Solved

IPSEC VPN won't connect

Posted on 2014-01-07
8
2,953 Views
Last Modified: 2014-01-19
Having issues connecting IPSEC VPN from my office over our primary WAN, secondary WAN is working fine, but is slower. My working tunnel is up over a CradlePoint ARC MBR 1400 using a Verizon aircard, bridged to a Watchguard Firebox X550e on X3 interface and the other endpoint is a Sonicwall. The non-working tunnel is over a Netgear CG3000DCR cable gateway on Comcast cable, bridged to the Watchguard's X0 interface. Both internet connections work fine in WAN failover with Comcast primary, but the VPN fails over to the secondary Verizon connection. The Sonicwall endpoint on the other side is set up so that its tunnel uses the Comcast IP as the primary and the Verizon IP as the secondary, and the same for the Firebox. If I disconnect the Verizon to try to force the VPN to bring the tunnel up on the Comcast primary WAN the SonicWall logs show an IKE initiator IKE timeout message repeated. I have confirmed that Phase 1 and Phase 2 match on both ends. I also checked with Comcast and they tell me the device is bridged, so that connections sent to the static IP assigned in the Firebox effectively bypass the Netgear's firewall for their True Static IP range. Any help would be appreciated.
0
Comment
Question by:IT Guy
8 Comments
 
LVL 90

Expert Comment

by:John Hurst
You are trying to VPN through one device bridged to the second device. Did I read that correctly?

Then you are double NAT'g and most VPN connections will fail.

On Site to Site, I enable NAT Traversal. That is normally down in Additional Settings. Try that.

For Client to Site, you need an application that can do NAT Traversal. The only one I know that does this effectively is NCP Secure Entry (www.ncp-e.com). That is what I use.

.... Thinkpads_User
0
 
LVL 16

Expert Comment

by:choward16980
Can you post your IKE session from your system manager traffic monitor?  

From the sound of it, it sounds like your WatchGuard is blocking the VPN host. Try adding the SonicWall's IP to the blocked site exceptions list.

Also, make sure you have dead peer detection and NAT Traversal enabled on the WatchGuard gateway for that VPN tunnel. Try setting from MAIN mode to MAIN FAILOVER TO AGGRESSIVE also, to see if it initiates.
0
 

Author Comment

by:IT Guy
Traffic Monitor logs below. Dead peer detection and NAT Traversal are enabled in the WG and the mode is set to MAIN FAILOVER TO AGGRESSIVE. The tunnel is currently configured with a primary and secondary gateway on both ends; effectively it looks to use the identical config on both except for a different gateway, and on the WG it specifies which interface to use also to match the local gateway. The SW only has 1 WAN connection, which keeps that simple. With the primary as the VZW it works fine; with the secondary as VZW it fails over from the Comcast to the VZW. IIRC, the NAT Traversal may be disabled on the SW, but it had been previously over the working VZW connection, though I'll be the first to admit I'm sure the devices don't work exactly the same. Also, the ISP says with a static it removes the firewall functionality of the Netgear in front, and does not claim to block IPSEC traffic.



2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:50:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:50:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:50:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:50:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:51:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:51:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:51:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:51:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:51:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:52:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:52:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:52:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:52:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:53:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:53:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:53:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:53:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:54:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:54:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:54:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:54:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:55:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:55:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:59 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:55:59 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:55:59 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:55:59 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:55:59 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:55:59 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:56:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:56:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:56:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:56:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:57:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:57:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:57:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:57:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:59:04 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:59:04 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:59:04 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:59:04 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:00:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:00:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:41 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:00:41 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:00:41 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:00:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:00:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:00:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:01:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:01:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:01:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:01:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:02:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:02:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:02:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:02:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:03:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:03:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:03:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:03:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:04:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:04:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:04:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:04:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:05:12 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:05:12 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:05:12 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:05:12 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:05:12 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:05:12 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:05:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:05:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:05:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:05:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:06:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:06:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:06:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:06:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:07:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:07:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:07:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:08:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:08:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:08:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:08:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:08:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:08:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:09:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:09:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:09:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:09:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:09:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:09:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:10:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:10:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:10:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:10:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:10:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:10:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:10:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:10:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:10:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:10:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:10:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:10:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
0
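The traffic-monitor lines above can be triaged mechanically. The following is an added example, not code from the thread or from WatchGuard: it parses iked lines of the format posted, tags each one with the IKEv1 phase it belongs to (every message shown is a Quick Mode, i.e. Phase 2, message), counts failures per class and per gateway name, and measures the retry cadence. The failure class names and the reading in explain() are this example's own assumptions; the sample log is a constructed excerpt of the lines posted above.

```python
"""Classify WatchGuard iked traffic-monitor lines by IKEv1 phase and failure.
Added example, not from the original thread. Failure class names and the
reading in explain() are this example's own assumptions."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: an excerpt of the lines the author posted, not the full log.
SAMPLE_LOG = """\
2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<msg>.*?)\s+(?P<level>\w+)$")
GATEWAY_RE = re.compile(r"ikePcyName\((?P<gw>[^)]*)\)")

# (substring, IKE phase, failure class); first match wins. All posted messages are Quick Mode.
CLASSIFIERS = [
    ("failed to get policy by ID payload", "phase2", "no_policy_for_id_payload"),
    ("matching ipsecPolicy object", "phase2", "no_policy_for_id_payload"),
    ("next should be SA payload (QM)", "phase2", "malformed_qm_payload"),
    ("payload check failed", "phase2", "malformed_qm_payload"),
    ("after processing 1st QM msg", "phase2", "malformed_qm_payload"),
]

def parse_line(line):
    """Return a dict for one traffic-monitor line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    g = GATEWAY_RE.search(rec["msg"])
    rec["gateway"] = g.group("gw") if g else None
    rec["phase"], rec["failure"] = "other", None
    for needle, phase, failure in CLASSIFIERS:
        if needle in rec["msg"]:
            rec["phase"], rec["failure"] = phase, failure
            break
    return rec

def triage(text):
    """Summarise iked failures: counts per phase, class and gateway, plus retry gaps."""
    iked = [r for r in map(parse_line, text.splitlines()) if r and r["proc"] == "iked"]
    stamps = sorted({r["ts"] for r in iked if r["failure"] == "no_policy_for_id_payload"})
    return {
        "phases": dict(Counter(r["phase"] for r in iked)),
        "failures": dict(Counter(r["failure"] for r in iked if r["failure"])),
        "gateways": dict(Counter(r["gateway"] for r in iked if r["gateway"])),
        "retry_gaps_s": [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])],
    }

def explain(summary):
    """Which question to ask first (this example's own reading of the messages)."""
    if summary["failures"].get("no_policy_for_id_payload"):
        gws = ", ".join(summary["gateways"]) or "unknown gateway"
        return ("phase2", f"Quick Mode ID payload matched no tunnel route under {gws}: "
                          "compare local/remote networks (proxy IDs) on both ends")
    if summary["failures"].get("malformed_qm_payload"):
        return ("phase2", "first Quick Mode message lacked the expected SA payload: "
                          "capture the exchange and compare the Phase 2 proposals")
    return ("unknown", "no iked failure lines found")
```

Run triage(SAMPLE_LOG) and pass the result to explain(): on the posted lines, every failure is in Phase 2, which is what makes the gateway name and the two ends' tunnel routes the first thing to compare.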
 
LVL 90

Expert Comment

by:John Hurst
It does not appear that you are getting a Phase 1 connect.

There are 3 variables for Phase 1 and 2 or 3 for Phase 2 plus Pre-shared key or other authentication.

Do your phases match on both ends?

What is Quick Mode?  Do you need a certificate from one end?  Try without Quick Mode.

.... Thinkpads_User
0

 
LVL 16

Expert Comment

by:choward16980
Phase 1 is not working. Make sure you have the correct IP address set in your "Montreal Gateway*1".

Edit the gateway and make sure your local gateway has the correct local IP and the two listed under remote gateway are the same remote IP address of the SonicWall.

I do remember having an issue making a SonicWall talk to a WatchGuard about 2 years back. I believe the solution was to drop the first phase down to SHA, from 3DES-MD5, on both sides.
0
 
LVL 90

Expert Comment

by:John Hurst
For all my client tunnels, I use SHA, DH Group2, and DES or 3DES depending on the client.

The really important thing is that they match on both ends.

.... Thinkpads_User
0
 

Accepted Solution

by:
IT Guy earned 0 total points
After working my way through Comcast tech support, I got all the way to a developer who handles firmware for the Netgear CG3000DCR appliance from Comcast and determined that the solution was actually updated firmware. Once applied and rebooted, the tunnel came up immediately. The firmware that solved my issue was v1.33.03 and the hardware version of my gateway is v1.04, in case this helps someone else in the future.
0
 

Author Closing Comment

by:IT Guy
Solution came directly from the ISP with a firmware update only they could provide and apply.
0
