
BOVPN between Firebox Core x550e and x1250e

Posted on 2009-04-10
Last Modified: 2013-11-16
I'm setting up a BOVPN between two Watchguard core firewalls. Before I installed the x550 at siteB I wanted to verify the settings. See below for the breakdown for each site. These are public class B subnets, no NAT.

Site A (primary, original network, x1250e) Drop in Mode
Subnet  x.x.11.0/25
Trusted Int x.x.11.40
Gateway x.x.11.1
No DHCP, DHCP handled by Windows server
BOVPN Configurations:
Local Gateway  x.x.11.40
Remote Gateway x.x.64.130
Gateway ID  x.x.64.130
Same Pre-Shared Key
Default Phase1 settings, Except checked IKE Keep-Alive
Tunnel Settings:
Local: x.x.11.0/25
Remote x.x.64.128/27
Default Phase2 settings
Policy: Any: SiteB
Policy: SiteB: Any


Site B (secondary, new network, x550e) Drop in Mode
Subnet x.x.64.128/27
Trusted Int x.x.64.130
Gateway x.x.64.129
DHCP active for subnet
BOVPN Configurations:
Local Gateway x.x.64.130
Remote Gateway x.x.11.40
Gateway ID x.x.11.40
Same Pre-Shared Key
Default Phase1 settings, Except checked IKE Keep-Alive
Tunnel Settings:
Local: x.x.64.128/27
Remote: x.x.11.0/26
Default Phase2 settings
Policy: Any: SiteA
Policy: SiteA: Any

I've never done this before, so any feedback or suggestions would be greatly appreciated. Currently siteB is connected to SiteA via VLAN which is being discontinued (this is the reason for the second firewall and subnet) and they are on the same subnet x.x.11.0/25. I've been told that the interface at siteB has a secondary gateway of x.x.64.129 so I can move the users over at my convenience. Am I correct in assuming that all I have to do is drop in the new firewall and have it point to the new gateway and things will work?

Question by:futureman0
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 24122817
The settings look good; the tunnel should come up when deployed.

For drop-in mode: you should choose it if you wish the FB not to do NAT and all the devices behind the FB would have public IPs on them.

Please let me know if you need more details.

Thank you.

Author Comment

by:futureman0
ID: 24129961
dpk wal -

Yes, all IP addresses are public. This is at a university and they give them away like candy on Halloween :)

I'll report back once I get a chance to try it in the next couple of days. Thanks for the assistance.
LVL 32

Expert Comment

by:dpk_wal
ID: 24130822
Welcome, please update whenever you set the boxes up. Also, if for some reason the tunnel does not come up, please post some sanitized logs which would help with troubleshooting.

Thank you.

Author Comment

by:futureman0
ID: 24181559
I tested out the firewall configurations today. Initially I thought it was successful, but once I did ipconfig /flushdns on the laptop I was using it became apparent DNS was not working from the remote site. The tunnel did come up automatically, so this has to be a configuration mistake.

I could ping by IP address workstations/servers on the main location but not by host name. Also I could not open up Windows shares by IP from the remote to the main office. Any ideas? Things got interrupted due to an emergency issue that came about during the test window. I was also able to RDP by IP from remote to main office too.
LVL 2

Expert Comment

by:bzumwalt
ID: 24181874
Sounds like your tunnel is working then. The issue you are having now is DNS. Are these Active Directory networks at each location? More than likely SiteA's DNS does not have any records for SiteB and vice versa so there is no way for them to resolve each other.

Now if you are at SiteB and use SiteA's DNS servers and try to ping SiteA's hosts by name it should work then and vice versa.

-Brandon
LVL 32

Expert Comment

by:dpk_wal
ID: 24182028
Do you have local DNS servers at both locations? After doing /flushdns things didn't work. At the DHCP server, which DNS is configured? Also, did you use the policy wizard to create policies for the tunnel or create them manually?

Please provide details.

Thank you.

Author Comment

by:futureman0
ID: 24205854
dpk wal -

No, the only DNS servers are at the main office (SiteA), none at the branch office (SiteB). I'm using the DHCP server on the Firebox x550e at SiteB and it is configured to use DNS servers of x.x.11.62 and x.x.11.61 (at SiteA) with a gateway of x.x.64.128. Policies were created during the BOVPN setup to allow "ANY" traffic outbound and inbound for the other branch location.

bzumwalt -

No, only SiteA has an AD network, but SiteB needs access to all servers in SiteA and also has a couple of workstations that are on the shared domain between the two.

Thanks for your assistance!
LVL 32

Expert Comment

by:dpk_wal
ID: 24208517
Can you do a test:
From any machine at site B, first check that the DNS server address is indeed the IP of the site-A servers (use ipconfig /all). Once sure, try to resolve the name of any internal machine (you can ping any internal host by name); if this does not work, then try the following command:
nslookup machine-name <siteA-DNS-server-ip-address>

As you have ANY service between the subnets, all traffic should be allowed through the tunnel. Also, please enable logging on the service and see if you see any logs in traffic monitor for allowed/denied entries.

Please update on the results.

Thank you.
LVL 2

Expert Comment

by:bzumwalt
ID: 24208658
All you need to do is use SiteA's DNS server in one of SiteB's DNS entries, i.e. put SiteA's DNS server address in the TCP/IP entries on a workstation and then I bet you can ping by name.

A lot of times I will install a WINS server at the main location so that remote sites can resolve NETBIOS names if that is necessary.

-Brandon

Author Comment

by:futureman0
ID: 24279504
Update - I'm scheduling 2nd test next week. It takes awhile to get the green light from the network admins.

Do you have any suggestions for how I go about testing the connection this time?
LVL 2

Expert Comment

by:bzumwalt
ID: 24279628
Sorry, I just re-read my post; I was not very clear. When you are on SiteB put in the DNS server of SiteA in one of your workstations' network cards. Just use SiteA's DNS and no other. Also make sure your VPN is active at the time and you can ping across the tunnel to each side. You should then be able to resolve SiteA's hostnames at SiteB by using SiteA's DNS information on the workstation you are testing from.

-Brandon
LVL 32

Expert Comment

by:dpk_wal
ID: 24281597
One more thing you can try is putting the names in the hosts file on the local machine; this would be a tedious task to do on hundreds of machines.

ipconfig and nslookup results would get lots of details for us.

Thank you.

Author Comment

by:futureman0
ID: 24338454
At long last the BOVPN is now set up and appears to be fully functional. The problem I found out was that I forgot about the local firewall policies on the servers/domain controllers that only allowed traffic from x.x.11.0/25; once I allowed the new subnet everything started working. I've since updated the group policy for the firewall settings and all servers appear to be functioning normally with Site B.

One more quick question, because of the new subnet should I make a second reverse lookup zone for it on the DNS servers?
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 24338528
It would be a good idea; you would be able to resolve host names for the new subnet using the same DNS server.
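An added consistency check (not code from the thread or from WatchGuard) covering two points raised above: the two BOVPN endpoint definitions in the question, whose tunnel routes should mirror each other, and the final finding that the servers' host firewall rules were scoped to the old subnet only. The thread masks its public addresses as x.x.11.0/25 and x.x.64.128/27; the literal addresses below are constructed stand-ins from the documentation ranges, and the dictionary keys and function names are the example's own.

```python
import ipaddress

# Constructed stand-ins for the thread's masked public addresses
# (x.x.11.0/25 -> 198.51.100.0/25, x.x.64.128/27 -> 203.0.113.128/27).
SITE_A = {
    "name": "SiteA", "subnet": "198.51.100.0/25",
    "local_gw": "198.51.100.40", "remote_gw": "203.0.113.130",
    "remote_id": "203.0.113.130",
    "tunnel_local": "198.51.100.0/25", "tunnel_remote": "203.0.113.128/27",
}
SITE_B = {
    "name": "SiteB", "subnet": "203.0.113.128/27",
    "local_gw": "203.0.113.130", "remote_gw": "198.51.100.40",
    "remote_id": "198.51.100.40",
    "tunnel_local": "203.0.113.128/27",
    "tunnel_remote": "198.51.100.0/26",  # /26 as posted, while SiteA is a /25
}
# Constructed: remote-address scope of the servers' host firewall rules before the fix.
SERVER_FW_SCOPES = ["198.51.100.0/25"]

def net(s):
    return ipaddress.ip_network(s, strict=True)

def check_pair(a, b):
    """Cross-check both directions: each side's remote gateway and gateway ID
    must be the peer's local gateway, and each side's local tunnel route must
    mirror the peer's remote tunnel route (phase 2 selectors)."""
    findings = []
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_address(x["remote_gw"]) != ipaddress.ip_address(y["local_gw"]):
            findings.append(f"{x['name']} remote gateway {x['remote_gw']} is not {y['name']}'s local gateway")
        if x["remote_id"] != y["local_gw"]:
            findings.append(f"{x['name']} gateway ID {x['remote_id']} is not {y['name']}'s local gateway")
        if net(x["tunnel_local"]) != net(y["tunnel_remote"]):
            findings.append(f"{x['name']} local route {x['tunnel_local']} != {y['name']} remote route {y['tunnel_remote']}")
    return findings

def uncovered_by_selector(peer_subnet, selector):
    """Peer hosts that a too-narrow remote route leaves outside the tunnel;
    traffic to them goes to the default gateway instead of through the VPN."""
    peer, sel = net(peer_subnet), net(selector)
    if peer.subnet_of(sel):
        return []                        # route covers the whole peer subnet
    if sel.subnet_of(peer):
        return list(peer.address_exclude(sel))
    return [peer]                        # disjoint CIDR blocks: nothing is covered

def host_scope_allows(scopes, client_subnet):
    """True only if some host-firewall rule scope contains the whole client subnet."""
    return any(net(client_subnet).subnet_of(net(s)) for s in scopes)
```

With the values as posted, the only finding is the /25 versus /26 route mismatch, which leaves 198.51.100.64/26 (the upper half of SiteA) outside the tunnel from SiteB, and the old host-firewall scope does not admit SiteB's subnet until it is added.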