  1. #1
    Untanglit
    Join Date
    Apr 2012
    Posts
    15

    IPSec Initial Setup

    I have two Watchguard firewalls at two different sites that are configured as a tunnel so that each site can see nodes at the other location.

    I started configuring it as so:
    site1.com -> IPSec VPN
    Nat Traversal on
    IPSec Tunnel configured:
    Connection Type: Tunnel
    Auto Mode: Start
    Interface External - External IP (Site1.com's WAN IP)
    Remote IP (Site2.com's WAN IP)
    Local Network - 10.0.0.0/24 (Site1.com's local LAN subnet)
    Local IP: 10.0.0.7 (Internal IP assigned to Untangle device)
    Remote Network: 192.168.10.0/24 (Site2's internal IP subnet)
    Perfect Forward Secrecy (PFS) on
    Shared Secret (ex. N#508den$)

    site2.com -> IPSec VPN
    Nat Traversal on
    IPSec Tunnel configured:
    Connection Type: Tunnel
    Auto Mode: Start
    Interface External - External IP (Site2.com's WAN IP)
    Remote IP (Site1.com's WAN IP)
    Local Network - 192.168.10.0/24 (Site2.com's local LAN subnet)
    Local IP: 192.168.10.1 (Internal IP assigned to Untangle device)
    Remote Network: 10.0.0.0/24 (Site1's internal IP subnet)
    Perfect Forward Secrecy (PFS) on
    Shared Secret (ex. N#508den$)


    This seemed pretty straightforward, and I am not sure what I am missing, but as of right now, you cannot ping the gateway or any nodes on the opposite internal network.

    This is a brand new Untangle install with no additional configuration enabled.

  2. #2
    Untangle Ninja
    WebFooL
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    4,203

    Hi Centixo,

    Where is Untangle located and how is it configured?

  3. #3
    Untanglit
    Join Date
    Apr 2012
    Posts
    15

    Both Untangle boxes are directly behind the WAN connection, but all is well now. Maybe I just needed to sleep on it. I plugged them in this morning, went through configs on both devices and everything ended up working perfectly.

    I have to do some tweaking but I can see nodes on both networks and this was the easiest site-to-site setup I have ever done.

  4. #4
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    2,627

    Turn Nat Traversal off on both sites if the WAN is not a private IP address range.

    Also post 100 or so lines of the IPsec Log tab.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
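
A consistency check for the two tunnel definitions listed in this thread, added here as an example (it is not part of any post and not Untangle's own code). It verifies that each end mirrors the other and flags NAT Traversal enabled on a WAN address outside the private ranges; the WAN addresses, the shared secret and the reading of "private" as RFC 1918 are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Assumption: "private IP address range" means the RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Tunnel(NamedTuple):
    name: str
    external_ip: str      # this site's WAN IP
    remote_ip: str        # the peer's WAN IP
    local_network: str
    local_ip: str
    remote_network: str
    nat_traversal: bool
    pfs: bool
    shared_secret: str

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_pair(a, b):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_address(x.remote_ip) != ipaddress.ip_address(y.external_ip):
            findings.append(f"{x.name}: Remote IP is not {y.name}'s External IP")
        if ipaddress.ip_network(x.remote_network) != ipaddress.ip_network(y.local_network):
            findings.append(f"{x.name}: Remote Network is not {y.name}'s Local Network")
        if ipaddress.ip_address(x.local_ip) not in ipaddress.ip_network(x.local_network):
            findings.append(f"{x.name}: Local IP is outside Local Network")
        if x.nat_traversal and not is_rfc1918(x.external_ip):
            findings.append(f"{x.name}: NAT Traversal on, but WAN IP is not private")
    if a.pfs != b.pfs:
        findings.append("PFS setting differs between sites")
    if a.shared_secret != b.shared_secret:
        findings.append("Shared Secret differs between sites")
    return findings

# Constructed sample: LAN values from the thread; WAN IPs are documentation
# addresses and the secret is a placeholder, since the thread gives neither.
SITE1 = Tunnel("site1", "203.0.113.10", "198.51.100.20", "10.0.0.0/24",
               "10.0.0.7", "192.168.10.0/24", True, True, "placeholder-psk")
SITE2 = Tunnel("site2", "198.51.100.20", "203.0.113.10", "192.168.10.0/24",
               "192.168.10.1", "10.0.0.0/24", True, True, "placeholder-psk")

if __name__ == "__main__":
    for finding in check_pair(SITE1, SITE2):
        print(finding)
```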
