How to Static Route through BOVPN
We have a primary site that accesses a 3rd party data center through an onsite Cisco router provided by the 3rd party. On the Firebox at this location, I have a static route that sends all traffic destined for any IP in that data center (we'll say 24.25.26.0/22) to the internal IP address of their router (198.168.100.2). This is the interface attached to my Firebox. From there, their router routes traffic to the appropriate IP address inside their data center. This is working fine for the primary site across all VLANs.
My question is, how do I do this from a remote office connected via BOVPN? I have a tunnel setup on the BOVPN that allows traffic from my internal IP network to the network that exists between the Cisco router and the Firebox at the primary site. I have set up static routes on the branch office Firebox as "Route To: 24.25.26.0/22 | Gateway: 198.168.100.2".
However, when I do a TraceRT from a PC behind the branch office Firebox it sends the traffic out onto the Internet instead of routing it across the BOVPN to their Cisco router.
I hope that makes sense, please ask any clarifying questions if not.
Thanks
Comments
A visual representation of what I'm wanting to achieve. How do I get traffic from the "Network at Branch Location" to route to an IP in the 24.25.26.0/22 network going through the BOVPN?
Add the remote subnet (24.25.26.0/22) to the BOVPN Tunnel Local/Remote entries at each end.
Hi @MattB
You'll need to use tunnel switching.
See:
(Branch Office VPN Tunnel Switching)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_tunnel_switching_summary_wsm.html
Basically, the middle device ("network at primary location") needs to have tunnel routes for whatever network the Branch location going to the remote cisco device, and back.
Pretending the branch site is 10.0.0.0/24 as an example. (I'm also just going to assume that anything not noted is a /24, feel free to replace with the correct IPs/Subnets)
Remote "Cisco" site would need to have tunnel routes for both networks going to the primary location:
24.25.26.0/22 <--> 192.168.100.0/24
24.25.26.0/22 <--> 10.0.0.0/24
The Primary location would have two BOVPN gateways/tunnels
The tunnel going to the Cisco device:
192.168.100.0.24 <--> 24.25.26.0/22
10.0.0.0/24 <--> 24.25.26.0/22
The tunnel going to the branch device:
192.168.100.0/24 <--> 10.0.0.0/24
24.25.26.0/22 <--> 10.0.0.0/24.
The Branch location would have a single BOVPN gateway with the following tunnel:
10.0.0.0/24 <--> 192.168.100.0/24
10.0.0.0/24 <--> 24.25.26.0/22
Note: If there is any way to have the Branch location connect directly to the remote Cisco site, this will almost always work better. Switching thru the "primary" site will induce additional latency, will very likely slow the connection down due to the extra distance, and if any part of the two tunnel chain goes down, the Cisco site and the Branch site will not be able to talk to each other.
-James Carson
WatchGuard Customer Support
Thank you! The tunnel into the network behind the Cisco router was the part I was missing. Once I did that I was able to sent traffic from the remote network into the 3rd party data center.