Solved

Watchguard Firebox and VPN Routing

Posted on 2012-03-26
5
720 Views
Last Modified: 2012-07-01
I have two offices each with a Firebox firewall running XTM. Each office has its own internet service provider/internet access. I have a vpn connection between offices that goes over the internet and links the private/trusted networks.

Let us say my Firebox ip's are setup as

Office 1
External Internet IP 105.105.105.5, External Internet Gateway 105.105.105.1
Private/Trusted network 192.168.111.0/24

Office 2
External Internet IP 205.205.205.5, External Internet Gateway 205.205.205.1
Private/Trusted network 192.168.222.0/24

VPN 192.168.111.0/24 <==> 192.168.222.0/24

I have my VPN gateway endpoints now set at 105.105.105.5 and 205.205.205.5, the public ip of the Fireboxes

Now, I have setup a point to point private connection between the two offices using two wireless access points. The Firebox only allows External interfaces to be VPN gateway endpoints.

1) How should I setup the ip's on the wireless access points and on the Firebox so that the access points can be used as  VPN gateway endpoints?

2) How can I route internet, non-vpn, traffic through the access points so they can be used as a secondary/backup internet connection if the internet service provider's line goes down at an office?

Thank you for your help
0
Comment
Question by:mmcodefive
  • 3
  • 2
5 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37771646
Enable multi WAN which would help you achieve both 1 and 2 above.

Have a look at link:
http://customers.watchguard.com/articles/Article/3033

Please implement and update.

Thank you.
0
 
LVL 6

Author Comment

by:mmcodefive
ID: 37772342
Multi-wan is if  I had two connections with internet access at each office. I have only one connection at each office that has internet. The second conneciton is point to point between each office, no internet.

If I do a multi-wan setup I have to setup a route from the point to point connection out to the internet on the firebox that is accepting the packets.

Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two. I need to know how then to route those packets out to the internet. Basically an external to external policy on firebox two that does not affect the existing VPN.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37777737
>> Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two.

Once packets reach firewall at office two; configure a policy as:
Enabled and Allowed
From 192.168.111.0/24; to Any-external, 192.168.222.0/24

Firebox at office two would do dynamic NAT automatically as it would have entry for 192.168.0.0/16.

Please implement and update.

Thank you.
0
 
LVL 6

Accepted Solution

by:
mmcodefive earned 0 total points
ID: 37844305
The solution is to use dynamic routes. I am working with Watchguard support on the issue. They have some directions on how to do this that are similar to what I want to do.

http://www.watchguard.com/help/docs/wsm/11-XTM/en-US/Content/en-US/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
0
 
LVL 6

Author Closing Comment

by:mmcodefive
ID: 38142471
The solution to this setup is documented in the link above.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now