  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1354

How to configure WatchGuard so two sites communicate with VPN.

My company has 2 sites. We are trying to establish a permanent connection between the two sites.
One site runs at subnet 172.27.1.0/24
and the other site at subnet 172.27.0.0/24

The first site communicates with the outside world through a router (IP 172.27.1.1).
The other site has a WatchGuard firewall (trusted interface 172.27.0.2), and one of its external interfaces has a router (192.168.0.1 255.255.255.0, gateway 192.168.0.254)
which has a permanent SSL VPN connection with the router on the other site.
The SSL VPN connection between the 2 routers is established in subnet 10.27.1.0/24.

Is it possible for the two subnets to communicate with this architecture?
I think my problem is routing all traffic through the WatchGuard, and I don't know how to do that.
Should I use NAT or something else in policies?
My WatchGuard model is XTM22 (firmware 11.4.2).

In the end I want the domain controllers in each site to ping each other with no problem.

Asked by: labricius

1 Solution
netjgrnaut commented:
I'm confused
If I've got that right, here's what you're describing:

SiteA (172.27.1.0/24)
* RouterA (172.27.1.1/24 - inside, ?.?.?.?/? - outside, 10.27.1.x/24 - vpn)

SiteB (172.27.0.0/24)
* WtchGrdB (172.27.0.2/24 - inside, 192.168.0.1 - outside)
* RouterB (192.168.0.254/24 - inside, ?.?.?.?/? - outside, 10.27.1.x/24 - vpn)

Am I getting warm?  I don't see how RouterA and RouterB are connected - is this a private link, or (I think) Internet links?

What are the default gateways of your DCs at each site?

NAT is probably not the answer.  In fact, if I understand, you want the site-to-site traffic to go *around* the WatchGuard - not through it.  This is based on my understanding that the SSL VPN is established between RouterA and RouterB - and that this VPN is up even if the WatchGuard is down.

A little more info, and I think I can help...
Brian commented:
Do you have XTM22's at each site?

Can you describe your network route in this format. Fill in the make, model and IP of each:

LAN at Site 1 > Firewall at Site 1 > Modem at Site 1 > Internet < Modem at Site 2 < Firewall at Site 2 < LAN at Site 2
labricius (Author) commented:
Ok, let me try to rephrase.

Site A
subnet 172.27.1.0/24
RouterA: LAN IP 172.27.1.1 and a dynamic IP from the ISP to connect to the Internet.
The domain controller there (dcA) has a static IP 172.27.1.10, subnet mask 255.255.255.0,
gateway 172.27.1.1 (router) and DNS 127.0.0.1

Site B
The subnet for our intranet is 172.27.0.0/24.
The WatchGuard is the gateway at IP 172.27.0.2 (trusted interface).
The WatchGuard has 4 external interfaces with 4 routers, which all establish Internet connections, and it is working in load-balancing traffic mode.
The domain controller there (dcB) has a static IP 172.27.0.10, subnet mask 255.255.255.0,
gateway 172.27.0.2 (WatchGuard) and DNS 127.0.0.1

We want to use one of these routers (routerB in our case) to make a permanent VPN connection with the router of site A. We did that using the SSL VPN protocol.
So routers A and B, apart from the IP they take from the ISP, also have another IP for the VPN so they can communicate with each other.
RouterA has the IP 10.27.1.6 and routerB has the IP 10.27.1.1.

The external interface of the WatchGuard to which routerB is connected has these settings:
192.168.0.1 255.255.255.0 gateway 192.168.0.254

So I don't want the traffic to go around the WatchGuard but through it. And yes, if the WatchGuard is down, everything is down.

When dcB in site B pings dcA, it should resolve the correct IP of dcA (172.27.1.10) and traffic should be routed through watchguard->routerB->internet vpn->routerA->dcA.
When dcA in site A pings dcB, it should resolve the correct IP of dcB (172.27.0.10) and traffic should be routed through routerA->internet vpn->routerB->watchguard->dcB.

Is it possible, and how?
We want to avoid buying a second WatchGuard for site A and establishing the VPN connection between the 2 WatchGuards.

netjgrnaut commented:
There's no reason you shouldn't be able to make this work, provided that the router-to-router VPN is up and running.  Can you ping one router's VPN interface IP from the other router?

First, leave DNS out of the mix until you've got good traffic flow.  Getting dcA to properly resolve dcB without static DNS entries (since both are using localhost as the sole DNS resolver) is a whole 'nother kettle of fish.  ;-)

Are you running any routing protocols on all this?  Let's assume not.

You'll need a static route on the WG for 172.27.1.0/24 that points to the inside interface of RouterB (which is one of four possible default routes to the Internet in your current config, if I understand your load-balancing solution correctly).

RouterB will also need this static route for 172.27.1.0/24, but pointing to RouterA's vpn interface IP address (10.27.1.6).

RouterA will need a static route for 172.27.0.0/24 that points to RouterB's vpn interface IP address (10.27.1.1).

*I'm assuming that RouterB already knows to route traffic for 172.27.0.0/24 through the WG.*  Perhaps I should ask if you have any services *behind* the WG that are accessible from the Internet (as this would indicate my assumption about routing is correct).

Now test:  (assumes that the firewall on dcA will allow ICMP in/out from more than just the local subnet)...

Can you ping the IP of dcA from RouterB?  If so, your static routes over the VPN are working.
Can you ping the IP of dcA from the WG?  If so, your static routes from the WG to the VPN are working.
Can you ping the IP of dcA from *behind* the WG (for example, from dcB)?  If not (and I'm betting not), you'll need to allow exceptions on the WG for traffic to/from 172.27.0.0/24 <-> 172.27.1.0/24.

Let's see how far that gets you...

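As an added illustration (not from the thread, and not anyone's actual configuration), the static routes netjgrnaut lists above, modelled as per-hop longest-prefix-match tables so you can trace each direction's path and see what happens when one static route is missing. Hop names (dcB, WG, RouterB, RouterA, dcA) and the "Internet" default are a constructed model of the topology described in the question.

```python
import copy
import ipaddress

# Constructed model of the thread's topology (not the poster's real configs):
# each hop maps to a list of (prefix, next hop); "local" = directly attached.
ROUTES = {
    "dcB":     [("172.27.0.0/24", "local"), ("0.0.0.0/0", "WG")],
    "WG":      [("172.27.0.0/24", "local"), ("192.168.0.0/24", "local"),
                ("172.27.1.0/24", "RouterB"),   # static route the answer asks for
                ("0.0.0.0/0", "Internet")],     # one of the four ISP default routes
    "RouterB": [("192.168.0.0/24", "local"), ("10.27.1.0/24", "local"),
                ("172.27.0.0/24", "WG"),        # assumed: RouterB already routes the LAN via WG
                ("172.27.1.0/24", "RouterA"),   # static route over the SSL VPN (to 10.27.1.6)
                ("0.0.0.0/0", "Internet")],
    "RouterA": [("172.27.1.0/24", "local"), ("10.27.1.0/24", "local"),
                ("172.27.0.0/24", "RouterB"),   # static route over the SSL VPN (to 10.27.1.1)
                ("0.0.0.0/0", "Internet")],
    "dcA":     [("172.27.1.0/24", "local"), ("0.0.0.0/0", "RouterA")],
}

def lookup(table, dst):
    """Longest-prefix match: the most specific matching prefix wins."""
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh

def trace(routes, src, dst_ip, max_hops=8):
    """Follow next hops from src; returns (path, delivered)."""
    dst = ipaddress.ip_address(dst_ip)
    path, hop = [src], src
    for _ in range(max_hops):
        nh = lookup(routes[hop], dst)
        if nh == "local":                    # destination is on an attached subnet
            return path, True
        if nh is None or nh not in routes:   # e.g. handed to the ISP default: a
            path.append(nh or "no-route")    # private prefix is dropped out there
            return path, False
        path.append(nh)
        hop = nh
    return path, False

def without_route(routes, hop, prefix):
    """Copy of the tables with one static route missing: the failure mode to check."""
    new = copy.deepcopy(routes)
    new[hop] = [r for r in new[hop] if r[0] != prefix]
    return new
```

`trace(ROUTES, "dcB", "172.27.1.10")` walks dcB -> WG -> RouterB -> RouterA (delivered), while removing the WG's 172.27.1.0/24 route with `without_route` sends the same packet to the ISP default instead, which is exactly the symptom the ping tests above are meant to catch.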
Brian commented:
I did not see any external IP addresses listed. The 10.x.x.x addresses you listed are in the private LAN range. The firewalls will need to know the external IP address of the other. The modems you have from your ISP are not passing through the public IP, but using a different private subnet.