  • Status: Solved
  • Priority: Medium
  • Security: Public
FireboxX550E to SOHO|tc

I am trying to create an IPSec tunnel between a Firebox X550E using the new Fireware interface to a SOHO|tc (not a 5 or 6).  I have found many documents online discussing the connections to a SOHO 5 and 6 box, but nothing to just a SOHO|tc.  The problem with setting up the SOHO|tc is that there is no Phase 1 settings, so I can't set it to match the X550E settings.  I REALLY need some help setting this up as my experience in this matter is limited.  Any help would be GREATLY appreciated.
Asked by: Programgod
1 Solution
 
DewFreak Commented:
Programgod - to start with both ends will need to have a static IP.  On the SOHO you need to create the manual gateway.  Click VPN and then click MANUAL VPN - Click ADD to add a gateway.  Phase 1 settings will be here.
0
 
Programgod (Author) Commented:
Thank you for the quick response.  :)
The internal company firewall (firebox x550e) has a static IP, but the remote location is using dyn-dns, which the x550e supports.  From what I understand from what I have read online, this configuration should be possible.  As for the Manual VPN page, there is not one that I can see.  I have attached screenshots of my main firewall page and the Remote Gateway page.  Hopefully this helps.
SOHOConfig.bmp
SOHOConfig2.bmp
0
 
DewFreak Commented:
Yes, you can use a dynamic DNS provider, but I try to stay away from those because it is something that is out of your control. Anyway, you are running SOHO version 5.0.29; the latest code for that box is 5.2.11.  I don't see any documentation on using that box without using a DVCP server or VPN Manager with a headend device, but I am sure it will work.   Is that your only option in the drop-down, "Manual SOHO VPN"?
0
 
Programgod (Author) Commented:
The options in the drop-down are:
VPN Manager SOHO
VPN Manager Telecommuter
Manual SOHO VPN
Manual Telecommuter VPN

This was originally set up using DVCP with our old Firebox II 1200 (which is now dead).  We replaced it with the X550E with Watchguard telling us that they no longer support DVCP but we would still be able to get them to connect using BOVPN.  I have been trying for over a week, reading MANY documents online, but unfortunately not finding much help regarding the SOHO|tc.  Plenty on the new firewall and connecting to SOHO 5's and 6's, but they all show the Manual VPN page, which this one does not seem to have.  In this post I have included a ZIP file that contains the configuration of the X550E.
firebox.zip
0
 
DewFreak Commented:
Can you get the latest firmware loaded on the SOHO?
0
 
Programgod (Author) Commented:
Well, that is the tricky part.  1) There are three of these SOHO boxes altogether and 2) none of them have support anymore.  My boss is pretty stubborn about not wanting to have to buy new ones.  Do you know if there is a way to get the latest firmware at no cost?  Legally?  :)
0
 
DewFreak Commented:
Well, the latest code for those boxes is from 2003.  You should still be able to download it from WatchGuard if you have an account, even if your LiveSecurity subscription is expired.
0
 
Programgod (Author) Commented:
Actually, I believe this is the correct software.  According to them it would seem that this is actually a SOHO 5 tc... or at least I hope so.  Is there a way to return back to the current firmware in case this is not the correct one?  Or will I break the firewall and not be able to use it anymore?
0
 
DewFreak Commented:
Typically if the firmware was not compatible it would not load.  At this point with the age of the boxes you really don't have anything to lose.  From your screen shot you are running 5.0.29 code now (7 year old code).
0
 
Programgod (Author) Commented:
Do you know if this update will give me the option to set up 1) manual vpn and 2) phase 1 settings?
0
 
DewFreak Commented:
I don't know that for a fact but that is what I am hoping.  I have found some threads in the WG forums about people using the 5TC hooking up with a newer X series and they were running the latest 5.2.11 firmware on the SOHO.
0
 
Programgod (Author) Commented:
Ok, now I am on the latest, it did actually give me a phase 1 section, and I remember reading somewhere that the phase 1 uses the same authentication and encryption that is set in phase 2.  I am still not connecting for some reason.  I made sure that all the settings are as close to the same as possible, but there is so much more that can be set in Fireware vs. the SOHO configuration.  The one that I know makes a big difference is the Diffie-Hellman group.  In Fireware I can choose between groups 1, 2 and 3.  On the SOHO configuration page it still did not give me an option to set it.  I also remember reading, in almost every place I checked, that ALL of the settings had to match or no connection would be established.  I have attached a picture of the new configuration page, the only change being I checked both PFS and IKE Keep Alive.
SOHOConfig2New.bmp
0
 
Programgod (Author) Commented:
Also, another thing that I noticed is that I am not seeing any kind of traffic from the SOHO IP address.  I am configuring the device from my home and I have the firewall plugged directly into my cable modem.  I am connected to the firewall and am able to get out to the Internet, so I know that it is "working" at least as far as allowing traffic.  I have been VPN'ing into the office using PPTP to connect to the system manager server.  I am checking the logs and the only traffic I see coming from the SOHO IP is the Allowed PPTP connection and the allowed HTTP traffic to experts exchange.  But I am not seeing any deny messages.  Is there something special that I have to do on the SOHO to force it to connect?  Shouldn't it automatically attempt when it is rebooted?  If so, shouldn't I see some kind of traffic, either allow or deny, coming from the SOHO IP?
0
 
Programgod (Author) Commented:
Ok, I feel kinda foolish now.  It would appear that my problem was that the 192.168 network was on the blocked IP list.  Once I removed that the VPN tunnel opened right up.  I really appreciate all the help you gave me and I will be awarding you full points.  Thanks for taking your time to assist me.
0
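The root cause in the post above, a blocked-sites entry covering the tunnel's remote network, is easy to check for before any Phase 1 or Phase 2 setting is touched. The script below is an added example, not part of the original thread, and its blocked-sites list and tunnel networks are constructed placeholders rather than the poster's real configuration:

```python
import ipaddress
from typing import Iterable

# Constructed sample, modelled on the thread: the Fireware "Blocked Sites"
# list contained an RFC 1918 range that the BOVPN remote network lives in.
BLOCKED_SITES = ["192.168.0.0/16", "10.0.0.0/8"]

# Constructed BOVPN tunnel routes (local network <-> remote network).
# The addresses are placeholders, not values from the page.
TUNNELS = [
    {"name": "boss-office", "local": "172.16.10.0/24", "remote": "192.168.1.0/24"},
    {"name": "home-test", "local": "172.16.10.0/24", "remote": "192.168.2.0/24"},
]


def find_blocked_tunnel_networks(blocked: Iterable[str],
                                 tunnels: Iterable[dict]) -> list:
    """Return (tunnel name, side, tunnel net, blocked net) for every tunnel
    network that overlaps an entry on the blocked-sites list.

    Packets from a blocked site are dropped before the IPsec policies are
    consulted, which is why no allow or deny lines for the peer appear in
    the policy logs: the only symptom is silence plus a tunnel that never
    comes up.
    """
    blocked_nets = [ipaddress.ip_network(b, strict=False) for b in blocked]
    hits = []
    for tunnel in tunnels:
        for side in ("local", "remote"):
            net = ipaddress.ip_network(tunnel[side], strict=False)
            for b in blocked_nets:
                if net.overlaps(b):
                    hits.append((tunnel["name"], side, str(net), str(b)))
    return hits


if __name__ == "__main__":
    for name, side, net, blocked in find_blocked_tunnel_networks(BLOCKED_SITES, TUNNELS):
        print(f"tunnel {name}: {side} network {net} is covered by blocked site {blocked}")
```

Run it against the exported blocked-sites list and tunnel routes from the firewall configuration; an empty result means the blocked list is not what is eating the peer's traffic, and the search can move on to the Phase 1/Phase 2 mismatch.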
 
DewFreak Commented:
No problem.  That is what this place is for.  Sometimes you just need to work through the problem!
0
 
Programgod (Author) Commented:
Now I have another interesting problem.  I don't know if I should start a new thread, but here it is.  The setup I was working on was for my boss's office.  However, I changed certain things to point to my location so that I can set up and test.  Once I had everything working I pointed that setup to my boss's IP and created a new gateway and tunnel to my location.  For some reason when I set it up this way I can't get connected again.  But if I change everything back to point to the gateway/tunnel that I was working with originally it starts working again.  Is there something special that I need to do in Fireware to allow this?
0
 
Programgod (Author) Commented:
Oh, and I have been seeing this a lot in the logs on the SOHO:

"2008-10-04-12:12:08 MONITOR Received a packet for an unknown SA "
0
 
DewFreak Commented:
Has the dynamic DNS updated to the new location?
0
 
Programgod (Author) Commented:
According to the firewall I am still on the same external IP.
0
 
Programgod (Author) Commented:
The thing is that I am not seeing any traffic on the internal firewall.  The only traffic I see coming from my external IP is for PPTP.  I would have thought that I would have seen traffic going through the IPSec policies (with logging turned on) that I set up, or at least denied traffic (which WG tells me that fireware logs all denies, there is no option to shut it off anymore).  Any ideas?
0
 
Programgod (Author) Commented:
DewFreak, if you are still looking at any of these, can you check out the new post that I started?  It is dealing with pretty much the same issues, only now I am able to get it connected, but not with the Dynamic DNS name.  The message ID is 23798948.  Someone started to help me, but hasn't responded to me all day.  I am in URGENT need of resolving this issue and WatchGuard doesn't seem to know how to fix their own products' issues.  The message title is "Does anyone know the default Phase 1 settings on a SOHO 5?".  Thanks in advance.
0