IKE VPN with AuthPoint RADIUS in remote office.

Hello,
We are trying to set up IKE VPN in one of our branch offices. It needs to leverage our RADIUS server for AuthPoint that is located in our home office and connected to the branch network over BOVPN. Watching the traffic, the packets seem to get to the RADIUS and it responds, but that never seems to arrive back at the branch WatchGuard in order to trigger the AuthPoint push.
We have IKE set up in three of our locations, but those all have their own RADIUS servers local to their branch. This is the first one where we've tried to leverage a RADIUS server that was remote from the terminating WG.

I would appreciate direction on what we might be missing.

Comments

  • Do you use policy based vpn (GW&Tunnel) or route based vpn (BOVPN Virtual Interface) config?
  • Route based BOVPN

  • If you are using BOVPN Vif configuration, try to configure in the branch office BOVPN Vif config a free IP address from your branch office network as a Virtual IP.

    BOVPN Vif / VPN Routes / Assign virtual interface IP addresses config.

    Firebox is now using this address when it is connecting to the remote radius server through the VPN tunnel. Configure also this virtual IP as the radius client in the NPS server.

    Without this virtual IP config the firebox is using its external IP as the source IP when trying to connect to the radius server...
  • edited June 2

    @kimmo.pohjoisaho said:
    ... firebox is using its external IP as the source IP when trying to connect to the radius server...

    We did know this and made rules to allow but that hasn't worked.
    Thank you for your assistance.

  • Using the VIP worked great!
    Thank you for your help.

  • edited June 2

    If you hit this post with the same problem.
    In the BOVPN under the VPN Routes section at the bottom, you enable the Virtual IP.
    The first IP is a local IP to that Watchguard Network (i.e. 192.168.2.200)
    The Peer IP is a local IP for the remote network (i.e. 192.168.3.200)
    On the remote Watchguard under the BOVPN, reverse the 2 IPs.
    i.e. On remote BOVPN Local is 192.168.3.200 and the Peer IP is 192.168.2.200.
    This will allow the Watchguard to talk to the remote network via the Peer IP and vice versa.

    Thank you big time @kimmo.pohjoisaho

  • It’s enough that you configure an IP and mask (for example, a free IP from your local network) in the branch office Firebox BOVPN Vif config,
    when the Firebox is locally managed.

    If the Firebox is a cloud-managed device then you need to give both local and remote Virtual IP in the VPN config in the WG cloud.
    But you don’t really need to configure the Virtual IP in the remote Firebox VPN config...
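The thread's fix comes down to which source address the RADIUS request carries, because NPS sends its reply back to that address and an external IP is not routed into the tunnel. The following is an added example, not code from the thread or from WatchGuard: a minimal RADIUS Access-Request probe (RFC 2865) that binds to a chosen source address, so you can run it from a branch host that NPS already knows as a RADIUS client and see whether a reply comes back over the tunnel with a valid Response Authenticator. The addresses and shared secret are placeholders.

```python
import hashlib, os, socket, struct
# Constructed placeholders: branch host address (registered on NPS as a RADIUS client), NPS address, shared secret
SOURCE_IP, NPS_IP, SECRET = "192.168.2.200", "192.168.3.10", b"placeholder-secret"

def attr(kind, value):  # one RADIUS attribute: Type, Length (incl. header), Value
    return struct.pack("!BB", kind, len(value) + 2) + value

def encrypt_password(password, secret, authenticator):  # RFC 2865 5.2 User-Password hiding
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))  # chain on the ciphertext block
        out += prev
    return out

def decrypt_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident=1, authenticator=None, nas_ip=SOURCE_IP):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user) + attr(2, encrypt_password(password, secret, authenticator))
             + attr(4, socket.inet_aton(nas_ip)))  # User-Name, User-Password, NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_reply(code, ident, req_auth, secret, attrs=b""):  # server side, to exercise the check offline
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def response_valid(resp, secret, req_auth):  # Response Auth = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)
    if len(resp) < 20 or len(resp) != struct.unpack("!H", resp[2:4])[0]: return False
    return hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest() == resp[4:20]

def probe(user=b"vpn-test", password=b"test", timeout=5.0):  # (code, auth ok) or None on silence
    pkt, req_auth = build_access_request(user, password, SECRET)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((SOURCE_IP, 0))  # the source address decides where NPS sends the reply
        s.settimeout(timeout)
        s.sendto(pkt, (NPS_IP, 1812))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:  # NPS silently drops unknown client IPs; or the reply is not routed into the tunnel
            return None
    return resp[0], response_valid(resp, SECRET, req_auth)
```

A return of `(2, True)` or `(3, True)` (Access-Accept or Access-Reject with a good authenticator) proves the tunnel path and the client registration; `None` means either NPS does not list the source IP as a client or the reply went somewhere else, which is exactly the symptom described in the original question.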
