Solved

Does anyone know the default Phase 1 settings on a SOHO 5?

Posted on 2008-10-08
Last Modified: 2013-11-16
I have been working on creating an IPSec VPN tunnel between my office (firebox X550E) and my home (SOHO 5).  If I set the Phase 1 settings in my office to Aggressive, the connection is forced and the tunnel is created.  However, I have to manually connect every time when it is set up that way.  If I set office to "Main Mode" I keep getting an error on the firewall that says:

2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug
2008-10-08 15:09:45 iked Cannot process MM ID payload from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=552d2287 1723b34b r=191f04b5 7d31e79f msg_id="0203-5029"       Debug

So basically, from what I have read/understood from very few others on the internet having the same problem is that it has to do with my phase 1 settings not matching.  The problem is that on the SOHO 5 (version 5.2.11 of the firmware) there are only two checkboxes under Phase 1 on the gateway configuration.  Does anyone know what the default settings are for Phase 1 authentication/encryption and pfs?  Any help would be GREATLY appreciated.
Question by:Programgod
9 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22677371
The default settings on the SOHO for Phase 1 negotiations are DES, SHA1, and Diffie-Hellman group 1. These settings cannot be changed. PFS is part of phase II configuration; it is disabled.

Thank you.
 

Author Comment

by:Programgod
ID: 22679211
Thank you for the response.  Just out of curiosity, do you have any experience setting up a connection between the new Fireware System Manager and a SOHO on 5.2.11 using Dynamic DNS?  If not, that's fine, thought I would at least ask.
 

Author Comment

by:Programgod
ID: 22680925
Here is what I am seeing in the logs:

2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug
2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug
2008-10-09 13:05:19 iked Rejected QM first  message from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=edb5ffdb a0a512e8 r=69eb7384 3a10b53c msg_id="0203-5086"       Debug
2008-10-09 13:05:19 iked  Sending NO_PROPOSAL_CHOSEN message to XX.XX.XX.XX:500 msg_id="0203-5060"       Debug

I do not have the ability to set the DH to 0 on the X550E, so am I out of luck?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22684086
SOHO was EOL a long time back; I myself did not get much chance to work on the units; no, I have never created a VPN tunnel between a SOHO and the fireware. I actually read some old documents which I happened to have, in which as a side note the phase I settings were mentioned.

You cannot set DH 0 on any device I think (not 100% sure); would it be possible for you to post a sanitized screenshot of SOHO VPN configuration; please blur out all public IPs/usernames/passwords/hashes.

We can at least give a try one more time if fine with you.

Thank you.
 

Author Comment

by:Programgod
ID: 22694951
Sorry for taking so long to respond.  I have been going crazy trying to set these wonderfully annoying devices up.  Well, since my last post I have talked with Watchguard several times.  In fact, they have given up on trying to figure out why we are not able to establish a connection between the firebox and the SOHO when pointing to the dynamic domain name.  Now we have licenses to set up a managed connection, but I am again having some issues.  Here is what the firebox (main office firewall) has in the logs:
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug

There are very few settings, on both sides, regarding connection mode, authentication and encryption.  From what I have read on the web this is supposed to be a nice and easy drag-and-drop VPN client manager.

The setup on the SOHO was rather simplistic (see attached SOHO1 & 2 JPGs).  There are two sections that I read needed to be set up: 1) the VPN Manager Access so that the main firebox can "manage" the SOHO and 2) the Remote Gateway needs to be set to managed.  Both have very few options and set up really quickly.

The setup on the Firebox (main office) was quite different, and I had issues right from the start.  I entered the IP address and Status/Config passwords, but it said WSM could not connect to the device.  I created the device using the "I don't know the IP" option and created the VPN resource as the SOHO internal network range.  I did the same thing for the main office firebox (created device and vpn resource).  Then I created a managed VPN between the two.  (See all "firebox-" screenshots starting with firebox-Device.jpg).

Sorry for the length of this post, there is just so much information for what was explained to me as a nice and easy drag-and-drop VPN configuration.  Hopefully you will see something that I don't.  :)
firebox-Device.jpg
firebox-EricOffice.jpg
firebox-NewDevice.jpg
firebox-NewDevice2.jpg
firebox-NewDevice3.jpg
firebox-NewDevice4.jpg
firebox-VPN.jpg
SOHO1.JPG
SOHO2.JPG
SOHO3.JPG
 

Author Comment

by:Programgod
ID: 22694970
Oh, and if you look at the firebox-EricOffice JPG you will see that it says "Type: Firebox SOHO6"... that's a lie, it's actually a SOHO|tc WG2500 (or WG2501 depending on the sticker you look at on the device).  From what I understand this is technically the SOHO 5.
 
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
ID: 22700393
I do not think that SOHO5 is supported by the new Management server [read new avatar of VPN Manager]; had you had VPN manager [supported till versions 7.x] instead I think there was hope.

As SOHO5 has been EOL for so long, I think that Management server does not have any support for this device type, and it is treating the device as SOHO6 instead; SOHO6 had far better configuration settings.

As evident from logs:
>> Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy)

management server is trying to use aggressive mode for SOHO5 [as it got added as dynamic device]; whereas SOHO5 is configured for main mode for phase I; hence the tunnel would not come up.

As I said earlier I have not tried to configure a VPN between SOHO 5 and firebox X-peak myself; above comments are *what I think* rather than based on some concrete fact.

If it works without management server then it does; don't think with management server it would work at all.

Thank you.
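The three sets of iked lines quoted in this thread (the Phase 1 ID mismatch in the question, the Phase 2 PFS rejection, and the aggressive-mode rejection) can be triaged mechanically rather than by eye. The following is an added example and is not code from the thread or from WatchGuard: it parses those posted lines (peer addresses already masked as in the thread), keys each one on its msg_id, and pulls the offered-versus-expected DH group out of the PFS line. The msg_id-to-cause table and the suggested actions are this example's own reading of the lines above, not WatchGuard documentation, and the SOHO 5 Phase 1 proposal it compares against is the fixed DES/SHA1/DH group 1, PFS-off set stated in the accepted answer.

```python
"""Triage of WatchGuard iked negotiation failures (added example, not from the thread).

SAMPLE_LOG holds the lines posted in this thread, addresses already masked.
MSG_ID_HINTS is an assumed mapping built from those lines, not from WatchGuard
documentation: the msg_id values are verbatim, the phase/cause/action columns
are this example's interpretation of the line text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = [
    '2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug',
    '2008-10-08 15:09:45 iked Cannot process MM ID payload from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=552d2287 1723b34b r=191f04b5 7d31e79f msg_id="0203-5029"       Debug',
    '2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug',
    '2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug',
    '2008-10-09 13:05:19 iked Rejected QM first  message from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=edb5ffdb a0a512e8 r=69eb7384 3a10b53c msg_id="0203-5086"       Debug',
    '2008-10-09 13:05:19 iked  Sending NO_PROPOSAL_CHOSEN message to XX.XX.XX.XX:500 msg_id="0203-5060"       Debug',
    '2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug',
]

# (phase, cause, suggested action) per msg_id. Assumed from the line text above.
MSG_ID_HINTS: Dict[str, tuple] = {
    "0203-5156": ("1", "peer ID mismatch", "check the Phase 1 ID type and value (IP vs. domain name) on both ends"),
    "0203-5029": ("1", "main-mode ID payload rejected", "consequence of the ID mismatch logged just before it"),
    "0205-5221": ("2", "PFS DH group mismatch", "align PFS with the peer"),
    "0205-5204": ("2", "no matching IPSec proposal", "align Phase 2 encryption/authentication/PFS with the peer"),
    "0203-5086": ("2", "quick-mode first message rejected", "consequence of the Phase 2 mismatch logged just before it"),
    "0203-5060": ("2", "NO_PROPOSAL_CHOSEN sent", "consequence of the Phase 2 mismatch logged just before it"),
    "0203-5040": ("1", "aggressive mode rejected, no matching policy", "no policy accepts aggressive mode from this peer; use main mode or add a policy for the dynamic peer"),
}

LOG_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) iked\s+(?P<text>.*?)\s*msg_id="(?P<msg_id>[0-9-]+)"')
PFS_RE = re.compile(r"Rejected phase 2 PFS dh_group (?P<got>\d+), expecting (?P<want>\d+)")

# Fixed SOHO 5 Phase 1 proposal as stated in the accepted answer; PFS is off (group 0).
SOHO5_PHASE1 = {"mode": "main", "encryption": "DES", "hash": "SHA1", "dh_group": 1}
SOHO5_PHASE2_PFS_GROUP = 0


@dataclass
class Finding:
    timestamp: str
    phase: str
    msg_id: str
    cause: str
    action: str


def parse_line(line: str) -> Optional[Finding]:
    """Turn one iked line into a Finding, or None if it is not an iked msg_id line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    msg_id = m.group("msg_id")
    phase, cause, action = MSG_ID_HINTS.get(msg_id, ("?", "unrecognised iked message", "inspect manually"))
    pfs = PFS_RE.search(m.group("text"))
    if pfs:  # pull the concrete groups out of the PFS line so the fix is explicit
        cause = f"PFS DH group mismatch: initiator offered group {pfs['got']}, peer expects {pfs['want']}"
        if pfs["want"] == "0":
            action = "turn PFS off on the initiator (dh_group 0 means no PFS)"
    return Finding(m.group("ts"), phase, msg_id, cause, action)


def triage(lines: List[str]) -> List[Finding]:
    """All recognised findings, in log order."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


def summarise(findings: List[Finding]) -> Dict[str, Finding]:
    """Earliest finding per phase: later lines in the same second are consequences."""
    first: Dict[str, Finding] = {}
    for f in findings:
        first.setdefault(f.phase, f)
    return first


def proposal_mismatches(local: dict, peer: dict) -> List[str]:
    """Keys whose values differ between two Phase 1 proposals, e.g. SOHO5_PHASE1 vs. a peer."""
    keys = sorted(set(local) | set(peer))
    return [f"{k}: local={local.get(k)} peer={peer.get(k)}" for k in keys if local.get(k) != peer.get(k)]


if __name__ == "__main__":
    for phase, f in sorted(summarise(triage(SAMPLE_LOG)).items()):
        print(f"phase {phase} root cause at {f.timestamp} [{f.msg_id}]: {f.cause} -> {f.action}")
    # Hypothetical X550E Phase 1 set to aggressive mode, everything else matching the SOHO.
    print(proposal_mismatches(SOHO5_PHASE1, {"mode": "aggressive", "encryption": "DES", "hash": "SHA1", "dh_group": 1}))
```

The summary picks the earliest line per phase as the root cause because the follow-on lines (MM ID payload rejected, QM rejected, NO_PROPOSAL_CHOSEN) all carry the same timestamp and are the gateway's reaction to the first mismatch; when adapting this to a live log, key on the peer address as well so interleaved peers do not get merged.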
 

Author Closing Comment

by:Programgod
ID: 31505768
I figured out what my problem was.  When I created the device for the internal firewall I did not realize that I had to, in the policy manager, set the firebox up as a managed client.  I deleted the managed VPN, deleted the device, set up the firebox to be a managed client and recreated everything.  I eventually did get the connection going, now the only thing is I have to figure out why I still can't access the company network.  But at least the connection is established, everything else is just rules and policies.  Thank you so much for even attempting to help me with this issue.  You deserve the points.

Thanks,
   Eric
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22708353
Thank you for the points; and also for the post; it would be helpful for everyone attempting to use SOHO.
