RE: [FW1] Setting up VPN tunnel from FW-1 to Watchguard Firebox..

Hi.
Well, as you said, after a lot of trial and error, we got this working. I was aware already of the hardcoded phase-1 negotiation, and this was already set. As I wasn't actually in front of the Watchguard, I'm not 100% certain what the engineer was changing on his end, so I only have my 'take' on it....

The Watchguard will not establish a VPN to a whole subnet, by the looks of things - you must define individual hosts for the endpoint behind the FW-1, and an individual VPN to each of them from the Watchguard point of view (I believe that this had been posted already.)
In hindsight I don't think that there are too many problems setting this up, except that the Watchguard is almost an out-of-the-box product, and isn't the most configurable firewall around. The Firewall-1 was configured as you would for any standard VPN. All the changes that we made to the VPN configuration were done at the Watchguard, like you said - with lots of trial and error!
Sorry that I can't offer any more!
James.
I have built a VPN successfully with a Watchguard and a Check Point 4.1. I've got beyond the "no response from peer" error you're seeing through a lot of trial and error. One thing I found out which I was unaware of is that Phase 1 is _hard-coded_ on the Watchguard, and can ONLY be DES and SHA1. Once I made the changes on my config to reflect this, the VPN negotiation worked fine.

However, I have a new problem: when I try to get packets back and forth between the two networks I've defined, I get an "encryption failure: gateway connected to both endpoints scheme: IKE" error message. I've looked at everything I can think of to resolve this, no luck. Any thoughts on my problem? Oh and hey, let me know if what I've put down above re: the hard-coded Phase 1 values solves your problems!
Dave Millier, CISSP
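The two configuration points raised in this thread, the phase-1 proposal mismatch behind "no response from peer" and the Firebox only building tunnels to individual hosts rather than a whole subnet, can be checked with a small model. The following is an added example written for this archive page, not code from either poster, Check Point or Watchguard. It assumes the hard-coded DES/SHA1 phase 1 the thread describes, leaves out the other phase-1 attributes that must also agree (DH group, authentication method, lifetime), and uses constructed private addresses. The `uncovered_hosts` helper goes a step beyond the thread: given the FW-1 encryption domain and the per-host tunnels defined on the Firebox, it lists the hosts that will have no tunnel at all.

```python
"""Model of IKE phase-1 proposal selection and phase-2 traffic selectors.

Added example for the FW-1 / Watchguard thread; not vendor code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKE phase-1 transform, reduced to cipher and hash.

    A real proposal also carries DH group, authentication method and
    lifetime, and all of them must agree; they are omitted to keep the
    model small (an assumption of this example).
    """
    encryption: str
    hash: str


def select_phase1(initiator_offers: Iterable[Phase1Proposal],
                  responder_accepts: Set[Phase1Proposal]) -> Optional[Phase1Proposal]:
    """Responder-side selection: walk the initiator's proposals in the order
    offered and return the first one the responder also accepts.

    None means there is no common transform. The initiator never gets a
    usable reply, which Check Point reports as "no response from peer".
    """
    for offer in initiator_offers:
        if offer in responder_accepts:
            return offer
    return None


# Constructed to mirror the thread: the Firebox only accepts DES/SHA1 in phase 1.
WATCHGUARD_PHASE1: Set[Phase1Proposal] = {Phase1Proposal("DES", "SHA1")}


@dataclass(frozen=True)
class Tunnel:
    """A phase-2 tunnel as a pair of traffic selectors (CIDR strings)."""
    local: str   # addresses behind the FW-1
    remote: str  # addresses behind the Firebox


def covering_tunnel(tunnels: Iterable[Tunnel], src: str, dst: str) -> Optional[Tunnel]:
    """Return the first tunnel whose selectors cover a src->dst packet, else None.

    A packet with no covering tunnel is not protected by any of these SAs.
    """
    s, d = ip_address(src), ip_address(dst)
    for t in tunnels:
        if s in ip_network(t.local) and d in ip_network(t.remote):
            return t
    return None


def uncovered_hosts(subnet: str, tunnels: Iterable[Tunnel], peer_net: str) -> List[str]:
    """List hosts in `subnet` (the FW-1 encryption domain) for which no
    per-host tunnel exists towards `peer_net` (the network behind the Firebox)."""
    tunnels = list(tunnels)
    peer_host = str(next(ip_network(peer_net).hosts()))  # any far-side address
    return [str(h) for h in ip_network(subnet).hosts()
            if covering_tunnel(tunnels, str(h), peer_host) is None]


if __name__ == "__main__":
    # Phase 1: a FW-1 offering only 3DES/MD5 never matches the Firebox.
    print(select_phase1([Phase1Proposal("3DES", "MD5")], WATCHGUARD_PHASE1))
    # Adding DES/SHA1 to the offered list lets the responder pick it.
    print(select_phase1([Phase1Proposal("3DES", "MD5"),
                         Phase1Proposal("DES", "SHA1")], WATCHGUARD_PHASE1))

    # Phase 2: the Firebox side only knows two individual hosts (constructed addresses).
    firebox_tunnels = [Tunnel("10.1.0.2/32", "192.168.5.0/24"),
                       Tunnel("10.1.0.3/32", "192.168.5.0/24")]
    print(covering_tunnel(firebox_tunnels, "10.1.0.4", "192.168.5.7"))
    print(uncovered_hosts("10.1.0.0/29", firebox_tunnels, "192.168.5.0/24"))
```

Run the file directly to see the two phase-1 outcomes and the list of hosts in the constructed /29 that the per-host tunnel definitions leave out; adjust `WATCHGUARD_PHASE1` and the tunnel list to match what each gateway actually accepts.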