Hi Guys,
Is it possible to build a tunnel from external via SSLVPN and then build up a BOVPN tunnel in this connection?

  • Tunnel an IPSec connection within a SSLVPN connection ?
    Not that I can see.

    What is your goal?

  • @Bruce_Briggs my goal is to allow Mobile VPN with SSL users to use resources through a BOVPN tunnel

  • james.carson Moderator, WatchGuard Representative
    edited August 2020

    In theory it's possible (the WatchGuard SSLVPN policy would have to be modified in order to allow that connection to the remote firewall).

    There'd likely be performance problems with it. TCP/IP already reduces your MTU down to ~1472, and each VPN will take more off the top of that. Depending on what encryption, etc. you're using, you could very well end up with a packet that has a data payload of less than 1200 bytes. Most applications will fragment that traffic, but some may just fail to transmit data at all. Each VPN will also add latency, as traffic needs to be encrypted and decrypted at each step.

    It is possible to use SSO across BOVPN tunnels, and you can also use manual BOVPNs in order to limit what each subnet has a route to. Trying to run a VPN over a VPN will (in my opinion) just slow everything down if it does work, and create a very bad user experience.

    -James Carson
    WatchGuard Customer Support
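To put numbers on the "each VPN takes more off the top" point above, here is an added example (not from the post, nor WatchGuard code) that budgets the MTU for an ESP tunnel carried inside an SSL VPN. The ESP header, IV, padding, trailer and ICV sizes follow RFC 4303/4106 for the two named suites; the 69-byte outer SSL VPN overhead, the 1500-byte path MTU and the absence of IP/TCP options are assumptions, so treat the results as estimates rather than a measurement of any product.

```python
"""Rough MTU budget for an IPsec (ESP) tunnel nested inside an SSL VPN.

Added illustration. The per-layer sizes are assumptions about common
encapsulations, not measurements of any particular product.
"""

ETH_MTU = 1500                        # assumed path MTU on the client's uplink
IP_HDR, UDP_HDR, TCP_HDR = 20, 8, 20  # IPv4 and TCP without options (assumed)

# Assumed per-packet overhead of the outer SSL VPN layer: outer IPv4 + UDP,
# plus a TLS/DTLS-style record header (5), explicit IV (16) and HMAC tag (20).
SSLVPN_OVERHEAD = IP_HDR + UDP_HDR + 5 + 16 + 20     # 69 bytes

# ESP cipher suites: (IV length, pad alignment, ICV length), per RFC 4303/4106.
ESP_SUITES = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "aes-gcm-128":          (8, 4, 16),
}
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, suite, nat_t=True):
    """Wire size of one ESP tunnel-mode packet carrying an inner IP packet."""
    iv_len, align, icv_len = ESP_SUITES[suite]
    # Padding makes (inner packet + trailer) a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % align
    size = IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        size += UDP_HDR   # ESP-in-UDP (NAT traversal) adds one more UDP header
    return size


def max_tcp_payload(suite, nested=True, nat_t=True, mtu=ETH_MTU):
    """Largest TCP payload whose packet, after ESP (and, if nested, the outer
    SSL VPN) encapsulation, still fits in mtu without fragmentation."""
    best = 0
    for payload in range(mtu):
        inner = IP_HDR + TCP_HDR + payload
        wire = esp_tunnel_size(inner, suite, nat_t)
        if nested:
            wire += SSLVPN_OVERHEAD
        if wire <= mtu:
            best = payload
    return best


def tcp_mss_no_vpn(mtu=ETH_MTU):
    """TCP payload per packet with no VPN at all (1460 on a 1500-byte link)."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    print("no VPN:", tcp_mss_no_vpn())
    for suite in ESP_SUITES:
        print(suite, "IPsec only:", max_tcp_payload(suite, nested=False),
              "IPsec inside SSL VPN:", max_tcp_payload(suite))
```

Under these assumptions the AES-CBC/HMAC-SHA1 suite leaves 1382 bytes of TCP payload over IPsec alone and 1318 bytes once that tunnel rides inside the SSL VPN; the padding step is why the number moves in 16-byte jumps rather than tracking the header sizes exactly. Change `SSLVPN_OVERHEAD` to match the client you actually deploy before relying on the figures.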

  • @Bruce_Briggs yes, exactly that is what I want to do. A Mobile SSLVPN user is coming from outside to the Firebox and wants to access a resource in another subsidiary via a BOVPN tunnel.

  • @Bruce_Briggs is it necessary, like in the manual above in step 3, to change to "Specify allowed resources", or can I keep the setting at "Allow access to networks connected through the Trusted, Optional, and VLANs"? Then it should be enough that I continue at point 9 with the SSLVPN address, or not?

  • You either need "Force all client traffic through tunnel", or you need "Specify allowed resources" with the desired subnets.
    The 2nd option does not include remote subnets such as at the end of a BOVPN.
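The reply above is the crux of the thread: with "Specify allowed resources" the client only routes the listed subnets into the tunnel, so a subnet that sits behind a BOVPN at the other end has to be listed explicitly. The following Python model is an added example, not code from the thread or from WatchGuard; the subnets are constructed, and the model covers only the routes pushed to the client, not the firewall policy that must separately permit SSLVPN users to reach the BOVPN subnet. The `unreachable_bovpn_networks` check is the one to run before changing the setting.

```python
import ipaddress

# Constructed sample topology (assumptions, not from the thread).
LOCAL_NETWORKS = ["10.0.1.0/24", "10.0.2.0/24"]   # Trusted/Optional behind the Firebox
BOVPN_REMOTE_NETWORKS = ["10.20.0.0/16"]          # subsidiary subnet behind the BOVPN
ANY = ipaddress.ip_network("0.0.0.0/0")


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def client_routes(mode, allowed_resources=()):
    """Networks the SSL VPN client sends into the tunnel for a given setting.

    mode is one of:
      "local_networks"    - "Allow access to networks connected through the
                            Trusted, Optional and VLANs": local subnets only
      "allowed_resources" - "Specify allowed resources": exactly the listed CIDRs
      "force_all"         - "Force all client traffic through tunnel": default route
    """
    if mode == "force_all":
        return [ANY]
    if mode == "local_networks":
        return _nets(LOCAL_NETWORKS)
    if mode == "allowed_resources":
        return _nets(allowed_resources)
    raise ValueError(f"unknown mode {mode!r}")


def uses_tunnel(dst, routes):
    """True if the client routes packets for dst into the VPN tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in routes)


def is_split_tunnel(routes):
    """A client is split-tunnelled unless it was pushed a default route."""
    return not any(net == ANY for net in routes)


def unreachable_bovpn_networks(routes):
    """BOVPN remote networks the client cannot reach with this route set.

    A remote network counts as reachable only if it lies wholly inside one of
    the pushed routes; partial overlap would leave some hosts unreachable."""
    return [str(net) for net in _nets(BOVPN_REMOTE_NETWORKS)
            if not any(net.subnet_of(route) for route in routes)]


if __name__ == "__main__":
    for label, routes in [
        ("local networks only", client_routes("local_networks")),
        ("allowed resources = local", client_routes("allowed_resources", LOCAL_NETWORKS)),
        ("allowed resources = local + BOVPN",
         client_routes("allowed_resources", LOCAL_NETWORKS + BOVPN_REMOTE_NETWORKS)),
        ("force all", client_routes("force_all")),
    ]:
        print(f"{label}: split tunnel={is_split_tunnel(routes)}, "
              f"BOVPN subnets not reachable={unreachable_bovpn_networks(routes)}")
```

The third configuration is the one the thread settles on: the BOVPN subnet is reachable, but Internet-bound traffic (for example to 203.0.113.9) still leaves the client directly, which is the split-tunnel risk the next reply describes. Only "force_all" removes that, at the cost of hairpinning all client traffic through the Firebox.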

  • @Bruce_Briggs Thanks for the hint. Would you take "Force all client traffic through tunnel" or would you take "Specify allowed resources"?

  • "Specify allowed resources" is a split tunnel method, which is riskier than "Force all client traffic through tunnel" as the client can be connected to the Internet and to your LAN at the same time. However Internet access will usually be faster when connected using "Specify allowed resources".
    I prefer safety over speed.
    You need to decide which is best for your site and clients.

  • @Bruce_Briggs Thanks for your recommendation. I will configure this next week with "Specify allowed resources" and give feedback on whether it works.

  • @Bruce_Briggs Thanks, it works fine.

  • @Daniel_P30 is there a significant speed decrease at your BOVPN sites?

  • @NickSimpson no, there isn't a significant speed decrease.

