Hey guys,
One of our customers recently changed their public IP addresses for two locations, which caused their IPsec tunnel to break. When trying to get it back up again, one of the firewalls refuses to pick up the tunnel and its routes even though the settings are the same across both firewalls, and I feel like I need a sanity check.
Firewall 1:
BOVPN Gateway Settings:
  Customer Tunnels: Customer Tunnel
  IKE Version: IKEv1
  Credential Method: Pre-shared Key
  Endpoints
    Endpoint 1
      Local Interface: External
      Local ID: *.*.*.112 (IP Address)
      Remote IP Address: *.*.*.113
      Remote ID: *.*.*.113 (IP Address)
  Phase 1 Settings
    Mode: Main
    NAT Traversal: Enabled (20 second interval)
    IKE Keep-alive: Disabled
    Dead Peer Detection: Enabled (20 second timeout, 5 max retries)
    Auto Start: Yes
    Transforms
      Transform: 1
        Authentication: SHA2-256
        Encryption: AES (256-bit)
        SA Life: 8 hours
        Key Group: Diffie-Hellman Group 14

BOVPN Tunnel Settings:
  Customer Tunnel
    BOVPN Gateway: Customer Name
    Tunnel Routes
      Route 1
        Local: 10.80.7.0/24
        Remote: 192.168.100.0/24
        Direction: bi-directional
        Allow Broadcast: No
    Phase 2 Settings
      Perfect Forward Secrecy
        Perfect Forward Secrecy: Enabled (Diffie-Hellman Group 14)
      IPSec Proposals
        Proposal 1
          Name: ESP-AES-SHA1
          Type: ESP
          Authentication: SHA1
          Encryption: AES (256-bit)
          Key Expiration: 128,000KB or 8 hours
Firewall 2:
BOVPN Gateway Settings:
  Customer Tunnels: tunnel.1   <-- Default name of a tunnel that doesn't exist.
  Credential Method: Pre-shared Key
  Endpoints
    Endpoint 1
      Local Interface: External
      Local ID: *.*.*.113 (IP Address)
      Remote IP Address: *.*.*.112
      Remote ID: *.*.*.112 (IP Address)
  Phase 1 Settings
    Mode: Main
    NAT Traversal: Enabled (20 second interval)
    IKE Keep-alive: Disabled
    Dead Peer Detection: Enabled (20 second timeout, 5 max retries)
    Auto Start: Yes
    Transforms
      Transform: 1
        Authentication: SHA2-256
        Encryption: AES (256-bit)
        SA Life: 8 hours
        Key Group: Diffie-Hellman Group 14
On Firewall 2 that's the only output I get, and as you can see it chooses a default tunnel name; that tunnel doesn't exist in my firewall, and if I create it, the above output changes to "tunnel.2". A debug on both firewalls claims that there's no problem accepting or disallowing traffic in either direction. Essentially nothing has changed today except the change of the public IP addresses. Does anyone wiser than I possibly know what the issue is?
Thanks for your time!
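As an added sanity check (example code, not from the original post or from the firewall vendor), the script below compares the two gateway dumps the way you would by hand: Phase 1 values must be identical, each side's Local ID must be the peer's Remote ID / Remote IP Address, and both sides need a tunnel (Phase 2) definition before routes can install. The masked octets are replaced with placeholder addresses from 203.0.113.0/24, and the dict keys and the FW1/FW2 names are this example's own.

```python
"""Compare two BOVPN gateway dumps for IKEv1 tunnel mismatches."""

# Constructed sample data transcribed from the two dumps in the post; the
# masked octets are replaced by documentation-range placeholder addresses.
FW1 = {
    "IKE Version": "IKEv1", "Credential Method": "Pre-shared Key",
    "Local ID": "203.0.113.112", "Remote IP Address": "203.0.113.113",
    "Remote ID": "203.0.113.113", "Mode": "Main",
    "Authentication": "SHA2-256", "Encryption": "AES (256-bit)",
    "SA Life": "8 hours", "Key Group": "Diffie-Hellman Group 14",
    "Tunnel Routes": ["10.80.7.0/24 <-> 192.168.100.0/24"],
    "PFS": "Diffie-Hellman Group 14",
    "IPSec Proposal": "ESP / SHA1 / AES (256-bit)",
}
FW2 = {
    "Credential Method": "Pre-shared Key",
    "Local ID": "203.0.113.113", "Remote IP Address": "203.0.113.112",
    "Remote ID": "203.0.113.112", "Mode": "Main",
    "Authentication": "SHA2-256", "Encryption": "AES (256-bit)",
    "SA Life": "8 hours", "Key Group": "Diffie-Hellman Group 14",
}

# Phase 1 values that must be identical on both peers.
MUST_MATCH = ["IKE Version", "Credential Method", "Mode", "Authentication",
              "Encryption", "SA Life", "Key Group"]
# Tunnel / Phase 2 items that must exist on both peers for routes to install.
PHASE2_REQUIRED = ["Tunnel Routes", "PFS", "IPSec Proposal"]


def compare_gateways(a, b):
    """Return a list of human-readable findings; an empty list means no mismatch."""
    findings = []
    for key in MUST_MATCH:
        va, vb = a.get(key), b.get(key)
        if va is None or vb is None:
            findings.append(f"{key}: missing on {'FW1' if va is None else 'FW2'}")
        elif va != vb:
            findings.append(f"{key}: FW1={va!r} FW2={vb!r}")
    # With IP-type IDs, my Local ID must equal the peer's Remote ID and the
    # peer's Remote IP Address; check both directions.
    for theirs in ("Remote ID", "Remote IP Address"):
        if a.get("Local ID") != b.get(theirs):
            findings.append(f"FW1 Local ID {a.get('Local ID')} != FW2 {theirs} {b.get(theirs)}")
        if b.get("Local ID") != a.get(theirs):
            findings.append(f"FW2 Local ID {b.get('Local ID')} != FW1 {theirs} {a.get(theirs)}")
    for key in PHASE2_REQUIRED:
        for name, side in (("FW1", a), ("FW2", b)):
            if key not in side:
                findings.append(f"{key}: not configured on {name}")
    return findings


if __name__ == "__main__":
    for line in compare_gateways(FW1, FW2):
        print(line)
```

Run against the two dumps as posted, it reports the missing IKE Version line and the absent tunnel definition on Firewall 2 while the endpoint IDs mirror correctly.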