What we did and tried so far:
1. Took the configuration file from a functional T55 with Fireware 12.11.4. Changed the Firewall model and the Feature Key and imported the configuration to the T145.
-> Problem: Upload speed over VPN very slow. And when I say slow I mean kb/s or no speed!
2. We took the configuration file then from the T145 and did an Import to a M270 with Fireware 12.11.4.
-> No Problem on the M270. Full VPN Speed in upload and download.
3. We reseted the T145 to Factory default and configured a new configuration.
-> Problem: Upload speed over VPN again very slow.
4. We bought a new T145. Configuerd the box this time with Cloud Management. Configured the BOVPN to a Firebox T45 with Fireware 12.11.4.
-> Problem: Upload speed over VPN again very slow.

And we also followed the best Practise Guide from WatchGuard for BOVPN!

Has somebody else BOVPN Upload Problems with the new devices and Fireware 2025.11.2?

After boot, the bovpn to another Watchgard M390 on Datacenter it’s worked fine, but after an hour, a lot of pc cannot connect to server on Datacenter, someome work other no.

The problem seem to a mtu issue,

Anyone have the same problem ?

thanks

A possible problem was detected in the internal security policies for tunnel KZ.A correction to this error was attempted.
Recommendation: Send traffic to a host on the remote network, and run the report again.
Tunnel Name: MM
tunnel route#1(192.168.21.0/24<->192.168.71.0/24) - Established
Incoming traffic was NOT detected for this tunnel after the diagnostic report started.
Outgoing traffic was NOT detected for this tunnel after the diagnostic report started.
The outgoing traffic for tunnel route (192.168.21.0/24<->192.168.71.0/24) is denied by firewall policy (No route).
Recommendation: Check your firewall policy configuration.
The incoming traffic for tunnel route (192.168.71.0/24<->192.168.21.0/24) is denied by firewall policy (Inconclusive).
Recommendation: Check your firewall policy configuration.

I am currently trying to establish an IPsec IKEv2 connection between an OPNsense firewall and a Fritzbox. However, the connection setup is not working and I get the error message "no proposal sent".

Does anyone perhaps have a guide or instructions on what I need to configure in the OPNsense firewall so that the connection works?

Thank you very much and best regards,
Marco

We got this error after upgrading our M270 cluster to the latest firmware 12.11.6 (from 12.11.4).

We then switched from M270 to M295 fireboxes. They were running fine on 2025.1.2 firmware. But when we upgraded them to v2025.1.4 we got the same error ("No response for IKE_SA_INIT request message") and the Branch Office VPN could not be established. So we downgraded them again.

Could it be that we have BOVPN settings that conflicts with the new firmware versions? Or what else could be the issue?

Thanks, Chris

what about , skipping step 1
and add ddns names to step 2 or 3

this would still allow Dynamic Peer BOVPN

mfg
norman

I'm trying to setup a BOVPN with a couple of Fortigate Firewalls. Two seperate jobs not related. I've worked through the WatchGuard guide and tried numerous other combinations without success. Does anyone have a known working set of parameters please and has anyone ever got one working?

Thanks

Andy.

Where else can I look for this issue?

I have a properly working IPsec tunnel between Site A and Site B with the current configuration:
192.168.89.0/24 ⇔ 192.168.70.0/24

I now want to convert this to a zero-tunnel route to send all traffic from Site A to the internet via Site B and apply traffic rules at Site B.

I modified the tunnel configuration as follows:

Site A: ANY ⇔ 192.168.70.0/24
Site B: 192.168.70.0/24 ⇔ ANY
After this change, the tunnel went down. Side B's traffic monitor shows:
Reason=Received unacceptable traffic selector in CREATE_CHILD_SA request.

NAT on both sides is configured with 192.168.0.0/16 to any External.

Any thoughts on why this is failing and how to resolve it?

Many thanks.

I'm having trouble creating a BOVPN tunnel between a locally-managed Firebox (FB) and a cloud-managed device.

On the locally-managed side, I'm using afraid.org DDNS. I created an A record: myname.chickenkiller.com.

Here comes the first confusion. Afraid.org states on their router setup page:

Select 'freedns.afraid.org' in the drop-down menu, then enter:

Username: guest
Password: guest
Hostname: dns_name,update_key
However, in the WatchGuard documentation, it says: "Type the Password you used to set up your dynamic DNS account."

So, I tried both ways without any change.

The cloud-managed Firebox's BOVPN Endpoint B is set to myname.chickenkiller.com. This hostname correctly resolves to my external IP.

Currently, I am getting the following error in the logs:
2025-10-12 21:23:31 iked (192.168.8.68<->XX.XX.XX.XX) IKEv2 IKE_AUTH exchange from 192.168.8.68:4500 to XX.XX.XX.XX:4500 failed. Tunnel='tunnel.1'. Reason=Received N(AUTHENTICATION_FAILED) message.

I get the same message even if I put a wrong endpoint name (like mname.chickenkiller.com) in the cloud-managed FB. This leads me to believe something is wrong with the DDNS configuration.

I have the option "Allow the dynamic DNS provider to determine the IP address" enabled on both sides.

Have anybody had any luck with afraid.org?

Many thanks

Quick one we've a head office (site 1) with a T40.
We've got site number 2 with a draytek, connected via "gateway.1" and "tunnel.1", and IKEv1.
We've now got site number 3 with another draytek and I need to do the same as site number 2.

Do I just clone tunnel and change the IP address in the settings of the new tunnel?
Or do I need to set up another gateway also etc?

Thanks in advance

My plan is to put it into bridge mode and add it as an extra interface on my M290. However, for the VPN's I don't want to leverage those as on the Azure side there is no way to change BGP priority, so everything is ECMP always. I noticed a modem interface can be used to come online for a bovpn interface. However, that looks like a USB device...

Is there a way to create a custom modem interface that only brings up a site to site tunnel on this third external interface that is driven by this 5G modem over ethernet only when the first two connections are offline? Or is my only option to bring the interface up manually if an issue arises?

We are migrating a customer's BOVPN that connects with a single Azure VPN Gateway to an Azure Virtual WAN VPN Gateway with 2 instances in Active-Acitve configuration.

I created two BOVPN Virtual Interfaces in the WatchGuard using IKEv2 and BGP for both, the VPN connections are established without errors and azure shows both BGP sessions are connected (one to each Azure VPN Gateway).

The problem is that the WatcGuard is only adding the routes to one of the BOVPN Virtual Interfaces, seems like whichever connects last, the other Virtual Interface shows no routes. Communication from local networks to azure works fine but from azure to local networks is dependent on which VPN connection is used by Azure to send packets, anything sent using the BOVPN with the routes works fine, anything send on the one without does not, so the communication from azure to local is a ht and miss...

If I disable one of the Virtual Interfaces (does not matter which one, both do the same) then the other one gets the routes and as Azure stops sending packets through the one that is down then everything works fine but it defeats the purpose of having an expensive Active-Active setup in Azure if you are only using one and have to do manual failover on the WatchGuard side, plus, half the potential bandwidth...

Shouldn't the WatchGuard add the routes advertised through BGP to both Virtual Interfaces and use ECMP to balance both connections?

BGP configuration is pretty simple:

!
! The local BGP ASN is 10001
!
router bgp 10001

!
! Azure Virtual WAN VPN (Instance0)
neighbor 10.10.10.13 remote-as 65515
neighbor 10.10.10.13 activate
neighbor 10.10.10.13 ebgp-multihop
!
! Azure Virtual WAN VPN (Instance1)
neighbor 10.10.10.12 remote-as 65515
neighbor 10.10.10.12 activate
neighbor 10.10.10.12 ebgp-multihop

!
! Local networks to Advertise
network 172.20.0.0/24

Has anyone been able to get an Active-Active BOVPN with Azure working properly?

25-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)******** RECV an IKE packet at XXX.XXX.XXX.94:500(socket=14 ifIndex=4) from Peer XXX.XXX.XXX.86:500 ********
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Received IKEv2 "CREATE_CHILD_SA response" message with message-ID:11 length:480 SPI[i=003f59e5ac1aa8e7 r=721e0c1074f400c6]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)"CREATE_CHILD_SA response" message has 1 payloads [ ENCR(sz=452)]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Got IKE policy 'BovpnVif.1' from ikeSA(0x21d7f278)
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)"CREATE_CHILD_SA response" message has 5 payloads [ SA(sz=52) NONCE(sz=36) KE(sz=264) TSi(sz=24) TSr(sz=24)]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)IKEv2 "CREATE_CHILD_SA response"'s decrypted message contains 5 payloads [ SA(sz=52) NONCE(sz=36) KE(sz=264) TSi(sz=24) TSr(sz=24)]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)dispatch the received CREATE_CHILD_SA response message - IkeSA(0x21d7f278)'s state=MATURE
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Peer proposed selector[1/1]: from[0-255.255.255.255/0-65535] <-> to[0-255.255.255.255/0-65535], proto=47
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)BVPN-VIF: bvpn interface enabled. use IP(XXX.XXX.XXX.94) as local to match IP in received selector (0)
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)IKEv2 CREATE_CHILD_SA exchange from XXX.XXX.XXX.86:500 to XXX.XXX.XXX.94:500 failed. Gateway-Endpoint='BovpnVif.1'. Reason=Received unacceptable traffic selector in CREATE_CHILD_SA response.
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)delete childState(0x21d82988) and free SPI nodes
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)childState(0x21d82988) state change: EXCHANGING ==> DEL, reason: "Free the Child State"
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)stop the retry object(0x21d59b88) for the previous request message(name=CREATE_CHILD_SA request, msgId=11)
2025-08-03 01:00:21 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)******** RECV an IKE packet at XXX.XXX.XXX.94:500(socket=14 ifIndex=4) from Peer XXX.XXX.XXX.86:500 ********
2025-08-03 01:00:21 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Received IKEv2 "INFO request" message with message-ID:13 length:80 SPI[i=003f59e5ac1aa8e7 r=721e0c1074f400c6]

I understand that error is initiated by cloud based FB here
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Peer proposed selector[1/1]: from[0-255.255.255.255/0-65535] <-> to[0-255.255.255.255/0-65535], proto=47
but I do not understand where to fix this. My networks for VIF are 192.168.21.0/24 ol locally managed and 192.168.61.0/24 on cloud managed FB. I triple checked that phase 2 is identical on both machines.
Any help is highly appreciated !

thanks

Today it ran fine for about 5 hours, but within the past hour, it has disconnected twice.
When I use “Rekey Selected BOVPN Tunnel” in WatchGuard System Manager, the tunnel comes back up and works again—for a while.

I couldn’t find anything helpful in the Traffic Monitor logs.
The firewall was just deployed at this location today.

Is there anything I might need to adjust or fine-tune?

Firebox üzerinde network yapılandırmam aşağıdaki gibi.

0 external
1 servers
2 mpls

Phase1 i kurarken local gateway olarak external seçili ve çıkış ip adresim yazılım. konfigürasyonu defalarca kontrol ettim ama başarılı olamadım. aşağıdaki çıktıları inceleyip yol gösterirseniz çok memnun olurum.

*** WG Diagnostic Report for Gateway "Balikesir-sube" ***
Created On: Fri Jul 25 16:43:48 2025

[Conclusion]
Unable to find an established Phase 1 Security Association (SA) for BOVPN Gateway (Balikesir-sube)'s endpoint #1
Recommendation: Review VPN log messages to identify the reason.

[Gateway Summary]
Gateway "Balikesir-sube" contains "1" gateway endpoint(s). IKE Version is IKEv1.
Gateway Endpoint #1 (name "Balikesir-sube") Enabled
Mode: Main
PFS: Disabled AlwaysUp: Disabled
DPD: Enabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(1.1.1.1) <-> IP_ADDR(2.2.2.2)}
Local GW_IP<->Remote GW_IP: {1.1.1.1 <-> 2.2.2.2}
Outgoing Interface: eth0 (ifIndex=2)
  ifMark=0x10000
  linkStatus=0 (0:unknown, 1:down, 2:up)

[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway

Name: "balikesirp2" Enabled
PFS: "Enabled" DH-Group: "5"
Number of Proposals: "1"
 Proposal "ESP-AES256-SHA256"
  ESP:
   EncryptAlgo: "AES" KeyLen: "32(bytes)"
   AuthAlgo: "SHA2-256"
   LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
 #1
  Direction: "BOTH"
  "192.168.10.0/24<->192.168.0.0/24"

[Run-time Info (gateway IKE_SA)]

[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "balikesirp2"

[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "balikesirp2"

1

 Tunnel Endpoint: "1.1.1.1->2.2.2.2"
 Tunnel Selector: 192.168.10.0/24 -> 192.168.0.0/24 Proto: ANY
 Created On: Fri Jul 25 16:39:57 2025
 Gateway Name: "Balikesir-sube"
 Tunnel Name: "balikesirp2"

[Address Pairs in Firewalld]
Address Pairs for tunnel "balikesirp2"
 Direction: BOTH
 192.168.10.0/24 <-> 192.168.0.0/24

[Policy checker result]
Tunnel name: balikesirp2
 #1 tunnel route 192.168.10.0/24<->192.168.0.0/24
  No policy checker results for this tunnel (no P2SA found or some other error)

[Related Logs]

Jul 25 16:43:48 iked: alwaysUpTimerCb trigger autoStart for ikePcy(Balikesir-sube) ipsecPcy(balikesirp2)
Jul 25 16:43:48 iked: AUTOSTART: RECV ipecPcy(balikesirp2), ikePcy(Balikesir-sube), ifIndex(2), tunnel_src=1.1.1.1, tunnel_dst=2.2.2.2
Jul 25 16:43:48 iked: (1.1.1.1<->2.2.2.2) do the ACQUIRE action for the tunnel route [src:192.168.10.0/24 <-> dst:192.168.0.0/24], ike_ver=1, peer_udp_port=0
Jul 25 16:43:48 iked: (1.1.1.1<->2.2.2.2) ikeSAInsertToCookieHashTable: IKE SA event: Added IsakmpSA(0x6d3f50)
Jul 25 16:43:48 iked: MainMode: Start (Ct=71133) pcy [Balikesir-sube]
Jul 25 16:43:48 iked: ikeSendToWithPktInfo: sendmsg failed, ifindex:2 - error: Operation not permitted(1)
Jul 25 16:43:48 iked: StartMainMode: failed to send out 1st msg
Jul 25 16:43:48 iked: StartNegotiation: failed to start phase 1 negotiation
Jul 25 16:43:48 iked: SA Nego Fail: saHandle 0x0x84a0b8 InitMode 1, reason 2

thank

BR

This is the error I keep getting
2025-05-27 10:47:00 admd Authentication of MUVPN user [username] from x.x.x.x was rejected, received an Access-Reject response from the (x.x.x.x) server msg_id="1100-0005"

I setup NPS and ran the Azure MFA NPS Extension.The group exists in AD and the user is a member of the group. The VM in Azure I created an NSG rule to allow inbound UDP 1812/1813/1645/1646

Any help would be great. Thanks

I've this error after build up a BOVPN between a T20 and T15 Firebox but it's very strange because both Firewalls are reachable over public ip addresses, I can login into both of them and also in both firewalls I've already configured three others BOVPNs that are working properly. I've checked the max number of VPNs in my license and it's ok, I've removed and recreated the BOVPN that isn't working but without success. I've also upgrade OS to the latest possible version but without success.
Any tips?
Thx

UPDATE: issue SOLVED

"Unable to find any active Phase 2 Security Associations (SAs) for BOVPN virtual interface VIF.
Recommendation: Confirm whether either side is currently sending traffic through the tunnel."

TIA _ Josh

We have working IPsec tunnel between OPNsense and WatchGuard BOVPN (ipv4 subnets). and next want to route both IPv4 and IPv6 traffic securely over the GRE tunnel, which is carried inside the IPsec tunnel.
Is there alternative solutions how to configure BOVPN IPv4 and IPv6 traffic securely ipv4 IPsec tunnel.

Is there guide / examples to configure WatchGuard BOVPN with GRE tunnel. Is there any compatibility issues related to BOVPN ipsec site to site VPN and GRE with other solutions.

I haven found BOVPN Integration Guide that describes how other vendors solutions to configure BOVPN IPv4 and IPv6 traffic securely ipv4 IPsec tunnel.

Lauri-Alo Adamson

Trying to create a BOVPN over a Century Link home fiber connection from the T25 to the M470 at the main office.

Century Link home fiber requires an interesting solution for a third party product (T25) to replace CL's router.

You need to create a VPN w/ID 201, configure it as an external PPOe interface with dynamic addressing to work.

Created the Gateways, Tunnels, PSK, IKEv2 and identical transform settings and nothing works.
Rekey tunnels, change transform settings, change to IKEv1 and still no luck.

I have another BOVPN from a remote office that uses a Century Link DSL connection that runs fine.
Tried copying those settings and still no luck.

VPN diagnostic report from home office M470:

[Conclusion]
BOVPN Gateway(House to Work)'s endpoint #1 has a dynamic remote IP address. The configured DNS server was unable to resolve the remote ID (xxx.xxx.xxx.xxx) to a valid IP address.
Recommendation: Ask the remote site to initiate the tunnel.

Have tried to ping devices on remote network tunnel to initiate and the ping fails.

VPN diagnostic report from remote T25W:

Conclusion]
Error Messages for Gateway Endpoint #1(name "BOVPNtoWORK")
Mar 06 11:25:20 2025 ERROR 0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.

I can ping the remote gateway endpoint on the T25 from the M470 so I know it's good.

Any ideas or suggestions?

Thanks,

• Doug

Is there a built-in policy with that name, anyone know or have that same issue