Solved

Does anyone know the default Phase 1 settings on a SOHO 5?

Posted on 2008-10-08
3,798 Views
Last Modified: 2013-11-16
I have been working on creating an IPSec VPN tunnel between my office (Firebox X550E) and my home (SOHO 5).  If I set the Phase 1 settings in my office to Aggressive, the connection is forced and the tunnel is created.  However, I have to manually connect every time when it is set up that way.  If I set the office to "Main Mode" I keep getting an error on the firewall that says:

2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug
2008-10-08 15:09:45 iked Cannot process MM ID payload from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=552d2287 1723b34b r=191f04b5 7d31e79f msg_id="0203-5029"       Debug

So basically, from what I have read/understood from the very few others on the internet having the same problem, it has to do with my Phase 1 settings not matching.  The problem is that on the SOHO 5 (version 5.2.11 of the firmware) there are only two checkboxes under Phase 1 on the gateway configuration.  Does anyone know what the default settings are for Phase 1 authentication/encryption and PFS?  Any help would be GREATLY appreciated.
Question by:Programgod
LVL 32

Expert Comment

by:dpk_wal
ID: 22677371
The default settings on the SOHO for Phase 1 negotiations are DES, SHA1, and Diffie-Hellman group 1. These settings cannot be changed. PFS is part of phase II configuration; it is disabled.

Thank you.
Author Comment

by:Programgod
ID: 22679211
Thank you for the response.  Just out of curiosity, do you have any experience setting up a connection between the new Fireware System Manager and a SOHO on 5.2.11 using Dynamic DNS?  If not, that's fine, thought I would at least ask.
Author Comment

by:Programgod
ID: 22680925
Here is what I am seeing in the logs:

2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug
2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug
2008-10-09 13:05:19 iked Rejected QM first  message from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=edb5ffdb a0a512e8 r=69eb7384 3a10b53c msg_id="0203-5086"       Debug
2008-10-09 13:05:19 iked  Sending NO_PROPOSAL_CHOSEN message to XX.XX.XX.XX:500 msg_id="0203-5060"       Debug

I do not have the ability to set the DH to 0 on the X550E, so am I out of luck?
LVL 32

Expert Comment

by:dpk_wal
ID: 22684086
The SOHO went EOL a long time back; I myself did not get much chance to work on the units; no, I have never created a VPN tunnel between a SOHO and the Fireware. I actually read some old documents which I happened to have, in which as a side note the phase I settings were mentioned.

You cannot set DH 0 on any device I think (not 100% sure); would it be possible for you to post a sanitized screenshot of the SOHO VPN configuration? Please blur out all public IPs/usernames/passwords/hashes.

We can at least give a try one more time if fine with you.

Thank you.
Author Comment

by:Programgod
ID: 22694951
Sorry for taking so long to respond.  I have been going crazy trying to set these wonderfully annoying devices up.  Well, since my last post I have talked with Watchguard several times.  In fact, they have given up on trying to figure out why we are not able to establish a connection between the firebox and the SOHO when pointing to the dynamic domain name.  Now we have licenses to set up a managed connection, but I am again having some issues.  Here is what the firebox (main office firewall) has in the logs:
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug

There are very few settings, on both sides, regarding connection mode, authentication and encryption.  From what I have read on the web this is supposed to be a nice and easy drag-and-drop VPN client manager.

The setup on the SOHO was rather simplistic (see attached SOHO1 & 2 JPGs).  There are two sections that I read needed to be set up: 1) the VPN Manager Access so that the main Firebox can "manage" the SOHO and 2) the Remote Gateway needs to be set to managed.  Both have very few options and are set up really quickly.

The setup on the Firebox (main office) was quite different, and I had issues right from the start.  I entered the IP address and Status/Config passwords, but it said WSM could not connect to the device.  I created the device using the "I don't know the IP" option and created the VPN resource as the SOHO internal network range.  I did the same thing for the main office firebox (created device and vpn resource).  Then I created a managed VPN between the two.  (See all "firebox-" screenshots starting with firebox-Device.jpg).

Sorry for the length of this post, there is just so much information for what was explained to me as a nice and easy drag-and-drop VPN configuration.  Hopefully you will see something that I don't.  :)
firebox-Device.jpg
firebox-EricOffice.jpg
firebox-NewDevice.jpg
firebox-NewDevice2.jpg
firebox-NewDevice3.jpg
firebox-NewDevice4.jpg
firebox-VPN.jpg
SOHO1.JPG
SOHO2.JPG
SOHO3.JPG
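The three failures quoted in this thread (the Phase 1 "Mismatched ID settings" line in the question, the Phase 2 "Rejected phase 2 PFS dh_group 1, expecting 0" lines, and the "Rejected phase 1 aggressive mode ... (no matching policy)" line above) each point at one specific setting that differs between the two gateways. The following is an added example, not code from the thread or from WatchGuard: a small Python triage script that parses `iked` log lines of the shape quoted here, maps each known failure text to the setting that has to be reconciled, and compares a configuration dictionary for each side. The log lines are constructed copies of the ones quoted in the thread, the SOHO 5 defaults are the ones given in the accepted answer (DES, SHA1, DH group 1, PFS disabled), and the `X550E_SIDE` dictionary is an assumed configuration for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log: same shape as the iked lines quoted in the thread
# (public IPs masked as XX.XX.XX.XX by the poster); the last line is filler.
SAMPLE_LOG = """\
2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug
2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug
2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug
2008-10-11 11:44:09 iked Some unrelated informational line msg_id="0000-0000"       Debug
"""

# timestamp, optional WARNING prefix, free-text message, msg_id; trailing "Debug" is ignored
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) iked\s+'
    r'(?:(?P<level>WARNING):\s*)?(?P<msg>.*?)\s+msg_id="(?P<msg_id>[^"]+)"'
)

# Each rule: signature in the message text, a category, and the setting to compare
# on both gateways. Named groups in the signature are substituted into the hint.
RULES = [
    (re.compile(r'Mismatched ID settings'), 'phase1_id',
     'Phase 1 identity mismatch: compare local/remote ID type and value on both gateways'),
    (re.compile(r'Rejected phase 2 PFS dh_group (?P<got>\d+), expecting (?P<want>\d+)'), 'phase2_pfs',
     'Phase 2 PFS mismatch: peer offered DH group {got}, this side expects {want} (0 = PFS off)'),
    (re.compile(r'no matching IPSec proposal'), 'phase2_proposal',
     'Phase 2 proposal mismatch: compare ESP encryption/authentication and PFS on both sides'),
    (re.compile(r'Rejected phase 1 aggressive mode .*\(no matching policy\)'), 'phase1_mode',
     'Phase 1 exchange-mode mismatch: one side offers aggressive mode, the other only accepts main mode'),
]


@dataclass
class Finding:
    ts: str
    msg_id: str
    category: str
    hint: str


def parse_line(line):
    """Split one iked line into its fields; None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Attach a mismatch category and a hint to a parsed line."""
    rec = parse_line(line)
    if rec is None:
        return None
    for pat, cat, hint in RULES:
        hit = pat.search(rec['msg'])
        if hit:
            return Finding(rec['ts'], rec['msg_id'], cat, hint.format(**hit.groupdict()))
    return Finding(rec['ts'], rec['msg_id'], 'other', 'no known mismatch signature')


def diagnose(log_text):
    """Classify every parseable line of a log dump."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings):
    """Settings that need reconciling, ordered the way IKE negotiates them (Phase 1 first)."""
    order = ['phase1_mode', 'phase1_id', 'phase2_pfs', 'phase2_proposal']
    present = {f.category for f in findings}
    return [c for c in order if c in present]


# SOHO 5 fixed defaults as stated in the accepted answer; the X550E side is an
# assumed configuration with PFS turned on, which reproduces the "expecting 0" log.
SOHO5_DEFAULTS = {'phase1': {'enc': 'DES', 'auth': 'SHA1', 'dh_group': 1, 'mode': 'main'},
                  'phase2': {'pfs_dh_group': 0}}
X550E_SIDE = {'phase1': {'enc': 'DES', 'auth': 'SHA1', 'dh_group': 1, 'mode': 'main'},
              'phase2': {'pfs_dh_group': 1}}


def compare_gateways(local, remote):
    """Return (phase, setting, local value, remote value) for every setting that differs."""
    diffs = []
    for phase in ('phase1', 'phase2'):
        for key in sorted(set(local[phase]) | set(remote[phase])):
            a, b = local[phase].get(key), remote[phase].get(key)
            if a != b:
                diffs.append((phase, key, a, b))
    return diffs


if __name__ == '__main__':
    for f in diagnose(SAMPLE_LOG):
        print(f.ts, f.msg_id, f.category, '-', f.hint)
    print('reconcile:', summarize(diagnose(SAMPLE_LOG)))
    print('config diffs:', compare_gateways(SOHO5_DEFAULTS, X550E_SIDE))
```

Run against a real log dump, `summarize` lists the settings in negotiation order, which matters: a Phase 1 mode or identity mismatch has to be fixed before any Phase 2 PFS or proposal errors can even be observed, so a dump with both should be worked top to bottom. `compare_gateways` is the check to run before bringing a tunnel up: with the SOHO side fixed at the defaults given in the answer, the only value the other gateway can adjust is PFS, and the diff shows that directly.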

Author Comment

by:Programgod
ID: 22694970
Oh, and if you look at the firebox-EricOffice JPG you will see that it says "Type: Firebox SOHO6"... that's a lie, it's actually a SOHO|tc WG2500 (or WG2501 depending on the sticker you look at on the device).  From what I understand this is technically the SOHO 5.
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22700393
I do not think that SOHO5 is supported by the new Management server [read: new avatar of VPN Manager]; had you had VPN Manager [supported till versions 7.x] instead, I think there was hope.

As SOHO5 has been EOL for so long, I think that Management server does not have any support for this device type, and it is treating the device as SOHO6 instead; SOHO6 had far better configuration settings.

As evident from logs:
>> Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy)

Management server is trying to use aggressive mode for SOHO5 [as it got added as a dynamic device], whereas SOHO5 is configured for main mode for phase I; hence the tunnel would not come up.

As I said earlier I have not tried to configure a VPN between SOHO 5 and firebox X-peak myself; above comments are *what I think* rather than based on some concrete fact.

If it works without Management server then it does; I don't think with Management server it would work at all.

Thank you.
Author Closing Comment

by:Programgod
ID: 31505768
I figured out what my problem was.  When I created the device for the internal firewall I did not realize that I had to, in the policy manager, set the firebox up as a managed client.  I deleted the managed VPN, deleted the device, set up the firebox to be a managed client and recreated everything.  I eventually did get the connection going, now the only thing is I have to figure out why I still can't access the company network.  But at least the connection is established, everything else is just rules and policies.  Thank you so much for even attempting to help me with this issue.  You deserve the points.

Thanks,
   Eric
LVL 32

Expert Comment

by:dpk_wal
ID: 22708353
Thank you for the points; and also for the post; it would be helpful for everyone attempting to use SOHO.