Watchguard site to site VPN odd issue

Hi everyone, I saw a previous post on here about an issue with a WatchGuard site-to-site VPN similar to the one I am having, but it didn't work: http://www.experts-exchange.com/Networking/Security/IPSec/Q_22529592.html
The interesting part of mine is that we have 3 sites: A, B and C.

Site A has a Firebox and an MPN (dedicated link) to site C; the Firebox does the site-to-site VPN to site B.

Now site B can't ping or talk to site A (and vice versa), but oddly enough it can talk to site C (and vice versa).
It was working, and no site-to-site rules or site-to-site VPN changes were made. Someone did try to set up PPTP on site A's Firebox, but turned it all off after it didn't work; that is when the problem started.
I have triple checked the routes, rules and VPN settings at both site A and site B; they are all fine.
I have even uploaded an archived config file from back when it worked, to no avail.

11/28/07 11:16  iked[135]:  Quick Mode processing failed
11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
changlinnAsked:
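The iked excerpt in the question can be classified mechanically. The following is an added example, not code from the thread or from WatchGuard: a small Python parser for lines in the format the poster quoted. It maps each message to the IKEv1 phase it belongs to (Quick Mode is Phase 2, the IPsec SA negotiation; INVALID_ID_INFO is the ISAKMP notify a responder sends when the proposed identities match none of its policies) and reports which peer the responder found no policy for. The sample log is the poster's own excerpt with the peer address left as the XXX placeholder; the message signatures are taken only from those lines, so other iked messages will be reported as unknown.

```python
import re
from collections import Counter

# Constructed sample: the iked lines quoted in the question, peer address kept as
# the XXX.XXX.XXX.XXX placeholder the poster used.
SAMPLE_LOG = """\
11/28/07 11:16  iked[135]:  Quick Mode processing failed
11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
"""

# One iked line: "<date> <time>  iked[<pid>]:  <message>"
LINE_RE = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+)\s+iked\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")

# Message signatures, first match wins. All of these belong to IKEv1 Phase 2
# (Quick Mode, which negotiates the IPsec SA); Phase 1 (Main/Aggressive Mode)
# must already have completed for iked to be processing QM-HDR payloads at all.
SIGNATURES = [
    (re.compile(r"Quick Mode processing failed"), "quick_mode_failed"),
    (re.compile(r"No Matching IPSec Policy found for (?P<peer>\S+)"), "no_policy"),
    (re.compile(r"Verify VPN IPSec Policies for (?P<peer>\S+)"), "no_policy"),
    (re.compile(r"Unable to find channel info for remote\((?P<peer>[^)]+)\)"), "no_policy"),
    (re.compile(r"Getting IPSEC preferences as Responder .*laddr=(?P<laddr>\S+), raddr=(?P<raddr>\S+)"), "qm_proposal"),
    (re.compile(r"Sending INVALID_ID_INFO"), "invalid_id_sent"),
    (re.compile(r"QM-HDR"), "qm_exchange"),
    (re.compile(r"ISA_NOTIFY"), "notify_exchange"),
]


def parse_line(line):
    """Split one iked line into its fields and tag it with the event it signals."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = "unknown"
    for pattern, event in SIGNATURES:
        hit = pattern.search(rec["msg"])
        if hit:
            rec["event"] = event
            rec.update(hit.groupdict())  # peer / laddr / raddr when captured
            break
    return rec


def analyze(log_text):
    """Count events, collect peers the responder had no policy for, and note
    which (laddr, raddr) pairs Quick Mode was answering for."""
    events = Counter()
    peers_missing_policy = Counter()
    proposals = []
    unmatched = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        events[rec["event"]] += 1
        if rec["event"] == "no_policy":
            peers_missing_policy[rec["peer"]] += 1
        elif rec["event"] == "qm_proposal":
            proposals.append((rec["laddr"], rec["raddr"]))
        elif rec["event"] == "unknown":
            unmatched.append(rec["msg"])
    return {
        "events": dict(events),
        "peers_missing_policy": dict(peers_missing_policy),
        "proposals": proposals,
        "unmatched": unmatched,
    }


def diagnose(report):
    """Turn the counts into a one-line verdict on which phase to look at first."""
    if report["peers_missing_policy"]:
        peers = ", ".join(sorted(report["peers_missing_policy"]))
        return (f"phase2: responder has no IPsec policy matching the selectors proposed by {peers}; "
                "compare local/remote networks on both ends")
    if report["events"].get("quick_mode_failed"):
        return "phase2: Quick Mode failed without a policy-lookup error; compare Phase 2 proposals (ESP transforms, PFS, lifetimes)"
    return "no Phase 2 failure seen in this excerpt"


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print(rep)
    print(diagnose(rep))
```

Run against the excerpt, it reports two Quick Mode failures, three policy-lookup errors for the single XXX peer, one responder proposal for laddr 61.29.41.34, and no unrecognised lines, which is exactly the "look at Phase 2 policies, not Phase 1" reading dpk_wal gives below.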
changlinn Author Commented:
This almost did my head in, but another colleague (the third one to look at it) looked at it today and within ten minutes found that at site A aggressive mode wasn't ticked. Both the first guy that looked at it and myself had checked this, and ticked it at both ends and un-ticked it to no avail, so I have no idea why it worked when he ticked it, but we are back up.
All in all a very annoying experience.
 
dpk_walCommented:
>>Quick Mode processing failed

The above error log indicates that phase II of the VPN negotiation failed and hence the VPN tunnel is not coming up. Can you check to make sure that the IPSec routing policy which you have created has the correct subnets, I mean the local and remote on site A are listed as remote and local on site C.

Further, make sure the phase II settings (DES, encryption/authentication algorithms, etc.) are all identical.

>>11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
>>11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
>>11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

Above messages also demonstrate that the routing policies are incorrect.

Can you please check and update.

Thank you.
 
changlinnAuthor Commented:
Maybe it would be best with a diagram:
http://img512.imageshack.us/my.php?image=diaggc2.jpg (thumbnail: http://img512.imageshack.us/img512/7043/diaggc2.th.jpg)
The main point I am making is that sites B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes, I have checked and triple checked either end of the A-B VPN tunnel; encryption for phase 1 and 2 is the same, and the routes haven't been changed. I even recreated the VPN at both ends with no success.

 
dpk_walCommented:
You need to have two routing policies. Say site C is 192.168.3.0/24, site A is 192.168.1.0/24 and site B is 192.168.2.0/24.

Local           Remote          Tunnel

On site A:
192.168.1.0/24  192.168.2.0/24  tunnel-to-b
192.168.3.0/24  192.168.2.0/24  tunnel-to-b  [you might even use another tunnel, but the same gateway]

On site B:
192.168.2.0/24  192.168.1.0/24
192.168.2.0/24  192.168.3.0/24

Please check the settings and update if this makes any difference.

Thank you.
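The two policy tables in the answer above have a simple invariant: every (local, remote) pair on one Firebox must appear as (remote, local) on the other, including the third-site subnet that B reaches through A. The following is an added example, not from the thread or from WatchGuard, that checks that invariant. The subnets are the ones dpk_wal proposes; the tunnel names are illustrative. It treats anything other than an exact swapped pair as a mismatch, which is an assumption on the check's part: the log in the question shows the responder rejecting a proposal it has no policy for, and whether a broader or narrower selector would be accepted instead is implementation-specific.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    local: ipaddress.IPv4Network   # network behind this Firebox
    remote: ipaddress.IPv4Network  # network behind the peer
    tunnel: str                    # gateway/tunnel that carries the pair


def policy(local, remote, tunnel):
    return Policy(ipaddress.ip_network(local), ipaddress.ip_network(remote), tunnel)


# Subnets from dpk_wal's post; tunnel names are illustrative, not from the thread.
SITE_A, SITE_B, SITE_C = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"

POLICIES_A = [policy(SITE_A, SITE_B, "tunnel-to-b"),
              policy(SITE_C, SITE_B, "tunnel-to-b")]   # C is reached via A, so A announces it
POLICIES_B = [policy(SITE_B, SITE_A, "tunnel-to-a"),
              policy(SITE_B, SITE_C, "tunnel-to-a")]


def unmirrored(ours, theirs):
    """Our policies for which the peer has no policy with local/remote swapped.
    A Quick Mode proposal for such a pair is what the responder answers with
    'No Matching IPSec Policy' and INVALID_ID_INFO."""
    theirs_pairs = {(p.local, p.remote) for p in theirs}
    return [p for p in ours if (p.remote, p.local) not in theirs_pairs]


def near_misses(ours, theirs):
    """Peer policies that overlap one of ours without being an exact mirror,
    e.g. a /16 on one side against a /24 on the other. Assumption: an exact
    match is required, so these are reported rather than accepted."""
    hits = []
    for mine in ours:
        for peer in theirs:
            if (peer.local, peer.remote) == (mine.remote, mine.local):
                continue  # exact mirror, handled by unmirrored()
            if peer.local.overlaps(mine.remote) and peer.remote.overlaps(mine.local):
                hits.append((mine, peer))
    return hits


def check_both_ends(pol_a, pol_b):
    """Run the mirror check in both directions and flag partial overlaps."""
    return {
        "missing_on_b": unmirrored(pol_a, pol_b),
        "missing_on_a": unmirrored(pol_b, pol_a),
        "near_misses": near_misses(pol_a, pol_b),
    }


if __name__ == "__main__":
    print("as proposed:", check_both_ends(POLICIES_A, POLICIES_B))
    # Site B without the policy for the third site: A's C->B pair has no mirror.
    print("B missing C:", check_both_ends(POLICIES_A, POLICIES_B[:1]))
```

With the tables as proposed the report is empty in both directions. Drop the 192.168.3.0/24 policy from site B and the check names A's (192.168.3.0/24, 192.168.2.0/24) pair as the one B cannot answer, which matches the symptom of B reaching A's other networks but not the one behind the missing pair; replace B's /24 remote with a /16 and it surfaces as a near miss rather than a mirror.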
 
changlinnAuthor Commented:
Yep, the routes are set in the VPN at site B as you said, and if I remove the route to site C I can no longer ping it, as expected. The route to site A is there too, and the return routes are set up at site A. It is a real head scratcher.
 
dpk_walCommented:
Try this out: make a backup of the current configuration; then go ahead and delete the VPN settings for the above from the box; save to the Firebox and reboot the box, then configure from scratch again and observe the results.

We would have the config backup as a backup plan if anything breaks further.

I am not sure if this would be possible for you to do; please advise.

Thank you.
 
changlinnAuthor Commented:
Nope, still the same; completely wiped the VPN configs and tried again. It is really odd.
See the diagram here: http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A, as site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C, and site A-B still doesn't work.
 
prulandCommented:
Anyone here figure out this issue? I just started having the exact same problem.
 
dpk_walCommented:
I am not sure why aggressive mode would have any impact; AM is used for phase I and the routing problem faced should be a result of phase II. Am happy that at least the problem is resolved.
 
changlinnAuthor Commented:
Yeah I don't know either, and as the log above shows it was phase 2 that was failing.