It seems that our PIX firewall is unable to initiate a tunnel to a remote Watchguard Firebox VPN peer. The Watchguard Firebox can initiate a tunnel to our PIX firewall. Once the tunnel has been initiated via the Watchguard firewall, I can access resources on the remote peer network.
The admin of the Watchguard firewall states that he is not blocking access to the hosts on the peer network.
Is it possible that the Watchguard firewall is not allowing ISAKMP (UDP 500) or ESP (IP 50) to be initiated from the PIX firewall?
Is anyone aware of tunnel initiation issues between PIX and Watchguard firewalls?
I can provide debugs if needed.
Thanks in advance for any and all help with this matter.
Can you send the "debug cry ipsec" and "debug cry isa" output from the PIX when it fails? Are the Phase 1 and Phase 2 lifetimes exactly the same, because this can cause problems, especially if the Phase 1 times are different. Are the crypto access-lists exactly the opposite of each other on both devices?
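As an added example (not from this thread or from either vendor), a small Python checker for the two questions in the reply above: it parses the crypto ACL and the Phase 1/Phase 2 lifetimes from a PIX config excerpt and reports entries the peer does not mirror and lifetimes that differ. The ACL name, addresses and lifetimes are constructed, and the Watchguard side is assumed to have been transcribed by hand (from the admin's screenshots) into a set of (local, remote) network pairs and a lifetime dict.

```python
import ipaddress
import re

# Regexes for the three PIX 6.x config lines this check reads.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
P1_RE = re.compile(r"^isakmp\s+policy\s+\d+\s+lifetime\s+(\d+)$")
P2_RE = re.compile(r"^crypto\s+ipsec\s+security-association\s+lifetime\s+seconds\s+(\d+)$")

def parse_pix(config, acl_name):
    """Extract the crypto ACL as (local, remote) CIDR pairs plus the Phase 1/2 lifetimes."""
    pairs, lifetimes = set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            _, src, smask, dst, dmask = m.groups()
            local = ipaddress.ip_network(f"{src}/{smask}", strict=False)
            remote = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
            pairs.add((str(local), str(remote)))
        elif P1_RE.match(line):
            lifetimes["phase1"] = int(P1_RE.match(line).group(1))
        elif P2_RE.match(line):
            lifetimes["phase2"] = int(P2_RE.match(line).group(1))
    return pairs, lifetimes

def compare_vpn_settings(pix_config, acl_name, peer_pairs, peer_lifetimes):
    """Report ACL entries whose exact reverse is missing on the peer, and lifetimes that differ."""
    pix_pairs, pix_lifetimes = parse_pix(pix_config, acl_name)
    expected_on_peer = {(remote, local) for local, remote in pix_pairs}
    return {
        "missing_on_peer": sorted(expected_on_peer - peer_pairs),
        "extra_on_peer": sorted(peer_pairs - expected_on_peer),
        "lifetime_mismatches": {
            phase: (pix_lifetimes.get(phase), peer_lifetimes.get(phase))
            for phase in ("phase1", "phase2")
            if pix_lifetimes.get(phase) != peer_lifetimes.get(phase)
        },
    }

# Constructed sample: PIX side as config lines, peer side as values transcribed from screenshots.
PIX_CONFIG = """
access-list wg_vpn permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list wg_vpn permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
isakmp policy 10 lifetime 86400
crypto ipsec security-association lifetime seconds 28800
"""
PEER_PAIRS = {("192.168.50.0/24", "10.1.1.0/24")}   # peer lacks the 10.1.2.0/24 entry
PEER_LIFETIMES = {"phase1": 28800, "phase2": 28800}  # peer Phase 1 differs from the PIX

if __name__ == "__main__":
    print(compare_vpn_settings(PIX_CONFIG, "wg_vpn", PEER_PAIRS, PEER_LIFETIMES))
```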
Below are two different debugs. The first debug is of the VPN between my PIX firewall and a remote Watchguard firewall that does not work. The second debug is of a VPN between the same PIX firewall and a remote Checkpoint firewall that does work. I thought maybe seeing working and non-working IPsec and ISAKMP debugs would help.
***************PIX/Watchguard VPN - VPN Not Working***************
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x Total VPN Peers:2
Concerning Phase 1 and Phase 2 Settings: The admin of the Watchguard peer states that the VPN settings are an exact mirror of the settings I have on the PIX. I will ask for screenshots of the Watchguard settings to verify that the settings are indeed the same.