IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain name ba

on 17.03.2006 01:10:40 by almathsec

Hello,

I have Linksys BEFSX41 VPN endpoint
running Linksys firmware 1.52.9 (which is the latest/greatest and
supposedly very reliable, and has worked well for me)
that is a VPN client to a
Watchguard Firebox X1000 running Fireware Pro and OS 8.2.1
(latest/greatest)

I am trying to establish an IPSEC VPN using the following setup:
BEFSX41 client: Has a dyndns.org domain name
X1000 server: static IP

The X1000 is set up to use a "Domain Name" for the Remote Gateway type
and specifies the dyndns.org domain name for the BEFSX41.

If I use the remote gateway id type as IP address, and specify the IP
address, the VPN is established right away. However, when I use the
domain name as the remote gateway, IT NEVER WORKS.

I have been working with the Watchguard LiveSecurity folks for 3 days
with no progress. They have given up and told me that there is
something wrong on the Linksys but cannot identify anything. Based on
talking to the Watchguard pre-sales tech people as well as looking
through manuals, as well as letting watchguard livesecurity connect to
and verify my settings, all indicate that all settings are right.

I will greatly appreciate any tips on how this can be achieved and a
VPN can be established with the BEFSX41 not requiring a static IP and
working with the domain name.

I have included some additional details below.


Thank You.

Some logs:
BEFSX41 client
2006-03-16 17:23:49 IKE[1] Tx >> AG_I1 : SA, KE, Nonce, ID
2006-03-16 17:23:50 IKE[1] Rx << AG_I1 : SA, KE, NONCE, ID,
VID, VID
2006-03-16 17:23:50 IKE[1] ISAKMP SA CKI=[ad73e4e 1edbc632] CKR=[xxxxx]
2006-03-16 17:23:50 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:50 IKE[1] Tx >> AG_R1 : SA, KE, Nonce, ID,
HASH
2006-03-16 17:23:56 IKE[1] Rx << AG_I1 : SA, KE, NONCE, ID,
VID, VID
2006-03-16 17:23:56 IKE[1] ISAKMP SA CKI=[xxxxx] CKR=[xxxxx]
2006-03-16 17:23:56 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:56 IKE[1] Tx >> AG_R1 : SA, KE, Nonce, ID,
HASH

X1000 server
iked WARNING: Rejected phase 1 aggressive mode from (no
matching policy) cookies i= r=0000000000 000000000
(multiple times)

Some settings for the VPN connection:
Encryption DES
Authentication MD5

Key Mgmt
-----------
Auto. (IKE)
PFS Disabled
Key Lifetime: 3600 secs
Advanced settings
---------------------
Phase 1
Op mode: Aggressive mode
Proposal 1
Encryption: DES
Authentication: MD5
Group: 768-bit

Phase 2
Proposal:
Encryption: DES, Auth: MD5, PFS OFF
Group 768-bit
Key Lifetime: 3600 secs

NetBIOS broadcast: OFF
Anti-replay: OFF
Keep-Alive: ON

I have tested Main Mode, and also switching between User domain name
and domain name, but none of that helps.
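
An added example (not part of the original post and not either vendor's tooling): a small Python parser for the BEFSX41 IKE log lines posted above. It rejoins wrapped lines, extracts each Tx/Rx message with its payloads, and counts which exchanges repeat; the function names and regular expressions are assumptions derived only from the lines shown in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the post above, including the wrapped continuation lines.
SAMPLE_LOG = """\
2006-03-16 17:23:49 IKE[1] Tx >> AG_I1 : SA, KE, Nonce, ID
2006-03-16 17:23:50 IKE[1] Rx << AG_I1 : SA, KE, NONCE, ID,
VID, VID
2006-03-16 17:23:50 IKE[1] ISAKMP SA CKI=[ad73e4e 1edbc632] CKR=[xxxxx]
2006-03-16 17:23:50 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:50 IKE[1] Tx >> AG_R1 : SA, KE, Nonce, ID,
HASH
2006-03-16 17:23:56 IKE[1] Rx << AG_I1 : SA, KE, NONCE, ID,
VID, VID
2006-03-16 17:23:56 IKE[1] ISAKMP SA CKI=[xxxxx] CKR=[xxxxx]
2006-03-16 17:23:56 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:56 IKE[1] Tx >> AG_R1 : SA, KE, Nonce, ID,
HASH
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
MSG = re.compile(r"^(\S+ \S+) IKE\[\d+\] (Tx >>|Rx <<) (\w+) : (.*)$")

def unwrap(text):
    """Rejoin continuation lines, i.e. lines that do not start with a timestamp."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse_messages(text):
    """Return (time, 'tx'|'rx', message name, [payloads]) for each IKE message line."""
    events = []
    for line in unwrap(text):
        m = MSG.match(line)
        if m:
            ts, direction, name, payloads = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            names = [p.strip().upper() for p in payloads.split(",") if p.strip()]
            events.append((when, direction[:2].lower(), name, names))
    return events

def repeated_exchanges(events):
    """Map (direction, message name) to its count for messages seen more than once."""
    counts = Counter((direction, name) for _, direction, name, _ in events)
    return {key: n for key, n in counts.items() if n > 1}
```

On the posted log this reports the Rx AG_I1 / Tx AG_R1 pair occurring twice, six seconds apart, with no other message type following.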

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain nam

on 17.03.2006 01:12:36 by almathsec

I forgot to mention that this is a Branch Office VPN (BOVPN) created
manually by setting up the Gateway and Tunnel on The Firebox.

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain nam

on 17.03.2006 01:26:26 by unknown

Post removed (X-No-Archive: yes)

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain nam

on 17.03.2006 03:52:44 by almathsec

I want/need to set up the VPN using domain names and dynamic IPs.
Hopefully someone else can help figure that out.

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain nam

on 17.03.2006 11:47:17 by unknown

Post removed (X-No-Archive: yes)

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain nam

on 18.03.2006 00:52:03 by axm26

I have 4 of the Linksys devices on 4 remote offices - two of them home
based, 3 of the 4 have no static IPs (cannot justify a fixed IP on
them). I believe that the domain based identification adds an extra
level of security over the preshared key.

Does anyone know how to resolve this problem? I can provide additional
details upon request.

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain name

on 18.03.2006 22:18:15 by gr

I had a couple of these boxes, used for office to home hardware vpn.
They worked well for 6-9 months, then needed to be restarted a lot. They
ended up being temperature sensitive and even with a fan on them, they
both had trouble. Eventually I ditched them and bought the similar SMC box.
gr

Re: IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain nam

on 20.03.2006 01:30:21 by unknown

Post removed (X-No-Archive: yes)