Watchguard FB700 Branch VPN Issue - Firewalls



Thread: Watchguard FB700 Branch VPN Issue

  1. Watchguard FB700 Branch VPN Issue

    Hello,

    I have an issue with a VPN tunnel that has worked fine for 4 years
    until this week. The tunnel is a one way tunnel. The boxes are both
    Watchguard 700's. Ping is enabled on the remote firewall.
    When I ping the trusted interface on the remote box, 10.x.x.253, it
    responds. When I ping the machine 10.x.x.140, there is no response. The machine
    is on and functioning. Now I noticed some weird things in the logs.
    Here are the logs from the remote firebox:

    04/12/08 18:18 iked[133]: FROM 66.184.x.x IF-HDR* -C9279D04 ISA_HASH
    04/12/08 18:18 iked[133]: Received a packet for an unknown SA
    04/12/08 18:21 dvcpd[119]: opening dvcp server 66.184.x.x with client id DGJ
    04/12/08 18:21 dvcpd[119]: Read error from 66.184.x.x : Connection refused
    04/12/08 18:21 dvcpd[119]: config file has not changed since last dvcp update
    04/12/08 18:21 dvcpd[119]: server will be contacted in 1800 seconds
    04/12/08 18:21 iked[133]: FROM 66.184.x.x IF-HDR* -5B98261D ISA_HASH
    04/12/08 18:21 iked[133]: Received a packet for an unknown SA
    04/12/08 18:22 iked[133]: FROM 66.184.x.x MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
    04/12/08 18:22 iked[133]: TO 66.184.x.x MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID
    04/12/08 18:22 iked[133]: FROM 66.184.x.x MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
    04/12/08 18:22 iked[133]: TO 66.184.x.x MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
    04/12/08 18:22 iked[133]: CRYPTO ACTIVE after delay
    04/12/08 18:22 iked[133]: FROM 66.184.x.x MM-HDR* ISA_ID ISA_HASH
    04/12/08 18:22 iked[133]: TO 66.184.x.x MM-HDR* ISA_ID ISA_HASH
    04/12/08 18:22 iked[133]: FROM 66.184.x.x IF-HDR* -43BD09B5 ISA_HASH ISA_NOTIFY
    04/12/08 18:22 iked[133]: Received INITIAL_CONTACT message, mess_id=0xB509BD43
    04/12/08 18:22 iked[133]: FROM 66.184.x.x QM-HDR* -5D1E747E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
    04/12/08 18:22 iked[133]: TO 66.184.x.x QM-HDR* -5D1E747E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
    04/12/08 18:22 iked[133]: FROM 66.184.x.x QM-HDR* -5D1E747E ISA_HASH
    04/12/08 18:22 iked[133]: Load outbound ESP SA, Algs=ESP_DES/AUTH_ALG_HMAC_SHA1 Life=0sec/0KB SPI=1404194A
    04/12/08 18:22 iked[133]: Load inbound ESP SA, Algs=ESP_DES/AUTH_ALG_HMAC_SHA1 Life=0sec/0KB SPI=12042074
    04/12/08 18:22 iked[133]: Tunnel created for 10.x.x.0/24 <-> 10.x.x.0/14
    04/12/08 18:22 kernel: ipsec: make bundle for channel 14, 1 in SA's, 1 out SA's
    04/12/08 18:25 iked[133]: FROM 66.184.x.x IF-HDR* -5E28E4FC ISA_HASH ISA_NOTIFY
    04/12/08 18:25 iked[133]: Received KEEPALIVE_REQUEST message, mess_id=0xFCE4285E
    04/12/08 18:25 iked[133]: Sending KEEPALIVE_ACK message
    04/12/08 18:25 iked[133]: TO 66.184.x.x IF-HDR* -7CD567A1 ISA_HASH ISA_NOTIFY
    04/12/08 18:25 iked[133]: TO 66.184.x.x IF-HDR* -7CD567A1 ISA_HASH ISA_NOTIFY
    04/12/08 18:28 iked[133]: FROM 66.184.x.x IF-HDR* -0E19F640 ISA_HASH ISA_NOTIFY
    04/12/08 18:28 iked[133]: Received KEEPALIVE_REQUEST message, mess_id=0x40F6190E
    04/12/08 18:28 iked[133]: Sending KEEPALIVE_ACK message
    04/12/08 18:28 iked[133]: TO 66.184.x.x IF-HDR* -E675CDAD ISA_HASH ISA_NOTIFY
    04/12/08 18:31 iked[133]: FROM 66.184.x.x IF-HDR* -0762ACC7 ISA_HASH ISA_NOTIFY
    04/12/08 18:31 iked[133]: Received KEEPALIVE_REQUEST message, mess_id=0xC7AC6207
    04/12/08 18:31 iked[133]: Sending KEEPALIVE_ACK message
    04/12/08 18:31 iked[133]: TO 66.184.x.x IF-HDR* -55D1BF24 ISA_HASH ISA_NOTIFY
    04/12/08 18:34 iked[133]: FROM 66.184.x.x IF-HDR* -459D6CAB ISA_HASH ISA_NOTIFY
    04/12/08 18:34 iked[133]: Received KEEPALIVE_REQUEST message, mess_id=0xAB6C9D45
    04/12/08 18:34 iked[133]: Sending KEEPALIVE_ACK message
    04/12/08 18:34 iked[133]: TO 66.184.x.x IF-HDR* -FE956D35 ISA_HASH ISA_NOTIFY
    04/12/08 18:37 iked[133]: FROM 66.184.x.x IF-HDR* -2460B6DE ISA_HASH ISA_NOTIFY
    04/12/08 18:37 iked[133]: Received KEEPALIVE_REQUEST message, mess_id=0xDEB66024
    04/12/08 18:37 iked[133]: Sending KEEPALIVE_ACK message
    04/12/08 18:37 iked[133]: TO 66.184.x.x IF-HDR* -5F5BE769 ISA_HASH ISA_NOTIFY

    I'm thinking it's an encryption problem, but I'm not sure.

    Thanks for any help
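    An added example, not part of the original post and not a WatchGuard tool: a small
    Python analyzer for iked log lines of the shape quoted above. It reports whether
    Main Mode (IKE Phase 1) and Quick Mode (Phase 2) both completed, which ESP SAs were
    loaded and with which algorithms, what the tunnel selectors were, whether NAT-D
    (NAT-Traversal discovery) payloads appeared, and how many "unknown SA" packets
    arrived. The sample log is a constructed condensation of the lines in the post
    (fewer ISA_VENDORID payloads, one keepalive pair), with the peer address masked
    as the poster masked it. Run against that sample it shows the negotiation reaching
    "Tunnel created for 10.x.x.0/24 <-> 10.x.x.0/14", and it flags two things worth a
    second look: ESP_DES (single DES, 56-bit key) as the cipher, and the asymmetric
    /24 vs /14 selectors.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a condensed copy of the iked lines quoted in the post,
# peer address masked exactly as the poster masked it. Not a live capture.
SAMPLE_LOG = """\
04/12/08 18:18 iked[133]: FROM 66.184.x.x IF-HDR* -C9279D04 ISA_HASH
04/12/08 18:18 iked[133]: Received a packet for an unknown SA
04/12/08 18:22 iked[133]: FROM 66.184.x.x MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID
04/12/08 18:22 iked[133]: TO 66.184.x.x MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID
04/12/08 18:22 iked[133]: FROM 66.184.x.x MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
04/12/08 18:22 iked[133]: TO 66.184.x.x MM-HDR ISA_KE ISA_NONCE NAT-D NAT-D
04/12/08 18:22 iked[133]: FROM 66.184.x.x MM-HDR* ISA_ID ISA_HASH
04/12/08 18:22 iked[133]: TO 66.184.x.x MM-HDR* ISA_ID ISA_HASH
04/12/08 18:22 iked[133]: Received INITIAL_CONTACT message, mess_id=0xB509BD43
04/12/08 18:22 iked[133]: FROM 66.184.x.x QM-HDR* -5D1E747E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
04/12/08 18:22 iked[133]: TO 66.184.x.x QM-HDR* -5D1E747E ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
04/12/08 18:22 iked[133]: FROM 66.184.x.x QM-HDR* -5D1E747E ISA_HASH
04/12/08 18:22 iked[133]: Load outbound ESP SA, Algs=ESP_DES/AUTH_ALG_HMAC_SHA1 Life=0sec/0KB SPI=1404194A
04/12/08 18:22 iked[133]: Load inbound ESP SA, Algs=ESP_DES/AUTH_ALG_HMAC_SHA1 Life=0sec/0KB SPI=12042074
04/12/08 18:22 iked[133]: Tunnel created for 10.x.x.0/24 <-> 10.x.x.0/14
04/12/08 18:25 iked[133]: Received KEEPALIVE_REQUEST message, mess_id=0xFCE4285E
04/12/08 18:25 iked[133]: Sending KEEPALIVE_ACK message
"""

# Main Mode messages 5/6 carry the encrypted identity and hash ('*' marks an
# encrypted header); seeing them in both directions means Phase 1 finished.
MM_FINAL = re.compile(r"\b(FROM|TO) \S+ MM-HDR\* ISA_ID ISA_HASH$")
# Quick Mode messages 1/2 carry the proposal (ISA_SA); message 3 is HASH only.
QM_PROPOSAL = re.compile(r"\b(FROM|TO) \S+ QM-HDR\* (-?[0-9A-F]+) ISA_HASH ISA_SA\b")
QM_FINAL = re.compile(r"\bFROM \S+ QM-HDR\* (-?[0-9A-F]+) ISA_HASH$")
ESP_SA = re.compile(r"Load (inbound|outbound) ESP SA, Algs=(\S+)/(\S+) Life=\S+ SPI=([0-9A-F]+)")
TUNNEL = re.compile(r"Tunnel created for (\S+) <-> (\S+)")

WEAK_ESP = {"ESP_DES", "ESP_NULL"}  # single DES (56-bit key) and no encryption


@dataclass
class IkeSummary:
    phase1_complete: bool = False
    phase2_complete: bool = False
    nat_traversal: bool = False
    esp_sas: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (dir, enc, auth, spi)
    tunnel: Optional[Tuple[str, str]] = None
    unknown_sa_packets: int = 0
    keepalive_acks: int = 0
    warnings: List[str] = field(default_factory=list)


def analyze_iked_log(text: str) -> IkeSummary:
    """Summarise one IKEv1 negotiation from iked lines of the form shown in the post."""
    s = IkeSummary()
    mm_dirs, qm_msgids = set(), set()
    qm_closed = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if "Received a packet for an unknown SA" in line:
            s.unknown_sa_packets += 1
        if "NAT-D" in line:  # NAT-Traversal discovery payloads (RFC 3947)
            s.nat_traversal = True
        if "Sending KEEPALIVE_ACK" in line:
            s.keepalive_acks += 1
        if (m := MM_FINAL.search(line)):
            mm_dirs.add(m.group(1))
        elif (m := QM_PROPOSAL.search(line)):
            qm_msgids.add(m.group(2))
        elif (m := QM_FINAL.search(line)) and m.group(1) in qm_msgids:
            qm_closed = True  # third QM message for a proposal we saw
        elif (m := ESP_SA.search(line)):
            direction, enc, auth, spi = m.groups()
            s.esp_sas.append((direction, enc, auth, spi))
            if enc in WEAK_ESP:
                s.warnings.append(f"{direction} ESP SA SPI={spi} uses weak cipher {enc}")
        elif (m := TUNNEL.search(line)):
            s.tunnel = (m.group(1), m.group(2))
    s.phase1_complete = mm_dirs == {"FROM", "TO"}
    s.phase2_complete = qm_closed and {d for d, *_ in s.esp_sas} == {"inbound", "outbound"}
    if s.unknown_sa_packets:
        s.warnings.append(f"{s.unknown_sa_packets} packet(s) referenced an SA this box does not "
                          "hold (commonly a stale SA on the peer; check for a renegotiation after it)")
    if s.tunnel and s.tunnel[0].rsplit("/", 1)[-1] != s.tunnel[1].rsplit("/", 1)[-1]:
        s.warnings.append(f"asymmetric selectors {s.tunnel[0]} <-> {s.tunnel[1]}: "
                          "confirm the remote prefix is intended")
    return s


if __name__ == "__main__":
    for name, value in vars(analyze_iked_log(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

    Feed it a longer excerpt than the sample and the counters still only reflect
    what the lines say: a Phase 2 that never reaches its third message, or an SA
    loaded in one direction only, leaves phase2_complete False.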

  2. Re: Watchguard FB700 Branch VPN Issue

    In article <6e5441de-35c7-41f4-8ac0-a66b9f8d8df5
    @a1g2000hsb.googlegroups.com>, mhager@frenchcreekcomp.com says...
    > Hello,
    >
    > I have an issue with a VPN tunnel that has worked fine for 4 years
    > until this week. The tunnel is a one way tunnel. The boxes are both
    > Watchguard 700's. Ping is enabled on the remote firewall.
    > When I ping the trusted interface on the remote box, 10.x.x.253, it
    > responds. When I ping the machine 10.x.x.140, there is no response. The machine
    > is on and functioning. Now I noticed some weird things in the logs.
    > Here are the logs from the remote firebox:

    Generate new certificates for both fireboxes and see if that fixes it.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  3. Re: Watchguard FB700 Branch VPN Issue

    On Apr 13, 8:30 pm, Leythos wrote:
    > In article <6e5441de-35c7-41f4-8ac0-a66b9f8d8df5
    > @a1g2000hsb.googlegroups.com>, mha...@frenchcreekcomp.com says...
    >
    > > Hello,
    >
    > > I have an issue with a VPN tunnel that has worked fine for 4 years
    > > until this week. The tunnel is a one way tunnel. The boxes are both
    > > Watchguard 700's. Ping is enabled on the remote firewall.
    > > When I ping the trusted interface on the remote box, 10.x.x.253, it
    > > responds. When I ping the machine 10.x.x.140, there is no response. The machine
    > > is on and functioning. Now I noticed some weird things in the logs.
    > > Here are the logs from the remote firebox:
    >
    > Generate new certificates for both fireboxes and see if that fixes it.
    >
    > --
    > - Igitur qui desiderat pacem, praeparet bellum.
    > - Calling an illegal alien an "undocumented worker" is like calling a
    > drug dealer an "unlicensed pharmacist"
    > spam999f...@rrohio.com (remove 999 for proper email address)

    Hi,

    Thanks for the response. I'm not using certs, I'm using a shared
    secret.

    Should I dump the shared secret for a cert?

    Thanks

  4. Re: Watchguard FB700 Branch VPN Issue

    In article @a70g2000hsh.googlegroups.com>, mhager@frenchcreekcomp.com says...
    > On Apr 13, 8:30 pm, Leythos wrote:
    > > In article <6e5441de-35c7-41f4-8ac0-a66b9f8d8df5
    > > @a1g2000hsb.googlegroups.com>, mha...@frenchcreekcomp.com says...
    > >
    > > > Hello,
    > >
    > > > I have an issue with a VPN tunnel that has worked fine for 4 years
    > > > until this week. The tunnel is a one way tunnel. The boxes are both
    > > > Watchguard 700's. Ping is enabled on the remote firewall.
    > > > When I ping the trusted interface on the remote box, 10.x.x.253, it
    > > > responds. When I ping the machine 10.x.x.140, there is no response. The machine
    > > > is on and functioning. Now I noticed some weird things in the logs.
    > > > Here are the logs from the remote firebox:
    > >
    > > Generate new certificates for both fireboxes and see if that fixes it.
    > >
    >
    > Hi,
    >
    > Thanks for the response. I'm not using certs, I'm using a shared
    > secret.
    >
    > Should I dump the shared secret for a cert?

    I use shared keys also, but I believe that the firebox has a built-in
    certificate for branch office tunnels - I could be wrong, but it's worth
    a shot.

    You could also have that machine with a bad default-gateway address. As
    an example, we had a person install a printer at 10.38.0.200 with a
    gateway of 10.8.0.1 when it should have been 10.38.0.1. They could print
    to the printer on their local network, but it would not route via the
    firewall/VPN's and we could not reach it remotely - when the GW was
    reset it worked perfectly - as one would expect.

    Check your default gateway on the system in question.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)
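    An added example, not from the post and not WatchGuard code: a Python check for the
    default-gateway mistake described in the reply above. It takes a host's address,
    prefix length and configured gateway and reports what is wrong with the triple: a
    gateway outside the host's own subnet (the printer case, 10.8.0.1 instead of
    10.38.0.1), a gateway equal to the host, network or broadcast address, and, when
    the LAN address of the router that holds the VPN is passed in, a gateway that is
    not that router, which is why a host can answer pings from its own LAN yet never
    reply across a tunnel. The /24 mask on the printer and the unmasked addresses
    10.1.1.140 / 10.1.1.253 used for the poster's host and firebox trusted interface
    are assumptions; the post gives neither.

```python
import ipaddress
from typing import List, Optional


def check_host_gateway(host_ip: str, prefix_len: int, gateway: str,
                       vpn_gateway: Optional[str] = None) -> List[str]:
    """Return the problems with a host's address/mask/gateway triple (empty list if sane).

    vpn_gateway, if given, is the LAN address of the device that terminates the VPN
    (the firebox trusted interface in the post). Replies to the far side of a tunnel
    only get there if the host's default gateway is that device, or a router that
    knows the route back to it.
    """
    problems: List[str] = []
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    if gw not in net:
        # The printer case from the reply: local LAN traffic needs no gateway, so
        # printing works, but the host cannot ARP for a gateway outside its subnet
        # and every routed packet (including replies to the remote site) is dropped.
        problems.append(f"gateway {gw} is outside {net}: LAN works, nothing routed does")
        return problems
    if gw == iface.ip:
        problems.append("gateway equals the host's own address")
    if gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    if vpn_gateway is not None and gw != ipaddress.ip_address(vpn_gateway):
        problems.append(f"gateway {gw} is not the VPN router {vpn_gateway}: the host answers "
                        "LAN pings, but replies to the remote subnet go to a router that may "
                        "not know the way back to the tunnel")
    return problems


if __name__ == "__main__":
    # Printer example from the reply; a /24 mask is assumed (the post gives none).
    print(check_host_gateway("10.38.0.200", 24, "10.8.0.1"))
    print(check_host_gateway("10.38.0.200", 24, "10.38.0.1"))
    # The poster's situation with assumed unmasked addresses: host .140, firebox .253.
    print(check_host_gateway("10.1.1.140", 24, "10.1.1.1", vpn_gateway="10.1.1.253"))
    print(check_host_gateway("10.1.1.140", 24, "10.1.1.253", vpn_gateway="10.1.1.253"))
```

    The first call reproduces the printer symptom (reachable on its LAN, unreachable
    through the firewall); the third is the case the check is for in a VPN setting:
    the gateway is valid for the subnet, so nothing looks wrong from the host, yet
    return traffic for the tunnel never reaches the firebox.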
