futureman0
BOVPN between Firebox Core x550e and x1250e

I'm setting up a BOVPN between two Watchguard core firewalls. Before I installed the x550 at siteB I wanted to verify the settings. See below for the breakdown for each site. These are public class B subnets, no NAT.

Site A (primary, original network, x1250e) Drop in Mode
Subnet  x.x.11.0/25
Trusted Int x.x.11.40
Gateway x.x.11.1
No DHCP, DHCP handled by Windows server
BOVPN Configurations:
Local Gateway  x.x.11.40
Remote Gateway x.x.64.130
Gateway ID  x.x.64.130
Same Pre-Shared Key
Default Phase1 settings, Except checked IKE Keep-Alive
Tunnel Settings:
Local: x.x.11.0/25
Remote x.x.64.128/27
Default Phase2 settings
Policy: Any: SiteB
Policy: SiteB: Any


Site B (secondary, new network, x550e) Drop in Mode
Subnet x.x.64.128/27
Trusted Int x.x.64.130
Gateway x.x.64.129
DHCP active for subnet
BOVPN Configurations:
Local Gateway x.x.64.130
Remote Gateway x.x.11.40
Gateway ID x.x.11.40
Same Pre-Shared Key
Default Phase1 settings, Except checked IKE Keep-Alive
Tunnel Settings:
Local: x.x.64.128/27
Remote: x.x.11.0/26
Default Phase2 settings
Policy: Any: SiteA
Policy: SiteA: Any

I've never done this before, so any feedback or suggestions would be greatly appreciated.  Currently siteB is connected to SiteA via a VLAN which is being discontinued (this is the reason for the second firewall and subnet) and both are on the same subnet x.x.11.0/25. I've been told that the interface at siteB has a secondary gateway of x.x.64.129 so I can move the users over at my convenience. Am I correct in assuming that all I have to do is drop in the new firewall and have it point to the new gateway and things will work?
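As an added check that is not part of the thread, the following Python script lays out both endpoints exactly as listed above and verifies that the Phase 1 peer addresses and the Phase 2 local/remote networks mirror each other. The first two octets, masked as x.x in the question, are replaced by a constructed 172.16 prefix so the script runs offline.

```python
import ipaddress

# Both endpoints as the asker lists them. The page masks the first two
# octets as "x.x"; 172.16 is a constructed stand-in so the check runs offline.
SITE_A = {
    "name": "SiteA", "subnet": "172.16.11.0/25", "trusted": "172.16.11.40",
    "local_gw": "172.16.11.40", "remote_gw": "172.16.64.130",
    "gateway_id": "172.16.64.130",
    "tunnel_local": "172.16.11.0/25", "tunnel_remote": "172.16.64.128/27",
}
SITE_B = {
    "name": "SiteB", "subnet": "172.16.64.128/27", "trusted": "172.16.64.130",
    "local_gw": "172.16.64.130", "remote_gw": "172.16.11.40",
    "gateway_id": "172.16.11.40",
    "tunnel_local": "172.16.64.128/27", "tunnel_remote": "172.16.11.0/26",
}

def check_endpoint(site):
    """One-sided checks: interface and tunnel route agree with the site's subnet."""
    net = ipaddress.ip_network(site["subnet"])
    trusted = ipaddress.ip_address(site["trusted"])
    findings = []
    if trusted not in net or trusted in (net.network_address, net.broadcast_address):
        findings.append(f"{site['name']}: trusted interface {trusted} is not a host in {net}")
    if ipaddress.ip_network(site["tunnel_local"]) != net:
        findings.append(f"{site['name']}: tunnel local route differs from subnet {net}")
    return findings

def check_pair(a, b):
    """Phase 1 peer addresses and Phase 2 selectors must mirror each other exactly."""
    findings = check_endpoint(a) + check_endpoint(b)
    for x, y in ((a, b), (b, a)):
        if x["remote_gw"] != y["local_gw"]:
            findings.append(f"{x['name']}: remote gateway != {y['name']} local gateway")
        if x["gateway_id"] != x["remote_gw"]:
            findings.append(f"{x['name']}: gateway ID != remote gateway (IP-address ID)")
        # A /25 on one side and a /26 on the other is not "close enough": the
        # Phase 2 proposal will not match, or traffic outside the overlap is dropped.
        if ipaddress.ip_network(x["tunnel_remote"]) != ipaddress.ip_network(y["tunnel_local"]):
            findings.append(f"{x['name']}: tunnel remote {x['tunnel_remote']} != "
                            f"{y['name']} tunnel local {y['tunnel_local']}")
    return findings

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["no mismatches found"]:
        print(line)
```

Run against the configuration as posted, it flags exactly one thing: SiteB's tunnel remote network is x.x.11.0/26 while SiteA's local network is x.x.11.0/25.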

ASKER CERTIFIED SOLUTION
dpk_wal

futureman0 (ASKER):

dpk wal -

Yes, all IP addresses are public. This is at a university and they give them away like candy on Halloween :)

I'll report back once I get a chance to try it in the next couple of days. Thanks for the assistance.

Welcome, please update whenever you set the boxes up. Also, if for some reason the tunnel does not come up, please post some sanitized logs which would help with troubleshooting.

Thank you.

I tested out the firewall configurations today. Initially I thought it was successful, but once I did ipconfig /flushdns on the laptop I was using it became apparent DNS was not working from the remote site. The tunnel did come up automatically, so this has to be a configuration mistake.

I could ping by IP address workstations/servers on the main location but not by host name. Also I could not open up Windows shares by IP from the remote to the main office. Any ideas? Things got interrupted due to an emergency issue that came about during the test window. I was also able to RDP by IP from remote to main office too.

Sounds like your tunnel is working then. The issue you are having now is DNS. Are these Active Directory networks at each location? More than likely SiteA's DNS does not have any records for SiteB and vice versa so there is no way for them to resolve each other.

Now if you are at SiteB and use SiteA's DNS servers and try to ping SiteA's hosts by name it should work then and vice versa.

-Brandon

Do you have local DNS servers at both locations; after doing /flushdns things didn't work. At the DHCP server, which DNS is configured? Also, did you use the policy wizard to create policies for the tunnel or create them manually?

Please provide details.

Thank you.

dpk wal -

No, only DNS servers are at the main office (SiteA), none at the branch office (SiteB). I'm using the DHCP server on the Firebox x550e at SiteB and it is configured to use DNS servers of x.x.11.62 and x.x.11.61 (at SiteA) with a gateway of x.x.64.128. Policies were created during the setup for the BOVPN setup to allow "ANY" traffic outbound and inbound for the other branch location.

bzumwalt -

No, only SiteA has an AD network, but SiteB needs access to all servers in SiteA and also has a couple of workstations that are on the shared domain between the two.

Thanks for your assistance!

Can you do a test:
From any machine at site B, first check that the DNS server address is indeed the IP of the site-A servers (use ipconfig /all). Once sure, try to resolve the name of any internal machine (you can ping any internal host by name); if this does not work, then try the following command:
nslookup machine-name <siteA-DNS-server-ip-address>

As you have ANY service between the subnets, all traffic should be allowed through the tunnel. Also, please enable logging on the service and see if you see any logs in traffic monitor for allowed/denied entries.

Please update on the results.

Thank you.
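To make the ipconfig /all step above checkable, here is an added example that is not part of the thread: it parses a constructed ipconfig /all excerpt from a SiteB workstation, confirms the DNS servers are the SiteA ones (so DNS queries must cross the tunnel), and confirms the default gateway is a usable host in the SiteB subnet. 172.16 stands in for the masked x.x octets, and the gateway value is the one reported for the x550e DHCP scope earlier in the thread.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt from a SiteB workstation. The page
# masks the first two octets as "x.x"; 172.16 is a stand-in. The gateway
# is the value the asker reports for the x550e DHCP scope.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 172.16.64.140
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 172.16.64.128
   DNS Servers . . . . . . . . . . . : 172.16.11.62
                                       172.16.11.61
"""

def parse_ipconfig(text):
    """Map each 'Label . . : value' line to a list; bare continuation lines
    (extra DNS servers) are appended to the preceding label."""
    cfg, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 -]+?)[ .]*: (\S+)", line)
        if m:
            last = m.group(1).strip()
            cfg.setdefault(last, []).append(m.group(2))
        elif last and line.strip():
            cfg[last].append(line.strip())
    return cfg

def check_client(cfg, local_subnet, remote_subnet):
    """Things to rule out on a SiteB workstation before blaming the tunnel."""
    local = ipaddress.ip_network(local_subnet)
    remote = ipaddress.ip_network(remote_subnet)
    findings = []
    # Address/mask the client actually got must describe the SiteB subnet.
    got = ipaddress.ip_network(f"{cfg['IPv4 Address'][0]}/{cfg['Subnet Mask'][0]}", strict=False)
    if got != local:
        findings.append(f"client is in {got}, expected {local}")
    # The network address (.128 in a /27) is not a usable gateway.
    gw = ipaddress.ip_address(cfg["Default Gateway"][0])
    if gw not in local or gw in (local.network_address, local.broadcast_address):
        findings.append(f"default gateway {gw} is not a usable host in {local}")
    # DNS must be the SiteA servers, i.e. reachable only through the BOVPN.
    for dns in cfg.get("DNS Servers", []):
        if ipaddress.ip_address(dns) not in remote:
            findings.append(f"DNS server {dns} is not in SiteA subnet {remote}")
    return findings

if __name__ == "__main__":
    print(check_client(parse_ipconfig(IPCONFIG_SAMPLE), "172.16.64.128/27", "172.16.11.0/25"))
```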
All you need to do is use SiteA's DNS server in one of SiteB's DNS entries, i.e. put SiteA's DNS server address in the TCP/IP entries on a workstation and then I bet you can ping by name.

A lot of times I will install a WINS server at the main location so that remote sites can resolve NETBIOS names if that is necessary.

-Brandon

Update - I'm scheduling a 2nd test next week. It takes a while to get the green light from the network admins.

Do you have any suggestions for how I go about testing the connection this time?

Sorry, I just re-read my post, I was not very clear. When you are on SiteB put in the DNS server of SiteA in one of your workstations' network cards. Just use SiteA's DNS and no other. Also make sure your VPN is active at the time and you can ping across the tunnel to each side. You should then be able to resolve SiteA's hostnames at SiteB by using SiteA's DNS information on the workstation you are testing from.

-Brandon

One more thing you can try is putting the names in the hosts file on the local machine; this would be a tedious task to do on hundreds of machines.

ipconfig and nslookup results would get lots of details for us.

Thank you.

At long last the BOVPN is now set up and appears to be fully functional. The problem I found out was that I forgot about the local firewall policies on the servers/domain controllers that only allowed traffic from x.x.11.0/25; once I allowed the new subnet everything started working. I've since updated the group policy for the firewall settings and all servers appear to be functioning normally with Site B.

One more quick question, because of the new subnet should I make a second reverse lookup zone for it on the DNS servers?
SOLUTION