L2TP connection while active IPsec VPN

Hi Community,

I'm new to WatchGuard and also to the community and would like to start with a question about IPsec in combination with L2TP.
For a better understanding, I use fantasy IPs and names to better describe the problem.

We have two branches over here:

  • Branch A with a firebox and a public IP address of 1.1.1.1
  • Branch B with a firebox and public IP address 2.2.2.2

For branch A also L2TP Mobile Client VPN is configured --> reachable at vpn.address.com (using the same public IP address 1.1.1.1) where 10.10.10.0/24 is configured as internal subnet.
Clients which want to connect to the VPN receive an IP address within this subnet by the firebox.

Branch A and B are connected with each other via an IPsec VPN tunnel (using the IPs 1.1.1.1 and 2.2.2.2 for Phase 1 of the IPsec VPN) for other business cases.
The access on both sides of the VPN to the different subnets is working well.

Now a client of branch B needs to connect to the L2TP subnet of branch A. I think a possible way to realize this, is to make sure that the client doesn't use the IPSec VPN but using the public internet connection to reach 10.10.10.0/24 while connecting to vpn.address.com. As the external interface (internet) is using the same IP 1.1.1.1 as the VPN (vpn.address.com) I'm not sure on how to configure this without disturbing the communication on the part of the IPSec VPN.

Do you guys get what I'm talking about and do you have an idea on how to configure this properly?

Path the connection should take (in my opinion):
Client of Branch B: 192.168.10.10 --> connect to vpn.address.com --> establish connection to vpn.address.com: 1.1.1.1 trough the internet --> forward the client request to 10.10.10.0/24 --> receive an IP address within this subnet --> connected

If it's possible to share a screenshot with you I can also sketch it for you.

Thank you very much.

Regards,
Chriz

Comments

  • You can connect via the BOVPN
    The BOVPN setup needs to include the L2TP subnet in the Local/Remote settings at each end for this to work
  • edited June 2019

    Hi Bruce,

    thank you for the feedback.
    You mean it should work by using the IPsec VPN for the connection establishment, correct?
    I tried this but it doesn't work so far: I added the subnets on both sides of the VPN within the phase 2 settings:

    Branch A: 10.10.10.0/24 (L2TP subnet) <=> 192.168.10.10/24 (internal subnet Branch B )
    Branch B: 192.168.10.10/24 <=> 10.10.10.0/24

    All other subnets I added within the address configuration of the IPSec VPN are working properly.

    Thank you.

    Regards,
    Chr1z

  • edited June 2019

    "Branch A and B are connected with each other via an IPsec VPN tunnel"
    Is this is a Branch Office VPN (BOVPN) or a client IPSec connection ?
    If a client IPSec connection, why not switch to a BOVPN Branch Office VPN, where this will clearly work.

    And if you set up a L2TP connection to allow the L2TP to Branch B, you would need a split tunnel setup on the client IPSec connection at Branch B to allow a connection to 192.168.10.10

Sign In to comment.