Site-to-site\IPsec: Sophos & Watchguard

Hello,

I am struggling to put up a tunnel (Site-to-site\IPsec) between UTM9 and a Watchguard box.

I read various posts, but I have yet to see whether anyone has actually succeeded.

NAT Traversal is disabled on UTM9 and Watchguard.

I have attached screenshots of my settings so that you can see what I have done from the UTM9 side. Similar policy settings are in place on the Watchguard.

Additionally, this is the log I see:

2012:08:15-14:45:41 SophosUTM9-1 pluto[22074]: "S_ADSL" #1093: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:45:44 SophosUTM9-1 pluto[22074]: "S_ADSL" #1093: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:46:46 SophosUTM9-1 pluto[22074]: "S_ADSL" #1093: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
2012:08:15-14:46:46 SophosUTM9-1 pluto[22074]: "S_ADSL" #1093: starting keying attempt 1094 of an unlimited number 
2012:08:15-14:46:46 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: initiating Main Mode to replace #1093 
2012:08:15-14:46:47 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: received Vendor ID payload [XAUTH] 
2012:08:15-14:46:47 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: received Vendor ID payload [Dead Peer Detection] 
2012:08:15-14:46:49 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:46:52 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:46:55 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:47:57 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
2012:08:15-14:47:57 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: starting keying attempt 1095 of an unlimited number 
2012:08:15-14:47:57 SophosUTM9-1 pluto[22074]: "S_ADSL" #1095: initiating Main Mode to replace #1094 
2012:08:15-14:47:57 SophosUTM9-1 pluto[22074]: "S_ADSL" #1095: received Vendor ID payload [XAUTH] 
2012:08:15-14:47:57 SophosUTM9-1 pluto[22074]: "S_ADSL" #1095: received Vendor ID payload [Dead Peer Detection] 
2012:08:15-14:48:00 SophosUTM9-1 pluto[22074]: "S_ADSL" #1095: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:48:04 SophosUTM9-1 pluto[22074]: "S_ADSL" #1095: discarding duplicate packet; already STATE_MAIN_I3 
2012:08:15-14:48:06 SophosUTM9-1 pluto[22074]: "S_ADSL" #1095: discarding duplicate packet; already STATE_MAIN_I3

Any idea anyone?

Regards
orbi
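As an added example, not code from the thread, from Sophos or from Watchguard: a small Python triage script that reads pluto lines like the ones above, groups them per IKE SA and maps the state the exchange stalled in to what to check first. The thread's own lines are embedded as sample input; one extra line for a peer that never answers at all is constructed. The state meanings come from IKEv1 Main Mode as pluto names its states: STATE_MAIN_I1 is waiting for MM2, STATE_MAIN_I2 for MM4, and STATE_MAIN_I3 means the initiator has sent MM5, the first encrypted message carrying its identity and authentication hash, and is waiting for MM6, which is why pluto phrases the failure as "no acceptable response to our first encrypted message". The category labels (`connectivity`, `key_exchange`, `phase1_auth`) are this script's own, not pluto's.

```python
import re
from collections import defaultdict

# Lines quoted from the thread above (Sophos UTM9 pluto, IKEv1 Main Mode, initiator side).
THREAD_LOG = """\
2012:08:15-14:46:46 SophosUTM9-1 pluto[22074]: "S_ADSL" #1093: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2012:08:15-14:46:46 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: initiating Main Mode to replace #1093
2012:08:15-14:46:47 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: received Vendor ID payload [XAUTH]
2012:08:15-14:46:47 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: received Vendor ID payload [Dead Peer Detection]
2012:08:15-14:46:49 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: discarding duplicate packet; already STATE_MAIN_I3
2012:08:15-14:46:52 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: discarding duplicate packet; already STATE_MAIN_I3
2012:08:15-14:47:57 SophosUTM9-1 pluto[22074]: "S_ADSL" #1094: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Constructed line (not from the thread): a peer that never answers the very first message.
CONSTRUCTED_SILENT_PEER = (
    '2012:08:15-15:00:00 SophosUTM9-1 pluto[22074]: "S_OTHER" #7: '
    'max number of retransmissions (2) reached STATE_MAIN_I1'
)

LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')
DUP_RE = re.compile(r'discarding duplicate packet; already (?P<state>STATE_\w+)')
VID_RE = re.compile(r'received Vendor ID payload \[(?P<vid>[^\]]+)\]')

# Main Mode initiator states as pluto names them: the last message we sent and what we wait for.
MAIN_MODE_INITIATOR = {
    "STATE_MAIN_I1": "sent MM1 (SA proposal), waiting for MM2",
    "STATE_MAIN_I2": "sent MM3 (Diffie-Hellman value + nonce), waiting for MM4",
    "STATE_MAIN_I3": "sent MM5 (first encrypted message: our identity + auth hash), waiting for MM6",
}


def parse_pluto(log_text):
    """Group pluto lines by (connection, SA number) and keep the fields relevant to a stalled Phase 1."""
    sas = defaultdict(lambda: {"vendor_ids": [], "duplicates": 0, "stuck_state": None, "auth_hint": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = sas[(m["conn"], int(m["sa"]))]
        msg = m["msg"]
        if v := VID_RE.search(msg):
            rec["vendor_ids"].append(v["vid"])   # peer answered MM1, so it is reachable on UDP/500
        elif DUP_RE.search(msg):
            rec["duplicates"] += 1               # peer repeating its last message: it has not accepted ours
        elif r := RETRANS_RE.search(msg):
            rec["stuck_state"] = r["state"]
            rec["auth_hint"] = "authentication failure" in msg
    return dict(sas)


def diagnose(rec):
    """Map the state a Phase 1 stalled in to the class of problem to check first (script's own labels)."""
    state = rec["stuck_state"]
    if state is None:
        return ("ok", "no retransmission limit reached for this SA")
    meaning = MAIN_MODE_INITIATOR.get(state, state)
    if state == "STATE_MAIN_I1":
        return ("connectivity", f"{meaning}; nothing came back: check UDP/500 reachability and the peer's listener")
    if state == "STATE_MAIN_I2":
        return ("key_exchange", f"{meaning}; MM2 arrived but MM4 did not: check the DH group and fragmentation of large UDP packets")
    if state == "STATE_MAIN_I3":
        evidence = f"{len(rec['vendor_ids'])} vendor IDs seen, {rec['duplicates']} duplicate MM4 received"
        return ("phase1_auth", f"{meaning}; peer kept repeating MM4 ({evidence}): it could not decrypt or verify MM5, "
                               "or never received it; check the pre-shared key and the local/remote IKE identifiers on both sides")
    return ("unknown", meaning)


def report(log_text):
    """One (category, detail) verdict per IKE SA found in the log text."""
    return {key: diagnose(rec) for key, rec in parse_pluto(log_text).items()}


if __name__ == "__main__":
    for key, (category, detail) in report(THREAD_LOG + CONSTRUCTED_SILENT_PEER + "\n").items():
        print(f"{key[0]} #{key[1]}: {category}: {detail}")
```

Run against the thread's lines, every S_ADSL SA lands in `phase1_auth`: the vendor ID payloads prove MM2 came back from the Watchguard, so the path is open on UDP/500, and the duplicates are its MM4 being re-sent because MM5 was never accepted. That is the reason this pattern is worth distinguishing from a silent peer (`STATE_MAIN_I1`), where the same "max number of retransmissions" line really does mean a reachability problem.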


  • Hi orbi, are you in any way able to verify that the transmissions reach the Watchguard as well? Our side basically looks like it cannot find / isn't talking at all to the Watchguard. What do they have on that side, message-wise? Is this your first VPN on this connection? The ASG is the gateway device, and you can ping the public IP of the Watchguard from, say, the ASG command line / your desktop? Looks like a pure connectivity problem between the two.
  • Hi Angelo,

    Thanks for the feedback.

    The VPNs in place are RED, which is up, and Remote Access VPN; both are fine.

    I've attached a new set of logs from UTM9 and the configuration of the Watchguard + its logs.

    Indeed, the external interfaces of each device can be pinged from either side.

    Cheers
    Orbi