Create a VPN tunnel to the same private network.

Looking to find out if this scenario is possible and if so, a little nudge in the direction I should look up to implement.

I have two Offices separated by 40 miles.  Branch A and B are connected with a point-to-point fiber connection with an Ethernet hand-off.  For all intents and purposes, both offices function as one subnet.

I have MPLS Internet service in both offices.  Branch A is the only one actually connected to the Internet.  Branch B comes across the Point to Point for and goes out Branch A's default gateway(  The Internet service in Branch B is directly connected to a video camera, for now.  But that can be taken down anytime.

What I'd like to know is, is it possible, after connecting another firewall to Branch B, with a gateway of, to create a VPN tunnel to Branch A's firewall and have it work as a redundant connection in case the Point to Point ever goes down?  Configuring the network to with the secondary gateway?

Both my Firewalls are Watchguard Core series.
Any help would be appreciated,

I did this exact setup at one of my old jobs, but with Cisco routers.  What I had was two routers, each with their own private internal IP, but each also running HSRP (Hot Standby Router Protocol) where one was the primary gateway for a specific "virtual" IP address, and the other was the backup.  If the primary router went down, the backup would just take over responsibility for the virtual IP address and all traffic would go over the backup router, which connected back to the main office through a VPN tunnel (just to elaborate, the virtual IP address was the gateway address for that LAN).

If your WatchGuard firewalls can support any type of "failover" interface or the HSRP protocol then you should be able to easily do it.

Jon Snyderman Commented:
This is definitely doable except there is one big issue.  Your two sites are bridged.  If they were routed subnets, the configuration would be straightforward.  The issue is that you would not have two networks with the same IP range split by the VPN tunnel.  It would not know what to route.   WatchGuard does provide a way to deal with this (network masking), but it would not work in your case.

Your scenario, at the basic level, will work.  And we can certainly help.  But, unfortunately, the first thing that you would need to do would be to separate the two networks with routers.   Then your routing would take care of the failover.  Based on reading TheTull's response, I think that's how he was set up also.

gthmpd (Author) Commented:
Thanks for the replies, I believe I'm following you so far.

If I use the subnet of 10.0.x.x for Branch A   and 10.1.x.x for Branch B, where would I place the routers? On either side of the current Point to Point?

Jon Snyderman Commented:
Yes, exactly.  

On each network, you would have 3 devices...
A router to the point-to-point: Eth0/0 to your private LAN and Eth0/1 to your point-to-point fiber.
Firewall: Trusted to your private LAN and Untrusted to your internet router on Eth0/0.
Router to the internet: Eth0/0 to your untrusted port on the firewall and WAN port to your ISP.

Each site would have a 10.x.x.1 for your WAN router and 10.x.x.2 for the firewall.
The network would then be configured to route all traffic to 10.x.x.1.
The WAN router would route all traffic for the remote side first by the WAN port, then to the firewall if the WAN route was down.
The WAN router would route all other traffic to the firewall.   If the firewall ever sees traffic bound for the remote network, the VPN will be raised automatically.

Hope that helps a bit.
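The routing behaviour Jon describes (preferred path over the point-to-point, firewall as the fallback, everything else to the firewall) is a floating static route: two routes to the same destination, the backup carrying a worse administrative distance so it is only used while the primary is unusable. The following simulation is an added example, not configuration from the thread or from any WatchGuard/HP product; it uses the 10.0.x.x / 10.1.x.x split the asker proposed and the 10.x.x.1 (WAN router) / 10.x.x.2 (firewall) convention from the answer, while the /30 addressing on the fiber and the interface names are constructed here because the page does not give them. The HSRP gateway redundancy from TheTull's reply is a separate mechanism and is not modelled.

```python
"""Floating static route failover for Branch A's WAN router.

Added example (not from the original thread).  Assumed/constructed values:
10.0.0.0/16 Branch A LAN, 10.1.0.0/16 Branch B LAN, 10.0.0.2 Branch A
firewall, 192.168.255.0/30 on the point-to-point fiber, interface names
eth0/0 (LAN) and eth0/1 (fiber).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix in CIDR form
    next_hop: str      # address traffic is forwarded to
    interface: str     # outgoing interface; the route is usable only while it is up
    distance: int = 1  # administrative distance; lowest usable route wins


class Router:
    """Static routing table plus per-interface link state."""

    def __init__(self, name: str, routes: list[Route]) -> None:
        self.name = name
        self.routes = list(routes)
        self.link_up = {r.interface: True for r in routes}

    def set_link(self, interface: str, up: bool) -> None:
        self.link_up[interface] = up

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over routes whose interface is up;
        equal-length prefixes are decided by lowest administrative distance."""
        addr = ip_address(dst)
        usable = [r for r in self.routes
                  if self.link_up[r.interface] and addr in ip_network(r.prefix)]
        if not usable:
            return None
        return max(usable, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))


def branch_a_wan_router() -> Router:
    """Branch A WAN router as described in the answer: fiber first for
    Branch B, firewall as the floating backup, default to the firewall."""
    return Router("branchA-wan", [
        # Branch B LAN over the point-to-point fiber (constructed /30 addressing)
        Route("10.1.0.0/16", next_hop="192.168.255.2", interface="eth0/1", distance=1),
        # Same destination via the firewall, only chosen while eth0/1 is down.
        # Traffic arriving here for 10.1.0.0/16 is what makes the firewall raise the VPN.
        Route("10.1.0.0/16", next_hop="10.0.0.2", interface="eth0/0", distance=10),
        # Everything else (Internet) goes to the firewall
        Route("0.0.0.0/0", next_hop="10.0.0.2", interface="eth0/0", distance=1),
    ])


def path_for(router: Router, dst: str) -> str:
    """Return 'interface -> next_hop' chosen for dst, or 'unreachable'."""
    r = router.lookup(dst)
    return f"{r.interface} -> {r.next_hop}" if r else "unreachable"


def simulate_failover(dst: str = "10.1.0.50") -> dict[str, str]:
    """Path to a Branch B host with the fiber up, after it fails, and after it returns."""
    rtr = branch_a_wan_router()
    result = {"fiber_up": path_for(rtr, dst)}
    rtr.set_link("eth0/1", False)   # fiber fails: the floating route takes over
    result["fiber_down"] = path_for(rtr, dst)
    rtr.set_link("eth0/1", True)    # fiber restored: the preferred route wins again
    result["fiber_restored"] = path_for(rtr, dst)
    return result


if __name__ == "__main__":
    for state, path in simulate_failover().items():
        print(f"{state:15} 10.1.0.50 via {path}")
    print("Internet host via", path_for(branch_a_wan_router(), "203.0.113.9"))
```

One practical check before relying on this: a floating static route only kicks in when the router considers the primary interface down. With a carrier fiber delivered as an Ethernet hand-off, the local Ethernet link can stay up while the far end is dead, in which case the primary route never withdraws and the VPN never gets traffic. Real routers tie the primary route to a reachability probe for that reason (Cisco's IP SLA with object tracking is the common example; other vendors have equivalents), and Branch B's WAN router needs the mirror-image pair of routes for 10.0.0.0/16 so return traffic fails over the same way.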
gthmpd (Author) Commented:
It does, Thanks Jon

At the risk of exposing my knowledge (as in lack thereof) let me see if I can break this down

I'll need a total of 4 Routers and 2 firewalls?

"A router to the point-to-point: Eth0/0 to your private LAN and Eth0/1 to your point-to-point fiber."
This isn't a routed connection now, so I'm assuming eth0/1 from Branch A would have the same IP as eth0/0 in Branch B and vice versa?

My Firewall in Branch A now has our public IP on the external port and the DG on the trusted port.
I'm assuming I'll be doing Branch B the same way with the other Public IP on the External and a DG of say ??

So you're saying I also need a router between my Firewall and the ISP provided hardware?

Thanks again,

Jon Snyderman Commented:
Your first point is ALMOST right.  The two Eth0/1's would not be the same as Eth0/0.
Branch A:
Private Eth0/0 =
WAN Eth0/1 =  (First example)
Branch B:
Private Eth0/0 =
WAN Eth0/1 =

You technically have three networks.  There MAY be a way to do it with one router by putting the Branch A LAN in to Eth0/0 and the fiber from Branch B on to Eth0/1.  But I don't know if you could make the failover routing work in that scenario.

On the ISP router question, you only NEED a router between the firewall and ISP if you need one today.  In other words, if you are running broadband or FiOS, then no, you shouldn't need one.  But in a sense, their devices are acting as the router.
~Jon (me)

gthmpd (Author) Commented:
Thanks for your patience Jon,

We have broadband.

So one router off the Point to Point in each location,  where does the other router go?  Before the firewall?

Jon Snyderman Commented:
Broadband should not require an additional router, so 1 router for the WAN at each location plus the firewall at each location.

gthmpd (Author) Commented:
Ok, thanks again for everything.  I still need to get the HP routers.  Here goes nothing!
