VPN Nat Traversal Through Watchguards

Hi!

I have the following config:

Cisco 1721    --  Watchguard III 3500  --  Watchguard Firebox 1000  --  C 2611
10.0.0.240        PAT to Public IP         PAT to Public IP             192.168.1.216

In short, a simple VPN between two Cisco routers from network 10.0.0.0 to 192.168.1.0. Access lists, IPs and policies are all set up correctly. Ports UDP 500 and 4500 are forwarded on the two firewalls doing PAT.

The isakmp sa negotiation fails with the following debug:

*Mar 1 12:04:22.751: ISAKMP (0:1): purging node -982699947
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node 194628906
*Mar 1 12:04:23.548: ISAKMP: received ke message (1/1)
*Mar 1 12:04:23.552: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 12:04:23.552: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82FD33FC
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): found peer pre-shared key matching 24.159.222.242
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange

*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE..... Success rate is 0 percent (0/5)

Any ideas out there on what I need to change in the Fireboxes to get them to pass the request for the negotiation to the Cisco routers? As a side note, a VPN setup to a public IP succeeds if the VPN tunnel is brought up from behind the firewall device, but not if brought up from the public side.

Any and all ideas are appreciated!

Thanks,

Michael

Reply to
foxx0171
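A small triage script for Cisco ISAKMP debug output like the one in the post above, added here as an example and not code from the original thread. It assumes the `*Mon d hh:mm:ss.mmm: ISAKMP (x:y): ...` line format shown in the post, reconstructs the relevant debug entries inline as a constructed sample, and reports where the initiator's Phase 1 attempt stalled.

```python
import re

# Constructed sample: ISAKMP debug entries from the post above, one per line
# (the page has them run together on a single line).
DEBUG = """\
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

# Assumed line shape: "*Mar 1 12:04:23.552: ISAKMP (0:2): message" (the SA id is optional).
ENTRY = re.compile(r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): ISAKMP(?: \((?P<sa>\d+:\d+)\))?: (?P<msg>.*)$")
STATE = re.compile(r"Old State = (\S+) New State = (\S+)")
VID = re.compile(r"constructed NAT-T (vendor-\d+) ID")

def parse_entries(text):
    """Turn debug text into dicts with ts, sa and msg fields; skip lines that do not match."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]

def triage(text):
    """Summarise an IKEv1 initiator's Phase 1 attempt and say where it stalled."""
    entries = parse_entries(text)
    sent = sum(e["msg"].startswith("sending packet") for e in entries)
    received = sum(e["msg"].startswith("received packet") for e in entries)
    transitions = [STATE.search(e["msg"]).groups() for e in entries if STATE.search(e["msg"])]
    last_state = transitions[-1][1] if transitions else None
    nat_t_vids = sorted({VID.search(e["msg"]).group(1) for e in entries if VID.search(e["msg"])})
    if sent and not received and last_state == "IKE_I_MM1":
        # Only MM1 left the router and nothing came back: the UDP/500 packet never
        # reached a listening responder, or the reply never made it back through the
        # PAT devices. NAT-D discovery only happens in MM3/MM4, so the NAT-T vendor
        # IDs being offered proves nothing about NAT-T yet.
        verdict = "stalled at MM1: no reply on UDP 500"
    elif received:
        verdict = "peer answered; inspect the later Main Mode states"
    else:
        verdict = "no Main Mode packets observed"
    return {"sent": sent, "received": received, "last_state": last_state,
            "nat_t_vids": nat_t_vids, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(DEBUG).items():
        print(f"{key}: {value}")
```

Feed it `debug crypto isakmp` output captured on the initiating router; a verdict of "stalled at MM1" means the port forward or the return path, not the IKE policy, is the first thing to check.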

Hi Michael,

You may also wish to investigate the two Watchguard Forums:

formatting link
as well as

formatting link
Sincerely,

Brad Reese BradReese.Com - Cisco Technical Forums

formatting link
Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Salary and Compensation Rates
formatting link

Reply to
www.BradReese.Com

Brad -

Thanks. Will do!

Michael


Reply to
Kitingfox
