IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain name based connection

Hello,

I have Linksys BEFSX41 VPN endpoint running Linksys firmware 1.52.9 (which is the latest/greatest and supposedly very reliable, and has worked well for me) that is a VPN client to a Watchguard Firebox X1000 running Fireware Pro and OS 8.2.1 (latest/greatest)

I am trying to establish an IPSEC VPN using the following setup: BEFSX41 client: Has a dyndns.org domain name X1000 server: static IP

The X1000 is set up to use a "Domain Name" for the Remote Gateway type and specifies the dyndns.org domain name for the BEFSX41.

If I use the remote gateway id type as IP address, and specify the IP address, the VPN is established right away. However, when I use the domain name as the remote gateway, IT NEVER WORKS.

I have been working with the Watchguard LiveSecurity folks for 3 days with no progress. They have given up and told me that there is something wrong on the Linksys but cannot identify anything. Based on talking to the Watchguard pre-sales tech people as well as looking through manuals, as well as letting watchguard livesecurity connect to and verify my settings, all indicate that all settings are right.

I will greatly appreciate any tips on how this can be achieved and a VPN can be established with the BEFSX41 not requiring a static IP and working with the domain name.

I have included some additional details below.

Thank You.

Some logs:

BEFSX41 client:

2006-03-16 17:23:49 IKE[1] Tx >> AG_I1 : SA, KE, Nonce, ID
2006-03-16 17:23:50 IKE[1] Rx > AG_R1 : SA, KE, Nonce, ID, HASH
2006-03-16 17:23:56 IKE[1] Rx > AG_R1 : SA, KE, Nonce, ID, HASH

X1000 server (repeated multiple times):

iked WARNING: Rejected phase 1 aggressive mode from (no matching policy) cookies i= r=0000000000 000000000

Some settings for the VPN connection:

Encryption: DES
Authentication: MD5

Key Mgmt
-----------
Auto. (IKE)
PFS: Disabled
Key Lifetime: 3600 secs

Advanced settings
---------------------
Phase 1
Op mode: Aggressive mode
Proposal 1
Encryption: DES
Authentication: MD5
Group: 768-bit

Phase 2 Proposal
Encryption: DES
Auth: MD5
PFS: OFF
Group: 768-bit
Key Lifetime: 3600 secs

NetBIOS broadcast: OFF
Anti-replay: OFF
Keep-Alive: ON

I have tested Main Mode, and also switching between User domain name and domain name, but none of that helps.

Reply to
almathsec
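The "no matching policy" warning above comes from the responder's phase-1 lookup: in aggressive mode the initiator's ID payload arrives in the very first packet, and the responder uses its type and value to pick the gateway (and pre-shared key) to answer with. The following is an added illustration of that lookup, not code from the thread or from either vendor; the gateway name, the dyndns hostname and the IP addresses are constructed, and the matching rules are a simplified model of how an IKEv1 responder behaves.

```python
# Simplified IKEv1 aggressive-mode phase-1 policy selection (added example).
# Gateway names, hostnames, PSKs and addresses below are constructed.
from dataclasses import dataclass
from typing import List, Optional

ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = "IPV4_ADDR", "FQDN", "USER_FQDN"

@dataclass(frozen=True)
class Gateway:
    name: str
    remote_id_type: str   # ID type the policy expects from the peer
    remote_id: str        # IP literal, host name, or user@host
    psk: bytes            # pre-shared key bound to this peer ID

@dataclass(frozen=True)
class AggressiveInit:
    src_ip: str           # outer IP source of the AG_I1 packet
    id_type: str          # ID payload type the initiator sent
    id_value: str         # ID payload content

def id_matches(gw: Gateway, init: AggressiveInit) -> bool:
    # The ID type must match before the value is even compared; a peer
    # that sends IPV4_ADDR never matches a policy expecting FQDN.
    if gw.remote_id_type != init.id_type:
        return False
    if init.id_type == ID_IPV4_ADDR:
        # An IP identity is only meaningful if it equals the packet source.
        return gw.remote_id == init.id_value == init.src_ip
    # FQDN / USER_FQDN are compared as strings, case-insensitively.
    # No DNS lookup happens here, so a dynamic-DNS name matches only
    # when the peer presents exactly that name as its ID.
    return gw.remote_id.lower() == init.id_value.lower()

def select_policy(gateways: List[Gateway], init: AggressiveInit) -> Optional[Gateway]:
    for gw in gateways:
        if id_matches(gw, init):
            return gw
    return None  # responder logs "no matching policy" and drops AG_I1

def explain(gateways: List[Gateway], init: AggressiveInit) -> str:
    gw = select_policy(gateways, init)
    if gw is None:
        return f"Rejected phase 1 aggressive mode from {init.src_ip} (no matching policy)"
    return f"Phase 1 for gateway {gw.name} keyed by {init.id_type}={init.id_value}"

# Constructed policy: the hub expects the branch's dyndns name as an FQDN ID.
GATEWAYS = [Gateway("befsx41-branch", ID_FQDN, "branch.example.dyndns.org", b"constructed-psk")]

if __name__ == "__main__":
    print(explain(GATEWAYS, AggressiveInit("203.0.113.10", ID_IPV4_ADDR, "203.0.113.10")))
    print(explain(GATEWAYS, AggressiveInit("203.0.113.10", ID_FQDN, "branch.example.dyndns.org")))
```

Comparing the two calls shows the failure mode in the logs: the same peer from the same address is rejected when it identifies itself by IP and accepted when it sends the FQDN the policy expects, so the ID type configured on both ends is the first thing to compare.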

I forgot to mention that this is a Branch Office VPN (BOVPN) created manually by setting up the Gateway and Tunnel on The Firebox.

Reply to
almathsec

I've set up hundreds of Linksys BEFSX and BEFVP units, and dyndns.org has never been part of the solution; in fact, I would never set it up like that.

Set the WG as follows:

Remote Gateway:
Remote ID Type: User Name
Gateway IP Add: leave empty
Gateway Identifier: enter something
Shared Key: create one, you will need this on the Linksys
Local ID Type: IP Address
Authentication: SHA1-HMAC
Encryption: DES
DH Group 1
Enable PFS: No
Enable Aggressive Mode: Yes

Phase 2 Setting:

ESP, Sha1, 3DES

Do the Linksys according to the above.

Now, if you don't keep traffic flowing it will kill the tunnel, set it for 24 hours if you can. If you don't at least ping between networks the tunnel will die until something causes traffic.

Don't forget to create a rule for your tunnel to allow traffic.

Forget the Dynamic IP crap, get a real connection.

Reply to
Leythos

I want/need to set up the VPN using domain names and dynamic IPs. Hopefully someone else can help figure that out.

Reply to
almathsec

Since there are means to do the setup WITHOUT domain names, means that already work, what's your problem?

Since you are not using a fixed IP, since DynDNS doesn't always work right, and since there is an already existing method, use what works.

Why can't you get a fixed IP?

If you can afford a X1000, you can certainly afford a fixed IP.

Reply to
Leythos

I have 4 of the Linksys devices on 4 remote offices - two of them home based, 3 of the 4 have no static IPs (cannot justify a fixed IP on them). I believe that the domain based identification adds an extra level of security over the preshared key.

Does anyone know how to resolve this problem? I can provide additional details upon request.

Reply to
axm26

I had a couple of these boxes, used for office-to-home hardware VPN. They worked well for 6-9 months, then needed to be restarted a lot. They ended up being temperature sensitive and even with a fan on them, they both had trouble. Eventually I ditched them and bought the similar SMC box. gr

Reply to
gr

Since the domain can be faked, since a quality key can take years to break, since you can change the key once in a while, you're mistaken.

Reply to
Leythos
