FB700 --> Soho6tc, BOVPN, must setup quickly 1

Status
Not open for further replies.

jenlion

IS-IT--Management
Nov 13, 2001
215
The documentation for this stuff STINKS, by the way.

Running version 7 of the WG software on my FBIII 700 at main office. TONIGHT, I must learn to set up the soho 6 tc using BOVPN because tomorrow I ship it out of the country and Friday I follow it to set it up for real. So I hope someone can point me in the right direction.

There's IPSEC, but this will be a pure WG network with one FBIII and 2 SOHO6tcs in different locations. All the documentation on the SOHO end, however, is for manual ipsecs. Tried following their ipsec instructions but it just doesn't work. Maybe I shouldn't have gone to v7, dunno.

What is the easiest way to set this up that will also give me a great deal of control over what the remote networks can have access to?

Thanks for any help here.
 
jenlion

At least there's no pressure then ;-)

I agree that the Watchguard documentation needs some more thought and can be confusing in areas where there are several ways of doing things (VPN's for example).

Anyway, what you want to do is pretty straight forward and Version 7 of the software IMHO is the most stable/complete yet.

Here's what to do:

Firstly, you don't need to get bogged down with the manual IPSEC stuff as this is generally for interoperability with non Watchguard appliances. Instead, there are only two simple configuration areas you need to touch (one on the FB700 and one on the SOHO's).

Your FB700's will act as a 'hub' and the two SOHO's become the spokes for your setup.

So, the hub FB700 will be a server and will manage the VPN sessions of the IPSEC tunnels to all the appliances. Set this one up by going to the menu item Network>Branch Office VPN>Basic DVCP Server. Here you need to 'Add' a configuration for each of your SOHO's making sure here that they are assigned a different network range or there will be conflicts.

Now set up the spoke appliances for VPN use: On the SOHO's go to the 'Managed VPN' link and enter the address of the hub FB700 for the DVCP server together with EXACTLY the same details (shared key etc.) that you entered when configuring the FB700 earlier.

Now when the appliances are connected to the internet they should make contact with the hub FB700 which will tunnel to each device and away you go...

One last point is to enable the relevant services when the tunnels are up as you might have an active tunnel but with all traffic being blocked. In answer to your last question of controlling network access from the SOHO's, just open the config on the FB700 and create services based on whatever you need. You'll find a new alias has been created named 'dvcp_nets' and this represents the two SOHO's trusted networks. So, for example you might create an 'Any' service and 'allow' from 'trusted' to 'dvcp_nets' and vice versa. This service will open the SOHO network up completely with no restriction.

Finally, best advice as always is to keep your eyes glued to the traffic monitor and see what's going on. When the tunnels are up, you should see constant 'Keepalive' requests travelling to and from all the appliances.

Hope that gets you going.
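As an added illustration (not from the thread or from WatchGuard), the following Python model shows why the 'Any' service between 'trusted' and 'dvcp_nets' gives the spokes unrestricted access, and how defining a separate alias per SOHO network lets each spoke get its own narrower services. The alias names 'soho_a'/'soho_b', the address ranges and the port sets are assumptions; 'trusted', 'dvcp_nets' and 'Any' are the names used in the reply above.

```python
# Added example: a minimal model of alias-based firewall services, used to
# compare one wide-open 'Any' service against per-spoke least-privilege rules.
# It is not a WatchGuard configuration format; ranges and aliases are assumed.
from ipaddress import ip_address, ip_network

# Constructed address plan: the FB700 hub's trusted LAN plus two SOHO spokes.
# Each DVCP spoke must use a distinct range, as the reply above notes.
ALIASES = {
    "trusted": [ip_network("192.168.1.0/24")],   # hub trusted network (assumed)
    "soho_a": [ip_network("192.168.10.0/24")],   # first SOHO6tc (assumed)
    "soho_b": [ip_network("192.168.20.0/24")],   # second SOHO6tc (assumed)
    "Any": [ip_network("0.0.0.0/0")],
}
# 'dvcp_nets' represents all spoke trusted networks together.
ALIASES["dvcp_nets"] = ALIASES["soho_a"] + ALIASES["soho_b"]


def in_alias(alias, addr):
    """True if addr falls inside any network that the alias stands for."""
    return any(ip_address(addr) in net for net in ALIASES[alias])


def allowed(rules, src, dst, port):
    """First matching rule wins; default deny.

    rules: list of (from_alias, to_alias, ports) where ports is a set of
    TCP/UDP ports or None for every port (an 'Any' style service).
    """
    for frm, to, ports in rules:
        if in_alias(frm, src) and in_alias(to, dst) and (ports is None or port in ports):
            return True
    return False


# The 'Any' service from the reply: opens the spokes completely, both ways.
WIDE_OPEN = [("trusted", "dvcp_nets", None), ("dvcp_nets", "trusted", None)]

# Per-spoke services instead: spoke A reaches only mail/web on the hub,
# spoke B only file sharing, hub admins reach spoke hosts on one port,
# and nothing is opened spoke-to-spoke (assumed port sets).
PER_SPOKE = [
    ("soho_a", "trusted", {25, 80, 443}),
    ("soho_b", "trusted", {139, 445}),
    ("trusted", "dvcp_nets", {3389}),
]

if __name__ == "__main__":
    for name, rules in (("wide open", WIDE_OPEN), ("per spoke", PER_SPOKE)):
        print(name, "soho_a -> hub:445:", allowed(rules, "192.168.10.5", "192.168.1.10", 445))
```

The traffic monitor check the reply recommends applies either way: a tunnel that is up but with no service matching the traffic shows the packets being denied.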
 
I got it up finally late last night (around 3 am ;-)) Turned out to be something pretty simple that some other people on the watchguard site posting boards had had. Documentation just flat wasn't there. It's actually a very quick and easy process, once you know what you're doing. I didn't! :)

Wasn't sure about whether I needed the keepalive, I'll watch for that, thanks.

It seemed for a little bit that ipsec_users included the machines on the other end of the soho -- I had access to "any" through my ipsec_users rule, set up for MUVPN, which I found odd. So I'm pulling out my ipsec_users rules and adding back each user (fortunately I'm small and only have 3 muvpn users) and setting up separated dvcp rules, since there will be different access there.

Is there any way to give different rules to the different dvcp clients? I don't see it in there. Maybe it's documented somewhere... no, wait.....

Thanks for the response.
 
Hi jenlion,
So what you're saying is that having ipsec_users conflicted with dvcp_net in the "ANY" service? I am having a similar problem and am searching high and low.

BNutz
 