Watchguard Cisco VPN problems

Archived from groups: comp.security.firewalls (More info?)

We are having trouble getting a cisco pix and a watchguard firebox II
to establish an IPSEC VPN tunnel.
We are using ESP/DES/MD5 and dynamic isakmp key handling.
After defining routing policy for our two private lans and enabling
the tunnels,
The watchguard log shows that it is trying to do the initial key
exchange and shows its cookie as a hex value. It reports the PIX
cookie as
being all zeros which looks very odd, and no traffic is able to cross
the VPN.


07/08/04 17:50 iked[116]: Deleting SA: peer x.x.x.x
07/08/04 17:50 iked[116]: my_cookie 650FE360118DCBFE
07/08/04 17:50 iked[116]: his_cookie 0000000000000000
07/08/04 17:50 iked[116]: Cancelled acquire for channel (0)
07/08/04 17:50 kernel: ipsec: Acquiring keys for channel 0
07/08/04 17:50 iked[116]: ipsec_nl_catcher: Acquiring key for
channel/policy 0/0

At either end we cant actually see what the issue is. Anyone have any
ideas?


TIA
2 answers Last reply
More about watchguard cisco problems
  1. Archived from groups: comp.security.firewalls (More info?)

    In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
    oscarriverman@yahoo.co.uk says...
    >
    >
    > We are having trouble getting a cisco pix and a watchguard firebox II
    > to establish an IPSEC VPN tunnel.
    > We are using ESP/DES/MD5 and dynamic isakmp key handling.
    > After defining routing policy for our two private lans and enabling
    > the tunnels,

    On the WatchGuard:

    Remote Gateway:
    Remote ID Type: IP Address
    Gateway IP Address: External IP of PIX
    Shared Key (x) 'some shared key'
    Phase 1 Settings:
    Local ID Type: IP Address
    Authentication: SHA1-HMAC
    Encryption: 3DES-CBC
    Diffie-Hellman Group: 1
    Enable Aggressive Mode (X)


    Tunnel Configuration
    Phase 2 Settings:
    Type: ESP
    Authentication: SHA1-HMAC
    Encryption: 3DES-CBC
    Force Key Expiration (X)


    Routing Policy
    Local: Network (local subnet on WG Trusted Interface)
    Remote: Network (local subnet behind PIX)
    Disposition: SECURE
    Tunnel (name of tunnel above)

    NOTES: Make sure that you are NOT using the same subnet on both sides of
    the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
    they need to be different (or any other subnet for this example).

    Once you do get the tunnels built you need to add an ANY (if you want
    everything) rule that permits traffic between the two subnets.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  2. Archived from groups: comp.security.firewalls (More info?)

    it seems to me like some major mistake. Check connectivity between two
    devices, remove access-lists on Cisco and make sure IKE Phase 1 begins. If
    it fails on key negotiation and you DO have network reachability, then it
    may be key mismatch.
    Looks like Cisco side problem...

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b5dad5699e51f3098a796@news-server.columbus.rr.com...
    > In article <gc77f0dg12th4m3mredf9gu7vs0679q61b@4ax.com>,
    > oscarriverman@yahoo.co.uk says...
    > >
    > >
    > > We are having trouble getting a cisco pix and a watchguard firebox II
    > > to establish an IPSEC VPN tunnel.
    > > We are using ESP/DES/MD5 and dynamic isakmp key handling.
    > > After defining routing policy for our two private lans and enabling
    > > the tunnels,
    >
    > On the WatchGuard:
    >
    > Remote Gateway:
    > Remote ID Type: IP Address
    > Gateway IP Address: External IP of PIX
    > Shared Key (x) 'some shared key'
    > Phase 1 Settings:
    > Local ID Type: IP Address
    > Authentication: SHA1-HMAC
    > Encryption: 3DES-CBC
    > Diffie-Hellman Group: 1
    > Enable Aggressive Mode (X)
    >
    >
    > Tunnel Configuration
    > Phase 2 Settings:
    > Type: ESP
    > Authentication: SHA1-HMAC
    > Encryption: 3DES-CBC
    > Force Key Expiration (X)
    >
    >
    > Routing Policy
    > Local: Network (local subnet on WG Trusted Interface)
    > Remote: Network (local subnet behind PIX)
    > Disposition: SECURE
    > Tunnel (name of tunnel above)
    >
    > NOTES: Make sure that you are NOT using the same subnet on both sides of
    > the tunnel, you can not use 192.168.1.1 for the WG and also for the PIX,
    > they need to be different (or any other subnet for this example).
    >
    > Once you do get the tunnels built you need to add an ANY (if you want
    > everything) rule that permits traffic between the two subnets.
    >
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)
Ask a new question

Read More

Firewalls Cisco Cookie Networking