
I have established a BOVPN (branch office VPN) between my 2

Customer Question

Hello,
I have established a BOVPN (branch office VPN) between my 2 WatchGuard XTM series Fireboxes. However, I cannot seem to get the traffic to flow through the tunnel. Please let me know what I need to do in order to send traffic through the tunnel.
Submitted: 1 year ago.
Category: Networking
Expert:  Pete replied 1 year ago.

Hi there,

Have you restarted the Watchguard boxes at each end?

Can you ping from one site to the other?

Customer: replied 1 year ago.

Yes, many times. I also tried to create the virtual interface I had seen in the guides, but nothing. The traffic all still goes out through the normal gateway and not through the tunnel.

Expert:  Pete replied 1 year ago.

Ok, let me open this question up to the other experts for you...

Expert:  derrickonline replied 1 year ago.

Pete:

I'm going to jump in as I've worked with these boxes in the past. These are some of the easier boxes to work with. I'm not sure I totally understand what your issue is. Are you simply stating devices in site "A" cannot communicate with devices in site "B"?

If this is the case it would be easier if we set up a remote sharing session. This does cost more money however (not my rules). Once I can see both boxes and how they're configured I'm confident we can get this squared away. Let me know if you'd like to proceed.

Customer: replied 1 year ago.

I wish I could. However, it is a medical client and I can't bring anyone else in. I can give you an example IP structure so we can work through this.

Expert:  derrickonline replied 1 year ago.

HIPAA, I get it. Sure, give me a sample IP structure and let's see if we can't work it out!

Customer: replied 1 year ago.

Site A                      Site B
Ext GW: 96.97.222.172       Ext GW: 65.66.121.177
                  Tunnel
10.1.170.0/24               10.1.191.0/24

Expert:  derrickonline replied 1 year ago.

Pete:

That's not super helpful, can you grab the configuration reports and if you don't want to provide them to me, at least review them and tell me if you see any errors? If you're not sure how to get those reports, see below.

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#en-US/bovpn/manual/bovpn_config_report_c.html

Customer: replied 1 year ago.

*** WG Diagnostic Report for Gateway "STARR-VPN-GW-1" ***
Created On: Wed Sep 9 23:14:30 2015

[Gateway Summary]
Gateway "STARR-VPN-GW-1" contains "1" gateway endpoint(s).
Gateway Endpoint #1 (name "STARR-VPN-GW-1")
Mode: Main PFS: Disabled AlwaysUP: Disabled
DPD: Enabled Keepalive: Enabled
Local ID<->Remote ID: {IP_ADDR(95.66.161.100) <-> IP_ADDR(67.77.172.27)}
Local GW_IP<->Remote GW_IP: {95.66.161.100 <-> 67.77.172.27}
Outgoing Interface: eth0 (ifIndex=2)
ifMark=0x10000
linkStatus=2 (0:unknown, 1:down, 2:up)

[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway

Name: "STARR-VPN-Tun-1"
PFS: "Disabled" DH-Group: "2"
Number of Proposals: "1"
Proposal "ESP-AES-MD5"
ESP:
EncryptAlgo: "AES" KeyLen: "32(bytes)"
AuthAlgo: "MD5"
LifeTime: "28800(seconds)" LifeByte: "128000(kbytes)"
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"10.1.71.0/255.255.255.0<->10.1.191.0/255.255.255.0"

[Run-time Info (gateway IKE_SA)]
Name: "STARR-VPN-GW-1" (IfStatus: 0x80000002)
ISAKMP SAID: "0xc4372ec8" State: "SA Mature"
Created: Wed Sep 9 22:42:29 2015
My Address: 95.66.161.100:500 Peer Address: 67.77.172.27:500
InitCookie: "9a1b34a5bdec7e36" RespCookie: "4478460548f1954c"
LifeTime: "28797(seconds)" LifeByte: "0(kbtyes)" DPD: "Enabled"

[Run-time Info (tunnel IPSEC_SA)]
"3" IPSEC SA(s) are found
"INBOUND"
SPI: 0x68d78221 ISAKMP SA ID: 0xc4372ec8
Created on: Wed Sep 9 22:42:30 2015
Bytes Sent: "0" Packets Sent: "0"
Errors: replay: "0" replay_win: "0" integrity: "0" hw_ctx: "0"
HwCryptoCtx: currErr: "0" ctxState: "1"
Tunnel Endpoint: "67.77.172.27->95.66.161.100"
Tunnel Selector: "10.1.191.0/24 -> 10.1.71.0/24 Proto: ANY"
AUTH: "hmac(md5)" KeyLen: "16(bytes)"
CRYPT: "cbc(aes)" KeyLen: "32(bytes)"
Gateway Name: "STARR-VPN-GW-1"
Tunnel Name: "STARR-VPN-Tun-1"
Owner Id: "80B1031B3CA38"
IFMARK: "0x10000(2)" DPD: "Enabled"
Number of Rekeys: "0"
"OUTBOUND"
SPI: 0xb52633c7 ISAKMP SA ID: 0xc4372ec8
Created on: Wed Sep 9 22:42:30 2015
Bytes Sent: "0" Packets Sent: "0"
Errors: replay: "0" replay_win: "0" integrity: "0" hw_ctx: "0"
HwCryptoCtx: currErr: "0" ctxState: "1"
Tunnel Endpoint: "95.66.161.100->67.77.172.27"
Tunnel Selector: "10.1.71.0/24 -> 10.1.191.0/24 Proto: ANY"
AUTH: "hmac(md5)" KeyLen: "16(bytes)"
CRYPT: "cbc(aes)" KeyLen: "32(bytes)"
Gateway Name: "STARR-VPN-GW-1"
Tunnel Name: "STARR-VPN-Tun-1"
Owner Id: "80B1031B3CA38"
IFMARK: "0x10000(2)" DPD: "Enabled"
Number of Rekeys: "49"
"INBOUND"
SPI: 0x719122f9 ISAKMP SA ID: 0xc4372ec8
Created on: Wed Sep 9 22:41:51 2015
Bytes Sent: "0" Packets Sent: "0"
Errors: replay: "0" replay_win: "0" integrity: "0" hw_ctx: "0"
HwCryptoCtx: currErr: "0" ctxState: "1"
Tunnel Endpoint: "67.77.172.27->95.66.161.100"
Tunnel Selector: "10.1.191.0/24 -> 10.1.71.0/24 Proto: ANY"
AUTH: "hmac(md5)" KeyLen: "16(bytes)"
CRYPT: "cbc(aes)" KeyLen: "32(bytes)"
Gateway Name: "STARR-VPN-GW-1"
Tunnel Name: "STARR-VPN-Tun-1"
Owner Id: "80B1031B3CA38"
IFMARK: "0x10000(2)" DPD: "Enabled"
Number of Rekeys: "48"

[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found
#1
Tunnel Endpoint: "95.66.161.100->67.77.172.27"
Tunnel Selector: 10.1.71.0/24 -> 10.1.191.0/24 Proto: ANY
Created On: Tue Sep 1 14:33:52 2015
Gateway Name: "STARR-VPN-GW-1"
Tunnel Name: "STARR-VPN-Tun-1"

[Related Logs]
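
An added example, not part of the thread and not WatchGuard tooling: a short Python review of a BOVPN diagnostic report in the format posted above. It compares each IPsec SA's tunnel selector with the subnets the administrator expects, flags SAs that are established but have carried no packets, and notes an HMAC-MD5 proposal. The embedded text is an abbreviated excerpt of the report above, and the expected subnets are function arguments (here the ones from the customer's earlier post, which were described as an example structure).

```python
import ipaddress
import re

# Abbreviated excerpt of the report posted above (one inbound and one outbound SA).
REPORT = '''\
[Tunnel Summary]
Name: "STARR-VPN-Tun-1"
Proposal "ESP-AES-MD5"
[Run-time Info (tunnel IPSEC_SA)]
"INBOUND"
SPI: 0x68d78221 ISAKMP SA ID: 0xc4372ec8
Bytes Sent: "0" Packets Sent: "0"
Tunnel Selector: "10.1.191.0/24 -> 10.1.71.0/24 Proto: ANY"
"OUTBOUND"
SPI: 0xb52633c7 ISAKMP SA ID: 0xc4372ec8
Bytes Sent: "0" Packets Sent: "0"
Tunnel Selector: "10.1.71.0/24 -> 10.1.191.0/24 Proto: ANY"
'''

SA_RE = re.compile(
    r'"(INBOUND|OUTBOUND)"\s+SPI: (0x[0-9a-f]+).*?Packets Sent: "(\d+)".*?'
    r'Tunnel Selector: "(\S+) -> (\S+) Proto', re.S)

def parse_sas(report):
    """Return one dict per IPsec SA: direction, SPI, packet count, selector."""
    return [{"dir": d, "spi": spi, "packets": int(p),
             "src": ipaddress.ip_network(s), "dst": ipaddress.ip_network(t)}
            for d, spi, p, s, t in SA_RE.findall(report)]

def review(report, local_net, remote_net):
    """Compare negotiated selectors and counters with what the admin expects."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    findings = []
    for sa in parse_sas(report):
        # Outbound SAs protect local -> remote; inbound SAs the reverse.
        want = (local, remote) if sa["dir"] == "OUTBOUND" else (remote, local)
        if (sa["src"], sa["dst"]) != want:
            findings.append(f'{sa["spi"]}: selector {sa["src"]} -> {sa["dst"]} '
                            f'differs from expected {want[0]} -> {want[1]}')
        if sa["packets"] == 0:
            findings.append(f'{sa["spi"]}: SA is up but has carried 0 packets')
    if re.search(r'Proposal "[^"]*MD5"', report):
        findings.append("proposal authenticates with HMAC-MD5; prefer a SHA-2 HMAC")
    return findings

if __name__ == "__main__":
    print("\n".join(review(REPORT, "10.1.170.0/24", "10.1.191.0/24")))
```

Traffic is only sent into the tunnel when its source and destination match a negotiated selector, so a selector mismatch or a mature SA with zero packets narrows where to look next.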
