  • Status: Solved

Watchguard Firebox and VPN Routing

I have two offices, each with a Firebox firewall running XTM. Each office has its own internet service provider/internet access. I have a VPN connection between offices that goes over the internet and links the private/trusted networks.

Let us say my Firebox IPs are set up as:

Office 1
External Internet IP 105.105.105.5, External Internet Gateway 105.105.105.1
Private/Trusted network 192.168.111.0/24

Office 2
External Internet IP 205.205.205.5, External Internet Gateway 205.205.205.1
Private/Trusted network 192.168.222.0/24

VPN 192.168.111.0/24 <==> 192.168.222.0/24

I have my VPN gateway endpoints now set at 105.105.105.5 and 205.205.205.5, the public IPs of the Fireboxes.

Now, I have set up a point-to-point private connection between the two offices using two wireless access points. The Firebox only allows External interfaces to be VPN gateway endpoints.

1) How should I set up the IPs on the wireless access points and on the Firebox so that the access points can be used as VPN gateway endpoints?

2) How can I route internet (non-VPN) traffic through the access points so they can be used as a secondary/backup internet connection if the internet service provider's line goes down at an office?

Thank you for your help
mmcodefive
Asked:
1 Solution
 
dpk_wal Commented:
Enable multi WAN which would help you achieve both 1 and 2 above.

Have a look at link:
http://customers.watchguard.com/articles/Article/3033

Please implement and update.

Thank you.
 
mmcodefive Author Commented:
Multi-WAN is if I had two connections with internet access at each office. I have only one connection at each office that has internet. The second connection is point to point between each office, no internet.

If I do a multi-WAN setup I have to set up a route from the point-to-point connection out to the internet on the Firebox that is accepting the packets.

Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two. I need to know how then to route those packets out to the internet. Basically an external to external policy on firebox two that does not affect the existing VPN.
 
dpk_wal Commented:
>> Basically say internet connection goes out at office one, with multi wan the firebox will failover to the point to point connection and route packets to the firebox at office two.

Once packets reach firewall at office two; configure a policy as:
Enabled and Allowed
From 192.168.111.0/24; to Any-external, 192.168.222.0/24

Firebox at office two would do dynamic NAT automatically as it would have entry for 192.168.0.0/16.

Please implement and update.

Thank you.
 
mmcodefive Author Commented:
The solution is to use dynamic routes. I am working with Watchguard support on the issue. They have some directions on how to do this that are similar to what I want to do.

http://www.watchguard.com/help/docs/wsm/11-XTM/en-US/Content/en-US/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
 
mmcodefive Author Commented:
The solution to this setup is documented in the link above.
