Hi!
Looking for someone with a little watchguard experience out there...this is a brand that I am not familiar with. I'm hoping that it is a quick setting change in the watchguards to get this to work.
I have the following config:
Cisco 1721     Watchguard III 3500    Watchguard Firebox 1000    C 2611
10.0.0.240     PAT to public IP       PAT to public IP           192.168.1.216

In short, a simple VPN between two Cisco routers from network 10.0.0.0 to 192.168.1.0. Access lists, IPs and policies are all set up correctly. Ports UDP 500 and 4500 are forwarded on the two firewalls doing PAT.
The isakmp sa negotiation fails with the following debug:
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node -982699947
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node 194628906
*Mar 1 12:04:23.548: ISAKMP: received ke message (1/1)
*Mar 1 12:04:23.552: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 12:04:23.552: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82FD33FC
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): found peer pre-shared key matching 24.159.222.242
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE
.....
Success rate is 0 percent (0/5)

Any ideas out there on what I need to change in the Fireboxes to get them to pass the request for the negotiation to the Cisco routers? As a side note, a VPN setup to a public IP succeeds if the VPN tunnel is brought up from behind the firewall device, but not if brought up from the public side.
Any and all ideas are appreciated!
Thanks,
Michael
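Added example, not part of Michael's post: a small Python diagnostic that parses initiator-side `debug crypto isakmp` lines like the ones quoted above and flags the symptom shown there, a main-mode MM1 sent with no inbound IKE packet ever logged. The sample lines are re-typed from the post; the `received packet from` pattern is assumed to match Cisco's wording for inbound IKE packets.

```python
import re

# Constructed sample input: the initiator-side debug lines quoted in the post,
# one per line (the original was run together by extraction).
DEBUG_LINES = """\
*Mar 1 12:04:23.552: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE
""".splitlines()

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+)")  # assumed Cisco inbound wording

def analyse_isakmp(lines):
    """Summarise state transitions, packets sent/received and NAT-T offer, and flag a stalled MM1."""
    report = {"states": [], "sent": [], "received": 0, "nat_t_offered": False}
    for line in lines:
        if m := STATE_RE.search(line):
            report["states"].append(m.group(2))
        if m := SEND_RE.search(line):
            report["sent"].append({"peer": m.group(1), "my_port": int(m.group(2)),
                                   "peer_port": int(m.group(3)), "role": m.group(4),
                                   "msg_state": m.group(5)})
        if RECV_RE.search(line):
            report["received"] += 1
        if "constructed NAT-T vendor" in line:
            report["nat_t_offered"] = True
    report["last_state"] = report["states"][-1] if report["states"] else None
    # Stalled initiator: first main-mode message went out (IKE_I_MM1 / MM_NO_STATE)
    # and no inbound packet was logged, so the peer, or the PAT device in front
    # of it, never answered on UDP/500.
    report["stalled_at_mm1"] = (report["last_state"] == "IKE_I_MM1"
                                and report["received"] == 0
                                and bool(report["sent"]))
    return report

def describe(report):
    """One-line verdict for an operator reading the debug output."""
    if report["stalled_at_mm1"]:
        first = report["sent"][0]
        note = " (NAT-T offered; UDP/4500 is also needed once NAT is detected)" if report["nat_t_offered"] else ""
        return (f"phase 1 stalled: MM1 sent to {first['peer']}:{first['peer_port']} with no reply logged; "
                f"confirm with a capture at the responder's PAT device that UDP/500 arrives{note}")
    return f"phase 1 reached {report['last_state']} with {report['received']} inbound packet(s)"

print(describe(analyse_isakmp(DEBUG_LINES)))
```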