Dose the Watchguard need legal IP to establish the site to site VPN

I have a WatchGuard and i did established a site to site VPN while the ISP modem not in Bridge mode, and my WatchGuard is getting private IP address, and its working now
My Question is
Dose the WatchGuard need legal IP to establish the site to site VPN ?
IS this going to cause issues for me ?

Thanks

Comments

  • With legal ip, do you mean public ip?

  • ikeV2 can native run vpn behind NAT

  • As can IPSec - both can work in your setup.

  • edited October 2021

    @Bruce_Briggs @rv@kaufmann.dk my site to site VPN keep go down, and we have to restart the Watchguard to make it work.
    The Watchguard is still up, and can reach the internet only the site to site VPN go down from time to time and the only solution to fix this issue is to restart the watchguard.
    I have another site was having the same issue and i just changed the ISP modem to Bridge mode and after that the problem solved, this is why i was wondering if it should be a with ISP modem Bridge mode
    But because i have other systems using the modem i cant change the ISP modem to Bridge mode
    Any suggestions here ?

  • If you have an active LiveSecurity license, you should open a support incident to get help from a WG rep to get this resolved.

    What firewall model do you have and what software (Fireware) version is it running?
    What is at the other end of the BOVPN?

    Have you tried rekeying the VPN tunnel at either end?

    Anything to help understand this in Traffic Monitor?

    You can turn on diagnostic logging for IKE which may show something to help in Traffic Monitor:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Logging -> Settings
    Set the slider to Information or higher

    Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.

    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

  • @Bruce_Briggs unfortunately i dont have support contract as i am using an old modem T10 W
    And the other end is Watchguard as well
    tried rekeying the VPN tunnel from the Headoffice with no luck

  • edited October 2021

    If your T10 is getting a private IP from your ISP router, then I recommend setting the T10's WAN IP statically with the assigned private IP, then in the ISP router, put that private IP address into the ISP router's DMZ. That is almost as good as being in bridge mode because all external traffic is directed to the WAN IP of the T10 despite it being a private IP. When checking its WAN IP at https://www.myip.com/ or a similar site, that will show the public WAN IP address of the ISP router, and that is what should be used in the BOVPN...I think. It works for SSLVPN and IKEv2 VPN.

    Gregg Hill

Sign In to comment.