Solved

FireboxX550E to SOHO|tc

Posted on 2008-10-03
1,157 Views
Last Modified: 2013-11-16
I am trying to create an IPSec tunnel between a Firebox X550E using the new Fireware interface to a SOHO|tc (not a 5 or 6).  I have found many documents online discussing the connections to a SOHO 5 and 6 box, but nothing to just a SOHO|tc.  The problem with setting up the SOHO|tc is that there are no Phase 1 settings, so I can't set it to match the X550E settings.  I REALLY need some help setting this up as my experience in this matter is limited.  Any help would be GREATLY appreciated.
Question by:Programgod
22 Comments
 

Expert Comment

by:DewFreak
ID: 22638626
Programgod - to start with both ends will need to have a static IP.  On the SOHO you need to create the manual gateway.  Click VPN and then click MANUAL VPN - Click ADD to add a gateway.  Phase 1 settings will be here.

Author Comment

by:Programgod
ID: 22638745
Thank you for the quick response.  :)
The internal company firewall (firebox x550e) has a static IP, but the remote location is using dyn-dns, which the x550e supports.  From what I understand from what I have read online, this configuration should be possible.  As for the Manual VPN page, there is not one that I can see.  I have attached screenshots of my main firewall page and the Remote Gateway page.  Hopefully this helps.
SOHOConfig.bmp
SOHOConfig2.bmp

Expert Comment

by:DewFreak
ID: 22638842
Yes, you can use a dynamic DNS provider but I try to stay away from those because it is something that is out of your control - anyway... you are running a SOHO version 5.0.29.  The latest code for that box is 5.2.11.  I don't see any documentation on using that box without using a DVCP server or VPN manager with a headend device but I am sure it will work.   Is that your only option in the drop-down, "Manual SOHO VPN"??

Author Comment

by:Programgod
ID: 22639057
The options in the drop-down are:
VPN Manager SOHO
VPN Manager Telecommuter
Manual SOHO VPN
Manual Telecommuter VPN

This was originally set up using DVCP with our old Firebox II 1200 (which is now dead).  We replaced it with the X550E with Watchguard telling us that they no longer support DVCP but we would still be able to get them to connect using BOVPN.  I have been trying for over a week, reading MANY documents online, but unfortunately not finding much help regarding the SOHO|tc.  Plenty on the new firewall and connecting to SOHO 5's and 6's, but they all show the Manual VPN page, which this one does not seem to have.  In this post I have included a ZIP file that contains the configuration of the X550E.
firebox.zip

Expert Comment

by:DewFreak
ID: 22639079
Can you get the latest firmware loaded on the SOHO?

Author Comment

by:Programgod
ID: 22639089
Well, that is the tricky part.  1) There are three of these SOHO boxes altogether and 2) none of them have support anymore.  My boss is pretty stubborn about not wanting to have to buy new ones.  Do you know if there is a way to get the latest firmware at no cost?  Legally?  :)

Expert Comment

by:DewFreak
ID: 22639107
Well.  The latest code for those boxes is from 2003.  You should still be able to download it from WatchGuard if you have an account even if your LiveSecurity subscription is expired.

Author Comment

by:Programgod
ID: 22639133
Actually, I believe this is the correct software.  According to them it would seem that this is actually a SOHO 5 tc... or at least I hope so.  Is there a way to return back to the current firmware in case this is not the correct one?  Or will I break the firewall and not be able to use it anymore?

Expert Comment

by:DewFreak
ID: 22639173
Typically if the firmware was not compatible it would not load.  At this point with the age of the boxes you really don't have anything to lose.  From your screen shot you are running 5.0.29 code now (7 year old code).

Author Comment

by:Programgod
ID: 22639199
Do you know if this update will give me the option to set up 1) manual vpn and 2) phase 1 settings?

Accepted Solution

by:DewFreak (earned 2000 total points)
ID: 22639216
I don't know that for a fact but that is what I am hoping.  I have found some threads in the WG forums about people using the 5TC hooking up with a newer X series and they were running the latest 5.2.11 firmware on the SOHO.

Author Comment

by:Programgod
ID: 22639310
Ok, now I am on the latest, it did actually give me a phase 1 section, and I remember reading somewhere that the phase 1 uses the same authentication and encryption that is set in phase 2.  I am still not connecting for some reason.  I made sure that all the settings are as close to the same as possible, but there is so much more that can be set in Fireware vs. the SOHO configuration.  The one that I know makes a big difference is the Diffie-Hellman group.  In Fireware I can choose between groups 1, 2 and 3.  On the SOHO configuration page it still did not give me an option to set it.  I also remember reading, in almost every place I checked, that ALL of the settings had to match or no connection would be established.  I have attached a picture of the new configuration page, the only change being I checked both PFS and IKE Keep Alive.
SOHOConfig2New.bmp

Author Comment

by:Programgod
ID: 22639397
Also, another thing that I noticed is that I am not seeing any kind of traffic from the SOHO IP address.  I am configuring the device from my home and I have the firewall plugged directly into my cable modem.  I am connected to the firewall and am able to get out to the Internet, so I know that it is "working" at least as far as allowing traffic.  I have been VPN'ing into the office using PPTP to connect to the system manager server.  I am checking the logs and the only traffic I see coming from the SOHO IP is the Allowed PPTP connection and the allowed HTTP traffic to experts exchange.  But I am not seeing any deny messages.  Is there something special that I have to do on the SOHO to force it to connect?  Shouldn't it automatically attempt when it is rebooted?  If so, shouldn't I see some kind of traffic, either allow or deny, coming from the SOHO IP?

Author Comment

by:Programgod
ID: 22639735
Ok, I feel kinda foolish now.  It would appear that my problem was that the 192.168 network was on the blocked IP list.  Once I removed that the VPN tunnel opened right up.  I really appreciate all the help you gave me and I will be awarding you full points.  Thanks for taking your time to assist me.
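Two things decided the outcome above: Phase 1/Phase 2 proposals that could not be shown to match because the SOHO UI hides the Diffie-Hellman group, and a Blocked Sites entry on the Firebox that covered the remote 192.168 network. Both can be checked on paper before the first IKE exchange. The script below is an added example, not code from the thread or from WatchGuard: the proposal values, the peer address 203.0.113.10 and the remote LAN 192.168.1.0/24 are constructed, and the SOHO side deliberately leaves the DH group unset because the thread never establishes what its fixed default is.

```python
"""Pre-flight checks for a manual IPsec branch-office tunnel (added example).

Everything here is constructed for illustration; none of the values are
the real defaults of a Firebox or a SOHO.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase1:
    encryption: str          # e.g. "3DES", "AES-128"
    auth: str                # e.g. "SHA1", "MD5"
    dh_group: Optional[int]  # None: the UI does not expose it, value unknown
    sa_life_hours: int


@dataclass(frozen=True)
class Phase2:
    encryption: str
    auth: str
    pfs: bool                # Perfect Forward Secrecy on or off


def compare_phase1(local: Phase1, remote: Phase1) -> List[str]:
    """Return one finding per Phase 1 parameter that cannot be shown to match."""
    findings = []
    for name in ("encryption", "auth", "sa_life_hours"):
        lv, rv = getattr(local, name), getattr(remote, name)
        if lv != rv:
            findings.append(f"phase1 {name}: local={lv} remote={rv}")
    if local.dh_group is None or remote.dh_group is None:
        # One side cannot be configured; its fixed default must be confirmed
        # from vendor documentation or a debug log, not assumed.
        findings.append("phase1 dh_group: not exposed on one side; confirm its "
                        "fixed default before blaming the other settings")
    elif local.dh_group != remote.dh_group:
        findings.append(f"phase1 dh_group: local={local.dh_group} remote={remote.dh_group}")
    return findings


def compare_phase2(local: Phase2, remote: Phase2) -> List[str]:
    """Return one finding per Phase 2 parameter that differs."""
    return [
        f"phase2 {name}: local={getattr(local, name)} remote={getattr(remote, name)}"
        for name in ("encryption", "auth", "pfs")
        if getattr(local, name) != getattr(remote, name)
    ]


def blocked_site_conflicts(blocked_sites: List[str], remote_peer_ip: str,
                           remote_networks: List[str]) -> List[str]:
    """Flag Blocked Sites entries that would drop the peer's IKE packets or
    the decrypted traffic arriving from the remote private network."""
    blocked = [ipaddress.ip_network(b, strict=False) for b in blocked_sites]
    peer = ipaddress.ip_address(remote_peer_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in remote_networks]
    findings = []
    for b in blocked:
        if peer in b:
            findings.append(f"peer {peer} is inside blocked {b}: "
                            "its IKE packets are dropped before any policy")
        for n in nets:
            if n.overlaps(b):
                findings.append(f"tunnel network {n} overlaps blocked {b}: "
                                "traffic from it is dropped")
    return findings


def preflight(local_p1: Phase1, remote_p1: Phase1, local_p2: Phase2, remote_p2: Phase2,
              blocked_sites: List[str], remote_peer_ip: str,
              remote_networks: List[str]) -> List[str]:
    """All findings in one list; an empty list means nothing obvious is wrong."""
    return (compare_phase1(local_p1, remote_p1)
            + compare_phase2(local_p2, remote_p2)
            + blocked_site_conflicts(blocked_sites, remote_peer_ip, remote_networks))


# Constructed sample: a headend with everything exposed, a SOHO-style peer
# whose UI hides the DH group, and the blocked-sites entry from the thread.
HEADEND_P1 = Phase1("3DES", "SHA1", 2, 8)
SOHO_P1 = Phase1("3DES", "SHA1", None, 8)
HEADEND_P2 = Phase2("3DES", "SHA1", True)
SOHO_P2 = Phase2("3DES", "SHA1", True)
BLOCKED_SITES = ["192.168.0.0/16"]
REMOTE_PEER_IP = "203.0.113.10"       # RFC 5737 documentation address
REMOTE_NETWORKS = ["192.168.1.0/24"]  # the SOHO's LAN behind the tunnel

if __name__ == "__main__":
    for line in preflight(HEADEND_P1, SOHO_P1, HEADEND_P2, SOHO_P2,
                          BLOCKED_SITES, REMOTE_PEER_IP, REMOTE_NETWORKS):
        print("WARN", line)
```

Run as-is it reports two findings: the DH group that cannot be verified, and the overlap between 192.168.1.0/24 and the blocked 192.168.0.0/16. Removing the blocked entry clears the second; the first only goes away once the SOHO's fixed group is known and set on the Fireware side.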
 

Author Closing Comment

by:Programgod
ID: 31502943
Ok, I feel kinda foolish now.  It would appear that my problem was that the 192.168 network was on the blocked IP list.  Once I removed that the VPN tunnel opened right up.  I really appreciate all the help you gave me and I will be awarding you full points.  Thanks for taking your time to assist me.

Sorry if this message was posted twice.
0
 
LVL 6

Expert Comment

by:DewFreak
ID: 22641360
No problem.  That is what this place is for.  Sometimes you just need to work through the problem!

Author Comment

by:Programgod
ID: 22641603
Now I have another interesting problem.  I don't know if I should start a new thread, but here it is.  The setup I was working on was for my boss's office.  However, I changed certain things to point to my location so that I can set up and test.  Once I had everything working I pointed that setup to my boss's IP and created a new gateway and tunnel to my location.  For some reason when I set it up this way I can't get connected again.  But if I change everything back to point to the gateway/tunnel that I was working with originally it starts working again.  Is there something special that I need to do in Fireware to allow this?

Author Comment

by:Programgod
ID: 22641607
Oh, and I have been seeing this a lot in the logs on the SOHO

"2008-10-04-12:12:08 MONITOR Received a packet for an unknown SA "

Expert Comment

by:DewFreak
ID: 22641706
Has the dynamic DNS updated to the new location?

Author Comment

by:Programgod
ID: 22641866
According to the firewall I am still on the same external IP

Author Comment

by:Programgod
ID: 22641972
The thing is that I am not seeing any traffic on the internal firewall.  The only traffic I see coming from my external IP is for PPTP.  I would have thought that I would have seen traffic going through the IPSec policies (with logging turned on) that I set up, or at least denied traffic (which WG tells me that fireware logs all denies, there is no option to shut it off anymore).  Any ideas?

Author Comment

by:Programgod
ID: 22682663
DewFreak, if you are still looking at any of these, can you check out my new post that I started.  It is dealing with pretty much the same issues, only now I am able to get it connected, but not with the Dynamic DNS name.  The message ID is 23798948.  Someone started to help me, but hasn't responded to me all day.  I am in URGENT need of resolving this issue and Watchguard doesn't seem to know how to fix their own products issues.  The message title is "Does anyone know the default Phase 1 settings on a SOHO 5?".  Thanks in advance