Watchguard site to site VPN odd issue
Hi everyone, saw a previous post on here about an issue with a watchguard site-site vpn similar to the one I am having but it didn't work https://www.experts-exchange.com/questions/22529592/WatchGuard-Site-to-Site-VPN.html
The interesting issue with mine is we have 3 sites, A, B and C
Site A has a firebox, and an MPN (dedicated link) to site C, the firebox does the site-site VPN to site B.
Now site B can't ping or talk to site A (and vice-versa), but oddly enough it can talk to site C (and vice versa)
It was working, and no site-site rules or site-site vpn changes where made, someone did try and setup pptp on site A's firebox, but turned it all off after it didn't work, that is when the problem started.
I have tipple checked the routes, rules and VPN settings at both Site A and B, they are all fine.
I have even uploaded an archived config file from back when it worked, with no avail.
11/28/07 11:16 iked[135]: Quick Mode processing failed
11/28/07 11:16 iked[135]: FROM XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
11/28/07 11:16 iked[135]: Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
11/28/07 11:16 iked[135]: Sending INVALID_ID_INFO message
11/28/07 11:16 iked[135]: TO XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16 iked[135]: Quick Mode processing failed
The interesting issue with mine is we have 3 sites, A, B and C
Site A has a firebox, and an MPN (dedicated link) to site C, the firebox does the site-site VPN to site B.
Now site B can't ping or talk to site A (and vice-versa), but oddly enough it can talk to site C (and vice versa)
It was working, and no site-site rules or site-site vpn changes where made, someone did try and setup pptp on site A's firebox, but turned it all off after it didn't work, that is when the problem started.
I have tipple checked the routes, rules and VPN settings at both Site A and B, they are all fine.
I have even uploaded an archived config file from back when it worked, with no avail.
11/28/07 11:16 iked[135]: Quick Mode processing failed
11/28/07 11:16 iked[135]: FROM XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
11/28/07 11:16 iked[135]: Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
11/28/07 11:16 iked[135]: Sending INVALID_ID_INFO message
11/28/07 11:16 iked[135]: TO XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16 iked[135]: Quick Mode processing failed
ASKER
Maybe be best with a diagram
<a href="http://img512.imageshack.us/my.php?image=diaggc2.jpg" target="_blank"><img src="http://img512.imageshack.us/img512/7043/diaggc2.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
The main point I am making is site's B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes I have checked and triple checked either end of the A-B vpn tunnel, encryption for phase 1 and 2 is the same, and the routes haven't been changed, I even recreated the vpn at both ends with no success.
<a href="http://img512.imageshack.us/my.php?image=diaggc2.jpg" target="_blank"><img src="http://img512.imageshack.us/img512/7043/diaggc2.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
The main point I am making is site's B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes I have checked and triple checked either end of the A-B vpn tunnel, encryption for phase 1 and 2 is the same, and the routes haven't been changed, I even recreated the vpn at both ends with no success.
You need to have two routing policies:
say site C is 192.168.3.0/24
site A is 192.168.1.0/24
site B is 192.168.2.0/24
Local Remote Tunnel
On site A:
192.168.1.0/24 192.168.2.0/24 tunnel-to-b
192.168.3.0/24 192.168.2.0/24 tunnel-to-b [you might use even another tunnel but same gateway]
On Site B:
192.168.2.0/24 192.168.1.0/24
192.168.2.0/24 192.168.3.0/24
Please check the settings and update if this makes any difference.
Thank you.
say site C is 192.168.3.0/24
site A is 192.168.1.0/24
site B is 192.168.2.0/24
Local Remote Tunnel
On site A:
192.168.1.0/24 192.168.2.0/24 tunnel-to-b
192.168.3.0/24 192.168.2.0/24 tunnel-to-b [you might use even another tunnel but same gateway]
On Site B:
192.168.2.0/24 192.168.1.0/24
192.168.2.0/24 192.168.3.0/24
Please check the settings and update if this makes any difference.
Thank you.
ASKER
yep the routes are set in the VPN, at site b as you said, and if I remove the route to site c I can no longer ping it as expected. The route to site a is there too, and the return routes are setup at site A it is a real head scratcher.
Try this out; make a backup of the current configuration; then go ahead and delete the VPN setting for the above from the bos; save to firebox and reboot the box and configure from scratch again; observe results.
We would have the config backup as backup plan if anything breaks further.
I am not sure if this would be possible for you to do, please advice.
Thank you.
We would have the config backup as backup plan if anything breaks further.
I am not sure if this would be possible for you to do, please advice.
Thank you.
ASKER
Nope still the same, completely wiped the VPN configs and tried again. It is really odd.
See the diag here http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A. As site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C and site a-b still doesn't work.
See the diag here http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A. As site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C and site a-b still doesn't work.
Anyone here figuure out this issue? I just started having the exact same problem.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am not sure why agressive mode would have any impact; AM is used for phase I and the routing problem faced should be a result of phase II; am happy thtat at least the problem is resolved.
ASKER
Yeah I don't know either, and as the log above shows it was phase 2 that was failing.
Above error log indicates that the phase II of the VPN negotiation failed and hence the VPN tunnel is not coming up; can you check to make sure that the IPSec routing policy which you have created is having the correct subnets, I mean the local and remote on site A are listed as remote and local on site C.
Further the phase II settings like DES, Encryption/Authentication algoithms, etc, are all identical.
>>11/28/07 11:16 iked[135]: WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16 iked[135]: get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
Above messages also demonstrate that the routing policies are incorrect.
Can you please check and update.
Thank you.