10.07.2008 at 11:28AM PDT, ID: 23794770 | Points: 500
WatchGuard Firebox x1250e site-to-site VPN to Cisco PIX 515 problems

Asked by GlennRhodes in Watchguard Firewall, Virtual Private Networking (VPN), Cisco PIX Firewall

I have a WatchGuard Firebox X1250e at my site.  I am attempting to set up a VPN with a remote facility that uses a Cisco PIX 515.  But we are unable to get the tunnel to come up.  Our settings are as follows:

Pre-Shared Key does match.
Local Gateway: xxx.xxx.24.114
Local ID: xxx.xxx.24.114
Remote Gateway: xxx.xxx.130.22
Remote ID: xxx.xxx.130.22

Phase 1
Authentication: MD5
Encryption: DES
Diffie-Hellman Group: 2
SA Life: 24 Hr
Enabled NAT Traversal
Enabled IKE Keep-Alive
Enabled RFC3706 (Dead Peer Detection)

Phase 2
Type: ESP
Authentication: MD5
Encryption: DES
Force Key Expiration: 24 Hr or 4608000 KB
PFS: Diffie-Hellman Group 2

Tunnel
xxx.xxx.10.0/24  <==>  xxx.xxx.6.0/24

I took screenshots of my setup and emailed them to the PIX admin, and he verified his settings match mine.  But when the VPN negotiation takes place, we get errors.  The error message I get is:

Debug 2008-10-07 13:24:30 iked Drop negotiation to peer xxx.xxx.130.22:500 due to phase 1 retry timeout msg_id="0203-5161"
Debug 2008-10-07 13:24:33 iked Starting phase 1 negotiation using  [AdRad_SAM] to xxx.xxx.130.22:500 main mode msg_id="0203-5031"       
Debug 2008-10-07 13:24:33 iked Received second message with policy [AdRad_SAM] from xxx.xxx.130.22:500 main mode msg_id="0203-5022"       
Debug 2008-10-07 13:24:33 iked  Sending third  message to xxx.xxx.130.22:500 main mode msg_id="0203-5033"       
Debug 2008-10-07 13:24:33 iked Received fourth message with policy [AdRad_SAM] from xxx.xxx.130.22:500 main mode msg_id="0203-5024"       
Debug 2008-10-07 13:24:33 iked  Sending fifth  message with policy [AdRad_SAM] to xxx.xxx.130.22:500 main mode msg_id="0203-5035"       
Debug 2008-10-07 13:24:33 iked Received sixth  message with policy [AdRad_SAM] from xxx.xxx.130.22:500 main mode msg_id="0203-5026"       
Debug 2008-10-07 13:24:33 iked WARNING: Mismatched ID settings at peer xxx.xxx.130.22:500 caused an authentication failure msg_id="0203-5156"       
Debug 2008-10-07 13:24:33 iked Cannot process MM ID payload from xxx.xxx.130.22:500 to xxx.xxx.24.114 cookies i=e4226c65 8d935077 r=64cbb1a6 eac49dad msg_id="0203-5029"
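
Added example, not part of the original question or of any reply: a short Python triage of the iked debug lines quoted above. It shows that the exchange completed the proposal and key-exchange messages and failed at the main mode identity/authentication step. The function, field and stage names are assumptions made for this illustration; the message-to-stage mapping follows IKEv1 main mode (RFC 2409).

```python
import re

# IKEv1 main mode is three round trips (RFC 2409): messages 1-2 agree the
# phase 1 proposal, 3-4 exchange DH values and nonces, 5-6 carry the
# encrypted identity (ID) and authentication payloads.
STAGES = {1: "proposal", 2: "proposal", 3: "key exchange", 4: "key exchange",
          5: "identity/authentication", 6: "identity/authentication"}
ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "sixth": 6}

START_RE = re.compile(r"iked\s+Starting phase 1 negotiation")
MSG_RE = re.compile(r"iked\s+(?:Sending|Received)\s+(\w+)\s+message\b.*?"
                    r"\b(?:to|from)\s+(\S+):\d+\s+main mode")
FAIL_RE = re.compile(r'iked\s+((?:WARNING:|Cannot process|Drop negotiation).*?)'
                     r'\s+msg_id="([^"]+)"')

def triage(lines):
    """Group iked debug lines into phase 1 attempts and report how far each got."""
    attempts, cur = [], None
    for line in lines:
        if START_RE.search(line):
            cur = {"peer": None, "last_msg": 0, "stage": None, "failures": []}
            attempts.append(cur)
        elif cur is not None and (m := MSG_RE.search(line)):
            cur["peer"] = m.group(2)
            cur["last_msg"] = max(cur["last_msg"], ORDINALS.get(m.group(1).lower(), 0))
            cur["stage"] = STAGES.get(cur["last_msg"])
        elif cur is not None and (m := FAIL_RE.search(line)):
            cur["failures"].append((m.group(2), m.group(1)))  # (msg_id, text)
    return attempts

# Lines copied from the log in the question, trailing padding trimmed.
SAMPLE = [
    'Debug 2008-10-07 13:24:30 iked Drop negotiation to peer xxx.xxx.130.22:500 due to phase 1 retry timeout msg_id="0203-5161"',
    'Debug 2008-10-07 13:24:33 iked Starting phase 1 negotiation using  [AdRad_SAM] to xxx.xxx.130.22:500 main mode msg_id="0203-5031"',
    'Debug 2008-10-07 13:24:33 iked Received second message with policy [AdRad_SAM] from xxx.xxx.130.22:500 main mode msg_id="0203-5022"',
    'Debug 2008-10-07 13:24:33 iked  Sending third  message to xxx.xxx.130.22:500 main mode msg_id="0203-5033"',
    'Debug 2008-10-07 13:24:33 iked Received fourth message with policy [AdRad_SAM] from xxx.xxx.130.22:500 main mode msg_id="0203-5024"',
    'Debug 2008-10-07 13:24:33 iked  Sending fifth  message with policy [AdRad_SAM] to xxx.xxx.130.22:500 main mode msg_id="0203-5035"',
    'Debug 2008-10-07 13:24:33 iked Received sixth  message with policy [AdRad_SAM] from xxx.xxx.130.22:500 main mode msg_id="0203-5026"',
    'Debug 2008-10-07 13:24:33 iked WARNING: Mismatched ID settings at peer xxx.xxx.130.22:500 caused an authentication failure msg_id="0203-5156"',
    'Debug 2008-10-07 13:24:33 iked Cannot process MM ID payload from xxx.xxx.130.22:500 to xxx.xxx.24.114 cookies i=e4226c65 8d935077 r=64cbb1a6 eac49dad msg_id="0203-5029"',
]

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(f"peer {a['peer']}: reached message {a['last_msg']} ({a['stage']})")
        for msg_id, text in a["failures"]:
            print(f"  {msg_id}: {text}")
```

The "Drop negotiation" line at the top belongs to an earlier attempt whose start is not in the excerpt, so the triage ignores it.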