I’m having problems with the VPN connection. I’ve set it up, and it connects but no traffic comes through.
There is a fibre connection to a Draytek router and then into the Firebox on the DMZ (I know this is not an ideal setup, but it’s what I have to work with).
I am new to WatchGuard. What should I be checking?
Traffic monitor. You will probably see either denies with a specific rule or unhandled packet exceptions. Modify your firewall policies appropriately.
The WatchGuard is a router; being new to the brand doesn’t change standard routing policies. Being behind another router means you have to NAT the traffic to and from each router, or put them side by side and assign different gateways on the internal.
This has nothing to do with the WatchGuard and everything to do with the physical perimeter equipment configuration.
The client itself (skinned OpenVPN really) has a log you can look at. It also has stats (both via right click on the tray icon) of your connection: assigned IP, routes that have been advertised, etc.
Check from the firewall that it’s showing as connected; then it’s the usual end-PC troubleshooting: trace, ping, route table, etc.
Your WG firewall is behind the other router?
And if you don’t see any traffic at all, it means the other firewall you are behind is either blocking or mis-routing the traffic.
Traffic monitor is your friend. Make sure every single policy has logging enabled. VPN stuff is off by default.
Yes, and unfortunately, it has to stay. The WatchGuard is on the DMZ.
Well, if you say it connected, the first thing is to confirm that the user authenticated. Check the authentication list for mobile users: what virtual IP were they assigned?
If they aren’t listed, attempt to log the user in to the SSLVPN again.
While that is attempting/failing, navigate to the Firebox traffic monitor and filter by the public IP you attempted the connection from. You should see it hitting the Firebox and then attempting to authenticate.
If you don’t see anything, then the traffic has probably failed to route to the Firebox from upstream. If you do see logs, then it could be troubleshot further.
The SSLVPN is a full tunnel by default, so if the connection completes successfully, it should be sending all traffic. If it’s a split tunnel, make sure there are no overlapping networks locally.
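The two checks in the answer above (filtering the traffic monitor by the client's public IP and looking for overlapping networks on a split tunnel), as an added Python example that is not part of this thread or of WatchGuard's tooling; the log line layout and policy names in it are constructed approximations of traffic-monitor output, not an exact Firebox export format, so adapt the regex to what your export actually looks like.

```python
import ipaddress
import re

# Constructed sample lines (NOT a real Firebox export), laid out as:
# <action> <src_ip> <dst_ip> <port>/<proto> <interface> <reason>
SAMPLE_LOG = """\
Allow 203.0.113.10 198.51.100.2 443/tcp External SSLVPN-Users
Deny 203.0.113.10 198.51.100.2 443/tcp External Unhandled External Packet-00
Deny 192.0.2.77 198.51.100.2 443/tcp External Blocked-Sites-00
Allow 203.0.113.10 198.51.100.2 443/tcp External SSLVPN-Users
"""

LINE_RE = re.compile(r"^(Allow|Deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def triage_log(log_text, public_ip):
    """Keep only lines whose source is the client's public IP and summarise
    what the Firebox did with them: allowed, denied by a named policy, or
    dropped because no policy matched (an 'unhandled' packet)."""
    counts = {"allowed": 0, "denied_by_policy": 0, "unhandled": 0}
    reasons = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != public_ip:
            continue
        action, reason = m.group(1), m.group(6)
        if action == "Allow":
            counts["allowed"] += 1
        elif "Unhandled" in reason:
            counts["unhandled"] += 1        # no policy matched: add/adjust one
            reasons.append(reason)
        else:
            counts["denied_by_policy"] += 1  # a specific policy denied it
            reasons.append(reason)
    return counts, reasons


def split_tunnel_overlaps(vpn_routes, local_networks):
    """Return (vpn_route, local_network) pairs that overlap. Any hit means a
    pushed VPN route and the client's own LAN compete for the same addresses,
    which is the split-tunnel failure mode the answer warns about."""
    hits = []
    for r in vpn_routes:
        rn = ipaddress.ip_network(r, strict=False)
        for l in local_networks:
            ln = ipaddress.ip_network(l, strict=False)
            if rn.overlaps(ln):
                hits.append((str(rn), str(ln)))
    return hits
```

If triage_log reports nothing at all for the client's public IP, the upstream Draytek is the place to look, as the replies above say; if it reports "unhandled" hits, the fix is on the Firebox policy side.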