WatchGuard BOVPN GRE tunnel over IPsec with other vendors' IPsec solutions
Hello!
We have a working IPsec tunnel between OPNsense and WatchGuard BOVPN (IPv4 subnets), and next we want to route both IPv4 and IPv6 traffic securely over the GRE tunnel, which is carried inside the IPsec tunnel.
Are there alternative solutions for configuring BOVPN to carry IPv4 and IPv6 traffic securely over an IPv4 IPsec tunnel?
Is there a guide or are there examples for configuring WatchGuard BOVPN with a GRE tunnel? Are there any compatibility issues related to BOVPN IPsec site-to-site VPN and GRE with other solutions?
I haven't found a BOVPN Integration Guide that describes how to configure BOVPN with other vendors' solutions to carry IPv4 and IPv6 traffic securely over an IPv4 IPsec tunnel.
Lauri-Alo Adamson
Answers
Hi @LauriAlo
There is an open feature request for this. It is FBX-21224. If you'd like to follow that request, please open a support case and mention it somewhere in the case. The technician that is assigned the case can set that up for you.
This request is not currently on any feature roadmap, so there is no ETA as to when this might be available.
-James Carson
WatchGuard Customer Support
I am currently configuring a Firebox device and would like to confirm whether IPv6 traffic can be encapsulated within an IPv4 BOVPN (IPSec) tunnel. Specifically, I would like to know if it is possible to route IPv6 traffic over an IPv4 BOVPN connection using IPSec on the Firebox, and if there are any special configuration requirements for this setup.
Could you please provide confirmation on this feature and, if supported, point me to the relevant documentation or configuration guides?
If it's supported, is this WatchGuard solution compatible with other vendors' analogous solutions that allow IPv6 over an IPv4 IPsec tunnel?
Hi @LauriAlo
The Firebox will not convert IPv6 to IPv4 for you. If you wish to do this, you'll need something to send the traffic to internally on your network.
If you are looking to send IPv6 data over an IPv4 external address, so long as the traffic is exiting the tunnel on the other end as IPv6, you should be able to do this.
You can add routes to a tunnel via:
(Add Routes for a Tunnel)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/routes_add_new_c.html
You can see everything the firewall supports via IPv6 here:
(About IPv6 Support in Fireware)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/ipv6_supported_features.html
-James Carson
WatchGuard Customer Support
Hello!
You wrote:
"If you are looking to send IPv6 data over an IPv4 external address, so long as the traffic is exiting the tunnel on the other end as IPv6, you should be able to do this."
Is there any example configuration showing how to do it? In the documentation link "To add a tunnel route, from Policy Manager" https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/routes_add_new_c.html
there are lines that state that:
In Fireware v12.4 or higher, if you select a gateway configured for IPv6, you must specify IPv6 addresses in the tunnel route settings.
If I understood this documentation correctly, I can add IPv6 routes to the tunnel only when the gateway is configured for IPv6. This means that all gateway IP addresses must be IPv6 addresses.
If I use IPv4 addresses for the gateway addresses, I can't add IPv6 routes in the tunnel configuration.
Hi @LauriAlo I wasn't aware of that limitation -- the documentation is correct, there would not be a way to do this.
-James Carson
WatchGuard Customer Support