almathsec@gmail.com wrote:
> Hello,
>
> I have a Linksys BEFSX41 VPN endpoint
> running Linksys firmware 1.52.9 (which is the latest/greatest and
> supposedly very reliable, and has worked well for me)
> that is a VPN client to a
> Watchguard Firebox X1000 running Fireware Pro and OS 8.2.1
> (latest/greatest)
>
> I am trying to establish an IPSEC VPN using the following setup:
> BEFSX41 client: Has a dyndns.org domain name
> X1000 server: static IP
>
> The X1000 is set up to use a "Domain Name" for the Remote Gateway type
> and specifies the dyndns.org domain name for the BEFSX41.
>
> If I use the remote gateway id type as IP address, and specify the IP
> address, the VPN is established right away. However, when I use the
> domain name as the remote gateway, IT NEVER WORKS.
>
> I have been working with the Watchguard LiveSecurity folks for 3 days
> with no progress. They have given up and told me that there is
> something wrong on the Linksys but cannot identify anything. Based on
> talking to the Watchguard pre-sales tech people as well as looking
> through manuals, as well as letting Watchguard LiveSecurity connect to
> and verify my settings, all indicate that all settings are right.
>
> I will greatly appreciate any tips on how this can be achieved and a
> VPN can be established with the BEFSX41 not requiring a static IP and
> working with the domain name.
>
> I have included some additional details below.
>
>
> Thank You.
>
> Some logs:
> BEFSX41 client
> 2006-03-16 17:23:49 IKE[1] Tx >> AG_I1 : <x1000-ip> SA, KE, Nonce, ID
> 2006-03-16 17:23:50 IKE[1] Rx << AG_I1 : <x1000-ip> SA, KE, NONCE, ID,
> VID, VID
> 2006-03-16 17:23:50 IKE[1] ISAKMP SA CKI=[ad73e4e 1edbc632] CKR=[xxxxx]
> 2006-03-16 17:23:50 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
> 2006-03-16 17:23:50 IKE[1] Tx >> AG_R1 : <x1000-ip> SA, KE, Nonce, ID,
> HASH
> 2006-03-16 17:23:56 IKE[1] Rx << AG_I1 : <x1000-ip> SA, KE, NONCE, ID,
> VID, VID
> 2006-03-16 17:23:56 IKE[1] ISAKMP SA CKI=[xxxxx] CKR=[xxxxx]
> 2006-03-16 17:23:56 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
> 2006-03-16 17:23:56 IKE[1] Tx >> AG_R1 : <x1000-ip> SA, KE, Nonce, ID,
> HASH
>
> X1000 server
> iked WARNING: Rejected phase 1 aggressive mode from <befsx41-ip> (no
> matching policy) cookies i=<xxx> <yyy> r=0000000000 000000000
> (multiple times)
>
> Some settings for the VPN connection:
> Encryption DES
> Authentication MD5
>
> Key Mgmt
> -----------
> Auto. (IKE)
> PFS Disabled
> Key Lifetime: 3600 secs
> Advanced settings
> ---------------------
> Phase 1
> Op mode: Aggressive mode
> Proposal 1
> Encryption: DES
> Authentication: MD5
> Group: 768-bit
>
> Phase 2
> Proposal:
> Encryption: DES, Auth: MD5, PFS OFF
> Group 768-bit
> Key Lifetime: 3600 secs
>
> NetBIOS broadcast: OFF
> Anti-replay: OFF
> Keep-Alive: ON
>
> I have tested Main Mode, and also switching between User domain name
> and domain name, but none of that helps.
>
I had a couple of these boxes, used for office to home hardware vpn.
They worked well for 6-9 months, then needed to be restarted a lot. They
ended up being temperature sensitive and even with a fan on them, they
both had trouble. Eventually I ditched them and bought the similar SMC box.
gr
Received on Mon May 1 00:59:27 2006