Solved

Watchguard site to site VPN odd issue

Posted on 2007-11-27
10
1,994 Views
Last Modified: 2010-08-24
Hi everyone, saw a previous post on here about an issue with a watchguard site-site vpn similar to the one I am having but it didn't work http://www.experts-exchange.com/Networking/Security/IPSec/Q_22529592.html
The interesting issue with mine is we have 3 sites, A, B and C

Site A has a firebox, and an MPN (dedicated link) to site C, the firebox does the site-site VPN to site B.

Now site B can't ping or talk to site A (and vice-versa), but oddly enough it can talk to site C (and vice versa)
It was working, and no site-site rules or site-site vpn changes where made, someone did try and setup pptp on site A's firebox, but turned it all off after it didn't work, that is when the problem started.
I have tipple checked the routes, rules and VPN settings at both Site A and B, they are all fine.
I have even uploaded an archived config file from back when it worked, with no avail.

11/28/07 11:16  iked[135]:  Quick Mode processing failed

11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID

11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
0
Comment
Question by:changlinn
  • 5
  • 4
10 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20366359
>>Quick Mode processing failed

Above error log indicates that the phase II of the VPN negotiation failed and hence the VPN tunnel is not coming up; can you check to make sure that the IPSec routing policy which you have created is having the correct subnets, I mean the local and remote on site A are listed as remote and local on site C.

Further the phase II settings like DES, Encryption/Authentication algoithms, etc, are all identical.

>>11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX

11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

Above messages also demonstrate that the routing policies are incorrect.

Can you please check and update.

Thank you.
0
 
LVL 2

Author Comment

by:changlinn
ID: 20369583
Maybe be best with a diagram
<a href="http://img512.imageshack.us/my.php?image=diaggc2.jpg" target="_blank"><img src="http://img512.imageshack.us/img512/7043/diaggc2.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>
The main point I am making is site's B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes I have checked and triple checked either end of the A-B vpn tunnel, encryption for phase 1 and 2 is the same, and the routes haven't been changed, I even recreated the vpn at both ends with no success.

0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20380529
You need to have two routing policies:
say site C is 192.168.3.0/24
site A is 192.168.1.0/24
site B is 192.168.2.0/24

Local                                Remote            Tunnel

On site A:
192.168.1.0/24          192.168.2.0/24       tunnel-to-b
192.168.3.0/24          192.168.2.0/24       tunnel-to-b [you might use even another tunnel but same gateway]

On Site B:
192.168.2.0/24          192.168.1.0/24
192.168.2.0/24          192.168.3.0/24

Please check the settings and update if this makes any difference.

Thank you.
0
 
LVL 2

Author Comment

by:changlinn
ID: 20382106
yep the routes are set in the VPN, at site b as you said, and if I remove the route to site c I can no longer ping it as expected. The route to site a is there too, and the return routes are setup at site A it is a real head scratcher.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20384371
Try this out; make a backup of the current configuration; then go ahead and delete the VPN setting for the above from the bos; save to firebox and reboot the box and configure from scratch again; observe results.

We would have the config backup as backup plan if anything breaks further.

I am not sure if this would be possible for you to do, please advice.

Thank you.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 2

Author Comment

by:changlinn
ID: 20482825
Nope still the same, completely wiped the VPN configs and tried again. It is really odd.
See the diag here http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A. As site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C and site a-b still doesn't work.
0
 

Expert Comment

by:pruland
ID: 20491428
Anyone here figuure out this issue? I just started having the exact same problem.
0
 
LVL 2

Accepted Solution

by:
changlinn earned 0 total points
ID: 20497692
This almost did my head in, but another (3rd one to look at it) colleague looked at it today and within ten minutes found that at site A aggressive mode wasn't ticked, both the first guy that looked at it and my self had checked this, and ticked it at both ends and un-ticked it to no avail, so I have no idea why it worked when he ticked it, but we are backup.
All in all a very annoying experience.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20498010
I am not sure why agressive mode would have any impact; AM is used for phase I and the routing problem faced should be a result of phase II; am happy thtat at least the problem is resolved.
0
 
LVL 2

Author Comment

by:changlinn
ID: 20498821
Yeah I don't know either, and as the log above shows it was phase 2 that was failing.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 887 nat exemption for IPSEC vpn 13 147
DrayTek VPN Setup 2 41
ipsec tunnel question 15 67
Some Workstations cannot connect to RDS over VPN 10 29
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now