We use “branch-office VPNs” (which use IPSec) through our Watchguard firewalls to link sites together. At our main office we have three broadband connections for redundancy – one with Zen Internet (18Mbps), one with Virgin Media (50Mbps) and one with Combined Business Systems (18Mbps – mainly used for VoIP).
We have always used the Zen Internet connection for the VPN links because it is much more reliable than the Virgin Media connection, but we have seen that the new versions of our Watchguard firewalls can do VPN failover. So, we decided to set up two VPN links, one using Virgin, for the speed, and a failover one using Zen for when the Virgin one fails. With the Watchguard firewalls this is (or should be) as simple as creating a second set of gateway pair configurations.
Indeed, it did seem to be that simple – once we set up the second gateway pair, the firewalls immediately set up the tunnels on the new IP addresses. Unfortunately, no traffic could go over the links, even though the tunnel settings hadn’t changed. If we took down the link via Virgin, then it started working again.
After a while and lots of fiddling, we decided it must be a problem with the Virgin connection, rather than the firewall configuration. A bit of Googling found that people were suggesting setting the Virgin SuperHub into ‘Modem Mode’ to allow VPNs – however, there is very little documentation on ‘Modem Mode’ for the Virgin Business Broadband connections, and a quick attempt at it totally failed. We have 5 static IP addresses with our Virgin connection, so the SuperHub does not do NAT, and the Firewall option in the SuperHub was turned off, so we thought it should work fine: the firewall shouldn’t be blocking anything, and there’s no NAT to mess with the VPN link.
As a last resort (“we’ll try this, and if it doesn’t work, we’ll give up, but we can’t see how it could work”), what we did was turn ON the firewall in the SuperHub, turn on “IPSec Pass-Through” (and “PPTP Pass-Through”, even though that shouldn’t matter), and then turn OFF the firewall again. Amazingly, this seems to have fixed the problem! You can’t turn on “IPSec Pass-Through” when the firewall is off, so common sense would suggest that the setting is irrelevant when the firewall is off, but apparently that’s not the case.