Best Of
Re: M370 to M390 | Mobile SSLVPN Fails now? "Waiting for initial response from server"
The OpenVPN TAP driver was updated between those versions -- if you're running into a problem with just the new version, you likely have something blocking that adapter from sending network traffic (local AV, local firewall, etc.) or potentially more than one TAP driver installed.
The older SSLVPN TAP will work, but you will see the driver signing warning when installing it (since the certificate that signed it has expired) and performance may be slightly worse, but it should continue to work if you choose to use it.
Re: M370 to M390 | Mobile SSLVPN Fails now? "Waiting for initial response from server"
Now you have some real facts to provide should you open a support case on this.
Let us know if a firewall reboot resolves the issue with the 12.10 client.
Re: how to set DNS Suffix
You can set this on the WINS/DNS tab of Network Configuration.
"In the Domain Name text box, type a domain name that a DHCP client adds to unqualified host names. This setting corresponds to DHCP option 15."
This is the domain name suffix.
Above quote from here in the Configure Network DNS and WINS Servers section:
Configure Network DNS and WINS Servers
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/wins_dns_add.html
There is a similar setting on each DHCP setup page in the "Configure WINS/DNS Servers" area.
Re: Mobile VPN through 2 firewalls on the same network
To get to the Firebox V, the SSLVPN port needs to be different from the SSLVPN port on your M590.
On your M590 you need to set up an incoming policy for the Firebox V SSLVPN port with a SNAT which points to 10.0.5.5.
Re: Received N(TS_UNACCEPTABLE) message
Hello all,
I had this error (TS_UNACCEPTABLE) too, after a change from the old BOVPN style to BOVPN-VIF + IKEv2.
The problem was the external IP, which was a private IP.
The ISP router gets only one external fixed IP and hands out a private range internally (192.168.178.0/24).
It seems that the Firebox tries to establish a VPN tunnel with the external IP from that range.
There was a conflict with local IPs with a similar ISP connection.
At the beginning, I did not assign virtual interface IP addresses under "VPN Routes".
After doing so, the tunnel comes up stable.
I used APIPA addresses (out of 169.254.0.0/16) for it.
Regards, Markus
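The post above describes two things worth checking before bringing up a BOVPN-VIF tunnel: whether the address the Firebox treats as "external" is really a private address handed out by an ISP router (and overlaps local networks), and whether the virtual-interface addresses are link-local and free of collisions. The following preflight check is an added example written for this digest; it is not code from the post, from Markus, or from WatchGuard, and all addresses in it are constructed to mirror the scenario (192.168.178.0/24 as the ISP router's LAN, 169.254.x.x as the VIF pair).

```python
import ipaddress
from typing import Dict, List

# RFC 1918 and link-local ranges, spelled out so the check does not depend on
# the interpreter's own notion of "private" (which also covers documentation
# prefixes and differs between Python versions).
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

def is_non_routable(ip: ipaddress.IPv4Address) -> bool:
    """True when the address is RFC 1918 or link-local, so it cannot be a peer's public IP."""
    return any(ip in net for net in NON_ROUTABLE)

def endpoint_findings(external_ip: str, local_nets: List[str]) -> List[str]:
    """Flag a BOVPN endpoint address that cannot work as a public peer address.

    Returns human-readable findings; an empty list means nothing was flagged.
    """
    ip = ipaddress.ip_address(external_ip)
    findings = []
    if is_non_routable(ip):
        findings.append(
            f"{ip} is a private or link-local address; the remote peer will see "
            "the ISP router's public IP, not this one"
        )
    for net in local_nets:
        network = ipaddress.ip_network(net, strict=False)
        if ip in network:
            findings.append(
                f"{ip} lies inside local network {network}; tunnel traffic "
                "selectors would overlap the local route"
            )
    return findings

def vif_addresses_ok(local_vif: str, remote_vif: str, local_nets: List[str]) -> bool:
    """True when both VIF addresses are link-local (169.254.0.0/16), distinct,
    and do not fall inside any routed local network."""
    link_local = ipaddress.ip_network("169.254.0.0/16")
    a, b = ipaddress.ip_address(local_vif), ipaddress.ip_address(remote_vif)
    if a == b or a not in link_local or b not in link_local:
        return False
    for net in local_nets:
        network = ipaddress.ip_network(net, strict=False)
        if a in network or b in network:
            return False
    return True

def preflight(external_ip: str, local_nets: List[str],
              local_vif: str, remote_vif: str) -> Dict[str, object]:
    """Combine both checks into one report for a BOVPN-VIF endpoint."""
    return {
        "endpoint_findings": endpoint_findings(external_ip, local_nets),
        "vif_ok": vif_addresses_ok(local_vif, remote_vif, local_nets),
    }

if __name__ == "__main__":
    # Constructed values modelled on the post: the ISP router hands the Firebox
    # 192.168.178.20 as its "external" address, and the same /24 is also used
    # on the LAN side of the remote site.
    report = preflight(
        "192.168.178.20",
        ["192.168.178.0/24", "10.0.10.0/24"],   # hypothetical local networks
        "169.254.10.1", "169.254.10.2",          # APIPA pair for the VIF, as in the post
    )
    for finding in report["endpoint_findings"]:
        print("WARN:", finding)
    print("VIF addresses OK:", report["vif_ok"])
```

Run it before committing the configuration: any line printed as WARN corresponds to a condition that produces the TS_UNACCEPTABLE symptom described above, and a False for the VIF pair means the "VPN Routes" addresses need to be chosen again.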
Re: Rules and BOVPN Priority
Do you have a ping policy near the top of your policy list?
Re: Can't Access Firebox from both Web UI or WSM
We found a solution to this problem, described below.
If the problem is related to the web server certificate, I suppose changing the web server certificate back to the default self-signed firebox certificate should solve the connection problem. Since we can't make this change in WSM or WebUI, obviously that means we'll have to do it with the CLI command.
1. Connect to the Firebox in PuTTY using SSH via port 4118.
2. Log in as "admin".
3. You will enter two commands. Press Enter after each command.
First command: configure
Second command: web-server-cert default
4. After you press Enter for the second command, the CLI will not confirm the change and will return you to "wg(config) #". This means that it was successful.
Re: Log VPN SSL connections
Have you added your new firewall to the cloud for reporting?
Try increasing the date range. If there are no client VPN authentications for the selected date/time range, then the Authentication selection item is not shown.
Re: Lock down IKEv2 VPN by only allowing only certain IPs to connect
Add the IP address(es) or domain names of the remote BOVPN endpoint to the above IPSec policy.
Re: Lock down IKEv2 VPN by only allowing only certain IPs to connect
Hi @Kucster
All IKE/IPSec traffic is governed by a hidden rule. You can turn it off and create your own rule, but you must account for any IPSec connection (including site-to-site/Branch Office VPNs).
See:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html
(jump down to the section labeled "Disable or Enable the Built-in IPSec Policy")
Once that built-in rule is disabled, you can make a rule:
- Create a new policy.
- Use a packet filter; there should be a predefined one called "IPSec" in the packet filter list with the ports you'll need.
- Make the FROM field the IPs you want to allow IPSec traffic from.
- Make the TO field "Firebox."
If you make this change, you will need to update the FROM list every time you need to allow a new IP. Residential ISPs are usually DHCP-based, so this may happen frequently.