
Configuring Site to Site IPSEC VPN Between Pix 506 & Watchguard Edge

wlrandalljr asked
Last Modified: 2012-06-27
Currently we have a Cisco PIX 506 at 3 of our office branches, and we've just added a new branch with a Watchguard Edge x5 device. We're a Watchguard partner and versed on the setup of VPN for these devices, however the Pix is more of a "trial by fire" experience.

Here is the configuration of the device after I've tried to update it to match the setup of the other 3 sites:

Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password <removed> encrypted
passwd <removed> encrypted
hostname MHM
domain-name marketplacehome.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 204.147.87.226 eq www
access-list outside_access_in permit tcp any host 204.147.87.226 eq https
access-list outside_access_in permit tcp any host 204.147.87.226 eq ftp
access-list outside_access_in permit tcp any host 204.147.87.226 eq ftp-data
access-list outside_access_in permit tcp any host 204.147.87.226 eq 45535
access-list outside_access_in permit tcp any host 204.147.87.226 eq 3389
access-list outside_access_in permit tcp any host 204.147.87.228 eq 45535
access-list outside_access_in deny udp 192.168.0.0 255.255.248.0 192.168.2.0 255.255.255.0 eq netbios-dgm
access-list outside_access_in deny udp 192.168.0.0 255.255.248.0 192.168.2.0 255.255.255.0 eq 139
access-list outside_access_in permit ip 192.168.0.0 255.255.248.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp any host 204.147.87.226 eq smtp
access-list outside_access_in permit tcp any host 204.147.87.227 eq www
access-list outside_access_in permit tcp any host 204.147.87.227 eq https
access-list outside_access_in permit tcp any host 204.147.87.226 eq pop3
access-list outside_access_in permit tcp any host 204.147.87.230 eq https
access-list outside_access_in permit tcp any host 204.147.87.230 eq 3389
access-list outside_access_in permit gre any host 204.147.87.231
access-list outside_access_in permit tcp any host 204.147.87.231 eq pptp
access-list outside_access_in permit tcp any host 204.147.87.231 eq 45535
access-list outside_access_in permit tcp any host 204.147.87.230 eq www
access-list outside_access_in permit tcp any host 204.147.87.231 eq www
access-list outside_access_in permit tcp any host 204.147.87.231 eq https
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list mendotaheights permit ip 192.168.200.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list mendotaheights permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list mendotaheights permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list mendotaheights permit ip 10.0.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list coonrapids permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list coonrapids permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list coonrapids permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list coonrapids permit ip 10.0.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list duluth permit ip 192.168.200.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list duluth permit ip 192.168.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list duluth permit ip 192.168.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list duluth permit ip 192.168.3.0 255.255.255.0 10.0.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 204.147.87.253 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.200.1-192.168.200.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.248.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 192.168.2.7 255.255.255.255 inside
pdm location 192.168.2.9 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.4 255.255.255.255 inside
pdm location 192.168.2.6 255.255.255.255 inside
pdm location 192.168.2.189 255.255.255.255 inside
pdm location 10.0.10.0 255.255.255.0 inside
pdm location 10.0.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 204.147.87.225
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 204.147.87.226 192.168.2.7 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.227 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.228 192.168.2.4 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.231 192.168.2.3 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.230 192.168.2.189 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.147.87.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set mypix esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set mypix
crypto map edinamap 10 ipsec-isakmp dynamic dynmap
crypto map edinamap 11 ipsec-isakmp
crypto map edinamap 11 match address coonrapids
crypto map edinamap 11 set peer 209.181.247.202
crypto map edinamap 11 set transform-set mypix
crypto map edinamap 12 ipsec-isakmp
crypto map edinamap 12 match address mendotaheights
crypto map edinamap 12 set peer 209.181.247.194
crypto map edinamap 12 set transform-set mypix
crypto map edinamap 13 ipsec-isakmp
crypto map edinamap 13 match address duluth
crypto map edinamap 13 set peer 69.130.223.115
crypto map edinamap 13 set transform-set myset
crypto map edinamap client configuration address initiate
crypto map edinamap client configuration address respond
crypto map edinamap interface outside
isakmp enable outside
isakmp key ******** address 209.181.247.194 netmask 255.255.255.255
isakmp key ******** address 209.181.247.202 netmask 255.255.255.255
isakmp key ******** address 69.130.223.115 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
vpngroup ciscoclient dns-server 192.168.2.3 192.168.2.2
vpngroup ciscoclient wins-server 192.168.2.2
vpngroup ciscoclient default-domain marketplacehome.com
vpngroup ciscoclient idle-time 1800
vpngroup ciscoclient password ********
telnet 192.168.0.0 255.255.248.0 outside
telnet 192.168.200.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns 192.168.2.3 192.168.2.2
vpdn group 1 client configuration wins 192.168.2.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username uswest password *********
vpdn username shharris password *********
vpdn username csctech password *********
vpdn enable outside
username qwest password <removed> encrypted privilege 2
username shharris password <removed> encrypted privilege 2
terminal width 80
Cryptochecksum:e3e72c761e85d03e2d7b8b3ae77fd584
: end

I'm using DES-MD5 for both Phase 1 & Phase 2 with IKE Keep Alive and DH Group 2 on the Watchguard. Where am I going wrong?


Author

Commented:
I've changed the dynamic map as recommended to 65535 and removed the unnecessary routes from the source to destination networks. I've even gone as far as to add a new transform-set (for 3des/sha) and a new ISAKMP policy (for 3des/sha) with no success.

In looking in the Watchguard log, I noticed I am getting this:

2008-07-08-09:52:51 MONITOR rekey caused by packet from 10.0.10.5 to 192.168.2.5 protocol 1
2008-07-08-09:52:51 MONITOR remote gateway (204.147.87.253) dead - force rekey
2008-07-08-09:52:11 MONITOR Received a packet for an unknown SA
2008-07-08-09:52:11 MONITOR Rejecting peer XAUTH request: not configured

I removed the current key on the PIX and re-entered it, but no change. Also on the PIX, under the IKE SA VPN status, I have a QM_CONF_ADDR with a source of 69.130.223.115 and a destination of 204.147.87.253.

Here is my current PIX config:

Result of firewall command: "show run"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname MHM
domain-name marketplacehome.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 204.147.87.226 eq www
access-list outside_access_in permit tcp any host 204.147.87.226 eq https
access-list outside_access_in permit tcp any host 204.147.87.226 eq ftp
access-list outside_access_in permit tcp any host 204.147.87.226 eq ftp-data
access-list outside_access_in permit tcp any host 204.147.87.226 eq 45535
access-list outside_access_in permit tcp any host 204.147.87.226 eq 3389
access-list outside_access_in permit tcp any host 204.147.87.228 eq 45535
access-list outside_access_in deny udp 192.168.0.0 255.255.248.0 192.168.2.0 255.255.255.0 eq netbios-dgm
access-list outside_access_in deny udp 192.168.0.0 255.255.248.0 192.168.2.0 255.255.255.0 eq 139
access-list outside_access_in permit ip 192.168.0.0 255.255.248.0 192.168.2.0 255.255.255.0
access-list outside_access_in permit tcp any host 204.147.87.226 eq smtp
access-list outside_access_in permit tcp any host 204.147.87.227 eq www
access-list outside_access_in permit tcp any host 204.147.87.227 eq https
access-list outside_access_in permit tcp any host 204.147.87.226 eq pop3
access-list outside_access_in permit tcp any host 204.147.87.230 eq https
access-list outside_access_in permit tcp any host 204.147.87.230 eq 3389
access-list outside_access_in permit gre any host 204.147.87.231
access-list outside_access_in permit tcp any host 204.147.87.231 eq pptp
access-list outside_access_in permit tcp any host 204.147.87.231 eq 45535
access-list outside_access_in permit tcp any host 204.147.87.230 eq www
access-list outside_access_in permit tcp any host 204.147.87.231 eq www
access-list outside_access_in permit tcp any host 204.147.87.231 eq https
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list no_nat_inside permit ip 192.168.2.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list mendotaheights permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list coonrapids permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list duluth permit ip 192.168.2.0 255.255.255.0 10.0.10.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 204.147.87.253 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.200.1-192.168.200.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.3 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.0.0 255.255.248.0 outside
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 192.168.2.7 255.255.255.255 inside
pdm location 192.168.2.9 255.255.255.255 inside
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.2.4 255.255.255.255 inside
pdm location 192.168.2.6 255.255.255.255 inside
pdm location 192.168.2.189 255.255.255.255 inside
pdm location 10.0.10.0 255.255.255.0 inside
pdm location 10.0.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 204.147.87.225
nat (inside) 0 access-list no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 204.147.87.226 192.168.2.7 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.227 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.228 192.168.2.4 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.231 192.168.2.3 netmask 255.255.255.255 0 0
static (inside,outside) 204.147.87.230 192.168.2.189 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.147.87.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set mypix esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set securevpn ah-sha-hmac esp-3des
crypto dynamic-map dynmap 65535 set transform-set mypix
crypto map edinamap 11 ipsec-isakmp
crypto map edinamap 11 match address coonrapids
crypto map edinamap 11 set peer 209.181.247.202
crypto map edinamap 11 set transform-set mypix
crypto map edinamap 12 ipsec-isakmp
crypto map edinamap 12 match address mendotaheights
crypto map edinamap 12 set peer 209.181.247.194
crypto map edinamap 12 set transform-set mypix
crypto map edinamap 13 ipsec-isakmp
crypto map edinamap 13 match address duluth
crypto map edinamap 13 set peer 69.130.223.115
crypto map edinamap 13 set transform-set securevpn
crypto map edinamap 65535 ipsec-isakmp dynamic dynmap
crypto map edinamap client configuration address initiate
crypto map edinamap client configuration address respond
crypto map edinamap interface outside
isakmp enable outside
isakmp key ******** address 209.181.247.194 netmask 255.255.255.255
isakmp key ******** address 209.181.247.202 netmask 255.255.255.255
isakmp key ******** address 69.130.223.115 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
vpngroup ciscoclient dns-server 192.168.2.3 192.168.2.2
vpngroup ciscoclient wins-server 192.168.2.2
vpngroup ciscoclient default-domain marketplacehome.com
vpngroup ciscoclient idle-time 1800
vpngroup ciscoclient password ********
telnet 192.168.0.0 255.255.248.0 outside
telnet 192.168.200.0 255.255.255.0 outside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns 192.168.2.3 192.168.2.2
vpdn group 1 client configuration wins 192.168.2.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username uswest password *********
vpdn username shharris password *********
vpdn username csctech password *********
vpdn enable outside
username qwest password  encrypted privilege 2
username shharris password  encrypted privilege 2
terminal width 80
Cryptochecksum:669f6c8a9b1b15ef2400710dec982763
: end

And a snippet of the Watchguard config:

networking.ipsec.remote_gw.204.147.87.253.ike_prefs:
networking.ipsec.remote_gw.securevpn.id: 204.147.87.253
networking.ipsec.remote_gw.securevpn.id_type: ID_IPV4_ADDR
networking.ipsec.remote_gw.securevpn.ike_prefs:
networking.ipsec.remote_gw.securevpn.ike_prefs.dh_group: 1
networking.ipsec.remote_gw.securevpn.ike_prefs.encr_alg: 2
networking.ipsec.remote_gw.securevpn.ike_prefs.hash_alg: 2
networking.ipsec.remote_gw.securevpn.ike_prefs.hours: 24
networking.ipsec.remote_gw.securevpn.ike_prefs.id: 69.130.223.115
networking.ipsec.remote_gw.securevpn.ike_prefs.kbytes: 0
networking.ipsec.remote_gw.securevpn.ike_prefs.keep_alive_interval: 60
networking.ipsec.remote_gw.securevpn.ike_prefs.keep_alive_max: 3
networking.ipsec.remote_gw.securevpn.ike_prefs.seconds: 86400
networking.ipsec.remote_gw.securevpn.ip: 204.147.87.253
networking.ipsec.remote_gw.securevpn.myid: 69.130.223.115
networking.ipsec.remote_gw.securevpn.myid_type: ID_IPV4_ADDR
networking.ipsec.remote_gw.securevpn.sharedkey:
networking.ipsec.remote_gw.securevpn.type: isakmp
networking.ipsec.tunnel.securevpn000.remote_gw: securevpn
networking.ipsec.tunnel.securevpn000.sap.00.esp.alg: 2
networking.ipsec.tunnel.securevpn000.sap.00.esp.authalg: 2
networking.ipsec.tunnel.securevpn000.sap.00.life.hours: 24
networking.ipsec.tunnel.securevpn000.sap.00.life.kbytes: 8192
networking.ipsec.tunnel.securevpn000.sap.00.life.seconds: 86400
networking.ipsec.tunnel.securevpn000.sap.00.type: ESP
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Try this:

isakmp key ******** address 69.130.223.115 netmask 255.255.255.255 no-xauth no-config-mode

If that doesn't work, I would also like to see the result of "show cry is sa". If it shows QM_IDLE, then also post "show cry ip sa".

I don't see anywhere in the Watchguard config where you specify local and remote protected subnets. It should only have local network 10.0.10.0/24 and remote network 192.168.2.0/24 to mirror your access-list duluth.
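
The two points in this answer (exempt the site-to-site peer from XAUTH/mode-config, and make the PIX crypto ACL the exact mirror of the Watchguard's local and remote networks) can be checked mechanically. The lint below is an added example written for this thread, not code from the poster or either vendor; it parses a constructed excerpt of the posted PIX config and compares it with the Watchguard settings as the poster described them (DES/MD5 in both phases, pre-shared key, DH group 2), which are taken here as an assumption rather than decoded from the Watchguard dump, and it also flags the Phase 2 transform-set change visible in the second config.

```python
# Excerpt of the PIX config posted in this thread (constructed sample: only the
# lines the checks below look at; the poster already masked the key).
PIX_CONFIG = """
access-list duluth permit ip 192.168.2.0 255.255.255.0 10.0.10.0 255.255.255.0
crypto ipsec transform-set mypix esp-des esp-md5-hmac
crypto ipsec transform-set securevpn ah-sha-hmac esp-3des
crypto dynamic-map dynmap 65535 set transform-set mypix
crypto map edinamap 13 ipsec-isakmp
crypto map edinamap 13 match address duluth
crypto map edinamap 13 set peer 69.130.223.115
crypto map edinamap 13 set transform-set securevpn
crypto map edinamap client configuration address respond
isakmp key ******** address 69.130.223.115 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
vpngroup ciscoclient password ********
"""

# Same excerpt with the expert's no-xauth/no-config-mode flags added and the
# transform-set put back to DES/MD5 so that it matches the peer.
PIX_CONFIG_FIXED = PIX_CONFIG.replace(
    "netmask 255.255.255.255", "netmask 255.255.255.255 no-xauth no-config-mode"
).replace("13 set transform-set securevpn", "13 set transform-set mypix")

# What the Watchguard is set to, as the poster states it: DES/MD5 in both
# phases, pre-shared key, DH group 2, plain ESP. Assumed from the thread, not
# decoded from the numeric algorithm codes in the Watchguard dump.
PEER = {
    "ip": "69.130.223.115",
    "local_net": "10.0.10.0/24",     # the peer's own LAN
    "remote_net": "192.168.2.0/24",  # the PIX LAN as the peer sees it
    "phase1": {"authentication": "pre-share", "encryption": "des",
               "hash": "md5", "group": "2"},
    "phase2": {"esp-des", "esp-md5-hmac"},
}

def parse_pix(text):
    """Pull the crypto-relevant statements out of a PIX 6.x running config."""
    cfg = {"acl": {}, "tset": {}, "map": {}, "key": {}, "policy": {},
           "remote_access": False}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][w[3]] = set(w[4:])
        elif w[0] == "vpngroup" or w[1:2] == ["dynamic-map"] or w[3:4] == ["client"]:
            cfg["remote_access"] = True          # box also serves VPN clients
        elif w[:2] == ["crypto", "map"] and len(w) == 7 and w[4] in ("match", "set"):
            entry = cfg["map"].setdefault((w[2], w[3]), {})
            entry["acl" if w[4] == "match" else w[5]] = w[6]
        elif w[:2] == ["isakmp", "key"]:
            cfg["key"][w[4]] = set(w[7:])        # flags after the netmask
        elif w[:2] == ["isakmp", "policy"]:
            cfg["policy"].setdefault(w[2], {})[w[3]] = w[4]
    return cfg

def mask_len(mask):
    return sum(bin(int(o)).count("1") for o in mask.split("."))

def lint(cfg, peer):
    """Return the mismatches between the PIX config and what the peer expects."""
    findings = []
    entries = [e for e in cfg["map"].values() if e.get("peer") == peer["ip"]]
    if not entries:
        return ["no static crypto map entry for peer %s" % peer["ip"]]
    entry = entries[0]
    # 1. A PIX that also serves VPN clients tries XAUTH and mode-config with its
    #    pre-shared-key peers unless the key is flagged; the Watchguard log in
    #    the thread ("Rejecting peer XAUTH request") is that exchange failing.
    if cfg["remote_access"]:
        missing = {"no-xauth", "no-config-mode"} - cfg["key"].get(peer["ip"], set())
        if missing:
            findings.append("isakmp key for %s lacks %s" % (peer["ip"], sorted(missing)))
    # 2. The phase 2 proposal must be identical on both ends.
    tname = entry.get("transform-set")
    tset = cfg["tset"].get(tname, set())
    if tset != peer["phase2"]:
        findings.append("transform-set %s offers %s, peer expects %s"
                        % (tname, sorted(tset), sorted(peer["phase2"])))
    # 3. At least one isakmp policy must match the peer's phase 1 proposal.
    if not any(all(p.get(k) == v for k, v in peer["phase1"].items())
               for p in cfg["policy"].values()):
        findings.append("no isakmp policy matches the peer's phase 1 proposal")
    # 4. The crypto ACL must be the exact mirror of the peer's local/remote nets.
    want = (peer["remote_net"], peer["local_net"])      # PIX-side network first
    have = {("%s/%d" % (s, mask_len(sm)), "%s/%d" % (d, mask_len(dm)))
            for s, sm, d, dm in cfg["acl"].get(entry.get("acl"), [])}
    if have != {want}:
        findings.append("crypto ACL %s covers %s, expected only %s"
                        % (entry.get("acl"), sorted(have), want))
    return findings
```

Fed the first config posted in this thread instead of the excerpt, check 4 would also report the three extra entries in access-list duluth that were removed in the second posting.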

Author

Commented:
I think with the Watchguard the local/remote network mappings are in a different part of the configuration, but in the GUI it is set up as you mentioned.

After updating the key policy there's still no connection.

Here is the result of the "show cry is sa":

Total : 3
Embryonic : 0
dst src state pending created
204.147.87.253 69.130.223.115 OAK_CONF_ADDR 0 0
209.181.247.202 204.147.87.253 QM_IDLE 0 6
204.147.87.253 209.181.247.194 QM_IDLE 0 1

And here is the "show cry ip sa":
Result of firewall command: "show cry ip sa"

interface: outside
Crypto map tag: edinamap, local addr. 204.147.87.253
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 209.181.247.194:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2088983, #pkts encrypt: 2088983, #pkts digest 2088983
#pkts decaps: 2091238, #pkts decrypt: 2091244, #pkts verify 2091244
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.194
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: d9fd6ec
inbound esp sas:
spi: 0x9a2f9fba(2586812346)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 11, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4513292/11952)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xd9fd6ec(228579052)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 12, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4513920/11959)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 209.181.247.202:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1993013, #pkts encrypt: 1993013, #pkts digest 1993013
#pkts decaps: 2346293, #pkts decrypt: 2346518, #pkts verify 2346518
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.202
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 740868dd
inbound esp sas:
spi: 0x12aa8966(313166182)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4607628/28249)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x740868dd(1946708189)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4607602/28249)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 209.181.247.194:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 4311, #pkts decrypt: 4311, #pkts verify 4311
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.194
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 1f561f49
inbound esp sas:
spi: 0x3f356b2b(1060465451)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4607994/13494)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1f561f49(525737801)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4608000/13494)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 209.181.247.202:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 4929, #pkts decrypt: 4929, #pkts verify 4929
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.202
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 1d7f0d9f
inbound esp sas:
spi: 0x1c673e96(476528278)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 10, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4607999/28638)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1d7f0d9f(494865823)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 9, crypto map: edinamap
sa timing: remaining key lifetime (k/sec): (4608000/28647)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: 69.130.223.115:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 69.130.223.115
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: 69.130.223.115:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 278, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 69.130.223.115
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: 69.130.223.115:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 69.130.223.115
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 209.181.247.194:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.194
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: 69.130.223.115:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 69.130.223.115
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 209.181.247.202:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.202
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 209.181.247.202:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.202
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 209.181.247.194:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 209.181.247.194
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Les Moore, Systems Architect
CERTIFIED EXPERT
Top Expert 2008
Commented:

Author

Commented:
I think we're almost there; the reboot seems to have made some difference!
 
I'm seeing QM_IDLE on the PIX for the tunnel, and in the WG logs I'm seeing this:

2008-07-08 21:44:17 MONITOR Quick Mode processing failed
2008-07-08 21:44:17 MONITOR ACTION - Verify Gateway 204.147.87.253 Tunnel Phase 2 Settings
2008-07-08 21:44:17 MONITOR WARNING - Remote Gateway 204.147.87.253 using AH, expecting ESP
2008-07-08 21:44:13 MONITOR Received a packet for an unknown SA
2008-07-08 21:44:13 MONITOR Rejecting peer XAUTH request: not configured

I'm thinking there's something on the WG I need to change to match the PIX, but what could it be?

Author

Commented:
Figured it out!

I had to issue the following commands in the PIX:

no crypto ipsec transform-set securevpn ah-sha-hmac esp-3des
crypto ipsec transform-set securevpn esp-3des esp-sha-hmac

Once I saved and rebooted, the VPN was up!

Thanks for your help in getting me this far - the points are yours!
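The `show crypto ipsec sa` output posted earlier and the transform-set fix above come down to one question: did Phase 2 ever produce an ESP SA for each crypto-map entry? In that output every entry shows empty `inbound esp sas:` / `outbound esp sas:` sections and `current outbound spi: 0`, which is what a Quick Mode failure such as the AH-versus-ESP mismatch looks like from the PIX side (the `#send errors` counter typically climbs when traffic matched the crypto ACL but could not be protected). The parser below is an added example, not code from this thread or from Cisco: it reads PIX 6.x `show crypto ipsec sa` text, reports entries with no established ESP SA, and for established entries lists the negotiated transform so an AH transform is visible. The sample input reuses the (trimmed) 192.168.3.0 -> 10.0.10.0 entry from the posted output and adds one constructed healthy entry; the peer 198.51.100.7, crypto map name `outside_map`, SPIs and packet counters in that second entry are invented for illustration.

```python
"""Triage Cisco PIX 6.x 'show crypto ipsec sa' output for Phase 2 failures.

Added example, not from the original thread. Each crypto-map entry starts
with a 'local ident' line; a tunnel is considered up only when both the
'inbound esp sas:' and 'outbound esp sas:' sections list an SPI and
'current outbound spi' is non-zero.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the failed 192.168.3.0 -> 10.0.10.0 entry from the thread plus
# one CONSTRUCTED healthy entry (peer 198.51.100.7, map 'outside_map', SPIs and
# counters are all invented for illustration).
SAMPLE_OUTPUT = """\
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer: 69.130.223.115:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 69.130.223.115
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 198.51.100.7:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest 1200
#pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify 1187
#send errors 0, #recv errors 0
local crypto endpt.: 204.147.87.253, remote crypto endpt.: 198.51.100.7
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 1a2b3c4d
inbound esp sas:
 spi: 0x5e6f7a8b(1584495243)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 3, crypto map: outside_map
inbound ah sas:
inbound pcp sas:
outbound esp sas:
 spi: 0x1a2b3c4d(439041101)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 4, crypto map: outside_map
outbound ah sas:
outbound pcp sas:
"""


@dataclass
class SaEntry:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    send_errors: int = 0
    outbound_spi: str = "0"
    inbound_esp: List[str] = field(default_factory=list)   # SPIs under 'inbound esp sas:'
    outbound_esp: List[str] = field(default_factory=list)  # SPIs under 'outbound esp sas:'
    transforms: List[str] = field(default_factory=list)    # negotiated transform strings

    @property
    def established(self) -> bool:
        return bool(self.inbound_esp and self.outbound_esp) and self.outbound_spi != "0"

    def uses_ah(self) -> bool:
        # ah-md5-hmac / ah-sha-hmac tokens mean AH was negotiated for this SA
        return any(tok.startswith("ah-") for t in self.transforms for tok in t.split())


_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((.+)\)")
_FIELDS = [  # (regex, attribute, converter) for single-value lines
    (re.compile(r"remote ident \(addr/mask/prot/port\): \((.+)\)"), "remote_ident", str),
    (re.compile(r"current_peer: ([\d.]+):\d+"), "peer", str),
    (re.compile(r"#pkts encaps: (\d+),"), "pkts_encaps", int),
    (re.compile(r"#pkts decaps: (\d+),"), "pkts_decaps", int),
    (re.compile(r"#send errors (\d+),"), "send_errors", int),
    (re.compile(r"current outbound spi: (\S+)"), "outbound_spi", str),
]
_SECTION = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
_SPI = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
_TRANSFORM = re.compile(r"transform: (.+)")


def parse_ipsec_sa(text: str) -> List[SaEntry]:
    """Split the output into one SaEntry per crypto-map entry."""
    entries: List[SaEntry] = []
    cur: Optional[SaEntry] = None
    section = ""  # which 'sas:' section we are inside, e.g. 'inbound_esp'
    for raw in text.splitlines():
        line = raw.strip()
        m = _LOCAL.match(line)
        if m:
            cur = SaEntry(local_ident=m.group(1))
            entries.append(cur)
            section = ""
            continue
        if cur is None or not line:
            continue
        for rx, attr, conv in _FIELDS:
            m = rx.match(line)
            if m:
                setattr(cur, attr, conv(m.group(1)))
                break
        else:
            m = _SECTION.match(line)
            if m:
                section = f"{m.group(1)}_{m.group(2)}"
                continue
            m = _SPI.match(line)
            if m and section == "inbound_esp":
                cur.inbound_esp.append(m.group(1))
            elif m and section == "outbound_esp":
                cur.outbound_esp.append(m.group(1))
            else:
                m = _TRANSFORM.match(line)
                if m:
                    cur.transforms.append(m.group(1).rstrip(" ,"))
    return entries


def triage(text: str) -> List[str]:
    """One finding per entry needing attention; an empty list means every tunnel is up."""
    findings: List[str] = []
    for e in parse_ipsec_sa(text):
        label = f"{e.local_ident} -> {e.remote_ident} via {e.peer}"
        if not e.established:
            findings.append(f"NO PHASE 2 SA: {label} (send errors={e.send_errors}, "
                            f"encaps={e.pkts_encaps}, decaps={e.pkts_decaps})")
        elif e.uses_ah():
            findings.append(f"AH NEGOTIATED: {label} transforms={e.transforms}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_OUTPUT):
        print(line)
```

Paste the full `show crypto ipsec sa` output into `triage()` after a change such as the transform-set fix: a healthy peer drops out of the findings, and any entry still listed with zero encaps and zero send errors has simply never seen interesting traffic, which is worth knowing before blaming the crypto settings.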