Solved

FireboxX550E to SOHO|tc

Posted on 2008-10-03
Last Modified: 2013-11-16
I am trying to create an IPSec tunnel between a Firebox X550E using the new Fireware interface to a SOHO|tc (not a 5 or 6).  I have found many documents online discussing the connections to a SOHO 5 and 6 box, but nothing to just a SOHO|tc.  The problem with setting up the SOHO|tc is that there is no Phase 1 settings, so I can't set it to match the X550E settings.  I REALLY need some help setting this up as my experience in this matter is limited.  Any help would be GREATLY appreciated.
Question by: Programgod

22 Comments
LVL 6

Expert Comment

by:DewFreak
Programgod - to start with both ends will need to have a static IP.  On the SOHO you need to create the manual gateway.  Click VPN and then click MANUAL VPN - Click ADD to add a gateway.  Phase 1 settings will be here.

Author Comment

by:Programgod
Thank you for the quick response.  :)
The internal company firewall (firebox x550e) has a static IP, but the remote location is using dyn-dns, which the x550e supports.  From what I understand from what I have read online, this configuration should be possible.  As for the Manual VPN page, there is not one that I can see.  I have attached screenshots of my main firewall page and the Remote Gateway page.  Hopefully this helps.
SOHOConfig.bmp
SOHOConfig2.bmp
LVL 6

Expert Comment

by:DewFreak
Yes, you can use a dynamic DNS provider but I try to stay away from those because it is something that is out of your control - anyway..you are running a SOHO version 5.0.29..the latest code for that box is 5.2.11.  I don't see any documentation on using that box without using a DVCP server or VPN manager with a headend device but I am sure it will work.   Is that your only option in the drop down "manual SOHO VPN"??

Author Comment

by:Programgod
The options in the drop-down are:
VPN Manager SOHO
VPN Manager Telecommuter
Manual SOHO VPN
Manual Telecommuter VPN

This was originally set up using DVCP with our old Firebox II 1200 (which is now dead).  We replaced it with the X550E with Watchguard telling us that they no longer support DVCP but we would still be able to get them to connect using BOVPN.  I have been trying for over a week, reading MANY documents online, but unfortunately not finding much help regarding the SOHO|tc.  Plenty on the new firewall and connecting to SOHO 5's and 6's, but they all show the Manual VPN page, which this one does not seem to have.  In this post I have included a ZIP file that contains the configuration of the X550E.
firebox.zip
LVL 6

Expert Comment

by:DewFreak
Can you get the latest firmware loaded on the SOHO?

Author Comment

by:Programgod
Well, that is the tricky part.  1) There are three of these SOHO boxes altogether and 2) none of them have support anymore.  My boss is pretty stubborn about not wanting to have to buy new ones.  Do you know if there is a way to get the latest firmware at no cost?  Legally?  :)
LVL 6

Expert Comment

by:DewFreak
Well. The latest code for those boxes is from 2003.  You should still be able to download it from WatchGuard if you have an account even if your LiveSecurity subscription is expired.

Author Comment

by:Programgod
Actually, I believe this is the correct software.  According to them it would seem that this is actually a SOHO 5 tc... or at least I hope so.  Is there a way to return back to the current firmware in case this is not the correct one?  Or will I break the firewall and not be able to use it anymore?
LVL 6

Expert Comment

by:DewFreak
Typically if the firmware was not compatible it would not load.  At this point with the age of the boxes you really don't have anything to lose.  From your screen shot you are running 5.0.29 code now (7 year old code).

Author Comment

by:Programgod
Do you know if this update will give me the option to set up 1) manual vpn and 2) phase 1 settings?
LVL 6

Accepted Solution

by: DewFreak (earned 500 total points)
I don't know that for a fact but that is what I am hoping.  I have found some threads in the WG forums about people using the 5TC hooking up with a newer X series and they were running the latest 5.2.11 firmware on the SOHO.

Author Comment

by:Programgod
Ok, now I am on the latest, it did actually give me a phase 1 section, and I remember reading somewhere that the phase 1 uses the same authentication and encryption that is set in phase 2.  I am still not connecting for some reason.  I made sure that all the settings are as close to the same as possible, but there is so much more that can be set in Fireware vs. the SOHO configuration.  The one that I know makes a big difference is the Diffie-Hellman group.  In Fireware I can choose between groups 1, 2 and 3.  On the SOHO configuration page it still did not give me an option to set it.  I also remember reading, in almost every place I checked, that ALL of the settings had to match or no connection would be established.  I have attached a picture of the new configuration page, the only change being I checked both PFS and IKE Keep Alive.
SOHOConfig2New.bmp

Author Comment

by:Programgod
Also, another thing that I noticed is that I am not seeing any kind of traffic from the SOHO IP address.  I am configuring the device from my home and I have the firewall plugged directly into my cable modem.  I am connected to the firewall and am able to get out to the Internet, so I know that it is "working" at least as far as allowing traffic.  I have been VPN'ing into the office using PPTP to connect to the system manager server.  I am checking the logs and the only traffic I see coming from the SOHO IP is the Allowed PPTP connection and the allowed HTTP traffic to experts exchange.  But I am not seeing any deny messages.  Is there something special that I have to do on the SOHO to force it to connect?  Shouldn't it automatically attempt when it is rebooted?  If so, shouldn't I see some kind of traffic, either allow or deny, coming from the SOHO IP?

Author Comment

by:Programgod
Ok, I feel kinda foolish now.  It would appear that my problem was that the 192.168 network was on the blocked IP list.  Once I removed that the VPN tunnel opened right up.  I really appreciate all the help you gave me and I will be awarding you full points.  Thanks for taking your time to assist me.

Author Closing Comment

by:Programgod
Ok, I feel kinda foolish now.  It would appear that my problem was that the 192.168 network was on the blocked IP list.  Once I removed that the VPN tunnel opened right up.  I really appreciate all the help you gave me and I will be awarding you full points.  Thanks for taking your time to assist me.

Sorry if this message was posted twice.
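The two things this thread turned on, that every Phase 1 / Phase 2 proposal parameter must match on both peers (the DH group question above) and that a remote network sitting on the headend's blocked-sites list silently kills the tunnel's traffic, can be checked before the tunnel is even brought up. The following is an added example written for this page; it is not code from the thread, from Fireware or from the SOHO firmware. The `Proposal` and `Peer` types, the `check_*` functions and the sample values (DH group 2 versus 1, `192.168.0.0/16` on the blocked list) are all constructed assumptions.

```python
"""Pre-flight consistency check for a manually configured IPSec (IKE) tunnel.

Added example, not WatchGuard code. Models two failure modes from the thread:
(1) peers need at least one identical Phase 1 and Phase 2 proposal (cipher,
integrity algorithm, Diffie-Hellman group) or no SA is negotiated;
(2) a remote tunnel network that overlaps the local blocked-sites list is
dropped even after the tunnel comes up. All names/values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "3DES" or "AES-128"
    integrity: str    # e.g. "SHA1" or "MD5"
    dh_group: int     # IKE Diffie-Hellman group; 0 means PFS off (Phase 2 only)
    lifetime_s: int   # SA lifetime in seconds


@dataclass
class Peer:
    name: str
    phase1: list[Proposal]
    phase2: list[Proposal]
    tunnel_nets: list[str]                                 # networks offered over the tunnel
    blocked_nets: list[str] = field(default_factory=list)  # local "blocked sites" entries


def _key(p: Proposal) -> tuple:
    # Lifetime is excluded from the strict match: peers usually settle on the
    # shorter value, so a lifetime difference is reported as a warning below.
    return (p.encryption, p.integrity, p.dh_group)


def _field_diffs(a: Proposal, b: Proposal) -> list[str]:
    """Name each strict parameter on which two proposals disagree."""
    return [f"{n}: {getattr(a, n)} vs {getattr(b, n)}"
            for n in ("encryption", "integrity", "dh_group")
            if getattr(a, n) != getattr(b, n)]


def check_phase(label: str, local: Peer, remote: Peer, attr: str) -> list[str]:
    """Findings for one IKE phase; an empty list means a common proposal exists."""
    mine, theirs = getattr(local, attr), getattr(remote, attr)
    if not mine or not theirs:
        return [f"{label}: a peer has no proposal configured"]
    findings = []
    shared = [(p, q) for p in mine for q in theirs if _key(p) == _key(q)]
    if not shared:
        # A device with one fixed proposal (the SOHO case) can only offer mine[0],
        # so explain the mismatch against the first proposal on each side.
        findings.append(f"{label}: no common proposal ({'; '.join(_field_diffs(mine[0], theirs[0]))})")
    for p, q in shared:
        if p.lifetime_s != q.lifetime_s:
            findings.append(f"{label}: lifetime differs ({p.lifetime_s}s vs {q.lifetime_s}s)")
    return findings


def check_blocked(local: Peer, remote: Peer) -> list[str]:
    """Flag remote tunnel networks that the local blocked-sites list would drop."""
    findings = []
    for net in remote.tunnel_nets:
        r = ipaddress.ip_network(net)
        for blocked in local.blocked_nets:
            if r.overlaps(ipaddress.ip_network(blocked)):
                findings.append(f"{local.name}: remote network {net} overlaps blocked entry {blocked}")
    return findings


def check_tunnel(local: Peer, remote: Peer) -> list[str]:
    """Run every check in both directions; an empty list means the config is consistent."""
    findings = check_phase("Phase 1", local, remote, "phase1")
    findings += check_phase("Phase 2", local, remote, "phase2")
    findings += check_blocked(local, remote)
    findings += check_blocked(remote, local)
    return findings


# Constructed sample: headend offers DH group 2 while the fixed branch proposal
# implies group 1, and a blocked entry on the headend covers the branch LAN.
HEADEND = Peer("x550e", phase1=[Proposal("3DES", "SHA1", 2, 28800)],
               phase2=[Proposal("3DES", "SHA1", 0, 28800)],
               tunnel_nets=["10.0.0.0/24"], blocked_nets=["192.168.0.0/16"])
BRANCH = Peer("soho", phase1=[Proposal("3DES", "SHA1", 1, 28800)],
              phase2=[Proposal("3DES", "SHA1", 0, 28800)],
              tunnel_nets=["192.168.10.0/24"])


def fixed_headend() -> Peer:
    """Same headend after matching DH group 1 and removing the blocked entry."""
    return Peer("x550e", phase1=[Proposal("3DES", "SHA1", 1, 28800)],
                phase2=[Proposal("3DES", "SHA1", 0, 28800)],
                tunnel_nets=["10.0.0.0/24"])


if __name__ == "__main__":
    for line in check_tunnel(HEADEND, BRANCH) or ["no findings"]:
        print(line)
    print("after fix:", check_tunnel(fixed_headend(), BRANCH) or "no findings")
```

Run as-is, the sample reports the Phase 1 DH-group mismatch and the blocked-list overlap; after the headend is corrected it reports nothing. A device that exposes no Phase 1 page (the original SOHO firmware) is modelled here as a single fixed `Proposal`, which is why the mismatch explanation compares the first proposal on each side.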
LVL 6

Expert Comment

by:DewFreak
No problem.  That is what this place is for.  Sometimes you just need to work through the problem!

Author Comment

by:Programgod
Now I have another interesting problem.  I don't know if I should start a new thread, but here it is.  The setup I was working on was for my boss's office.  However, I changed certain things to point to my location so that I can set up and test.  Once I had everything working I pointed that setup to my boss's IP and created a new gateway and tunnel to my location.  For some reason when I set it up this way I can't get connected again.  But if I change everything back to point to the gateway/tunnel that I was working with originally it starts working again.  Is there something special that I need to do in Fireware to allow this?

Author Comment

by:Programgod
Oh, and I have been seeing this a lot in the logs on the SOHO

"2008-10-04-12:12:08 MONITOR Received a packet for an unknown SA "
LVL 6

Expert Comment

by:DewFreak
Has the dynamic DNS updated to the new location?

Author Comment

by:Programgod
According to the firewall I am still on the same external IP

Author Comment

by:Programgod
The thing is that I am not seeing any traffic on the internal firewall.  The only traffic I see coming from my external IP is for PPTP.  I would have thought that I would have seen traffic going through the IPSec policies (with logging turned on) that I set up, or at least denied traffic (which WG tells me that fireware logs all denies, there is no option to shut it off anymore).  Any ideas?

Author Comment

by:Programgod
DewFreak, if you are still looking at any of these, can you check out my new post that I started.  It is dealing with pretty much the same issues, only now I am able to get it connected, but not with the Dynamic DNS name.  The message ID is 23798948.  Someone started to help me, but hasn't responded to me all day.  I am in URGENT need of resolving this issue and Watchguard doesn't seem to know how to fix their own product's issues.  The message title is "Does anyone know the default Phase 1 settings on a SOHO 5?".  Thanks in advance