
I have 4 sites configured with IPsec VPNs like the diagram below:

         Site A ------------ Main Site -------------- Site B
                                 |
                                 |
                              Site C

We use a variety of different models of WatchGuard firewalls. The one at the main site is a WatchGuard XTM510.

From the main site, I can connect to systems at sites A, B and C, and they can all connect to the main site.

But site A can't talk to B and C, site B can't talk to A and C, etc.

Is there any way to configure routing between the VPN connections, so that traffic from site A goes:

   Site A -----(vpn)-------Main Site-------(vpn)------Site B

Or do I need to set up tunnels between every site separately? With just 4 sites, that would mean I need to set up 6 VPNs... but as I add more sites it will grow very quickly!

I do realize this would use more bandwidth than connecting directly, but the main site has a nice fibre line and can handle the extra traffic. Hopefully it would also allow me to manage the filtering between VPNs in one place, instead of on each individual box.

Grant

1 Answer


Turns out this is fairly easy. Watchguard describes how to set it up here: Configure Manual Branch Office VPN Tunnel Switching

The short version is:

  • Set up VPNs just like normal
  • Go into the tunnel configuration at site A and create a tunnel for each other network. The local network will be site A's subnet, the remote ones will be sites B's and C's subnets.
  • Do the same at sites B and C
  • At the main site, add more tunnels for each VPN connection. To site A's connection you'd add:
    • Local: Site B, Remote: Site A
    • Local: Site C, Remote: Site A
  • Then on site B's tunnel configuration, add:
    • Local: Site A, Remote: Site B
    • Local: Site C, Remote: Site B

Basically on each VPN connection you are listing all the other subnets that are reachable through the VPN.

Grant
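The tunnel list the answer describes, generalized to any number of spokes, as an added Python example that is not part of the answer or of WatchGuard's documentation. Site names and subnets are constructed; `plan_tunnel_switching` builds, for each VPN connection, the (local, remote) pairs to enter on both ends, `tunnels_mirror` checks that the hub's pairs are the spoke's pairs swapped (the selectors have to match or the switched tunnel never comes up), `check_no_overlap` refuses overlapping site subnets (tunnel switching cannot route between two remote networks that share addresses), and `connection_counts` shows the hub-and-spoke versus full-mesh growth the question worries about.

```python
"""Hub-and-spoke IPsec tunnel-switching planner (added example, not WatchGuard code)."""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample topology (not from the question): the hub plus three spokes.
SITES = {
    "Main Site": "10.0.0.0/24",
    "Site A": "10.1.0.0/24",
    "Site B": "10.2.0.0/24",
    "Site C": "10.3.0.0/24",
}


def check_no_overlap(sites):
    """Raise ValueError if any two site subnets overlap; the hub cannot
    switch traffic between two remote networks that share addresses."""
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            raise ValueError(f"{a} ({na}) overlaps {b} ({nb})")
    return True


def plan_tunnel_switching(sites, hub):
    """Return {gateway: {peer: [(local, remote), ...]}} for a hub-and-spoke
    layout.  Each spoke has one connection (to the hub); the hub has one
    connection per spoke.  Besides the direct pair, every connection lists
    each other spoke's subnet so spoke-to-spoke traffic is switched at the hub."""
    check_no_overlap(sites)
    spokes = [s for s in sites if s != hub]
    plan = {hub: {}}
    for spoke in spokes:
        others = [o for o in spokes if o != spoke]
        # Spoke side: local is always this spoke's own subnet.
        spoke_tunnels = [(sites[spoke], sites[hub])]
        spoke_tunnels += [(sites[spoke], sites[o]) for o in others]
        plan[spoke] = {hub: spoke_tunnels}
        # Hub side: the mirror image, remote is always this spoke's subnet.
        hub_tunnels = [(sites[hub], sites[spoke])]
        hub_tunnels += [(sites[o], sites[spoke]) for o in others]
        plan[hub][spoke] = hub_tunnels
    return plan


def tunnels_mirror(plan, hub):
    """True if, on every connection, the hub's (local, remote) pairs are
    exactly the spoke's pairs with local and remote swapped."""
    for spoke, conns in plan.items():
        if spoke == hub:
            continue
        spoke_side = set(conns[hub])
        hub_side = {(remote, local) for local, remote in plan[hub][spoke]}
        if spoke_side != hub_side:
            return False
    return True


def connection_counts(n_sites):
    """VPN connections needed for n sites: one per spoke with a hub,
    n(n-1)/2 with a full mesh."""
    return {"hub_and_spoke": n_sites - 1,
            "full_mesh": n_sites * (n_sites - 1) // 2}


if __name__ == "__main__":
    plan = plan_tunnel_switching(SITES, "Main Site")
    for gateway, conns in plan.items():
        for peer, tunnels in conns.items():
            print(f"{gateway} -> {peer}:")
            for local, remote in tunnels:
                print(f"    Local: {local:14} Remote: {remote}")
    print(connection_counts(len(SITES)))
```

Run it as a script to print the entries for each gateway in the same "Local: ..., Remote: ..." form the answer uses; for the three-spoke sample it prints three tunnels per connection, and `connection_counts(4)` gives 3 hub-and-spoke connections against 6 for a full mesh.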