Configure Manual Branch Office VPN Tunnel Switching

When you connect two or more remote BOVPN tunnels to your network, you must configure tunnel switching if you want the computers on each remote network to exchange data. When you set up this feature, the Firebox decrypts packets sent from one VPN and sends the re-encrypted packets to their destination on the other VPN.

This document does not give detailed information on each setting in the BOVPN configuration dialog boxes, or the effects they may have on the tunnel that is built. If you want to know more about a particular setting, or about manual BOVPN tunnels in general, see About Manual Branch Office VPNs.

Tunnel Switching configurations require that you understand how to create a Manual Branch Office Virtual Private Network (Manual BOVPN).

BOVPN Tunnel Switching Scenario

In the following exercises, we configure tunnel switching for an XTM 530 at the Central Office, an XTM 23-W at Remote Office A, and an XTM 21 at Remote Office B. The diagram below shows the tunnel switching configuration in this example:

Network Diagram

Site 1 (Central Office) XTM 530

External interface IP address: 203.0.113.2/24

Default Gateway: 203.0.113.1

Trusted interface IP address: 10.10.10.1/24

Private network IP address: 10.10.10.0/24

Site 2 (Remote Office A) XTM 23-W

External interface IP address: 198.51.100.2/24

Default Gateway: 198.51.100.1

Trusted interface IP address: 172.16.20.1/24

Private network IP address: 172.16.20.0/24

Site 3 (Remote Office B) XTM 21

External interface IP address: 192.0.2.2/24

Default Gateway: 192.0.2.1

Trusted interface IP address: 192.168.30.1/24

Private network IP address: 192.168.30.0/24

This example describes how to configure the settings in Policy Manager. You can use Fireware Web UI to configure the same settings.

Overview

In this example, we demonstrate how to pass traffic from the trusted network of Remote Office A to the trusted network of Remote Office B without creating a third BOVPN tunnel between the two remote offices. This scenario is useful when you require control of network security at the Central Office, because you can apply policies to traffic between Sites A and B at the Central Office.

We also define the actual subnet of each trusted network at the respective locations rather than create a default route tunnel between the central office and the remote offices. This preserves the split tunnel of each location. We therefore try not to use the 0.0.0.0/0 route on our tunnels.

The external IP addresses used throughout this example are fictitious Public IP addresses. The default authentication and encryption of Phase 1 and Phase 2 IPSec proposals of the Fireboxes are used to set up the gateways and tunnels of the BOVPN.

Define the BOVPN Gateways

First, we configure the BOVPN gateways of Remote Office A, the Central Office and Remote Office B.

Define Remote Office A Gateway

On the XTM 23-W at Remote Office A, use Policy Manager to configure the BOVPN gateway of Tunnel A that connects to the Central Office.

  1. Select VPN > Branch Office Gateways.
    The Gateways dialog box appears.
  2. Click Add.
    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  4. In the Credential Method section of the General Settings tab, select Use Pre-Shared Key. Type the shared key in the adjacent text box.
  5. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the New Gateway Endpoints Settings dialog box, settings for the Remote Office A gateway that connects with the Central Office entered.

  1. In the Local Gateway section, select By IP Address.
  2. From the IP Address drop-down list, select the external IP address of the Firebox at Remote Office A, 198.51.100.2.
  3. From the External Interface drop-down list, select the primary external interface of the Central Office Firebox.
  4. In the Remote Gateway section, for Specify the remote gateway IP address, select Static IP address. In the adjacent text box, type the external IP address of the Central Office Firebox, 203.0.113.2.
  5. In the Specify the gateway ID for tunnel authentication section, select By IP Address. In the adjacent text box, type the external IP address of the Central Office Firebox, 203.0.113.2.
  6. Click OK to close the New Gateway Endpoints Settings dialog box.
    The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints.
  7. Click OK twice to close the New Gateway and Gateways dialog boxes.

Define Central Office Gateways

On the Central Office XTM 530, use Policy Manager to configure the gateway that connects with Remote Office A.

  1. Select VPN > Branch Office Gateways.
    The Gateways dialog box appears.
  2. Click Add.
    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  4. In the Credential Method area of the General Settings tab, select Use Pre-Shared Key. Type the shared key in the adjacent text box.
  5. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the New Gateway Endpoints Settings dialog box, settings for the Central Office gateway that connects with Remote Office A entered.

  1. In the Local Gateway section, select By IP Address.
  2. From the IP Address drop-down list, select the external IP address of the Central Office Firebox. For this example, select 203.0.113.2.
  3. From the External Interface drop-down list, select the primary external interface of the Central Office Firebox.
  4. In the Remote Gateway section, for Specify the remote gateway IP address, select Static IP address. In the adjacent text box, type the external IP address of the device at Remote Office A, 198.51.100.2.
  5. In the Specify the gateway ID for tunnel authentication section, select By IP Address. In the adjacent text box, type the external IP address of the device at Remote Office A, 198.51.100.2.
  6. Click OK to close the New Gateway Endpoints Settings dialog box.
    The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints.
  7. Click OK to close the New Gateway dialog box.
    You return to the Gateways dialog box.

On the Central Office XTM 530, configure the gateway that connects with Remote Office B.

  1. In the Gateways dialog box, click Add.
    The New Gateway dialog box appears.
  2. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  3. In the Credential Method area of the General Settings tab, select Use Pre-Shared Key. Type the shared key in the adjacent text box.
  4. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the New Gateway Endpoints Settings dialog box, settings for the Central Office gateway that connects with Remote Office B entered.

  1. In the Local Gateway section, select By IP Address.
  2. From the IP Address drop-down list, select the external IP address of the Central Office Firebox, 203.0.113.2.
  3. From the External Interface drop-down list, select the primary external interface of your Firebox.
  4. In the Remote Gateway section, for Specify the remote gateway IP address, select Static IP address. Type the external IP address of the device at Remote Office B in the adjacent text box.
  5. In the Specify the gateway ID for tunnel authentication section, select By IP Address. Type the external IP address of the device at Remote Office B in the adjacent text box.
  6. Click OK to close the New Gateway Endpoints Settings dialog box.
    The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints.
  7. Click OK twice to close the New Gateway and Gateways dialog boxes.

Define Remote Office B Gateway

On the XTM 21 at Remote Office B, use Policy Manager to configure the BOVPN gateway of Tunnel B that connects with the Central Office.

  1. Select VPN > Branch Office Gateways.
    The Gateways dialog box appears.
  2. Click Add.
    The New Gateway dialog box appears.
  3. In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
  4. In the Credential Method area of the General Settings tab, select Use Pre-Shared Key. Type the shared key in the adjacent text box.
  5. In the Gateway Endpoints section, click Add.
    The New Gateway Endpoints Settings dialog box appears.

Screen shot of the New Gateway Endpoints Settings dialog box, settings for the Remote Office B gateway that connects with the Central Office entered.

  1. In the Local Gateway section, select By IP Address.
  2. From the IP Address drop-down list, select the external IP address of the Firebox at Remote Office B, 192.0.2.2.
  3. From the External Interface drop-down list, select the primary external interface of the Central Office Firebox.
  4. In the Remote Gateway section, for Specify the remote gateway IP address, select Static IP address. In the adjacent text box, type the external IP address of the Central Office Firebox, 203.0.113.2.
  5. In the Specify the gateway ID for tunnel authentication section, select By IP Address. In the adjacent text box, type the external IP address of the Central Office Firebox, 203.0.113.2.
  6. Click OK to close the New Gateway Endpoints Settings dialog box.
    The New Gateway dialog box appears. The gateway pair you defined appears in the list of gateway endpoints.
  7. Click OK twice to close the New Gateway and Gateways dialog boxes.

Define the Tunnel Routes

Before you define the tunnel resources of the BOVPN, keep in mind that the objective is to pass BOVPN traffic from the trusted network of Remote Office A to the trusted networks of Central office, and more importantly to the trusted network of Remote Office B. This can be achieved even if there is no direct BOVPN Tunnel between Remote Offices A and B.

Consider this diagram:

A diagram showing the networks of all three offices and the VPN tunnels that connect them, with the Central Office Firebox grouped with Remote Office B.

In this example, the Central Office and Remote Office B are grouped together and called Group B. This group represents the Tunnel Resources of the Central Office when the tunnel routes are defined between Remote Office A and the Central Office. From Remote Office A, the tunnel connects to both the trusted network of the Central Office (10.10.10.0/24) and the trusted network of Remote Office B (192.168.30.0/24).

Configure Remote Office A Tunnel Routes that Connect to the Central Office

On the XTM 23-W at Remote Office A, use Policy Manager to create two tunnel routes that go to the Central Office Firebox. One is for the private network of the Central Office, and the other is for the private network of Remote Office B.

  1. Select VPN > Branch Office Tunnels.
    The Branch Office IPSec Tunnels dialog box appears.
  2. Click Add.
    The New Tunnel dialog box appears.

Screen shot of the New Tunnel dialog box, with the Remote Office A tunnel routes entered

  1. In the Tunnel Name text box, type a name for the tunnel.
  2. From the Gateway drop-down list, select the gateway defined for Remote Office A.
  3. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address for this Firebox, 172.16.20.0/24
    • Remote: the trusted network address of the Central Office Firebox, 10.10.10.0/24
    • Direction: <===>
  4. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address of this Firebox, 172.16.20.0/24
    • Remote: the trusted network address of the Remote Office B Firebox, 192.168.30.0/24
    • Direction: <===>

Configure Central Office Tunnel Routes that Connect to Remote Office A

On the Central Office XTM 530, you must also use Policy Manager to configure two tunnel routes that go to Remote Office A. This allows the Central Office to use the private network of Remote Office B as if it was its own local network when it connects to Remote Office A.

  1. Select VPN > Branch Office Tunnels.
    The Branch Office IPSec Tunnels dialog box appears.
  2. Click Add.
    The New Tunnel dialog box appears.

Screen shot of the New Tunnel dialog box, with the settings for the Central Office to Remote Office A tunnel routes entered.

  1. In the Tunnel Name text box, type a name for the tunnel.
  2. From the Gateway drop-down list, select the gateway defined for Remote Office A.
  3. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address of the Central Office Firebox, 10.10.10.0/24
    • Remote: the trusted network address of the Remote Office A Firebox, 172.16.20.0/24
    • Direction: <===>
  4. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address of the Remote Office B Firebox, 192.168.30.0/24
    • Remote: the trusted network address of the Remote Office A Firebox, 172.16.20.0/24
    • Direction: <===>

Define the Tunnel Routes Between the Central Office and Remote Office B

To complete the Tunnel Switching configuration, you must do a similar but opposite configuration for the BOVPN tunnel between the Central Office and Remote Office B. This time, we group Remote Office A and the Central Office together and call it Group A. The tunnel routes between Central Office and the Remote Office B are configured afterwards.

A diagram showing the networks of all three offices and the VPN tunnels that connect them, with the Central Office Firebox grouped with Remote Office A.

From Remote Office B, the tunnel connects to both the trusted network of the Central Office (10.10.10.0/24) and the trusted network of Remote Office A (172.16.20.0/24).

Configure Central Office Tunnel Routes that Connect to Remote Office B

On the Central Office XTM 530, use Policy Manager to configure two tunnel routes that go to Remote Office B. This allows the Central Office to use the private network of Remote Office A as if it was its own local network when it connects to Remote Office B.

  1. Select VPN > Branch Office Tunnels.
    The Branch Office IPSec Tunnels dialog box appears.
  2. Click Add.
    The New Tunnel dialog box appears.

Screen shot of the New Tunnel dialog box, with the settings for the Remote Office B tunnel routes entered.

  1. In the Tunnel Name text box, type a name for the tunnel.
  2. From the Gateway drop-down list, select the gateway defined for Remote Office B.
  3. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address of the Central Office Firebox, 10.10.10.0/24
    • Remote: the trusted network address of the Remote Office B Firebox, 192.168.30.0/24
    • Direction: <===>
  4. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address of the Remote Office A Firebox, 172.16.20.0/24
    • Remote: the trusted network address of the Remote Office B Firebox, 192.168.30.0/24
    • Direction: <===>

Configure Remote Office B tunnel routes that Connect to the Central Office

To complete the configuration, use Policy Manager to define two tunnel routes on the XTM 21 at Remote Office B that go to the Central Office. One is for the private network of the Central Office, and the other is for the private network of Remote Office A.

  1. Select VPN > Branch Office Tunnels.
    The Branch Office IPSec Tunnels dialog box appears.
  2. Click Add.
    The New Tunnel dialog box appears.

Screen shot of the New Tunnel dialog box, with the settings for the Remote Office B tunnel routes entered.

  1. In the Tunnel Name text box, type a name for the tunnel.
  2. From the Gateway drop-down list, select the gateway defined for Remote Office B.
  3. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address for this Firebox, 192.168.30.0/24
    • Remote: the trusted network address of the Central Office Firebox, 10.10.10.0/24
    • Direction: <===>
  4. Click Add to add a tunnel route with these settings:
    • Local: the trusted network address of this Firebox, 192.168.30.0/24
    • Remote: the trusted network address of the Remote Office A Firebox, 172.16.20.0/24
    • Direction: <===>
  5. Save the configuration changes to the Fireboxes at all three locations.
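The tunnel routes above follow one rule: on the hub, each spoke's trusted network is listed as a Local resource on the tunnel to the other spoke, and every (Local, Remote) pair entered on one end of a tunnel must appear as (Remote, Local) on the peer end. Mismatched selectors are the most common reason a tunnel-switching route never comes up. The following script is an added example, not part of the WatchGuard documentation or product: it encodes the four tunnel route lists exactly as entered in the procedure, checks that each route is mirrored by its peer, traces which tunnels a packet between the two remote offices would traverse, and generalizes the pattern to one hub with any number of spokes. The site names, the Python data layout and the function names are assumptions for illustration; the network addresses are the ones from the scenario.

```python
"""Consistency checker for hub-and-spoke BOVPN tunnel-switching routes (added example)."""
import ipaddress

# Trusted networks per site, from the scenario's network diagram (site names are assumed).
TRUSTED = {
    "Central": "10.10.10.0/24",
    "RemoteA": "172.16.20.0/24",
    "RemoteB": "192.168.30.0/24",
}

# Tunnel routes as entered in Policy Manager, keyed by (this site, peer site).
# Each entry is (Local, Remote) from the perspective of "this site".
TUNNEL_ROUTES = {
    ("RemoteA", "Central"): [
        ("172.16.20.0/24", "10.10.10.0/24"),
        ("172.16.20.0/24", "192.168.30.0/24"),
    ],
    ("Central", "RemoteA"): [
        ("10.10.10.0/24", "172.16.20.0/24"),
        ("192.168.30.0/24", "172.16.20.0/24"),   # Remote Office B treated as local
    ],
    ("Central", "RemoteB"): [
        ("10.10.10.0/24", "192.168.30.0/24"),
        ("172.16.20.0/24", "192.168.30.0/24"),   # Remote Office A treated as local
    ],
    ("RemoteB", "Central"): [
        ("192.168.30.0/24", "10.10.10.0/24"),
        ("192.168.30.0/24", "172.16.20.0/24"),
    ],
}


def unmirrored_routes(routes):
    """Return every (site, peer, local, remote) whose peer lacks the (remote, local) mirror.
    Phase 2 selectors that do not match on both ends never negotiate a working route."""
    problems = []
    for (site, peer), route_list in routes.items():
        peer_routes = set(routes.get((peer, site), []))
        for local, remote in route_list:
            if (remote, local) not in peer_routes:
                problems.append((site, peer, local, remote))
    return problems


def trace_path(routes, src_ip, dst_ip, trusted=TRUSTED):
    """Return the ordered tunnels (site, peer) a packet traverses, switching at any site
    whose route table matches (src in Local, dst in Remote); None if no route exists."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    site = next((s for s, net in trusted.items() if src in ipaddress.ip_network(net)), None)
    if site is None:
        return None
    path, arrived_from, visited = [], None, set()
    while dst not in ipaddress.ip_network(trusted[site]):
        if site in visited:          # routing loop in the configuration
            return None
        visited.add(site)
        next_hop = None
        for (this, peer), route_list in routes.items():
            if this != site or peer == arrived_from:
                continue
            if any(src in ipaddress.ip_network(l) and dst in ipaddress.ip_network(r)
                   for l, r in route_list):
                next_hop = peer
                break
        if next_hop is None:
            return None
        path.append((site, next_hop))
        arrived_from, site = site, next_hop
    return path


def hub_and_spoke_routes(hub, trusted):
    """Generate the full tunnel-switching route set for one hub and any number of spokes.
    For three sites this reproduces TUNNEL_ROUTES exactly."""
    routes = {}
    spokes = [s for s in trusted if s != hub]
    for spoke in spokes:
        others = [hub] + [s for s in spokes if s != spoke]
        routes[(spoke, hub)] = [(trusted[spoke], trusted[o]) for o in others]
        routes[(hub, spoke)] = [(trusted[o], trusted[spoke]) for o in others]
    return routes


if __name__ == "__main__":
    print("unmirrored:", unmirrored_routes(TUNNEL_ROUTES))
    print("A -> B path:", trace_path(TUNNEL_ROUTES, "172.16.20.50", "192.168.30.10"))
    print("generated == entered:", hub_and_spoke_routes("Central", TRUSTED) == TUNNEL_ROUTES)
```

Run it before saving the configuration: an empty `unmirrored_routes` result and a two-tunnel path from a Remote Office A host to a Remote Office B host correspond to what Firebox System Manager should later show as two gateways with two active tunnels each. If one Remote entry is mistyped (for example the Remote Office B route to the Central Office pointing at 192.168.30.0/24 instead of 172.16.20.0/24), the checker reports the unmatched pair on both ends of that tunnel.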

Check the Tunnel Switching Configuration

To see if Tunnel Switching works, try to ping a computer on Remote Office B’s trusted network from Remote Office A’s trusted network. You must also make sure that the Central Office Firebox is not configured to deny ping attempts. If the ping is successful, you have configured Tunnel Switching correctly.

To verify that the tunnels are active, you can also look at Firebox System Manager for the Firebox at the Central Office. In Firebox System Manager, expand the Branch Office VPN tunnels section in the Front Panel to see the gateways and tunnels between each site. You might need to wait a moment for Firebox System Manager to connect to the Firebox before you can see status information. If Firebox System Manager on the XTM 530 at the Central Office shows that there are two BOVPN Gateways, each with two active tunnels, Tunnel Switching is configured correctly.

The active BOVPN Tunnels for the Central Office’s XTM 530 appear in Firebox System Manager.

Screen shot of Firebox System Manager routes between different tunnels that indicate Tunnel Switching operates correctly.
