Establish BOVPN between Watchguard X750e and x20e using WatchGuard System Manager

Posted on 2007-08-01
Medium Priority
Last Modified: 2013-12-14
We are running a new Watchguard Firebox X750e (with Fireware 9.0 on a static IP Verizon Business DSL line via a Westell Versalink modem set to bridge mode) and are able to connect to and manage it remotely with Watchguard System Manager (WSM).

We are also running a Watchguard x20e on dynamic IP (DHCP Cable Modem) at an off site office.

We attempted to establish a BOVPN between the x750e and x20e while using WatchGuard Management System to centralize the management.  However, we are unable to establish the BOVPN after following the instructions from Watchguard.  We are able to connect via PPTP and establish a VPN.

During troubleshooting, we were able to use VPN Manager 7.3 (running off a Watchguard Firebox x700 on Verizon Business FiOS) to manage the x20e; but when we switched to WSM, the x20e shows "dvcp connection timed out" in its log and the x750e had no sign of the x20e making a connection.  We simply are unable to establish communication to make a hardware VPN.

One speculation is that the Westell Versalink is catching the connection request from the x20e and preventing it from connecting to the X750e.  Another speculation is that Verizon blocks the ports that allow VPN connections (which I think is horse hockey).

We know that a T-1 with a static IP in all locations would make this simple, but that is unfortunately not an option.  Sacked 2 consultants already...  Anyone?
Question by:medic4152
LVL 32

Assisted Solution

dpk_wal earned 600 total points
ID: 19614872
The WatchGuard Firebox Management policy (WG-Firebox-Mgmt) allows configuration and monitoring connections to be made to the Firebox. It uses the following:
- Internet Protocol(s): TCP
- Port Number(s): 4103, 4105, 4117, 4118

When you configure a Management Server, the WG-Mgmt-Server policy controls incoming connections to the Management Server. It uses the following:
- Internet Protocol(s): TCP
- Port Number(s): 4110, 4112, 4113

The WatchGuard Small Office Management policy (WG-SmallOffice-Mgmt) allows you to make a secure connection to SOHO and Edge Fireboxes from WatchGuard System Manager. It uses the following:
- Internet Protocol(s): TCP
- Port Number(s): 4109

Please make sure all the needed ports (listed above for specific policy) are opened on the ISP.

Also, make sure you have configured the following:

1. Enabled the remote management check box [under Administration > WSM Access].
2. Typed a status passphrase and a configuration passphrase for your Firebox X Edge. These passphrases must match the passphrases you use when you add the device to the Management Server, or the connection will fail.
3. In the Management Server Address text box, typed the IP address of the Management Server if it has a public IP address. If the Management Server has a private IP address, type the public IP address of the Firebox that protects the Management Server.
4. The Client Name you give your Edge to identify it in the Management Server configuration must match the name you use for the Edge when you add it to the Management Server configuration. Please remember that this name is case-sensitive.
5. Typed the Shared Key. This shared key must be the same on the Edge and the Management Server. The shared key can be obtained from your Management Server.

If all of the above have already been configured, then uncheck remote management on the X Edge, delete the device from the Central manager, push some other configuration, and then start afresh.

Thank you.
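The answer above says to make sure the management ports are open on the ISP. The script below is an added example, not WatchGuard code, that turns that advice into a repeatable check: it attempts a TCP handshake to each port of each policy and reports which ones never complete. A connection that times out rather than being refused is the signature of something on the path silently dropping the packets, which is what the question's "dvcp connection timed out" suggests. The policy-to-port table is copied from the answer; the host to test is whatever you pass in, and demo() uses a loopback listener as a constructed stand-in so it runs without a real Firebox.

```python
"""Added example (not WatchGuard code): TCP reachability check for the WatchGuard
management ports listed in the answer above."""
import socket

# Policy name -> TCP ports, exactly as listed in the answer above.
WG_MGMT_PORTS = {
    "WG-Firebox-Mgmt": (4103, 4105, 4117, 4118),
    "WG-Mgmt-Server": (4110, 4112, 4113),
    "WG-SmallOffice-Mgmt": (4109,),
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused connection and a timeout both count as unreachable; a timeout
    usually means a device on the path (ISP filter, bridged modem, another
    firewall) is dropping the SYN rather than answering it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_policy_ports(host, policies=WG_MGMT_PORTS, timeout=3.0):
    """Check every port of every policy against host; return {policy: {port: ok}}."""
    return {name: {port: tcp_reachable(host, port, timeout) for port in ports}
            for name, ports in policies.items()}


def blocked_ports(results):
    """Flatten check_policy_ports() output into a sorted list of (policy, port) that failed."""
    return sorted((name, port) for name, ports in results.items()
                  for port, ok in ports.items() if not ok)


def demo():
    """Run the checker against a loopback listener (constructed stand-in for a
    Firebox) plus one port nothing listens on, so both outcomes are shown
    without touching a real device. Returns (results, open_port, closed_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # the kernel completes handshakes even without accept()
    open_port = srv.getsockname()[1]
    # Bind-then-close a second socket to obtain a port that is not listening.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        # Hypothetical policy map for the demo: one reachable port, one not.
        results = check_policy_ports(
            "127.0.0.1", {"WG-Firebox-Mgmt": (open_port, closed_port)}, timeout=1.0)
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python this_script.py <public IP of the Firebox or Management Server>
        res = check_policy_ports(sys.argv[1])
    else:
        res, _, _ = demo()
    for policy, ports in res.items():
        for port, ok in sorted(ports.items()):
            print(f"{policy:22s} tcp/{port:<5d} {'open' if ok else 'BLOCKED'}")
```

Run it from the remote site against the x750e's public address to test WG-Firebox-Mgmt, and from the Edge's side against the Management Server's public address for WG-Mgmt-Server; run it from the main site against the Edge's current address for WG-SmallOffice-Mgmt. A port that shows open from one site and blocked from the other points at the ISP or modem on the blocked side rather than at the Firebox.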
LVL 13

Expert Comment

ID: 19625667
Establishing a Manual BOVPN connection between the two devices would be very straightforward.  I have 7 Edges using a mixture of dynamic and static addressing connecting to an X700 running Fireware Pro.  You simply need to use aggressive mode and use a domain name (basically a Firebox alias) in lieu of a remote IP when defining the remote gateway.

Setting up WSM for 2 devices seems somewhat excessive in terms of effort and cost when it is so straightforward and reliable to use Manual IPSec.

Granted, you're the customer, but my advice and, incidentally, the advice of a senior Watchguard techie here in the UK was to forget WSM and use aggressive mode.

The only main management advantage using WSM with an Edge is to use a centralised webblocker policy, but you only have the one Edge to manage.  Remote management would be straightforward - simply allow HTTPS and either

1) check the logs for the most recent dynamic address
2) Set up the Firebox to use dynamic DNS and ping it when you need to find out IP

If you're happy to stick with manual BOVPN, I can post detailed instructions on getting the two talking.

Expert Comment

ID: 19627497
Agreed, I have over 120 Edges/Edge-e/and SOHO6s connecting to our central office. All are using manual BOVPN.

Setup, even with DDNS, is fairly simple.  Aggressive mode is only needed when you are traversing NAT. It sounds like you are not. You should be able to use main mode.

You will end up using an IP ID type on the x750e, and Domain Name for the x20e.

Author Comment

ID: 19630009
Hi all, I have been on the phone with Watchguard Tech Support for over 3 hours yesterday and it got elevated to second level.

The Watchguard tech was unable to establish the BOVPN after logging into my Firebox x750e and Edge x20e.  Second level support's initial comment is that it could be a firmware issue.  Apparently v8.5.1 (the latest release) has problems working with Watchguard System Manager.

Using WSM, we are able to connect to the Edge X20e initially and download all the necessary settings to the Edge.  But once the Edge reboots, nothing.  It didn't connect to the WSM with its updated IP address so the BOVPN can be established.  That's where the hang up is.

We have absolutely no problem using VPN Manager 7.3 managing the Edge x20e's BOVPN connection with our Firebox X700 using the same exact Edge box.
LVL 32

Expert Comment

ID: 19630097
It would be a good idea to upgrade to the latest 9.0, as it is available and has fixes for many known issues and bugs in the previous releases.

Author Comment

ID: 19631219
Hi all,

Manual VPN sounds good at this point; while Watchguard figures out WSM.  Would Hastile please post the instruction?

I wasn't clear on what Watchguard related back.  The X750e is running Fireware 9.0.  The firmware on the Edge box is v8.5 and, according to Watchguard, WSM seems to have problems managing the Edge x20e with that firmware.  Watchguard is proposing to downgrade the Edge's firmware to v8.0 to resolve the issue.

Connecting the same Edge x20e to the Firebox X700 using VPN Manager 7.3 (completely separate) has no issues whatsoever.
LVL 13

Expert Comment

ID: 19631575
I have version 9 on my work laptop.  We are still running 8.3, so my current notes are inaccurate.  If you can wait until Monday morning (GMT) - I will post instructions.

Author Comment

ID: 19632849
Hi Hastiles,

I can wait until Monday.  Thanks.
LVL 13

Accepted Solution

hstiles earned 900 total points
ID: 19636942

Main site: Firebox x750e running FW Pro 9

Remote site: Edge running v8.x firmware

Firebox X 750e
Click on VPN, Branch Office Gateways, Choose Add

New Gateway
Gateway Name - gw-test
Pre-shared key - make it at least 15 characters
Gateway endpoint - local gateway ID by IP Address (external IP of X750e)
                   remote gateway ID by Domain Name, also gw-test, use dynamic address
Phase 1 settings - aggressive mode, SHA1-3DES, NAT Traversal and SA Life 24 hours

VPN tunnels
create new tunnel called vpn-test using gateway gw-test
Tunnel route settings remote address, local address enabled both directions

Now on the Edge

Click on VPN, manual VPN and add new gateway
Name - vpn-test
Shared key - as above
Phase 1 settings:
  aggressive mode
  Remote IP Address - local ID: gw-test, type Domain Name
  Remote ID: external address of Firebox 750e, type IP Address
  Expires: 0 KB, 24 hours
Phase 2 settings - same as phase 1

add routing policy from (local) to (remote)

that should work
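
The accepted answer's layout hinges on one thing: the ID the X750e presents as its local gateway ID (its external address, type IP Address) has to be exactly what the Edge enters as its remote ID, and the name the Edge presents as its local ID (gw-test, type Domain Name) has to be exactly what the X750e enters as its remote gateway ID. Get one of those crossed and aggressive-mode Phase 1 never matches a peer. The script below is an added example, not WatchGuard or Fireware code, that models both ends as dictionaries and checks the pairing, the pre-shared key length the answer recommends, the ID type a dynamic endpoint needs, and that the Phase 1 proposal and lifetime agree. The external IP (203.0.113.10, a documentation address), the key string and the field names are this example's own placeholders.

```python
"""Added example (not WatchGuard code): consistency check for the two-sided
aggressive-mode BOVPN settings in the accepted answer above."""
import ipaddress

# Phase 1 ID types as named in the WatchGuard dialogs quoted in the answer.
IP_ID = "IP Address"
DOMAIN_ID = "Domain Name"

HQ_EXTERNAL_IP = "203.0.113.10"          # placeholder for the X750e's static external IP
PSK = "correct horse battery staple 42"  # placeholder; the answer says 15+ characters


def gateway(name, psk, local_id, local_id_type, remote_id, remote_id_type,
            dynamic=False, mode="aggressive", proposal="SHA1-3DES", sa_life_hours=24):
    """One end of the tunnel as a plain dict (field names are this example's own)."""
    return {"name": name, "psk": psk,
            "local_id": local_id, "local_id_type": local_id_type,
            "remote_id": remote_id, "remote_id_type": remote_id_type,
            "dynamic": dynamic, "mode": mode, "proposal": proposal,
            "sa_life_hours": sa_life_hours}


def _ip_id_problems(gw):
    """An ID typed as IP Address must parse as one; a hostname in that field is a common slip."""
    for side in ("local", "remote"):
        if gw[f"{side}_id_type"] == IP_ID:
            try:
                ipaddress.ip_address(gw[f"{side}_id"])
            except ValueError:
                yield f"{gw['name']}: {side} ID '{gw[f'{side}_id']}' is typed {IP_ID} but is not an IP address"


def check_pair(a, b, min_psk_len=15):
    """Return a list of problems; an empty list means the two ends should negotiate."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared key differs between the two ends")
    elif len(a["psk"]) < min_psk_len:
        problems.append(f"pre-shared key is shorter than {min_psk_len} characters")
    for gw in (a, b):
        if gw["mode"] != "aggressive":
            problems.append(f"{gw['name']}: Phase 1 mode is {gw['mode']}; a dynamic peer needs aggressive")
        if gw["dynamic"] and gw["local_id_type"] != DOMAIN_ID:
            problems.append(f"{gw['name']}: dynamic endpoint must identify by {DOMAIN_ID}, "
                            "not by an address that changes")
        problems.extend(_ip_id_problems(gw))
    # The cross-check: my local ID is your remote ID, same value and same type, both ways.
    for x, y in ((a, b), (b, a)):
        if (x["local_id"], x["local_id_type"]) != (y["remote_id"], y["remote_id_type"]):
            problems.append(f"{x['name']} local ID ({x['local_id_type']}: {x['local_id']}) does not "
                            f"match {y['name']} remote ID ({y['remote_id_type']}: {y['remote_id']})")
    for field in ("proposal", "sa_life_hours"):
        if a[field] != b[field]:
            problems.append(f"Phase 1 {field} differs: {a[field]} vs {b[field]}")
    return problems


def example_configs():
    """The pairing from the accepted answer: static side by IP, dynamic side by name."""
    x750e = gateway("X750e gw-test", PSK,
                    local_id=HQ_EXTERNAL_IP, local_id_type=IP_ID,
                    remote_id="gw-test", remote_id_type=DOMAIN_ID)
    edge = gateway("X20e vpn-test", PSK,
                   local_id="gw-test", local_id_type=DOMAIN_ID,
                   remote_id=HQ_EXTERNAL_IP, remote_id_type=IP_ID, dynamic=True)
    return x750e, edge


def misconfigured_example():
    """Same pair with the Edge's local and remote IDs entered the wrong way round."""
    x750e, edge = example_configs()
    edge["local_id"], edge["remote_id"] = edge["remote_id"], edge["local_id"]
    edge["local_id_type"], edge["remote_id_type"] = edge["remote_id_type"], edge["local_id_type"]
    return x750e, edge


if __name__ == "__main__":
    for label, pair in (("as in the answer", example_configs()),
                        ("Edge IDs swapped", misconfigured_example())):
        found = check_pair(*pair)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Comparison is exact and case-sensitive on purpose: IKE identity payloads are matched byte for byte, so "GW-Test" on one side and "gw-test" on the other is a mismatch, in the same way the earlier answer notes the WSM client name is case-sensitive.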

Author Comment

ID: 19650866
End of the day, we do have a Manual BOVPN up, but not managed by WSM.  I still believe the issue lies in WSM not working well with Edge box's firmware.  

Thank you both for your expert assistance.
