

Does anyone know the default Phase 1 settings on a SOHO 5?

Posted on 2008-10-08
Medium Priority
Last Modified: 2013-11-16
I have been working on creating an IPSec VPN tunnel between my office (firebox X550E) and my home (SOHO 5).  If I set the Phase 1 settings in my office to Aggressive, the connection is forced and the tunnel is created.  However, I have to manually connect every time when it is set up that way.  If I set office to "Main Mode" I keep getting an error on the firewall that says:

2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug
2008-10-08 15:09:45 iked Cannot process MM ID payload from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=552d2287 1723b34b r=191f04b5 7d31e79f msg_id="0203-5029"       Debug

So basically, from what I have read/understood from very few others on the internet having the same problem is that it has to do with my phase 1 settings not matching.  The problem is that on the SOHO 5 (version 5.2.11 of the firmware) there are only two checkboxes under Phase 1 on the gateway configuration.  Does anyone know what the default settings are for Phase 1 authentication/encryption and PFS?  Any help would be GREATLY appreciated.
Question by:Programgod
LVL 32

Expert Comment

ID: 22677371
The default settings on the SOHO for Phase 1 negotiations are DES, SHA1, and Diffie-Hellman group 1. These settings cannot be changed. PFS is part of phase II configuration; it is disabled.

Thank you.

Author Comment

ID: 22679211
Thank you for the response.  Just out of curiosity, do you have any experience setting up a connection between the new Fireware System Manager and a SOHO on 5.2.11 using Dynamic DNS?  If not, that's fine, thought I would at least ask.

Author Comment

ID: 22680925
Here is what I am seeing in the logs:

2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug
2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug
2008-10-09 13:05:19 iked Rejected QM first  message from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=edb5ffdb a0a512e8 r=69eb7384 3a10b53c msg_id="0203-5086"       Debug
2008-10-09 13:05:19 iked  Sending NO_PROPOSAL_CHOSEN message to XX.XX.XX.XX:500 msg_id="0203-5060"       Debug

I do not have the ability to set the DH to 0 on the X550E, so am I out of luck?

LVL 32

Expert Comment

ID: 22684086
SOHO was long time back EOL; I myself did not get much chance to work on the units; no, I have never created a VPN tunnel between a SOHO and the fireware. I actually read some old documents which I happened to have, in which as a side note the phase I settings were mentioned.

You cannot set DH 0 on any device I think (not 100% sure); would it be possible for you to post a sanitized screenshot of SOHO VPN configuration; please blur out all public IP/usernames/passwords/hashes.

We can at least give a try one more time if fine with you.

Thank you.

Author Comment

ID: 22694951
Sorry for taking so long to respond.  I have been going crazy trying to set these wonderfully annoying devices up.  Well, since my last post I have talked with Watchguard several times.  In fact, they have given up on trying to figure out why we are not able to establish a connection between the firebox and the SOHO when pointing to the dynamic domain name.  Now we have licenses to set up a managed connection, but I am again having some issues.  Here is what the firebox (main office firewall) has in the logs:
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug

There are very few settings, on both sides, regarding connection mode, authentication and encryption.  From what I have read on the web this is supposed to be a nice and easy drag-and-drop VPN client manager.

The setup on the SOHO was rather simplistic (see attached SOHO1 & 2 JPGs).  There are two sections that I read needed to be set up.  1) the VPN Manager Access so that the main firebox can "manage" the SOHO and 2) the Remote Gateway needs to be set to managed.  Both have very few options and set up really quickly.

The setup on the Firebox (main office) was quite different, and I had issues right from the start.  I entered the IP address and Status/Config passwords, but it said WSM could not connect to the device.  I created the device using the "I don't know the IP" option and created the VPN resource as the SOHO internal network range.  I did the same thing for the main office firebox (created device and vpn resource).  Then I created a managed VPN between the two.  (See all "firebox-" screenshots starting with firebox-Device.jpg).

Sorry for the length of this post, there is just so much information for what was explained to me as a nice and easy drag-and-drop VPN configuration.  Hopefully you will see something that I don't.  :)

Author Comment

ID: 22694970
Oh, and if you look at the firebox-EricOffice JPG you will see that it says "Type: Firebox SOHO6"... that's a lie, it's actually a SOHO|tc WG2500 (or WG2501 depending on the sticker you look at on the device).  From what I understand this is technically the SOHO 5.
LVL 32

Accepted Solution

dpk_wal earned 2000 total points
ID: 22700393
I do not think that SOHO5 is supported by the new Management server [read new avatar of VPN Manager]; had you had VPN manager [supported till versions 7.x] instead I think there was hope.

As SOHO5 have been EOL for so long, I think that Management server does not have any support for this device type; and it is treating the device as SOHO6 instead; SOHO6 had far better configuration settings.

As evident from logs:
>> Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy)

management server is trying to use aggressive mode for SOHO5 [as it got added as dynamic device]; whereas SOHO5 is configured for main mode for phase I; hence the tunnel would not come up.

As I said earlier I have not tried to configure a VPN between SOHO 5 and firebox X-peak myself; above comments are *what I think* rather than based on some concrete fact.

If it works without management server then it does; don't think with management server it would work at all.

Thank you.
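The thread's log excerpts show three distinct IKE failures (a Phase 1 ID mismatch, a Phase 2 PFS mismatch, and a rejected aggressive-mode attempt) that each point at a different setting to compare. The following triage script is an added example, not code from the thread or from WatchGuard: it keys on the `msg_id` values quoted above and reports the lowest failing phase first, since a Phase 1 failure blocks Phase 2 entirely. The sample log is constructed from the thread's lines with RFC 5737 addresses; the hint texts are my own reading of the messages.

```python
import re

# Added example: triage WatchGuard iked failure lines by the msg_id values seen in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) iked\s+(?:WARNING:\s*)?(?P<text>.*?)\s*msg_id="(?P<msg_id>[\d-]+)"'
)
PEER_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
PFS_RE = re.compile(r'PFS dh_group (\d+), expecting (\d+)')

# msg_id values quoted in the thread, mapped to the phase and the setting to compare (my wording).
HINTS = {
    "0203-5156": (1, "peer ID type/value differs between the two gateways"),
    "0203-5029": (1, "main-mode ID payload rejected; compare Phase 1 mode and ID settings"),
    "0203-5040": (1, "aggressive mode received but no local policy accepts it; compare Phase 1 exchange mode"),
    "0205-5221": (2, "PFS mismatch; dh_group 0 means PFS is disabled on that side"),
    "0205-5204": (2, "no matching IPSec proposal; compare ESP cipher/auth and PFS"),
    "0203-5086": (2, "quick-mode message rejected, a consequence of the proposal mismatch"),
}

def parse_line(line):
    """Return a dict for a recognised iked failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["msg_id"] not in HINTS:
        return None
    phase, hint = HINTS[m["msg_id"]]
    peer = PEER_RE.search(m["text"])
    pfs = PFS_RE.search(m["text"])
    return {
        "ts": m["ts"], "msg_id": m["msg_id"], "phase": phase,
        "peer": peer.group(1) if peer else None, "hint": hint,
        # For the PFS warning, record (group the peer sent, group we expect).
        "pfs": (int(pfs.group(1)), int(pfs.group(2))) if pfs else None,
    }

def triage(log_text):
    """Parse all lines and report the earliest phase that failed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # A Phase 1 failure blocks Phase 2 entirely, so fix Phase 1 first.
    lowest = min((e["phase"] for e in events), default=None)
    first = next((e for e in events if e["phase"] == lowest), None)
    return {"events": events, "fix_first": lowest,
            "hint": first["hint"] if first else "no IKE failure found"}

# Constructed sample modelled on the lines quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"
2008-10-09 13:05:19 iked Peer 203.0.113.5 phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from 203.0.113.5 to 198.51.100.9 (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"
"""
```

Run `triage(SAMPLE_LOG)` on the sample, or feed it a real iked log: the trailing `Debug` column on the firebox lines is ignored by the parser.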

Author Closing Comment

ID: 31505768
I figured out what my problem was.  When I created the device for the internal firewall I did not realize that I had to, in the policy manager, set the firebox up as a managed client.  I deleted the managed VPN, deleted the device, set up the firebox to be a managed client and recreated everything.  I eventually did get the connection going, now the only thing is I have to figure out why I still can't access the company network.  But at least the connection is established, everything else is just rules and policies.  Thank you so much for even attempting to help me with this issue.  You deserve the points.

LVL 32

Expert Comment

ID: 22708353
Thank you for the points; and also for the post; it would be helpful for everyone attempting to use SOHO.
