Solved

Watchguard site to site VPN odd issue

Posted on 2007-11-27
10
2,004 Views
Last Modified: 2010-08-24
Hi everyone, saw a previous post on here about an issue with a watchguard site-site vpn similar to the one I am having but it didn't work http://www.experts-exchange.com/Networking/Security/IPSec/Q_22529592.html
The interesting issue with mine is we have 3 sites, A, B and C

Site A has a firebox, and an MPN (dedicated link) to site C, the firebox does the site-site VPN to site B.

Now site B can't ping or talk to site A (and vice-versa), but oddly enough it can talk to site C (and vice versa)
It was working, and no site-site rules or site-site vpn changes where made, someone did try and setup pptp on site A's firebox, but turned it all off after it didn't work, that is when the problem started.
I have tipple checked the routes, rules and VPN settings at both Site A and B, they are all fine.
I have even uploaded an archived config file from back when it worked, with no avail.

11/28/07 11:16  iked[135]:  Quick Mode processing failed

11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID

11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
0
Comment
Question by:changlinn
  • 5
  • 4
10 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20366359
>>Quick Mode processing failed

Above error log indicates that the phase II of the VPN negotiation failed and hence the VPN tunnel is not coming up; can you check to make sure that the IPSec routing policy which you have created is having the correct subnets, I mean the local and remote on site A are listed as remote and local on site C.

Further the phase II settings like DES, Encryption/Authentication algoithms, etc, are all identical.

>>11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

Above messages also demonstrate that the routing policies are incorrect.

Can you please check and update.

Thank you.
0
 
LVL 2

Author Comment

by:changlinn
ID: 20369583
Maybe be best with a diagram
<a href="http://img512.imageshack.us/my.php?image=diaggc2.jpg" target="_blank"><img src="http://img512.imageshack.us/img512/7043/diaggc2.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
The main point I am making is site's B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes I have checked and triple checked either end of the A-B vpn tunnel, encryption for phase 1 and 2 is the same, and the routes haven't been changed, I even recreated the vpn at both ends with no success.

0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20380529
You need to have two routing policies:
say site C is 192.168.3.0/24
site A is 192.168.1.0/24
site B is 192.168.2.0/24

Local                                Remote            Tunnel

On site A:
192.168.1.0/24          192.168.2.0/24       tunnel-to-b
192.168.3.0/24          192.168.2.0/24       tunnel-to-b [you might use even another tunnel but same gateway]

On Site B:
192.168.2.0/24          192.168.1.0/24
192.168.2.0/24          192.168.3.0/24

Please check the settings and update if this makes any difference.

Thank you.
0
ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

 
LVL 2

Author Comment

by:changlinn
ID: 20382106
yep the routes are set in the VPN, at site b as you said, and if I remove the route to site c I can no longer ping it as expected. The route to site a is there too, and the return routes are setup at site A it is a real head scratcher.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20384371
Try this out; make a backup of the current configuration; then go ahead and delete the VPN setting for the above from the bos; save to firebox and reboot the box and configure from scratch again; observe results.

We would have the config backup as backup plan if anything breaks further.

I am not sure if this would be possible for you to do, please advice.

Thank you.
0
 
LVL 2

Author Comment

by:changlinn
ID: 20482825
Nope still the same, completely wiped the VPN configs and tried again. It is really odd.
See the diag here http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A. As site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C and site a-b still doesn't work.
0
 

Expert Comment

by:pruland
ID: 20491428
Anyone here figuure out this issue? I just started having the exact same problem.
0
 
LVL 2

Accepted Solution

by:
changlinn earned 0 total points
ID: 20497692
This almost did my head in, but another (3rd one to look at it) colleague looked at it today and within ten minutes found that at site A aggressive mode wasn't ticked, both the first guy that looked at it and my self had checked this, and ticked it at both ends and un-ticked it to no avail, so I have no idea why it worked when he ticked it, but we are backup.
All in all a very annoying experience.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20498010
I am not sure why agressive mode would have any impact; AM is used for phase I and the routing problem faced should be a result of phase II; am happy thtat at least the problem is resolved.
0
 
LVL 2

Author Comment

by:changlinn
ID: 20498821
Yeah I don't know either, and as the log above shows it was phase 2 that was failing.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question