Solved

MUVPN Users are unable to log on.

Posted on 2008-06-18
Last Modified: 2013-11-16
Having trouble setting up MUVPN users on our new WatchGuard Firebox.  I have tried contacting WatchGuard tech support but they never seem to call me at an appropriate time.  Any help would be appreciated.  Here is what I have done so far.

Step 1:  I first setup the Authentication Server.  I am using Active Directory for authentication.  My settings are as follows:
IP Address:  100.100.100.5 (Domain controller)
Port: 389
Search Base: ou=SBSUsers,ou=Users,ou=MyBusiness,dc=miamicpas,dc=local (This is the active directory ou where all the users reside on the domain controller, SBS 2003)
Group string: memberOf
DN: blank
Password: blank
Login Attribute: sAMAccountName
DeadTime: 10 minutes

Step 2:   I created a mobile user vpn group. Under VPN, Remote Users.  These are the settings that I created.
Group name is: SBSUsers
Authentication Server: Active Directory
Allowed Access: 100.100.100.0/24 (IP Scheme of internal network)
Virtual IP Address Pool: 100.100.100.125 - 100.100.100.130 (Reserved address pool for vpn users on DC)
IPSEC Settings:
Key Negotiation Type: pre-shared key
Key Exp: 128000KB or 8 hours
Encr: AES (256 bit)
Auth: SHA1

At this point the mobile user VPN policy is automatically created, allowing all ports open for this specific user group.  I went ahead and exported the profile to a laptop which had the MUVPN software installed.  Importing the profile was successful, and I tried logging on using an aircard.  I keep getting the error "IKE Error phase 1, lost connection to peer".  This is where I am stuck.

I apologize with the long message, but I wanted to give all the details possible.  I hope someone can help.

Thanks,
Angel
Question by:montekane

Expert Comment

by:dpk_wal
ID: 21819268
Can you update if you tried connecting from behind WG itself or from another internet connection; from behind WG you would not be able to connect using MUVPN.

Also, can you post some logs from the traffic monitor or the client which would give some details as to what exactly failed in the VPN negotiations.

Thank you.
Accepted Solution

by: sam99my (earned 250 total points)
ID: 21819308
Before you install the client software, make sure the computer does not have any other IPSec mobile user VPN client software installed, and make sure the WG network adapter is not disabled (WatchGuard Secure Client Virtual NDIS6 Adapter).

Getting a phase 1 error is normally because the firewall is not listening for VPN traffic, or your VPN traffic is blocked by something else, such as Windows Firewall or any other firewall installed on your computer, or the gateway firewall; make sure all of them allow outgoing VPN traffic.

Try checking the profile settings: is the VPN gateway IP you are trying to connect to correct or not?

Try checking the traffic monitor for the status when you connect. You can go to Policy Manager > Setup > Logging > Advanced Diagnostics > VPN > IKE, set it to level high, and enable "Display diagnostics messages in traffic monitor" at the bottom.
Author Comment

by:montekane
ID: 21821697
Okay, I think I made some progress, but not much.  I removed the other VPN software I had installed (SonicWall), then turned on the logging for the VPN IKE connectivity.  Tried logging on from the laptop, which is using an aircard that is outside of the internal network.  I'm getting a different error with the client software now: "VPN Error - Lost contact to VPN Gateway".  I made sure there is no firewall on the client laptop.  Attached please see the log for the VPN traffic.  It shows the user mkane successfully logs on; it also shows that it connects to AD correctly because it's picking up the user's credentials.  At some point it states that it is deleting the tunnel to peer (IP address).

Any ideas?

Thanks,
Angel
trafficmon.jpg
Expert Comment

by:dpk_wal
ID: 21822439
There is no reason specified in the logs why the Firebox closed the session; can you delete the user, re-configure the user on the Firebox and then use the new .wgx file, and try if that changes anything.

Thank you.
Author Comment

by:montekane
ID: 21822549
The authentication is done through Active Directory.  There is no specific user created on the Firebox.  If you mean re-create the group that is set up for the VPN connection, I have already tried doing that several times.
Expert Comment

by:sam99my
ID: 21823195
What version of the MUVPN client are you using now, 7 or 10? Maybe you can show the log on the MUVPN software side.
Author Comment

by:montekane
ID: 21823525
Okay.  I got it to work!  I followed sam99my's advice and did the following.

Step 1:  Removed any other VPN software currently installed on the client laptop.
Step 2:  Double checked that the client firewall was either disabled or had the proper rules for IPSec.
Step 3:  Turned on logging for the WatchGuard Firebox in the corporate office; this was able to at least tell me there was no problem with authentication, the problem was with the actual connection.
Step 4:  Viewed the logs for the MUVPN software and noticed what the problem was: DHCP request failed.
Step 5:  Checked the profile settings, IP Address assignment, and noticed that the Private IP Address assignment was set to DHCP over IPSec.  I changed it to local IP address and it worked from there.

Once I connected, the virtual adapter picked an IP address from the pool of IPs that I set up on the Firebox.  After that I was unable to browse the network via DNS, but I was successful using IP addresses.  I disconnected, went into the profile settings and manually set up the DNS server address and the WINS server address.  Connected and I was browsing 100%.

Sorry about the long answer, I was descriptive just in case someone had the same problem.

Thanks for all your help!

Angel
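A small triage script, added here as an example and not part of the thread or of WatchGuard's own tooling, that maps the three error strings quoted in this thread to the checks the thread settled on and flags the two profile settings Angel had to change. The log lines, the 203.0.113.10 peer address and the profile field names are constructed for the example, not read from a real .wgx file.

```python
import re

# Error strings quoted in this thread (client and Firebox side), each paired with
# the check the thread's resolution pointed at. Patterns and advice are constructed.
SYMPTOMS = [
    (re.compile(r"IKE Error phase 1|lost connection to peer", re.I), "phase1",
     "Phase 1 never completed: connect from outside the Firebox, remove any other "
     "IPSec client, allow VPN traffic out through local and gateway firewalls, "
     "and confirm the gateway IP in the profile."),
    (re.compile(r"Lost contact to VPN Gateway", re.I), "tunnel_dropped",
     "Tunnel negotiated then dropped: read the MUVPN client log for the real "
     "failure; the Firebox log alone gave no reason."),
    (re.compile(r"DHCP request failed", re.I), "dhcp_over_ipsec",
     "Profile asks for DHCP over IPSec but the Firebox serves a static virtual IP "
     "pool: set Private IP Address assignment to 'Local IP address'."),
]

def triage_log(lines):
    """Return (category, advice) pairs for the symptoms seen, in log order, no repeats."""
    found = []
    for line in lines:
        for pattern, category, advice in SYMPTOMS:
            if pattern.search(line) and (category, advice) not in found:
                found.append((category, advice))
    return found

def check_profile(profile):
    """Flag the profile settings the thread had to change before browsing worked.

    profile is a plain dict with hypothetical field names, not the .wgx format.
    """
    issues = []
    if profile.get("ip_assignment", "").strip().lower() == "dhcp over ipsec":
        issues.append("ip_assignment: use 'Local IP address' with a static virtual IP pool")
    for key in ("dns_server", "wins_server"):
        if not profile.get(key):
            issues.append(f"{key}: not set, so name-based browsing over the tunnel fails")
    return issues

# Constructed sample client log; 203.0.113.10 is a documentation address, not the thread's gateway.
SAMPLE_CLIENT_LOG = [
    "2008-06-18 10:02:11 IKE Error phase 1, lost connection to peer 203.0.113.10",
    "2008-06-18 10:15:40 VPN Error - Lost contact to VPN Gateway",
    "2008-06-18 10:15:41 DHCP request failed",
]

if __name__ == "__main__":
    for category, advice in triage_log(SAMPLE_CLIENT_LOG):
        print(f"[{category}] {advice}")
    print(check_profile({"ip_assignment": "DHCP over IPSec"}))
```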