10-15-2007 07:26 AM - edited 02-21-2020 01:43 AM
Trying to get a VPN tunnel up from an ASA 5505 to a Watchguard X1000 firewall at our colo. I'm a total newb at Cisco VPN configs, so I've probably got something monkeyed up...
By the debugs, it looks like Phase 1 and Phase 2 both are coming up, but the tunnel gets closed out immediately. 1.2.3.4 is the ASA 5505, 5.6.7.8 is the X1000:
9:43 AM IP = 5.6.7.8, IKE Initiator: New Phase 1, Intf 0, IKE Peer 5.6.7.8 local Proxy Address 10.20.2.0, remote Proxy Address 10.1.0.0, Crypto map (mdc-vpn-map)
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously allocated memory for authorization-dn-attributes
9:43 AM AAA retrieved default group policy (DfltGrpPolicy) for user = 5.6.7.8
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Security negotiation complete for LAN-to-LAN Group (5.6.7.8) Initiator, Inbound SPI = 0x6c81df4e, Outbound SPI = 0x68bee110
9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.
9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 2 COMPLETED (msgid=6b391f01)
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0
9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.
9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.
9:43 AM Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
9:43 AM User 'username' executed the 'ping inside 10.1.0.2' command.
Any clues? Debug text and the config file are attached...
ASA 5505, ASA v7.2(1)
Watchguard Firebox X1000, Fireware v9.1
10-15-2007 09:23 AM
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0
This would suggest that your rules for encryption do not match or have a problem (acl mgc). We need to be sure your side matches the inverse of the Watchguard. Of course you need to make sure you are sending the data to the Watchguard as a private 10.20.2.0/24 address. This led me to look at your NAT rules. I noticed that all internal addresses PAT to the outside interface address. I think you should add a nonat rule for the VPN traffic. Something like:
access-list nonat permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
This will prevent the inside addresses from NAT when going across the VPN to Watchguard. I would not reuse the mgc acl. Defining a separate acl gives you flexibility in the future.
If you are still having trouble, check the Watchguard rules for encryption.
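The two checks the reply describes (the crypto ACL must be the exact mirror of the peer's policy, and every crypto ACE must be covered by a nat 0 exemption) can be scripted before touching the boxes. This is an added example, not from the thread or from Cisco; the contents of the mgc ACL and the Watchguard policy are assumed for illustration, since the thread does not show them.

```python
# Sanity check for an ASA LAN-to-LAN tunnel: the crypto ACL must mirror the
# peer's policy (proxy IDs), and every crypto ACE must be covered by a
# "nat (inside) 0 access-list nonat" ACE so tunnel traffic is not PATed.
from ipaddress import IPv4Network


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit ip SRC MASK DST MASK'
    into (name, src_net, dst_net). Anything else raises ValueError."""
    t = line.split()
    if not t or t[0] != "access-list" or "permit" not in t:
        raise ValueError(f"not a permit ACE: {line!r}")
    i = t.index("permit")
    if t[i + 1] != "ip":
        raise ValueError(f"only 'permit ip' ACEs are handled: {line!r}")
    src = IPv4Network(f"{t[i + 2]}/{t[i + 3]}")   # dotted mask is accepted
    dst = IPv4Network(f"{t[i + 4]}/{t[i + 5]}")
    return t[1], src, dst


def mirror_mismatches(local_aces, peer_policies):
    """Crypto ACEs (src, dst) whose swapped pair (dst, src) is not a policy
    on the peer; each one is a proxy-ID mismatch that kills Phase 2."""
    peer = set(peer_policies)
    return [(s, d) for s, d in local_aces if (d, s) not in peer]


def nat_exempt_gaps(crypto_aces, nonat_aces):
    """Crypto ACEs not fully covered by any nonat ACE (so they would be PATed)."""
    return [(s, d) for s, d in crypto_aces
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_aces)]


# Constructed sample: 'mgc' and 'nonat' are the ACL names from the thread;
# their contents and the Watchguard policy are assumed. The peer is given a
# /16 on purpose, to show what a proxy-ID mismatch looks like.
CRYPTO_ACL = ["access-list mgc permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0"]
NONAT_ACL = ["access-list nonat permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0"]
PEER_POLICY = [(IPv4Network("10.1.0.0/16"), IPv4Network("10.20.2.0/24"))]  # (peer local, peer remote)


def run_checks():
    crypto = [parse_ace(line)[1:] for line in CRYPTO_ACL]
    nonat = [parse_ace(line)[1:] for line in NONAT_ACL]
    return {"mirror_mismatches": mirror_mismatches(crypto, PEER_POLICY),
            "nat_exempt_gaps": nat_exempt_gaps(crypto, nonat)}


if __name__ == "__main__":
    for name, bad in run_checks().items():
        print(name, "OK" if not bad else [(str(s), str(d)) for s, d in bad])
```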