WellingtonIS
asked on
Watchguard Firewall xtm515
I'm having issues connecting:
The routing is set up to 172.16.0.0/23 to the gateway 172.16.1.254
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting 3DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 256, expecting 128 id="0203-0008" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 256, expecting 192 id="0203-0008" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received hash SHA1, expecting MD5 id="0203-0005" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting 3DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received hash SHA1, expecting MD5 id="0203-0005" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 128, expecting 192 id="0203-0008" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 128, expecting 256 id="0203-0008" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting 3DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 256, expecting 128 id="0203-0008" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 256, expecting 192 id="0203-0008" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received hash SHA1, expecting MD5 id="0203-0005" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received DH group 14, expecting 2 id="0203-0004" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption 3DES, expecting DES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption 3DES, expecting AES id="0203-0006" | Debug |
2021-03-29 11:55:38 iked (75.99.10.90<->73.139.206.63)IKE phase-1 negotiation from 75.99.10.90:500 to 73.139.206.63:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption 3DES, expecting AES id="0203-0006" | Debug |
ASKER
For the VPN settings I have IPSec phase one only:
MD5-DES
SHA1-3DES
MD5-128 AES
SHA1-128AES
On the actual VPN setting, it's Microsoft, I have
Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)
I have a password
and for encryption I have Microsoft CHAP version 2 checked and nothing else.
ASKER
No matter what I change I'm still getting this error: is there any way to change the setting in the VPN connection?
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting 3DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting 3DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption AES, expecting 3DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption 3DES, expecting DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received DH group 14, expecting 2 id="0203-0004" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-1 negotiation from 75.99.10.90:500 to 8.25.188.116:500 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received encryption 3DES, expecting DES id="0203-0006" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-2 negotiation from 75.99.10.90:4500 to 8.25.188.116:4500 failed. Tunnel='L2TP-IPSec' Reason=Received AES key length 128, expecting 256 id="0205-0008" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-2 negotiation from 75.99.10.90:4500 to 8.25.188.116:4500 failed. Tunnel='L2TP-IPSec' Reason=Received ESP authentication None, expecting HMAC-SHA1 id="0205-0007" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-2 negotiation from 75.99.10.90:4500 to 8.25.188.116:4500 failed. Tunnel='L2TP-IPSec' Reason=Received ESP encryption AES, expecting 3DES id="0205-0005" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-2 negotiation from 75.99.10.90:4500 to 8.25.188.116:4500 failed. Tunnel='L2TP-IPSec' Reason=Received AES key length 128, expecting 256 id="0205-0008" Debug
2021-03-30 08:46:04 iked (75.99.10.90<->8.25.188.116)IKE phase-2 negotiation from 75.99.10.90:4500 to 8.25.188.116:4500 failed. Tunnel='L2TP-IPSec' Reason=Received ESP authentication None, expecting HMAC-MD5 id="0205-0007" Debug
There's a lot not right with the configuration by the look of the logs.
When you configure the VPN connection, you need to make sure the settings are exactly the same at both ends. It looks to me like your configuration is rattling through multiple options in order to try to find a combination that works. Can you show us your configuration for Phase1 and Phase2 for each end, please?
ASKER
The reason for that is I'm trying every combination because my original config isn't working - So here's what I have. Any suggestions to solve this mystery are welcome. Originally I only had MD5-DES and SHA1-3DES but I'm still getting errors.
l2tpphase2.PNG
phase1.PNG
Thanks.
I see the Watchguard trying to use PFS, but in the config you showed for Phase2 there is no PFS configured. Set that to DH Group 2 and see if it works.
ASKER
If you're talking about MD5-DES I changed it to DH group 2 same errors. UGH.
No I'm talking about in the IPSec PFS settings.
In the IPSec Phase2 tab you have a tick-box for Perfect Forward Secrecy. You have it disabled but it looks like the Watchguard wants to use it, as it is expecting to see Diffie-Hellman Group 2 configured at the client. Enable that and see if it works.
ASKER
Now it will not even connect at all.
Glad to help :-/
That means you have AES configured at one end but 3DES at the other. Make sure the Phase1 configuration matches at both ends.
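Added example (not part of the original thread): a Python script that condenses iked lines in the format pasted above into, per phase and attribute, the values the peer sent and the values the Firebox was expecting, so the two ends' proposals can be compared side by side. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Pulls the phase and the "Received <attribute> <value>, expecting <value>" pair
# out of one iked line; truncated or unrelated lines simply do not match.
LINE_RE = re.compile(
    r'IKE phase-(?P<phase>[12]) negotiation .*?'
    r'Reason=Received (?P<received>.+?), expecting (?P<expected>.+?) id="')

def parse_line(line):
    m = LINE_RE.search(line)
    if m is None:
        return None
    # "AES key length 256" -> attribute "AES key length", value "256"
    attribute, _, value = m.group("received").rpartition(" ")
    return int(m.group("phase")), attribute, value, m.group("expected")

def summarize(lines):
    """Map (phase, attribute) -> values the peer sent and values the gateway expected."""
    seen = defaultdict(lambda: {"received": set(), "expected": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        phase, attribute, value, expected = parsed
        seen[(phase, attribute)]["received"].add(value)
        seen[(phase, attribute)]["expected"].add(expected)
    return dict(seen)

def peer_only(summary):
    """Values the peer sent that never show up on the 'expecting' side of these lines."""
    diff = {k: v["received"] - v["expected"] for k, v in summary.items()}
    return {k: d for k, d in diff.items() if d}

# Constructed sample in the log format shown in the thread (documentation IPs).
HEAD = "2021-03-29 11:55:38 iked (192.0.2.10<->198.51.100.20)IKE phase-"
P1 = HEAD + ("1 negotiation from 192.0.2.10:500 to 198.51.100.20:500 failed. "
             "Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received ")
P2 = HEAD + ("2 negotiation from 192.0.2.10:4500 to 198.51.100.20:4500 failed. "
             "Tunnel='L2TP-IPSec' Reason=Received ")
SAMPLE = [
    P1 + 'encryption AES, expecting 3DES id="0203-0006" | Debug |',
    P1 + 'encryption 3DES, expecting AES id="0203-0006" | Debug |',
    P1 + 'AES key length 256, expecting 128 id="0203-0008" | Debug |',
    P1 + 'hash SHA1, expecting MD5 id="0203-0005" | Debug |',
    P1 + 'DH group 14, expecting 2 id="0203-0004" | Debug |',
    P2 + 'ESP authentication None, expecting HMAC-SHA1 id="0205-0007" | Debug |',
    "2021-03-29 11:55:38 iked (192.0.2.10<->198.51.100.2",  # truncated line, skipped
]

if __name__ == "__main__":
    for (phase, attr), vals in sorted(summarize(SAMPLE).items()):
        print(f"phase {phase} {attr}: peer sent {sorted(vals['received'])}, "
              f"gateway expected {sorted(vals['expected'])}")
```

An attribute whose sets overlap (encryption in the sample) does not mean a proposal matched: every attribute has to agree within a single transform, which is why the settings need to be identical at both ends.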