Solved

Watchguard site to site VPN odd issue

Posted on 2007-11-27
10
1,977 Views
Last Modified: 2010-08-24
Hi everyone, saw a previous post on here about an issue with a Watchguard site-to-site VPN similar to the one I am having, but it didn't work: http://www.experts-exchange.com/Networking/Security/IPSec/Q_22529592.html
The interesting issue with mine is we have 3 sites, A, B and C

Site A has a firebox, and an MPN (dedicated link) to site C, the firebox does the site-site VPN to site B.

Now site B can't ping or talk to site A (and vice versa), but oddly enough it can talk to site C (and vice versa).
It was working, and no site-to-site rules or site-to-site VPN changes were made; someone did try to set up PPTP on site A's firebox, but turned it all off after it didn't work, and that is when the problem started.
I have triple checked the routes, rules and VPN settings at both site A and B; they are all fine.
I have even uploaded an archived config file from back when it worked, to no avail.

11/28/07 11:16  iked[135]:  Quick Mode processing failed
11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
0
Question by:changlinn
10 Comments
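The iked lines quoted above carry the whole story of the failure, so it helps to read them mechanically: a QM-HDR* message from the peer means the Phase I (ISAKMP) SA already exists, "No Matching IPSec Policy found" means the responder could not find a Phase II policy whose selectors match what the peer proposed, and INVALID_ID_INFO is the notify sent back in that case. The parser below is an added example written for this thread, not a Watchguard tool; it works on a constructed copy of the log format shown in the question (the masked XXX.XXX.XXX.XXX address is kept as-is), and the verdict names it returns are our own labels.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample, modelled on the iked lines quoted in the question;
# the remote peer address is masked as XXX.XXX.XXX.XXX exactly as in the post.
SAMPLE_LOG = """\
11/28/07 11:16  iked[135]:  Quick Mode processing failed
11/28/07 11:16  iked[135]:  FROM  XXX.XXX.XXX.XXX QM-HDR* -92264A3D ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
11/28/07 11:16  iked[135]:  Getting IPSEC preferences as Responder propnum=1, mode=(Tunnel), laddr=61.29.41.34, raddr=XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)
11/28/07 11:16  iked[135]:  Sending INVALID_ID_INFO message
11/28/07 11:16  iked[135]:  TO    XXX.XXX.XXX.XXX IF-HDR* -EC34339B ISA_HASH ISA_NOTIFY
11/28/07 11:16  iked[135]:  Quick Mode processing failed
"""

# "<date> <time>  iked[<pid>]:  <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+\s+\S+)\s+iked\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# "laddr=<our gateway>, raddr=<peer gateway>" from the responder line
ADDR_RE = re.compile(r"laddr=(?P<laddr>[^,\s]+),\s*raddr=(?P<raddr>\S+)")
# "FROM <peer> QM-HDR* ..." / "TO <peer> IF-HDR* ..."
PEER_RE = re.compile(r"^(?:FROM|TO)\s+(?P<peer>\S+)\s+(?P<hdr>\S+)")


@dataclass
class IkeDiagnosis:
    quick_mode_seen: bool = False      # a QM-HDR* arrived, so a Phase I SA exists
    phase2_failed: bool = False        # "Quick Mode processing failed"
    no_matching_policy: bool = False   # responder found no IPSec policy for the peer
    invalid_id_sent: bool = False      # we answered the proposal with INVALID_ID_INFO
    laddr: Optional[str] = None        # our gateway address from the responder line
    raddr: Optional[str] = None        # peer gateway address from the responder line
    peers: Set[str] = field(default_factory=set)

    def verdict(self) -> str:
        # Labels are our own; they are not Watchguard terminology.
        if self.no_matching_policy and self.phase2_failed:
            return "phase2-policy-mismatch"
        if self.phase2_failed:
            return "phase2-failed"
        if not self.quick_mode_seen:
            return "phase1-incomplete"
        return "ok"


def diagnose(log_text: str) -> IkeDiagnosis:
    """Walk iked lines and collect the facts needed to place the failure in Phase I or II."""
    d = IkeDiagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # not an iked line; ignore
        msg = m.group("msg")
        pm = PEER_RE.match(msg)
        if pm:
            d.peers.add(pm.group("peer"))
            if pm.group("hdr").startswith("QM-HDR"):
                d.quick_mode_seen = True
        am = ADDR_RE.search(msg)
        if am:
            d.laddr, d.raddr = am.group("laddr"), am.group("raddr")
        if "Quick Mode processing failed" in msg:
            d.phase2_failed = True
        if "No Matching IPSec Policy" in msg:
            d.no_matching_policy = True
        if "INVALID_ID_INFO" in msg:
            d.invalid_id_sent = True
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result.verdict(), result.laddr, "->", result.raddr, sorted(result.peers))
```

On the sample above the verdict is "phase2-policy-mismatch": the peer got far enough to send a Quick Mode proposal, so this is a selector or policy problem on the responder rather than a pre-shared key or Phase I proposal problem.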
 
LVL 32

Expert Comment

by:dpk_wal
>>Quick Mode processing failed

Above error log indicates that the phase II of the VPN negotiation failed and hence the VPN tunnel is not coming up; can you check to make sure that the IPSec routing policy which you have created has the correct subnets, I mean the local and remote on site A are listed as remote and local on site C.

Further, the phase II settings like DES, encryption/authentication algorithms, etc., are all identical.

>>11/28/07 11:16  iked[135]:  WARNING - No Matching IPSec Policy found for XXX.XXX.XXX.XXX
>>11/28/07 11:16  iked[135]:  ACTION - Verify VPN IPSec Policies for XXX.XXX.XXX.XXX
>>11/28/07 11:16  iked[135]:  get_ipsec_pref: Unable to find channel info for remote(XXX.XXX.XXX.XXX)

Above messages also demonstrate that the routing policies are incorrect.

Can you please check and update.

Thank you.
0
 
LVL 2

Author Comment

by:changlinn
Maybe best with a diagram:
Diagram: http://img512.imageshack.us/my.php?image=diaggc2.jpg
The main point I am making is sites B and C can talk to each other, and A and C can talk. B has to send/receive data through A to get to C, so this is what has me confused.
And yes, I have checked and triple checked either end of the A-B VPN tunnel; encryption for phase 1 and 2 is the same, and the routes haven't been changed. I even recreated the VPN at both ends with no success.

0
 
LVL 32

Expert Comment

by:dpk_wal
You need to have two routing policies:
say site C is 192.168.3.0/24
site A is 192.168.1.0/24
site B is 192.168.2.0/24

On site A:
Local            Remote           Tunnel
192.168.1.0/24   192.168.2.0/24   tunnel-to-b
192.168.3.0/24   192.168.2.0/24   tunnel-to-b [you might use even another tunnel but same gateway]

On site B:
Local            Remote           Tunnel
192.168.2.0/24   192.168.1.0/24
192.168.2.0/24   192.168.3.0/24

Please check the settings and update if this makes any difference.

Thank you.
0
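The table above states the rule a responder applies in Quick Mode: every (local, remote) policy on one end must appear as (remote, local) on the other, tunnel names aside. The script below is an added example for this thread, not part of the original post or of any Watchguard product; it encodes the subnets from dpk_wal's table as constructed data, checks both ends for missing mirrors, and shows how a single typo in one selector (here a /25 instead of a /24 on site B, a constructed fault) would leave the responder with "no matching policy" for that pair. It models the selector match as exact, which is an assumption we make for the check, not a statement of how the firebox itself matches.

```python
from ipaddress import IPv4Network, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Policy(NamedTuple):
    local: IPv4Network
    remote: IPv4Network
    tunnel: str


def policy(local: str, remote: str, tunnel: str = "") -> Policy:
    # strict=False accepts a host address such as 192.168.1.1/24 and normalises it
    # to the network, so "192.168.1.1/24" and "192.168.1.0/24" compare equal.
    return Policy(ip_network(local, strict=False), ip_network(remote, strict=False), tunnel)


# Constructed data, taken from the subnets in dpk_wal's table above.
SITE_A: List[Policy] = [
    policy("192.168.1.0/24", "192.168.2.0/24", "tunnel-to-b"),
    policy("192.168.3.0/24", "192.168.2.0/24", "tunnel-to-b"),   # C's subnet, reached via A
]
SITE_B: List[Policy] = [
    policy("192.168.2.0/24", "192.168.1.0/24", "tunnel-to-a"),
    policy("192.168.2.0/24", "192.168.3.0/24", "tunnel-to-a"),
]
# Constructed fault for illustration: the B->C selector is a /25 instead of a /24.
SITE_B_BROKEN: List[Policy] = [
    policy("192.168.2.0/24", "192.168.1.0/24", "tunnel-to-a"),
    policy("192.168.2.0/24", "192.168.3.0/25", "tunnel-to-a"),
]


def mirror_mismatches(side_a: List[Policy], side_b: List[Policy]) -> List[Tuple[str, Policy]]:
    """Return every policy on either side that has no exact mirror on the other.

    The mirror of (local, remote) on A is (remote, local) on B. Tunnel names are
    ignored because each box names its tunnels independently (the table itself
    notes that a different tunnel to the same gateway is fine).
    """
    a_pairs = {(p.local, p.remote) for p in side_a}
    b_pairs = {(p.local, p.remote) for p in side_b}
    problems: List[Tuple[str, Policy]] = []
    for p in side_a:
        if (p.remote, p.local) not in b_pairs:
            problems.append(("A", p))
    for p in side_b:
        if (p.remote, p.local) not in a_pairs:
            problems.append(("B", p))
    return problems


def find_policy(policies: List[Policy], local: str, remote: str) -> Optional[Policy]:
    """What a responder would look for when a peer proposes the selector pair
    (peer's local = our remote, peer's remote = our local). Exact match is an
    assumption of this check, not a description of the firebox's own matching."""
    want = (ip_network(local, strict=False), ip_network(remote, strict=False))
    for p in policies:
        if (p.local, p.remote) == want:
            return p
    return None


def describe(problems: List[Tuple[str, Policy]]) -> List[str]:
    return [f"site {side}: {p.local} -> {p.remote} has no mirror on the other end"
            for side, p in problems]


if __name__ == "__main__":
    print("good config:", describe(mirror_mismatches(SITE_A, SITE_B)) or "all policies mirrored")
    print("broken config:")
    for line in describe(mirror_mismatches(SITE_A, SITE_B_BROKEN)):
        print("  ", line)
    # B proposes (192.168.2.0/24 -> 192.168.3.0/25); A looks for local 3.0/25, remote 2.0/24.
    print("A has policy for B's broken proposal:",
          find_policy(SITE_A, "192.168.3.0/25", "192.168.2.0/24") is not None)
```

Run against the two constructed configurations the good one reports nothing and the broken one reports both halves of the unmatched pair, which is the same situation the "No Matching IPSec Policy found" line in the question describes from the responder's side.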
 
LVL 2

Author Comment

by:changlinn
Yep, the routes are set in the VPN at site B as you said, and if I remove the route to site C I can no longer ping it, as expected. The route to site A is there too, and the return routes are set up at site A. It is a real head scratcher.
0
 
LVL 32

Expert Comment

by:dpk_wal
Try this out: make a backup of the current configuration; then go ahead and delete the VPN setting for the above from the box; save to the firebox and reboot the box, then configure from scratch again; observe results.

We would have the config backup as backup plan if anything breaks further.

I am not sure if this would be possible for you to do, please advise.

Thank you.
0
 
LVL 2

Author Comment

by:changlinn
Nope, still the same; completely wiped the VPN configs and tried again. It is really odd.
See the diagram here: http://img512.imageshack.us/my.php?image=diaggc2.jpg
It must be an issue in site A, as site B can still ping site C but not site A. I just don't know where the issue is.
I have even removed the routes at both ends for site C and site A-B still doesn't work.
0
 

Expert Comment

by:pruland
Anyone here figure out this issue? I just started having the exact same problem.
0
 
LVL 2

Accepted Solution

by:
changlinn earned 0 total points
This almost did my head in, but another colleague (the 3rd one to look at it) looked at it today and within ten minutes found that at site A aggressive mode wasn't ticked; both the first guy that looked at it and myself had checked this, and ticked it at both ends and un-ticked it to no avail, so I have no idea why it worked when he ticked it, but we are back up.
All in all a very annoying experience.
0
 
LVL 32

Expert Comment

by:dpk_wal
I am not sure why aggressive mode would have any impact; AM is used for phase I and the routing problem faced should be a result of phase II; am happy that at least the problem is resolved.
0
 
LVL 2

Author Comment

by:changlinn
Yeah I don't know either, and as the log above shows it was phase 2 that was failing.
0
