Watchguard Site to Site VPN not working via FusionHub bonding of 2 WANs

Hello! One of my customers uses a Watchguard firewall which does a site to site VPN between 2 locations. We are trying to bond 2 DSL connections as they need better performance, but before ordering DSL we are using 2 LTE SIM cards instead with FusionHub hosted on DigitalOcean. A HD2 LTE-A is the device at the customer site. Outbound policy has the PepVPN connection first, and then each SIM/WAN next set as priority.

The PepVPN connection is created and works fine, and any outbound traffic shows that it’s coming from the DigitalOcean IP address as you’d expect. The customer needs to program that IP into their VPN as it will only allow connections from a specific IP. However, when they do this with the DigitalOcean IP their VPN will not establish.

He said they then reconfigured the VPN using one of the dynamic IP addresses on the LTE SIM cards and it established right away, but just using the 1 SIM card and not the VPN.

I have this issue all the time which is why I never use Peplink when a customer has an existing VPN, but is there anything else I can do? In FusionHub I set it to forward all WAN TCP and UDP to being the customer’s router connected to LAN1 on the HD2 but not sure if I have to do anything else. I know there’s options like “send all traffic over VPN” etc, but anything else I can try? I’m not at the customer site and doing this remotely so any changes we make need to ideally allow me to keep connecting to the device.

VPN issues like these involving firewalls on the LAN of Peplink appliances are nearly always caused by one of two things. The first is that the 3rd party VPN is trying to use UDP 4500 which is already in use by the Peplink appliance for Speedfusion. To fix this, move the SpeedFusion VPN to a different data port.

The second reason shouldn’t be affecting you but is when IPsec NAT-T is needed and enabled in Network > Misc. Settings | Service Passthrough for Site to SIte VPN traffic passthrough to a LAN side VPN appliance. Since IPSEC is not multi-wan aware, site to site traffic needs to get nailed down to an interface and you can pick that interface here in the drop down.

Great thank you I’ll try all of that. Should I need to do any kind of port forwarding or is that necessary? Also are there any recommendations on another port to use or can it be something like 4501? Just don’t want it to be that the current VPN uses a range or something. Thanks!

No luck unfortunately, changed the port to 4550 and still won’t establish. Also there’s no Misc under Network so I wasn’t able to check that option.

Any other suggestions to try? Otherwise I’ll have the customer ship it back to me today. Thanks!

Good news it’s working! But I’m not sure how to fix this in future. So we have all traffic going through DigitalOcean where FH is. The customer added the DigitalOcean IP to their WatchGuard to whitelist it for VPN but no luck. Just for fun, they changed it now to whitelist 192.168.50.x range and the WatchGuard VPN established immediately.

Would love to hear any feedback on this or any comments etc that might explain why that worked. As a reminder, that is the LAN range, with the WatchGuard being

Thanks so much!