Sign in with
Sign up | Sign in
Your question

Watchguard Cisco VPN problems

Last response: in Networking
Share
Anonymous
July 13, 2004 1:31:11 PM

Archived from groups: comp.security.firewalls (More info?)

We are having trouble getting a cisco pix and a watchguard firebox II
to establish an IPSEC VPN tunnel.
We are using ESP/DES/MD5 and dynamic isakmp key handling.
After defining routing policy for our two private lans and enabling
the tunnels,
The watchguard log shows that it is trying to do the initial key
exchange and shows its cookie as a hex value. It reports the PIX
cookie as
being all zeros which looks very odd, and no traffic is able to cross
the VPN.


07/08/04 17:50 iked[116]: Deleting SA: peer x.x.x.x
07/08/04 17:50 iked[116]: my_cookie 650FE360118DCBFE
07/08/04 17:50 iked[116]: his_cookie 0000000000000000
07/08/04 17:50 iked[116]: Cancelled acquire for channel (0)
07/08/04 17:50 kernel: ipsec: Acquiring keys for channel 0
07/08/04 17:50 iked[116]: ipsec_nl_catcher: Acquiring key for
channel/policy 0/0

At either end we cant actually see what the issue is. Anyone have any
ideas?


TIA
Anonymous
July 13, 2004 5:26:50 PM

Archived from groups: comp.security.firewalls (More info?)

In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
oscarriverman@yahoo.co.uk says...
>
>
> We are having trouble getting a cisco pix and a watchguard firebox II
> to establish an IPSEC VPN tunnel.
> We are using ESP/DES/MD5 and dynamic isakmp key handling.
> After defining routing policy for our two private lans and enabling
> the tunnels,

On the WatchGuard:

Remote Gateway:
Remote ID Type: IP Address
Gateway IP Address: External IP of PIX
Shared Key (x) 'some shared key'
Phase 1 Settings:
Local ID Type: IP Address
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Diffie-Hellman Group: 1
Enable Aggressive Mode (X)


Tunnel Configuration
Phase 2 Settings:
Type: ESP
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Force Key Expiration (X)


Routing Policy
Local: Network (local subnet on WG Trusted Interface)
Remote: Network (local subnet behind PIX)
Disposition: SECURE
Tunnel (name of tunnel above)

NOTES: Make sure that you are NOT using the same subnet on both sides of
the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
they need to be different (or any other subnet for this example).

Once you do get the tunnels built you need to add an ANY (if you want
everything) rule that permits traffic between the two subnets.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
July 19, 2004 8:15:31 PM

Archived from groups: comp.security.firewalls (More info?)

it seems to me like some major mistake. Check connectivity between two
devices, remove access-lists on Cisco and make sure IKE Phase 1 begins. If
it fails on key negotiation and you DO have network reachability, then it
may be key mismatch.
Looks like Cisco side problem...

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b5dad5699e51f3098a796@news-server.columbus.rr.com...
> In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
> oscarriverman@yahoo.co.uk says...
> >
> >
> > We are having trouble getting a cisco pix and a watchguard firebox II
> > to establish an IPSEC VPN tunnel.
> > We are using ESP/DES/MD5 and dynamic isakmp key handling.
> > After defining routing policy for our two private lans and enabling
> > the tunnels,
>
> On the WatchGuard:
>
> Remote Gateway:
> Remote ID Type: IP Address
> Gateway IP Address: External IP of PIX
> Shared Key (x) 'some shared key'
> Phase 1 Settings:
> Local ID Type: IP Address
> Authentication: SHA1-HMAC
> Encryption: 3DES-CBC
> Diffie-Hellman Group: 1
> Enable Aggressive Mode (X)
>
>
> Tunnel Configuration
> Phase 2 Settings:
> Type: ESP
> Authentication: SHA1-HMAC
> Encryption: 3DES-CBC
> Force Key Expiration (X)
>
>
> Routing Policy
> Local: Network (local subnet on WG Trusted Interface)
> Remote: Network (local subnet behind PIX)
> Disposition: SECURE
> Tunnel (name of tunnel above)
>
> NOTES: Make sure that you are NOT using the same subnet on both sides of
> the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
> they need to be different (or any other subnet for this example).
>
> Once you do get the tunnels built you need to add an ANY (if you want
> everything) rule that permits traffic between the two subnets.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
!