Does anyone know the default Phase 1 settings on a SOHO 5?

Posted on 2008-10-08
Medium Priority
Last Modified: 2013-11-16
I have been working on creating an IPSec VPN tunnel between my office (firebox X550E) and my home (SOHO 5).  If I set the Phase 1 settings in my office to Aggressive, the connection is forced and the tunnel is created.  However, I have to manually connect every time when it is set up that way.  If I set office to "Main Mode" I keep getting an error on the firewall that says:

2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug
2008-10-08 15:09:45 iked Cannot process MM ID payload from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=552d2287 1723b34b r=191f04b5 7d31e79f msg_id="0203-5029"       Debug

So basically, from what I have read/understood from the very few others on the internet having the same problem, it has to do with my phase 1 settings not matching.  The problem is that on the SOHO 5 (version 5.2.11 of the firmware) there are only two checkboxes under Phase 1 on the gateway configuration.  Does anyone know what the default settings are for Phase 1 authentication/encryption and PFS?  Any help would be GREATLY appreciated.
Question by:Programgod

Expert Comment

ID: 22677371
The default settings on the SOHO for Phase 1 negotiations are DES, SHA1, and Diffie-Hellman group 1. These settings cannot be changed. PFS is part of phase II configuration; it is disabled.

Thank you.

Author Comment

ID: 22679211
Thank you for the response.  Just out of curiosity, do you have any experience setting up a connection between the new Fireware System Manager and a SOHO on 5.2.11 using Dynamic DNS?  If not, that's fine, thought I would at least ask.

Author Comment

ID: 22680925
Here is what I am seeing in the logs:

2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug
2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug
2008-10-09 13:05:19 iked Rejected QM first  message from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=edb5ffdb a0a512e8 r=69eb7384 3a10b53c msg_id="0203-5086"       Debug
2008-10-09 13:05:19 iked  Sending NO_PROPOSAL_CHOSEN message to XX.XX.XX.XX:500 msg_id="0203-5060"       Debug

I do not have the ability to set the DH to 0 on the X550E, so am I out of luck?
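Added here as an illustration (not code from the thread, from WatchGuard, or from either device): a small Python helper that encodes the SOHO 5 Phase 1/PFS defaults stated in the expert comment above, reports which settings differ from a second gateway's proposal, and maps the iked warnings quoted in this thread to the IKE setting each one implicates. The X550E configuration in the usage block is an assumed one (PFS on with DH group 1), constructed for illustration.

```python
import re

# Fixed SOHO 5 Phase 1 proposal and Phase 2 PFS setting as stated in the
# expert comment above; p2_pfs_dh_group 0 means PFS disabled.
SOHO5_DEFAULTS = {"p1_mode": "main", "p1_enc": "DES", "p1_hash": "SHA1",
                  "p1_dh_group": 1, "p2_pfs_dh_group": 0}

def compare_proposals(side_a, side_b):
    """Return (setting, a_value, b_value) for every setting that differs.
    An empty list means the two peers' proposals are compatible."""
    keys = sorted(set(side_a) | set(side_b))
    return [(k, side_a.get(k), side_b.get(k))
            for k in keys if side_a.get(k) != side_b.get(k)]

# Patterns for the iked warnings quoted in this thread, mapped to the
# IKE setting that the message implicates.
LOG_RULES = [
    (r"Rejected phase 2 PFS dh_group (\d+), expecting (\d+)", "p2_pfs_dh_group"),
    (r"Rejected phase 1 aggressive mode .*\(no matching policy\)", "p1_mode"),
    (r"Mismatched ID settings at peer", "p1_peer_id"),
    (r"no matching IPSec proposal", "p2_proposal"),
]

def classify_iked_line(line):
    """Map an iked log line to (implicated_setting, captured_values) or None."""
    for pattern, setting in LOG_RULES:
        m = re.search(pattern, line)
        if m:
            return setting, m.groups()
    return None

if __name__ == "__main__":
    # Log lines quoted from the thread (addresses already masked by the poster).
    sample = [
        '2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"',
        '2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"',
        '2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"',
    ]
    for line in sample:
        print(classify_iked_line(line))
    # Assumed (constructed) X550E gateway config: PFS enabled with DH group 1.
    x550e = dict(SOHO5_DEFAULTS, p2_pfs_dh_group=1)
    print(compare_proposals(SOHO5_DEFAULTS, x550e))
```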

Expert Comment

ID: 22684086
SOHO went EOL a long time back; I myself did not get much chance to work on the units; no, I have never created a VPN tunnel between a SOHO and the Fireware. I actually read some old documents which I happened to have, in which as a side note the phase I settings were mentioned.

You cannot set DH 0 on any device I think (not 100% sure); would it be possible for you to post a sanitized screenshot of the SOHO VPN configuration; please blur out all public IPs/usernames/passwords/hashes.

We can at least give a try one more time if fine with you.

Thank you.

Author Comment

ID: 22694951
Sorry for taking so long to respond.  I have been going crazy trying to set these wonderfully annoying devices up.  Well, since my last post I have talked with Watchguard several times.  In fact, they have given up on trying to figure out why we are not able to establish a connection between the firebox and the SOHO when pointing to the dynamic domain name.  Now we have licenses to set up a managed connection, but I am again having some issues.  Here is what the firebox (main office firewall) has in the logs:
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug

There are very few settings, on both sides, regarding connection mode, authentication and encryption.  From what I have read on the web this is supposed to be a nice and easy drag-and-drop VPN client manager.

The setup on the SOHO was rather simplistic (see attached SOHO1 & 2 JPGs).  There are two sections that I read needed to be set up: 1) the VPN Manager Access so that the main firebox can "manage" the SOHO and 2) the Remote Gateway needs to be set to managed.  Both have very few options and are set up really quickly.

The setup on the Firebox (main office) was quite different, and I had issues right from the start.  I entered the IP address and Status/Config passwords, but it said WSM could not connect to the device.  I created the device using the "I don't know the IP" option and created the VPN resource as the SOHO internal network range.  I did the same thing for the main office firebox (created device and vpn resource).  Then I created a managed VPN between the two.  (See all "firebox-" screenshots starting with firebox-Device.jpg).

Sorry for the length of this post, there is just so much information for what was explained to me as a nice and easy drag-and-drop VPN configuration.  Hopefully you will see something that I don't.  :)

Author Comment

ID: 22694970
Oh, and if you look at the firebox-EricOffice JPG you will see that it says "Type: Firebox SOHO6"... that's a lie, it's actually a SOHO|tc WG2500 (or WG2501 depending on the sticker you look at on the device).  From what I understand this is technically the SOHO 5.

Accepted Solution

dpk_wal earned 2000 total points
ID: 22700393
I do not think that SOHO5 is supported by the new Management server [read: new avatar of VPN Manager]; had you had VPN Manager [supported till versions 7.x] instead, I think there was hope.

As SOHO5 has been EOL for so long, I think that Management server does not have any support for this device type, and it is treating the device as SOHO6 instead; SOHO6 had far better configuration settings.

As evident from logs:
>> Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy)

the management server is trying to use aggressive mode for SOHO5 [as it got added as a dynamic device], whereas SOHO5 is configured for main mode for phase I; hence the tunnel would not come up.

As I said earlier I have not tried to configure a VPN between SOHO 5 and firebox X-peak myself; above comments are *what I think* rather than based on some concrete fact.

If it works without the management server then it does; I don't think with the management server it would work at all.

Thank you.

Author Closing Comment

ID: 31505768
I figured out what my problem was.  When I created the device for the internal firewall I did not realize that I had to, in the policy manager, set the firebox up as a managed client.  I deleted the managed VPN, deleted the device, set up the firebox to be a managed client and recreated everything.  I eventually did get the connection going, now the only thing is I have to figure out why I still can't access the company network.  But at least the connection is established, everything else is just rules and policies.  Thank you so much for even attempting to help me with this issue.  You deserve the points.


Expert Comment

ID: 22708353
Thank you for the points; and also for the post; it would be helpful for everyone attempting to use SOHO.
