Use a Branch Office VPN for Failover from a Leased Line (OSPF)

This topic provides an example of how to configure failover from a leased line that uses OSPF to a branch office VPN. For an overview of how failover to a branch office VPN works, go to Configure a Branch Office VPN for Failover from a Leased Line.

In this example, an organization has a leased line that connects Fireboxes at two sites, Site 1 and Site 2. The router for the leased line is connected to the trusted network at each site. The network administrator for the organization wants to configure a branch office VPN connection between the two sites, which can be used for failover if the leased line connection becomes unavailable.

This diagram shows the configuration settings that apply to each site for this example.

Network diagram that shows the IP addresses used at Site 1 and Site 2

Site 1 Network Configuration

WatchGuard Firebox at Site 1:

  • External interface IP address: 203.0.113.2/24
  • Default gateway IP address: 203.0.113.1
  • Trusted-1 interface IP address: 10.0.1.1/24 — connected to the Site 1 trusted network
  • Trusted network IP address: 10.0.1.0/24
  • Trusted-2 interface IP address: 10.0.2.1/30 — connected to the router

Router connected to the leased line, and connected to the Site 1 optional interface:

  • LAN IP address: 10.0.2.2/30
  • WAN IP address: 172.16.0.1

Site 2 Network Configuration

WatchGuard Firebox at Site 2:

  • External interface IP address: 198.51.100.2/24
  • Default gateway IP address: 198.51.100.1
  • Trusted-1 interface IP address: 10.50.1.1/24 — connected to the Site 2 trusted network
  • Trusted network IP address: 10.50.1.0/24
  • Trusted-2 interface IP address: 10.50.2.1/30 — connected to the router

Router connected to the leased line, and connected to the Site 2 trusted network:

  • LAN IP address: 10.50.2.2/30
  • WAN IP address: 172.16.0.2

Static Routes

There are routers at each end of the leased line between the two Fireboxes. At each site you must configure static routes on the Firebox and on the router so that traffic can be routed correctly between the two networks.

The static routes needed on the Firebox and on the router at each site are shown below.

Static Routes at Site 1

  Route                             On Site 1 Firebox           On Site 1 Router
  Route to Site 2 Firebox           Route to: 10.50.2.0/30      Network: 10.50.2.0/30
                                    Gateway: 10.0.2.2           Next Hop: 172.16.0.2
  Route to Site 1 trusted network   (none)                      Network: 10.0.1.0/24
                                                                Next Hop: 10.0.2.1
  Route to Site 2 trusted network   (none)                      Network: 10.50.1.0/24
                                                                Next Hop: 172.16.0.2

Static Routes at Site 2

  Route                             On Site 2 Firebox           On Site 2 Router
  Route to Site 1 Firebox           Route to: 10.0.2.0/30       Network: 10.0.2.0/30
                                    Gateway: 10.50.2.2          Next Hop: 172.16.0.1
  Route to Site 1 trusted network   (none)                      Network: 10.0.1.0/24
                                                                Next Hop: 172.16.0.1
  Route to Site 2 trusted network   (none)                      Network: 10.50.1.0/24
                                                                Next Hop: 10.50.2.1

For information about how to add a static route to the Firebox, go to Add a Static Route.

After you configure the static routes and verify that the devices can reach each other, you can configure dynamic routing across the private network link.
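The reachability check described above, as an added example that is not part of the WatchGuard documentation: this Python script models the interface addresses and the static routes from the two tables and walks a packet hop by hop, so you can confirm that each Firebox can reach the other Firebox's Trusted-2 address over the leased line. The leased-line WAN addresses are given without a prefix length on the page, so /30 is assumed for them; the device names are labels chosen here.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Interface addresses from the example (WAN prefix length assumed /30).
INTERFACES = {
    "site1-firebox": ["203.0.113.2/24", "10.0.1.1/24", "10.0.2.1/30"],
    "site1-router": ["10.0.2.2/30", "172.16.0.1/30"],
    "site2-firebox": ["198.51.100.2/24", "10.50.1.1/24", "10.50.2.1/30"],
    "site2-router": ["10.50.2.2/30", "172.16.0.2/30"],
}
# (destination network, next hop) per device, copied from the two tables.
STATIC_ROUTES = {
    "site1-firebox": [("10.50.2.0/30", "10.0.2.2")],
    "site1-router": [("10.50.2.0/30", "172.16.0.2"), ("10.0.1.0/24", "10.0.2.1"),
                     ("10.50.1.0/24", "172.16.0.2")],
    "site2-firebox": [("10.0.2.0/30", "10.50.2.2")],
    "site2-router": [("10.0.2.0/30", "172.16.0.1"), ("10.0.1.0/24", "172.16.0.1"),
                     ("10.50.1.0/24", "10.50.2.1")],
}

def owner_of(addr):
    """Device that holds interface address `addr`, or None if no device does."""
    for dev, addrs in INTERFACES.items():
        if any(ip_interface(a).ip == addr for a in addrs):
            return dev
    return None

def next_hop(device, dst):
    """Longest-prefix match over connected networks and static routes.
    Returns "connected", a next-hop address, or None when nothing matches."""
    best = None  # (prefix length, result)
    candidates = [(ip_interface(a).network, "connected") for a in INTERFACES[device]]
    candidates += [(ip_network(n), ip_address(h)) for n, h in STATIC_ROUTES[device]]
    for net, result in candidates:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, result)
    return None if best is None else best[1]

def trace(device, dst):
    """Devices traversed from `device` to `dst`; None if a hop has no route or
    its next hop is not on a directly connected network (a common static-route mistake)."""
    dst, path = ip_address(dst), [device]
    while len(path) <= len(INTERFACES):  # bound the walk in case of a routing loop
        hop = next_hop(device, dst)
        if hop == "connected":
            return path + [owner_of(dst)] if owner_of(dst) else path
        if hop is None or next_hop(device, hop) != "connected" or owner_of(hop) is None:
            return None
        device = owner_of(hop)
        path.append(device)
    return None
```

Tracing from a Firebox to a host on the remote trusted network returns None, because neither Firebox has a static route to the other site's trusted network; that route is what OSPF supplies in the next step.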

Configure Dynamic Routing at Site 1

To use the branch office VPN connection for failover, you must enable dynamic routing on the Firebox at each site. You can use any supported dynamic routing protocol (RIP v1, RIP v2, OSPF, or BGP v4). This example uses OSPF.

After you configure dynamic routing, you can configure authentication and restrict the OSPF policy to listen only on the correct interfaces.

Configure Dynamic Routing at Site 2

To configure dynamic routing at Site 2, repeat the same steps, with the appropriate addresses in the dynamic routing configuration.

Configure the Branch Office VPN at Site 1

This example uses the default Phase 1 and Phase 2 settings.

At Site 1, configure the branch office VPN gateway to Site 2.

At Site 1, configure the branch office VPN tunnel to Site 2.

At Site 1, in the Global VPN Settings, enable failover to the VPN.

Configure the Branch Office VPN at Site 2

At Site 2, configure the branch office VPN gateway to Site 1.

At Site 2, configure the branch office VPN tunnel to Site 1.

At Site 2, in the Global VPN Settings, enable failover to the VPN.

Related Topics

Configure a Branch Office VPN for Failover from a Leased Line

Use a Branch Office VPN for Failover from a Leased Line (BGP)