Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2074
  • Last Modified:

Watchguard site to site VPN odd issue

Hi everyone, saw a previous post on here about an issue with a watchguard site-site vpn similar to the one I am having but it didn't work http://www.experts-exchange.com/Networking/Security/IPSec/Q_22529592.html
The interesting issue with mine is we have 3 sites, A, B and C

Site A has a firebox, and an MPN (dedicated link) to site C, the firebox does the site-site VPN to site B.

Now site B can't ping or talk to site A (and vice-versa), but oddly enough it can talk to site C (and vice versa)
It was working, and no site-site rules or site-site vpn changes where made, someone did try and setup pptp on site A's firebox, but turned it all off after it didn't work, that is when the problem started.
I have tipple checked the routes, rules and VPN settings at both Site A and B, they are all fine.
I have even uploaded an archived config file from back when it worked, with no avail.

11/28/07 11:16  iked[135]:  Quick Mode processing failed

11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID

11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
0
changlinn
Asked:
changlinn
  • 5
  • 4
1 Solution
 
dpk_walCommented:
>>Quick Mode processing failed

Above error log indicates that the phase II of the VPN negotiation failed and hence the VPN tunnel is not coming up; can you check to make sure that the IPSec routing policy which you have created is having the correct subnets, I mean the local and remote on site A are listed as remote and local on site C.

Further the phase II settings like DES, Encryption/Authentication algoithms, etc, are all identical.

>>11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

Above messages also demonstrate that the routing policies are incorrect.

Can you please check and update.

Thank you.
0
 
changlinnAuthor Commented:
Maybe be best with a diagram
<a href="http://img512.imageshack.us/my.php?image=diaggc2.jpg" target="_blank"><img src="http://img512.imageshack.us/img512/7043/diaggc2.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
The main point I am making is site's B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes I have checked and triple checked either end of the A-B vpn tunnel, encryption for phase 1 and 2 is the same, and the routes haven't been changed, I even recreated the vpn at both ends with no success.

0
 
dpk_walCommented:
You need to have two routing policies:
say site C is 192.168.3.0/24
site A is 192.168.1.0/24
site B is 192.168.2.0/24

Local                                Remote            Tunnel

On site A:
192.168.1.0/24          192.168.2.0/24       tunnel-to-b
192.168.3.0/24          192.168.2.0/24       tunnel-to-b [you might use even another tunnel but same gateway]

On Site B:
192.168.2.0/24          192.168.1.0/24
192.168.2.0/24          192.168.3.0/24

Please check the settings and update if this makes any difference.

Thank you.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
changlinnAuthor Commented:
yep the routes are set in the VPN, at site b as you said, and if I remove the route to site c I can no longer ping it as expected. The route to site a is there too, and the return routes are setup at site A it is a real head scratcher.
0
 
dpk_walCommented:
Try this out; make a backup of the current configuration; then go ahead and delete the VPN setting for the above from the bos; save to firebox and reboot the box and configure from scratch again; observe results.

We would have the config backup as backup plan if anything breaks further.

I am not sure if this would be possible for you to do, please advice.

Thank you.
0
 
changlinnAuthor Commented:
Nope still the same, completely wiped the VPN configs and tried again. It is really odd.
See the diag here http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A. As site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C and site a-b still doesn't work.
0
 
prulandCommented:
Anyone here figuure out this issue? I just started having the exact same problem.
0
 
changlinnAuthor Commented:
This almost did my head in, but another (3rd one to look at it) colleague looked at it today and within ten minutes found that at site A aggressive mode wasn't ticked, both the first guy that looked at it and my self had checked this, and ticked it at both ends and un-ticked it to no avail, so I have no idea why it worked when he ticked it, but we are backup.
All in all a very annoying experience.
0
 
dpk_walCommented:
I am not sure why agressive mode would have any impact; AM is used for phase I and the routing problem faced should be a result of phase II; am happy thtat at least the problem is resolved.
0
 
changlinnAuthor Commented:
Yeah I don't know either, and as the log above shows it was phase 2 that was failing.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now