x550e WatchGuard VPN BOVPN Initial Setup

Posted on 2010-11-08
Last Modified: 2012-05-10
Hi,

I would like to create a VPN from our office to our firewall. I need help with this process, as I've looked at the manual and searched through the WG forums but found nothing that could help. For the testing (before giving it to a client for commercial use), we shall be connecting from a Netgear firewall in the office.

I assume I need to set up a new Gateway Endpoint, but would like to know precisely what details I require for the "local gateway" (this only has a pull-down menu of the external IP of the firewall and 192.168.0.1), "remote gateway" and "gateway ID", please.

In addition to this, I assume I'll need to set up a firewall policy, IPSec? I've created one from our office IP to Any-BOVPN; is this right?

Do I also need to check "Enable IPSec Pass-through" under the global "VPN Settings" section too?
If there is anything else I’ve missed, could you also please point this out.

Thanks in advance.
Question by:jammy-d0dger
28 Comments
 
LVL 9

Expert Comment

by:Brian
ID: 34085920
In your WatchGuard Policy Manager:
1. Create a new Gateway
2. Put in your PreShared Key and add your endpoints. Your Local gateway is your external IP and the remote gateway is the other external IP.
3. Everything else, take the defaults
4. Back in the Policy Manager, Create a new Tunnel
5. Choose the gateway you just created
6. Put in your local address in slash notation with the last octet being 0
    Example 192.168.1.0/24 for the local and 192.168.2.0/24 for the remote
7. The check mark at the bottom will auto create the policies you need.
8. Save the config to your Firebox

On your NetGear:
9. Set up an IPSec tunnel with the same preshared key as above.
10. Test by pinging the other router and then try passing other traffic

You may end up needing to enable broadcast routing over the tunnel and/or multi-cast over the tunnel. That will depend on a number of factors about your setup and usage.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34089887
Few questions:
1. Which version of WG software are you running, and which model of WG device do you have?
2. Do you wish to allow remote users access to resources through VPN, or do you wish to allow a remote site connectivity to resources behind your firewall?
3. Depending on 2: if remote users, then you would configure PPTP [called RUVPN in WG; Windows-based client] or IPSec [called MUVPN in WG; specific IPSec client to be installed on every remote host]; or for site-to-site, a branch office VPN tunnel [BOVPN].
4. If the Netgear router is sitting behind WG and is on the trusted network, you would not be able to test remote user VPN connectivity; you should have the Netgear on some other internet connection to test VPN [be it BOVPN or RUVPN or MUVPN].

Please provide details so we can assist further.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34091185
1) Fireware 10.2.10  - x550e (rack of servers at a datacentre).
2) We intend to allow a client to connect to one of our servers, on certain ports only (MSSQL) only, via VPN.
3) We initially setup a MUVPN for them and they replied asking for a site-to-site IPSEC VPN.
4) The Netgear is in our office, a separate location/network entirely from the datacentre.
Note: As far as I'm aware, they will not be using a WG product their end.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34091508
As detailed in the first post by washburnma; please follow the instructions; additionally look at link below:
http://watchguard.custhelp.com/app/answers/detail/a_id/16/kw/BOVPN

Please update if you need more details.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34092405
Thanks for the help so far guys.
I've set up a Gateway Endpoint as instructed. As for the "gateway ID", is that also set to the external IP of our office?
For the local and remote network IPs in the tunnel setup, I've got 192.168.1.0/24 for local, our office network, but for the remote, does that need to be the network IP for the VLAN that the server lies on?
The rules were created automatically as described and I've not touched them.
The Netgear isn't connecting for whatever reason, and the really helpful logs just show this:
initiating Main Mode
STATE_MAIN_I1: retransmission; will wait 20s for response
max number of retransmissions (4861780) reached .  No response (or no acceptable response) to our first IKE message


netgear-grab.jpg
 

Author Comment

by:jammy-d0dger
ID: 34092525
Just noticed that the Netgear defaults to Group 2 and the WG is on Group 1. So I've changed the Netgear to 1, and now the log shows something different.....so close now I'm sure....  :-)
Sat, 2000-01-01 00:01:01 - [Datacentre]added connection description "Datacentre"
Sat, 2000-01-01 00:01:01 - adding interface ipsec0/nas0 officeIP:500
Tue, 2010-11-09 12:40:07 - [Datacentre] initiating Main Mode
Tue, 2010-11-09 12:40:07 - [Datacentre] ISAKMP SA established
Tue, 2010-11-09 12:40:07 - [Datacentre] Dead Peer Detection (RFC 3706): enabled
Tue, 2010-11-09 12:40:17 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 20s for response
Tue, 2010-11-09 12:40:37 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 40s for response
Tue, 2010-11-09 12:40:47 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 20s for response
Tue, 2010-11-09 12:41:07 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 40s for response
Tue, 2010-11-09 12:41:17 - [Datacentre] max number of retransmissions (4861988) reached .  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
 
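A small classifier for these Netgear IKE log excerpts, added here as an example (not from the thread, WatchGuard or Netgear): it tells a Phase 1 failure (no reply to the first IKE message, as in the earlier DH group mismatch) apart from a Phase 2 failure (ISAKMP SA up, Quick Mode rejected, as in the log above), which is the first question to settle before comparing settings. The "IPsec SA established" success marker is an assumed Openswan-style string; the failure strings are taken from the logs posted.

```python
import re

# Sample excerpts, constructed to mirror the Netgear log lines posted in this thread.
PHASE1_FAIL = """\
initiating Main Mode
STATE_MAIN_I1: retransmission; will wait 20s for response
max number of retransmissions (4861780) reached .  No response (or no acceptable response) to our first IKE message
"""
PHASE2_FAIL = """\
Tue, 2010-11-09 12:40:07 - [Datacentre] initiating Main Mode
Tue, 2010-11-09 12:40:07 - [Datacentre] ISAKMP SA established
Tue, 2010-11-09 12:40:17 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 20s for response
Tue, 2010-11-09 12:41:17 - [Datacentre] max number of retransmissions (4861988) reached .  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
# Assumed success marker (Openswan-style wording); the thread never shows a working log.
TUNNEL_UP = """\
Wed, 2010-11-10 11:15:58 - [Datacentre] ISAKMP SA established
Wed, 2010-11-10 11:15:59 - [Datacentre] IPsec SA established
"""


def diagnose_ike(log_text):
    """Classify an IKEv1 log excerpt.

    Returns (stage, hint); stage is one of 'up', 'phase1', 'phase2', 'unknown'.
    """
    isakmp_up = "ISAKMP SA established" in log_text
    ipsec_up = "IPsec SA established" in log_text
    main_retx = re.search(r"STATE_MAIN_I\d: retransmission", log_text) is not None
    quick_retx = re.search(r"STATE_QUICK_I\d: retransmission", log_text) is not None
    no_dpd = "not enabled because peer did not advertise it" in log_text

    if ipsec_up:
        return "up", "Phase 1 and Phase 2 negotiated; if traffic still fails, look at routing and policies"
    if isakmp_up and quick_retx:
        hint = ("Phase 1 OK but Quick Mode got no acceptable reply: compare the Phase 2 proposal "
                "(ESP/AES/3DES/SHA1) and the local/remote tunnel subnets on both ends")
        if no_dpd:
            hint += "; the peer not advertising DPD is harmless here"
        return "phase2", hint
    if not isakmp_up and main_retx:
        return "phase1", ("no reply to the first IKE message: peer unreachable, UDP/500 filtered, "
                          "or a Phase 1 proposal / DH group mismatch")
    return "unknown", "no recognised IKE state markers"
```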
 

Author Comment

by:jammy-d0dger
ID: 34092559
If any screenshots of any particular settings would be of use, please shout.
 
LVL 9

Expert Comment

by:Brian
ID: 34093483
The WatchGuard should have the remote LAN IP of the VLAN you want to have the VPN tunnel pass traffic with. So I believe yes, the VLAN your server is on.

From looking at the screenshot of the NetGear, I believe the default algorithms are different on the WatchGuard. Check under the Tunnel and Gateway settings in the WatchGuard and compare to the NetGear.

I did not see in the NetGear screen shot where the remote external IP address is set. There should be something under "Remote Identity Type and Data" unless that is on a separate screen.
 

Author Comment

by:jammy-d0dger
ID: 34093533
Is that not "Remote VPN Endpoint" at the top of the settings?  It's currently set to use a FQDN, (blacked out).
 
LVL 9

Expert Comment

by:Brian
ID: 34093929
I see now. If you are using the domain name to identify the remote site, does an nslookup of the domain name come back with the same IP as the remote IP in the WatchGuard?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34098902
Change the Remote VPN endpoint to IP Address on Netgear; and specify WG public IP there and then update [assumption: your WG has public IP on external interface].

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34100060

I have changed the VPN Endpoint to Fixed IP address on the Netgear instead of fully qualified domain name. Like before, it seems to connect....and then times out?

Wed, 2010-11-10 08:59:00 - [Datacentre]added connection description "Datacentre"
Wed, 2010-11-10 08:59:00 - adding interface ipsec0/nas0 office public IP:500
Wed, 2010-11-10 08:59:15 - [Datacentre] initiating Main Mode
Wed, 2010-11-10 08:59:16 - [Datacentre] ISAKMP SA established
Wed, 2010-11-10 08:59:16 - [Datacentre] Dead Peer Detection (RFC 3706): enabled
Wed, 2010-11-10 08:59:26 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 20s for response
Wed, 2010-11-10 08:59:46 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 40s for response
Wed, 2010-11-10 09:00:26 - [Datacentre] max number of retransmissions (4861988) reached .  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
 
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34100644
Can you check that dead peer detection [DPD] is present and enabled on both ends; otherwise disable DPD and check. Also, post sanitized screenshots of both Netgear and WG VPN configuration.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34100858
There is no visible setting for that in the Netgear, but when I disable it on the WG, this occurs:
 

Wed, 2010-11-10 11:15:58 - [Datacentre] initiating Main Mode
Wed, 2010-11-10 11:15:58 - [Datacentre] ISAKMP SA established
Wed, 2010-11-10 11:15:58 - [Datacentre] Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Wed, 2010-11-10 11:16:08 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 20s for response
Wed, 2010-11-10 11:16:28 - [Datacentre] STATE_QUICK_I1: retransmission; will wait 40s for response
Wed, 2010-11-10 11:17:08 - [Datacentre] max number of retransmissions (4861988) reached .  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
 
Please find attachments as requested.

edit-gateway-Capture.JPG
edit-gateway-endpoints-Capture.JPG
edit-gateway-phase1-Capture.JPG
edit-tunnel-Capture.JPG
edit-tunnel-phase2-Capture.JPG
edit-tunnel-route-Capture.JPG
Netgear-Capture.JPG
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34108634
On Netgear:
Change remote to subnet IP and specify 192.168.3.0/24 [if this is not what you wish then change on WG to single IP for local subnet under tunnel addresses].

If the tunnel still does not come up; then in WG under tunnel settings, Phase 2 Settings; IPSec proposals; change from ESP-AES-SHA1 to SHA1-3DES.

Please implement and update.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34110397
I think these screenshots tell the story  :-)  THANKS A LOT!
I am 99.9% there now....just need to get my head around the way that the policies now work. If I were to want to RDP to an existing server, say 192.168.3.100 from the office 192.168.1.0/24, what would be the syntax of the policy please?
I've still only got the WG generated ones (in the picture) thus far.

hooray-.jpg
WG-hooray-.jpg
bovpn-policy.jpg
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34110608
The tunnel is up; the only strange thing is, the WG side reports sent as zero bytes; the policies on WG all look good [generic policies are ANY policies allowing traffic on all ports/protocols].
I am assuming that the machines behind WG are using the WG internal IP as default gateway and you do not have any other device on the network with the 192.168.1.0/24 subnet, so that packets are not getting routed over that device instead of the VPN tunnel.

If you were to do:
traceroute 192.168.1.1
on any machine behind WG; it should send packet to WG internal IP for further routing.

Please check and update.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34110673
The servers all have internal addresses. For example the machine I ran this tracert on is 192.168.3.105 with g/w 192.168.3.1.
There is a VLAN though, 192.168.1.1/24, so as I understand it, all traffic back is being routed to that and not the office? Would that mean I need to change the network IP in the office to a network NOT being used on the WG?
 

tracert-wg.JPG
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34110704
As in the screenshot; the gateway for traffic is 192.168.1.1 [something on LAN]; rather than WG internal IP; if possible set Netgear to say 192.168.5.0/24 [something which is not used on your internal network behind WG at all]; then the traffic should get routed over VPN.

Thank you.
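The routing trap dpk_wal describes (an office subnet that also exists as a VLAN behind the WatchGuard, so return traffic goes to the local VLAN and never enters the tunnel) can be caught before the tunnel is built. The check below is an added example, not from the thread or from WatchGuard; the subnet list is constructed from the addresses mentioned in the discussion.

```python
import ipaddress

# Subnets routed inside the datacentre behind the WatchGuard, as described in the thread:
# the server VLAN plus a second VLAN that happened to use 192.168.1.x (constructed list).
WG_SIDE_SUBNETS = ["192.168.3.0/24", "192.168.1.1/24"]


def overlapping_subnets(local_subnets, remote_subnet):
    """Return the WG-side subnets that overlap the remote (office) tunnel network.

    strict=False accepts a host-style entry such as '192.168.1.1/24', as the VLAN was
    written in the thread, and normalises it to its network address.
    """
    remote = ipaddress.ip_network(remote_subnet, strict=False)
    return [
        str(ipaddress.ip_network(s, strict=False))
        for s in local_subnets
        if ipaddress.ip_network(s, strict=False).overlaps(remote)
    ]


def choose_office_subnet(local_subnets, candidates):
    """Pick the first candidate office subnet that collides with nothing behind the WG.

    Returns None if every candidate overlaps; a tunnel remote network must never be
    routed locally on the far side, or replies bypass the VPN.
    """
    for cand in candidates:
        if not overlapping_subnets(local_subnets, cand):
            return cand
    return None


if __name__ == "__main__":
    # The office originally used 192.168.1.0/24, which clashes with the VLAN.
    print(overlapping_subnets(WG_SIDE_SUBNETS, "192.168.1.0/24"))
    # 192.168.5.0/24, the range suggested in the thread, is free on the WG side.
    print(choose_office_subnet(WG_SIDE_SUBNETS,
                               ["192.168.1.0/24", "192.168.3.0/24", "192.168.5.0/24"]))
```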
 

Author Comment

by:jammy-d0dger
ID: 34110741
Thanks!
Just before I do this, the local IP range I have in the tunnel (192.168.3.0/24) also exists at the datacentre. I chose this range because this is the network I wish to have access to. Is this incorrect, should it again be another network range that is not used?
Cheers.
 

Author Comment

by:jammy-d0dger
ID: 34110760
And any access to anything is entirely configured through the policies as per usual..........?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34110807
As you wish to allow access to subnet 192.168.3.0/24 behind WG from another location through IPSec site-to-site VPN tunnel; yes, you would have local IP range as 192.168.3.0/24 on WG [if there are more subnets, then you should add multiple tunnels on the same gateway].

Yes, by default ANY service allows traffic on ALL ports/protocols.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34111038
Arrrrrgh, must be so close to sorting this. Now a tracert goes to the local gateway 192.168.3.1 but not further, it seems.
There are sent bytes on the WG. A tracert from the office to 192.168.3.1 does not change the received bytes however  :-(
I did mention earlier I think, but there is a global VPN setting for
[   ]  Enable IPSec Pass-through
which is currently unticked.

FSM.jpg
new-tracert.JPG
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34118085
Can you check, if you were to tracert from the Netgear side, that the packets are following the correct path back; if not, please make amendments.

Also, if needed on Netgear you have policies to allow traffic in/out of the tunnel.

Thank you.
 

Author Comment

by:jammy-d0dger
ID: 34119404
Here is the tracert from the office side. There is no direct option for allowing traffic through VPN. And by default, these Netgears allow ALL outgoing traffic unless specified otherwise.

office-tracert.jpg
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 34133504
All settings look good to me; can you check that the end hosts do not have any personal firewall on them which might be blocking the traffic?
Other than this I do not think anything else is wrong in the configuration.

Thank you.
 

Author Closing Comment

by:jammy-d0dger
ID: 34238596
Many thanks for all your help. Got there in the end.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 34238959
Happy to be of assistance.