VPN over 2 WatchGuards, for manufacturer support

Hello, I am really new to the whole firewall story, so please be kind.


First of all, I will try to describe the desired goal.
I got the specification to enable a Mobile VPN to the T15 Firebox, which is behind our main 670 Firebox in a VLAN only for the T15s (yes, there will be more in the future once this one is working). The settings on the main one are:

  1. SNAT
    from the external IP to the internal IP
  2. Firewall-Policy
    from Any-external (can be changed to the IP of the manufacturer afterwards) to the SNAT-policy with a Highport: 30506

On the T15:
  1. Configured the IKEv2 VPN
    Firebox address is the
  2. Downloaded the client VPN file and changed the VPN server IP to the

The VPN is not working from the Windows 10 test client.
I can't even see traffic going to the main Firebox 670.

Do you have any idea where the problem is, or do you have a better solution?

Thank you all for your help!


    edited February 2022



    There is a default Built-in IPSec Policy in Fireware, so the 670 firewall is handling the IKEv2 VPN session attempt.

    You need to disable the Built-in IPSec Policy in order for IPSec to be forwarded to the internal T15.

    See the "Disable or Enable the Built-in IPSec Policy" section here:

    And you need to use an IPSec policy on the external firewall to allow this traffic through to the T15.

    Alternatively, you could use the SSLVPN client, which would be easier to get through the external firewall.


    Thank you very much @Bruce_Briggs. I will try the second option with the SSLVPN, because I don't want to mess up the IKEv2 for our employees.
    I will tell you if it worked afterwards!
    Have a good day!


    Do note that you can specify an alternate connection port for SSLVPN on the Advanced tab of the SSLVPN setup, which may make setting this up through your 650 easier.

    The remote user will then need to append that port after the connection IP address in the SSLVPN client, such as
    with 4443 being the alternate TCP port.
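As an added example that is not part of this thread and not WatchGuard's own tooling, the following bash script gives a remote user a quick pre-flight check before starting the SSLVPN client against an address that is published through another Firebox's SNAT rule, as discussed above: it confirms that the alternate TCP port accepts connections and that a TLS listener answers on it. The address 203.0.113.10 is a placeholder from the documentation range, 4443 is the alternate port used in the post, and the script assumes bash (for /dev/tcp), coreutils `timeout`, and optionally `openssl` for the handshake check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight checks for a WatchGuard
# SSLVPN endpoint reached through an outer Firebox's SNAT rule.
# Assumes: bash with /dev/tcp support, coreutils `timeout`; `openssl`
# is optional and only needed for the TLS handshake check.
# 203.0.113.10 and 4443 below are placeholders, not the poster's values.

# tcp_open HOST PORT [TIMEOUT_SECONDS]
# Returns 0 if a TCP connection to HOST:PORT completes, non-zero otherwise.
# A failure here means the outer firewall's SNAT/policy is not passing the
# port, or nothing is listening behind it.
tcp_open() {
    local host="$1" port="$2" t="${3:-3}"
    timeout "$t" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# tls_handshake HOST PORT [TIMEOUT_SECONDS]
# Returns 0 if a TLS handshake completes and the listener presents a
# certificate, 2 if openssl is not installed, 1 otherwise. A closed port
# or a non-TLS listener never prints a certificate block, so the grep fails.
tls_handshake() {
    local host="$1" port="$2" t="${3:-5}"
    command -v openssl >/dev/null 2>&1 || return 2
    timeout "$t" openssl s_client -connect "${host}:${port}" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# sslvpn_target HOST PORT
# Prints the connection string the user types into the SSLVPN client
# when an alternate port is configured (host:port).
sslvpn_target() {
    printf '%s:%s\n' "$1" "$2"
}

# sslvpn_preflight HOST PORT
# Runs both checks and prints one summary line each; returns non-zero if
# the TCP connection itself fails.
sslvpn_preflight() {
    local host="$1" port="$2" rc=0 tls=0
    echo "Checking SSLVPN target $(sslvpn_target "$host" "$port")"
    if tcp_open "$host" "$port"; then
        echo "ok   TCP ${host}:${port} accepts connections"
    else
        echo "FAIL TCP ${host}:${port} closed or filtered: check the SNAT and policy on the outer Firebox"
        rc=1
    fi
    tls_handshake "$host" "$port" || tls=$?
    case "$tls" in
        0) echo "ok   TLS handshake completed: a TLS listener answered on that port" ;;
        2) echo "skip openssl not installed, TLS check not run" ;;
        *) echo "FAIL no TLS handshake on ${host}:${port}: the port may be forwarded to the wrong host or service" ;;
    esac
    return "$rc"
}

# Only run the probe when host and port are given on the command line, e.g.
#   ./sslvpn_preflight.sh 203.0.113.10 4443
if [ "$#" -ge 2 ]; then
    sslvpn_preflight "$1" "$2"
fi
```

These checks only cover the TCP listener that the SSLVPN client talks to. IKEv2 runs over UDP 500 and 4500, so a TCP probe says nothing about the IPSec path, and with the Built-in IPSec Policy enabled on the outer Firebox those UDP ports are answered by the outer Firebox itself rather than forwarded.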

    edited February 2022

    Hey, so the T15 VPN is up and working. The last error was that I had configured the Primary Interface for the VPN to the IP address of the T15 and not to the IP of the external interface of the M670.
    Thank you Bruce for the help!
