IPSEC VPN Tunnel Issue between Cisco 1941 & Watchguard

I have 4 other IPSEC tunnels from my Watchguard to 4 Cisco devices which are working perfectly. I am trying to set up a tunnel between my Watchguard and a new Cisco 1841 device. The VPN fails to go into an "UP" status. My configuration follows. Thank you for any help!

Current configuration : 7578 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CPDSU-Samworth
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ????????.
!
no aaa new-model
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name compasspharma.com
ip name-server ????????
ip name-server ????????
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-2103469988
!
crypto pki trustpoint TP-self-signed-1324596675
!
username compasspharma privilege 15 secret 5 ????????.
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ???????? address ????????.113 no-xauth
crypto isakmp key ???????? address ????????.2
!
!
crypto ipsec transform-set COMPASSIPSEC esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set SyncreticRep esp-3des esp-md5-hmac
!
crypto ipsec profile SYNCRETIC
 set transform-set ESP-3DES_MD5
!
crypto ipsec profile VTI
 set transform-set COMPASSIPSEC
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to ????????.2
 set peer ????????.2
 set transform-set SyncreticRep
 set pfs group1
 match address 105
!
!
!
interface Tunnel0
 ip address 192.168.90.1 255.255.255.0
 tunnel source ????????.105
 tunnel destination ????????.113
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$
 ip address 10.10.10.1 255.255.255.248
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description LAN$ETH-LAN$
 ip address 192.168.77.254 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay IETF
 ip route-cache flow
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 description WAN
 ip address ????????.105 255.255.255.248
 ip verify unicast reverse-path
 ip nbar protocol-discovery
 ip inspect SDM_LOW out
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 44
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
ip route 192.168.78.0 255.255.255.0 Tunnel0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0.1 overload
ip nat inside source static 192.168.77.1 ???????.106
ip nat inside source static 192.168.77.4 ???????.107
ip nat inside source static 192.168.77.10 ???????.108
!
ip access-list extended CompassDefault
 remark Default_Inbound
 remark SDM_ACL Category=1
 remark ICMP
 deny   icmp any any log
 permit udp any any
 permit ip any any
ip access-list extended sdm_serial0/0/0.1_in
 remark SDM_ACL Category=1
 remark VPN
 permit tcp any host 192.168.77.1 eq 1723
 permit udp any host 192.168.77.1 eq 1723
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip host 192.168.77.3 host 67.129.119.30
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.77.0 0.0.0.255 67.129.119.0 0.0.0.255
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 129.168.77.0 0.0.0.255 67.129.119.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.77.0 0.0.0.255 67.129.119.0 0.0.0.255 log
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip host 192.168.77.3 host 67.129.119.30 log
access-list 175 remark SDM_ACL Category=18
access-list 175 remark IPSec Rule
access-list 175 deny   ip host 192.168.77.3 host 67.129.119.30 log
access-list 175 remark IPSec Rule
access-list 175 permit ip host 192.168.77.3 host 67.129.119.30 log
access-list 175 deny   ip 192.168.77.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 175
!
!
!
control-plane
!
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
end



==========================
Results of Test (via SDM)
==========================

Router Model  1841  
Image Name  c1841-advsecurityk9-mz.124-3g.bin  
IOS Version  12.4(3g)  
Hostname  CPDSU-Samworth  


Test Activity Summary

Activity Status
Checking the tunnel status...  Down  
Checking interface status...  Successful  
Checking the configuration...  Successful  
Checking Routing...  Successful  
Checking peer connectivity...  Successful  
Checking NAT...  Successful  
Checking Firewall...  Successful  
Debugging the VPN connection ...  Completed  
Checking the tunnel status...  Down  


Test Activity Details

Activity Status
Checking the tunnel status...  Down  
    Encapsulation :0  
    Decapsulation :0  
    Send Error :0  
    Received Error :0  
Checking interface status...  Successful  
    Interface :Serial0/0/0.1  
    Interface physical status :Up  
    Line protocol status :Up  
Checking the configuration...  Successful  
    Checking IPSec  
    Crypto map name : SDM_CMAP_1  
    Sequence number : 1  
    Crypto map type : Static  
    Peer : Configured  
    Transform set : Configured  
    Interesting traffic : Configured  
    IPSec configuration status : Valid  
    Checking IKE  
    IKE Policies : Configured  
    Policies with pre shared key authentication method : Configured  
    Global pre shared key with wild cards : Not configured  
    Pre-shared key for :????????.2 Configured  
    IKE configuration status : Valid  
Checking Routing...  Successful  
    Peer ::????????.2:Valid(Routed through the crypto interface)  
    Traffic source :192.168.77.3:Valid(Route exists in routing table)  
    Traffic destination ::????????.30:Valid(Routed through the crypto interface)  
Checking peer connectivity...  Successful  
    Peer :????????.2:Successful  
Checking NAT...  Successful  
Checking Firewall...  Successful  
Debugging the VPN connection ...  Completed  
Checking the tunnel status...  Down  
    Encapsulation :0  
    Decapsulation :0  
    Send Error :0  
    Received Error :0  


Troubleshooting Results

Failure Reason(s):
 There is no response from the peer VPN device.

Recommended Action(s):
 1) Ensure that the tunnel traffic was generated from one of the tunnel sources.
 2) Check the peer VPN device configuration and ensure that the mirror configuration is present. The mirror configuration can be generated at 'Configure->VPN->Site to site VPN->Edit Site to site VPN'.

Thank you for any help - Tony
jforville asked:

dpk_wal commented:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ???????? address ????????.113 no-xauth
crypto isakmp key ???????? address ????????.2

I believe the above is the policy in question; if yes, then please make sure you have configured phase I with AES and pre-shared key. Can you also share some VPN logs from WG, as it would help to know which phase of the VPN tunnel is actually failing.

If you are not getting VPN logs, then go to Setup->Logging->Advanced; here enable logging for VPN logs.

Thank you.
jforville (Author) commented:
The crypto map in question is the one going to the ????????.2 address. I attached the results of the SDM connection test to the bottom of my original posting. Do you still need additional information besides this?
dpk_wal commented:
That Phase I of the VPN tunnel is not going through is all I can tell from the logs; if you have logs from the WG side, I can give some more details as to what in phase I is not matching.
Please note WG does not support xauth for site-to-site VPN tunnel.

Please make sure all phase I settings are identical, viz. encryption and authentication algorithms, pre-shared key, Diffie-Hellman groups; finally, that the public IP or FQDN used is correct and maps to the external IP of the devices.

Thank you.
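A common cause of the "no response from the peer" result above is a phase I parameter that looks set on one side but is silently defaulted on the other: in IOS, a `crypto isakmp policy` block that omits `hash` uses SHA, and one that omits `group` uses DH group 1, so policy 10 in the posted config actually proposes AES/SHA/PSK/group 2 and policy 2 proposes 3DES/MD5/PSK/group 1. The script below is an added example, not code from either poster. It parses the three policy blocks copied from the question, fills in the IOS defaults, and reports for each policy which phase I attributes would mismatch a peer proposal; the WatchGuard-side values, the pre-shared key and the peer address are constructed placeholders, not values from the thread.

```python
"""Check Cisco IOS ISAKMP (IKE phase 1) policies against a peer's proposal.

Added example for this thread, not code from the original posters.  It parses
the `crypto isakmp policy` blocks out of an IOS running-config, fills in the
IOS defaults for every attribute a block leaves unset, and reports for each
policy which phase 1 parameters would mismatch a given peer proposal.  The
WatchGuard-side values below are constructed assumptions.
"""
import re

# IOS defaults applied to any attribute not shown inside a policy block.
IOS_ISAKMP_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
}
# IKEv1 phase 1 parameters that must agree exactly (lifetime is negotiated
# separately, so it is deliberately left out of the comparison).
MATCH_KEYS = ("encr", "hash", "authentication", "group")

# Phase 1 blocks copied from the config posted in the question; the key and
# peer address are placeholders, not the real (redacted) values.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 192.0.2.2
"""


def parse_isakmp_policies(config):
    """Return {sequence: {attr: value}} with IOS defaults filled in."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IOS_ISAKMP_DEFAULTS)
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in IOS_ISAKMP_DEFAULTS:
                policies[current][key] = value
            continue
        current = None  # any non-indented line ends the policy block
    return policies


def compare_policies(policies, peer):
    """Return {sequence: [mismatch description, ...]} for every policy.

    An empty list means that policy would accept the peer's proposal.
    """
    return {
        seq: [
            f"{key}: router={attrs[key]} peer={peer.get(key)}"
            for key in MATCH_KEYS
            if attrs[key] != peer.get(key)
        ]
        for seq, attrs in sorted(policies.items())
    }


def first_matching_policy(report):
    """Lowest-numbered policy with no mismatches, or None if nothing matches."""
    for seq, mismatches in report.items():
        if not mismatches:
            return seq
    return None


if __name__ == "__main__":
    router = parse_isakmp_policies(SAMPLE_CONFIG)
    # Constructed WatchGuard phase 1 settings: AES-128, SHA-1, PSK, DH group 2.
    watchguard = {"encr": "aes", "hash": "sha", "authentication": "pre-share", "group": "2"}
    report = compare_policies(router, watchguard)
    for seq, mismatches in report.items():
        print(f"policy {seq}: {'MATCH' if not mismatches else ', '.join(mismatches)}")
    print("negotiated with policy:", first_matching_policy(report))
```

Run it with the peer's real phase I settings substituted into the `watchguard` dictionary; if every policy reports at least one mismatch, the IKE negotiation will never reach the pre-shared key check, which is consistent with the SDM test showing zero encapsulations and no peer response. The comparison is on IOS keyword spelling (`aes` means AES-128, `sha` means SHA-1), so translate the WatchGuard names accordingly before comparing.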