From Dimension, you can create and manage hub-and-spoke VPNs between your Fireboxes that are managed by Dimension. With a hub-and-spoke VPN, one Firebox is the hub, or central location, of the BOVPN tunnel, and one Firebox is the spoke, or remote location, of the BOVPN tunnel. For each VPN, you must add one hub device, but you can add many spoke devices that use the same hub device. A spoke device can also be the hub device in another BOVPN tunnel, but a device cannot be a hub and a spoke in the same BOVPN tunnel.
When you create a BOVPN tunnel from Dimension, you add VPN resources and specify the security templates to use. A VPN Resource is the set of IP addresses that can be used to sent traffic through the BOVPN tunnel. A Security Template is the set of parameters you select to configure the BOVPN gateways and tunnels. Dimension includes a built-in Security Template that enables the highest security and WatchGuard recommended settings. You can also create custom Security Templates.
BOVPN tunnels that you create between two Fireboxes managed by Dimension can be configured to allow traffic to pass in both directions between the hub and spoke devices, or to restrict traffic to only one direction. You can configure a BOVPN tunnel to allow traffic only between the hub device and each spoke device (traditional hub-and-spoke VPN), or to also allow traffic between the spoke devices (hub-and-spoke VPN with tunnel switching). You can also use multi-WAN for VPN failover, to dedicate external interfaces, or to restrict external interfaces.
For instructions to set up a managed VPN from Dimension, see Configure Managed VPNs.
Traditional Hub-And-Spoke VPN
When you configure a traditional hub-and-spoke VPN, on each Firebox, you configure a single BOVPN gateway that includes a single gateway endpoint pair. The spoke endpoint is configured with a dynamic IP address or domain name, and the hub endpoint is configured with a static IP address. You can also specify a zero-route (0.0.0.0) for the VPN resource on the spoke device, and traffic to the Internet will be routed through the hub device.
For example, if you create a single tunnel that routes traffic from 192.168.1.0/24 on the spoke device to 10.0.1.0/24 on the hub device, and allows traffic in both directions, the tunnel configuration is:
192.168.1.0/24 <-> 10.0.1.0/24
Hub-And-Spoke VPN with Tunnel Switching
For a hub-and-spoke VPN with tunnel switching, on each Firebox, you also configure a single BOVPN gateway that includes a single gateway endpoint pair. When you specify the tunnel routes, you configure each route to allow the VPN resources at each spoke device to communicate with the hub device and with the other spoke devices that are connected to the hub device.
For example, if you create a single tunnel at each spoke device, with tunnel routes that include the VPN resources for both the hub device (10.0.1.0/24) and the other spoke devices (spoke A: 192.168.1.0/24, spoke B: 192.168.2.0/24), and that allows traffic in both directions, the tunnel routes look like this:
Tunnel A — Tunnel between spoke A and hub device
192.168.1.0/24 <-> 10.0.1.0/24
192.168.1.0/24 <-> 192.168.2.0/24
Tunnel B — Tunnel between spoke B and hub device
192.168.2.0/24 <-> 10.0.1.0/24
192.168.2.0/24 <-> 192.168.1.0/24
In this example, traffic is routed from spoke A to spoke B through the hub device.
Hub-And-Spoke VPN with Multi-WAN
You can also use multi-WAN in your hub-and-spoke VPN configuration for VPN failover, to dedicate external interfaces, or to restrict external interfaces.
When you configure a hub-and-spoke VPN for VPN failover, you configure two external interfaces on both the hub and spoke devices in the tunnel. Only a single tunnel must be added between the hub and spoke devices, but the external interfaces must be configured for VPN failover.
On each hub and spoke device, you add more than one gateway endpoint pair in the BOVPN gateway configuration. You then associate a security template with the configuration, which includes either IKE keepalive or DPD settings to determine the options for failover. Gateway endpoint pairs are generated in the order you specify in the gateway configuration.
For example, if your hub device has three external interfaces (H1, H2, H3) and your spoke device has two external interfaces (S1, S2), the gateway endpoint pairs order is:
H1–S1, H2–S1, H3–S1, H1–S2, H2–S2, H2–S2
In this example, if your tunnel has more than one set of gateway endpoint pairs, is configured to allow traffic between your hub device and the spoke device (192.168.1.0/24), and allows traffic in both directions, the gateway endpoint pairs look like this:
Hub device gateway endpoint pairs order
Hub External-1 <-> Spoke External-1
Hub External-2 <-> Spoke External-1
Hub External-1 <-> Spoke External-2
Hub External-2 <-> Spoke External-2
Spoke device gateway endpoint pairs order
IP addresses are reversed but the order is the same:
Spoke External-1 <-> Hub External-1
Spoke External-1 <-> Hub External-2
Spoke External-2 <-> Hub External-1
Spoke External-2 <-> Hub External-2
Dedicated External Interfaces
Another option is to enable more than one external interface on your spoke devices. You can then select to use a specific external interface to send traffic to specific locations.
For this type of hub-and-spoke VPN, you configure a BOVPN gateway on each spoke device for a local interface that participates in the VPN. You then configure a BOVPN tunnel for each gateway and associate specific VPN resources with that gateway.
For example, you configure your spoke device with two BOVPN gateways and two BOVPN tunnels, one for each interface. Then, configure your hub device with more than one external interface, and add two BOVPN gateways and two BOVPN tunnels for the hub device. When you configure the gateways, you specify over which interface traffic is sent. This enables you to control the destination of the traffic through the tunnel
Restrict External Interfaces
Regardless of the number of external interfaces configured on your Firebox, you can use your VPN settings to restrict traffic through specific interfaces. When you configure the settings for the hub and spoke devices, specify which external interfaces can be used to send traffic through the tunnel.
A Security Template defines the Phase 1 and Phase 2 settings for your BOVPN tunnel, and configures these settings for all the Fireboxes included in the hub-and-spoke VPN:
- NAT Traversal (Phase 1)
- IKE Keep-Alive (Phase 1)
- DPD (Phase 1)
- Transform Settings (Phase 1)
- SA Lifetime
- Key Group
- Perfect Forward Secrecy (Phase 2)
- IPsec Proposal (Phase 2)
- Force key expiration time and traffic
When you configure a managed VPN, the Phase 1 settings are automatically configured. When both the hub device and spoke device use static IP addresses for the BOVPN tunnel, the mode can be set to Main failback to Aggressive. If more than one device in the BOVPN tunnel has a dynamic address, the mode must be set to Aggressive. Then Phase 2 proposal is always set to ESP (Encapsulating Security Payload).
A VPN Resource specifies the IP addresses used in the BOVPN tunnel routes. These are the resources that are shared over the BOVPN tunnel. Each VPN resource includes a list of host and/or network IP addresses that can be used in the tunnel.
When you configure a traditional hub-and-spoke VPN, you can specify the direction that traffic can travel to or from each IP address. You can also select to configure 1:1 NAT addresses for each IP address.
If you add a VIF BOVPN tunnel, for each IP address, you can configure the metrics for the routes associate with each device.
When you run the Hub Device and Spoke Device wizards to configure a managed VPN from Dimension, you specify which external interfaces on a Firebox to use to connect to a specific network, and configure a gateway to use in your hub-and-spoke BOVPN tunnel. You also configure the VPN resources to use in the tunnel.