Need IKEv2 mobile users to access resources on remote BOVPN

Hello, I am needing to configure access for mobile VPN users (IKEv2) who connect to Office A to access resources in Office B (specifically a printer is the immediate need). Users physically in Office A can access all of the resources in Office B, Users physically in Office B can access all resources in Office A. It appears that Mobile VPN with SSL can accomplish this as you have the ability to Specify allowed resources, but that option does not exist for IKEv2. Anyone know how to configure short of setting up SSL? I've searched but have not found anything - have I just missed it?

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @John_A

    You'll need to make a route in your BOPVN from the IKEV2 VPN subnet to the resource subnet, and vice versa on the other side.

    Assuming your IKEv2 subnet is 192.168.114.0/24, and your remote resource is at 10.10.50.0/24 you'd need to add the following to your BOVPN routes.

    192.168.114.0/24 <--> 10.10.50.0/24

    and on the opposite side

    10.10.50.0/24 <--> 192.168.114.0/24

    If you're using a BOVPN Virtual Interface, just the route to needs to be added on both sides.

    Nothing should need to be modified on the IKEv2 tunnel as it's already a default/zero route and will send all traffic to the firewall.

    -James Carson
    WatchGuard Customer Support

  • Hi @james.carson

    That was actually the first thing I tried. When I set up the 2nd tunnel on both sides it immediately broke the VPN and the offices were no longer connected. Fortunately, I had a mobile VPN to Office B as well, so I was able to log into both routers and delete both secondary tunnels (saved me a 2 hour drive - lol). After rebooting the BOVPN was re-established.

    After this fiasco, I moved the testing into my office. Replicating Office A and Office B, I created a BOVPN between to T20's; the BOVPN connected and I was able to access both networks as expected. As soon as I created the 2nd tunnel for the mobile users I had the same issue with the BOVPN "breaking" as I did with the production routers. Checking System Status - VPN Statistics. 2 tunnels, 1 Gateway - 0 active tunnels.

    It was at this point, started looking elsewhere. I started by searching the Internet / WatchGuard for instructions on how to configure access. I found the instructions regarding the SSL config, but that didn't apply as there is no option to route VPN traffic with the IKEv2 configuration. I then looked into Network - Routes - nothing there. After reading your comment, I decided to try again.

    I setup the 2nd tunnel in Office A and Office B. Saved both configs and again the BOVPN broke. I deleted both of the 2nd tunnels, rebooted routers and verified the BOVPN was functional. I rebooted both again and checked the BOVPN - still up. At this point I created the tunnel's again and rebooted both routers. When they came back up this time the BOVPN was up, both tunnels were active and I could access Office B from the mobile VPN from Office A.

    I'm going to wait until the weekend to try this on the production routers, just in case I run into issues.

    I appreciate you taking your time to reply. I was actually glad I read your steps, because I knew that I was doing it "correctly" even though I could not get it to connect.

    John

  • What did you see in Traffic Monitor when the BOVPNs would not come up?

    Normally a reboot is not needed. The BOVPN endpoints should try to negotiate with the new settings.

    If there is nothing to help understand this in your firewall logs/Traffic Monitor,
    you can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Logging -> Settings
    Set the slider to Information or higher

    Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.

    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

    Perhaps doing a Rekey All BOVPN tunnels would help.

    See the Troubleshoot section here:
    Manual Branch Office VPN Tunnels
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/other/chapters/manualbovpntunnels.html

Sign In to comment.