Site To Site VPN Behind Existing Firewall
I want to be able to easily configure a way for home users to access the network in my office where I already have a Watchguard Firewall.
The goal for me is to potentially have a Firewalla behind my main Watchguard which would be a VPN Server and nothing else. (I do not need the other features of the Firewalla).
Then ideally I would give home users a Red or Blue and have them set it up at home behind their router. To add to this, I don't want to have to see traffic on their LAN at home, so potentially I would have a basic router that would be sitting behind their existing one to segment their LAN from the LAN which the Firewalla would be on. Both corporate laptop and VOIP SIP phone on the secondary LAN. Is this even feasible?
As mentioned, I don't want to have to explain the purpose of the Firewalla that might be on a user's home LAN, nor do I care about their devices/usage in their network. By putting a Firewalla behind a secondary router the hope would be to just be able to see devices on that secondary LAN.
-
The WatchGuard allows OpenVPN connections via the SSL VPN. I've tested it and it works, but I was not able to go from the WatchGuard back to the Firewalla Gold. I decided to install IKEv2 via StrongSwan on my Firewalla and have it VPN into the WatchGuard at work. I can see all devices at work, but have not had the time to mess with Work -> Firewalla Gold. This is a production firewall that is the central hub for 2 other branches and about 30 other remote VPN users, so it can't go down because I'm messing around with it. You should be able to do it with OpenVPN, but if not, then IKEv2 would work with some testing.
-
Here is what I have done so far...
Main Office LAN (Watchguard): 10.10.10.x/23 / SNAT to Firewalla Blue+ for VPN
Office Firewalla Blue+ (On Main VLAN) : LAN 10.10.10.150 / Overlay 192.168.100.1 / Limited Mode
OpenVPN Network (On Firewalla Blue+): 10.102.90.1/24
Remote Firewalla Red: LAN 192.168.99.1 / Overlay 192.168.200.1 / DHCP Mode
I have the Blue+ set up as the Site-To-Site VPN Server and I can connect from the Red just fine when I assign clients to the VPN. However, I have one HUGE issue that I can't figure out.
I have a Polycom SIP Phone that is able to register to the SIP Server, but the calls are failing to go through. I have struggled getting SIP to work over SNAT on the Watchguard in the past and the only way it has worked is through the BOVPN Site-To-Site in Watchguard.
I feel like I am on the cusp of this working as the VOIP Phone is a deal breaker if I can't get it working.
Any ideas on what might be causing the calls to fail?
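One thing worth checking in a setup like the one above, added here as an example and not part of the original thread: SIP carries addresses inside its own headers and SDP body, and a plain SNAT (the WatchGuard's, or a NAT on the VPN path) rewrites only the IP header. REGISTER still works, because the server only needs to answer over the same NAT mapping the request arrived on, but on an INVITE the server reads the phone's LAN address from Via, Contact and the SDP c= line and tries to send signalling and RTP there, so calls set up and then fail. The script below is illustrative Python I wrote for this thread; it parses a constructed INVITE (the 192.168.99.50 phone address and the SIP server address are made up, 10.10.10.150 is the Blue+ address from the post above) and lists every embedded address that differs from the source address the server actually observes. Whether this is the cause in the poster's network is an assumption; it is one common reason for exactly this symptom.

```python
import ipaddress
import re

# Constructed sample INVITE, as a phone at 192.168.99.50 would send it before
# any NAT rewriting. All addresses here are made up for the example.
SAMPLE_INVITE = (
    "INVITE sip:2001@10.10.10.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.99.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@10.10.10.20>;tag=1928301774\r\n"
    "To: <sip:2001@10.10.10.20>\r\n"
    "Contact: <sip:1001@192.168.99.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 192.168.99.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.99.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_sip(msg):
    """Split a SIP message into (start line, headers, body).

    Headers are returned as {lowercase name: [values]} so repeated headers
    such as multiple Via lines are all kept.
    """
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def embedded_addresses(msg):
    """Return {field label: IPv4 address} for every place the SIP payload
    itself names an address: each Via, each Contact, and the SDP o= and c=
    lines. These are the fields a NAT does not touch unless a SIP ALG or
    STUN/outbound-proxy setup rewrites them.
    """
    _, headers, body = parse_sip(msg)
    found = {}
    for i, via in enumerate(headers.get("via", [])):
        m = re.search(r"SIP/2\.0/\w+\s+" + IPV4, via)
        if m:
            found[f"Via[{i}]"] = m.group(1)
    for i, contact in enumerate(headers.get("contact", [])):
        m = re.search(r"@" + IPV4, contact)
        if m:
            found[f"Contact[{i}]"] = m.group(1)
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            m = re.search(r"IN IP4 " + IPV4, line)
            if m:
                found["SDP " + line[:2]] = m.group(1)
    return found


def nat_risks(msg, observed_src):
    """Return {field label: address} for every embedded address that differs
    from the source address the far end sees on the wire. Each mismatch is a
    field the server will try to reply to (or stream RTP to) at an address
    it cannot reach through the NAT. The m= line's RTP port has the same
    problem for the media path, even though it carries no address.
    """
    seen = ipaddress.ip_address(observed_src)
    mismatches = {}
    for label, ip in embedded_addresses(msg).items():
        if ipaddress.ip_address(ip) != seen:
            mismatches[label] = ip
    return mismatches


if __name__ == "__main__":
    # Server sees the packet arrive from the SNAT address on the Blue+.
    for field, ip in nat_risks(SAMPLE_INVITE, "10.10.10.150").items():
        print(f"{field}: carries {ip}, server will reply there and fail")
```

If the function reports mismatches for your INVITEs (a capture on the server side of the VPN will show them), the fixes are the usual ones: route the phone's subnet over the tunnel without SNAT so the server reaches 192.168.99.x directly (which is why the BOVPN site-to-site worked before), or have the phone use STUN or an outbound proxy so it writes reachable addresses into its own messages. Enabling a SIP ALG on the NAT device is the third option, but ALGs are a frequent source of their own call failures.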