Cisco IPSEC VPN behind Watchguard

Hi!

Looking for someone with a little WatchGuard experience out there... this is a brand that I am not familiar with. I'm hoping that it is a quick setting change in the WatchGuards to get this to work.

I have the following config:

Cisco 1721      Watchguard III 3500     Watchguard Firebox 1000     C 2611
10.0.0.240      PAT to Public IP        PAT to Public IP            192.168.1.216

In short, a simple VPN between two Cisco routers from network 10.0.0.0 to 192.168.1.0. Access lists, IPs and policies are all set up correctly. Ports UDP 500 and 4500 are forwarded on the two firewalls doing PAT.

The ISAKMP SA negotiation fails with the following debug:

*Mar 1 12:04:22.751: ISAKMP (0:1): purging node -982699947
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node 194628906
*Mar 1 12:04:23.548: ISAKMP: received ke message (1/1)
*Mar 1 12:04:23.552: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 12:04:23.552: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82FD33FC
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): found peer pre-shared key matching 24.159.222.242
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange

*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)

Any ideas out there on what I need to change in the Fireboxes to get them to pass the request for the negotiation to the Cisco routers? As a side note, a VPN setup to a public IP succeeds if the VPN tunnel is brought up from behind the firewall device, but not if brought up from the public side.

Any and all ideas are appreciated!

Thanks,

Michael

Reply to
foxx0171
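The debug above shows the classic shape of an IKE phase 1 stall behind PAT: the initiator builds its first Main Mode packet, sends it to the peer on UDP/500, and nothing ever comes back, so the SA never leaves IKE_I_MM1. That is hard to see when the output is dumped on one line. The following is an added example for this thread, not code from the original post or from Cisco: a small Python analyzer for IOS "debug crypto isakmp" output that tracks per-SA state transitions, counts packets sent and received, notes whether NAT-T vendor IDs were offered, and reports whether phase 1 is progressing or got no reply. The SAMPLE_DEBUG lines are copied from the post (split one event per line); HEALTHY_DEBUG is a constructed contrast case, and the "received packet from ... dport ... sport ..." line it contains follows the usual IOS format, which is an assumption since the post never reached that point.

```python
"""Analyzer for Cisco IOS "debug crypto isakmp" output.

Added example for this thread, not code from the original post or from Cisco.
It parses the state-machine lines IOS prints for each IKE SA and reports
whether phase 1 stalled after the first Main Mode packet.
"""
import re
from collections import defaultdict

# Lines copied from the original post, one event per line (the post had them run together).
SAMPLE_DEBUG = """\
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

# Constructed contrast case (not from the post): the peer answers and the SA advances.
# The "received packet" line format is assumed from typical IOS output.
HEALTHY_DEBUG = SAMPLE_DEBUG + """\
*Mar 1 12:04:23.700: ISAKMP (0:2): received packet from 22.222.222.242 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 12:04:23.704: ISAKMP (0:2): Old State = IKE_I_MM1 New State = IKE_I_MM2
"""

STATE_RE = re.compile(r"ISAKMP \((\S+)\): Old State = (\S+) New State = (\S+)")
SEND_RE = re.compile(r"ISAKMP \((\S+)\): sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\)")
RECV_RE = re.compile(r"ISAKMP \((\S+)\): received packet from (\S+) dport (\d+) sport (\d+)")
NATT_RE = re.compile(r"constructed NAT-T vendor-")


def analyze_isakmp(debug_text):
    """Return a summary dict: per-SA final state, packets sent/received, NAT-T offer, verdict."""
    last_state = {}
    sent = defaultdict(int)
    received = defaultdict(int)
    peers = {}            # sa id -> (peer address, our role "I" or "R")
    ports = set()         # UDP ports seen on the wire (500, or 4500 after NAT-T float)
    natt_offered = False
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            last_state[m.group(1)] = m.group(3)
        elif m := SEND_RE.search(line):
            sa, peer, _my_port, peer_port, role = m.groups()
            sent[sa] += 1
            peers[sa] = (peer, role)
            ports.add(int(peer_port))
        elif m := RECV_RE.search(line):
            received[m.group(1)] += 1
            ports.add(int(m.group(3)))
        elif NATT_RE.search(line):
            natt_offered = True

    findings = []
    verdict = "progressing"
    for sa, (peer, role) in peers.items():
        # We initiated and never saw a single packet back: the exchange died on the path.
        if role == "I" and received.get(sa, 0) == 0:
            verdict = "no_reply"
            findings.append(
                f"SA {sa}: sent {sent[sa]} Main Mode packet(s) to {peer} on UDP/{max(ports)} "
                f"and got nothing back (state {last_state.get(sa)}). Either the packet never "
                "reached the peer's IKE endpoint or its answer never returned: check the "
                "UDP/500 forward on the peer's PAT device and the return path on the local one.")
    if natt_offered:
        findings.append("NAT-T vendor IDs offered: once NAT is detected IKE moves to UDP/4500 "
                        "and ESP is encapsulated in UDP/4500, so that port must be forwarded too.")
    return {"last_state": dict(last_state), "sent": dict(sent), "received": dict(received),
            "natt_offered": natt_offered, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, text in (("poster's debug", SAMPLE_DEBUG), ("constructed healthy run", HEALTHY_DEBUG)):
        result = analyze_isakmp(text)
        print(f"== {name}: {result['verdict']}")
        for finding in result["findings"]:
            print(" -", finding)
```

Run it on a pasted debug capture and look at the verdict first: "no_reply" with the SA parked in IKE_I_MM1 means the problem is on the path (forwarding or return translation), not in the crypto policy, which only gets compared once MM2 arrives.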

Create the tunnels using the WatchGuard-to-WatchGuard firewalls; why pass it through them?

Reply to
Leythos

Leythos -

I wish that we could do that, but unfortunately I didn't have a choice in the design of this network. They already had the proper Cisco licenses and did not want to spend money on the WatchGuard licenses.

Thanks,

Michael


Reply to
Kitingfox

Branch-Office VPN is built into the units you are using, for free, and they work perfectly. I have a few of the III units here; everything in the 1000 line and above has LOTS of branch-office VPN connections included with the model. Only the really cheap units have optional BOVPN.

If you want to do the Cisco, then you need to make sure that each network is on a different subnet (no network can be the same at any point), then set up IPSec filter rules in the WG units to permit IN/OUT from the interfaces as needed.

Reply to
Leythos
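The two requirements in the reply above, non-overlapping subnets and firewall rules that actually deliver IKE and NAT-T to the inside router, can be checked before touching either box. The following is an added example for this thread, not WatchGuard or Cisco code: a Python pre-flight check that models each site as a private network, the PAT firewall's inbound forwards, and the IKE endpoint behind it, and reports what is missing. The /24 prefix lengths are assumed (the thread gives only the network addresses); the forwards listed for the two sites mirror what the original post says was configured, and the broken topology in the test is constructed.

```python
"""Pre-flight check for a site-to-site IPsec tunnel whose endpoints sit behind PAT firewalls.

Added example for this thread, not WatchGuard or Cisco code. Prefix lengths (/24)
are an assumption; the thread names only the network addresses.
"""
import ipaddress

IKE_PORT = 500      # ISAKMP / IKE phase 1
NAT_T_PORT = 4500   # IKE after NAT detection, and UDP-encapsulated ESP

# Topology from the thread: (site name, local net, remote net, inbound forwards on that
# site's PAT firewall as {(proto, port): inside host}, IKE endpoint = the Cisco router).
SITES = [
    ("site A (1721 behind Firebox III 3500)", "10.0.0.0/24", "192.168.1.0/24",
     {("udp", 500): "10.0.0.240", ("udp", 4500): "10.0.0.240"}, "10.0.0.240"),
    ("site B (2611 behind Firebox 1000)", "192.168.1.0/24", "10.0.0.0/24",
     {("udp", 500): "192.168.1.216", ("udp", 4500): "192.168.1.216"}, "192.168.1.216"),
]


def check_site(name, local_net, remote_net, forwards, ike_endpoint):
    """Return a list of problems for one side of the tunnel (empty list = looks fine)."""
    problems = []
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)

    # Overlapping address space: crypto ACLs and routing cannot tell the two sites apart.
    if local.overlaps(remote):
        problems.append(f"{name}: local {local} overlaps remote {remote}; renumber one side")

    # The IKE endpoint itself must live in the local network the firewall protects.
    if ipaddress.ip_address(ike_endpoint) not in local:
        problems.append(f"{name}: IKE endpoint {ike_endpoint} is not inside {local}")

    # Without these forwards the remote side can never initiate; only outbound-initiated
    # exchanges survive PAT, which matches the "works from inside, not from outside" symptom.
    for port in (IKE_PORT, NAT_T_PORT):
        target = forwards.get(("udp", port))
        if target is None:
            problems.append(f"{name}: no inbound forward for UDP/{port}; peer cannot reach {ike_endpoint}")
        elif target != ike_endpoint:
            problems.append(f"{name}: UDP/{port} is forwarded to {target}, not to the IKE endpoint {ike_endpoint}")
    return problems


def check_topology(sites):
    """Run check_site over every site and return all problems found."""
    problems = []
    for site in sites:
        problems.extend(check_site(*site))
    return problems


if __name__ == "__main__":
    found = check_topology(SITES)
    print("no problems found" if not found else "\n".join(found))
```

The check says nothing about the crypto policy itself; it only confirms the conditions under which the first IKE packet can arrive at the router on each side, which is exactly where the thread's debug shows the exchange dying.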

Leythos -

Wish that I would have known that going into the project. Oh well, that is life sometimes. Since I have the units in and set up, I'll have to move ahead with the original plans.

Right now the IPSec rules on the Cisco devices just use the current private networks (192.168.1.0 and 10.0.0.0) and encapsulate packets bound for the other networks. You are saying that I have to change this setup... is that because the WG unit will have a problem with an IPSec filter that goes to an internal address?

I was just setting these up as secondary gateways on the network... each of the WGs has a route statement to route the traffic that needs to be encapsulated to the Cisco devices.

Is there a resource out there that has the WG manuals? I checked on their site, but it seems like you need a login in order to get any information.

Thanks for all your help... it is really appreciated.

Michael

So it sounds like I need to set up WG IPSec filter rules.

Reply to
Kitingfox
