VPN on IP from Loopback Interface

Hello,

In our new topology our WatchGuard is behind two edge routers (with BGP) and is in charge of a /24 public network.
The connection to the edge routers is done over different public transfer networks.

Therefore we put the /24 on the loopback.
SNAT and DNAT work as expected.

Now I want to set up VPN (mobile or BOVPN) on those IPs. This does not seem to work because you can only select IPs from external interfaces.

How can this be done?

Thank you

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @frankl

    Most of the mobile VPNs will allow you to type in an IP address if the firewall doesn't know it, and specify a gateway ID that reflects the external IP.

    It'd help to know what specific VPN you're using, and if you're seeing any errors. Keep in mind that the upstream device(s) need to be forwarding that VPN traffic to the firebox, or the firebox won't be able to do anything with it.

    -James Carson
    WatchGuard Customer Support

  • All my attempts to solve this by using the loopback interface were futile.

    I did not find any way to use the loopback device, either by WSM, the web GUI or by editing the config XML. Every time the iked stalls, complaining about the wrong interface, or does not find the corresponding gateway.

    I ended up configuring the network as "usual", putting a gateway IP on the edge routers and there within a VRR.

    This is by far more logic on the edge routers than I want to have, but it seems that WatchGuard has no other possibility. WatchGuard, or at least the VPN part, may not be ready for this kind of redundancy and failover network topology.

    Prove me wrong.

  • james.carson Moderator, WatchGuard Representative

    Hi @frankl I'd suggest opening a support case. It's very difficult to troubleshoot issues like this without seeing the logs from the firewall or being able to see what traffic is making it to the firewall.

    You can create a support case by clicking the support center link at the top right of this page.

    -James Carson
    WatchGuard Customer Support
