BOVPN cannot access devices at branch office

I set up 2 new T80's for a customer that has a main office and now a new branch office. I have a BOVPN configured between the two with DHCP configured at the branch office on the T80. The network at the main office is 192.168.0.0, and the branch office network is 192.168.1.0, with DHCP configured from 192.168.1.50-192.168.1.254. From the branch office network I can access (map a drive) to a server sitting at the main office. However, if I try to do the opposite, try to ping or browse to an IP at the branch office, I'm unable to. I can ping the branch office LAN IP (192.168.1.1) from a device at the main office, just not any other device (all DHCP) that sits on that network. I did verify my tunnel settings have the bi-directional setting checked.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Mcdonaldb
    The issue is likely not the tunnel, as the ping reply would not be working otherwise. There's likely something else going on.

    I would suggest turning on logging for your BOVPN allow in / out policies -- if you do that, do you see logs in your traffic monitor for your pings that aren't traversing?

    (If you go into your policy, there is a checkbox that says "send log message" -- ensure this is on in order to see your allow logs.)

    -James Carson
    WatchGuard Customer Support

  • Look at Traffic Monitor at the branch firewall.
    Looks to me that you don't have a policy at the branch allowing access to the branch trusted subnet.
    If so, you should see denies for access attempts from the main office subnet.

  • Bruce, is this something that is typically automatically configured when the tunnel is setup, or something you have as an extra step?

  • In the Tunnel setup, there is this option: "Add this tunnel to the BOVPN-Allow policies" check box.
    If it is not selected, then a policy will not be automatically created.
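The thread's diagnosis comes down to two separate things that both have to be in place: the tunnel route (which is fine, since the branch firewall's own LAN IP answers pings) and a firewall policy on the receiving side that allows the remote subnet into the local trusted network (which is missing at the branch if the "Add this tunnel to the BOVPN-Allow policies" box was left unchecked). The following added example is a toy model of that evaluation in Python; it is not WatchGuard's code or a reproduction of Fireware's policy engine. The subnets are the ones from the post, the policy names follow the BOVPN-Allow.in / BOVPN-Allow.out convention the thread mentions, and everything else (the data structures, a generic "Outgoing" allow policy at the branch, treating packets to the firewall's own LAN IP as handled separately) is an assumption made to reproduce the symptom described.

```python
"""Toy model of BOVPN reachability: tunnel route + policy on each side.

Added example, not WatchGuard code. Subnets come from the forum post;
policy names mirror the BOVPN-Allow.in/.out convention; the evaluation
order and the generic "Outgoing" policy are simplifying assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")    # main office (from the post)
BRANCH_LAN = ipaddress.ip_network("192.168.1.0/24")  # branch office (from the post)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Policy:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str = "allow"


@dataclass
class Firewall:
    name: str
    lan: ipaddress.IPv4Network
    lan_ip: ipaddress.IPv4Address
    tunnel_routes: list = field(default_factory=list)  # remote subnets reachable over the BOVPN
    policies: list = field(default_factory=list)       # evaluated top to bottom, first match wins

    def evaluate(self, src, dst):
        """Return (action, reason) for one packet arriving at this firewall.

        Assumption: traffic addressed to the firewall's own LAN IP is handled
        by the device itself, which is why the branch LAN IP answers pings even
        when nothing behind it does. Everything forwarded needs a route AND a
        matching policy; with no match the packet is dropped as "Unhandled",
        which is what a deny in Traffic Monitor would show.
        """
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst == self.lan_ip:
            return ("allow", "to-firewall")
        if not (dst in self.lan or any(dst in r for r in self.tunnel_routes)):
            return ("deny", "no route")
        for p in self.policies:
            if src in p.src and dst in p.dst:
                return (p.action, p.name)
        return ("deny", "Unhandled")


def trace(path, src, dst):
    """Walk a packet through the firewalls in order; the first deny stops it."""
    hops = []
    for fw in path:
        action, reason = fw.evaluate(src, dst)
        hops.append((fw.name, action, reason))
        if action != "allow":
            break
    return hops


def add_bovpn_allow_policies(fw, remote):
    """What ticking "Add this tunnel to the BOVPN-Allow policies" does in this model."""
    fw.policies.insert(0, Policy("BOVPN-Allow.in", remote, fw.lan))
    fw.policies.insert(0, Policy("BOVPN-Allow.out", fw.lan, remote))


def build_site():
    """Constructed scenario: main has the BOVPN-Allow policies, branch does not."""
    main = Firewall("main-T80", MAIN_LAN, ipaddress.ip_address("192.168.0.1"), [BRANCH_LAN])
    branch = Firewall("branch-T80", BRANCH_LAN, ipaddress.ip_address("192.168.1.1"), [MAIN_LAN])
    add_bovpn_allow_policies(main, BRANCH_LAN)
    # Assumption: a generic outbound allow at the branch, so branch -> main still works.
    branch.policies.append(Policy("Outgoing", BRANCH_LAN, ANY))
    return main, branch


if __name__ == "__main__":
    main, branch = build_site()
    print("branch host -> main server:", trace([branch, main], "192.168.1.50", "192.168.0.10"))
    print("main host -> branch LAN IP: ", trace([main, branch], "192.168.0.10", "192.168.1.1"))
    print("main host -> branch host:   ", trace([main, branch], "192.168.0.10", "192.168.1.60"))
    add_bovpn_allow_policies(branch, MAIN_LAN)  # the fix suggested in the thread
    print("after adding policies:      ", trace([main, branch], "192.168.0.10", "192.168.1.60"))
```

Run as-is, the model reproduces all three observations from the post: branch to main is allowed, main to 192.168.1.1 is allowed because the firewall answers for itself, and main to a branch host is dropped at the branch firewall as "Unhandled" even though the main firewall's BOVPN-Allow.out passed it. Adding the BOVPN-Allow policies at the branch turns the last trace into an allow. The practical takeaway is the one Bruce gives: look for denies in the branch Traffic Monitor, because a tunnel being up says nothing about whether a policy lets the remote subnet in.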
