medic4152 asked:
Watchguard, Firebox, X700

We have a network of VPNs managed by DVCP, with our X700 in the center and X20s on the client sides.

X700 has trust network: 192.168.1.0/24; X20e (1) is 192.168.60.0/24, and X20e (2) is 192.168.50.0/24

We would like the ability to access 192.168.60.0/24 from 192.168.50.0/24 and vice versa.  We know the VPN tunnels are working and we have no problem accessing either network from the X700 and vice versa.

Any help is appreciated.
dpk_wal:
Are you using VPN Manager to configure your VPN tunnels? Which software version of WSM are you using?

Normally this is how we would create VPN tunnels (manually):

Main site -
  Gateway g1 and tunnel t1 - for X20e(1)
  Gateway g2 and tunnel t2 - for X20e(2)
  You would have routing policies on main site as:
   192.168.1.0/24 192.168.60.0/24 t1
   192.168.1.0/24 192.168.50.0/24 t2

  You would need to add policies:
   192.168.50.0/24 192.168.60.0/24 t1
   192.168.60.0/24 192.168.50.0/24 t2

Remote site - 1
  You would have routing policies as:
   192.168.60.0/24 192.168.1.0/24 tunnel-on-remote
  Add
   192.168.60.0/24 192.168.50.0/24 tunnel-on-remote

Remote site - 2
  You would have routing policies as:
   192.168.50.0/24 192.168.1.0/24 tunnel-on-remote
  Add
   192.168.50.0/24 192.168.60.0/24 tunnel-on-remote

Thank you.
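The policy tables above are easy to get wrong in two ways: a selector pair added on the hub's tunnel but not mirrored on the spoke (the IPsec phase-2 selectors then do not match), or the two new hub policies attached to the wrong tunnels. The script below is an added example, not part of the original thread or of any WatchGuard tool; it models the (local network, remote network, tunnel) tuples dpk_wal listed and checks both conditions before anything is pushed to the fireboxes. The device LANs and policy tuples are the thread's; the mapping of hub tunnels t1/t2 to the two spokes, the spoke tunnel name "tunnel-on-remote", and the host addresses used in the traces are assumptions.

```python
"""Hub-and-spoke BOVPN tunnel-route consistency check (added example).

Models tunnel routing policies as (local, remote, tunnel) tuples and checks:
  1. every selector pair on a hub tunnel is mirrored on the spoke's end;
  2. a packet is selected at every hop of a spoke -> hub -> spoke path.
Hub-tunnel-to-spoke mapping and the trace addresses are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Policy(NamedTuple):
    local: IPv4Network
    remote: IPv4Network
    tunnel: str


def pol(local: str, remote: str, tunnel: str) -> Policy:
    return Policy(ip_network(local), ip_network(remote), tunnel)


# Trusted networks behind each device (from the thread).
LANS: Dict[str, IPv4Network] = {
    "X700": ip_network("192.168.1.0/24"),
    "X20e(1)": ip_network("192.168.60.0/24"),
    "X20e(2)": ip_network("192.168.50.0/24"),
}
# Hub tunnel -> (spoke device, the spoke's own name for that tunnel). Assumed.
HUB_TUNNELS: Dict[str, Tuple[str, str]] = {
    "t1": ("X20e(1)", "tunnel-on-remote"),
    "t2": ("X20e(2)", "tunnel-on-remote"),
}
# Policies that exist before the change (hub <-> each spoke only).
BASE: Dict[str, List[Policy]] = {
    "X700": [pol("192.168.1.0/24", "192.168.60.0/24", "t1"),
             pol("192.168.1.0/24", "192.168.50.0/24", "t2")],
    "X20e(1)": [pol("192.168.60.0/24", "192.168.1.0/24", "tunnel-on-remote")],
    "X20e(2)": [pol("192.168.50.0/24", "192.168.1.0/24", "tunnel-on-remote")],
}
# The additions proposed above for spoke-to-spoke traffic through the hub.
ADDED: Dict[str, List[Policy]] = {
    "X700": [pol("192.168.50.0/24", "192.168.60.0/24", "t1"),
             pol("192.168.60.0/24", "192.168.50.0/24", "t2")],
    "X20e(1)": [pol("192.168.60.0/24", "192.168.50.0/24", "tunnel-on-remote")],
    "X20e(2)": [pol("192.168.50.0/24", "192.168.60.0/24", "tunnel-on-remote")],
}


def merged(*configs: Dict[str, List[Policy]]) -> Dict[str, List[Policy]]:
    out: Dict[str, List[Policy]] = {}
    for cfg in configs:
        for dev, pols in cfg.items():
            out.setdefault(dev, []).extend(pols)
    return out


# A plausible mistake: the two new hub policies attached to the wrong tunnels.
SWAPPED = merged(BASE, {
    "X700": [pol("192.168.50.0/24", "192.168.60.0/24", "t2"),
             pol("192.168.60.0/24", "192.168.50.0/24", "t1")],
    "X20e(1)": ADDED["X20e(1)"], "X20e(2)": ADDED["X20e(2)"]})


def mirror_mismatches(cfg: Dict[str, List[Policy]], hub: str = "X700") -> List[str]:
    """Selector pairs on one end of a tunnel that the other end does not mirror."""
    problems: List[str] = []
    for hub_tun, (spoke, spoke_tun) in HUB_TUNNELS.items():
        hub_sel = {(p.local, p.remote) for p in cfg.get(hub, []) if p.tunnel == hub_tun}
        # A spoke policy (local, remote) mirrors a hub policy (remote, local).
        spoke_sel = {(p.remote, p.local) for p in cfg.get(spoke, []) if p.tunnel == spoke_tun}
        for loc, rem in hub_sel - spoke_sel:
            problems.append(f"{hub} {hub_tun} {loc}->{rem} has no mirror on {spoke}")
        for h_loc, h_rem in spoke_sel - hub_sel:
            problems.append(f"{spoke} {spoke_tun} {h_rem}->{h_loc} has no mirror on {hub} {hub_tun}")
    return problems


def _device_for(addr: IPv4Address) -> str:
    for dev, lan in LANS.items():
        if addr in lan:
            return dev
    raise ValueError(f"{addr} is behind no known device")


def _selected(cfg, dev: str, tunnel: str, src, dst, outbound: bool) -> bool:
    """Outbound: src in local and dst in remote. Inbound: the reverse."""
    for p in cfg.get(dev, []):
        if p.tunnel != tunnel:
            continue
        if outbound and src in p.local and dst in p.remote:
            return True
        if not outbound and src in p.remote and dst in p.local:
            return True
    return False


def trace(cfg, src: str, dst: str, hub: str = "X700") -> List[str]:
    """Hops where a src->dst packet is NOT selected into or out of a tunnel.
    Empty list means the path works. Spokes only have tunnels to the hub."""
    s, d = ip_address(src), ip_address(dst)
    s_dev, d_dev = _device_for(s), _device_for(d)
    if s_dev == d_dev:
        return []  # same LAN, never enters a tunnel
    tun_to = {spoke: hub_tun for hub_tun, (spoke, _) in HUB_TUNNELS.items()}
    hops = []  # (device, tunnel, outbound?)
    if s_dev != hub:
        hops += [(s_dev, HUB_TUNNELS[tun_to[s_dev]][1], True), (hub, tun_to[s_dev], False)]
    if d_dev != hub:
        hops += [(hub, tun_to[d_dev], True), (d_dev, HUB_TUNNELS[tun_to[d_dev]][1], False)]
    return [f"{dev} {'out' if o else 'in'} via {tun}"
            for dev, tun, o in hops if not _selected(cfg, dev, tun, s, d, o)]


if __name__ == "__main__":
    for name, cfg in (("base", BASE), ("with additions", merged(BASE, ADDED)), ("swapped", SWAPPED)):
        print(name, "| .50 -> .60 missing at:", trace(cfg, "192.168.50.10", "192.168.60.10"))
        print(name, "| mirror problems:", mirror_mismatches(cfg))
```

With only the original hub-to-spoke policies the trace reports all four hops missing for .50 to .60 traffic; with the four added policies it reports none, and the mirror check is clean. In the swapped variant the spokes still look fine from their own side, but the hub fails to select the packet both inbound and outbound and the mirror check flags four unmatched selector pairs, which is exactly the symptom of tunnels that come up but pass no spoke-to-spoke traffic.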
medic4152 (asker):
We are running VPN Manager 7.3, and the dvcp server is on the X700 which runs WSM 7.3.

Sorry to sound dumb, but would you give us a more detailed instruction on where to add such policies?

Thanks, Michael
As you are running VPN Manager, the policies, tunnel and gateway would all have been created automatically for you. In Policy Manager, under Setup, BOVPN, you can look at the configuration. If you wish to configure the VPN manually, you need to configure the routing policies here.

For VPN Manager I would need to look, as I don't remember exactly; I remember that we would need to add subnets. I am not sure if it would be possible using VPN Manager, but I have configured it manually once.

Please give me one day so I can give you step-by-step details on how to configure this using VPN Manager.

Thank you.
No problem!  Please take your time! -Michael
In VPN Manager, make a new policy template for the X700 as follows:
1. Select the device.
2. Right-click and select Insert Policy or click the Insert Policy Template icon.
3. Type a policy name [for example, pol1].
4. Select the disposition for this policy as secure.
5. Click Add to add a network address [192.168.60.0/24] to the tunnel policy.
6. Click OK.

Repeat the above steps and add another policy [pol2] for the 192.168.50.0/24 subnet.

Drag and drop from X20e(1) to X700; select the policy template: for X20e(1) use the pre-existing one, for X700 use pol2 [the one created for the .50.0/24 subnet]; click Next; select the security template [the ones you have used earlier]; click Next; select the checkbox "Restart devices now to download VPN configuration". Click Finish to restart the devices and deploy the VPN tunnel.

Repeat for X20e(2); just remember to set the policy template on X700 as pol1 instead of pol2.

Please implement and advise if this works.

PS: I would strongly recommend creating a backup so that any accidental misconfiguration does not hamper your current setup and work.

Thank you.
We are having a hard time getting this to work...
Is there any way we can do it manually on the X20e boxes individually and make this work?
Well, I was thinking about having a mixed environment with VPN Manager and a manual tunnel for the same boxes; I am not sure if this would work.

As you have both X20e devices connected to VPN Manager, why don't you create a direct VPN tunnel from X20e(1) to X20e(2)? This would be a good idea as it would ensure less congestion on the X700; also the latency for data travelling over the VPN tunnel from X20e(1) to X20e(2) and back would be lower.

For this, all you need to do is drag and drop from X20e(1) to X20e(2) and then follow the wizard; that's it!

By default the X20e comes with 10 BOVPN licenses, so I think licensing should not be a limitation.

What do you say?
Well, that would be ideal, except both X20es have dynamic IPs and are managed by the X700 via DVCP; that's why we thought of sending the traffic via the X700. The X700 is on a static T-1 line, and the two X20es in question are on ADSL lines.

Any suggestions? - Michael
Sorry, I misread the message. We'll give that a try on the weekend when the office is closed.
-Michael
It's quite easy to configure a manual BOVPN with dynamic IP addresses.

You simply use a domain name rather than an IP address to identify the remote gateway (e.g. gw-test or similar), use a nice long shared secret and set the gateway type to aggressive.
ASKER CERTIFIED SOLUTION
dpk_wal
Granted, although you could use dynamic DNS.

If you want to mesh them, DVCP is probably your only option.
I do agree with hstiles that DVCP is probably the only option here and that meshing them would be ideal. We have read all the available documentation on this for the last two weeks and we are still vague on how to go about meshing them using DVCP.

Would you by any chance have step-by-step instructions?

Thanks, Mike