Setting up site-to-site on WatchGuard

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


Configuring the tunnel on the WatchGuard Management Interface

1. Open Fireware Web UI

2. In the left panel, select VPN, then Branch Office VPN

3. Under Gateways select ADD. The following window will open (make sure the General Settings tab is displayed)


4. Under Gateway Name fill in a name of your own choice

5. Select Use Pre-Shared Key and insert the Shared Secret you have generated (we will also need this value on our end)

6. Under Gateway Endpoint select ADD

7. Fill in the following information:

  • Local Gateway 
  • - External Interface: External
  • - Interface IP Address: Primary Interface IP Address


  • Remote Gateway:
  • - Select Static IP Address and enter the IP of your NordLayer dedicated server
  • - Select By IP Address and enter your the IP of your NordLayer dedicated server
  • Advanced:
  • - Select "Specify a different pre-shared key for each gateway endpoint" and enter the Shared Secret

Leave the rest of the fields with the default values.


8. Go to the Phase 1 Settings tab and fill in the following information:

  • Version: IKEv1 (IKEv2 recommended if your device supports it)
  • Mode: Main
  • NAT Traversal: Check
  • Keep-alive Interval: 20 seconds
  • IKE Keep-alive: Check
  • Message Interval: 30 seconds
  • Max failures: 5
  • Dead Peer Detection (RFC3706): Check
  • Traffic idle timeout: 20 seconds
  • Max retries: 5

9. Go to the Transform Settings and select ADD. Fill in the following information:

  • Authentication: SHA2-256
  • Encryption: AES(256-bit)
  • SA Life: 24 hours
  • Key Group: Diffie-Hellman Group 14

10. Go back to the Branch Office VPN page. Under Tunnel select ADD

  • Name: Fill in a name of your choice.
  • Gateway: Choose the gateway that you have just created.

11. Go to the Addresses tab and select ADD

  • Local IP: Any (
  • Remote IP: Network IPv4;
  • Direction: bi-directional

Leave the rest of the fields with default values (including the NAT tab).

Screenshot_2021-05-26_at_17.43.27.png12. Go to the Phase 2 Settings

13. Check Enable Perfect Forward Secrecy and select Diffie-Hellman Group 14

14. Under IPSec Proposals choose ESP-AES256-SHA256 then select ADD

15. Select Save (leave the settings in the Multicast Settings tab alone)


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

Return to top