Loopback IP

Hello,
Can the loopback IP be part of the 192.168.114.0 or 192.168.113.0 networks?
These are used for MUVPN IKEv2 and SSLVPN.

Background
I have a Firebox without a trusted interface; it is used for BOVPN and MUVPN only.
It works as a VPN concentrator.
RADIUS traffic is intended to go through the BOVPN tunnel. It is sent through the tunnel, but the sender address is the public IP.

Deny xxx.x58.14.151 192.168.7.222 radius/udp 58277 1812 BovpnVif.V Firebox ip spoofing sites 110 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="110" rcvd_bytes="0" Traffic

Adding a loopback would be the easiest, without changes to the BOVPN tunnels.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Norman

    There isn't a way to use the loopback address for SSL or IKEv2 mobile VPNs.

    The "IP Spoofing Sites" designation is the firewall saying that it's seeing traffic on an interface that it didn't expect. If the external xxx.x58.14.151 IP isn't in the BOVPN's routes, you'll see the firewall drop that traffic.

    -James Carson
    WatchGuard Customer Support

  • edited February 17

    The "IP Spoofing Sites" is because the Firebox is sending RADIUS packets with its public IP instead of an internal IP suitable for that tunnel.
    E.g. 192.168.114.254 would be fine.

  • You need to add the external IP addr of the firewall in your BOVPN setup.

  • james.carson Moderator, WatchGuard Representative

    Alternatively, use the set source IP in a policy specific to that RADIUS traffic to set the source IP as something you already have a tunnel for.

    -James Carson
    WatchGuard Customer Support

  • @Bruce_Briggs said:
    You need to add the external IP addr of the firewall in your BOVPN setup.

    VPN route?

  • Yes, if you are using a Virtual Interface BOVPN.

    For the old style BOVPN, add it in the Local/Remote entries at each end.

    Or, use James Carson's method.

  • @james.carson said:
    Alternatively, use the set source IP in a policy specific to that RADIUS traffic to set the source IP as something you already have a tunnel for.

    I added a policy for port 1812 UDP on the RADIUS client side:
    Firebox to BOVPN tunnel,
    with set source IP to an IP within the VPN routes.

    But I still see the public IP in the log on the NPS server side.

  • The packet is coming from the firewall, not a RADIUS server.

    You can select the "Enable configuration of policies for traffic generated by the Firebox" check box, and then using manual order mode, you can move your RADIUS policy above the "Any from Firebox" generated policy, which might fix this.

    See the Traffic Generated by the Firebox section:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html

  • edited February 18

    Yes, the firewall is acting as a RADIUS client.
    The "Enable configuration of policies for traffic generated by the Firebox" check box
    moved my policy to the top on its own, but it is still sending out with its public IP.

    I see:
    Allow xxx.x58.14.151 192.168.7.222 radius/udp 41428 1812 Firebox BovpnVif.kraftfluss Allowed 158 64 (RADIUS-RFC-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.168.12.2" Traffic

    I also set "all traffic in this policy" to 192.168.12.2.

    src_ip_nat="192.168.12.2" Traffic

    I had to add 192.168.12.2 on the other Firebox and also edit the NPS.

    Now it works fine.

    Thank you both.
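The two traffic log lines quoted in this thread share the Firebox traffic log layout: positional fields (action, source, destination, service, ports, inbound and outbound interface, message, length, TTL, policy in parentheses) followed by quoted key="value" attributes. The following is an added example, not code from the thread or from WatchGuard: it parses that layout, reads `src_ip_nat` when the policy rewrites the source, and reports both the "ip spoofing sites" drop from the first post and any Firebox-generated RADIUS packet whose effective source is outside the tunnel's local routes. The sample lines are constructed copies of the ones above with the masked public IP replaced by the documentation address 203.0.113.151, and the tunnel route list 192.168.12.0/24 is an assumption (the thread only says 192.168.12.2 had to be added on the other end).

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed sample lines modelled on the two log entries quoted in the thread.
# The masked public IP "xxx.x58.14.151" is replaced with the documentation
# address 203.0.113.151 so that it parses as a real address.
SAMPLE_LOGS = [
    'Deny 203.0.113.151 192.168.7.222 radius/udp 58277 1812 BovpnVif.V Firebox '
    'ip spoofing sites 110 64 (Internal Policy) proc_id="firewall" rc="101" '
    'msg_id="3000-0148" flags="SR" duration="0" sent_pkts="1" rcvd_pkts="0" '
    'sent_bytes="110" rcvd_bytes="0" Traffic',
    'Allow 203.0.113.151 192.168.7.222 radius/udp 41428 1812 Firebox BovpnVif.kraftfluss '
    'Allowed 158 64 (RADIUS-RFC-00) proc_id="firewall" rc="100" msg_id="3000-0148" '
    'src_ip_nat="192.168.12.2" Traffic',
]

# Assumed local routes of the BOVPN virtual interface (hypothetical; the thread
# only states that 192.168.12.2 had to be added on the far end).
TUNNEL_LOCAL_ROUTES = [ipaddress.ip_network("192.168.12.0/24")]

# Positional part of the line, then the "(policy)" marker, then key="value" pairs.
LINE_RE = re.compile(
    r"^(?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<in_iface>\S+) (?P<out_iface>\S+) "
    r"(?P<msg>.*?) (?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)\s*"
    r"(?P<kv>.*?)\s*Traffic$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class TrafficRecord:
    action: str
    src: str
    dst: str
    service: str
    sport: int
    dport: int
    in_iface: str
    out_iface: str
    msg: str
    policy: str
    attrs: dict = field(default_factory=dict)


def parse_line(line):
    """Parse one Firebox traffic log line; return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return TrafficRecord(
        action=d["action"], src=d["src"], dst=d["dst"], service=d["service"],
        sport=int(d["sport"]), dport=int(d["dport"]),
        in_iface=d["in_iface"], out_iface=d["out_iface"],
        msg=d["msg"], policy=d["policy"],
        attrs=dict(KV_RE.findall(d["kv"])),
    )


def effective_source(rec):
    """src_ip_nat, when present, is the address the packet actually leaves with."""
    return ipaddress.ip_address(rec.attrs.get("src_ip_nat", rec.src))


def source_matches_tunnel(rec, local_routes):
    """True when the effective source falls inside one of the tunnel's local routes."""
    return any(effective_source(rec) in net for net in local_routes)


def audit(lines, local_routes):
    """Return (finding, address, policy) tuples for lines that need attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "ip spoofing sites" in rec.msg.lower():
            # The firewall dropped its own RADIUS packet: wrong source for the tunnel.
            findings.append(("spoof-drop", rec.src, rec.policy))
        elif rec.service.startswith("radius") and not source_matches_tunnel(rec, local_routes):
            # Allowed, but the source is still outside the tunnel routes; the far
            # end would drop or mis-route it.
            findings.append(("radius-src-outside-tunnel", str(effective_source(rec)), rec.policy))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS, TUNNEL_LOCAL_ROUTES):
        print(finding)
```

Running it against the two sample lines reports only the first one as a spoof drop; the second, with `src_ip_nat="192.168.12.2"`, passes because the rewritten source sits inside the assumed 192.168.12.0/24 route. Swapping in your own BOVPN local routes lets you confirm from the log alone that the "set source IP" policy is taking effect before touching the far-end Firebox or NPS.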
