Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel
Before your Mobile VPN with SSL users can use resources through a BOVPN tunnel, you must add the appropriate tunnel routes and resources to your BOVPN configuration.
In this example, a BOVPN tunnel is already configured between the Site A Firebox and the Site B Firebox.
Site A Firebox configuration
External interface IP address — 203.0.113.2
Trusted network IP address — 10.0.1.0/24
Mobile VPN with SSL IP address pool — 192.168.113.0/24
Site B Firebox configuration
External interface IP address — 198.51.100.2
Trusted network IP address — 10.50.1.0/24
To allow the Mobile VPN with SSL users who connect to the Firebox at Site A to use resources on the trusted network of the Firebox at Site B, follow the procedures in the next sections.
Configure the Firebox at Site A
First, you must configure the Firebox at Site A to allow SSL VPN traffic to the Firebox at Site B.
- Connect to Fireware Web UI for the Firebox at Site A.
This is the Firebox that the SSL VPN users connect to.
- Select VPN > Mobile VPN with SSL.
The Mobile VPN with SSL page appears.
- Select the Activate Mobile VPN with SSL check box.
- In the Allowed Resources section, select Specify allowed resources.
- Add the IP addresses of the trusted networks on both the local and remote Firebox.
For this example, for the IP address of the trusted network at Site A, add 10.0.1.0/24.
For the IP address of the trusted network at Site B, add 10.50.1.0/24.
- Add the network addresses for any other networks you want to make available to your SSL VPN users.
For example, you could add the optional networks on the local and remote Firebox.
- Make a note of the address specified in the Virtual IP Address Pool text box. You use this address when you set up tunnel routes to the resources.
- Click Save.
- Select VPN > Branch Office VPN.
The Branch Office VPN page appears.
- In the Tunnels list, select a tunnel and click Edit.
The Edit Tunnel dialog box appears. The existing tunnel route between the devices at Site A and Site B appears in the Addresses list.
- On the Addresses tab, click Add.
The Tunnel Route Settings dialog box appears.
- In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
- In the Network IP text box, type 192.168.113.0/24.
This is the network IP address assigned to your SSLVPN users for this example. You can find this IP address in the Mobile VPN with SSL Configuration dialog box, in the IP Address Pool text box.
- In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
- In the Network IP text box, type 10.50.1.0/24.
This is the trusted network IP address of the remote Firebox for this example.
- Click OK.
The new tunnel route is added to the Addresses list.
- Click Save.
The Firebox at Site A now allows traffic from Mobile VPN for SSL users through the BOVPN tunnel to the remote network at Site B.
- Open Policy Manager with the configuration file for the Firebox at Site A.
This is the Firebox that the SSL VPN users connect to.
Policy Manager appears with the selected configuration file.
- Select VPN > Mobile VPN > SSL.
The Mobile VPN with SSL Configuration dialog box appears.
If you select the Force all client traffic through tunnel check box, the Firebox allows access to all resources, and you can skip steps 3, 4, and 5.
- In the Allowed Resources section, select Specify allowed resources.
- Add the IP addresses of the trusted networks on both the local and remote Firebox.
For this example, for the IP address of the trusted network at Site A, add 10.0.1.0/24.
For the IP address of the trusted network at Site B, add 10.50.1.0/24.
- Add the network addresses for any other networks you want to make available to your SSL VPN users.
For example, you could add the optional networks on the local and remote Firebox.
- Make a note of the address specified in the Virtual IP Address Pool text box. You use this address when you set up tunnel routes to the resources.
- Click OK.
Policy Manager appears.
- Select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
- Select a tunnel and click Edit.
The Edit Tunnel dialog box appears. The existing tunnel route between the devices at Site A and Site B appears in the Addresses list.
- On the Addresses tab, click Add.
The Tunnel Route Settings dialog box appears.
- In the Local text box, type 192.168.113.0/24.
This is the network IP address assigned to your SSLVPN users for this example. You can find this IP address in the Mobile VPN with SSL Configuration dialog box, in the IP Address Pool text box.
- In the Remote text box, type 10.50.1.0/24.
This is the trusted network IP address of the remote Firebox for this example.
- Click OK.
The new tunnel route is added to the Addresses tab.
- Click OK. Save the configuration to the Firebox.
The Firebox at Site A now allows traffic from Mobile VPN for SSL users through the BOVPN tunnel to the remote network at Site B.
Configure the Firebox at Site B
Next, you must configure the Firebox at Site B to accept traffic from Mobile VPN for SSL users through the BOVPN tunnel to its local network.
- Select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
- Select a tunnel and click Edit.
The Edit Tunnel dialog box appears. The existing tunnel route between the devices at Site A and Site B appears in the Addresses list.
- On the Addresses tab, click Add.
The Tunnel Route Settings dialog box appears.
- In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
- In the Network IP text box, type 10.50.1.0/24.
This is the IP address of the local network of the Firebox at Site B for this example.
- In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
- In the Network IP text box, type 192.168.113.0/24.
This is the network IP address assigned to your SSLVPN users at Site A for this example. You can find this IP address in the Mobile VPN with SSL Configuration dialog box, in the IP Address Pool text box.
- Click OK.
The new tunnel route is added to the Addresses list.
- Click Save.
The Firebox at Site B is now configured to accept traffic from Mobile VPN for SSL users through the BOVPN tunnel.
- Open Policy Manager with the configuration file for the Firebox at Site B.
Policy Manager appears with the selected configuration file.
- Select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
- Select a tunnel and click Edit.
The Edit Tunnel dialog box appears. The existing tunnel route between the devices at Site A and Site B appears in the Addresses list.
- On the Addresses tab, click Add.
The Tunnel Route Settings dialog box appears.
- In the Local text box, type 10.50.1.0/24.
This is the IP address of the local network of the Firebox at Site B for this example.
- In the Remote text box, type 192.168.113.0/24.
This is the network IP address assigned to your SSLVPN users at Site A for this example. You can find this IP address in the Mobile VPN with SSL Configuration dialog box, in the IP Address Pool text box.
- Click OK.
The tunnel route is added to the Addresses tab.
- Click OK. Save the configuration to the Firebox.
The Firebox at Site B is now configured to accept traffic from Mobile VPN for SSL users through the BOVPN tunnel.
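The following check is an added example, not WatchGuard code and not a Fireware configuration format. It models the tunnel routes from the procedures above as (local, remote) pairs and reports the mistakes that most often break this setup: an allowed remote resource with no tunnel route from the SSL VPN pool, a route at Site A with no mirrored route at Site B, and a pool that overlaps an allowed resource. The function and variable names are hypothetical, and the pre-existing trusted-to-trusted route is an assumption, because the page does not list its addresses.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def check_sslvpn_over_bovpn(pool, site_a_local, allowed, routes_a, routes_b):
    """Return a list of problems; an empty list means the routes are consistent.

    routes_a / routes_b are (local, remote) CIDR pairs as they would be entered
    in the Addresses list of the tunnel on each Firebox.
    """
    problems = []
    pool = net(pool)
    local = [net(n) for n in site_a_local]
    a = {(net(l), net(r)) for l, r in routes_a}
    b = {(net(l), net(r)) for l, r in routes_b}

    for cidr in allowed:
        res = net(cidr)
        if pool.overlaps(res):
            problems.append(f"pool {pool} overlaps allowed resource {res}")
        if any(res.subnet_of(l) for l in local):
            continue  # reachable at Site A directly, no tunnel route needed
        if not any(pool.subnet_of(l) and res.subnet_of(r) for l, r in a):
            problems.append(f"Site A: no tunnel route {pool} -> {res}")

    # Each Site A route needs the same pair, reversed, at Site B.
    for l, r in sorted(a):
        if (r, l) not in b:
            problems.append(f"Site B: missing mirror route {r} -> {l}")
    return problems

# Addresses from this page's example.
POOL = "192.168.113.0/24"
SITE_A_LOCAL = ["10.0.1.0/24"]
ALLOWED = ["10.0.1.0/24", "10.50.1.0/24"]
NEW_A = ("192.168.113.0/24", "10.50.1.0/24")
NEW_B = ("10.50.1.0/24", "192.168.113.0/24")
# Assumed pre-existing route between the trusted networks (not stated on the page).
EXISTING_A = [("10.0.1.0/24", "10.50.1.0/24")]
EXISTING_B = [("10.50.1.0/24", "10.0.1.0/24")]

if __name__ == "__main__":
    for p in check_sslvpn_over_bovpn(POOL, SITE_A_LOCAL, ALLOWED,
                                     EXISTING_A + [NEW_A], EXISTING_B):
        print(p)
```
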