|
Manual BOVPN Tunnel Switching
Contributed by Charles Cooper

Before you try to set up manual tunnel switching, you should already have manual BOVPN tunnels configured that link each remote location to your central Firebox. Tunnel switching describes a central Firebox accepting traffic from a remote Firebox's network over one BOVPN tunnel, decrypting it, routing it, re-encrypting it, and forwarding it to its final destination over a second tunnel. Because the traffic is in the clear on the central Firebox between the two tunnels, that Firebox's policies are where spoke-to-spoke traffic is actually filtered and logged. The instructions below set up manual BOVPN tunnel switching to route traffic from one remote network, through the central Firebox, to another remote network.
Here is an example of what to do:
The example topology is three Fireboxes, two remote and one central:

  Firebox              Trusted network
  FBX700 (WFS)         10.10.69.0/24
  FBX1000 (Fireware)   192.168.69.0/24
  EdgeX15              172.16.69.0/24

For this example, the External interfaces are given fictitious public IP addresses:

  FBX700    1.1.1.2
  FBX1000   2.2.2.2
  EdgeX15   3.3.3.2

Note that these addresses are not reserved for documentation and are routable on the Internet; if you write up your own configuration, the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are set aside for that purpose.
The FBX700 and the EdgeX15 are at remote locations. The FBX1000 is the central Firebox and will route traffic between the two remote networks. From the EdgeX15's side (172.16.69.0/24), the FBX1000 is the remote gateway for 10.10.69.0/24; from the FBX700's side (10.10.69.0/24), the FBX1000 is the remote gateway for 172.16.69.0/24.
One thing that is very useful when doing manual tunnel switching is giving your policies and tunnels descriptive names. It helps you visualize the routing of the traffic and see where each flow is coming from and going to.
FBX700: This is the routing necessary to route traffic from the FBX700 to the FBX1000 and EdgeX15:

  Local Network     Remote Gateway    Remote Network
  10.10.69.0/24     FBX1000           172.16.69.0/24
  10.10.69.0/24     FBX1000           192.168.69.0/24
Shown below is the existing IPSec routing and ANY service between the FBX700 and the FBX1000:
A new tunnel and IPSec route need to be added to send and receive traffic to and from the EdgeX15, using the same remote gateway (FBX1000) as the existing tunnel. The IPSec peer does not change; only the tunnel's pair of local and remote networks is new.
As shown below, a new tunnel (FBX700_to_EdgeX15) was added with the same gateway (FBX1000) as the original tunnel (FBX700_to_FBX1000):
As shown below, a new IPSec route was created using the new tunnel (FBX700_to_EdgeX15):
Once the new IPSec route and tunnel exist, you need a new service to allow traffic through the manual BOVPN tunnel to the EdgeX15's network (172.16.69.0/24). Use a separate ANY service instead of widening the existing one, so that traffic to and from that specific subnet is logged and monitored on its own and can later be narrowed to the protocols actually needed without touching the original tunnel's policy.
As shown below, the new ANY service is named ‘FBX700<>EdgeX15’ and is allowing traffic to and from the subnet of the FBX700 (10.10.69.0/24) and to and from the subnet of the EdgeX15 (172.16.69.0/24):
Now, there is a separate tunnel, IPSec route, and service on the FBX700 to allow traffic to and from the EdgeX15. Save the changes to your FBX700.
At this point, the FBX1000 and the EdgeX15 need to be configured to handle the manual tunnel switching.
EdgeX15: This is the routing necessary to route traffic from the EdgeX15 to the FBX1000 and FBX700:

  Local Network     Remote Gateway    Remote Network
  172.16.69.0/24    FBX1000           10.10.69.0/24
  172.16.69.0/24    FBX1000           192.168.69.0/24
Configuring the EdgeX15 for manual BOVPN switching will be the easiest of the three Fireboxes.
As shown below, these are the network settings of the original manual BOVPN tunnel:
As shown below, you will need to add an additional Remote Network, to account for the network of the FBX700:
Submit the change to your EdgeX15.
Finally, there is the configuration of the FBX1000. This is the most important of the three, because the FBX1000 handles the IPSec routing between the FBX700 and the EdgeX15.
FBX1000:
This is the routing necessary to route traffic from the FBX1000 to the FBX700 and EdgeX15, and also between the FBX700 and the EdgeX15:

  Local Network     Remote Gateway    Remote Network
  192.168.69.0/24   FBX700            10.10.69.0/24
  192.168.69.0/24   EdgeX15           172.16.69.0/24
  172.16.69.0/24    FBX700            10.10.69.0/24
  10.10.69.0/24     EdgeX15           172.16.69.0/24

The last two rows are the tunnel-switching entries: each lists one remote network as its local side, so that the FBX1000 can accept traffic from one spoke over its tunnel and send it out over the tunnel to the other spoke.
As shown below, the FBX1000 has a tunnel to the FBX700 and a tunnel to the EdgeX15 already in place:
At this point, we need to create two new tunnels: one for routing traffic from the EdgeX15 to the FBX700, and one for routing traffic from the FBX700 to the EdgeX15.
We will use the existing settings for the FBX700 gateway for our first tunnel and IPSec route.
As shown below, the tunnel for routing traffic to the FBX700 will need to list the network of the EdgeX15 (172.16.69.0/24) as a local network and the network of the FBX700 (10.10.69.0/24) as a remote network:
We will use the existing settings for the EdgeX15 gateway for our second tunnel and IPSec route.
As shown below, the tunnel for routing traffic to the EdgeX15 will need to list the network of the FBX700 (10.10.69.0/24) as a local network and the network of the EdgeX15 (172.16.69.0/24) as a remote network:
As shown below, on the Branch Office VPN tab, you will see the new policies and tunnels for the FBX1000:
The last step is to add an ANY policy that uses the Tunnel-Switch alias. As shown below, I added an ANY policy named Tunnel_Switching, with the Tunnel-Switch alias in the FROM list and the remote networks in the TO list. Note that this policy permits every protocol between the remote networks; once the tunnels are confirmed working, consider replacing ANY with the specific protocols the sites need, since the FBX1000 is the only point where spoke-to-spoke traffic is inspected.
As shown below, this is how the policy looks in Policy Manager, using the Detail view:
Save this configuration to the FBX1000.
Your remote networks should now be able to communicate with each other. Test this by pinging a host on the other remote network from behind one of the remote Fireboxes. If the ping fails, confirm that both tunnels are up on the FBX1000 and that the Tunnel_Switching policy is matching the traffic in the FBX1000's logs; a host firewall on the target can also drop the ping even when the tunnels are correct.
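As an added example (not part of the original article and not WatchGuard code), the script below models the three routing tables above as (local network, remote gateway, remote network) entries, exactly as the tables list them, and traces each spoke-to-spoke flow through the hub. It checks the two things the procedure depends on: that each Firebox has a route whose selector covers the flow, and that the peer has the mirrored selector on its tunnel back, which is what the two extra tunnels on the FBX1000 provide. It also shows the failure you get with only the FBX1000's two original tunnels. The device names, the "nets" field (each Firebox's directly attached network) and the hop limit are this script's own assumptions; it does not model policies or the Tunnel-Switch alias.

```python
"""Trace spoke-to-spoke flows through a tunnel-switching hub.

Added example, not WatchGuard code.  Each Firebox is modelled as its
directly attached network(s) plus its IPSec routes, written the way the
article's routing tables list them: (local network, remote gateway, remote
network).  The sample data is the FBX700 / FBX1000 / EdgeX15 layout from the
article; the "nets" field is an assumption of this script.
"""
import ipaddress

# Routes each spoke ends up with after following the article (constructed).
SPOKES = {
    "FBX700": {"nets": ["10.10.69.0/24"], "routes": [
        ("10.10.69.0/24", "FBX1000", "192.168.69.0/24"),
        ("10.10.69.0/24", "FBX1000", "172.16.69.0/24"),
    ]},
    "EdgeX15": {"nets": ["172.16.69.0/24"], "routes": [
        ("172.16.69.0/24", "FBX1000", "192.168.69.0/24"),
        ("172.16.69.0/24", "FBX1000", "10.10.69.0/24"),
    ]},
}

# The two tunnels the FBX1000 has before tunnel switching is configured ...
HUB_ORIGINAL = [
    ("192.168.69.0/24", "FBX700", "10.10.69.0/24"),
    ("192.168.69.0/24", "EdgeX15", "172.16.69.0/24"),
]
# ... and the two added for switching (a spoke network as the local side).
HUB_SWITCHING = [
    ("172.16.69.0/24", "FBX700", "10.10.69.0/24"),
    ("10.10.69.0/24", "EdgeX15", "172.16.69.0/24"),
]


def layout(hub_routes):
    """Build the full three-Firebox config with the given FBX1000 routes."""
    config = dict(SPOKES)
    config["FBX1000"] = {"nets": ["192.168.69.0/24"],
                         "routes": list(hub_routes)}
    return config


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def _attached(device, dst):
    return any(dst.subnet_of(_net(n)) for n in device["nets"])


def trace(config, start, src_cidr, dst_cidr, max_hops=4):
    """Follow src->dst traffic from `start` hop by hop.

    Returns (path, error).  `path` lists the Fireboxes traversed; `error`
    is None on delivery, otherwise names the first Firebox that cannot
    carry the flow and why.
    """
    src, dst = _net(src_cidr), _net(dst_cidr)
    device, prev, path = start, None, [start]
    for _ in range(max_hops):
        if _attached(config[device], dst):
            return path, None
        # Outbound selector: local covers the source, remote covers the
        # destination, and never hand the flow back to where it came from.
        out = [r for r in config[device]["routes"]
               if src.subnet_of(_net(r[0])) and dst.subnet_of(_net(r[2]))
               and r[1] != prev]
        if not out:
            return path, f"{device}: no IPSec route for {src} -> {dst}"
        gw = out[0][1]
        # The peer's selector on its tunnel back to us must mirror ours
        # (local covers dst, remote covers src) or the SA never matches.
        # This is exactly what the extra hub tunnels provide.
        mirrored = [r for r in config[gw]["routes"]
                    if r[1] == device and dst.subnet_of(_net(r[0]))
                    and src.subnet_of(_net(r[2]))]
        if not mirrored:
            return path, (f"{gw}: no tunnel to {device} with local {dst} "
                          f"/ remote {src}")
        prev, device = device, gw
        path.append(device)
    return path, f"hop limit reached at {device}"


def check_spokes(config, hub):
    """Trace every spoke network to every other spoke network, both ways.

    Returns {(from, src_net, to, dst_net): error} for flows that fail or
    that do not travel spoke -> hub -> spoke; an empty dict means all good.
    """
    spokes = [d for d in config if d != hub]
    problems = {}
    for a in spokes:
        for b in spokes:
            if a == b:
                continue
            for sn in config[a]["nets"]:
                for dn in config[b]["nets"]:
                    path, err = trace(config, a, sn, dn)
                    if err is None and path != [a, hub, b]:
                        err = f"unexpected path {' -> '.join(path)}"
                    if err:
                        problems[(a, sn, b, dn)] = err
    return problems


if __name__ == "__main__":
    for label, routes in (("before", HUB_ORIGINAL),
                          ("after", HUB_ORIGINAL + HUB_SWITCHING)):
        found = check_spokes(layout(routes), "FBX1000")
        print(f"{label} switching: {found or 'all spoke pairs reachable'}")
```

Run stand-alone, the "before" pass reports that the FBX1000 has no tunnel to either spoke with the other spoke's network as its local side, which is the symptom you see in the real topology when only the two original hub tunnels exist; the "after" pass reports every spoke pair reachable via FBX700 -> FBX1000 -> EdgeX15 and back. Feeding the script your own routing tables is a quick way to catch a missing or reversed selector before you start chasing it in the tunnel logs.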