Branch Office VPN Using Starlink On One End
I have a customer that wants to use Starlink as their internet provider. They have a T-20 and want to create a BOVPN to an existing T-35 that has a traditional ISP internet service with a static IP address.
We have set up many BOVPNs with T-15s and T-20s with the T-35 but in each case we had static IP addresses.
Is this possible?
Normally I'd say in theory - yes this is possible if you use on the Starlink (T20) end a BOVPN interface config that specifies a userid@domain identifier as the local gateway (as I believe Starlink issues a CGNAT address by default).
[I've been doing this for 4G connections without issue so far].
The remote (T35) end in your case has the static IP address which is fine.
However, you would have to test this as we have a client who is apparently using a Starlink connection and can't connect from their laptop to their corporate mobile IKEv2 endpoint which is a FireboxV.
The ISP documentation they've given us suggests that the CGNAT implementation may not like some IPsec type connections, which if so would be a problem for your setup.
Unfortunately I don't have a Starlink setup to test this on so can only go on what I've been given/told.
Only thought of this now, but another option for the Starlink T20 to connect to the T35 if all else fails is a BOVPN over TLS setup, however this does come with some changes on the T35 end which may conflict if you have an existing [mobile] SSL VPN setup.
In some quick testing I do notice you can't use this setup with any SDWAN rules unlike how you can specify a BOVPN interface in a SDWAN rule (it's more similar to a policy based VPN in how traffic is handled if I have it right).
Sure you can. Set up the external interface as DHCP (duh).
When you create your VPN tunnel in VPN->Branch Office Gateway you simply tell it that your side (or the other) is DHCP and enter in a 'domain' name (this can be anything you want, it does not need AD or anything behind it).
As long as the DHCP side knows the IP address of the other side and the rest of the exchange matches - it will connect.
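The advice in this thread boils down to a decision rule: if the external interface of a Firebox holds a CGNAT (RFC 6598, 100.64.0.0/10) or private address, the peer cannot reach it, so that end must identify itself by a domain-name gateway ID and be the tunnel initiator; if both ends are behind CGNAT the tunnel is not expected to come up. The following added example (not from the original posts, and not WatchGuard code) encodes that rule so you can check a pair of WAN addresses before touching the Firebox configuration. The function names and the returned dictionary keys are my own; the CGNAT range is the RFC 6598 shared address space.

```python
import ipaddress

# RFC 6598 shared address space, used by carrier-grade NAT (the default on
# Starlink according to the thread). Python's ipaddress treats it as neither
# private nor global, so we test for it explicitly.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the address seen on a Firebox external interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"      # ISP NAT in front of us; inbound IKE will not arrive
    if ip.is_private:
        return "private"    # a home/ISP router is doing NAT (e.g. Starlink router not in bypass mode)
    if ip.is_global:
        return "public"     # reachable; may be static or DHCP-assigned
    return "other"          # loopback, link-local, reserved/test ranges, etc.


def local_gateway_id(addr: str, domain_name: str) -> dict:
    """Gateway ID to configure on the end whose external interface has `addr`.

    `domain_name` is the arbitrary identifier used for tunnel authentication by
    domain name; the thread notes it does not need to exist in DNS or AD.
    """
    if classify_wan_address(addr) == "public":
        return {"id_type": "ip_address", "id": addr}
    return {"id_type": "domain_name", "id": domain_name}


def plan_bovpn(local_addr: str, remote_addr: str,
               local_domain: str = "site-a.example", remote_domain: str = "site-b.example") -> dict:
    """Decide whether a BOVPN between two external addresses is expected to work
    and which side must initiate. Returns a plain dict for easy inspection."""
    local_kind = classify_wan_address(local_addr)
    remote_kind = classify_wan_address(remote_addr)
    local_reachable = local_kind == "public"
    remote_reachable = remote_kind == "public"

    plan = {
        "local": local_gateway_id(local_addr, local_domain),
        "remote": local_gateway_id(remote_addr, remote_domain),
        "feasible": local_reachable or remote_reachable,
        "initiator": None,
        "note": "",
    }
    if not plan["feasible"]:
        # Matches the linked report: no success with Starlink at BOTH ends.
        plan["note"] = "neither end is reachable; consider BOVPN over TLS or a static IP"
        return plan
    if local_reachable and remote_reachable:
        plan["initiator"] = "either"
    else:
        # The NATed end must open the tunnel; the public end only responds.
        plan["initiator"] = "remote" if local_reachable else "local"
        plan["note"] = "NATed end uses a domain-name gateway ID and must initiate"
    return plan


if __name__ == "__main__":
    # Constructed sample: a Starlink CGNAT address on one end, a public static IP on the other.
    print(plan_bovpn("100.72.3.9", "93.184.216.34"))
```

Run it with your own two WAN addresses; if it reports `feasible: False`, the thread's fallback (BOVPN over TLS) is the next thing to try. The check says nothing about whether the ISP's NAT passes IKE/ESP, which is the separate caveat raised above.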
> @TestingTester said:
> I am attempting this setup now with two Fireboxes. I tried setting it up as you mentioned and it will not connect. I have Starlink connected to an external interface set to DHCP and gave it a domain name of "test". It still won't connect.
> Do I need to put the Starlink router in bridge mode?

Did you ever get it working? I'm considering Starlink as our backup connection on one of our sites.
If your ISP does not block or break the IKE protocols, you can use a BOVPN tunnel where the local gateway on the "client" end is set up to use tunnel authentication by domain name, and you also configure dynamic DNS in the network settings matching the tunnel authentication domain name.
If this does not work, I think the only option is to use a BOVPN over TLS tunnel.
But it would be much easier if you could get a static IP assigned (it also works if it's DHCP-assigned). Then you create a DNS record and use the domain name in tunnel authentication.
There is a post here from Iain_G which said that there was a successful BOVPN setup from a WG firewall behind a Starlink to another not behind a Starlink.
VPN : T35-R to T35-R with Starlink at BOTH ends
https://community.watchguard.com/watchguard-community/discussion/2732/vpn-t35-r-to-t35-r-with-starlink-at-both-ends
No success when both were behind a Starlink, presumably because of multiple Starlink devices using the same public IP address.
I would assume that the success requires the firewall behind the Starlink to be the initiator of the BOVPN connection.
The issue I'm envisioning is that I have Draytek routers at [quite a few] remote sites running different firmware (as some of them are slightly different models), but we do have two main sites operating on WatchGuard M390s, so it looks like I can create a VPN tunnel between them, using Starlink on one end.
Site A (Main site with Starlink) RDS, DC01/DNS etc
Site B (Backup) RDS, DC02/DNS etc
All Draytek routers connect to both sites.
I wonder if I can get all Drayteks to connect to Site A through Site B when Site A's main fibre goes down. Do I need to create routes to get it working? Mobile VPN users can already access both sites regardless of which Firebox they connect to via a VPN client.
Review this:
Configure a Branch Office VPN for Failover from a Leased Line
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/vpn_failover_from_leased_line_overview_c.html
Thanks for this, Bruce. However, I'm struggling to understand the concept, so I prepared a diagram of my current setup.
Sites A and B can talk to each other, as can all remote sites. If the leased line goes down at Site A, Starlink at Site A (as the initiator) can maintain the VPN connection with Site B (as per this thread (?)). Drayteks won't work as a VPN server, not with Starlink anyway. The remote gateway ID settings are inconsistent across all of them. I have to use the remote gateway IP to get it working, which will be changeable for Starlink. Using Peer ID just doesn't work.
I want all remote sites to be able to access Site A networks whilst only being connected to Site B.
I don't have any experience with OSPF or BGP dynamic routing.
Hope it makes sense.
"I don't have any experience with OSPF or BGP dynamic routing."
Nor do I.
Note the instructions via the link say:
"At each site, the router that connects to the leased line must connect to a Firebox trusted or optional interface. The interface it connects to must be different than the interface used for the branch office VPN tunnel."
Your diagram seems to show the fiber lines as External.
Is your Internet access via the leased lines?
A significant issue would seem to be that the remote site routers would need to know to route traffic to site A subnets via site B. That would require a dynamic routing setup on them.
Other than the concept from the link that I posted, I am not aware of another way to accomplish what you want, using your firewalls in the solution.
The internet service is the leased line. A Juniper router, provided by the ISP and to which we don't have access, connects directly to the Firebox using an "External" configuration, say eth0. eth1 (trusted) is going to the core switch, where everything else happens.
So, I am not sure about the leased line using a trusted/optional interface.
Looks like the link that I posted will not work for your setup.