Allowing SSLVPN users to traverse BOVPN between two Cloud Managed T80s

I’ve looked at the documentation and there’s no information on doing this with the Cloud Managed Fireboxes. I tried following the locally managed instructions (Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel, watchguard.com), but there are some options lost in translation for the Cloud Managed devices. The BOVPN and the SSLVPN both work well, but this is the last hurdle. Thanks for any help.

According to Watchguard support, it can’t be done with Cloud Managed Fireboxes.

I literally just implemented this with a Cloud Managed FireCluster. It’s possible! The BOVPN was to an external non-WatchGuard device.
Here’s what I did:
1- Add the VPN network as a private network resource.
2- This is the main one: in the SSLVPN settings, use “Force all traffic through tunnel”. It did not work with the other two options:
  • Allow access to all internal and guest networks.
  • Specify allowed resources.
3- This might be optional, but I added it anyway: create a policy to allow the traffic you want over the tunnel from the SSLVPN group to the local network at the other end of the tunnel.

Note: IKEv2 might have been nice for this, but I didn’t want to go through the hassle of configuring the Windows VPN client on over 100 PCs. It is much easier to push the VPN client via Group Policy.

It: SSLVPN users traversing the BOVPN to access remote networks. From the support ticket:

Within the cloud, while it does look like there should be a “Specify allowed resources” option for the SSLVPN networks, currently it looks like you can only select internal networks when using that option.

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/mvpn_configure_ssl.html

"In the Networking section, select the method the Firebox uses to send traffic through the VPN tunnel.

Specify allowed resources

Select this option to restrict Mobile VPN with SSL client access to only specified devices on your private network. This option is also known as split tunneling."

I searched around, and there does look to be a feature enhancement request in for this:

FCCM-4035

Specify the remote resources of a BOVPN in the SSL VPN menu

However, I don’t have a timeline on if or when this would be implemented.

Currently the only workaround I can see/think of would be to set the SSLVPN to Full tunnel so all traffic arrives at the cloud side. This should allow the client to send BOVPN subnet traffic to the Cloud Firebox, and once the Cloud Firebox receives the traffic it should forward it across the tunnel.

For now I can add this case to the bug, and . For proper case tracking and notifications, I will set the status of this case to ‘Bug/Enhancement Submitted’. This allows you to receive an update when either the Bug has been resolved or the feature enhancement becomes available.