926 Views, 0 Helpful, 14 Replies

PIX to Watchguard Firebox VPN

paulc
Level 1

I have set up a VPN to a Watchguard Firebox. I thought it was a relatively easy build, but now whenever the SA timeout occurs (8 hours), the VPN tunnel stays down. When I do a sh cry it appears to fail on the key exchange. Once the remote site tech rebuilds the VPN on the Watchguard side, the tunnel comes up.

Now, of course, I'm not asking for help with a WG Firebox but I am wondering if anyone has had experience with a 515E VPN to a WG Firebox and experienced difficulties with the tunnel.

14 Replies

mattiaseriksson
Level 3

First thing that you should verify is that the IKE and IPSec SA lifetimes are identically configured on both sides.

I would agree with that first step. However, I once read (and I can't remember where) that even if the lifetimes are different, during negotiations of each phase, the lowest lifetime will be chosen.

can anyone confirm/deny this?

-thanks

Yes, that is normally the case but sometimes when you mix equipment from different vendors, that is not always true.

I have personally not had that problem with watchguard, but with other firewalls.

Well, we did have a Phase 1 mis-match on time-outs. The tunnel is up and I'll see tomorrow when the time-out expires whether I can bring the tunnel back up.

That's what we thought, too, and confirmed that they match. However, if they were wrong, wouldn't that prevent the tunnel from ever coming up?

I tried pinging the remote server this morning and got no reply.

sh cry isa sa shows the phase 1 is stuck at "mm key exchange" so, apparently, the timeout wasn't an issue (or, at least, the only issue).

Then I think you need to run debugging on both sides, especially from the side that is not initiating the connection.

I would also try to change some of the IKE parameters, to see if it makes any difference.

What model watchguard box are you using? Are you using Manual IPSec on the WG?

Firebox X Edge and manual.

The watchguard logs each step of the tunnel build. Have the remote admin send you that portion of the log or a screen capture of the negotiation process from the management software. It should help you to pinpoint the problem.

Thanks for the suggestion. I'll try that and let you know the results.

Finally got it. In the Cisco debug was a line about FQDN so it appears the exchange was failing due to one side looking for a name and the other an IP. I entered isakmp identity address and the problem has been resolved.
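For readers who land on this thread with the same symptom, here is what the two points raised above (matching SA lifetimes and the ISAKMP identity type) look like together in a PIX 6.x site-to-site configuration. This is an added example, not the original poster's configuration: the peer address, pre-shared key and protected networks are placeholders, and lines beginning with `:` are PIX comment lines.

```text
: Added example (not from the thread). Placeholders: 203.0.113.10 is the
: Watchguard's public IP, PLACEHOLDER-PSK the shared secret, and the
: 10.1.0.0/24 and 192.168.50.0/24 networks are the two LANs.

: Interesting traffic for the tunnel; also exempt it from NAT.
access-list vpn-to-wg permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list vpn-to-wg
sysopt connection permit-ipsec

: Phase 2 (IPsec) proposal and lifetime. Compare this value with the
: Watchguard's IPsec SA lifetime; the thread's 8-hour timeout is 28800 s.
crypto ipsec transform-set wg-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800

crypto map wg-map 10 ipsec-isakmp
crypto map wg-map 10 match address vpn-to-wg
crypto map wg-map 10 set peer 203.0.113.10
crypto map wg-map 10 set transform-set wg-set
crypto map wg-map interface outside

: Phase 1 (IKE). The pre-shared key is bound to the peer's IP address.
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.10 netmask 255.255.255.255

: The fix from this thread: send our outside IP address as the IKE identity.
: If the PIX is left on "isakmp identity hostname" it sends an FQDN identity
: payload, and a peer expecting an IP-address identity rejects main mode,
: which is what "sh cry isa sa" stuck at MM_KEY_EXCH was showing.
isakmp identity address

: Phase 1 policy; the lifetime here must also be compared with the
: Watchguard's IKE (Phase 1) lifetime.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
```

After applying this, `show crypto isakmp sa` should progress past MM_KEY_EXCH to QM_IDLE once the Phase 1 SA is established, and `show crypto ipsec sa` should show the Phase 2 SAs with the lifetime configured above. If the tunnel again fails only after the first rekey, compare the IKE and IPsec lifetimes on both sides first, as suggested earlier in the thread, before changing any other IKE parameter.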

Just came across this conversation as I am having an issue getting the Cisco client to VPN through a Watchbox. Where did you enter the isakmp address?

Do you mean on the Watchguard box? I didn't work on that. The customer's rep set that up. I have a screen shot he sent me, though. Open up a browser and plug in the Watchguard's IP. After the page loads, just click on VPN. This is for a Watchguard Firebox X device.
