montekane asked:

MUVPN Users are unable to log on.

Having trouble setting up MUVPN users on our new Watchguard Firebox.  I have tried contacting Watchguard tech support but they never seem to call me during an appropriate time.  Any help would be appreciated.  Here is what I have done so far.

Step 1:  I first setup the Authentication Server.  I am using Active Directory for authentication.  My settings are as follows:
IP Address:  100.100.100.5 (Domain controller)
Port: 389
Search Base: ou=SBSUsers,ou=Users,ou=MyBusiness,dc=miamicpas,dc=local (This is the active directory ou where all the users reside on the domain controller, SBS 2003)
Group string: memberOf
DN: blank
Password: blank
Login Attribute: sAMAccountName
DeadTime: 10 minutes

Step 2:   I created a mobile user vpn group. Under VPN, Remote Users.  These are the settings that I created.
Group name is: SBSUsers
Authentication Server: Active Directory
Allowed Access: 100.100.100.0/24 (IP Scheme of internal network)
Virtual IP Address Pool: 100.100.100.125 - 100.100.100.130 (Reserved address pool for vpn users on DC)
IPSEC Settings:
Key Negotiation Type: pre-shared key
Key Exp: 128000KB or 8 hours
Encr: AES (256 bit)
Auth: SHA1

At this point the mobile user VPN policy is automatically created, allowing all ports open for this specific user group.  I went ahead and exported the profile to a laptop which had the MUVPN software installed.  Imported the profile, which was successful, and tried logging on using an aircard.  I keep getting the error "IKE Error phase 1, lost connection to peer."  This is where I am stuck.

I apologize for the long message, but I wanted to give all the details possible.  I hope someone can help.

Thanks,
Angel
dpk_wal:

Can you update if you tried connecting from behind WG itself or from another internet connection; from behind WG you would not be able to connect using MUVPN.

Also, can you post some logs from Traffic Monitor or the client which would give some details as to what exactly failed in the VPN negotiations.

Thank you.
ASKER CERTIFIED SOLUTION
sam99my
montekane (ASKER):

Okay, I think I made some progress, but not much.  I removed the other VPN software I had installed (Sonicwall), then turned on the logging for the VPN IKE connectivity.   Tried logging on from the laptop, which is using an aircard that is outside of the internal network.  I'm getting a different error with the client software now: "VPN Error - Lost contact to VPN Gateway."  I made sure there is no firewall on the client laptop.  Attached please see the log for the VPN traffic.  It shows the user mkane successfully logs on; it also shows that it connects to AD correctly because it's picking up the user's credentials.  At some point it states that it is deleting the tunnel to peer (IP address).

Any ideas?

Thanks,
Angel
[attachment: trafficmon.jpg]
There is no reason specified in the logs why the Firebox closed the session; can you delete the user, re-configure the user on the Firebox and then use the new .wgx file and try if that changes anything.

Thank you.
The authentication is done through Active Directory.  There is no specific user created on the Firebox.  If you mean re-create the group that is set up for the VPN connection, I have already tried doing that several times.
What version of the MUVPN client are you using now? 7 or 10? Maybe you can show the log from the MUVPN software side.
Okay.  I got it to work!  I followed sam99my's advice and did the following.

Step 1:  Removed any other VPN software currently installed on the client laptop.
Step 2:  Double-checked that the client firewall was either disabled or had the proper rules for IPsec.
Step 3:  Turned on logging for the Watchguard Firebox in the corporate office; this was able to at least tell me there was no problem with authentication, the problem was with the actual connection.
Step 4:  Viewed the logs for the MUVPN software and noticed what the problem was: DHCP request failed.
Step 5:  Checked the profile settings, IP Address assignment, and noticed that the Private IP Address assignment was set to DHCP over IPSec.  I changed it to local IP address and it worked from there.

Once I connected, the virtual adapter picked an IP address from the pool of IPs that I set up on the Firebox.  After that I was unable to browse the network via DNS, but I was successful using IP addresses.  I disconnected, went into the profile settings and manually set up the DNS server address and the WINS server address.  Connected, and I was browsing 100%.

Sorry about the long answer, I was descriptive just in case someone had the same problem.

Thanks for all your help!

Angel
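The troubleshooting sequence Angel describes (IKE phase 1, AD login, tunnel build, virtual IP assignment, then DNS/WINS) is really a pipeline, and the useful question at each failed attempt is "which stage did it stop at?". The script below is an added example, not part of this thread and not a Watchguard tool: it walks a list of log lines, records the furthest stage that succeeded and the first stage that failed, and maps that stage to the fix reported above. The message patterns are assumptions loosely based on the error strings quoted in the thread (real Firebox/MUVPN wording differs by version), the sample log is constructed, and 203.0.113.7 is a documentation-range placeholder for the peer address.

```python
import re

# Stages of a mobile-user IPsec VPN connection, in the order they happen.
STAGES = ["ike_phase1", "authentication", "ike_phase2", "virtual_ip", "name_resolution"]

# (success regex, failure regex) per stage, matched against lower-cased lines.
# The wording is an assumption for this example, loosely based on the error
# strings quoted in the thread; real Firebox/MUVPN messages vary by version.
PATTERNS = {
    "ike_phase1": (r"phase 1 (?:complete|established)",
                   r"ike error phase 1|lost connection to peer"),
    "authentication": (r"user \S+ (?:logged in|authenticated)",
                       r"authentication failed|invalid credentials"),
    "ike_phase2": (r"phase 2 (?:complete|established)|tunnel .*established",
                   r"phase 2 .*fail|deleting tunnel to peer|lost contact to vpn gateway"),
    "virtual_ip": (r"assigned virtual ip",
                   r"dhcp request failed"),
    "name_resolution": (r"dns server .* pushed",
                        r"dns .*(?:fail|timeout)"),
}

# What to check when the tunnel stops at a given stage.  Each hint restates a
# fix reported in the thread above.
HINTS = {
    "ike_phase1": ("Connect from outside the Firebox's own network; uninstall other "
                   "vendors' VPN clients; make sure the client firewall permits IPsec "
                   "(UDP 500/4500 and ESP)."),
    "authentication": ("Check the Authentication Server entry: AD host, search base DN, "
                       "login attribute and group string."),
    "ike_phase2": ("Phase 1 and login succeeded, so look past authentication: re-create "
                   "the user group, re-export the .wgx profile, and read the client-side "
                   "log rather than only the Firebox traffic monitor."),
    "virtual_ip": ("In the client profile, set Private IP Address assignment to a local IP "
                   "address from the Firebox pool instead of DHCP over IPSec."),
    "name_resolution": ("Set the DNS and WINS server addresses in the client profile; "
                        "access by IP works but name resolution does not."),
}


def triage(lines):
    """Return the furthest stage that succeeded and the first stage that failed."""
    reached = -1      # index into STAGES of the last successful stage seen
    failed = None     # name of the first failing stage seen
    for line in lines:
        low = line.lower()
        for idx, stage in enumerate(STAGES):
            ok_re, fail_re = PATTERNS[stage]
            if re.search(ok_re, low):
                reached = max(reached, idx)
            elif failed is None and re.search(fail_re, low):
                failed = stage
    reached_name = STAGES[reached] if reached >= 0 else None
    if failed is not None:
        hint = HINTS[failed]
    elif reached_name is None:
        hint = "No recognised VPN messages found in the log."
    elif reached == len(STAGES) - 1:
        hint = "All stages completed; the tunnel should be fully usable."
    else:
        hint = (f"No failure logged; log ends after {reached_name}. "
                f"Next stage to check: {STAGES[reached + 1]}.")
    return {"reached": reached_name, "failed": failed, "hint": hint}


# Constructed sample log (not a real capture) that mirrors the asker's second
# attempt: IKE and the AD login succeed, then the client's DHCP request fails
# and the Firebox tears the tunnel down.
SAMPLE_LOG = [
    "10:00:01 iked: phase 1 complete with peer 203.0.113.7",
    "10:00:02 iked: user mkane logged in from 203.0.113.7 via Active Directory",
    "10:00:03 iked: phase 2 complete, tunnel to 203.0.113.7 established",
    "10:00:09 client: DHCP request failed",
    "10:00:10 iked: deleting tunnel to peer 203.0.113.7",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"reached={result['reached']} failed={result['failed']}")
    print(result["hint"])
```

Run against the constructed sample it reports that the tunnel got as far as phase 2 and stopped at virtual IP assignment, which is exactly the "DHCP over IPSec" setting Angel changed in step 5; the original "IKE Error phase 1" attempt stops at the first stage, where the other-VPN-client and client-firewall checks apply.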