ipsec vpn WAG54Gv3 to watchguard firebox x500e

Discussion in 'Networking Issues' started by minimac, Jan 8, 2008.

  1. minimac

    minimac Guest

    I'm hoping someone might have been here before with a linksys product.

    We have a watchguard at one end which is running VPNs to dlink, juniper and other products. This particular vpn is to a branch who were running on a dlink di804hv.

    The ip subnet and addressing is correct, as is the static ip address.

    Phase 1 is running 3DES and MD5, with group 1 (768 bit) on both ends. We have pfs enabled (have also tried it disabled). Auto IKE with common preshared key.

    Phase 2 has been set up the same, but we have varied the config a few times trying to get a connect.

    The firebox tells us that phase 1 is connecting successfully.
    When it comes to phase 2, it fails. Log from firebox:

    2008-01-08 10:24:04 iked Searching ID: IP address - policy [ss_mike] peerId []
    2008-01-08 10:24:04 iked Phase 1 started by peer with policy [ss_mike] from aggressive mode
    2008-01-08 10:24:04 iked Sending second message with policy [ss_mike] to aggressive mode
    2008-01-08 10:24:04 iked Received third message with policy [ss_mike] from aggressive mode
    2008-01-08 10:24:04 iked Phase 1 completed as responder
    2008-01-08 10:24:04 iked AG hash_alg=1 encr_alg=5 key_len=168 auth_alg=1 dh_group=1 seconds=28803 kbytes=0
    2008-01-08 10:24:04 iked Phase 2 started by peer with message(id 50dee14d) from quick mode
    2008-01-08 10:24:04 iked Isakmp INFO_EXCHANGE : HDR EncryptBit/AuthBit are not set or both set 0
    2008-01-08 10:24:04 iked PMM rejected Remote P2SA Request, reason code=10102
    2008-01-08 10:24:04 iked WARNING: Rejected phase 2 negotiation from due to not preferred IKE gateway (multi-WAN)
    2008-01-08 10:24:04 QuickMode: <<1st - failed to get policy by ID payload new_msg=" QuickMode: <<1st - failed to get policy by ID payload"
    2008-01-08 10:24:04 iked Rejected QM first message from to cookies i=27cff5f6 195c5783 r=d6d5734d 0839a749
    2008-01-08 10:24:04 iked Sending NO_PROPOSAL_CHOSEN message to

    The WAP54g comes back with:
    2008-01-08T12:17:38+12:00 IKE["ss_croy"] Rx << Notify : NO_PROPOSAL_CHOSEN
    2008-01-08T12:17:38+12:00 IKE["ss_croy"] **Check your Encryption,Authentication method and PFS settings !

    At least they agree!!

    We have tried all different options with this but can't seem to get phase 2 to work. I am hoping there is more clarity somewhere on this error message.
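    The Firebox log above is readable by hand, but the useful facts (which phase finished, what the phase 1 SA actually negotiated, and every distinct reason the phase 2 proposal was refused) are spread over a dozen lines. The following parser is an added example and is not part of the original post or WatchGuard's software; its regexes are built only from the line formats visible in the thread, and the attribute tables are the standard ISAKMP phase 1 values (RFC 2409 / IANA registry), which is how `encr_alg=5`, `hash_alg=1`, `auth_alg=1` and `dh_group=1` decode to the 3DES, MD5, pre-shared-key, group 1 setup the poster describes. It also lists which negotiated algorithms a config review would treat as legacy.

```python
"""Decode WatchGuard Firebox 'iked' log lines: which IKE phase completed, the
phase 1 SA parameters (IANA IKEv1 attribute values) and why phase 2 was
rejected. Added example, not part of the original post; the attribute tables
are the standard ISAKMP values from RFC 2409 / the IANA registry."""
import re
from dataclasses import dataclass, field
from typing import Optional

ENCR_ALG = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
            5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}
HASH_ALG = {1: "MD5", 2: "SHA1", 3: "Tiger", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH_METHOD = {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
               4: "RSA encryption", 5: "revised RSA encryption"}
DH_GROUP = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}
LEGACY = {"DES-CBC", "MD5", "MODP-768", "MODP-1024"}  # flag these in any config review

# Regexes derived from the line shapes quoted in the thread (assumed, not a vendor spec).
SA_RE = re.compile(r"hash_alg=(\d+) encr_alg=(\d+) key_len=(\d+) auth_alg=(\d+) "
                   r"dh_group=(\d+) seconds=(\d+)")
P1_DONE_RE = re.compile(r"Phase 1 completed as (responder|initiator)")
REASON_CODE_RE = re.compile(r"reason code=(\d+)")
WARN_RE = re.compile(r"WARNING: (.*)")

@dataclass
class IkeSummary:
    phase1_role: Optional[str] = None
    phase1_sa: dict = field(default_factory=dict)
    phase2_started: bool = False
    phase2_rejected: bool = False
    reasons: list = field(default_factory=list)
    legacy_algorithms: list = field(default_factory=list)

    @property
    def phase1_completed(self) -> bool:
        return self.phase1_role is not None

def parse_iked(log: str) -> IkeSummary:
    """Walk the log once and fill in the summary; later lines never undo earlier facts."""
    s = IkeSummary()
    for line in log.splitlines():
        if m := P1_DONE_RE.search(line):
            s.phase1_role = m.group(1)
        elif m := SA_RE.search(line):
            h, e, kl, a, g, secs = (int(x) for x in m.groups())
            s.phase1_sa = {
                "hash": HASH_ALG.get(h, f"unknown({h})"),
                "encryption": ENCR_ALG.get(e, f"unknown({e})"),
                "key_len": kl,
                "auth": AUTH_METHOD.get(a, f"unknown({a})"),
                "dh_group": DH_GROUP.get(g, f"unknown({g})"),
                "lifetime_seconds": secs,
            }
            s.legacy_algorithms = sorted(v for v in s.phase1_sa.values() if v in LEGACY)
        elif "Phase 2 started by peer" in line:
            s.phase2_started = True
        elif m := REASON_CODE_RE.search(line):
            s.phase2_rejected = True
            s.reasons.append(f"reason code {m.group(1)}")
        elif m := WARN_RE.search(line):
            s.reasons.append(m.group(1))
        elif "NO_PROPOSAL_CHOSEN" in line:
            s.phase2_rejected = True
            s.reasons.append("NO_PROPOSAL_CHOSEN sent")
    return s

# Sample input: the Firebox lines quoted in the post (abridged).
SAMPLE_LOG = """\
2008-01-08 10:24:04 iked Phase 1 started by peer with policy [ss_mike] from aggressive mode
2008-01-08 10:24:04 iked Phase 1 completed as responder
2008-01-08 10:24:04 iked AG hash_alg=1 encr_alg=5 key_len=168 auth_alg=1 dh_group=1 seconds=28803 kbytes=0
2008-01-08 10:24:04 iked Phase 2 started by peer with message(id 50dee14d) from quick mode
2008-01-08 10:24:04 iked PMM rejected Remote P2SA Request, reason code=10102
2008-01-08 10:24:04 iked WARNING: Rejected phase 2 negotiation from due to not preferred IKE gateway (multi-WAN)
2008-01-08 10:24:04 iked Sending NO_PROPOSAL_CHOSEN message to
"""

if __name__ == "__main__":
    summary = parse_iked(SAMPLE_LOG)
    print("phase 1:", "completed as " + summary.phase1_role if summary.phase1_completed else "failed")
    print("phase 1 SA:", summary.phase1_sa)
    print("phase 2 rejected:", summary.phase2_rejected, summary.reasons)
    print("legacy algorithms:", summary.legacy_algorithms)
```

Two things fall out of running it over the quoted log that are easy to miss when reading it: the Firebox records two separate grounds for refusing the quick mode exchange (reason code 10102 and the multi-WAN "not preferred IKE gateway" warning), so a proposal mismatch is not the only thing to check, and the negotiated phase 1 SA is MD5 with a 768-bit group, which the summary lists as legacy.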

  2. jedimastermopar

    jedimastermopar LI Guru Member

    I am getting the exact same issue, with a watchguard X700 and a Netgear ProSafe. Did you find a fix for this? Same error on both ends, including the watchguard log file.

  3. infested

    infested Guest

    I would like to know if anyone has had luck with this. I am using an x750e with a RV042 trying to get a tunnel to connect. Same error on Phase 2. Phase 1 connects fine.

  4. jedimastermopar

    jedimastermopar LI Guru Member

    I did get them working after many hours of agony, and several cases of Red Bull. :)
    I am just trying to remember what the settings were on the watchguard.
    As I recall offhand a few settings needed to be tweaked on the watchguard.

    On the watchguard phase 2
    Disable PFS
    use ESP-DES-MD5
    The local address is the local internal subnet, the remote address is the remote internal subnet
    Enable IPSec Pass Through, Disable TOS
    Phase 1
    IKE Keep-Alive MUST be enabled with NAT traversal disabled
    MD5-DES DH1

    Also you need to do a hard boot on the Watchguard or it won't accept the settings.

    That's about all I can remember offhand. Hope it helps.

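    The recipe above boils down to making the phase 2 proposal identical on both boxes, PFS setting included. The short simulation below is an added example (not code from the thread, Linksys or WatchGuard) of how an IKEv1 responder picks a quick mode proposal: it accepts the first initiator proposal it has configured itself, and nothing else, which is why a PFS-on/PFS-off disagreement alone produces NO_PROPOSAL_CHOSEN even when encryption and authentication match. The proposal values are assumed from the settings the posters mention, since neither shows a full config, and the PFS-must-match rule is a deliberate simplification of how vendors treat a missing KE payload. It also reports which of the chosen transforms (single DES, HMAC-MD5, MODP-768/1024) a config review would flag as legacy.

```python
"""Simulate IKEv1 quick mode (phase 2) proposal selection to show why two
gateways that finish phase 1 can still end with NO_PROPOSAL_CHOSEN, and flag
legacy transforms. Added example, not code from the thread or any vendor."""
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str            # ESP encryption transform, e.g. "3DES", "DES", "AES-128"
    integrity: str             # ESP authentication (HMAC), e.g. "MD5", "SHA1"
    pfs_group: Optional[int]   # DH group for PFS, or None when PFS is off

# Transforms a config review should flag: single DES, HMAC-MD5, MODP-768 (1) and MODP-1024 (2).
LEGACY_VALUES = {"DES", "MD5", 1, 2}

def select(initiator: list[Proposal], responder: list[Proposal]) -> Optional[Proposal]:
    """Responder accepts the first initiator proposal it has configured itself.
    Simplification: all three attributes must match exactly, including whether
    PFS is on (a PFS-required responder rejects a quick mode without a KE payload)."""
    for p in initiator:
        if p in responder:
            return p
    return None  # the responder would send NO_PROPOSAL_CHOSEN

def explain_mismatch(initiator: list[Proposal], responder: list[Proposal]) -> list[str]:
    """Troubleshooting hint: which attributes differ between each pair of proposals."""
    hints = []
    for p in initiator:
        for r in responder:
            diffs = [f for f in Proposal._fields if getattr(p, f) != getattr(r, f)]
            hints.append(f"{p} vs {r}: differs in {', '.join(diffs) or 'nothing'}")
    return hints

def legacy_attributes(p: Proposal) -> list[str]:
    """Names of the proposal fields whose value is a legacy transform."""
    return [f"{f}={getattr(p, f)}" for f in Proposal._fields if getattr(p, f) in LEGACY_VALUES]

def thread_scenario():
    """Constructed from the thread's settings (assumed, since neither poster shows a
    full config): Firebox requires PFS group 1 with ESP-3DES-MD5; Linksys sends the
    same transforms but with PFS off."""
    firebox = [Proposal("3DES", "MD5", 1)]
    linksys = [Proposal("3DES", "MD5", None)]
    before = select(linksys, firebox)                 # None -> NO_PROPOSAL_CHOSEN
    hints = explain_mismatch(linksys, firebox)
    # After jedimastermopar's recipe: PFS off and ESP-DES-MD5 on both sides.
    firebox_fixed = [Proposal("DES", "MD5", None)]
    linksys_fixed = [Proposal("DES", "MD5", None)]
    after = select(linksys_fixed, firebox_fixed)
    return before, hints, after, legacy_attributes(after)

if __name__ == "__main__":
    before, hints, after, legacy = thread_scenario()
    print("before fix:", before, hints)
    print("after fix:", after, "legacy transforms:", legacy)
```

Running it prints that the first attempt selects nothing and that the only differing attribute is `pfs_group`; after the recipe a proposal is selected, but both of its transforms are reported as legacy, so the thread's fix trades a working tunnel for single DES and MD5 rather than finding a modern proposal both boxes support.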
  5. shane523

    shane523 Addicted to LI Member

    I have successfully connected a RV042 to a X750e, if you still need help I will gladly help. BTW this is with Firmware 8.31 on the Watchguard.

    Now I am trying to do the same with a WRV200 but am not having the same success. With the RV042 you can set up the gateway and tunnel, whereas in the WRV200 you can only set up the tunnel, and I think that is my issue. Has anyone else been able to have any success with this?
