Solved

IPSEC VPN won't connect

Posted on 2014-01-07
3,022 Views
Last Modified: 2014-01-19
Having issues connecting IPSEC VPN from my office over our primary WAN; the secondary WAN is working fine, but is slower.  My working tunnel is up over a CradlePoint ARC MBR 1400 using a Verizon aircard, bridged to a Watchguard Firebox X550e on the X3 interface, and the other endpoint is a Sonicwall.  The non-working tunnel is over a Netgear CG3000DCR cable gateway on Comcast cable, bridged to the Watchguard's X0 interface.  Both internet connections work fine in WAN failover with Comcast primary, but the VPN fails over to the secondary Verizon connection.  The Sonicwall endpoint on the other side is set up so that its tunnel uses the Comcast IP as the primary and the Verizon IP as the secondary, and the same for the Firebox.  If I disconnect the Verizon to try to force the VPN to bring the tunnel up on the Comcast primary WAN, the SonicWall logs show an "IKE initiator IKE timeout" message repeated.  I have confirmed that Phase 1 and Phase 2 match on both ends.  I also checked with Comcast and they tell me the device is bridged, so that connections sent to the static IP assigned in the Firebox effectively bypass the Netgear's firewall for their True Static IP range.  Any help would be appreciated.
Question by:IT Guy

8 Comments
 
LVL 92

Expert Comment

by:John Hurst
ID: 39763310
You are trying to VPN through one device bridged to the second device. Did I read that correctly?

Then you are double NATing and most VPN connections will fail.

On Site to Site, I enable NAT Traversal. That is normally down in Additional Settings. Try that.

For Client to Site, you need an application that can do NAT Traversal. The only one I know that does this effectively is NCP Secure Entry (www.ncp-e.com). That is what I use.

.... Thinkpads_User
0
 
LVL 16

Expert Comment

by:choward16980
ID: 39763315
Can you post your IKE session from your system manager traffic monitor?  

From the sound of it, it sounds like your Watchguard is blocking the VPN host.  Try adding the SonicWall's IP to the blocked site exceptions list.

Also, make sure you have dead peer detection and NAT Traversal enabled on the Watchguard gateway for that VPN tunnel.  Try setting from MAIN mode to MAIN FAILOVER TO AGGRESSIVE also, to see if it initiates.
0
 

Author Comment

by:IT Guy
ID: 39763369
Traffic Monitor logs below.  Dead peer detection and NAT Traversal are enabled in the WG and the mode is set to MAIN FAILOVER TO AGGRESSIVE.  The tunnel is currently configured with a primary and secondary gateway on both ends; effectively it looks to use the identical config on both except for a different gateway, and on the WG it specifies which interface to use also, to match the local gateway.  The SW only has 1 WAN connection, which keeps that simple.  With the primary as the VZW it works fine; with the secondary as VZW it fails over from the Comcast to the VZW.  IIRC, the NAT Traversal may be disabled on the SW, but it had been previously over the working VZW connection, though I'll be the first to admit I'm sure the devices don't work exactly the same.  Also, the ISP says with a static it removes the firewall functionality of the Netgear in front, and does not claim to block IPSEC traffic.



2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:50:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:50:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:50:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:50:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:51:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:51:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:51:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:51:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:51:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:52:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:52:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:52:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:52:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:53:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:53:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:53:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:53:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:54:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:54:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:54:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:54:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:55:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:55:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:55:59 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:55:59 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:55:59 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:55:59 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:55:59 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:55:59 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:56:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:56:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:56:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:56:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:57:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:57:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:57:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:57:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:59:04 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:59:04 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:59:04 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:59:04 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:00:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:00:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:00:41 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:00:41 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:00:41 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:00:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:00:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:00:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:01:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:01:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:01:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:01:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:02:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:02:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:02:19 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:02:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:03:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:03:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:03:24 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:03:24 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:04:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:04:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:04:29 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:04:29 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:05:12 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:05:12 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:05:12 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:05:12 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:05:12 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:05:12 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:05:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:05:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:05:34 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:05:34 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:06:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:06:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:06:39 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:06:39 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:07:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:07:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:07:44 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:07:44 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:08:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:08:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:08:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:08:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:08:49 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:08:49 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:09:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:09:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:09:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:09:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:09:54 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:09:54 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:10:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
2014-01-07 16:10:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=8006fa         Debug
2014-01-07 16:10:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:10:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:10:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:10:42 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 16:10:42 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:10:42 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 16:10:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:10:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 16:10:59 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 16:10:59 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
0
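The Traffic Monitor lines above are repetitive enough that the useful information (how many distinct IKE attempts there were, how far apart they are, and which gateway object the lookup fails on) is hard to see by eye. The script below is an added example, not code from the poster, WatchGuard or SonicWall. It parses lines in the format Traffic Monitor prints, keys on the fixed substrings `iked` emits, and reports per-category attempt counts, retry intervals and the `ikePcyName(...)` values that failed lookup. The category names, the `SIGNATURES` table and the `SAMPLE_LOG` (a constructed subset of the lines posted above) are assumptions made for the example; the "QM"/"QuickMode" strings are Phase 2 (Quick Mode) messages in IKEv1, which is why they are labelled `qm_` here.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: a representative subset of the WatchGuard
# Traffic Monitor lines posted in the thread (same text, trimmed for length).
SAMPLE_LOG = """\
2014-01-07 15:47:09 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:47:09 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:47:56 iked Check Payloads : next should be SA payload (QM)        Debug
2014-01-07 15:47:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 15:47:56 iked Process IKE Packet : return FAILURE after processing 1st QM msg        Debug
2014-01-07 15:48:14 iked IPSecGetPolicyInfo: failed to use ikePcyName(Montreal Gateway*1) to find the matching ipsecPolicy object        Debug
2014-01-07 15:48:14 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:49:19 iked QuickMode: <<1st - failed to get policy by ID payload        Debug
2014-01-07 15:51:56 iked QuickMode: <<1st - payload check failed        Debug
2014-01-07 16:07:31 sessiond OK! Sent out wgapi msg xpath=/toSessionClient/checkActivity, dstIPCAddr=4006fa         Debug
"""

# "<date> <time> <process> <message>   <level>" as Traffic Monitor prints it.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*?)\s+(Debug|Info|Warning|Error)\s*$"
)
GATEWAY_RE = re.compile(r"ikePcyName\(([^)]*)\)")

# Fixed substrings iked emits, mapped to an assumed category name. "QM" and
# "QuickMode" are IKEv1 Phase 2; none of these strings is a Main/Aggressive
# Mode (Phase 1) message.
SIGNATURES = [
    ("failed to get policy by ID payload",      "qm_policy_lookup"),
    ("to find the matching ipsecPolicy object", "qm_policy_lookup"),
    ("next should be SA payload (QM)",          "qm_payload_order"),
    ("payload check failed",                    "qm_payload_order"),
    ("after processing 1st QM msg",             "qm_payload_order"),
]


def parse_line(line):
    """Split one Traffic Monitor line into its fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proc, msg, level = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "proc": proc, "msg": msg, "level": level}


def classify(msg):
    """Map a message to its category, or None if it is not an IKE failure."""
    for needle, category in SIGNATURES:
        if needle in msg:
            return category
    return None


def triage(log_text):
    """Summarise iked failures: raw line counts, distinct attempts (one per
    timestamp), retry intervals in seconds, and gateway names that failed."""
    lines = Counter()
    attempts = defaultdict(set)
    gateways = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "iked":
            continue
        category = classify(rec["msg"])
        if category is None:
            continue
        lines[category] += 1
        attempts[category].add(rec["ts"])
        m = GATEWAY_RE.search(rec["msg"])
        if m:
            gateways.add(m.group(1))
    intervals = {}
    for category, stamps in attempts.items():
        ordered = sorted(stamps)
        intervals[category] = [int((b - a).total_seconds())
                               for a, b in zip(ordered, ordered[1:])]
    return {"lines": dict(lines),
            "attempts": {c: len(s) for c, s in attempts.items()},
            "intervals": intervals,
            "gateways": sorted(gateways)}


def report(summary):
    """Render the triage summary as one line per category."""
    out = []
    for category in sorted(summary["attempts"]):
        gaps = summary["intervals"][category]
        median = int(statistics.median(gaps)) if gaps else None
        out.append(f"{category}: {summary['attempts'][category]} attempts, "
                   f"{summary['lines'][category]} lines, median retry {median}s")
    out.append("gateways failing policy lookup: " + ", ".join(summary["gateways"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the full log posted above the same code shows the policy-lookup failures recurring roughly every 65 seconds and the payload-order failures every four to five minutes, each on the object named `Montreal Gateway*1`; paste a longer capture into `SAMPLE_LOG` or feed a file's contents to `triage()` to check that pattern against your own device.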
 
LVL 92

Expert Comment

by:John Hurst
ID: 39763399
It does not appear that you are getting a Phase 1 connect.

There are 3 variables for Phase 1 and 2 or 3 for Phase 2 plus Pre-shared key or other authentication.

Do your phases match on both ends?

What is Quick Mode?  Do you need a certificate from one end?  Try without Quick Mode.

.... Thinkpads_User
0
 
LVL 16

Expert Comment

by:choward16980
ID: 39763438
Phase 1 is not working.  Make sure you have the correct IP address set in your "Montreal Gateway*1" gateway.

Edit the gateway and make sure your Local gateway has the correct local IP and the two listed under remote gateway are the same remote IP address of the SonicWall.

I do remember having an issue making a SonicWall talk to a Watchguard about 2 years back.  I believe the solution was to drop the first phase down to SHA, from 3DES-MD5, on both sides.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 39763457
For all my client tunnels, I use SHA, DH Group2, and DES or 3DES depending on the client.

The really important thing is that they match on both ends.

.... Thinkpads_User
0
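The two comments above (drop Phase 1 to SHA on both sides; whatever you pick, it must match on both ends) describe the IKEv1 proposal negotiation in words. The script below is an added example, not code from any poster or vendor, that models that negotiation: the initiator sends its proposals in order, and the responder accepts the first one it also has; when nothing matches, it lists the attribute that differs so the mismatch can be fixed on the correct side. The `Phase1`/`Phase2` classes, their attribute names and the scenario in `__main__` are assumptions made for the example; vendor GUIs label these fields differently, but the transform attributes underneath (encryption, hash/integrity, DH group, authentication method, PFS group, lifetime) are the same.

```python
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Phase1:
    """One IKE (Phase 1) transform. Attribute names are assumptions."""
    encryption: str          # "des", "3des", "aes128", ...
    hash: str                # "md5", "sha1", ...
    dh_group: int            # 1, 2, 5, 14, ...
    auth: str = "psk"        # "psk" or "rsa-sig"
    lifetime_s: int = 28800


@dataclass(frozen=True)
class Phase2:
    """One IPsec (Phase 2) transform. Attribute names are assumptions."""
    protocol: str            # "esp" or "ah"
    encryption: str
    auth: str                # "hmac-md5", "hmac-sha1", ...
    pfs_group: Optional[int] = None   # None = PFS off
    lifetime_s: int = 3600


# Lifetime handling is vendor-specific (many peers accept the shorter value,
# some reject a mismatch), so it is left out of the strict comparison by
# default; pass ignore=() to compare it too.
DEFAULT_IGNORE = ("lifetime_s",)


def _attrs(proposal, ignore):
    return {k: v for k, v in asdict(proposal).items() if k not in ignore}


def negotiate(initiator, responder, ignore=DEFAULT_IGNORE):
    """Model IKEv1 SA selection: the responder walks the initiator's
    proposals in the order sent and accepts the first one it also has.
    Returns (initiator_index, responder_index, proposal) or None."""
    for i, ip in enumerate(initiator):
        for r, rp in enumerate(responder):
            if _attrs(ip, ignore) == _attrs(rp, ignore):
                return i, r, ip
    return None


def mismatches(initiator, responder, ignore=DEFAULT_IGNORE):
    """For every (initiator, responder) pair, the attributes that differ
    as {name: (initiator_value, responder_value)}, closest pair first."""
    rows = []
    for i, ip in enumerate(initiator):
        a = _attrs(ip, ignore)
        for r, rp in enumerate(responder):
            b = _attrs(rp, ignore)
            diff = {k: (a[k], b[k]) for k in a if a[k] != b[k]}
            rows.append((i, r, diff))
    rows.sort(key=lambda row: len(row[2]))
    return rows


def explain(initiator, responder, ignore=DEFAULT_IGNORE):
    """One-line human-readable verdict for a pair of proposal lists."""
    chosen = negotiate(initiator, responder, ignore)
    if chosen:
        i, r, p = chosen
        return f"match: initiator proposal {i} == responder proposal {r}: {p}"
    i, r, diff = mismatches(initiator, responder, ignore)[0]
    parts = ", ".join(f"{k} {a!r} vs {b!r}" for k, (a, b) in diff.items())
    return f"no match; closest pair initiator {i} / responder {r} differs on: {parts}"


if __name__ == "__main__":
    # Constructed scenario from the advice above: one side still proposes
    # 3DES-MD5 while the other was moved to SHA.
    firebox = [Phase1("3des", "md5", 2)]
    sonicwall = [Phase1("3des", "sha1", 2)]
    print(explain(firebox, sonicwall))
    # Adding the SHA transform to the initiator's list makes them agree.
    print(explain(firebox + [Phase1("3des", "sha1", 2)], sonicwall))
    # Phase 2 with PFS enabled on one end only has nothing in common.
    print(explain([Phase2("esp", "3des", "hmac-sha1", pfs_group=2)],
                  [Phase2("esp", "3des", "hmac-sha1")]))
```

The ordering rule matters in practice: if both ends list several transforms, the one actually used is the first in the initiator's list that the responder accepts, so two devices with identical but differently ordered lists can end up on a weaker algorithm than either administrator intended.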
 

Accepted Solution

by:
IT Guy earned 0 total points
ID: 39780666
After working my way through Comcast tech support, I got all the way to a developer who handles firmware for the Netgear CG3000DCR appliance from Comcast and determined that the solution was actually updated firmware.  Once applied and rebooted, the tunnel came up immediately.  The firmware that solved my issue was v1.33.03 and the hardware version of my gateway is v1.04, in case this helps someone else in the future.
0
 

Author Closing Comment

by:IT Guy
ID: 39791951
Solution came directly from the ISP with a firmware update only they could provide and apply.
0
