Managed VPN behind NAT device
Hello
I have a little problem.
i need to create BOVPN beetween multiples devices (style hub & spoke) , all (included main hub) are behind NAT device.
sadly, i'm french, and in my country all recent ISP box are now without bridged mode, so i must use DMZ -> all firefox don't have public external ip, but private external ip.
i can create Manual BOVPN, and it's work without problem, but if i try to create managed bovpn (with dimension or wsm server), it's not work, because managed bovpn are created with external private adress for gateway instead of public ip.
and after bovpn created, of course i cannot change that because dimension/wsm not allow to change details of managed bovpn.
is there an option somewhere that i can set to force the bovpn managed wizard to use public ip when create gateway?
since I have a lot of tunnels to create, if I could do it automatically (or almost) instead of having to do it individually on each device, it would be more easier. 
Thanks
Comments
Hi @winproof
The WSM server uses the public IPs it finds in each device's properties (if you right click any of the firewalls in the tree view, and go to properties, you'll see the external IPs.)
If you remove the private IPs here, and put the public ones in, the DVCP VPNs should form provided the firewall is able to call home and get that configuration.
-James Carson
WatchGuard Customer Support
but if i do that (i have to do it already for "external" firebox,otherwise I can't manage them) for the gateway firebox, i lose ability to manage it from wsm...
i've tried to play with policy to allow internal management (install wsm without gateway and configure gateway manualy after), but without succes.
it's probably because of the NAT Hairpinning is not allowed on my isp box.
no possibility to set, for the gateway, one internal ip for managing task and one external ip for vpn settings?
ok, sorry, i'm stupid
if i cannot manage gateway after changing ip, it's just because of me, i've forgot to add a policy to allow 4105, 4117, and 4118 from internal network to external (no default policy to allow all ports internal -> external in my config, all must be explicit with a policy) , so of course wsm cannot find my gateway using public ip
but now i have one last problem, we have two external ip on two external interface, and my first managed bovpn created is set on the wrong interface...
can i set for managed bovpn which interface to use by default?
because the second is a backup line (slow adsl)
disable "vpn failover" functionnality for managed bovpn?
I recall that the "primary" WAN for these managed BOVPNs is the one on the lowest interface number.
One option is to switch your WAN interface setups.
ok thanks
but for the moment, it's too complicated for me to use managed bovpn (specialy because of the lack of hairpinning on isp box), i'm going back to manual settings for bovpn.