Solved

VPN Setup on a firebox X55e

Posted on 2007-11-21
31
6,843 Views
Last Modified: 2008-02-01
Hi

I really need some help with setting up a VPN tunnel.

This is what I have:
1: Laptop with mobile broadband
2: Win 2003 server with WatchGuard Firebox X55e

This is what I want to do:
1: Connect my laptop to my Win 2003 server using a VPN tunnel

This is what I need help with:
1: Choose type of VPN connection, MUVPN maybe?
2: Make the correct settings for this.
3: Make the connection

I have tried this:
1: Created a new user under Firebox Users
2: Enabled MUVPN for this account.
3: Downloaded the .wgx file and imported that into the "WatchGuard Mobile VPN" software
4: Tried to connect, but got the error: Lost connect to peer phase 1 error

I have looked in the profile but I'm not sure about the settings in the profile.
For example, in my case, what kind of connection medium should I choose?
And so on...

So I really need some help with this, guys.

0
Question by:AWestEng
31 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 20329139
In your scenario, there are three options by which you can configure VPN:

MUVPN:
Create the user on the X55e, click the MUVPN tab; make sure that the "Enable MUVPN for this account" check box is selected and the VPN client type is Mobile User. I think you have already configured all this.
As phase 1 is failing, it means that the remote computer is not able to communicate with the X55 for VPN negotiations; make sure that you are using different internet connections and that the machine is not connected to the X55 when you attempt the VPN.

X55 acting as PPTP server:
With the new firmware ver 8.6, Edge boxes can act as a PPTP server. For this you need not install any client on the remote machines; they would be able to establish the VPN using Windows Network Connections; you would need to add a VPN connection through the Windows wizard.
For this, when you add a user on the X55, under the Settings tab, select the "Allow remote access with PPTP" check box.

As you also have a Win2003 server, you can configure the server to act as the PPTP server:
Configure Routing and Remote Access on the Win2003 server; on the X55 you would need to create a service to allow incoming traffic on TCP port 1723 and allow the GRE protocol.

Please advise which method you would wish to connect with; we can work on any method or troubleshoot as the need be.

Thank you.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20334333
OK, thx..

If I choose to use MUVPN, what am I doing wrong?

These are my settings for the user:

Settings
---------------------
Account name: Hellberg
Full name: xxxxxxx
Description:

Administrative access: Full
Session maximum timeout (minutes): 0
Session idle timeout (minutes): 0
Allow access to the External Network: True
Allow access to manual and managed VPN tunnels: True
Allow remote access with PPTP: False

Webblocker
----------------------------
No webblocker

MUVPN
------------------------------
Enable MUVPN for this account: TRUE
Shared Key: ***********
Virtual IP Address: Empty
Authentication Algorithm: MD5-HMAC
Encryption Algorithm: DES-CBC
Key expires in kilobytes: 82000
Key expires in hours: 0
VPN Client Type: Mobile User
All traffic uses tunnel (0.0.0.0/0 IP Subnet): False

I downloaded the .wgx file and imported that into the "WatchGuard Mobile VPN" software.

But there are a lot of settings in that software I'm not sure of.

This is what I do later: I disconnect from the local intranet.

I connect to the internet again with mobile broadband,
start the VPN software, and press connect, then I get the error about phase 1.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20334569
You cannot leave Virtual IP address empty; configure virtual IP as one of the unused IP address on your network, generate a new wgx file and try connection.

Please check and update.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20335012
OK, I will try it, thx

I'll get back to you tomorrow
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20337686
I picked an IP address, 192.168.0.200, that's in my secure network, but I still get the same error message.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20341790
It appears that the IPSec traffic is not coming to the box at all; can you change
Allow remote access with PPTP: False
to True;
and then make a VPN connection by going to Windows Network Connections; New Connection; connect to office or Virtual private network; give some name; specify the public IP of your device; after finishing the wizard, specify the username/password as defined when creating the user and check if you are able to connect.

Please note the password or shared key should be at least 8 characters in length.

Please check and update.

Thank you.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20348924
OK, it has changed to enabled now; I got this message:

Warning. PPTP VPN Connections are not enabled.
Activate remote user PPTP VPN (VPN > Mobile user)

I will try to find that setting now and change it.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20348945
I found the setting:
This is my Mobile user page:

VPN
Mobile User

--------------------------------------------------------------------------------
Firebox IPSEC MUVPN Configuration
Make the MUVPN client security policy read-only.  False
Virtual Adapter  : Disabled

--------------------------------------------------------------------------------
Firebox PPTP Configuration
 Activate remote user VPN with PPTP.   :True  
 Allow drop from 128-bit to 40-bit encryption. : False  
 Log all allowed PPTP traffic.  False

--------------------------------------------------------------------------------
WINS/DNS Setting for IPSEC MUVPN and PPTP Clients
DNS Server IP Address  : Empty
WINS Server IP Address  : Empty
 
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20349041
These are my profile settings in the "WatchGuard Mobile VPN software":
Basic Settings:
---------------------------------------------
Profile Name: Hellberg
Connection type: VPN Connection to IPSec Gateway
Communication Medium: automatic media detection
Default Profile after system Reboot: False

Line Management
---------------------------------------------
Connection mode: manual
Inactivity Timeout (sec): 0
Voice over IP (VoIP) Setting Priorities: False
(ISDN Multilink: all disabled/off)
EAP Authentication: False
HTTP Authentication: False

IPSec General Settings
---------------------------------------------
Gateway: External IP address on Firebox
IKE Policy: Hellberg
IPSec Policy: Hellberg
Exch Mode: Aggressive Mode
PFS Group: none

Advanced IPSec Options
---------------------------------------------
IP Compression: False
Disable DPD (Dead Peer Detection): False
UDP Encapsulation: False
Port: 500

Identities
---------------------------------------------
Type: Fully Qualified Username
ID: Hellberg
Pre-Shared key: True
Shared secret: Empty
Confirm Secret: Empty
Extended Authentication (XAUTH): False

IP Address assignment
---------------------------------------------
Private IP Address Assignment: local IP address
IP address: 0.0.0.0
DNS/WINS Server: False

Remote Networks
---------------------------------------------
Network Addresses
192168.0.0
Subnet Masks: 255.255.255.0

Certificate Check
---------------------------------------------
All fields are empty here

Link Firewall
---------------------------------------------
Stateful Inspection: off
NetBIOS over IP: True
In combination with Microsoft's RAS Dialer only Tunneling Permitted: False
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20351918
Please note we are trying to connect using PPTP for which we do not need MUVPN client, please configure windows network connection as I advised in my last post and see if you are able to VPN; if yes, then you can uninstall the MUVPN software from the client machine.

Please check and update.

Thank you.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20356341
I really appreciate all the help.

It was just so you can see all the settings, and check if I have done anything wrong.

I'm trying to connect using PPTP now, but I get error code 800.

The username when connecting is the user I have set up in Firebox Users, "Hellberg", and the password is the user key. It's trying to connect, but after a while I get error code 800.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20356386
I changed the Type of VPN Server from Automatic to PPTP VPN in the Windows VPN connection.

And I now get error code 678, the "computer" doesn't "answer".
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20356436
One other thing: I have activated the proxy server for HTTP; can those rules do something to the connection?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20358938
No, HTTP proxy rules would not interfere with the incoming VPN traffic, either PPTP or IPSec; looking at all the error messages you are getting, it appears to me that your ISP is specifically blocking VPN traffic; please touch base with them about the issue. The ports and protocols we need for VPN traffic are:

IPSEC
UDP 500 [for IKE]
UDP 4500 [For NAT-Traversal]
IP 50/51 [these are protocol numbers for ESP/AH]

PPTP
TCP 1723
GRE [IP 47 -- again protocol number]

Please check and update.

Thank you.
0
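The protocol numbers and ports listed above are also what a defender looks for when checking whether VPN traffic is reaching the gateway at all (the suspicion raised earlier in this thread). The following Python script is an added example, not from the thread or from WatchGuard: it classifies raw IPv4 packets into the IKE, NAT-T, ESP/AH, PPTP-control and GRE categories from that list, so a capture taken on the external interface can be summarised by which kinds arrived. The sample packets and the addresses in them are constructed placeholders.

```python
import struct

# Protocol numbers and ports from the list above of what the VPN needs let through.
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
IP_PROTO_GRE, IP_PROTO_ESP, IP_PROTO_AH = 47, 50, 51
IKE_PORT, NAT_T_PORT, PPTP_PORT = 500, 4500, 1723


def classify_vpn_packet(pkt: bytes):
    """Label an IPv4 packet if it is PPTP or IPsec traffic the Firebox must receive; else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if ihl < 20 or len(pkt) < ihl:
        return None
    if proto == IP_PROTO_GRE:
        return "PPTP data (GRE, IP proto 47)"
    if proto == IP_PROTO_ESP:
        return "IPsec ESP (IP proto 50)"
    if proto == IP_PROTO_AH:
        return "IPsec AH (IP proto 51)"
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(pkt) >= ihl + 4:
        # Source and destination ports occupy the first 4 bytes of TCP and UDP alike.
        _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if proto == IP_PROTO_TCP and dport == PPTP_PORT:
            return "PPTP control (TCP 1723)"
        if proto == IP_PROTO_UDP and dport == IKE_PORT:
            return "IKE (UDP 500)"
        if proto == IP_PROTO_UDP and dport == NAT_T_PORT:
            return "IKE/ESP NAT-Traversal (UDP 4500)"
    return None


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum zero, documentation addresses) for samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([203, 0, 113, 10]), bytes([198, 51, 100, 1]))
    return hdr + payload


def summarize(packets):
    """Count packets per VPN kind; a kind absent from the result never reached the gateway."""
    seen = {}
    for pkt in packets:
        label = classify_vpn_packet(pkt)
        if label:
            seen[label] = seen.get(label, 0) + 1
    return seen


SAMPLE = [  # constructed packets, not captured traffic
    build_ipv4(IP_PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    build_ipv4(IP_PROTO_TCP, struct.pack("!HH", 40000, 1723) + bytes(16)),
    build_ipv4(IP_PROTO_GRE, b"\x30\x01\x88\x0b"),
    build_ipv4(IP_PROTO_TCP, struct.pack("!HH", 40001, 80) + bytes(16)),
]
```

If a capture on the external interface shows IKE or TCP 1723 arriving but the tunnel still fails, the block is on the box or the client; if nothing arrives, it is upstream, which is the ISP question raised above.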
 
LVL 1

Author Comment

by:AWestEng
ID: 20369054
OK, I will check.

Do I need to do anything on the Win 2003 server to make this work?
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20369073
Or can my software firewall on my computer make any problems for the VPN connection?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20370102
Can you turn off the firewall on the computer completely and check? I think if the firewall is blocking traffic then it would be it.

If you are successful then you have the option to use PPTP or IPSec per your wish.

Sorry I should have thought about that earlier.

Thank you.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20372277
I'm using F-Secure.

I don't know if F-Secure can be completely turned off. If I look in the Services tab I can find that PPTP isn't used, but I can't find anywhere to turn that on.

I have added the rule now. I have talked to our ISP now, but they say that all the ports are open.

So I will test the connection later and get back to you.

Thx m8 :)
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20372484
It seems to work now.

I haven't connected from outside our internal network, but when connecting, the WatchGuard Mobile VPN software says it's connected.

I don't know what exactly the problem was. What I did was:
1: I opened the ports in my software firewall
2: Created a new profile in Firebox Users
3: Picked a virtual IP address that was not in my DHCP server range
4: I also activated PPTP for mobile user
5: Imported the new .wgx file to WatchGuard
6: I had to add the shared secret in the Identities tab

I will test the connection again outside our own network and see if it works there, and also using the Microsoft VPN connection via PPTP.

I will get back to you after I have tested the connection and tell you if it works outside too.

So it maybe was my software firewall that made all the problems. Talk to you later.

Thx for helping me.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20380520
You are welcome, please update me about the results per your convenience.

Thank you.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20382437
It seems to connect to the Firebox now, but I can't map the server disk I have when working on the internal net.

Any tips?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20384388
Try Start -> Run -> \\machine-ip-address\share-name

Instead of using names, use the IP and check the results; if you are able to access shares with the IP, then for name resolution we either modify the hosts file on the remote machine or we can use a DNS/WINS server (if you already have one configured on the internal network).

Please check and update.

Thank you.
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20391053
I'm behind a D-Link router now; do I need to open any ports on that too?
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20395180
This is the IP of the server: 192.168.0.2

\\192.168.0.2\Scratch

But it doesn't work; do I need to change anything on the Win 2003 server?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20396526
What is the subnet address of the network behind the D-Link? If it is the same as the WG subnet, 192.168.0.0/24, then you would need to change the subnet at one of the ends.
It would be easy to change the LAN address on the D-Link if you are using DHCP, as in that case you would not need to reconfigure anything on the WG.

Please note, as the WG is acting as the VPN server, there are no settings which need to be done on any machine behind the WG; the only thing to make sure of is that the machines behind the WG do not have a firewall which blocks all traffic (including Windows Firewall), and that they have shares which can be accessed from other machines.

Thank you.
0
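The problems this thread worked through (empty shared secret, empty virtual IP, a remote network that does not parse, and finally a client LAN on the same subnet as the office) can all be caught before pressing Connect. The following Python script is an added example, not part of the thread and not a WatchGuard tool: it parses a profile given in the same "Key: value" layout as the one posted above and reports those problems. The profile excerpt, the client LAN ranges and the shared-secret value are constructed placeholders.

```python
import ipaddress

# Constructed excerpt in the "Key: value" layout of the posted profile; the
# values are the ones the thread discusses, not a real profile export.
PROFILE_TEXT = """\
Profile Name: Hellberg
Gateway: 203.0.113.10
Exch Mode: Aggressive Mode
Shared secret: Empty
Ip adress: 0.0.0.0
Network Adresses: 192168.0.0
Subnet Masks: 255.255.255.0
"""


def parse_profile(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased label; 'Empty' becomes ''."""
    prof = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        prof[key.strip().lower()] = "" if value.lower() == "empty" else value
    return prof


def check_profile(prof, client_lan):
    """Return the problems that would stop this tunnel, in the order found.
    client_lan is the subnet the laptop sits on (e.g. behind the D-Link)."""
    problems = []
    if not prof.get("shared secret"):
        problems.append("shared secret is empty; phase 1 cannot authenticate")
    try:
        remote = ipaddress.ip_network(
            f"{prof.get('network adresses', '')}/{prof.get('subnet masks', '')}",
            strict=False)
    except ValueError:
        problems.append(f"remote network {prof.get('network adresses')!r} is not valid")
        remote = None
    vip = prof.get("ip adress", "")
    if vip in ("", "0.0.0.0"):
        problems.append("virtual IP is empty; assign an unused address on the office LAN")
    elif remote is not None and ipaddress.ip_address(vip) not in remote:
        problems.append(f"virtual IP {vip} is outside the remote network {remote}")
    if remote is not None and ipaddress.ip_network(client_lan, strict=False).overlaps(remote):
        problems.append(f"client LAN {client_lan} overlaps {remote}; change one subnet")
    return problems


# The corrections the thread arrived at (shared-secret value is a placeholder).
FIXED = dict(parse_profile(PROFILE_TEXT), **{"shared secret": "PLACEHOLDER-SECRET",
             "ip adress": "192.168.0.200", "network adresses": "192.168.0.0"})
```

Running check_profile(FIXED, "192.168.0.0/24") reproduces the last problem in this thread, the overlapping subnet, while a laptop LAN such as 192.168.1.0/24 gives an empty list.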
 
LVL 1

Author Comment

by:AWestEng
ID: 20418162
OK thx, the problem was that both connections were on the same subnet. Missed that.. thx :)

It works now, :) THX!!!

Another question: Can I set a password on the VPN connection? The shared key must always be in the VPN software, otherwise it will not connect at all. I tried to use Extended Authentication but then the connection fails.

Any tips?
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20418196
And the last question,

Any tips on how I should do this:

My boss only wants users to access some of the folders in the network unit I connect to.

Is it possible to manage anything from the WG, or do I need to separate these folders on the server?

For example, I connect to Common

In Common/software
    Common/Customer backup
    Common/Scratch
    Common/Projects

So if I only want the users to access the Scratch folder in Common, can I do this restriction in the WG in some way, or must I make new folders on the server that only have the folders I want the users to get access to?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20424221
Shared key is the password for your remote users; please note you cannot use certificates or other authentication methods with the X55e.

Filtering incoming traffic from users is not possible on the WG X55e; it would be good to implement access rules through Windows; the WG would allow the remote users all access to the trusted network by default. So, as you thought, creating folders with specific shares or assigning users to groups with restrictive permissions would be another way to implement it.

Please let me know if you need more details.

Thank you.
0
 
LVL 2

Expert Comment

by:Kal Lodin
ID: 20453104
WOW, I was reading along. I have an Edge 20e and
my remote users' VPN does work.... half the time..
Every now and then they get booted, and then they wait about 15 mins to half an hour and they can log in again.
I only forwarded ports 1723 and 500 to the server.
I have not touched the VPN on the WG because I am nervous about my lack of knowledge..
Any chance you could give me a play by play to set up remote access to our SBS with the WG, so that the connection is stable?
0
 
LVL 1

Author Comment

by:AWestEng
ID: 20547755
Sorry, I have been away on vacation for a couple of weeks.. but I'm back now..

I just need to check that all works before I let you go. hehe,, It's hard to find people who know so much and want to help.. thx for all the help m8. I will get back to this after New Year..

0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20548145
Sure let me know if it works, I would be happy to help.

Thank you for the words of encouragement; I think all the EE members' hard work has earned these words.

Have a HAPPY NEW YEAR.
0