3900 IPSec Profile


Tick the Enable box at the top to enable the profile.

The first two boxes can be left at their defaults, since this end only accepts the incoming connection and the peer is a router rather than a dial-in user.

In this case the DrayTek expects the VPN on the IP address associated with WAN1, so we leave that as it is.

The Local IP Address/Subnet Mask is the same network we entered as the remote network on the Watchguard: the DrayTek's internal LAN that the Watchguard side will be able to reach.

Local Next Hop and Remote Host can remain as they are, because the home user network behind the Watchguard will almost certainly have a dynamically assigned IP address. Note the trade-off: with no Remote Host specified, the DrayTek will negotiate with any peer that presents the correct pre-shared key, which is one more reason to use a long random PSK.

The IKE protocol and Phase 1 settings can remain at their defaults, provided those defaults match the encryption, hash, Diffie-Hellman group and lifetime you set on the Watchguard; if you chose something other than the defaults there, change them here to match.

Auth Type is set to PSK (Pre-Shared Key); enter the same key you entered on the Watchguard earlier.

The security protocol is set to ESP.


Now we move on to the second page:


DrayTek Vigor 3900 IPSec VPN Advanced


We leave the Phase 1 and Phase 2 lifetimes as they are, since they already match the Watchguard; if you chose non-default periods on the Watchguard, update these to match.

Perfect Forward Secrecy (PFS) is on, with the Diffie-Hellman group matching the Group 5 chosen on the Watchguard.

All the other settings can remain as they are, except that we turn on NetBIOS Naming Packet so that NetBIOS name lookups work across the tunnel.

Apply and save the changes.

The status screen should now show that the LAN-to-LAN VPN has been established.

And from the machine we are using, we can ping hosts on the remote 192.168.x.0 network. If the tunnel shows as up but pings fail, check the Phase 2 networks (the local and remote subnets) on both ends first, then any firewall policy that blocks ICMP.
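Almost every step above ends with "make sure it is the same on the other device", and both the gateway dialog and the DrayTek profile depend on one shared PSK. The following script, an added example that is not from the original article, WatchGuard or DrayTek, models each end's settings as a plain dictionary and reports every field where the two disagree, plus the subnet mistakes (non-mirrored or overlapping networks) that leave a tunnel up but unreachable. It also generates a random PSK of the kind both gateway dialogs should be given. The sample values mirror the walkthrough (AES with an 8 hour lifetime, ESP-AES-SHA1, PFS group 5, 192.168.x.0/24 at each site); the AES key length, the Phase 1 hash and DH group, the DrayTek defaults and the exact subnets are assumptions.

```python
"""Cross-check the two ends of a PSK-authenticated IPsec tunnel.

Added example, not code from the article or either vendor. Each end's
settings are a dictionary; check_tunnel() returns the list of places the
two disagree, which is what a Phase 1 or Phase 2 failure usually comes
down to. Key length, Phase 1 hash/DH group, DrayTek defaults and the
subnets are assumed values chosen for illustration.
"""
import ipaddress
import secrets

# Parameters that must agree for IKE Phase 1 and IPsec Phase 2 respectively.
PHASE1_KEYS = ("encryption", "hash", "dh_group", "lifetime_seconds")
PHASE2_KEYS = ("protocol", "encryption", "hash", "pfs_group", "lifetime_seconds")


def generate_psk(nbytes=32):
    """Return a random pre-shared key built from OS entropy.

    32 bytes gives a 43 character URL-safe string; paste the same value
    into the Watchguard gateway and the DrayTek profile.
    """
    return secrets.token_urlsafe(nbytes)


def compare_phase(local, remote, keys):
    """List the proposal fields where the two peers disagree."""
    return [
        f"{key}: {local.get(key)!r} vs {remote.get(key)!r}"
        for key in keys
        if local.get(key) != remote.get(key)
    ]


def check_selectors(local_net, remote_net, peer_local_net, peer_remote_net):
    """Traffic selectors must mirror each other and the two LANs must not overlap."""
    problems = []
    a, b = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    pa, pb = ipaddress.ip_network(peer_local_net), ipaddress.ip_network(peer_remote_net)
    if a != pb or b != pa:
        problems.append(f"selectors not mirrored: {a}<->{b} here, {pa}<->{pb} on the peer")
    if a.overlaps(b):
        problems.append(f"local and remote networks overlap: {a} / {b}")
    return problems


def check_tunnel(firebox, draytek):
    """Return a list of mismatches; an empty list means the two ends agree."""
    problems = []
    if firebox["psk"] != draytek["psk"]:
        problems.append("pre-shared keys differ")
    problems += ["phase1 " + p for p in compare_phase(firebox["phase1"], draytek["phase1"], PHASE1_KEYS)]
    problems += ["phase2 " + p for p in compare_phase(firebox["phase2"], draytek["phase2"], PHASE2_KEYS)]
    problems += check_selectors(
        firebox["local_net"], firebox["remote_net"],
        draytek["local_net"], draytek["remote_net"],
    )
    return problems


# Constructed sample configurations (assumed values, see module docstring).
SHARED_PSK = "example-psk-replace-with-generate_psk()"
FIREBOX = {
    "psk": SHARED_PSK,
    "phase1": {"encryption": "AES-256", "hash": "SHA1", "dh_group": 2, "lifetime_seconds": 8 * 3600},
    "phase2": {"protocol": "ESP", "encryption": "AES-256", "hash": "SHA1", "pfs_group": 5, "lifetime_seconds": 8 * 3600},
    "local_net": "192.168.10.0/24",   # LAN behind the Watchguard
    "remote_net": "192.168.20.0/24",  # LAN behind the DrayTek
}
DRAYTEK = {
    "psk": SHARED_PSK,
    "phase1": dict(FIREBOX["phase1"]),
    "phase2": dict(FIREBOX["phase2"]),
    "local_net": "192.168.20.0/24",
    "remote_net": "192.168.10.0/24",
}

# A deliberately broken DrayTek profile: PFS group set differently and the
# Phase 2 lifetime not updated to match the Watchguard.
DRAYTEK_MISMATCHED = {
    **DRAYTEK,
    "phase2": {**DRAYTEK["phase2"], "pfs_group": 2, "lifetime_seconds": 3600},
}

if __name__ == "__main__":
    print("matching config:", check_tunnel(FIREBOX, DRAYTEK) or "no mismatches")
    for problem in check_tunnel(FIREBOX, DRAYTEK_MISMATCHED):
        print("mismatch:", problem)
    print("fresh PSK for both ends:", generate_psk())
```

Run it as-is to see the mismatched profile reported, then replace the FIREBOX and DRAYTEK dictionaries with what you actually typed into each device; an empty result from check_tunnel() means that whatever is still failing is not a proposal or subnet mismatch.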
