IPSEC VPN from Linksys BEFSX41 client endpoint into Watchguard Firebox X1000 fails on domain name based connection
comp.security.firewalls archive

From: <almathsec@gmail.com>
Date: Fri Mar 17 2006 - 01:10:40 CET

Hello,

I have a Linksys BEFSX41 VPN endpoint running Linksys firmware 1.52.9 (which is the latest/greatest and supposedly very reliable, and has worked well for me) that is a VPN client to a Watchguard Firebox X1000 running Fireware Pro and OS 8.2.1 (latest/greatest).

I am trying to establish an IPSEC VPN using the following setup:
BEFSX41 client: Has a dyndns.org domain name
X1000 server: static IP

The X1000 is set up to use a "Domain Name" for the Remote Gateway type
and specifies the dyndns.org domain name for the BEFSX41.

If I use the remote gateway id type as IP address, and specify the IP
address, the VPN is established right away. However, when I use the
domain name as the remote gateway, IT NEVER WORKS.

I have been working with the Watchguard LiveSecurity folks for 3 days
with no progress. They have given up and told me that there is
something wrong on the Linksys but cannot identify anything. Based on
talking to the Watchguard pre-sales tech people as well as looking
through manuals, as well as letting watchguard livesecurity connect to
and verify my settings, all indicate that all settings are right.

I will greatly appreciate any tips on how this can be achieved and a
VPN can be established with the BEFSX41 not requiring a static IP and
working with the domain name.

I have included some additional details below.

Thank You.

Some logs:
BEFSX41 client
2006-03-16 17:23:49 IKE[1] Tx >> AG_I1 : <x1000-ip> SA, KE, Nonce, ID
2006-03-16 17:23:50 IKE[1] Rx << AG_I1 : <x1000-ip> SA, KE, NONCE, ID, VID, VID
2006-03-16 17:23:50 IKE[1] ISAKMP SA CKI=[ad73e4e 1edbc632] CKR=[xxxxx]
2006-03-16 17:23:50 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:50 IKE[1] Tx >> AG_R1 : <x1000-ip> SA, KE, Nonce, ID, HASH
2006-03-16 17:23:56 IKE[1] Rx << AG_I1 : <x1000-ip> SA, KE, NONCE, ID, VID, VID
2006-03-16 17:23:56 IKE[1] ISAKMP SA CKI=[xxxxx] CKR=[xxxxx]
2006-03-16 17:23:56 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:56 IKE[1] Tx >> AG_R1 : <x1000-ip> SA, KE, Nonce, ID, HASH

X1000 server
iked WARNING: Rejected phase 1 aggressive mode from <befsx41-ip> (no matching policy) cookies i=<xxx> <yyy> r=0000000000 000000000
(multiple times)

Some settings for the VPN connection:
Encryption DES
Authentication MD5

Key Mgmt
-----------
Auto. (IKE)
PFS Disabled
Key Lifetime: 3600 secs
Advanced settings
---------------------
Phase 1
Op mode: Aggressive mode
Proposal 1
Encryption: DES
Authentication: MD5
Group: 768-bit

Phase 2
Proposal:
Encryption: DES, Auth: MD5, PFS OFF
Group 768-bit
Key Lifetime: 3600 secs

NetBIOS broadcast: OFF
Anti-replay: OFF
Keep-Alive: ON

I have tested Main Mode, and also switching between User domain name
and domain name, but none of that helps.
Received on Mon May 1 00:59:02 2006
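As an added diagnostic example (it is not from the post, the Linksys firmware or WatchGuard), the script below parses copies of the two log excerpts quoted above, reconstructs the aggressive-mode phase 1 attempts seen from the BEFSX41 side and pairs the client's unanswered AG_I1 with the Firebox's "no matching policy" rejections. The log text is a constructed copy of the lines in the post with the poster's placeholders kept; the message grammar (Tx/Rx, AG_I1/AG_R1/AG_I2) is assumed from the excerpt and from the IKEv1 aggressive-mode exchange, not from any vendor documentation.

```python
"""Reconstruct IKEv1 aggressive-mode phase 1 attempts from the two log
excerpts in the post and pair client-side failures with gateway rejections."""
import re
from collections import Counter

# Constructed copies of the excerpts quoted in the post; placeholders
# (<x1000-ip>, <befsx41-ip>, xxxxx) are the poster's own redactions.
LINKSYS_LOG = """\
2006-03-16 17:23:49 IKE[1] Tx >> AG_I1 : <x1000-ip> SA, KE, Nonce, ID
2006-03-16 17:23:50 IKE[1] Rx << AG_I1 : <x1000-ip> SA, KE, NONCE, ID, VID, VID
2006-03-16 17:23:50 IKE[1] ISAKMP SA CKI=[ad73e4e 1edbc632] CKR=[xxxxx]
2006-03-16 17:23:50 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:50 IKE[1] Tx >> AG_R1 : <x1000-ip> SA, KE, Nonce, ID, HASH
2006-03-16 17:23:56 IKE[1] Rx << AG_I1 : <x1000-ip> SA, KE, NONCE, ID, VID, VID
2006-03-16 17:23:56 IKE[1] ISAKMP SA CKI=[xxxxx] CKR=[xxxxx]
2006-03-16 17:23:56 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2006-03-16 17:23:56 IKE[1] Tx >> AG_R1 : <x1000-ip> SA, KE, Nonce, ID, HASH
"""

# The poster says the Firebox line appeared "multiple times"; two copies here.
FIREBOX_LOG = """\
iked WARNING: Rejected phase 1 aggressive mode from <befsx41-ip> (no matching policy) cookies i=<xxx> <yyy> r=0000000000 000000000
iked WARNING: Rejected phase 1 aggressive mode from <befsx41-ip> (no matching policy) cookies i=<xxx> <yyy> r=0000000000 000000000
"""

# Message grammar assumed from the excerpt: "<ts> IKE[n] Tx >> AG_I1 : <peer> payloads".
MSG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IKE\[(?P<tun>\d+)\] (?P<dir>Tx|Rx) (?:>>|<<) "
    r"(?P<msg>AG_[IR]\d) : (?P<peer>\S+) (?P<payloads>.+)$"
)
# Accepted phase 1 transform as the Linksys logs it.
PROPOSAL_RE = re.compile(
    r"ISAKMP SA (?P<enc>\S+) / (?P<hash>\S+) / (?P<auth>\S+) / (?P<group>\S+)$"
)
REJECT_RE = re.compile(
    r"Rejected phase 1 (?P<mode>\w+) mode from (?P<src>\S+) \((?P<reason>[^)]*)\)"
)


def parse_linksys(text):
    """Return (messages, proposals) parsed from the client-side log."""
    msgs, proposals = [], []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            d = m.groupdict()
            d["payloads"] = [p.strip().upper() for p in d["payloads"].split(",")]
            msgs.append(d)
            continue
        p = PROPOSAL_RE.search(line)
        if p:
            proposals.append(p.groupdict())
    return msgs, proposals


def parse_firebox(text):
    """Return one dict per iked rejection line (mode, source, reason)."""
    return [m.groupdict() for m in map(REJECT_RE.search, text.splitlines()) if m]


def aggressive_mode_outcome(msgs):
    """Classify each aggressive-mode attempt seen from the client.

    Aggressive mode is three messages: AG_I1 (SA, KE, Nonce, ID in the clear),
    AG_R1 (adds HASH) and AG_I2 (HASH). The responder must already have picked
    a policy and pre-shared key from the source address and ID in AG_I1, so a
    rejection at that point is a policy/identity lookup failure, not a bad key.
    """
    out = Counter()
    ours_pending = peer_pending = 0
    for m in msgs:
        key = (m["dir"], m["msg"])
        if key == ("Tx", "AG_I1"):          # we initiated
            ours_pending += 1
        elif key == ("Rx", "AG_R1") and ours_pending:
            ours_pending -= 1               # gateway accepted our AG_I1
            out["completed_as_initiator"] += 1
        elif key == ("Rx", "AG_I1"):        # gateway initiated towards us
            peer_pending += 1
        elif key == ("Rx", "AG_I2") and peer_pending:
            peer_pending -= 1               # gateway finished the exchange
            out["completed_as_responder"] += 1
    out["our_ag_i1_unanswered"] = ours_pending
    out["peer_ag_i1_unfinished"] = peer_pending
    return out


def diagnose(msgs, proposals, rejections):
    """Produce human-readable findings pairing both sides' evidence."""
    findings = []
    outcome = aggressive_mode_outcome(msgs)
    if outcome["our_ag_i1_unanswered"]:
        reasons = ", ".join(sorted({r["reason"] for r in rejections})) or "none logged"
        findings.append(
            f"{outcome['our_ag_i1_unanswered']} client AG_I1 got no AG_R1; "
            f"gateway logged {len(rejections)} phase 1 rejection(s): {reasons}"
        )
    if outcome["peer_ag_i1_unfinished"]:
        findings.append(
            f"{outcome['peer_ag_i1_unfinished']} gateway AG_I1 were answered with "
            "AG_R1 but no AG_I2 arrived, so phase 1 never completed in that direction"
        )
    if proposals:
        p = proposals[0]  # DES/MD5/MODP_768 as negotiated in 2006; all deprecated today
        findings.append(f"phase 1 transform accepted locally: "
                        f"{p['enc']}/{p['hash']}/{p['auth']}/{p['group']}")
    return findings


if __name__ == "__main__":
    m, p = parse_linksys(LINKSYS_LOG)
    for line in diagnose(m, p, parse_firebox(FIREBOX_LOG)):
        print("-", line)
```

Run on the post's excerpts it reports one client-initiated AG_I1 with no AG_R1 behind it, two gateway-initiated exchanges that the Linksys answered but the Firebox never finished, and the transform both sides agreed on. Because the rejection is logged at AG_I1, before any HASH can be verified, the thing to check is what the gateway uses to select a policy at that moment (the source address it resolved the dyndns name to, and the ID type and value the client places in AG_I1) rather than the pre-shared key or the phase 2 proposal.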