MUVPN Users are unable to log on.

Posted on 2008-06-18
Medium Priority
Last Modified: 2013-11-16
Having trouble setting up muvpn users on our new Watchguard Firebox.  I have tried contacting Watchguard tech support but they never seem to call me during an appropriate time.  Any help would be appreciated.  Here is hat I have done so far.  

Step 1:  I first setup the Authentication Server.  I am using Active Directory for authentication.  My settings are as follows:
IP Address: (Domain controller)
Port: 389
Search Base: ou=SBSUsers,ou=Users,ou=MyBusiness,dc=miamicpas,dc=local (This is the active directory ou where all the users reside on the domain controller, SBS 2003)
Group string: memberOf
DN: blank
Password: blank
Login Attribute: sMAccountName
DeadTime: 10 minutes

Step 2:   I created a mobile user vpn group. Under VPN, Remote Users.  These are the settings that I created.
Group name is: SBSUsers
Authentication Server: Active Directory
Allowed Access: (IP Scheme of internal network)
Virtual IP Address Pool: - (Reserved address pool for vpn users on DC)
IPSEC Settings:
Key Negotian Type: pre-shared key
Key Exp: 128000KB or 8 hours
Encr: AES (256 bit)
Auth: SHA1

At this point the mobile user vpn policy is automatically created allowing all ports open for this specific user group.  I went ahead and exported the profile o a laptop which had the muvpn software installed.  Imported the profile which was successful and tried logging on using an aircard.  I keep getting the error IKE Error phase 1, lost connection to peer.  This is where I am stuck.

I apologize with the long message, but I wanted to give all the details possible.  I hope someone can help.

Question by:montekane
  • 3
  • 2
  • 2
LVL 32

Expert Comment

ID: 21819268
Can you update if you tried connecting from behind WG itself or from another internet connection; from behind WG you would not be able to connect using MUVPN.

also, can you post some logs from traffic monitor or client which would give some details as to what exactly failed in VPN negotiations.

Thank you.

Accepted Solution

sam99my earned 1000 total points
ID: 21819308
Before you install the client software, make sure the computer does not have any other IPSec
mobile user VPN client software installed. and make sure WG network adpater are not disable (WatchGuard Secure Client Virtual NDIS6 Adapter)

getting phase 1 error normaly is because firewall are not listening VPN traffic, or your VPN traffic are blocked by something else, such as, windows firewall or any other firewall installed in your computer and Gateway firewall, make sure all are allowed VPN traffic outgoing.

try to check profile setting, the vpn gateway ip u try to connect is correct or not.

try to check traffic monitor what are the status when u connect, you can go to policy manager> setup > logging > advance diagnostics > VPN > IKE, set to level high, and enable "Display diagnostics messages in traffic monitor" at bottom.

Author Comment

ID: 21821697
Okay, I think I made some progress but not much.  I removed the other vpn software I had installed (Sonicwall), I then turned on the logging for the vpn ike connectivity.   Tried logging on from the laptop which is using an aircard that is outside of the internal network.  I'm getting a different error with the client software now, it is VPN Error - Lost contact to VPN Gateway.  I made sure there is no firewall on the client laptop.  Attached please see the log for the vpn traffic.  It shows the user mkane succesfully logs on, it also shows that it connects to AD correctly because it's picking up the users credentials.  At some point it states that it is deleting the tunnel to peer (ip address).

Any ideas?

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 32

Expert Comment

ID: 21822439
There is no reason specified in the logs why firebox closed the session; can you delete the user; re-configure user on firebox and then use the new .wgx file and try if that changes anything.

Thank you.

Author Comment

ID: 21822549
The authentication is done through Active Directory.  There is no specific user created on the firebox.  If you mean re-create the group that is setup for vpn connection, I have already tried doing that several times.

Expert Comment

ID: 21823195
what version of muvpn client you using now? 7 or 10? maybe can you show the log on muvpn software site.

Author Comment

ID: 21823525
Okay.  I got it to work!  I followed sam99my advise and I did the following.

Step 1:  Removed any other vpn software currently installed on the client laptop.
Step 2:  Double checked that the client firewall was either disabled or had the proper rules for ipsec
Step 3:  Turned on logging for the watchgurad firebox in the corporate office, this was able to at least tell me there as no problem with authentication, the problem was with the actual connection.
Step 4:  Viewed the logs for the muvpn software and noticed what the problem was, DHCP request failed.
Step 5:  Checked the profile settings, IP Address assignment, and noticed that th Private IP Address assignment was set to DHCP over IPSec.  I changed it to local IP address and it worked from there.

Once I connected the virtual adapter picked an ip address from the pool of ip's that I setup on the firebox.  After that I was unable to browse the network via DNS but I was successful using ip addresses.  I disconnected, went into the profile settings and manually setup the DNS server address and the WINS server address.  Connected and I was browsing 100%.

Sorry about the long answer, I was descriptive just in case someone had the same problem.

Thanks for all your help!


Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question