IPSEC to WatchGuard Firebox not working in 1.2.2

  • When establishing an IPSEC tunnel from pfSense to a WatchGuard Firebox X1000, I can't get traffic to pass using 1.2.2.  The exact same configuration (a backup/restore, in fact) works perfectly in 1.2-RELEASE, but under 1.2.2, the tunnel is established but no traffic passes.  Both pfSense (in the RRD graph) and the Firebox (in its packet counter) show that they're sending packets through the tunnel, but both sides show that they're receiving zero packets.  I haven't tried every possible combination of encryption and authentication schemes, but I tried a few and saw the same behavior from all.

    Personally I'm perfectly happy to run 1.2 for the time being, but I figured the developers (and any other users who might have been getting as frustrated as I was) might want to be aware.

  • Rebel Alliance Developer Netgate

    I have one customer using a pfSense to Firebox IPSec tunnel on 1.2.2, and it works just fine for them. It is a different model though: X5 Edge I think, but I haven't ever seen it, just connected remotely for a brief time while setting up the tunnel.

    I had similar symptoms on my setup, but it turned out to be a config problem (typo on my part): I had one side set to x.x.x.0/24, and the other set to x.x.x.1/24.

    They started out with 1.2.2, so I am not sure if 1.2 handled things any differently. You might want to double check every setting to make sure they absolutely match up.
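    A quick consistency check for the mismatch the post above describes, added here as an example (not from the thread or from pfSense/WatchGuard): it normalizes each side's phase 2 local/remote networks, flags an entry typed with host bits set (the x.x.x.1/24 typo), and confirms that side A's local matches side B's remote and vice versa. The subnet values are constructed samples.

```python
import ipaddress

# Constructed sample phase 2 definitions, one list per tunnel endpoint.
# The second entry reproduces the typo from the thread: one side has the
# host address .1/24 where the other side has the network .0/24.
PFSENSE_P2 = [
    {"local": "192.168.10.0/24", "remote": "192.168.20.0/24"},
    {"local": "192.168.30.1/24", "remote": "192.168.40.0/24"},
]
FIREBOX_P2 = [
    {"local": "192.168.20.0/24", "remote": "192.168.10.0/24"},
    {"local": "192.168.40.0/24", "remote": "192.168.30.0/24"},
]


def normalize(cidr):
    """Return (network, host_bits_set) for a CIDR string.

    ip_interface accepts 'x.x.x.1/24' where ip_network(strict=True) would
    raise, so we can both compare the masked network and report the typo.
    Whether a given IPsec stack masks host bits itself varies, so it is
    safer to flag it than to assume the peer will agree on the selector.
    """
    iface = ipaddress.ip_interface(cidr)
    return iface.network, iface.ip != iface.network.network_address


def check_selectors(side_a, side_b):
    """Compare phase 2 selectors pairwise.

    A's local must equal B's remote and A's remote must equal B's local.
    Returns a list of findings; an empty list means the selectors agree.
    """
    findings = []
    if len(side_a) != len(side_b):
        findings.append(f"entry count differs: {len(side_a)} vs {len(side_b)}")
    for idx, (a, b) in enumerate(zip(side_a, side_b)):
        for key_a, key_b in (("local", "remote"), ("remote", "local")):
            net_a, host_a = normalize(a[key_a])
            net_b, host_b = normalize(b[key_b])
            if host_a:
                findings.append(f"P2 #{idx}: side A {key_a} {a[key_a]} has host bits set")
            if host_b:
                findings.append(f"P2 #{idx}: side B {key_b} {b[key_b]} has host bits set")
            if net_a != net_b:
                findings.append(f"P2 #{idx}: side A {key_a} {net_a} != side B {key_b} {net_b}")
    return findings


if __name__ == "__main__":
    for line in check_selectors(PFSENSE_P2, FIREBOX_P2) or ["selectors agree"]:
        print(line)
```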

  • Well, I backed up the 1.2.2 configuration to an XML file using the web interface, reinstalled with 1.2, and restored that same configuration again using the web interface, and it immediately worked, without me having to change a thing.  So I'm fairly certain there wasn't just a typo in the PSKs or anything.  ;D

    FWIW, this X1000 is running Fireware 9.1.

    Personally, I'm not really broken up about this.  I'm trying to get the boxes to talk because my boss is finally listening to me after nearly a year of telling him to dump WatchGuard for pfSense, but wants to deploy at our branch office first as a test before deploying here at the main office.  Assuming it goes well we'll install pfSense here as well and it'll be pf-pf tunneling instead of pf-Fireware.  Even as slow as things tend to move here, I'm hoping that'll be before 2.0 releases, so I'll be able to upgrade without worrying about compatibility testing.

  • I'm having this exact issue with a firebox and 1.2.2. Any update on it?

  • Ok, I've downgraded my pfsense to 1.2 and, like you, it works fine.

  • Anyone try removing the minipci card?

    UPDATE: tried this, didn't make a difference

  • I have a WatchGuard II 700 I am trying to set up a VPN IPSEC connection with pfSense. The connection seems to work, whereby I can RDP into the remote site via LAN IP address and I can ping the WatchGuard site from the pfSense side, but when I try to ping from the WatchGuard side to the pfSense side, or try any type of communication, I get no response. I have tried so many rule changes and I can't figure this out. I have also downgraded to 1.2 and still no luck.  Was this a similar problem you guys were experiencing?