VPN Concentrator to Watchguard Phase 1 fails

Unanswered Question
Feb 12th, 2008

I am trying to set up a lan-lan between our VPN Concentrator and a Watchguard firewall; it is failing on Phase 1.

Phase 1 failure against global IKE proposal # 1:

Mismatched attr types for class Auth Method:

Rcv'd: Preshared Key

Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

I am confused as to where the XAUTH error lies. Is it my end or the remote end?

Richard Burts Mon, 02/18/2008 - 10:35

The error message is indicating that XAUTH is configured on your side and not configured on the other side. It can work if both sides are configured for XAUTH or if both sides are not configured for XAUTH. The suggestion from Theo to check and make sure that the key configured on both sides is the same is a good suggestion. But I do not believe that you have gotten to that stage yet.



cisco24x7 Mon, 02/18/2008 - 11:29

LAN-2-LAN IPSec VPN does NOT require XAUTH.

XAUTH is remote access VPN, NOT L2L vpn.

To fix this, go into the VPN concentrator, look at phase I proposal that is attached to this VPN tunnel and you will see that it has XAUTH associated to it. Click on the drop down menu and select "no xauth" and it will work after that.

Easy right?

CCIE Security
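
The mismatch discussed in this thread comes down to one attribute in the IKEv1 Phase 1 transform. The following is an added example, not code from the thread or from either vendor: it decodes a constructed peer transform and compares it with a hypothetical local proposal. The function names and sample bytes are assumptions; the attribute numbers are from RFC 2409 Appendix A and the XAUTH draft.

```python
import struct

# IKEv1 Phase 1 attribute classes (RFC 2409, Appendix A).
CLASSES = {1: "Encryption", 2: "Hash", 3: "Auth Method", 4: "DH Group"}
# Auth Method values: 1 and 3 from RFC 2409; 65001/65002 from the XAUTH draft.
AUTH = {1: "Preshared Key", 3: "RSA Signature",
        65001: "XAUTH with Preshared Key (Initiator authenticated)",
        65002: "XAUTH with Preshared Key (Responder authenticated)"}

def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes: AF=1 is type/value, AF=0 is type/length/value."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        head, second = struct.unpack_from("!HH", data, off)
        off += 4
        if head & 0x8000:                      # AF bit set: 'second' is the value
            attrs[head & 0x7FFF] = second
        else:                                  # AF bit clear: 'second' is a length
            if off + second > len(data):
                raise ValueError("truncated attribute value")
            attrs[head] = int.from_bytes(data[off:off + second], "big")
            off += second
    return attrs

def name(cls: int, value) -> str:
    """Readable value; only Auth Method values are given names here."""
    if value is None:
        return "(absent)"
    return AUTH.get(value, str(value)) if cls == 3 else str(value)

def mismatches(received: dict, configured: dict) -> list:
    """Return (class, received, configured) for each configured class that differs."""
    return [(CLASSES.get(c, str(c)), name(c, received.get(c)), name(c, want))
            for c, want in sorted(configured.items()) if received.get(c) != want]

# Constructed sample: peer offers 3DES(5), SHA(2), Preshared Key(1), group 2,
# lifetime 86400 s (the lifetime is the only TLV-encoded attribute here).
PEER_TRANSFORM = bytes.fromhex(
    "80010005" "80020002" "80030001" "80040002" "800b0001" "000c000400015180")
# Hypothetical local proposals: XAUTH selected (as in the thread) and without it.
LOCAL_XAUTH = {1: 5, 2: 2, 3: 65001, 4: 2}
LOCAL_NO_XAUTH = {**LOCAL_XAUTH, 3: 1}

if __name__ == "__main__":
    for cls, got, want in mismatches(parse_attributes(PEER_TRANSFORM), LOCAL_XAUTH):
        print(f"Mismatched attr types for class {cls}:\n  Rcv'd: {got}\n  Cfg'd: {want}")
```
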

