  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3424

IPSEC VPN won't connect

Having issues connecting IPSEC VPN from my office over our primary WAN, secondary WAN is working fine, but is slower.  My working tunnel is up over a CradlePoint ARC MBR 1400 using a Verizon aircard, bridged to a Watchguard Firebox X550e on X3 interface and the other endpoint is a Sonicwall.  The non-working tunnel is over a Netgear CG3000DCR cable gateway on Comcast cable, bridged to the Watchguard's X0 interface.  Both internet connections work fine in WAN failover with Comcast primary, but the VPN fails over to the secondary Verizon connection.  The Sonicwall endpoint on the other side is set up so that its tunnel uses the Comcast IP as the primary and the Verizon IP as the secondary, and the same for the Firebox.  If I disconnect the Verizon to try to force the VPN to bring the tunnel up on the Comcast primary WAN the SonicWall logs show an IKE initiator IKE timeout message repeated.  I have confirmed that Phase 1 and Phase 2 match on both ends.  I also checked with Comcast and they tell me the device is bridged, so that connections sent to the static IP assigned in the Firebox effectively bypass the Netgear's firewall for their True Static IP range.  Any help would be appreciated.
0
Asked by: IT Guy
1 Solution
 
John Hurst, Business Consultant (Owner), commented:
You are trying to VPN through one device bridged to the second device. Did I read that correctly?

Then you are double NAT'ing and most VPN connections will fail.

On Site to Site, I enable NAT Traversal. That is normally down in Additional Settings. Try that.

For Client to Site, you need an application that can do NAT Traversal. The only one I know that does this effectively is NCP Secure Entry (www.ncp-e.com). That is what I use.

.... Thinkpads_User
0
 
Chris H, IT Director, commented:
Can you post your IKE session from your system manager traffic monitor?  

From the sound of it, it sounds like your Watchguard is blocking the VPN host.  Try adding the Sonicwall's IP to the blocked site exceptions list.

Also, make sure you have dead peer detection and NAT Traversal enabled on the Watchguard gateway for that VPN tunnel.  Try setting from MAIN mode to MAIN FAILOVER TO AGGRESSIVE also, to see if it initiates.
0
 
IT Guy, Senior Engineer (Author), commented:
Traffic Monitor logs below.  Dead peer detection and NAT Traversal are enabled in the WG and the mode is set to MAIN FAILOVER TO AGGRESSIVE.  The tunnel is currently configured with a primary and secondary gateway on both ends; effectively it looks to use the identical config on both except for a different gateway, and on the WG it specifies which interface to use also to match the local gateway.  The SW only has 1 WAN connection, which keeps that simple.  With the primary as the VZW it works fine, with the secondary as VZW it fails over from the Comcast to the VZW.  IIRC, the NAT Traversal may be disabled on the SW, but it had been previously over the working VZW connection, though I'll be the first to admit I'm sure the devices don't work exactly the same.  Also, the ISP says with a static it removes the firewall functionality of the Netgear in front, and does not claim to block IPSEC traffic.

2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:50:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:50:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:50:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:50:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:51:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:51:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:51:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:51:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:51:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:52:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:52:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:52:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:52:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:53:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:53:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:53:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:53:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:54:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:54:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:54:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:54:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:55:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:55:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:59 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:55:59 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:55:59 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:55:59 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:55:59 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:55:59 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:56:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:56:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:56:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:56:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:57:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:57:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:57:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:57:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:59:04 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:59:04 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:59:04 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:59:04 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:00:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:00:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:41 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:00:41 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:00:41 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:00:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:00:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:00:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:01:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:01:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:01:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:01:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:02:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:02:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:02:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:02:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:03:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:03:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:03:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:03:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:04:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:04:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:04:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:04:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:05:12 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:05:12 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:05:12 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:05:12 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:05:12 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:05:12 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:05:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:05:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:05:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:05:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:06:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:06:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:06:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:06:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:07:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:07:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:07:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:08:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:08:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:08:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:08:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:08:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:08:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:09:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:09:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:09:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:09:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:09:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:09:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:10:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:10:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:10:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:10:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:10:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:10:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:10:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:10:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:10:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:10:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:10:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:10:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
0
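The traffic-monitor excerpt above can be triaged mechanically rather than read line by line. The following Python is an added example, not code from the thread or from WatchGuard: it parses lines in the posted format, counts the two iked failure signatures that appear there, pulls out the gateway name from ikePcyName(...), and notes that both signatures come from Quick Mode, which is IKEv1 Phase 2, so they only occur once Phase 1 has completed. The sample lines are constructed from the entries posted above, and the reading given for each signature is the editor's, not vendor documentation.

```python
import re
from collections import Counter

# Constructed sample lines in the WatchGuard traffic-monitor format seen in the thread
SAMPLE_LOG = """\
2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
"""
# timestamp, process name, free-text message, trailing log level
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+) (?P<msg>.*?)\s+(?P<level>\w+)\s*$"
)
GATEWAY_RE = re.compile(r"ikePcyName\(([^)]*)\)")
# Failure signatures taken from the posted log, with a defender's reading of each (editor's, not vendor text).
# Quick Mode is IKEv1 Phase 2, so any of these means Phase 1 already completed with this peer.
SIGNATURES = {
    "qm_policy_lookup": ("failed to get policy by ID payload",
        "Phase 2: peer's ID payload matched no local ipsecPolicy (check tunnel networks and gateway pairing)"),
    "qm_payload_check": ("next should be SA payload (QM)",
        "Phase 2: first Quick Mode message carried no SA payload where one was expected"),
}

def parse_line(line):
    """Split one traffic-monitor line into ts/proc/msg/level; None if not in that format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the signature key matching an iked entry, or None for anything else."""
    if entry["proc"] != "iked":
        return None
    for key, (needle, _) in SIGNATURES.items():
        if needle in entry["msg"]:
            return key
    return None

def summarize(log_text):
    """Count each failure signature, collect gateway names, and flag whether Phase 1 completed."""
    counts, gateways, attempts = Counter(), set(), set()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        key = classify(entry)
        if key:
            counts[key] += 1
            attempts.add(entry["ts"])  # one failed negotiation per timestamp
        gateways.update(GATEWAY_RE.findall(entry["msg"]))
    return {
        "counts": dict(counts),
        "gateways": sorted(gateways),
        "failed_attempts": len(attempts),
        "phase1_completed": any(k.startswith("qm_") for k in counts),
        "findings": [SIGNATURES[k][1] for k in counts],
    }
```

Feeding the full posted log to summarize() gives the same two findings repeated once per retry, which is the quickest way to confirm that the retries are all failing at the same step rather than at Phase 1.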

 
John Hurst, Business Consultant (Owner), commented:
It does not appear that you are getting a Phase 1 connect.

There are 3 variables for Phase 1 and 2 or 3 for Phase 2 plus Pre-shared key or other authentication.

Do your phases match both ends?

What is Quick Mode?  Do you need a certificate from one end?  Try without Quick Mode.

.... Thinkpads_User
0
 
Chris H, IT Director, commented:
Phase 1 is not working.  Make sure you have the correct IP address set in your "Montreal Gateway*1".

Edit the gateway and make sure your Local gateway has the Correct Local IP and the two listed under remote gateway are the same remote IP address of the sonic wall.

I do remember having an issue making a sonic wall talk to a watchguard about 2 years back. I believe the solution was to drop the first phase down to SHA, from 3des-MD5 on both sides.
0
 
John Hurst, Business Consultant (Owner), commented:
For all my client tunnels, I use SHA, DH Group2, and DES or 3DES depending on the client.

The really important thing is that they match on both ends.

.... Thinkpads_User
0
 
IT Guy, Senior Engineer (Author), commented:
After working my way through Comcast tech support, I got all the way to a developer who handles firmware for the Netgear CG3000DCR appliance from Comcast and determined that the solution was actually updated firmware.  Once applied and rebooted, the tunnel came up immediately.  The solution that solved my issue was v1.33.03 and the hardware version of my gateway is v1.04 in case this helps someone else in the future.
0
 
IT Guy, Senior Engineer (Author), commented:
Solution came directly from the ISP with a firmware update only they could provide and apply.
0
