Solved

Watchguard Mobile VPN users connect but have no access.

Posted on 2009-05-06
Last Modified: 2013-11-16
Core 550 in drop-in mode with the mobile IPsec VPN client. The client connects, gets a virtual IP address from the Firebox, but cannot access any services allowed through the tunnel. For example, no one can ping the IP that is an allowed resource.

Here is the summary of my setup:

WMS, Fireware 10.2.8
Mobile VPN Client 10.10 Build 59
Authentication Server: Firebox-DB
Key Negotiation Type: Shared Secret

The VPN shows TX bytes transmitted, zero RX bytes. The log file looks OK to me.

Any thoughts appreciated.
5/5/2009 1:42:04 PM IPSec: Start building connection
5/5/2009 1:42:04 PM Ike: Outgoing connect request AGGRESSIVE mode - gateway=x.x.x.61 : mobile_vpn_users
5/5/2009 1:42:04 PM Ike: XMIT_MSG1_AGGRESSIVE - mobile_vpn_users
5/5/2009 1:42:04 PM Ike: RECV_MSG2_AGGRESSIVE - mobile_vpn_users
5/5/2009 1:42:04 PM IPSec: Final Tunnel EndPoint is:x.x.x.061
5/5/2009 1:42:04 PM Ike: IKE phase I: Setting LifeTime to 28800 seconds
5/5/2009 1:42:04 PM Ike: Turning on XAUTH mode - mobile_vpn_users
5/5/2009 1:42:04 PM Ike: IkeSa negotiated with the following properties -
5/5/2009 1:42:04 PM   Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
5/5/2009 1:42:04 PM Ike: mobile_vpn_users ->Support for NAT-T version - 2
5/5/2009 1:42:04 PM Ike: Turning on NATD mode - mobile_vpn_users - 1
5/5/2009 1:42:04 PM Ike: XMIT_MSG3_AGGRESSIVE - mobile_vpn_users
5/5/2009 1:42:04 PM Ike: IkeSa negotiated with the following properties -
5/5/2009 1:42:04 PM   Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
5/5/2009 1:42:04 PM Ike: Turning on DPD mode - mobile_vpn_users
5/5/2009 1:42:04 PM Ike: phase1:name(mobile_vpn_users) - connected
5/5/2009 1:42:04 PM SUCCESS: IKE phase 1 ready
5/5/2009 1:42:04 PM IPSec: Phase1 is Ready - IkeIndex=5
5/5/2009 1:42:04 PM IkeXauth: RECV_XAUTH_REQUEST
5/5/2009 1:42:04 PM IkeXauth: XMIT_XAUTH_REPLY
5/5/2009 1:42:05 PM IkeCfg: RECV_IKECFG_SET - mobile_vpn_users
5/5/2009 1:42:05 PM IkeCfg: XMIT_IKECFG_ACK - mobile_vpn_users
5/5/2009 1:42:05 PM IkeXauth: RECV_XAUTH_SET
5/5/2009 1:42:05 PM IkeXauth: XMIT_XAUTH_ACK
5/5/2009 1:42:05 PM IkeCfg: name <mobile_v> - IkeXauth: enter state open
5/5/2009 1:42:05 PM SUCCESS: Ike Extended Authentication is ready
5/5/2009 1:42:05 PM IPSec: Quick Mode is Ready: IkeIndex = 00000005 , VpnSrcPort = 4500
5/5/2009 1:42:05 PM IPSec: Assigned IP Address: x.x.x.52
5/5/2009 1:42:05 PM IPSec: DNS Server: x.x.x.46
5/5/2009 1:42:06 PM IkeQuick: XMIT_MSG1_QUICK - mobile_vpn_users
5/5/2009 1:42:06 PM IkeQuick: Received Notify(mobile_vpn_users) -> remote is reducing LifeTime to 28800
5/5/2009 1:42:06 PM IkeQuick: RECV_MSG2_QUICK - mobile_vpn_users
5/5/2009 1:42:06 PM IkeQuick: Turning on PFS mode(mobile_vpn_users) with group 1
5/5/2009 1:42:06 PM IkeQuick: XMIT_MSG3_QUICK - mobile_vpn_users
5/5/2009 1:42:06 PM IkeQuick: phase2:name(mobile_vpn_users) - connected
5/5/2009 1:42:06 PM SUCCESS: Ike phase 2 (quick mode) ready
5/5/2009 1:42:06 PM IPSec: Created an IPSEC SA with the following characteristics -
5/5/2009 1:42:06 PM   IpSrcRange=[x.x.x.52-x.x.x.52],IpDstRange=[x.x.x.46-x.x.x.46],IpProt=0,SrcPort=0,DstPort=0
5/5/2009 1:42:06 PM IPSec: connected: LifeDuration in Seconds = 20160 and in KiloBytes = 102400000
5/5/2009 1:42:06 PM IPSec: Connected to mobile_vpn_users on channel 1.
5/5/2009 1:42:06 PM PPP(Ipcp): connected to mobile_vpn_users with IP Address: x.x.x.052. : x.x.x.053.
5/5/2009 1:42:06 PM SUCCESS: IpSec connection ready
5/5/2009 1:42:17 PM SUCCESS: Link -> <mobile_vpn_users> IP address assigned to IP stack - link is operational.

Question by:DrewBryant1961
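As an added example (not part of the original post and not a WatchGuard tool), here is a small Python parser for the client log above. It pulls out the IKE mode and proposal, the phase results, the assigned virtual IP and the IPsec SA selectors, and then answers the question this thread turns on: is the resource the user cannot reach actually inside the negotiated selector? The sample log is constructed from the post, with the masked x.x.x.N octets replaced by 203.0.113.N; the target addresses passed to `diagnose` are likewise assumptions.

```python
"""Added example (not from the thread or WatchGuard): reduce a Mobile VPN
IPsec client log to the facts that matter when the tunnel comes up but no
traffic flows, and check whether the negotiated SA covers the resource.
The sample log is constructed from the post above with the masked
x.x.x.N octets replaced by 203.0.113.N (an assumption)."""
import re
from ipaddress import ip_address

# Constructed sample: a subset of the poster's log, addresses assumed.
SAMPLE_LOG = """\
5/5/2009 1:42:04 PM Ike: Outgoing connect request AGGRESSIVE mode - gateway=203.0.113.61 : mobile_vpn_users
5/5/2009 1:42:04 PM   Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
5/5/2009 1:42:04 PM SUCCESS: IKE phase 1 ready
5/5/2009 1:42:05 PM IPSec: Assigned IP Address: 203.0.113.52
5/5/2009 1:42:06 PM SUCCESS: Ike phase 2 (quick mode) ready
5/5/2009 1:42:06 PM   IpSrcRange=[203.0.113.52-203.0.113.52],IpDstRange=[203.0.113.46-203.0.113.46],IpProt=0,SrcPort=0,DstPort=0
5/5/2009 1:42:06 PM SUCCESS: IpSec connection ready
"""

_RE_MODE = re.compile(r"connect request (\w+) mode")
_RE_PROPS = re.compile(r"Authentication=(\w+),Encryption=(\w+),Hash=(\w+),DHGroup=(\d+)")
_RE_ASSIGNED = re.compile(r"Assigned IP Address: ([\d.]+)")
_RE_DST = re.compile(r"IpDstRange=\[([\d.]+)-([\d.]+)\]")


def parse_log(text):
    """Extract IKE mode/proposal, phase results, assigned IP and SA destination selectors."""
    s = {"mode": None, "auth": None, "encryption": None, "hash": None, "dh_group": None,
         "phase1_ready": False, "phase2_ready": False, "assigned_ip": None, "dst_ranges": []}
    for line in text.splitlines():
        if m := _RE_MODE.search(line):
            s["mode"] = m.group(1)
        if m := _RE_PROPS.search(line):
            s["auth"], s["encryption"], s["hash"] = m.group(1), m.group(2), m.group(3)
            s["dh_group"] = int(m.group(4))
        if "IKE phase 1 ready" in line:
            s["phase1_ready"] = True
        if "phase 2 (quick mode) ready" in line:
            s["phase2_ready"] = True
        if m := _RE_ASSIGNED.search(line):
            s["assigned_ip"] = m.group(1)
        for lo, hi in _RE_DST.findall(line):
            s["dst_ranges"].append((ip_address(lo), ip_address(hi)))
    return s


def sa_covers(summary, target):
    """True if some IPsec SA destination selector includes target.

    Packets to addresses outside every selector never enter the tunnel, so the
    client can show TX bytes and a 'connected' status while the far end never
    sees a packet to reply to: zero RX with a clean-looking log."""
    t = ip_address(target)
    return any(lo <= t <= hi for lo, hi in summary["dst_ranges"])


def weak_ike(summary):
    """Flag phase-1 settings a reviewer would want changed, from the proposal line."""
    findings = []
    if summary["mode"] == "AGGRESSIVE" and "PSK" in (summary["auth"] or ""):
        findings.append("aggressive mode with a pre-shared key sends the PSK-keyed hash "
                        "unencrypted, enabling offline dictionary attacks on the PSK")
    if summary["encryption"] == "DES3":
        findings.append("3DES is a 64-bit block cipher; prefer AES")
    if summary["dh_group"] is not None and summary["dh_group"] <= 2:
        findings.append(f"DH group {summary['dh_group']} is too small; use group 14 or larger")
    return findings


def diagnose(text, target):
    """One-line verdict for a log and the address the user cannot reach."""
    s = parse_log(text)
    if not (s["phase1_ready"] and s["phase2_ready"]):
        return "tunnel did not come up"
    if not sa_covers(s, target):
        return f"tunnel up but {target} is outside the SA selectors {s['dst_ranges']}"
    return f"tunnel up and {target} is inside an SA selector; look at return routing on the gateway side"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "203.0.113.46"))
    print(diagnose(SAMPLE_LOG, "203.0.113.47"))
    for f in weak_ike(parse_log(SAMPLE_LOG)):
        print("weak:", f)
```

The `IpDstRange=[x.x.x.46-x.x.x.46]` line is the one to read first in this log: the SA covers exactly one host, which matches a client profile set to a single IP with a /32 mask. Anything else on the LAN is outside the tunnel by design, and traffic to the one covered host still needs a working return path on the Firebox side, which is what the accepted answer ends up fixing. The `weak_ike` findings (aggressive mode with PSK, 3DES, DH group 1) are not the cause of the symptom but are what a reviewer would flag in this proposal today.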
12 Comments
Expert Comment by Rob Williams (LVL 77, ID: 24321881)
Two thoughts:
1) If the site from which the client is connecting uses the same subnet as the site to which they are connecting, such as both using something like 192.168.100.x, this will happen.
2) Many firewalls, including the Windows firewall, will create exceptions for certain services, but often only for the local subnet, so remote VPN clients, which are on a different subnet, are blocked. Try disabling any software firewalls that may be enabled on the resource to which you are trying to connect.
Author Comment by DrewBryant1961 (ID: 24324519)

Thanks for the reply.

1. I have tried this from 2 different networks; the same thing happens on both. The source network IP ranges differ from the destination network. Because the Watchguard is in drop-in mode, the destination IP network is public.

2. I have disabled/removed any firewall products that were running. The same events happen whether they were running or not.

I have tried using the Mobile VPN from 2 different desktops on 2 different (source) networks with 2 different versions of the Mobile VPN client. The default "Any" rule is enabled for Mobile VPN users; however, I added an explicit rule for pings and RDP connections. It made no difference.

I recreated the ipsec configuration and wgx profile on the Watchguard side; no change.

Expert Comment by Rob Williams (LVL 77, ID: 24324813)
Have a look at the link below. It is for the Netgear client, but it is the same SafeNet client as the Watchguard MUVPN. In the first screen shot under "ID type" any chance you have set this as an IP instead of a subnet? If so it will connect to that IP only. It should be set to subnet, and the last character set to '0' to represent 'any' device on that subnet assuming a LAN subnet mask of 255.255.255.0
http://www.lan-2-wan.com/vpns-netgear-sample1.htm
Author Comment by DrewBryant1961 (ID: 24326513)

It looks like that section refers to the allowed resources or allowed access on the remote network. The Watchguard 10.10 client is slightly different from the older Watchguard client in the sample.

It is set to an IP address rather than the entire subnet; all of the resources I'm trying to access are on that address.
Expert Comment by Rob Williams (LVL 77, ID: 24326627)
The only other thought I have: if it is a single IP, have you set the subnet mask to 255.255.255.255?
Author Comment by DrewBryant1961 (ID: 24327073)

Yes.
Accepted Solution by Rob Williams (LVL 77, earned 500 total points, ID: 24327095)
Hopefully others more familiar with the Watchguards will join in.
Author Comment by DrewBryant1961 (ID: 24327231)

I posted the same question on the Watchguard support forum. Another guy said he had something similar happening to him.

The key IMO is zero RX bytes with no firewall running on the client side.
Author Comment by DrewBryant1961 (ID: 24381169)
This is resolved.

When a Watchguard is in drop-in mode, in order to use the muvpn ipsec client you need to create a secondary private network on the interface you are connecting to. In my case, I was trying to access resources on the trusted (LAN) interface so I added 192.168.2.1/24 as a secondary network.

Add IP addresses on that network to the virtual IP address range and then import the updated profile to the Watchguard client.

Once all that is done the client can access machines on the LAN interface.

Thanks for your efforts.
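A small address-plan check for the fix above, as an added example (not the original poster's or WatchGuard's code). On a Firebox in drop-in mode the virtual IP pool is taken from a private secondary network added on the trusted interface, and that network must not collide with the drop-in network, the Firebox's own address, or the LAN a roaming client is sitting on (Rob's first point at the top of the thread). All addresses are assumptions: 203.0.113.0/24 stands in for the masked public drop-in network, 192.168.2.1/24 is the secondary network from the thread, and 192.168.1.0/24 is a typical home LAN on the client side.

```python
"""Added example (not the original poster's or WatchGuard's code): sanity-check
the Mobile VPN address plan the accepted answer arrives at. All addresses are
assumptions: 203.0.113.0/24 stands in for the masked public drop-in network,
192.168.2.1/24 is the secondary network from the thread, 192.168.1.0/24 a
typical home LAN on the client side."""
from ipaddress import ip_address, ip_interface, ip_network, summarize_address_range


def check_vpn_plan(drop_in_net, secondary_ifaces, pool_start, pool_end, remote_lans=()):
    """Return a list of problems with the plan; an empty list means it looks sane.

    drop_in_net      the (public) network the Firebox sits in transparently
    secondary_ifaces Firebox address/prefix of each secondary network, e.g. "192.168.2.1/24"
    pool_start/end   first and last virtual IP handed to Mobile VPN clients
    remote_lans      subnets clients are expected to connect from
    """
    problems = []
    drop_in = ip_network(drop_in_net, strict=False)
    secondaries = [ip_interface(s) for s in secondary_ifaces]
    remotes = [ip_network(r, strict=False) for r in remote_lans]
    start, end = ip_address(pool_start), ip_address(pool_end)
    if end < start:
        return [f"virtual IP pool end {end} is before start {start}"]
    # The pool is a range, not necessarily a CIDR block; split it into blocks.
    pool = list(summarize_address_range(start, end))

    for sec in secondaries:
        if sec.network.overlaps(drop_in):
            problems.append(f"secondary network {sec.network} overlaps the drop-in network {drop_in}")
        for r in remotes:
            if sec.network.overlaps(r):
                problems.append(f"secondary network {sec.network} overlaps client LAN {r}: "
                                "a client there routes LAN traffic locally, never into the tunnel")

    for block in pool:
        homes = [sec for sec in secondaries if block.subnet_of(sec.network)]
        if block.overlaps(drop_in):
            problems.append(f"virtual IP block {block} lies in the drop-in network {drop_in}: "
                            "take the pool from a secondary network instead")
        elif not homes:
            problems.append(f"virtual IP block {block} is not inside any secondary network "
                            "on the trusted interface")
        for sec in homes:
            if sec.ip in block:
                problems.append(f"virtual IP block {block} includes the Firebox's own address {sec.ip}")
            if sec.network.network_address in block or sec.network.broadcast_address in block:
                problems.append(f"virtual IP block {block} includes the network or broadcast "
                                f"address of {sec.network}")
        for r in remotes:
            if block.overlaps(r):
                problems.append(f"virtual IP block {block} overlaps client LAN {r}")
    return problems


# Before the fix: pool carved from the public drop-in network, no secondary network.
BEFORE = dict(drop_in_net="203.0.113.0/24", secondary_ifaces=[],
              pool_start="203.0.113.50", pool_end="203.0.113.59",
              remote_lans=["192.168.1.0/24"])

# After the fix from the accepted answer: pool taken from the secondary network.
AFTER = dict(drop_in_net="203.0.113.0/24", secondary_ifaces=["192.168.2.1/24"],
             pool_start="192.168.2.100", pool_end="192.168.2.119",
             remote_lans=["192.168.1.0/24"])


if __name__ == "__main__":
    for name, plan in (("before", BEFORE), ("after", AFTER)):
        problems = check_vpn_plan(**plan)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The `remote_lans` argument is the one people forget: a home router handing out the same 192.168.2.0/24 that the secondary network uses reproduces the "connected, zero RX" symptom even with a correct Firebox configuration, which is why the later replies from users on different access networks are worth reading with that in mind.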
Expert Comment by Rob Williams (LVL 77, ID: 24381220)
Glad to hear you were able to resolve.
Thank you DrewBryant1961 both for the points and posting your findings.
Cheers!
--Rob
Expert Comment by Rattlesnake (ID: 25854242)
ID: 25854242
Hi DrewBryant1961,
I have a question about your solution. I have the same problem. My notebook and workstation work fine with the MUVPN client. Only my workstation at home has trouble with the VPN client. No RX.
Do you add the private subnet to the untrusted interface or to the trusted interface as a secondary network? Must the subnet be the same as the subnet which is already working on my trusted interface?

Regards

Rattlesnake
Expert Comment by JMS-ITS (ID: 37338607)
ID: 37338607
Hi Rattlesnake,
I know this is a very old thread, but I have the same problem.
My laptop works fine with MUVPN via LAN at home, but with mobile broadband I can connect to the firewall but cannot get an RDP session or even a ping to the client in the office.

Regards

Joe