Solved

Watchguard Firebox and VPN Routing

Posted on 2012-03-26
5
717 Views
Last Modified: 2012-07-01
I have two offices each with a Firebox firewall running XTM. Each office has its own internet service provider/internet access. I have a vpn connection between offices that goes over the internet and links the private/trusted networks.

Let us say my Firebox ip's are setup as

Office 1
External Internet IP 105.105.105.5, External Internet Gateway 105.105.105.1
Private/Trusted network 192.168.111.0/24

Office 2
External Internet IP 205.205.205.5, External Internet Gateway 205.205.205.1
Private/Trusted network 192.168.222.0/24

VPN 192.168.111.0/24 <==> 192.168.222.0/24

I have my VPN gateway endpoints now set at 105.105.105.5 and 205.205.205.5, the public ip of the Fireboxes

Now, I have setup a point to point private connection between the two offices using two wireless access points. The Firebox only allows External interfaces to be VPN gateway endpoints.

1) How should I setup the ip's on the wireless access points and on the Firebox so that the access points can be used as  VPN gateway endpoints?

2) How can I route internet, non-vpn, traffic through the access points so they can be used as a secondary/backup internet connection if the internet service provider's line goes down at an office?

Thank you for your help
0
Comment
Question by:mmcodefive
  • 3
  • 2
5 Comments
 
LVL 32

Expert Comment

by:dpk_wal
Comment Utility
Enable multi WAN which would help you achieve both 1 and 2 above.

Have a look at link:
http://customers.watchguard.com/articles/Article/3033

Please implement and update.

Thank you.
0
 
LVL 6

Author Comment

by:mmcodefive
Comment Utility
Multi-wan is if  I had two connections with internet access at each office. I have only one connection at each office that has internet. The second conneciton is point to point between each office, no internet.

If I do a multi-wan setup I have to setup a route from the point to point connection out to the internet on the firebox that is accepting the packets.

Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two. I need to know how then to route those packets out to the internet. Basically an external to external policy on firebox two that does not affect the existing VPN.
0
 
LVL 32

Expert Comment

by:dpk_wal
Comment Utility
>> Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two.

Once packets reach firewall at office two; configure a policy as:
Enabled and Allowed
From 192.168.111.0/24; to Any-external, 192.168.222.0/24

Firebox at office two would do dynamic NAT automatically as it would have entry for 192.168.0.0/16.

Please implement and update.

Thank you.
0
 
LVL 6

Accepted Solution

by:
mmcodefive earned 0 total points
Comment Utility
The solution is to use dynamic routes. I am working with Watchguard support on the issue. They have some directions on how to do this that are similar to what I want to do.

http://www.watchguard.com/help/docs/wsm/11-XTM/en-US/Content/en-US/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
0
 
LVL 6

Author Closing Comment

by:mmcodefive
Comment Utility
The solution to this setup is documented in the link above.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now