loopback ip
Hello,
can the loopback ip be part of the 192.168.114.0 or 192.168.113.0 networks
these are used for muvpn ikev2 and sslvpn.
background
i have a firebox without a trusted interface, it is used for bovpn and muvpn only.
works as a vpn concentrator.
Radius traffic is intended to go through the bovpn tunnel. it is sent through the tunnel but the sender address is the public ip.
Deny xxx.x58.14.151 192.168.7.222 radius/udp 58277 1812 BovpnVif.V Firebox ip spoofing sites 110 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="110" rcvd_bytes="0" Traffic
adding a loopback would be the easiest without changes to the bovpn tunnels
Comments
Hi @Norman
There isn't a way to use the loopback address for SSL or IKEv2 mobile VPNs.
The "IP Spoofing Sites" designation is the firewall saying that it's seeing traffic on an interface that it didn't expect. If the external xxx.x58.14.151 IP isn't in the BOVPN's routes, you'll see the firewall drop that traffic.
-James Carson
WatchGuard Customer Support
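The log line quoted in the question can be checked mechanically for exactly the condition James describes: a Deny with the "ip spoofing sites" message whose source address is not one of the networks the BOVPN is expected to carry. The script below is an added example written for this thread; it is not code from WatchGuard or from either poster. It assumes the field layout of a Firebox traffic entry is the one visible in the single quoted line (action, src, dst, service, ports, in/out interface, message, length, TTL, policy, then key="value" pairs), takes the tunnel networks 192.168.114.0/24 and 192.168.113.0/24 from the question, and replaces the masked public address with the documentation address 198.51.100.151 as a constructed stand-in.

```python
import re
import ipaddress

# Constructed sample log lines. The first reproduces the Deny entry quoted in
# the thread, with the masked external address replaced by the documentation
# address 198.51.100.151 (a constructed stand-in, not the poster's real IP).
# The second is a constructed Allow entry showing the same RADIUS flow once it
# is sourced from an address inside the tunnel (192.168.114.254).
SAMPLE_LOGS = [
    'Deny 198.51.100.151 192.168.7.222 radius/udp 58277 1812 BovpnVif.V Firebox '
    'ip spoofing sites 110 64 (Internal Policy) proc_id="firewall" rc="101" '
    'msg_id="3000-0148" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" '
    'sent_bytes="110" rcvd_bytes="0" Traffic',
    'Allow 192.168.114.254 192.168.7.222 radius/udp 58277 1812 Firebox BovpnVif.V '
    'Allowed 110 64 (RADIUS-out-00) proc_id="firewall" rc="100" msg_id="3000-0148" '
    'src_ip_nat="192.168.114.254" Traffic',
]

# Positional part of a Firebox traffic entry, as laid out in the quoted line
# (an assumption drawn from that one line, not a documented grammar):
# action src dst service sport dport in_if out_if message length ttl (policy) key="value"...
LINE_RE = re.compile(
    r'^(?P<action>Allow|Deny)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<service>\S+)\s+'
    r'(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+'
    r'(?P<msg>.*?)\s+(?P<length>\d+)\s+(?P<ttl>\d+)\s+\((?P<policy>[^)]*)\)\s*(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_traffic_line(line):
    """Return a dict of the positional fields plus the key="value" pairs, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["fields"] = dict(KV_RE.findall(rec.pop("kv")))
    return rec


def source_in_tunnel(src, tunnel_networks):
    """True if src lies inside one of the networks the BOVPN is expected to carry."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # A masked or malformed address can never match a tunnel network.
        return False
    return any(addr in net for net in tunnel_networks)


def find_spoof_drops(lines, tunnel_cidrs):
    """Collect 'ip spoofing sites' denies and note whether the source fits the tunnel."""
    nets = [ipaddress.ip_network(c) for c in tunnel_cidrs]
    findings = []
    for line in lines:
        rec = parse_traffic_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if "ip spoofing" not in rec["msg"].lower():
            continue
        findings.append({
            "src": rec["src"],
            "dst": rec["dst"],
            "service": rec["service"],
            "in_if": rec["in_if"],
            "msg_id": rec["fields"].get("msg_id"),
            "src_in_tunnel": source_in_tunnel(rec["src"], nets),
        })
    return findings


if __name__ == "__main__":
    tunnels = ["192.168.114.0/24", "192.168.113.0/24"]
    for f in find_spoof_drops(SAMPLE_LOGS, tunnels):
        if f["src_in_tunnel"]:
            hint = "source is tunnel-local; check the route/remote entries on the peer"
        else:
            hint = "source is not a tunnel-local address; set the policy source IP or add it to the BOVPN"
        print(f"{f['src']} -> {f['dst']} ({f['service']}) in on {f['in_if']}: {hint}")
```

Run against the two sample lines it reports only the Deny entry, with src_in_tunnel False, which is the situation in the thread: the RADIUS packet leaves with the public address, and that address is not covered by the tunnel. Pointing the script at a real log export lets you confirm the fix took effect, because after setting a tunnel-local source IP the same flow should stop appearing as a spoofing drop.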
The "IP Spoofing Sites" is because the Firebox is sending radius packets with its public IP instead of an internal ip suitable for that tunnel.
eg 192.168.114.254 would be fine
You need to add the external IP addr of the firewall in your BOVPN setup.
Alternatively, use the set source IP in a policy specific to that RADIUS traffic to set the source IP as something you already have a tunnel for.
-James Carson
WatchGuard Customer Support
VPN route?
Yes, if you are using a Virtual Interface BOVPN.
For the old style BOVPN, add it in the Local/Remote entries at each end.
Or, use James Carson's method