Watchguard ipsec

My user cannot connect with Watchguard client or Shrewsoft client.  Switching users to myself I find that I cannot connect with Watchguard client but I can with Shrewsoft.  This is a Windows 7 Pro PC.  My windows 7 PC can use either client.  Why cant this user use the VPN?
Joe ScarlettAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arnoldCommented:
Iyou provide no basis on which to base a response, log entries reflecting the connection attempt from the vantage point of watchguard firewall.
The log from the client when attempting the connection.
Likely issue is a mismatched entry, versight, possibly.
Please also include the LAN ip segment for the client and the LAN segment behind the firewall.
Joe ScarlettAuthor Commented:
Here's the log from the Watchguard client
10/1/2017 9:53:19 AM  System: Client using OperatingSystem - 6
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  WatchGuard Mobile VPN V10.20 Build 34
10/1/2017 9:53:19 AM  System: Installed as a full license.
10/1/2017 9:53:19 AM  System: License for Oem Version - 12
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Found adapter - name=<Intel(R) 82579LM Gigabit Network Connection> with MTU 1500 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Intel(R) 82579LM Gigabit Network Connection
10/1/2017 9:53:19 AM  System: Found adapter - name=<Intel(R) Centrino(R) Ultimate-N 6300 AGN> with MTU 1500 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Intel(R) Centrino(R) Ultimate-N 6300 AGN
10/1/2017 9:53:19 AM  System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
10/1/2017 9:53:19 AM  System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
10/1/2017 9:53:19 AM  System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
10/1/2017 9:53:19 AM  System: Found adapter - name=<Bluetooth Device (Personal Area Network)> with MTU 1500 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Bluetooth Device (Personal Area Network)
10/1/2017 9:53:19 AM  System: Found adapter - name=<Microsoft Virtual WiFi Miniport Adapter> with MTU 1500 bytes
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  Warning: could not open file - C:\Program Files\WatchGuard\Mobile VPN\ncpphone.cfg
10/1/2017 9:53:19 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Microsoft Virtual WiFi Miniport Adapter
10/1/2017 9:53:19 AM  BUDGET: NcpBudgetInit -> No budget manager configuration found
10/1/2017 9:53:19 AM  BUDGET: NcpBudgetInit -> OK
10/1/2017 9:53:19 AM  System: LinkStatus Change - 1,Intel(R) Centrino(R) Ultimate-N 6300 AGN
10/1/2017 9:53:19 AM  System: Ip Address Change - 201,Intel(R) Centrino(R) Ultimate-N 6300 AGN
10/1/2017 9:53:19 AM  Firewall: adapter Intel(R) Centrino(R) Ultimate-N 6300 AGN is outside the friendly net
10/1/2017 9:53:19 AM  WLAN adapter <Intel(R) Centrino(R) Ultimate-N 6300 AGN> is connected with SSID <FiOS-WSULC-5G>
10/1/2017 9:53:19 AM  System: Disconnect cause - Manual Disconnect.
10/1/2017 9:53:19 AM  System: Disconnect cause - Manual Disconnect.
10/1/2017 9:53:19 AM  MONITOR: Installed - WatchGuard Mobile VPN 1020 Build 34 (920)
10/1/2017 9:53:19 AM  MONITOR: Licensed - WatchGuard Mobile VPN 1020
10/1/2017 9:54:51 AM  System: Protecting RAS adapter - 0
10/1/2017 9:54:51 AM  System: Protecting RAS adapter - 0
10/1/2017 9:54:51 AM  System: Protecting RAS adapter - 0
10/1/2017 9:55:04 AM  IPSec: Start building connection
10/1/2017 9:55:04 AM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=50.121.158.42 : ATS
10/1/2017 9:55:04 AM  Ike: XMIT_MSG1_AGGRESSIVE - ATS
10/1/2017 9:55:33 AM  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - ATS.
10/1/2017 9:55:33 AM  Ike: phase1:name(ATS) - error - retry timeout - max retries
10/1/2017 9:55:33 AM  IPSec: Disconnected from ATS on channel 1.

Open in new window

The Watchguard doesn't see anything.  I use the same client on another pc with no problem
arnoldCommented:
There are many errors about access to file, main point in the client, confirm the IP of the watchguard as it seems it gets no response..
Joe ScarlettAuthor Commented:
The ip is correct.  I think I have a PC problem and not a Watchguatd client problem.
arnoldCommented:
Check whether you are blocking watchguard client from being allowed to access the network.
If the ip us right, and your client config is correct, I.e. The unable to open various files.

Are you sure you need aggressive and not main mode?
Could you get the log from the other client?

try wireshark, or NS network monitor tool to capture data on the client side to confirm the destination ip, port
And compare that to the same attempt using the other client.
Joe ScarlettAuthor Commented:
Here's a copy of the log on my PC

Ill have to try wireshark.
10/1/2017 8:51:05 AM  System: Client using OperatingSystem - 6
10/1/2017 8:51:05 AM  WatchGuard Mobile VPN V10.20 Build 34
10/1/2017 8:51:05 AM  System: Installed as a full license.
10/1/2017 8:51:05 AM  System: License for Oem Version - 12
10/1/2017 8:51:05 AM  Firewall: FW configures adapter NCP VPN Adapter
10/1/2017 8:51:05 AM  System: Found adapter - name=<Intel(R) 82577LM Gigabit Network Connection> with MTU 1500 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter Intel(R) 82577LM Gigabit Network Connection
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Intel(R) 82577LM Gigabit Network Connection
10/1/2017 8:51:05 AM  System: Found adapter - name=<Broadcom 802.11n Network Adapter> with MTU 1500 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter Broadcom 802.11n Network Adapter
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Broadcom 802.11n Network Adapter
10/1/2017 8:51:05 AM  System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter NDISWAN
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
10/1/2017 8:51:05 AM  System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter NDISWAN
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
10/1/2017 8:51:05 AM  System: Found adapter - name=<NDISWAN> with MTU 1400 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter NDISWAN
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - NDISWAN
10/1/2017 8:51:05 AM  System: Found adapter - name=<Bluetooth Device (Personal Area Network)> with MTU 1500 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter Bluetooth Device (Personal Area Network)
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Bluetooth Device (Personal Area Network)
10/1/2017 8:51:05 AM  System: Found adapter - name=<Microsoft Virtual WiFi Miniport Adapter> with MTU 1500 bytes
10/1/2017 8:51:05 AM  Firewall: FW configures adapter Microsoft Virtual WiFi Miniport Adapter
10/1/2017 8:51:05 AM  System: Adapter init => stopping/starting Boot Firewall (0) due to no FNDMODE or RAS adapter or no IP address for adapter - Microsoft Virtual WiFi Miniport Adapter
10/1/2017 8:51:05 AM  BUDGET: NcpBudgetInit -> No budget manager configuration found
10/1/2017 8:51:05 AM  BUDGET: NcpBudgetInit -> OK
10/1/2017 8:51:05 AM  ###### MyServiceSessionLogoff ###
10/1/2017 8:51:05 AM  System: User logged off
10/1/2017 8:51:05 AM  MONITOR: Installed - WatchGuard Mobile VPN 1020 Build 34 (920)
10/1/2017 8:51:05 AM  MONITOR: Licensed - WatchGuard Mobile VPN 1020
10/1/2017 8:51:07 AM  IPSec: Start building connection
10/1/2017 8:51:07 AM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=45.52.2.98 : ATS
10/1/2017 8:51:07 AM  Ike: XMIT_MSG1_AGGRESSIVE - ATS
10/1/2017 8:51:07 AM  Ike: RECV_MSG2_AGGRESSIVE - ATS
10/1/2017 8:51:07 AM  Ike: IKE phase I: Setting LifeTime to 28800 seconds
10/1/2017 8:51:07 AM  Ike: Turning on XAUTH mode - ATS
10/1/2017 8:51:07 AM  Ike: IkeSa negotiated with the following properties -
10/1/2017 8:51:07 AM    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
10/1/2017 8:51:07 AM  Ike: ATS ->Support for NAT-T version - 2
10/1/2017 8:51:07 AM  Ike: Turning on NATD mode - ATS - 1
10/1/2017 8:51:07 AM  IPSec: Final Tunnel EndPoint is:045.052.002.098
10/1/2017 8:51:07 AM  Ike: XMIT_MSG3_AGGRESSIVE - ATS
10/1/2017 8:51:07 AM  Ike: IkeSa negotiated with the following properties -
10/1/2017 8:51:07 AM    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
10/1/2017 8:51:07 AM  Ike: Turning on DPD mode - ATS
10/1/2017 8:51:07 AM  Ike: phase1:name(ATS) - connected
10/1/2017 8:51:07 AM  SUCCESS: IKE phase 1 ready
10/1/2017 8:51:07 AM  IPSec: Phase1 is Ready - IkeIndex=1,AltRekey=0
10/1/2017 8:51:07 AM  IkeXauth: RECV_XAUTH_REQUEST
10/1/2017 8:51:07 AM  IkeXauth: XMIT_XAUTH_REPLY
10/1/2017 8:51:08 AM  IkeCfg: RECV_IKECFG_SET - ATS
10/1/2017 8:51:08 AM  IkeCfg: XMIT_IKECFG_ACK - ATS
10/1/2017 8:51:08 AM  IkeXauth: RECV_XAUTH_SET
10/1/2017 8:51:08 AM  IkeXauth: XMIT_XAUTH_ACK
10/1/2017 8:51:08 AM  IkeCfg: name <ATS> - IkeXauth: enter state open
10/1/2017 8:51:08 AM  SUCCESS: Ike Extended Authentication is ready
10/1/2017 8:51:08 AM  IPSec: Quick Mode is Ready: IkeIndex = 00000001 , VpnSrcPort = 4500
10/1/2017 8:51:08 AM  IPSec: Assigned IP Address: 192.168.44.202
10/1/2017 8:51:08 AM  IPSec: DNS Server: 192.168.44.1
10/1/2017 8:51:08 AM  IPSec: DNS Server: 8.8.8.8
10/1/2017 8:51:08 AM  IkeQuick: XMIT_MSG1_QUICK - ATS
10/1/2017 8:51:08 AM  IkeQuick: Received Notify(ATS) -> remote is reducing LifeTime to 28800
10/1/2017 8:51:08 AM  IkeQuick: RECV_MSG2_QUICK - ATS
10/1/2017 8:51:08 AM  IkeQuick: Turning on PFS mode(ATS) with group 1
10/1/2017 8:51:08 AM  IkeQuick: XMIT_MSG3_QUICK - ATS
10/1/2017 8:51:08 AM  IkeQuick: phase2:name(ATS) - connected
10/1/2017 8:51:08 AM  SUCCESS: Ike phase 2 (quick mode) ready
10/1/2017 8:51:08 AM  IPSec: Created an IPSEC SA with the following characteristics -
10/1/2017 8:51:08 AM    IpSrcRange=[192.168.44.202-192.168.44.202],IpDstRange=[0.0.0.0-255.255.255.255],IpProt=0,SrcPort=0,DstPort=0
10/1/2017 8:51:08 AM  IPSec: connected: LifeDuration in Seconds = 20160 and in KiloBytes = 102400000
10/1/2017 8:51:08 AM  IPSec: Connected to ATS on channel 1.
10/1/2017 8:51:08 AM  PPP(Ipcp): connected to ATS with IP Address: 192.168.044.202. : 192.168.044.203.
10/1/2017 8:51:08 AM  SUCCESS: IpSec connection ready
10/1/2017 8:51:10 AM  SUCCESS: Link -> <ATS> IP address assigned to IP stack - link is operational.
10/1/2017 9:11:21 AM  System: Disconnect cause - Manual Disconnect.
10/1/2017 9:11:21 AM  IPSec: Disconnecting from ATS on channel 1.
10/1/2017 9:11:23 AM  IPSec: Disconnected from ATS on channel 1.
10/1/2017 10:43:46 AM  IPSec: Start building connection
10/1/2017 10:43:46 AM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=45.52.2.98 : ATS
10/1/2017 10:43:46 AM  Ike: XMIT_MSG1_AGGRESSIVE - ATS
10/1/2017 10:43:46 AM  Ike: RECV_MSG2_AGGRESSIVE - ATS
10/1/2017 10:43:46 AM  Ike: IKE phase I: Setting LifeTime to 28800 seconds
10/1/2017 10:43:46 AM  Ike: Turning on XAUTH mode - ATS
10/1/2017 10:43:46 AM  Ike: IkeSa negotiated with the following properties -
10/1/2017 10:43:46 AM    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
10/1/2017 10:43:46 AM  Ike: ATS ->Support for NAT-T version - 2
10/1/2017 10:43:46 AM  Ike: Turning on NATD mode - ATS - 1
10/1/2017 10:43:46 AM  IPSec: Final Tunnel EndPoint is:045.052.002.098
10/1/2017 10:43:46 AM  Ike: XMIT_MSG3_AGGRESSIVE - ATS
10/1/2017 10:43:46 AM  Ike: IkeSa negotiated with the following properties -
10/1/2017 10:43:46 AM    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
10/1/2017 10:43:46 AM  Ike: Turning on DPD mode - ATS
10/1/2017 10:43:46 AM  Ike: phase1:name(ATS) - connected
10/1/2017 10:43:46 AM  SUCCESS: IKE phase 1 ready
10/1/2017 10:43:46 AM  IPSec: Phase1 is Ready - IkeIndex=2,AltRekey=0
10/1/2017 10:43:46 AM  IkeXauth: RECV_XAUTH_REQUEST
10/1/2017 10:43:46 AM  IkeXauth: XMIT_XAUTH_REPLY
10/1/2017 10:43:47 AM  IkeCfg: RECV_IKECFG_SET - ATS
10/1/2017 10:43:47 AM  IkeCfg: XMIT_IKECFG_ACK - ATS
10/1/2017 10:43:47 AM  IkeXauth: RECV_XAUTH_SET
10/1/2017 10:43:47 AM  IkeXauth: XMIT_XAUTH_ACK
10/1/2017 10:43:47 AM  IkeCfg: name <ATS> - IkeXauth: enter state open
10/1/2017 10:43:47 AM  SUCCESS: Ike Extended Authentication is ready
10/1/2017 10:43:47 AM  IPSec: Quick Mode is Ready: IkeIndex = 00000002 , VpnSrcPort = 4500
10/1/2017 10:43:47 AM  IPSec: Assigned IP Address: 192.168.44.203
10/1/2017 10:43:47 AM  IPSec: DNS Server: 192.168.44.1
10/1/2017 10:43:47 AM  IPSec: DNS Server: 8.8.8.8
10/1/2017 10:43:48 AM  IkeQuick: XMIT_MSG1_QUICK - ATS
10/1/2017 10:43:48 AM  IkeQuick: Received Notify(ATS) -> remote is reducing LifeTime to 28800
10/1/2017 10:43:48 AM  IkeQuick: RECV_MSG2_QUICK - ATS
10/1/2017 10:43:48 AM  IkeQuick: Turning on PFS mode(ATS) with group 1
10/1/2017 10:43:48 AM  IkeQuick: XMIT_MSG3_QUICK - ATS
10/1/2017 10:43:48 AM  IkeQuick: phase2:name(ATS) - connected
10/1/2017 10:43:48 AM  SUCCESS: Ike phase 2 (quick mode) ready
10/1/2017 10:43:48 AM  IPSec: Created an IPSEC SA with the following characteristics -
10/1/2017 10:43:48 AM    IpSrcRange=[192.168.44.203-192.168.44.203],IpDstRange=[0.0.0.0-255.255.255.255],IpProt=0,SrcPort=0,DstPort=0
10/1/2017 10:43:48 AM  IPSec: connected: LifeDuration in Seconds = 20160 and in KiloBytes = 102400000
10/1/2017 10:43:48 AM  IPSec: Connected to ATS on channel 1.
10/1/2017 10:43:48 AM  PPP(Ipcp): connected to ATS with IP Address: 192.168.044.203. : 192.168.044.204.
10/1/2017 10:43:48 AM  SUCCESS: IpSec connection ready
10/1/2017 10:43:50 AM  SUCCESS: Link -> <ATS> IP address assigned to IP stack - link is operational.

Open in new window

arnoldCommented:
The first log points to  50.121.158.42  While the succeeded ip connects to 45.52.2.98

Please recheck which is the correct one........

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joe ScarlettAuthor Commented:
45.52.2.98  is correct. i think we need a new config file.  

Thanks it worked with a new config.
Joe ScarlettAuthor Commented:
Thanks Arnold  I should have caught it.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.