VPN over 2 Watchguards, for Manufacturersupport

Hello, I am really new to the whole firewall story. So please be kind.

ALL IPS ARE JUST FOR EXAMPLE

First of all, I will try to describe the desired goal.
I got the specification to enable a Mobile-VPN to the T15 Firebox which is behind our main 670 Firebox in a VLAN only for the T15's (yes there will be more in the future when this one is working). The settings on the main one are...

  1. SNAT
    from the external IP 123.123.123.123 to the internal IP 172.30.5.1:500
  2. Firewall-Policy
    from Any-external (can be changed to the IP of the manufacturer afterwards) to the SNAT-policy with a Highport: 30506

On the T15
  1. Configured the IKEv2 VPN
    Firebox address is the 172.30.5.1
  2. Downloaded the client VPN file and changed the VPN server IP to the 123.123.123.123

The VPN is not working from the Windows 10 test client.
I can't even see traffic going to the main Firebox 670.

Do you have any idea where the problem is, or do you have a better solution?

Thank you all for your help!

Comments

  •

    There is a default Built-in IPSec Policy in Fireware - so the 670 firewall is handling the IKEv2 VPN session attempt.

    You need to disable the Built-in IPSec Policy, in order for IPSec to be able to be forwarded to the internal T15.

    See the "Disable or Enable the Built-in IPSec Policy" section here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html

    And you need to use an IPSec policy on the external firewall to allow this traffic through to the T15.

    Alternatively you could use the SSLVPN client, which would be easier to get through the external firewall.
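To check whether the outer Firebox is really forwarding IKE to the T15 or answering the client itself (the built-in IPSec policy behaviour described above), you can correlate packet captures from the external interface and the T15 VLAN interface. This is an added example, not from the thread or from WatchGuard; it assumes captures in tcpdump's default "IP src.port > dst.port:" text form, uses the thread's example addresses, and the client address 198.51.100.7 and the sample lines are constructed.

```python
"""Correlate IKE packets (UDP 500 / 4500) seen on the outer Firebox's
external capture and on its T15-VLAN capture, and report whether the
outer box forwards them to the inner T15 or terminates them itself.
Assumption: tcpdump-style lines of the form 'IP src.port > dst.port: ...'."""
import re

PUBLIC_IP = "123.123.123.123"   # external address on the M670 (thread's example)
INNER_T15 = "172.30.5.1"        # SNAT target, the T15 (thread's example)
IKE_PORTS = {500, 4500}         # IKEv2 and NAT-T UDP ports (assumed)

# Matches e.g. "IP 198.51.100.7.500 > 123.123.123.123.500:" in tcpdump output.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def ike_flows(lines):
    """Yield (src_ip, dst_ip, dst_port) for every IKE packet in capture text."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport in IKE_PORTS or sport in IKE_PORTS:
            yield src, dst, dport

def diagnose(external_capture, vlan_capture):
    """Compare IKE packets hitting the public IP with what the VLAN side sees.
    Returns 'forwarded', 'terminated_on_outer' or 'no_ike_seen'."""
    inbound = [f for f in ike_flows(external_capture) if f[1] == PUBLIC_IP]
    if not inbound:
        return "no_ike_seen"          # nothing reached the outer box: look at client/upstream
    to_t15 = [f for f in ike_flows(vlan_capture) if f[1] == INNER_T15]
    if to_t15:
        return "forwarded"            # SNAT and policy are passing IKE to the T15
    return "terminated_on_outer"      # outer box replied itself: built-in IPSec policy active

# Constructed sample captures for the thread's scenario (not real traffic).
EXTERNAL = [
    "10:01:02.100000 IP 198.51.100.7.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]",
    "10:01:02.104000 IP 123.123.123.123.500 > 198.51.100.7.500: isakmp: parent_sa ikev2_init[R]",
]
VLAN_NO_FORWARD = []  # nothing toward 172.30.5.1: the M670 handled IKE itself
VLAN_FORWARDED = [
    "10:01:02.101000 IP 198.51.100.7.500 > 172.30.5.1.500: isakmp: parent_sa ikev2_init[I]",
]

if __name__ == "__main__":
    print(diagnose(EXTERNAL, VLAN_NO_FORWARD))  # terminated_on_outer
    print(diagnose(EXTERNAL, VLAN_FORWARDED))   # forwarded
```

Feed it the two captures taken at the same time; an inbound IKE packet on the external side with no matching packet toward 172.30.5.1 points at the outer box terminating the session rather than at the SNAT rule.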

  •

    Thank you very much @Bruce_Briggs. I will try the second option with the SSLVPN, because I don't want to mess up the IKEv2 for our employees.
    I will tell you if it worked afterwards!
    Have a good day!

  •

    Do note that you can specify an alternate connection port for SSLVPN on the Advanced tab of the SSLVPN setup, which may make setting this up through your 650 easier.

    The remote user will then need to append that port after the connection IP addr in the SSLVPN client, such as
    123.123.123.123:4443
    with 4443 being the alternate TCP port

  •
    edited February 2022

    Hey so the T15 VPN is up and working. The last Error was that I configured the Primary Interface for the VPN to the IP-address of the T15 and not to the IP of the external interface from the M670.
    Thank you Bruce for the help!
