Cisco IPSEC VPN behind Watchguard

Cisco IPSEC VPN behind Watchguard

am 20.09.2006 07:58:34 von foxx0171

Hi!

Looking for someone with a little watchguard experience out
there...this is a brand that I am not familiar with. I'm hoping that
it is a quick setting change in the watchguards to get this to work.

I have the following config:

Cisco 1721 <--> Watchguard III 3500 <--- Internet ---> Watchguard Firebox 1000 <---> C 2611
10.0.0.240      PAT to Public IP                       PAT to Public IP             192.168.1.216


In short, a simple VPN between two Cisco routers from network 10.0.0.0
to 192.168.1.0. Access lists, IPs and policies are all setup
correctly. Ports UDP 500 and 4500 are forwarded on the two firewalls
doing PAT.

The isakmp sa negotiation fails with the following debug:



*Mar 1 12:04:22.751: ISAKMP (0:1): purging node -982699947
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node 194628906
*Mar 1 12:04:23.548: ISAKMP: received ke message (1/1)
*Mar 1 12:04:23.552: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 12:04:23.552: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82FD33FC
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): found peer pre-shared key matching 24.159.222.242
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)

Any ideas out there on what I need to change in the Fireboxes to get
them to pass the request for the negotiation to the Cisco routers? As
a side note, a VPN setup to a public IP succeeds if the vpn tunnel is
brought up from behind the firewall device, but not if brought up from
the public side.

Any and all ideas are appreciated!

Thanks,

Michael
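
The debug above shows the initiator sending its first Main Mode packet and then nothing coming back. As an added example (my code, not anything posted in this thread), here is a small Python analyzer that reads `debug crypto isakmp` output of this kind and reports how far phase 1 got, whether NAT-T was offered or negotiated, and whether the exchange floated to UDP/4500. The first sample is the thread's own debug output with the wrapped lines rejoined; the second, healthy sample is constructed for contrast, and the `received packet`, `vendor ID is NAT-T` and `Old State / New State` line formats it relies on are assumed from standard IOS output rather than taken from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# IOS `debug crypto isakmp` lines that matter for a "peer is not answering" diagnosis.
# The send/state/NAT-T lines appear in the thread; the receive and "vendor ID is NAT-T"
# formats are assumed from normal IOS output.
SEND_RE = re.compile(r"ISAKMP \(\d+:\d+\): sending packet to (?P<peer>\S+) my_port (?P<my>\d+) "
                     r"peer_port (?P<their>\d+) \((?P<role>[IR])\) (?P<state>[A-Z0-9_]+)")
RECV_RE = re.compile(r"ISAKMP \(\d+:\d+\): received packet from (?P<peer>\S+) dport (?P<dport>\d+) "
                     r"sport (?P<sport>\d+) Global \((?P<role>[IR])\) (?P<state>[A-Z0-9_]+)")
STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
NATT_OFFER_RE = re.compile(r"constructed NAT-T vendor-\d+ ID")      # we advertised NAT-T
NATT_PEER_RE = re.compile(r"vendor ID is NAT-T")                    # peer's NAT-T VID recognised
AGGR_FALLBACK_RE = re.compile(r"Can not start Aggressive mode, trying Main mode")


@dataclass
class Phase1Report:
    role: Optional[str] = None            # "I" initiator / "R" responder
    peer: Optional[str] = None
    packets_sent: int = 0
    packets_received: int = 0
    states: List[str] = field(default_factory=list)
    natt_offered: bool = False
    natt_peer_supports: bool = False
    floated_to_4500: bool = False         # NAT detected, IKE moved to UDP/4500
    aggressive_fallback: bool = False

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None

    def verdict(self) -> str:
        if self.last_state == "IKE_P1_COMPLETE":
            return "phase1-complete"
        if self.packets_sent and not self.packets_received:
            return "no-reply"
        return "stalled" if self.packets_received else "no-activity"


def parse_isakmp_debug(lines: Iterable[str]) -> Phase1Report:
    """Single pass over the debug lines, accumulating what the verdict needs."""
    r = Phase1Report()
    for line in lines:
        if m := SEND_RE.search(line):
            r.packets_sent += 1
            r.role, r.peer = m["role"], m["peer"]
            r.floated_to_4500 |= m["my"] == "4500"
        elif m := RECV_RE.search(line):
            r.packets_received += 1
            r.role, r.peer = m["role"], m["peer"]
            r.floated_to_4500 |= m["dport"] == "4500"
        elif m := STATE_RE.search(line):
            r.states.append(m["new"])
        elif NATT_OFFER_RE.search(line):
            r.natt_offered = True
        elif NATT_PEER_RE.search(line):
            r.natt_peer_supports = True
        elif AGGR_FALLBACK_RE.search(line):
            r.aggressive_fallback = True
    return r


def explain(r: Phase1Report) -> str:
    """Short reading of the report for whoever is debugging the tunnel."""
    v = r.verdict()
    if v == "no-reply":
        return (f"{r.role} sent {r.packets_sent} packet(s) to {r.peer} and got nothing back; "
                f"phase 1 never left {r.last_state}. The first Main Mode packet is not reaching "
                "the peer, or its reply is not forwarded back through the PAT device: check the "
                "UDP/500 forward on the far firewall and capture on the peer.")
    if v == "stalled":
        return (f"Peer answered ({r.packets_received} in) but phase 1 stopped at {r.last_state}; "
                "look at proposal, PSK or identity mismatches rather than NAT.")
    if v == "phase1-complete":
        nat = "UDP/4500 (NAT detected)" if r.floated_to_4500 else "UDP/500 (no NAT detected)"
        return f"Phase 1 complete with {r.peer} on {nat}; remaining problems are phase 2 or routing."
    return "No ISAKMP packets seen; the crypto map was never triggered."


# Sample 1: the debug output from the post, with the wrapped lines rejoined.
PAGE_DEBUG = """\
*Mar 1 12:04:23.548: ISAKMP: received ke message (1/1)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE.....
""".splitlines()

# Sample 2 (constructed, not from the post): a healthy exchange through NAT.
CONSTRUCTED_OK = """\
*Mar 1 12:10:01.000: ISAKMP (0:3): constructed NAT-T vendor-07 ID
*Mar 1 12:10:01.000: ISAKMP (0:3): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 12:10:01.100: ISAKMP (0:3): received packet from 22.222.222.242 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 12:10:01.100: ISAKMP (0:3): vendor ID is NAT-T v7
*Mar 1 12:10:01.100: ISAKMP (0:3): Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar 1 12:10:01.200: ISAKMP (0:3): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 12:10:01.300: ISAKMP (0:3): received packet from 22.222.222.242 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 12:10:01.300: ISAKMP (0:3): Old State = IKE_I_MM3  New State = IKE_I_MM4
*Mar 1 12:10:01.400: ISAKMP (0:3): sending packet to 22.222.222.242 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 1 12:10:01.500: ISAKMP (0:3): received packet from 22.222.222.242 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Mar 1 12:10:01.500: ISAKMP (0:3): Old State = IKE_I_MM5  New State = IKE_P1_COMPLETE
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("post", PAGE_DEBUG), ("constructed", CONSTRUCTED_OK)):
        print(f"{name}: {explain(parse_isakmp_debug(sample))}")
```

Run it against a saved `debug crypto isakmp` capture one SA at a time (the `(0:N)` counter in each line identifies the SA); the distinction it draws between "no reply at all" and "reply received but stalled" is the one that tells you whether to look at the port forwards on the firewalls or at the IKE policy on the routers.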

Re: Cisco IPSEC VPN behind Watchguard

am 20.09.2006 16:44:28 von unknown

Post removed (X-No-Archive: yes)

Re: Cisco IPSEC VPN behind Watchguard

am 20.09.2006 20:38:01 von foxx0171

Leythos -

I wish that we could do that, but unfortunately I didn't have a choice
in the design of this network. They already had the proper cisco
licenses and did not want to spend money on the Watchguard licenses.

Thanks,

Michael

Leythos wrote:
> In article <1158731914.371804.267690@h48g2000cwc.googlegroups.com>,
> foxx0171@yahoo.com says...
> > Looking for someone with a little watchguard experience out
> > there...this is a brand that I am not familiar with. I'm hoping that
> > it is a quick setting change in the watchguards to get this to work.
> >
> > I have the following config:
> >
> > Cisco 1721 <--> Watchguard III 3500 <--- Internet ---> Watchguard Firebox 1000 <---> C 2611
> > 10.0.0.240      PAT to Public IP                       PAT to Public IP             192.168.1.216
>
> Create the tunnels using the WatchGuard to WatchGuard firewalls, why
> pass it through them.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me

Re: Cisco IPSEC VPN behind Watchguard

am 21.09.2006 21:37:49 von unknown

Post removed (X-No-Archive: yes)

Re: Cisco IPSEC VPN behind Watchguard

am 22.09.2006 05:55:46 von foxx0171

Leythos -

Wish that I had known that going into the project. Oh well,
that is life sometimes. Since I have the units in and set up I'll have
to move ahead with the original plans.

Right now the IPSec rules on the Cisco devices just use the current
private networks (192.168.1.0 and 10.0.0.0) and encapsulate packets
bound for the other networks. You are saying that I have to change
this setup...is that because the WG unit will have a problem with an
IPSec filter that goes to an internal address?

I was just setting these up as secondary gateways on the network...each
of the WG's has a route statement to route the traffic that needs to be
encapsulated to the Cisco devices.

Is there a resource out there that has the WG manuals? I checked on
their site, but it seems like you need a login in order to get any
information.

Thanks for all your help...it is really appreciated.

Michael


So it sounds like I need to set up WG IPSec filter rules

Leythos wrote:
> In article <1158777481.601524.41250@e3g2000cwe.googlegroups.com>,
> foxx0171@yahoo.com says...
> > Leythos -
> >
> > I wish that we could do that, but unfortunately I didn't have a choice
> > in the design of this network. They already had the proper cisco
> > licenses and did not want to spend money on the Watchguard licenses.
>
> Branch-Office VPN is built into the units you are using, for free, and
> they work perfectly. I have a few of the III units here everything in
> the 1000 line and above has LOTS of branch-office VPN connections
> included with the model. Only the really cheap units have optional
> BOVPN.
>
> If you want to do the CISCO then you need to make sure that each network
> is on a different subnet, no network can be the same at any point, then
> setup IPSec Filter rules in the WG units to permit IN/OUT from the
> interfaces as needed.
>
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me