WatchGuard M500 & CradlePoint MBR1400 VPN Setting

Hi, I have a WatchGuard M500 & CradlePoint MBR1400.
I have private IP address both device.
How to connect VPV setting? Thanks.

WatchGuard M500 (HQ Local Gate IP
IP redacted / Sub / Gate redacted
CradlePoint MBR1400 (Store Local Gate IP
IP redacted / Sub / Gate redacted


  • I'm not understanding the issue.

    a) is the firewall connected to the CradlePoint
    b) is the CradlePoint at a different location, and you want to create a VPN to it from your firewall ?

    If b) what issue are you having with setting up the VPN settings?

  • edited December 2020

    I want to the firewall connected to the CradlePoint with VPN setting.
    I found some of site, looks different menu.
    ( to Watchguard Firebox.pdf )

  • Which menu looks different? The CradlePoint or the WG?
    Where are you confused about what to enter and where to enter it?

  • Yes, I am beginner system network. However I understand the CradlePoint PDF menu. But I don't see the WG m500. (WG m500 Ver 12.1.1)

  • The WG portion of the document shows how to do this using the WG Web UI.
    What are you trying to use? The Web UI or WSM Policy Manager?

    V12.1.1 is a quite old version of the firewall software (April 2018) - so some of the selection options in the Web UI may be somewhat different that is shown in the CradlePoint doc. And we have no way of knowing for what version of the WG software that the CradlePoint doc represents

    The online Help for V12.1 is here:

    The instructions on setting up a VPN gateway, which is the 1st step, is here:
    Configure Manual BOVPN Gateways
    There are sections for doing this for both the Web UI and for WSM Policy Manager.

  • edited December 2020

    Thanks for great help. Here is my CradlePoint Ver 6.2.3 & using Web UI.
    This time, I simply want to use a VPN service. (WG m500 <=> CradlePoint)

  • You should be able to follow the examples now

  • edited December 2020

    Hi, You said setting up a site on the 'BOVPN Gateways' (Branch Office VPN).
    I think, That is working with the WG to WG.

    So it's not working at all, Have any idea? Thanks.

  • Perhaps there are settings which do not agree on each end.
    What do you see in Traffic Monitor related to IKE?

    Review this:
    Monitor and Troubleshoot BOVPN Tunnels

  • Did you add a new gateway for the CradlePoint ?
    If not you need to, and then set up a Tunnel entry for the local & remote subnets for the new Gateway.

  • edited December 2020

    It's said
    'Endpoint 1 - Message retry timeout. Check the connection between local and remote gateway endpoints'.

    I try most setting but same issue.
    If you want like information, I will send it by email. ([email protected])

  • Any diagnostic logs on the CradlePoint ?
    FYI - I have no experience with CradlePoints.

    You can turn on diagnostic logging for IKE which may show something more to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

    Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.

    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

  • "retry timeout" usually means that the other end is not responding.

  • edited December 2020

    [Run-time Info (tunnel IPSEC_SA)]
    "0" IPSEC SA(s) are found under tunnel "tunnel.1"

    No policy checker results for this tunnel(no P2SA found or some other error)

  • I checked the manual of the CradlePoint. (Top of Link)
    However, I couldn't find the WG manual.
    Maybe, Is it not connect to other companies devices?

  • "I couldn't find the WG manual" ?
    "Maybe, Is it not connect to other companies devices?"

    I have no idea what you mean by either of these statements.
    Please explain.

    Time to find a CradlePoint board to get help with it. You need to see diagnostic info related to the VPN connection attempt from the WG to the CradlePoint.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @NewDealUSA

    The manual for the firebox (fireware) is here:

    The firebox should treat the cradlepoint device just like any other external interface. So long as that interface is selected in the branch office gateway settings, the firewall will send traffic there.

    If you need assistance determining if the firewall is sending your VPN traffic to the cradlepoint, I'd suggest opening a support case so one of our reps can help.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @NewDealUSA
    I removed your two posts with log data (that were caught by the spam filter) and also removed the public IPs from your initial post. In the future, please make sure any logs you post here don't have identifiable information in them.

    If you need to post this data, I'd suggest opening a support case so it can be done in a secure way.

    -James Carson
    WatchGuard Customer Support

  • Bruce_Briggs,
    "I couldn't find the WG manual" ?
    As us know, Cradlepoint provided instructions on how to use the manual.
    (December 22, Cradlepoint to Watchguard Firebox.pdf)
    However, the WG Link site cannot find a connection to the Cradlepoint VPN service.

    "Maybe, Is it not connect to other companies devices?"
    So, my question is.... Can't WG support VPN service from third-party devices?

    I know, I don’t have any skills. but I want to connect somehow. Thanks.

  • Yes, one can create VPNs to many non-WG devices.

    You need diagnostic info from the Cradlepoint to
    1) identify if the Cradlepoint is getting any VPN initiating packets from the WG end
    2) if so, what setting where needs to be changed to make this work

Sign In to comment.