VPN Concentrator to Watchguard Phase 1 fails

simplecisco · ‎02-12-2008

I am trying to setup a lan-lan between our VPNConcentrator and a Watchguard firewall it is failing on Phase 1

Phase 1 failure against global IKE proposal # 1:

Mismatched attr types for class Auth Method:

Rcv'd: Preshared Key

Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

I am confused as to where the XAUTH error lies is it my end or the remote end?

Thanks

Roger

tstanik · ‎02-18-2008

The error means that the IKE policies are not matching on your end and the remote end. Also check the pre-shared key and make sure that they are the same. Following link may help you

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Richard Burts · ‎02-18-2008

Roger

The error message is indicating that XAUTH is configured on your side and not configured on the other side. It can work if both sides are configured for XAUTH or if both sides are not configured for XAUTH. The suggestion from Theo to check and make sure that the key configured on both sides is the same is a good suggestion. But I do not believe that you have gotten to that stage yet.

HTH

Rick

HTH

Rick

cisco24x7 · ‎02-18-2008

LAN-2-LAN IPSec VPN does NOT require XAUTH.

XAUTH is remote access VPN, NOT L2L vpn.

To fix this, go into the VPN concentrator, look at phase I proposal that is attached

to this VPN tunnel and you will see that

it has XAUTH associated to it. Click on the

drop down menu and select "no xauth" and

it will work after that.

Easy right?

CCIE Security