ASA 5505 to Watchguard x1000

Oct 15th, 2007

Trying to get a VPN tunnel up from an ASA 5505 to a Watchguard X1000 firewall at our colo. I'm a total newb at Cisco VPN configs, so I've probably got something monkeyed up...


By the debugs, it looks like Phase 1 and Phase 2 both are coming up, but the tunnel gets closed out immediately. 1.2.3.4 is the ASA 5505, 5.6.7.8 is the X1000:


9:43 AM IP = 5.6.7.8, IKE Initiator: New Phase 1, Intf 0, IKE Peer 5.6.7.8 local Proxy Address 10.20.2.0, remote Proxy Address 10.1.0.0, Crypto map (mdc-vpn-map)

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously allocated memory for authorization-dn-attributes

9:43 AM AAA retrieved default group policy (DfltGrpPolicy) for user = 5.6.7.8

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Security negotiation complete for LAN-to-LAN Group (5.6.7.8) Initiator, Inbound SPI = 0x6c81df4e, Outbound SPI = 0x68bee110

9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.

9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 2 COMPLETED (msgid=6b391f01)

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0

9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.

9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.

9:43 AM Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

9:43 AM User 'username' executed the 'ping inside 10.1.0.2' command.


Any clues? Debug text and the config file are attached...


ASA 5505, ASA v7.2(1)

Watchguard Firebox X1000, Fireware v9.1



rmeans Mon, 10/15/2007 - 09:23

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0


This would suggest that your rules for encryption do not match or have a problem (acl mgc). We need to make sure your side matches the inverse of the Watchguard. Of course you need to make sure you are sending the data to Watchguard as a private 10.20.2.0/24 address. This led me to look at your NAT rules. I noticed that all internal addresses PAT to the outside interface address. I think you should add a nonat rule for the VPN traffic. Something like


access-list nonat permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0


nat (inside) 0 access-list nonat


This will prevent the inside addresses from being NATed when going across the VPN to Watchguard. I would not reuse the mgc acl. Defining a separate acl gives you flexibility in the future.


If you are still having trouble, check the Watchguard rules for encryption.
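The two checks the reply describes (proxy IDs mirrored on both peers, and a NAT exemption covering the encryption domain) plus a detector for the "Phase 2 up, torn down at zero bytes" symptom in the debug above, as an added example that is not from the original thread. The Watchguard tunnel definition and the nonat ACL values are constructed assumptions; the log lines are taken from the post.

```python
import ipaddress
import re

# Proxy IDs as (local, remote). The ASA values come from the debug output;
# the Watchguard side is a constructed assumption of a correctly mirrored peer.
ASA_CRYPTO_ACL = ("10.20.2.0/24", "10.1.0.0/24")
WATCHGUARD_TUNNEL = ("10.1.0.0/24", "10.20.2.0/24")
NONAT_ACL = ("10.20.2.0/24", "10.1.0.0/24")   # the suggested NAT exemption

# Constructed sample: the three relevant lines from the ASA debug in the post.
SAMPLE_LOG = [
    "9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 2 COMPLETED (msgid=6b391f01)",
    "9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. "
    "Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0",
    "9:43 AM Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. "
    "Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, "
    "Reason: User Requested",
]

def proxies_mirror(asa, peer):
    """Phase 2 proxy IDs agree only if each side's local is the other's remote."""
    a_local, a_remote = map(ipaddress.ip_network, asa)
    p_local, p_remote = map(ipaddress.ip_network, peer)
    return a_local == p_remote and a_remote == p_local

def nonat_covers(crypto_acl, nonat_acl):
    """The NAT exemption must cover the whole encryption domain; otherwise the
    VPN sees PATed sources that never match the crypto ACL."""
    c_src, c_dst = map(ipaddress.ip_network, crypto_acl)
    n_src, n_dst = map(ipaddress.ip_network, nonat_acl)
    return c_src.subnet_of(n_src) and c_dst.subnet_of(n_dst)

TERMINATE_RE = re.compile(r"Peer Terminate Remote Proxy (\S+), Local Proxy (\S+)")

def flag_immediate_teardown(log_lines):
    """Return the (remote, local) proxies from a peer-initiated teardown that
    follows PHASE 2 COMPLETED and ends a zero-duration, zero-byte session;
    None if the log does not show that pattern."""
    phase2_done = False
    proxies = None
    for line in log_lines:
        if "PHASE 2 COMPLETED" in line:
            phase2_done = True
        m = TERMINATE_RE.search(line)
        if phase2_done and m:
            proxies = m.groups()
        if proxies and "Duration: 0h:00m:00s" in line and "Bytes xmt: 0" in line:
            return proxies
    return None
```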
