Solved

BOVPN between Firebox Edge X20e and Core X1250e

Posted on 2009-04-01
826 Views
Last Modified: 2013-11-16
I'm very much a novice when it comes to Watchguard products and networking between subnets, so I need some suggestions as to whether I'm on the right track for my project. Please be kind :)

I've recently been told that the VLAN connecting two of my buildings is being cut, so I'll have to come up with some sort of VPN solution. I already have a Firebox Core 1250e (central office, site A) and have been looking at a Firebox Edge X20e for the "Branch Office" or site B. This is for a university, so all IP addresses are public class B, but for example purposes I'll change the first part of the address to 192.168.actual.ipaddress.

The current network (site A) is using 192.168.11.0/25; site B will use 192.168.62.128/26. Site B will only have 2 users and ~15 devices. Both firewalls are configured in Drop-in Mode.

Site A (Core) firewall is currently configured with a trusted interface of 192.168.11.40 (gateway set to 192.168.11.1).
Site B (Edge) firewall may be configured with a trusted interface of 192.168.62.180 (gateway 192.168.62.127?). The Edge will also be acting as a DHCP server, and will use the DNS/WINS servers from site A.

My limited understanding of BOVPNs is that a BOVPN is a permanent(ish) IPSec VPN, so that instead of individual users connecting using PPTP/IPSec/SSL, one connection is made from the local firewall to the remote firewall. By using keepalives the connection should stay up indefinitely. Is this correct?

It's very important that sites A and B can communicate just as before. Is this as simple as putting the DNS/WINS servers for Site A's servers into the Edge device?

Is the Edge X20e the best solution or could I go down to the X10e?

Thanks for your help!
Question by:futureman0
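As an added sanity check for the address plan above (example code added here, not from the original thread or from Watchguard), the script below takes the anonymised networks, firewall interfaces and gateways from the question and checks what a site-to-site IPsec tunnel needs: non-overlapping protected networks and host addresses that actually fall inside their own subnet. The site dictionaries are constructed from the question; the function name and layout are this example's own.

```python
# Added example: sanity-check a two-site BOVPN (site-to-site IPsec) address
# plan before configuring the tunnel. Addresses are the anonymised values
# from the question, not real university ranges.
import ipaddress


def check_bovpn_plan(site_a, site_b):
    """Return a list of problems found in the plan (empty list means OK).

    Each site is a dict with 'network', 'firewall' and 'gateway' strings.
    Checks performed:
      - the firewall interface and the gateway lie inside their own network
      - neither is the network or broadcast address of that network
      - the two protected networks do not overlap (IPsec selectors and
        routing cannot distinguish overlapping ranges)
    """
    problems = []
    nets = {}
    for name, site in (("A", site_a), ("B", site_b)):
        net = ipaddress.ip_network(site["network"], strict=True)
        nets[name] = net
        for role in ("firewall", "gateway"):
            addr = ipaddress.ip_address(site[role])
            if addr not in net:
                problems.append(f"site {name}: {role} {addr} is not inside {net}")
            elif addr in (net.network_address, net.broadcast_address):
                problems.append(
                    f"site {name}: {role} {addr} is the network or broadcast address of {net}"
                )
    if nets["A"].overlaps(nets["B"]):
        problems.append(f"networks {nets['A']} and {nets['B']} overlap")
    return problems


# Constructed from the question. Note that 192.168.62.128/26 covers hosts
# .129-.190, so the tentative gateway 192.168.62.127 falls outside it.
SITE_A = {"network": "192.168.11.0/25", "firewall": "192.168.11.40", "gateway": "192.168.11.1"}
SITE_B = {"network": "192.168.62.128/26", "firewall": "192.168.62.180", "gateway": "192.168.62.127"}

if __name__ == "__main__":
    for line in check_bovpn_plan(SITE_A, SITE_B) or ["plan looks consistent"]:
        print(line)
```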
2 Comments
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 24046181
First thing, none of the Firebox X Edge series can be configured in drop-in mode, so the Edge would always do NAT for any/all devices behind it. If you need drop-in mode you need an X550e or higher [you might be better off looking at some other vendor like FortiGate in this case for cost considerations].

For VPN your observations are correct; ideally the VPN tunnel is not supposed to go down. However, sometimes the tunnels flap, but that can be looked into.

If you would have a max of 15 devices connecting to the internet, then the X10e would fit your requirement; for more users either get a user upgrade or move to the X20e.

Once the site-to-site VPN is up between the sites, it would be like accessing the networks as before; however, you might experience some latency compared to the earlier user experience.

Thank you.
Author Comment

by:futureman0
ID: 24052942
Thanks for the information about the Edge series not doing drop-in mode. That saved me a lot of hassle. I'd rather stick to the Watchguard family of products; I can get the X550e with a nice discount. Still, it seems like a huge waste just for 15 devices.
