IPSEC VPN to Watchguard firewall



  • Hi,

    I replaced Watchguard x1000 with Watchguard x700 running pfSense 2.0. Old x1000 used to run IPSEC VPN connecting to another site, where a Watchguard firewall is running as well.
    X700 with pfSense connects to other site with no problem (green arrow on status). Tunnel is "there", but no connectivity between local and remote private ranges.
    From IPSec logs: (within 23 minutes)

    Jan 4 15:04:01 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
    Jan 4 15:04:01 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=51860520(0x3175428)
    Jan 4 15:04:01 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3792641347(0xe20f1d43)
    Jan 4 15:09:00 racoon: ERROR: failed to get sainfo.
    Jan 4 15:14:01 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
    Jan 4 15:14:01 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=202406467(0xc107a43)
    Jan 4 15:14:01 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3809454206(0xe30fa87e)
    Jan 4 15:14:26 racoon: ERROR: failed to get sainfo.
    Jan 4 15:18:03 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
    Jan 4 15:18:04 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=136173896(0x81dd948)
    Jan 4 15:18:04 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3826234402(0xe40fb422)
    Jan 4 15:19:51 racoon: ERROR: failed to get sainfo.
    Jan 4 15:21:50 racoon: ERROR: failed to get sainfo.
    Jan 4 15:25:08 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
    Jan 4 15:25:08 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=166001285(0x9e4fa85)
    Jan 4 15:25:08 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3843000584(0xe50f8908)
    Jan 4 15:26:18 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
    Jan 4 15:26:18 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=105096275(0x643a453)
    Jan 4 15:26:18 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3859801663(0xe60fe63f)
    Jan 4 15:27:10 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
    Jan 4 15:27:11 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=48909967(0x2ea4e8f)
    Jan 4 15:27:11 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3876558966(0xe70f9876)
    Jan 4 15:27:16 racoon: ERROR: failed to get sainfo.

    Has anyone managed to get it working with Watchguard?

    TIA

    Martin
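A triage script written for this thread (an added example, not the posters' code or anything shipped with pfSense) that parses racoon log lines of the kind quoted above and separates the two symptoms: IPsec SAs that do establish, and "failed to get sainfo" errors, which racoon emits when a peer's phase 2 proposal matches no configured sainfo entry. The sample lines are constructed from the excerpt, the year is assumed only so timestamps compare, and the 300 second rekey threshold is an assumed heuristic.

```python
"""Triage the racoon phase 2 symptom from the thread: SAs come up, yet "failed to get
sainfo" errors follow. Added example, not from the post or from pfSense."""
import re
from datetime import datetime

RE_LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (.*)$")
RE_SA = re.compile(r"IPsec-SA established: ESP (\S+)->(\S+) spi=(\d+)\((0x[0-9a-f]+)\)")
RE_NEG = re.compile(r"respond new phase 2 negotiation: (\S+)<=>(\S+)")

# Constructed sample modelled on the excerpt in the post (not the poster's full log).
SAMPLE_LOG = """\
Jan 4 15:25:08 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
Jan 4 15:25:08 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=166001285(0x9e4fa85)
Jan 4 15:25:08 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=3843000584(0xe50f8908)
Jan 4 15:26:18 racoon: [to live]: INFO: respond new phase 2 negotiation: 62.xx.31.242[500]<=>146.xx.136.27[500]
Jan 4 15:26:18 racoon: [to live]: INFO: IPsec-SA established: ESP 62.xx.31.242[500]->146.xx.136.27[500] spi=105096275(0x643a453)
Jan 4 15:27:16 racoon: ERROR: failed to get sainfo.
"""

def parse_racoon(text, year=2012):
    """Return (timestamp, kind, detail) tuples; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        body = m.group(2)
        if sa := RE_SA.search(body):
            src, dst, spi_dec, spi_hex = sa.groups()
            if int(spi_dec) == int(spi_hex, 16):  # skip lines mangled in transit
                events.append((ts, "sa", (src, dst, int(spi_dec))))
        elif neg := RE_NEG.search(body):
            events.append((ts, "phase2", neg.groups()))
        elif "failed to get sainfo" in body:
            events.append((ts, "sainfo_fail", None))
    return events

def assess(events):
    negs = [e[0] for e in events if e[1] == "phase2"]
    sas = sum(1 for e in events if e[1] == "sa")
    fails = sum(1 for e in events if e[1] == "sainfo_fail")
    gaps = [(b - a).total_seconds() for a, b in zip(negs, negs[1:])]
    # Phase 2 lifetimes are normally hours; renegotiations minutes apart mean the SAs
    # are being torn down and rebuilt (300 s is an assumed heuristic threshold).
    rapid = bool(gaps) and min(gaps) < 300
    # SAs establishing alongside sainfo failures: the ends disagree on at least one phase 2
    # setting (network IDs, encryption/hash, PFS); failures alone: nothing proposed matches.
    verdict = ("phase2_mismatch_suspected" if fails and sas
               else "no_matching_phase2" if fails else "ok")
    return {"negotiations": len(negs), "sas": sas, "sainfo_failures": fails,
            "min_phase2_gap_s": min(gaps) if gaps else None,
            "rapid_rekey": rapid, "verdict": verdict}
```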



  • I happen to be having this EXACT same issue!

    I had a pfsense desktop running using the full version of pfsense and the tunnel to a watchguard X1250e worked just fine.

    But the minute I put the embedded firmware on a X700 and re-established my tunnel I get no connectivity.

    I do get a green light in the status - ipsec and the logs do show it is connected on both ends but just no traffic going between one or the other.

    Version:
    2.0.1-RELEASE (i386)
    built on Mon Dec 12 19:00:03 EST 2011

    Platform:
    nanobsd (2g)

    with:
    Hardware crypto SafeNet SafeXcel-1141 rng des/3des aes md5 sha1 null



  • Did you solve it somehow?



  • Nope. I tried tons of things and did not get anywhere so I figured I would add to your post with my specs and see if someone could help us.

    do you have the Hardware Crypto card in yours?

    Thanks.

    Luc



  • Right… I had the same setup with my X700 version 10.2 with a VPN to a Pfsense 2.0.1 box and it works perfectly! The watchguard end... what modem/router is connecting you to the internet? Have you rebooted it?



  • In my case the Watchguard IS my router with pfsense on it. It has been flashed to PfSense.

    On the other end it is a Watchguard as well but with real watchguard software.

    I was using an old desktop with pfsense and that worked fine but the X700 with pfsense does not like it.

    So basically: X700 (pfsense) --->DSL--->ISP--->work ISP--->ISP gear (Fibre and Juniper switch)--->Watchguard x1250e with latest firmware (watchguard)

    I used to use: Dell optiplex with pfsense --->DSL-->ISP--->Work ISP--->ISP Gear---> Watchguard X1250e and it was just peachy.

    Luc



  • did you sort this?
    I was having the same issue as well. I changed from sha-1 to MD5 and then everything worked.

    Was just wondering whether you guys had it working with sha-1.

    What is your tunnel config settings?

    I did wonder whether it's to do with the crypto card in the pfsense(watchguard) not working as expected…  ???

