MUVPN Users are unable to log on.

Posted on 2008-06-18
Last Modified: 2013-11-16
Having trouble setting up muvpn users on our new Watchguard Firebox.  I have tried contacting Watchguard tech support but they never seem to call me during an appropriate time.  Any help would be appreciated.  Here is what I have done so far.

Step 1:  I first set up the Authentication Server.  I am using Active Directory for authentication.  My settings are as follows:
IP Address: (Domain controller)
Port: 389
Search Base: ou=SBSUsers,ou=Users,ou=MyBusiness,dc=miamicpas,dc=local (This is the active directory ou where all the users reside on the domain controller, SBS 2003)
Group string: memberOf
DN: blank
Password: blank
Login Attribute: sMAccountName
DeadTime: 10 minutes

Step 2:   I created a mobile user vpn group. Under VPN, Remote Users.  These are the settings that I created.
Group name is: SBSUsers
Authentication Server: Active Directory
Allowed Access: (IP Scheme of internal network)
Virtual IP Address Pool: - (Reserved address pool for vpn users on DC)
IPSEC Settings:
Key Negotiation Type: pre-shared key
Key Exp: 128000KB or 8 hours
Encr: AES (256 bit)
Auth: SHA1

At this point the mobile user vpn policy is automatically created allowing all ports open for this specific user group.  I went ahead and exported the profile to a laptop which had the muvpn software installed.  Imported the profile which was successful and tried logging on using an aircard.  I keep getting the error IKE Error phase 1, lost connection to peer.  This is where I am stuck.

I apologize for the long message, but I wanted to give all the details possible.  I hope someone can help.

Question by:montekane

Expert Comment

ID: 21819268
Can you update if you tried connecting from behind WG itself or from another internet connection; from behind WG you would not be able to connect using MUVPN.

Also, can you post some logs from traffic monitor or client which would give some details as to what exactly failed in VPN negotiations.

Thank you.

Accepted Solution

sam99my earned 250 total points
ID: 21819308
Before you install the client software, make sure the computer does not have any other IPSec mobile user VPN client software installed, and make sure the WG network adapter is not disabled (WatchGuard Secure Client Virtual NDIS6 Adapter).

Getting a phase 1 error normally is because the firewall is not listening for VPN traffic, or your VPN traffic is blocked by something else, such as Windows Firewall or any other firewall installed on your computer, or the gateway firewall. Make sure all of them allow outgoing VPN traffic.

Try checking the profile settings to see whether the VPN gateway IP you are trying to connect to is correct or not.

Try checking traffic monitor to see what the status is when you connect. You can go to policy manager > setup > logging > advance diagnostics > VPN > IKE, set the level to high, and enable "Display diagnostics messages in traffic monitor" at the bottom.

Author Comment

ID: 21821697
Okay, I think I made some progress but not much.  I removed the other vpn software I had installed (Sonicwall), I then turned on the logging for the vpn ike connectivity.  Tried logging on from the laptop which is using an aircard that is outside of the internal network.  I'm getting a different error with the client software now, it is VPN Error - Lost contact to VPN Gateway.  I made sure there is no firewall on the client laptop.  Attached please see the log for the vpn traffic.  It shows the user mkane successfully logs on, it also shows that it connects to AD correctly because it's picking up the users credentials.  At some point it states that it is deleting the tunnel to peer (ip address).

Any ideas?


Expert Comment

ID: 21822439
There is no reason specified in the logs why firebox closed the session; can you delete the user; re-configure user on firebox and then use the new .wgx file and try if that changes anything.

Thank you.

Author Comment

ID: 21822549
The authentication is done through Active Directory.  There is no specific user created on the firebox.  If you mean re-create the group that is setup for vpn connection, I have already tried doing that several times.

Expert Comment

ID: 21823195
What version of the muvpn client are you using now? 7 or 10? Maybe you can show the log on the muvpn software site.

Author Comment

ID: 21823525
Okay.  I got it to work!  I followed sam99my's advice and I did the following.

Step 1:  Removed any other vpn software currently installed on the client laptop.
Step 2:  Double checked that the client firewall was either disabled or had the proper rules for ipsec
Step 3:  Turned on logging for the Watchguard firebox in the corporate office, this was able to at least tell me there was no problem with authentication, the problem was with the actual connection.
Step 4:  Viewed the logs for the muvpn software and noticed what the problem was, DHCP request failed.
Step 5:  Checked the profile settings, IP Address assignment, and noticed that the Private IP Address assignment was set to DHCP over IPSec.  I changed it to local IP address and it worked from there.

Once I connected the virtual adapter picked an ip address from the pool of ip's that I setup on the firebox.  After that I was unable to browse the network via DNS but I was successful using ip addresses.  I disconnected, went into the profile settings and manually setup the DNS server address and the WINS server address.  Connected and I was browsing 100%.

Sorry about the long answer, I was descriptive just in case someone had the same problem.

Thanks for all your help!

