Firebox: GRE over IPsec

Guest
Archived from groups: comp.security.firewalls (More info?)

Hi everyone,

I've got a Watchguard Firebox III 700 at the moment and I'd like to
know if it's possible to set up a GRE over IPsec VPN. If yes, any idea on
how to do that?

Thanks a lot!
 
Guest

Here's my situation: I got this new job as sysadmin for a company. They
have a network where there's a firebox III 700 as the main router and
another CISCO router placed somewhere in the DMZ with a box behind it.

When I asked why they had that CISCO 1711, they told me that because the
Firebox III 700 didn't support GRE over IPsec, they had to buy this
specific CISCO router to be able to do a "branch-to-branch" VPN with
the provider.

[p net]<==>[p router]<++>[o firebox]<++>[o cisco]<==>[o net]

== IP
++ GRE/IPsec
p Provider
o Our

What I would like (eliminating the Cisco router):

[p net]<==>[p router]<++>[o firebox]<==>[o net]

Now it's time to buy "spares" and I'm wondering if it's worth
buying another CISCO 1711 or whether we're wasting our money, since the Firebox
III 700 could do that VPN connection. I would like to test that
before making a decision. I'm not really familiar with setting up
branch-to-branch VPNs with GRE over IPsec in the Policy Manager. I'd
appreciate an example.
 
Guest

We already have 2 VPN connections with 2 other providers* using IPsec
and it's not a problem. The problem is with "GRE" over IPsec. I've seen
no mention of GRE in the whole interface. That's what I'm looking to
set up.

* Not internet service provider, banking transactions type of provider
that "forces" us to their setup.
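The distinction the poster is running into, shown as an added example (not code from the thread or from WatchGuard): GRE is its own encapsulation, IP protocol 47, that carries an inner packet between two tunnel endpoints; IPsec ESP (IP protocol 50) then protects that GRE flow, so an observer on the WAN sees only ESP, while a device that is expected to hand the inner packets to its LAN has to terminate the GRE tunnel itself rather than merely encrypt it. The parser below classifies constructed sample packets as plain IP, GRE-over-IP (recursing into the tunnelled packet) or ESP (payload opaque); all addresses, the GRE key and the SPI are made-up sample values.

```python
"""Identify the encapsulation stack of raw IPv4 packets: plain IP, GRE (IP
protocol 47) carrying an inner IP packet, or ESP (IP protocol 50) whose
payload is encrypted and therefore opaque to anything but the IPsec peer.
Added example for the GRE-over-IPsec discussion; every address, SPI and
key below is a constructed sample value, not from any real network."""
import socket
import struct
from typing import List, Optional

IPPROTO_GRE = 47
IPPROTO_ESP = 50
IPPROTO_AH = 51

GRE_FLAG_CHECKSUM = 0x8000  # RFC 2784 C bit: Checksum + Reserved1 fields present
GRE_FLAG_KEY = 0x2000       # RFC 2890 K bit: 4-byte Key present
GRE_FLAG_SEQ = 0x1000       # RFC 2890 S bit: 4-byte Sequence Number present
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement checksum; returns 0 when computed over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre(inner: bytes, proto_type: int = ETHERTYPE_IPV4,
              key: Optional[int] = None) -> bytes:
    """GRE header (flags/version, protocol type, optional key) plus inner packet."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: SPI and sequence number in the clear, everything after them encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext


def describe(packet: bytes, layers: Optional[List[str]] = None) -> List[str]:
    """Return one line per layer, recursing through GRE into the tunnelled packet."""
    layers = [] if layers is None else layers
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    layers.append("IPv4 %s->%s proto=%d" % (socket.inet_ntoa(packet[12:16]),
                                             socket.inet_ntoa(packet[16:20]), proto))
    payload = packet[ihl:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        off = 4                      # skip optional fields in the order RFC 2890 defines
        if flags & GRE_FLAG_CHECKSUM:
            off += 4
        key = None
        if flags & GRE_FLAG_KEY:
            key = struct.unpack("!I", payload[off:off + 4])[0]
            off += 4
        if flags & GRE_FLAG_SEQ:
            off += 4
        layers.append("GRE proto_type=0x%04x%s" % (ptype, "" if key is None else " key=%d" % key))
        if ptype == ETHERTYPE_IPV4:
            return describe(payload[off:], layers)   # the tunnelled packet is visible
        layers.append("non-IPv4 GRE payload (e.g. 0x6558 bridged Ethernet)")
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        layers.append("ESP spi=0x%08x seq=%d (payload encrypted; inner headers not inspectable)"
                      % (spi, seq))
    elif proto == IPPROTO_AH:
        layers.append("AH (authenticated, not encrypted; next header=%d)" % payload[0])
    return layers


# Constructed samples: a branch host's TCP packet tunnelled in GRE between two
# tunnel endpoints, and the same endpoint pair once IPsec ESP wraps the traffic.
INNER = build_ipv4("192.168.1.10", "10.20.30.40", 6, b"\x00" * 20)
SAMPLE_GRE = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_GRE, build_gre(INNER, key=1001))
SAMPLE_ESP = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_ESP,
                        build_esp(0x12345678, 1, b"\x5a" * 64))

if __name__ == "__main__":
    for name, pkt in (("GRE over IP", SAMPLE_GRE), ("ESP", SAMPLE_ESP)):
        print(name)
        for line in describe(pkt):
            print("  " + line)
```

Run against a capture taken between the two tunnel endpoints on the protected side of IPsec you would see the GRE form and the inner addresses; on the WAN side only the ESP form, which is why a firewall that does not itself terminate GRE cannot route the branch traffic even though it can encrypt the flow.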
 
Guest

No, we are not, but they still insist on using GRE for no reason. We are
the little company, they are the big one; we have to bend to their setup,
unfortunately.
 
Guest

In article <1127875453.850180.86440@z14g2000cwz.googlegroups.com>,
sergerivest@yahoo.com says...
> Hi everyone,
>
> I've got a Watchguard Firebox III 700 at the moment and I'd like to
> know if it's possible to set up a GRE over IPsec VPN. If yes, any idea on
> how to do that?

I have a BUNCH of Firebox units and I'm not having any problems with
IPSec tunnels or PPTP tunnels - maybe you can explain what you are
trying to do in a little more detail?

If you have GRE problems, I suspect that it's the other end of the VPN,
not the WG unit. Many Linksys units have GRE issues, so if your remote
unit is a Linksys and you are trying to VPN INBOUND to a server behind
the Linksys from the WG, then you are likely to have problems.

--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <1127879920.913376.55840@g47g2000cwa.googlegroups.com>,
sergerivest@yahoo.com says...
> Here's my situation: I got this new job as sysadmin for a company. They
> have a network where there's a firebox III 700 as the main router and
> another CISCO router placed somewhere in the DMZ with a box behind it.
>
> When I asked why they had that CISCO 1711 they told me, because the
> Firebox III 700 didn't support GRE over IPsec, they had to buy this
> specific CISCO router to be able to do a "branch-to-branch" VPN with
> the provider.
>
> [p net]<==>[p router]<++>[o firebox]<++>[o cisco]<==>[o net]
>
> == IP
> ++ GRE/IPsec
> p Provider
> o Our
>
> what I would like (eliminate the cisco router):
>
> [p net]<==>[p router]<++>[o firebox]<==>[o net]
>
> Now it's the time to buy "spares" and I'm wondering if it's worth
> buying another CISCO 1711 or we're wasting our money since the firebox
> III 700 could do that VPN connection. I would like to test that
> before making a decision. I'm not really familiar with setting
> Branch-to-branch VPNs with GRE over IPsec with the Policy Manager. I'd
> appreciate an example.

The 700 will easily do a Branch to Branch VPN with every major appliance
out there, and even cheap little BEFVP41 units. You just set up a "Manual
Branch Office VPN" and use IPSec, then create rules that permit access
between the two networks.

I have IPSec tunnels between Watchguard and the following: Netscreen,
Linksys BEFVP41, Linksys BEFSX41, WatchGuard, D-Link, Netgear, PIX,
Check Point FW1, and then remote user PPTP connections.

If your provider gives you a fixed IP with a full connection, not
filtered, you don't need them to do the IPSec tunnels for you; you just
set up the WG unit to do a manual VPN tunnel to the remote location.
Also, if you get a WG unit for the other office, you can use the
Automated BOVPN setup and it will basically auto-configure between the
two - takes about 5 minutes to set up the first time.


--

spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <1127879920.913376.55840@g47g2000cwa.googlegroups.com>,
<sergerivest@yahoo.com> wrote:
:Here's my situation: I got this new job as sysadmin for a company. They
:have a network where there's a firebox III 700 as the main router and
:another CISCO router placed somewhere in the DMZ with a box behind it.

:When I asked why they had that CISCO 1711 they told me, because the
:Firebox III 700 didn't support GRE over IPsec, they had to buy this
:specific CISCO router to be able to do a "branch-to-branch" VPN with
:the provider.

Are you perhaps running some layer 2 traffic between the branches?
Either with both branches being in the same subnet, or sending
something that is non-IP, such as IPX or AppleTalk?

I have never looked at the Firebox series, so I do not know if it
can handle layer 2 traffic.

A need for layer 2 would explain why they didn't use a PIX --
PIX have only recently gained layer 2 transparency.
--
Many food scientists have reported chocolate to be the single most
craved food. -- Northwestern University, 2001
 
Guest

In article <1127881391.647262.237210@o13g2000cwo.googlegroups.com>,
sergerivest@yahoo.com says...
> We already have 2 VPN connections with 2 other providers* using IPsec
> and it's not a problem. The problem is with "GRE" over IPsec. I've seen
> no mention of GRE in the whole interface. That's what I'm looking to
> set up.
>
> * Not internet service provider, banking transactions type of provider
> that "forces" us to their setup.

Have you called WatchGuard about it? It might be supported (as I don't
know one way or the other) in a firmware update.

--

spam999free@rrohio.com
remove 999 in order to email me