Totally New Setup - VPN

Hi guys,
I have been tasked with setting up a VPN.
The idea is that users can access the internal network from the internet.
This firebox does a NAT to the ISP.
However, I am not sure if I am to use IKEv2 or SSL or the difference between them.
Also I tried configuring mobile VPN with SSL but the client cannot even reach the external ip of the firebox.
Can anyone assist me?
Thanks!

Comments

  • For the record, what firewall model do you have and what Fireware version is running on it?

    Does the firewall have a public IP addr on it?

    Is the SSLVPN client installed on the test PC?
    If so, was the client downloaded from the firewall?

    Is the SSLVPN connection attempt being tried from the Internet or from behind the firewall?

    What do you see in the SSLVPN client logs?

    What do you see in Traffic Monitor when the SSLVPN client tries to connect?

    Review this:
    Troubleshoot Mobile VPN with SSL
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_tshoot_c.html

  • edited March 2021

    For the record, what firewall model do you have and what Fireware version is running on it?

    M4600

    Does the firewall have a public IP addr on it?

    Public ip address is assigned via DHCP. Is there a way to check it?

    Is the SSLVPN client installed on the test PC?
    Yes. Mobile SSL with VPN client

    If so, was the client downloaded from the firewall?
    Yes. From the official website

    Is the SSLVPN connection attempt being tried from the Internet or from behind the firewall?

    It is tried from the internet. The next hop of the firebox is the ISP.

    What do you see in the SSLVPN client logs?
    I key in the external ip address. It is the first step and it fails to connect.

    What do you see in Traffic Monitor when the SSLVPN client tries to connect?
    I am sorry but how do you check this?

  • Fireware version?

    How do you look at Traffic Monitor?

    For SSLVPN client logs - Right click on the client icon in the System Tray.

  • What do you mean by "This firebox does an NAT to the ISP"?

    If you mean that your firewall is behind an ISP router that has NAT enabled, then your firewall likely would have a private IP on its Ext interface. You can see that in Firebox System Manager's Front Panel or via the web UI (which I almost never touch).

    If you have your firewall behind an ISP router and it's getting a private IP, you MAY be able to get the ISP to put their device into bridge mode. That would let your box get the real public IP and it's the better option. Barring that, set the ISP device to put the WAN IP of your firewall into the ISP router's DMZ, which will let all packets sent to the ISP router on its public IP go to the WatchGuard firewall's WAN interface.

    Gregg Hill

  • The big differences between SSLVPN and IKEv2 VPN are speed and accessibility. The IKEv2 VPN is noticeably faster than SSLVPN, but SSLVPN is more accessible due to using port 443 outbound by default, which almost no network blocks. Some hotels, etc., may block egress ports and kill IKEv2 VPN, but SSLVPN should still work. You can have both enabled at the same time.

    Gregg Hill
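The original poster's symptom is that the client "cannot even reach the external IP of the firebox". The script below is an added example, not part of this thread and not a WatchGuard tool: it probes the SSLVPN port (TCP 443, the Mobile VPN with SSL default) from the client side and separates "something answered but the port is closed" from "nothing answered at all", because those point at different fixes (SSLVPN not enabled or not forwarded versus an ISP device that NATs and drops inbound). IKEv2 runs over UDP 500 and UDP 4500 (NAT-T), which a plain connect() cannot verify, so it is only reported as a reminder; the loopback listener at the bottom is a stand-in for a Firebox so the probe can be exercised offline.

```python
import socket
from contextlib import closing

# Mobile VPN with SSL listens on TCP 443 by default. IKEv2 uses UDP 500 and
# UDP 4500 (NAT-T); UDP cannot be confirmed with a connect() probe, so only
# the TCP port is actually tested here.
SSLVPN_PORT = 443
IKEV2_UDP_PORTS = (500, 4500)


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port.

    'refused' means a host answered (the address is reachable, but nothing
    listens or nothing is forwarded on that port). 'timeout' means nothing
    answered at all, which behind a NATing ISP router usually means the
    packets never reached the Firebox WAN interface.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose_sslvpn(host, timeout=3.0):
    """Map the TCP 443 probe result to the next troubleshooting step."""
    status = probe_tcp(host, SSLVPN_PORT, timeout)
    advice = {
        "open": "TCP 443 is reachable; next look at the SSLVPN client log and "
                "Traffic Monitor for the authentication step.",
        "refused": "Host answers but 443 is closed: is Mobile VPN with SSL "
                   "enabled, and is the ISP device forwarding 443 to the "
                   "Firebox WAN interface?",
        "timeout": "No answer on 443: most likely the ISP device is doing NAT "
                   "and not forwarding inbound, or this is not the public IP.",
        "unreachable": "No route to host: check the address typed into the "
                       "client and the client's own Internet access.",
    }
    return status, advice[status]


def start_local_listener():
    """Loopback listener on an ephemeral port: a test stand-in for a Firebox."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def closed_local_port():
    """Return a loopback port that currently has no listener (for testing)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <external IP or DNS name of the Firebox>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    status, advice = diagnose_sslvpn(target)
    print(f"{target}:{SSLVPN_PORT} -> {status}: {advice}")
    print(f"IKEv2 needs UDP {IKEV2_UDP_PORTS} forwarded as well; "
          "verify those in Traffic Monitor, not with this probe.")
```

Run it from a machine on the Internet, not from behind the Firebox, since a hairpin test from the LAN says nothing about what the ISP device does with inbound traffic.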

  • @Greggmh123 said:
    What do you mean by "This firebox does an NAT to the ISP"?

    If you mean that your firewall is behind an ISP router that has NAT enabled, then your firewall likely would have a private IP on its Ext interface. You can see that in Firebox System Manager's Front Panel or via the web UI (which I almost never touch).

    If you have your firewall behind an ISP router and it's getting a private IP, you MAY be able to get the ISP to put their device into bridge mode. That would let your box get the real public IP and it's the better option. Barring that, set the ISP device to put the WAN IP of your firewall into the ISP router's DMZ, which will let all packets sent to the ISP router on its public IP go to the WatchGuard firewall's WAN interface.

    Hi,
    Let's put it this way.
    I plug a LAN cable in the ISP router. On the other end I put the WAN port of the firebox. It gets an ip address automatically. I did a ping to the internet and it works fine. How do I check the ip address assigned to the WAN interface of the firebox?

    The settings you mentioned on the ISP can be done in the default gateway? Or must I call them up to do it?

  • edited March 2021

    External IP addr:
    Web UI -> Dashboard -> Interfaces
    or WSM Firebox System Manager -> Front Panel - click on the + next to Interfaces

    If you have management access to your ISP device, then perhaps you can make the change yourself - otherwise you need to contact your ISP, IF the ISP device is doing NAT, to get a public IP addr on your firewall external interface.

  • Ok thanks noted. I will give it a try.

    If I want the WAN interface of the firebox to get a fixed IP address, it is done on the ISP side, right? Assuming that the ISP gives me a range of public IP addresses.

    Or must I liaise with the dynamic dns provider?

  • edited March 2021

    The issue is not a fixed IP addr - but a public IP addr.
    If your ISP device is doing NAT, then incoming to your firewall will not work without adding access rules to your ISP device and your firewall.

    SSLVPN will work to a DNS name (i.e. dynamic DNS solution - I use this) or to a fixed IP addr.

  • From what you described, your firewall likely would have a private IP on its Ext interface, which as Bruce noted, can be seen in the web UI or in WSM Firebox System Manager (my preference). That is NOT a deal-breaker. While getting the ISP to put their device into bridge mode is best, not all ISPs will do it.

    In the case of an ISP that won't do it, either request access to their device (which is your WatchGuard's gateway), or have them do it, and add your WAN IP to the ISP device's DMZ. You can use the current IP on your WAN interface Eth0 and set that statically in the WatchGuard config, then have them assign that IP to their DMZ, or do it yourself. Sometimes their password is on their device.

    You just need all inbound traffic to go to your firewall's WAN interface, regardless of what the ISP calls that access (DMZ, pin-hole, etc.).

    Gregg Hill

  • @Bruce_Briggs said:
    The issue is not a fixed IP addr - but a public IP addr.
    If your ISP device is doing NAT, then incoming to your firewall will not work without adding access rules to your ISP device and your firewall.

    SSLVPN will work to a DNS name (i.e. dynamic DNS solution - I use this) or to a fixed IP addr.

    Hi,
    I have a question on this fixed ip address thing.
    So I can configure a fixed IP address on my WatchGuard WAN interface even though my ISP gives me a dynamic public IP address range?

    Not exactly sure how this thing works.

  • @HowCanIHelpYou said:

    @Bruce_Briggs said:
    The issue is not a fixed IP addr - but a public IP addr.
    If your ISP device is doing NAT, then incoming to your firewall will not work without adding access rules to your ISP device and your firewall.

    SSLVPN will work to a DNS name (i.e. dynamic DNS solution - I use this) or to a fixed IP addr.

    Hi,
    I have a question on this fixed ip address thing.
    So I can configure a fixed IP address on my WatchGuard WAN interface even though my ISP gives me a dynamic public IP address range?

    Not exactly sure how this thing works.

    This comment is wrong: "So I can configure a fixed IP address on my WatchGuard WAN interface even though my ISP gives me a dynamic public IP address range?"

    If your ISP provides you with a PUBLIC dynamic IP address, that is what you have to use, you cannot just pick a static IP to use. As outlined before, it looks like you have a typical setup where THEIR device gets the PUBLIC dynamic IP address, and on the ISP device's LAN side (your WatchGuard's WAN side), it has a NAT private IP range with DHCP. Your firewall's WAN gets a private-range DHCP address in the ISP device's LAN, i.e., you are behind their device that is doing NAT. Now, that CAN work if you get into their device and put your WAN IP into their device's DMZ. You'll still be doing a bandage, but it works.

    The BEST thing would be to ask the ISP to put their device into bridge mode, which means YOUR firewall gets the PUBLIC dynamic IP from the ISP and their device passes all inbound traffic to your firewall without NAT.

    Gregg Hill

  • A correction to my "This comment is wrong" statement above. If you are referring to the PUBLIC IP address, then No, you cannot just set a public IP on your Firebox' WAN side.

    If you mean can you set a static PRIVATE IP on your Firebox' WAN side, yes, you can, and that IP would be in the LAN subnet of the ISP device if it were left in NAT mode and not in bridge mode.

    Go with bridge mode if at all possible. That way YOUR device gets the public IP address.

    Gregg Hill
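The two comments above come down to one check: look at the address on the Firebox WAN interface (Web UI -> Dashboard -> Interfaces) and decide whether an ISP device is NATing in front of it. The script below is an added example, not part of this thread and not WatchGuard code: it classifies the WAN address against the standard non-routable ranges (RFC 1918 private, RFC 6598 CGNAT, link-local, loopback), and optionally compares it with the address an outside "what is my IP" service reports, since a WAN IP that looks public can still sit behind a NAT. The sample addresses are constructed from the RFC 5737 documentation ranges and stand in for real ones.

```python
from ipaddress import ip_address, ip_network, IPv4Address

# Ranges that are never reachable from the Internet directly. If the Firebox
# WAN interface holds one of these, the ISP device is doing NAT in front of it
# and inbound VPN traffic will not arrive unless that device is put in bridge
# mode or forwards the VPN ports (DMZ / pin-hole) to the Firebox.
_NON_PUBLIC = (
    ("private (RFC 1918)", ip_network("10.0.0.0/8")),
    ("private (RFC 1918)", ip_network("172.16.0.0/12")),
    ("private (RFC 1918)", ip_network("192.168.0.0/16")),
    ("shared / CGNAT (RFC 6598)", ip_network("100.64.0.0/10")),
    ("link-local (RFC 3927)", ip_network("169.254.0.0/16")),
    ("loopback", ip_network("127.0.0.0/8")),
)


def classify_wan_ip(addr):
    """Label an IPv4 address as public or one of the non-routable ranges."""
    ip = ip_address(addr)
    if not isinstance(ip, IPv4Address):
        raise ValueError("this check covers IPv4 only")
    for label, net in _NON_PUBLIC:
        if ip in net:
            return label
    return "public"


def nat_in_front(wan_ip, observed_public_ip=None):
    """True if something between the Firebox and the Internet is doing NAT.

    observed_public_ip: the source address an external service sees for
    traffic leaving the site (what the VPN client would have to connect to).
    If it differs from the WAN address, there is a NAT even when the WAN
    address itself is public (e.g. CGNAT is excluded above, but a second
    public range on the ISP side is not).
    """
    if classify_wan_ip(wan_ip) != "public":
        return True
    if observed_public_ip is not None:
        return ip_address(observed_public_ip) != ip_address(wan_ip)
    return False


def recommend(wan_ip, observed_public_ip=None):
    """Turn the check into the action the thread recommends."""
    label = classify_wan_ip(wan_ip)
    if not nat_in_front(wan_ip, observed_public_ip):
        return (f"WAN {wan_ip} is {label}: only the Firebox policies matter; allow "
                "SSLVPN (TCP 443) and/or IKEv2 (UDP 500, UDP 4500) inbound.")
    return (f"WAN {wan_ip} is {label} behind an ISP NAT: ask the ISP for bridge "
            "mode, or set this WAN address static on the Firebox and put it in "
            "the ISP router's DMZ (or forward the VPN ports to it); point the "
            "VPN client at the ISP router's public IP or a Dynamic DNS name.")


if __name__ == "__main__":
    # Constructed inputs: a typical "Firebox behind ISP router" WAN address,
    # and the address an outside service would report for the site.
    print(recommend("192.168.1.50", "198.51.100.7"))
    print(recommend("198.51.100.7", "198.51.100.7"))
```

With the ISP device bridged the WAN address becomes the ISP's (usually dynamic) public address, which is where the Dynamic DNS setup discussed later in the thread comes in.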

  • Ok. That was what I was trying to ask.
    If I set the ISP router to bridge mode, will the firewall WAN interface get a public IP address at RANDOM?

    This is assuming that the ISP has a range of public addresses.

    If I set the ISP router to bridge mode (Layer 2, I assume), how can I make sure that the WatchGuard WAN interface gets a FIXED public IP address?

    Is the configuration to be done on the WatchGuard or ISP side?

    Thanks for the help.

  • edited April 2021

    The firewall will get whatever IP addr that your ISP setup gives it.
    For most, it will be a not-static IP addr, which may change periodically.
    I have an Internet connection from an ISP, and I don't have a static IP addr, however, my external IP addr rarely changes.

    When one has a dynamic public IP addr, one can set up Dynamic DNS on the firewall and with a Dynamic DNS provider.

    Configure Dynamic DNS
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dyndns_setup.html
