VPN Nat Traversal Through Watchguards
Hi!
I have the following config:
Cisco 1721 <--> Watchguard III 3500 <--- Internet ---> Watchguard Firebox 1000 <---> C 2611
10.0.0.240      PAT to Public IP                       PAT to Public IP            192.168.1.216
In short, a simple VPN between two Cisco routers from network 10.0.0.0
to 192.168.1.0. Access lists, IPs and policies are all set up
correctly. Ports UDP 500 and 4500 are forwarded on the two firewalls
doing PAT.
The isakmp sa negotiation fails with the following debug:
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node -982699947
*Mar 1 12:04:22.751: ISAKMP (0:1): purging node 194628906
*Mar 1 12:04:23.548: ISAKMP: received ke message (1/1)
*Mar 1 12:04:23.552: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 12:04:23.552: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82FD33FC
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.552: ISAKMP: Looking for a matching key for 22.222.222.242 in default : success
*Mar 1 12:04:23.556: ISAKMP (0:2): found peer pre-shared key matching 24.159.222.242
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE.....
Success rate is 0 percent (0/5)
Any ideas out there on what I need to change in the Fireboxes to get
them to pass the request for the negotiation to the Cisco routers? As
a side note, a VPN set up to a public IP succeeds if the VPN tunnel is
brought up from behind the firewall device, but not if brought up from
the public side.
Any and all ideas are appreciated!
Thanks,
Michael
foxx0171 (4)
9/20/2006 5:55:35 AM |
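Added example, not part of the post or of any Cisco or Watchguard tooling: a small Python triage script that reads a rejoined "debug crypto isakmp" capture like the one above and reports whether NAT-T vendor IDs were offered, the last state reached, and whether any reply ever came back, so the failing leg of the path (local router, near PAT device, far PAT device) can be narrowed down. The sample lines are constructed from the post; the format of the inbound "received packet from" line is an assumption, since the post shows no reply at all.

```python
import re

# Constructed sample input: the ISAKMP debug lines from the post above,
# with the forum export's line wrapping removed.
SAMPLE_DEBUG = """\
*Mar 1 12:04:23.552: ISAKMP: local port 500, remote port 500
*Mar 1 12:04:23.552: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-07 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-03 ID
*Mar 1 12:04:23.556: ISAKMP (0:2): constructed NAT-T vendor-02 ID
*Mar 1 12:04:23.560: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 12:04:23.560: ISAKMP (0:2): sending packet to 22.222.222.242 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
# Assumed shape of the matching inbound line in IOS debug output (not shown in the post).
RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
STATE = re.compile(r"New State = (\S+)")
NATT_VID = re.compile(r"constructed NAT-T vendor-\S+ ID")


def triage_isakmp(debug_text: str) -> dict:
    """Summarise one IKEv1 attempt: NAT-T advertised, last state, packets
    sent/received, and a verdict naming which leg of the path to check next."""
    sent, received, last_state, nat_t_offered = [], [], None, False
    for line in debug_text.splitlines():
        if NATT_VID.search(line):
            nat_t_offered = True  # local side advertises NAT-T (RFC 3947) vendor IDs
        if m := STATE.search(line):
            last_state = m.group(1)
        if m := SENT.search(line):
            peer, my_port, peer_port, role, stage = m.groups()
            sent.append({"peer": peer, "my_port": int(my_port), "peer_port": int(peer_port),
                         "role": role, "stage": stage.rstrip(".")})  # drop trailing ping dots
        if m := RECV.search(line):
            received.append({"peer": m.group(1), "dport": int(m.group(2)), "sport": int(m.group(3))})
    if not sent:
        verdict = "no IKE packet left the router: check the crypto map and interesting traffic"
    elif not received:
        verdict = (f"{sent[-1]['stage']} packet sent to {sent[-1]['peer']} on UDP {sent[-1]['peer_port']} "
                   "with no reply: confirm the far firewall forwards UDP 500/4500 to its router and NATs the return")
    elif any(s["peer_port"] == 4500 for s in sent):
        verdict = "peer answered and ports floated to 4500: NAT detected, look at the later MM/QM states"
    else:
        verdict = "peer answered on UDP 500: the first exchange crossed both PAT devices"
    return {"nat_t_offered": nat_t_offered, "last_state": last_state,
            "sent": sent, "received": received, "verdict": verdict}
```

Run it over the capture taken on the initiating router; on the post's capture it reports NAT-T offered, state IKE_I_MM1, one packet sent and nothing received, which points at the path towards the far Firebox rather than at the local crypto configuration.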
Hi Michael,
You may also wish to investigate the two Watchguard Forums:
http://www.watchguard.com/forum/
as well as
http://www.tek-tips.com/threadminder.cfm?pid=872
Sincerely,
Brad Reese
BradReese.Com - Cisco Technical Forums
http://www.bradreese.com/cisco-technical-newsgroups.htm
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant
BradReese.Com - Cisco Salary and Compensation Rates
http://www.bradreese.com/compensation-database.htm
www
9/20/2006 9:09:22 AM
Brad -
Thanks. Will do!
Michael
www.BradReese.Com wrote:
> Hi Michael,
>
> You may also wish to investigate the two Watchguard Forums:
>
> http://www.watchguard.com/forum/
>
> as well as
>
> http://www.tek-tips.com/threadminder.cfm?pid=872
>
> Sincerely,
>
> Brad Reese
> BradReese.Com - Cisco Technical Forums
> http://www.bradreese.com/cisco-technical-newsgroups.htm
> 1293 Hendersonville Road, Suite 17
> Asheville, North Carolina USA 28803
> USA & Canada: 877-549-2680
> International: 828-277-7272
> Fax: 775-254-3558
> AIM: R2MGrant
> BradReese.Com - Cisco Salary and Compensation Rates
> http://www.bradreese.com/compensation-database.htm
Kitingfox
9/20/2006 6:35:44 PM
2 Replies
410 Views