Watchguard Cisco VPN problems
Last response: in Networking
Archived from groups: comp.security.firewalls (More info?)
We are having trouble getting a cisco pix and a watchguard firebox II
to establish an IPSEC VPN tunnel.
We are using ESP/DES/MD5 and dynamic isakmp key handling.
After defining routing policy for our two private lans and enabling
the tunnels,
The watchguard log shows that it is trying to do the initial key
exchange and shows its cookie as a hex value. It reports the PIX
cookie as
being all zeros which looks very odd, and no traffic is able to cross
the VPN.
07/08/04 17:50 iked[116]: Deleting SA: peer x.x.x.x
07/08/04 17:50 iked[116]: my_cookie 650FE360118DCBFE
07/08/04 17:50 iked[116]: his_cookie 0000000000000000
07/08/04 17:50 iked[116]: Cancelled acquire for channel (0)
07/08/04 17:50 kernel: ipsec: Acquiring keys for channel 0
07/08/04 17:50 iked[116]: ipsec_nl_catcher: Acquiring key for
channel/policy 0/0
At either end we cant actually see what the issue is. Anyone have any
ideas?
TIA
We are having trouble getting a cisco pix and a watchguard firebox II
to establish an IPSEC VPN tunnel.
We are using ESP/DES/MD5 and dynamic isakmp key handling.
After defining routing policy for our two private lans and enabling
the tunnels,
The watchguard log shows that it is trying to do the initial key
exchange and shows its cookie as a hex value. It reports the PIX
cookie as
being all zeros which looks very odd, and no traffic is able to cross
the VPN.
07/08/04 17:50 iked[116]: Deleting SA: peer x.x.x.x
07/08/04 17:50 iked[116]: my_cookie 650FE360118DCBFE
07/08/04 17:50 iked[116]: his_cookie 0000000000000000
07/08/04 17:50 iked[116]: Cancelled acquire for channel (0)
07/08/04 17:50 kernel: ipsec: Acquiring keys for channel 0
07/08/04 17:50 iked[116]: ipsec_nl_catcher: Acquiring key for
channel/policy 0/0
At either end we cant actually see what the issue is. Anyone have any
ideas?
TIA
More about : watchguard cisco vpn problems
Archived from groups: comp.security.firewalls (More info?)
In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
oscarriverman@yahoo.co.uk says...
>
>
> We are having trouble getting a cisco pix and a watchguard firebox II
> to establish an IPSEC VPN tunnel.
> We are using ESP/DES/MD5 and dynamic isakmp key handling.
> After defining routing policy for our two private lans and enabling
> the tunnels,
On the WatchGuard:
Remote Gateway:
Remote ID Type: IP Address
Gateway IP Address: External IP of PIX
Shared Key (x) 'some shared key'
Phase 1 Settings:
Local ID Type: IP Address
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Diffie-Hellman Group: 1
Enable Aggressive Mode (X)
Tunnel Configuration
Phase 2 Settings:
Type: ESP
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Force Key Expiration (X)
Routing Policy
Local: Network (local subnet on WG Trusted Interface)
Remote: Network (local subnet behind PIX)
Disposition: SECURE
Tunnel (name of tunnel above)
NOTES: Make sure that you are NOT using the same subnet on both sides of
the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
they need to be different (or any other subnet for this example).
Once you do get the tunnels built you need to add an ANY (if you want
everything) rule that permits traffic between the two subnets.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
oscarriverman@yahoo.co.uk says...
>
>
> We are having trouble getting a cisco pix and a watchguard firebox II
> to establish an IPSEC VPN tunnel.
> We are using ESP/DES/MD5 and dynamic isakmp key handling.
> After defining routing policy for our two private lans and enabling
> the tunnels,
On the WatchGuard:
Remote Gateway:
Remote ID Type: IP Address
Gateway IP Address: External IP of PIX
Shared Key (x) 'some shared key'
Phase 1 Settings:
Local ID Type: IP Address
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Diffie-Hellman Group: 1
Enable Aggressive Mode (X)
Tunnel Configuration
Phase 2 Settings:
Type: ESP
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Force Key Expiration (X)
Routing Policy
Local: Network (local subnet on WG Trusted Interface)
Remote: Network (local subnet behind PIX)
Disposition: SECURE
Tunnel (name of tunnel above)
NOTES: Make sure that you are NOT using the same subnet on both sides of
the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
they need to be different (or any other subnet for this example).
Once you do get the tunnels built you need to add an ANY (if you want
everything) rule that permits traffic between the two subnets.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Archived from groups: comp.security.firewalls (More info?)
it seems to me like some major mistake. Check connectivity between two
devices, remove access-lists on Cisco and make sure IKE Phase 1 begins. If
it fails on key negotiation and you DO have network reachability, then it
may be key mismatch.
Looks like Cisco side problem...
"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b5dad5699e51f3098a796@news-server.columbus.rr.com...
> In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
> oscarriverman@yahoo.co.uk says...
> >
> >
> > We are having trouble getting a cisco pix and a watchguard firebox II
> > to establish an IPSEC VPN tunnel.
> > We are using ESP/DES/MD5 and dynamic isakmp key handling.
> > After defining routing policy for our two private lans and enabling
> > the tunnels,
>
> On the WatchGuard:
>
> Remote Gateway:
> Remote ID Type: IP Address
> Gateway IP Address: External IP of PIX
> Shared Key (x) 'some shared key'
> Phase 1 Settings:
> Local ID Type: IP Address
> Authentication: SHA1-HMAC
> Encryption: 3DES-CBC
> Diffie-Hellman Group: 1
> Enable Aggressive Mode (X)
>
>
> Tunnel Configuration
> Phase 2 Settings:
> Type: ESP
> Authentication: SHA1-HMAC
> Encryption: 3DES-CBC
> Force Key Expiration (X)
>
>
> Routing Policy
> Local: Network (local subnet on WG Trusted Interface)
> Remote: Network (local subnet behind PIX)
> Disposition: SECURE
> Tunnel (name of tunnel above)
>
> NOTES: Make sure that you are NOT using the same subnet on both sides of
> the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
> they need to be different (or any other subnet for this example).
>
> Once you do get the tunnels built you need to add an ANY (if you want
> everything) rule that permits traffic between the two subnets.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
it seems to me like some major mistake. Check connectivity between two
devices, remove access-lists on Cisco and make sure IKE Phase 1 begins. If
it fails on key negotiation and you DO have network reachability, then it
may be key mismatch.
Looks like Cisco side problem...
"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b5dad5699e51f3098a796@news-server.columbus.rr.com...
> In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
> oscarriverman@yahoo.co.uk says...
> >
> >
> > We are having trouble getting a cisco pix and a watchguard firebox II
> > to establish an IPSEC VPN tunnel.
> > We are using ESP/DES/MD5 and dynamic isakmp key handling.
> > After defining routing policy for our two private lans and enabling
> > the tunnels,
>
> On the WatchGuard:
>
> Remote Gateway:
> Remote ID Type: IP Address
> Gateway IP Address: External IP of PIX
> Shared Key (x) 'some shared key'
> Phase 1 Settings:
> Local ID Type: IP Address
> Authentication: SHA1-HMAC
> Encryption: 3DES-CBC
> Diffie-Hellman Group: 1
> Enable Aggressive Mode (X)
>
>
> Tunnel Configuration
> Phase 2 Settings:
> Type: ESP
> Authentication: SHA1-HMAC
> Encryption: 3DES-CBC
> Force Key Expiration (X)
>
>
> Routing Policy
> Local: Network (local subnet on WG Trusted Interface)
> Remote: Network (local subnet behind PIX)
> Disposition: SECURE
> Tunnel (name of tunnel above)
>
> NOTES: Make sure that you are NOT using the same subnet on both sides of
> the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
> they need to be different (or any other subnet for this example).
>
> Once you do get the tunnels built you need to add an ANY (if you want
> everything) rule that permits traffic between the two subnets.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
Related ressources:
- ForumWatchguard / Safenet Client and Cisco VPN Client Compatible?
- Forumnew install watchguard
- ForumCisco PIX 7.0.1 to Watchguard V60 VPN Tunnel
- ForumCisco PIX 7.0.1 to Watchguard V60 VPN Tunnel
- ForumLinksys BEFSX41 Softremote VPN to Watchguard Firebox X
- ForumSite to Site VPN with Watchguard X700
- ForumLinksys vs WatchGuard VPN Protocols
- ForumSonicwall vs Cisco ?
- ForumVPN between offices for voIP
- ForumCisco VPN client/Multiple Connections
- ForumSmall office firewall/ vpn /security appliance
- Forumadsl modem + router for vpn use.
- Forumpda vpn to pix - help!
- ForumRe-install watchguard at new location. no experience in setting up at all.
- ForumSonicwall / Watchguard / Fortinet
- ForumNetgear\'s Breakthrough SSL VPN Gateway
- ForumSymantec 100 VPN /Firewall NAT?
- ForumWhich VPN router is better?
- ForumRouter Setup
- ForumGive me the low down on the differences between the Cisco ..
- More resources
Read discussions in other Networking categories
!
