Does anyone know the default Phase 1 settings on a SOHO 5?

I have been working on creating an IPSec VPN tunnel between my office (firebox X550E) and my home (SOHO 5). If I set the Phase 1 settings in my office to Aggressive, the connection is forced and the tunnel is created. However, I have to manually connect every time when it is set up that way. If I set office to "Main Mode" I keep getting an error on the firewall that says:

2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer XX.XX.XX.XX:500 caused an authentication failure msg_id="0203-5156"       Debug
2008-10-08 15:09:45 iked Cannot process MM ID payload from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=552d2287 1723b34b r=191f04b5 7d31e79f msg_id="0203-5029"       Debug

So basically, from what I have read/understood from the very few others on the internet having the same problem, it has to do with my Phase 1 settings not matching. The problem is that on the SOHO 5 (version 5.2.11 of the firmware) there are only two checkboxes under Phase 1 on the gateway configuration. Does anyone know what the default settings are for Phase 1 authentication/encryption and PFS? Any help would be GREATLY appreciated.

dpk_wal Commented:
I do not think that SOHO5 is supported by the new Management server [read: new avatar of VPN Manager]; had you had VPN Manager [supported till versions 7.x] instead, I think there was hope.

As SOHO5 has been EOL for so long, I think that Management server does not have any support for this device type, and it is treating the device as SOHO6 instead; SOHO6 had far better configuration settings.

As evident from logs:
>> Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy)

Management server is trying to use aggressive mode for SOHO5 [as it got added as a dynamic device], whereas SOHO5 is configured for main mode for Phase I; hence the tunnel would not come up.

As I said earlier I have not tried to configure a VPN between SOHO 5 and firebox X-peak myself; above comments are *what I think* rather than based on some concrete fact.

If it works without Management server then it does; I don't think with Management server it would work at all.

Thank you.
The default settings on the SOHO for Phase 1 negotiations are DES, SHA1, and Diffie-Hellman group 1. These settings cannot be changed. PFS is part of Phase II configuration; it is disabled.

Thank you.
ProgramgodAuthor Commented:
Thank you for the response. Just out of curiosity, do you have any experience setting up a connection between the new Fireware System Manager and a SOHO on 5.2.11 using Dynamic DNS? If not, that's fine, thought I would at least ask.

ProgramgodAuthor Commented:
Here is what I am seeing in the logs:

2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"       Debug
2008-10-09 13:05:19 iked Peer XX.XX.XX.XX phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"       Debug
2008-10-09 13:05:19 iked Rejected QM first  message from XX.XX.XX.XX:500 to XX.XX.XX.XX cookies i=edb5ffdb a0a512e8 r=69eb7384 3a10b53c msg_id="0203-5086"       Debug
2008-10-09 13:05:19 iked  Sending NO_PROPOSAL_CHOSEN message to XX.XX.XX.XX:500 msg_id="0203-5060"       Debug

I do not have the ability to set the DH to 0 on the X550E, so am I out of luck?
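As an added example (not from anyone in this thread), the following Python script classifies the iked failure messages quoted above by their msg_id and compares the SOHO 5 fixed Phase 1/Phase 2 values stated earlier against an assumed X550E configuration, so a mismatch such as the PFS one in these logs is flagged before the tunnel is retried. The log lines and the FIREBOX dictionary are constructed for the example; the msg_ids and SOHO defaults are the ones given in the thread.

```python
import re

# Constructed sample lines, patterned on the iked messages quoted in this thread
# (peer addresses replaced with documentation ranges).
SAMPLE_LOG = """\
2008-10-08 15:09:45 iked WARNING: Mismatched ID settings at peer 192.0.2.10:500 caused an authentication failure msg_id="0203-5156"
2008-10-09 13:05:19 iked WARNING: Rejected phase 2 PFS dh_group 1, expecting 0 msg_id="0205-5221"
2008-10-09 13:05:19 iked Peer 192.0.2.10 phase 2 negotiation failed because there is no matching IPSec proposal msg_id="0205-5204"
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from 192.0.2.10 to 198.51.100.1 (no matching policy) msg_id="0203-5040"
2008-10-11 11:44:09 iked Sending NO_PROPOSAL_CHOSEN message to 192.0.2.10:500 msg_id="0203-5060"
"""

# msg_id -> (IKE phase, what the two gateways disagree on). Only ids seen in the thread.
KNOWN = {
    "0203-5156": (1, "peer ID type/value"),
    "0203-5040": (1, "exchange mode (aggressive vs main)"),
    "0205-5221": (2, "PFS setting"),
    "0205-5204": (2, "IPsec proposal"),
    "0203-5060": (2, "proposal rejected (NO_PROPOSAL_CHOSEN sent)"),
}

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) iked .*msg_id="(?P<id>[\d-]+)"')
PEER_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def diagnose(log_text):
    """Return one (timestamp, phase, peer, cause) tuple per recognised iked failure."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("id") not in KNOWN:
            continue
        phase, cause = KNOWN[m.group("id")]
        peer = PEER_RE.search(line)  # first address on the line, None if there is none
        findings.append((m.group("ts"), phase, peer.group(1) if peer else None, cause))
    return findings

# SOHO 5 fixed values as stated in the thread; FIREBOX is an assumed X550E config
# (hypothetical) in which PFS was left on with DH group 1, as the logs above suggest.
SOHO5 = {"p1_enc": "DES", "p1_hash": "SHA1", "p1_dh": 1, "p2_pfs": None}
FIREBOX = {"p1_enc": "DES", "p1_hash": "SHA1", "p1_dh": 1, "p2_pfs": 1}

def mismatches(local, remote):
    """Fields where the two gateways' proposals differ; an empty list means they agree."""
    return sorted(k for k in local if local[k] != remote.get(k))

if __name__ == "__main__":
    for ts, phase, peer, cause in diagnose(SAMPLE_LOG):
        print(f"{ts} phase {phase} peer={peer}: {cause}")
    print("proposal mismatches:", mismatches(FIREBOX, SOHO5))
```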
SOHO was EOL a long time back; I myself did not get much chance to work on the units; no, I have never created a VPN tunnel between a SOHO and the Fireware. I actually read some old documents which I happened to have, in which as a side note the Phase I settings were mentioned.

You cannot set DH 0 on any device I think (not 100% sure); would it be possible for you to post a sanitized screenshot of the SOHO VPN configuration? Please blur out all public IPs/usernames/passwords/hashes.

We can at least give it a try one more time if that is fine with you.

Thank you.
ProgramgodAuthor Commented:
Sorry for taking so long to respond. I have been going crazy trying to set these wonderfully annoying devices up. Well, since my last post I have talked with Watchguard several times. In fact, they have given up on trying to figure out why we are not able to establish a connection between the firebox and the SOHO when pointing to the dynamic domain name. Now we have licenses to set up a managed connection, but I am again having some issues. Here is what the firebox (main office firewall) has in the logs:
2008-10-11 11:44:08 iked WARNING: Rejected phase 1 aggressive mode from XX.XX.XX.XX to XX.XX.XX.XX (no matching policy) cookies i=5acfe164 718905dd r=00000000 00000000 msg_id="0203-5040"       Debug

There are very few settings, on both sides, regarding connection mode, authentication and encryption. From what I have read on the web this is supposed to be a nice and easy drag-and-drop VPN client manager.

The setup on the SOHO was rather simplistic (see attached SOHO1 & 2 JPGs). There are two sections that I read needed to be set up: 1) the VPN Manager Access so that the main firebox can "manage" the SOHO and 2) the Remote Gateway needs to be set to managed. Both have very few options and are set up really quickly.

The setup on the Firebox (main office) was quite different, and I had issues right from the start. I entered the IP address and Status/Config passwords, but it said WSM could not connect to the device. I created the device using the "I don't know the IP" option and created the VPN resource as the SOHO internal network range. I did the same thing for the main office firebox (created device and VPN resource). Then I created a managed VPN between the two. (See all "firebox-" screenshots starting with firebox-Device.jpg).

Sorry for the length of this post; there is just so much information for what was explained to me as a nice and easy drag-and-drop VPN configuration. Hopefully you will see something that I don't. :)
ProgramgodAuthor Commented:
Oh, and if you look at the firebox-EricOffice JPG you will see that it says "Type: Firebox SOHO6"... that's a lie, it's actually a SOHO|tc WG2500 (or WG2501 depending on the sticker you look at on the device). From what I understand this is technically the SOHO 5.
ProgramgodAuthor Commented:
I figured out what my problem was. When I created the device for the internal firewall I did not realize that I had to, in the Policy Manager, set the firebox up as a managed client. I deleted the managed VPN, deleted the device, set up the firebox to be a managed client and recreated everything. I eventually did get the connection going; now the only thing is I have to figure out why I still can't access the company network. But at least the connection is established, everything else is just rules and policies. Thank you so much for even attempting to help me with this issue. You deserve the points.

Thank you for the points, and also for the post; it would be helpful for everyone attempting to use SOHO.