VPN endpoint can't see another VPN endpoint on a different subnet.

Hi All,

Hope someone can point us in the right direction here.

In summary, we have multiple VPN endpoints, and they cannot see each other.
We have a 192.168.250.0/24 subnet which has a tunnel to our HQ (10.10.0.0/16), and we also have a tunnel from 10.1.1.0/24 to our HQ. Both can see the HQ, and the HQ can see both VPN endpoints, but the endpoints can't see each other.

When running tracert from one subnet to another, it appears to work as expected initially: it hits our layer 3 core switch at HQ and then times out.

If we check the firewall, we see the following...

2020-03-15 15:53:43 Deny 192.168.250.53 10.1.1.115 icmp 20-WAN VLAN Firebox ip spoofing sites 92 19 (Internal Policy) proc_id="firewall" re="101" msg_id="3000-0148"

Hope I've made this clear enough, I've tried various things with no luck.

Best Regards

Jamie

Answers

  • Firebox Model: M470
    Firebox Version: 12.5.2.B609628

  • The spoofing deny indicates that XTM is not expecting that source IP on that firewall interface.
    On what firewall did the deny happen?

    To have all sites be connected via a VPN, there are 2 options -
    1) create a VPN between these 2 endpoints (full mesh option)
    2) create a hub & spoke VPN setup

    Review this:
    Branch Office VPN Tunnel Switching
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_tunnel_switching_summary_wsm.html

  • Are both of the 10.1.1.0/24 & the 192.168.250.0/24 subnet at the same location?
    Please explain their location.

  • @Bruce_Briggs said:
    Are both of the 10.1.1.0/24 & the 192.168.250.0/24 subnet at the same location?
    Please explain their location.

    Hi Bruce, thanks for responding.

    The 192.168.250.0/24 subnet has users connecting to HQ via Cisco Meraki VPN devices.
    The 10.1.1.0/24 is a BOVPN connection between HQ and an Amazon AWS VPC.

    We also have the following:
    192.168.252.0/24 which is WG's SSL Client VPN.
    192.168.51.0/24 which is WG BOVPN tunnel to another Firebox.

    All subnets above can see HQ and vice versa, but neither of the above can see each other. The Firebox is at HQ.

    Thanks again for your response.

  • So the question is why did the ping packet from 192.168.250.53 to 10.1.1.115 come in the 20-WAN interface?

    Looks to me that there needs to be a change to the Meraki & HQ VPN settings to indicate that 10.1.1.0/24 is reachable via the HQ site.
    For the XTM firewall end, add an additional Tunnel entry with Local = 10.1.1.0/24, Remote = 192.168.250.0/24
    Do the reverse equivalent at the other end.
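As an added illustration of the two answers above (the meaning of the "ip spoofing" deny, and the extra Local/Remote tunnel entries), not code from the thread or from WatchGuard: a small Python checker that reads the quoted deny line and traces the src/dst pair through a hub's tunnel-route table, before and after the suggested entries. The subnets and the log line come from the thread; the tunnel names "meraki" and "aws", the route tables and the HUB_LANS list are assumptions.

```python
"""Hub-side tunnel-route checker for spoke-to-spoke VPN traffic (added example,
not WatchGuard code). Subnets and the log line are from the thread; the tunnel
names, route tables and HUB_LANS are hypothetical."""
import ipaddress
from typing import Optional

# Constructed sample, modelled on the Firebox deny line quoted in the question.
SAMPLE_LOG = (
    "2020-03-15 15:53:43 Deny 192.168.250.53 10.1.1.115 icmp 20-WAN VLAN Firebox "
    'ip spoofing sites 92 19 (Internal Policy) proc_id="firewall" re="101" msg_id="3000-0148"'
)

HUB_LANS = ["10.10.0.0/16"]  # networks behind the hub Firebox itself (HQ); assumed

# Hypothetical hub-side tunnel routes as (Local, Remote) pairs, one list per tunnel.
# BEFORE: each spoke only knows the HQ range, so spoke-to-spoke traffic matches no selector.
HUB_ROUTES_BEFORE = {
    "meraki": [("10.10.0.0/16", "192.168.250.0/24")],
    "aws": [("10.10.0.0/16", "10.1.1.0/24")],
}
# AFTER: the extra Local/Remote entries suggested in the answer, added on both tunnels.
HUB_ROUTES_AFTER = {
    "meraki": [("10.10.0.0/16", "192.168.250.0/24"), ("10.1.1.0/24", "192.168.250.0/24")],
    "aws": [("10.10.0.0/16", "10.1.1.0/24"), ("192.168.250.0/24", "10.1.1.0/24")],
}


def parse_firebox_line(line: str) -> dict:
    """Extract the fields the check needs from a Firebox traffic-log line.

    Field order assumed from the quoted line: date time action src dst proto in_iface ...
    """
    parts = line.split()
    if len(parts) < 7:
        raise ValueError("unexpected Firebox log format")
    return {
        "action": parts[2],
        "src": ipaddress.ip_address(parts[3]),
        "dst": ipaddress.ip_address(parts[4]),
        "proto": parts[5],
        "in_iface": parts[6],
        "spoof": "ip spoofing" in line,
    }


def _covering_tunnel(routes: dict, local_ip, remote_ip) -> Optional[str]:
    """Name of the tunnel with a route whose Local contains local_ip and Remote contains remote_ip."""
    for name, entries in routes.items():
        for local, remote in entries:
            if local_ip in ipaddress.ip_network(local) and remote_ip in ipaddress.ip_network(remote):
                return name
    return None


def diagnose(routes: dict, src: str, dst: str, hub_lans=HUB_LANS) -> str:
    """Trace a src->dst packet through the hub's tunnel routes.

    The hub accepts a packet from a tunnel when dst is in that route's Local and src in
    its Remote, and forwards it into a tunnel when the reverse holds. If no route covers
    the pair, the spoke never sends the packet into its tunnel at all: it follows the
    spoke's default route and reaches the hub's WAN interface in the clear, which is what
    the "ip spoofing" deny on 20-WAN in the question shows.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = _covering_tunnel(routes, dst_ip, src_ip)
    if inbound is None:
        return "no-inbound-route"
    if any(dst_ip in ipaddress.ip_network(n) for n in hub_lans):
        return f"local:{inbound}"
    outbound = _covering_tunnel(routes, src_ip, dst_ip)
    if outbound is None:
        return "no-outbound-route"
    return f"switched:{inbound}->{outbound}"


def explain_spoof_deny(line: str, routes: dict) -> str:
    """Map a Firebox 'ip spoofing' deny to the tunnel-route verdict for its src/dst."""
    ev = parse_firebox_line(line)
    if ev["action"] != "Deny" or not ev["spoof"]:
        return "not-a-spoofing-deny"
    return diagnose(routes, str(ev["src"]), str(ev["dst"]))


if __name__ == "__main__":
    for label, table in (("before", HUB_ROUTES_BEFORE), ("after", HUB_ROUTES_AFTER)):
        print(label, explain_spoof_deny(SAMPLE_LOG, table))
        print(label, "reverse", diagnose(table, "10.1.1.115", "192.168.250.53"))
```

The checker only models the hub's table. Adding the entry on just one tunnel gives "no-outbound-route", which is why the answer says to do the reverse equivalent at the other end as well, and each spoke (Meraki, AWS) must likewise list the other spoke's subnet in its own selectors or it will keep routing that traffic to its default gateway.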

  • edited March 30

    @Bruce_Briggs said:
    So the question is why did the ping packet from 192.168.250.53 to 10.1.1.115 come in the 20-WAN interface?

    Looks to me that there needs to be a change to the Meraki & HQ VPN settings to indicate that 10.1.1.0/24 is reachable via the HQ site.
    For the XTM firewall end, add an additional Tunnel entry with Local = 10.1.1.0/24, Remote = 192.168.250.0/24
    Do the reverse equivalent at the other end.

    Thanks again Bruce,

    You are spot on with that summary, however we are unfortunately not experts in WG..
    The VPN connection between HQ and AWS uses a "BOVPN Virtual Interface", so I'm not sure how to add this tunnel entry here as the settings look slightly different than the standard BOVPN. Do you have any ideas?

    Thanks in advance.

  • edited March 30

    I don't have personal experience with this.

    Consider opening a support incident to get help from a WG rep.
    Perhaps @James_Carson will comment here.

  • @Bruce_Briggs said:
    I don't have personal experience with this.

    Consider opening a support incident to get help from a WG rep.
    Perhaps @James_Carson will comment here.

    Thanks for your assistance, I'll log a ticket.
