Options

Devices Behind BOVPN Not Able To Be Accessed By Other BOVPN/SSL VPN Users

WebbyZWebbyZ
in Firebox - VPN Branch Office

Hello all.

We have a M200 Box running v12.5.2 and we now have basically all users working remotely due to COVID-19.

Our main network (yes I know it isn't the best subnet range) is on 192.168.1.0/24 and we have 5 BOVPN Tunnels that are located at 192.168.4.0/24, 192.168.8.0/24, 192.168.12.0/24, 192.168.16.0/24 and 192.168.20.0/24.

I am currently behind the 20.x tunnel and I have a few devices that I would like to have people that are logged into the SSL VPN be able to access.

The SSL VPN Pool is at 192.168.113.0/24

No matter what I do, I cannot get any clients from the SSL VPN tunnel to be able to access anything behind any of the BOVPN Tunnels. I figure this is likely configuration related but I am not sure what to do.

Additionally, everyone can access the 192.168.1.0/24 network just fine. But even BOVPN Tunnel users cannot connect to devices behind other BOVPN Tunnels.

I did log into one of our servers on the 1.x network and I can get to anything that I want behind any BOVPN tunnel.

Just looking for some help on what I might be doing wrong here. Any help is appreciated.

Comments

  • Options
    BrianSteingraberBrianSteingraber

    With your main network on the 192.168.1.x range and many home users on that range, you may need to implement some NAT. WatchGuard has some existing education material on how to do this in the BOVPN scenario. The SSL-VPN scenario may be similar. Recommend opening a WG Support ticket.

  • Options
    Bruce_BriggsBruce_Briggs

    At any site, the BOVPN Tunnel entries need to include all remote subnets that need to access that site and all subnets that need to access a remote site.
    And the Tunnel entries at each end need to reflect the Tunnel settings at the other end.
    On the 192.168.1.0/24 end, you need to add a Tunnel entry for the tunnel to the .20 firewall for Local = 192.168.113.0/24 Remote = 192.168.20.0/24
    Do the reverse at the 192.168.20.0/24 end.

  • Options
    WebbyZWebbyZ

    @BrianSteingraber I know that some users have had issues but I have had them change their range at home to something like 192.168.200.0/24 so that they can at least connect to the 1.x network. Do you have a reference point to that documentation? I didn't see it, or at least maybe I wasn't searching for the right thing.

  • Options
    Bruce_BriggsBruce_Briggs
    edited April 2020

    Here is an article on this:
    Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/manual_bovpn_via_sslvpn_c.html

  • Options
    WebbyZWebbyZ

    @Bruce_Briggs I think that it what it is!

    I am working through this but I was able to get traffic form SSL VPN to my BOVPN.

    I have some older Cisco RV180 Routers that are being used and I am just working on setting up the proper routes on those, but this is off to a good start.

    Thanks!!

Sign In to comment.