
Watchguard, Firebox, X700

Last Modified: 2013-11-16
We have a network of VPNs managed by DVCP on our X700 in the center and X20s on the client sides.

X700 has trust network: 192.168.1.0/24; X20e (1) is 192.168.60.0/24, and X20e (2) is 192.168.50.0/24

We would like the ability to access 192.168.60.0/24 from 192.168.50.0/24 and vice versa.  We know the VPN tunnels are working and we have no problem accessing either network from the X700 and vice versa.

Any help is appreciated.

CERTIFIED EXPERT
Top Expert 2007

Commented:
Are you using VPN Manager to configure your VPN tunnels? Which software version of WSM are you using?

Normally this is how we would create VPN tunnels (manually):

Main site -
  Gateway g1 and tunnel t1 - for X20e(1)
  Gateway g2 and tunnel t2 - for X20e(2)
  You would have routing policies on main site as:
   192.168.1.0/24 192.168.60.0/24 t1
   192.168.1.0/24 192.168.50.0/24 t2

  You would need to add policies:
   192.168.50.0/24 192.168.60.0/24 t1
   192.168.60.0/24 192.168.50.0/24 t2

Remote site - 1
  You would have routing policies as:
   192.168.60.0/24 192.168.1.0/24 tunnel-on-remote
  Add
   192.168.60.0/24 192.168.50.0/24 tunnel-on-remote

Remote site - 2
  You would have routing policies as:
   192.168.50.0/24 192.168.1.0/24 tunnel-on-remote
  Add
   192.168.50.0/24 192.168.60.0/24 tunnel-on-remote

Thank you.
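The policy layout in the answer above, worked through as an added example (not part of the original thread and not WatchGuard tooling): it derives the per-device routing policies for spoke-to-spoke traffic through the hub and checks that every policy has a mirrored entry on its peer, which policy-based IPsec tunnels need before the selectors will match. The device names and subnets are the ones given in the question; the function names and tuple layout are assumptions made for illustration.

```python
from ipaddress import ip_network
from itertools import permutations

HUB = "X700"
SITES = {  # trusted networks as stated in the question
    "X700": ip_network("192.168.1.0/24"),
    "X20e(1)": ip_network("192.168.60.0/24"),
    "X20e(2)": ip_network("192.168.50.0/24"),
}

def build_policies(sites, hub):
    """Return {device: {(local, remote, peer)}} for a hub-and-spoke VPN
    where spoke-to-spoke traffic is relayed through the hub."""
    spokes = [s for s in sites if s != hub]
    pol = {d: set() for d in sites}
    for s in spokes:
        # Existing policies: hub trusted network <-> each spoke.
        pol[hub].add((sites[hub], sites[s], s))
        pol[s].add((sites[s], sites[hub], hub))
    for a, b in permutations(spokes, 2):
        # Added policies: spoke a reaches spoke b over its tunnel to the hub,
        # and the hub forwards a's network into the tunnel that leads to b.
        pol[a].add((sites[a], sites[b], hub))
        pol[hub].add((sites[a], sites[b], b))
    return pol

def unmirrored(pol):
    """List policies whose peer lacks the reversed (remote, local) entry."""
    return sorted((d, str(l), str(r), p)
                  for d, rules in pol.items()
                  for (l, r, p) in rules
                  if (r, l, d) not in pol[p])

def overlapping(sites):
    """Pairs of sites whose subnets overlap, which makes routing ambiguous."""
    names = sorted(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]

if __name__ == "__main__":
    policies = build_policies(SITES, HUB)
    for device, rules in policies.items():
        print(device)
        for local, remote, peer in sorted(rules, key=str):
            print(f"  {local} -> {remote}  via tunnel to {peer}")
    print("unmirrored:", unmirrored(policies))
    print("overlapping:", overlapping(SITES))
```
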

Author

Commented:
We are running VPN Manager 7.3, and the dvcp server is on the X700 which runs WSM 7.3.

Sorry to sound dumb, but would you give us a more detailed instruction on where to add such policies?

Thanks, Michael
CERTIFIED EXPERT
Top Expert 2007

Commented:
As you are running VPN manager; you would have got the policies, tunnel and gateway all created automatically for you. In policy manager, Setup, BOVPN; you can look at the configuration. If you wish to configure the VPN manually you need to configure the routing policies here.

For VPN manager I would need to look as I don't remember exactly; I remember that we would need to add subnets; I am not sure if it would be possible using VPN manager, but I had configured it manually once.

Please give me one day so I can give you step-by-step details on how to configure using VPN manager.

Thank you.

Author

Commented:
No problem!  Please take your time! -Michael
CERTIFIED EXPERT
Top Expert 2007

Commented:
In VPN manager, make a new policy template for X700 as follows:
1. Select the device.
2. Right-click and select Insert Policy or click the Insert Policy Template icon.
3. Type a policy name [e.g., pol1].
4. Select the disposition for this policy as secure.
5. Click Add to add a network address [192.168.60.0/24] to the tunnel policy.
6. Click OK.

Repeat above steps and add another policy for 192.168.50.0/24 subnet.

Drag-drop from X20e(1) to X700; select policy template; for X20e(1) use the pre-existing one, for X700 use pol2 [the one created for .50.0/24 subnet]; click Next; select security template [the ones you have used earlier]; click Next; select the checkbox Restart devices now to download VPN configuration. Click Finish to restart the devices and deploy the VPN tunnel.

Repeat for X20e(2); just remember to set policy template on X700 as pol1 instead of pol2.

Please implement and advise if this works.

PS: I would strongly recommend creating a backup so that any accidental misconfiguration would not hamper your current setup and work.

Thank you.

Author

Commented:
We have a hard time getting this to work...
Any way we can do it manually on the x20e boxes individually and making this work?
CERTIFIED EXPERT
Top Expert 2007

Commented:
Well I was thinking about having a mixed environment with VPN manager and manual tunnel for the same boxes; I am not sure if this would work.

As you have both the X20e connected to VPN manager why don't you create a direct VPN tunnel from X20e(1) to X20e(2); this would be a good idea as this would ensure less congestion on X700; also the latency for data travelling over the VPN tunnel from X20e(1) to X20e(2) and back would be low.

For this all you need to do is drag-drop from X20e(1) to X20e(2) and then follow the wizard; that's it!

By default X20e comes with 10 BOVPN licenses, so I think license should not be a limitation.

What do you say?

Author

Commented:
Well, that would be ideal, except both X20es are dynamic IP'ed and managed by the X700 via DVCP; that's why we thought of sending the traffic via the X700.  The X700 is on a static T-1 line; and the two specific X20es are on ADSL lines.

Any suggestions? - Michael

Author

Commented:
Sorry, I mis-read the message.  We'll give that a try on the weekend when office is closed.
-Michael

Commented:
It's quite easy to configure manual BOVPN with dynamic IP addresses.

You simply use domain name rather than IP Address to identify the remote gateway (e.g. gw-test or similar), use a nice long shared secret and set the gateway type to aggressive.
CERTIFIED EXPERT
Top Expert 2007
Commented:

Commented:
Granted, although you could use dynamic DNS.

If you want to mesh them, DVCP is probably your only option.

Author

Commented:
I do agree with hstiles that DVCP is probably the only option here and meshing them would be most ideal.  We read all the available documentation on this for the last two weeks and we are still vague on how to go about meshing them using DVCP.

Would you by any chance have a step by step instruction?

Thanks, Mike