WSM / Managed VPN

Dear all,
I'm planning to redesign my VPN network with 55 WatchGuards and 1 M670 cluster.
My tests with managed VPN are fine, but I'm wondering why they come up in
"Aggressive Mode" instead of "Main Mode". All boxes have fixed IPs. BUG?

I'm on 12.7.2p2 on all boxes.

Thanks and best regards


    james.carson Moderator, WatchGuard Representative

    Hi @Veloso

    Main vs Aggressive mode for IKEv1 basically means that the firewall isn't checking the inbound IP against what it's expecting, and will accept IKE traffic from any host.

    IKEv1 (IPSec) Mobile VPN will always be aggressive mode.
    IKEv1 Site to Site (BOVPN) can be either. If you have multiple sites with no static IP, you can only use main mode for the first one, and must use aggressive mode for any after that.

    IKEv2 doesn't use Main/Aggressive mode -- if you are looking to get away from aggressive mode, I'd suggest migrating to IKEv2 as you can.

    -James Carson
    WatchGuard Customer Support
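    A defender can settle the Main-versus-Aggressive question (and the PCI-scan question raised later in this thread) from a packet capture rather than from the GUI, because the ISAKMP header carries both the IKE version and the exchange type. The block below is an added example for this thread, not WatchGuard code or anything from the posters: it parses the fixed 28-byte ISAKMP header and classifies each packet as IKEv1 Main Mode, IKEv1 Aggressive Mode, or an IKEv2 exchange, then counts which source addresses sent initial Aggressive Mode requests. The sample packets and the IP addresses are constructed placeholders.

```python
"""Classify IKE/ISAKMP packets seen on UDP 500 by version and exchange type.

Added example for this thread, not WatchGuard code. It reads only the fixed
28-byte ISAKMP header (RFC 2408 for IKEv1, RFC 7296 for IKEv2), which is
enough to tell a Main Mode request from an Aggressive Mode request or an
IKEv2 IKE_SA_INIT. Sample packets and addresses below are constructed.
"""
import struct
from collections import Counter

# Initiator SPI, responder SPI, next payload, version, exchange type,
# flags, message ID, total length: 8+8+1+1+1+1+4+4 = 28 bytes.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
HEADER_LEN = ISAKMP_HEADER.size

# (major version, exchange type) -> name, from the ISAKMP/IKEv2 registries.
EXCHANGE_TYPES = {
    (1, 2): "IKEv1 Main Mode (Identity Protection)",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational",
    (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA",
    (2, 37): "IKEv2 INFORMATIONAL",
}


def classify_ike(packet: bytes) -> dict:
    """Parse the ISAKMP header and describe the exchange it belongs to."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the ISAKMP header")
    _ispi, rspi, _next, version, xchg, _flags, _msg_id, length = \
        ISAKMP_HEADER.unpack_from(packet)
    major = version >> 4          # 0x10 -> IKEv1, 0x20 -> IKEv2
    return {
        "version": major,
        "exchange": EXCHANGE_TYPES.get((major, xchg), f"unknown exchange type {xchg}"),
        "aggressive": major == 1 and xchg == 4,
        # The very first message of an IKE SA carries an all-zero responder SPI.
        "initial_request": rspi == b"\x00" * 8,
        "declared_length": length,
    }


def build_header(ispi: bytes, rspi: bytes, version_byte: int, xchg: int) -> bytes:
    """Construct a header-only ISAKMP packet for the sample capture."""
    next_payload = 1 if version_byte >> 4 == 1 else 33   # SA payload in v1 / v2
    return ISAKMP_HEADER.pack(ispi, rspi, next_payload, version_byte, xchg, 0, 0, HEADER_LEN)


# Constructed capture: (source address, UDP payload). Addresses are placeholders.
SAMPLE_CAPTURE = [
    ("203.0.113.10", build_header(b"\x11" * 8, b"\x00" * 8, 0x10, 2)),   # peer: Main Mode MM1
    ("198.51.100.7", build_header(b"\x22" * 8, b"\x00" * 8, 0x10, 4)),   # scanner: Aggressive AM1
    ("198.51.100.7", build_header(b"\x23" * 8, b"\x00" * 8, 0x10, 4)),   # scanner: second AM1
    ("203.0.113.20", build_header(b"\x33" * 8, b"\x00" * 8, 0x20, 34)),  # peer: IKEv2 IKE_SA_INIT
]


def aggressive_initiators(capture) -> dict:
    """Count initial Aggressive Mode requests per source address."""
    counts = Counter()
    for src, payload in capture:
        info = classify_ike(payload)
        if info["aggressive"] and info["initial_request"]:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, payload in SAMPLE_CAPTURE:
        print(src, classify_ike(payload)["exchange"])
    print("aggressive initiators:", aggressive_initiators(SAMPLE_CAPTURE))
```

    Feed it the UDP payload of traffic captured on port 500; for NAT-T traffic on UDP 4500, strip the 4-byte all-zero Non-ESP marker that precedes the ISAKMP header first. Comparing the exchange types the firewall answers against the ones it merely receives shows whether a scanner's Aggressive Mode probe actually got a negotiated response or only the "no matching SA" style reply described later in this thread.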


    Good Morning. Not to hijack, and I know this thread is a little dated; however, there was no confirmation on the resolution here and we're running into the same issue. I'm hoping, James, that you might have some insight.

    We are failing PCI scans due to VPN config. We use BOVPN Virtual Interfaces, and I've recently swapped them all over to IKEv2 in an attempt to (as you mentioned above) eliminate aggressive mode; however, the PCI DSS scan still fails. We had Mobile VPN with IPSec configured previously, however we deprecated use of it, and the IP addresses in the configuration were old and no longer valid for our present internet circuits. We now use the SSLVPN instead on some non-standard port for obscurity purposes, so I've just recently eliminated the Mobile VPN with IPSec configuration altogether.

    I want to validate: according to your comment above, with my BOVPN config all using IKEv2, the WatchGuard should not be responding to any aggressive mode type VPN requests.
    My question is: could it have been the leftover Mobile VPN with IPSec configuration that was still responding to aggressive mode scans? Having since eliminated the Mobile...IPSec config, should we now be aggressive mode free?
    Is there any other ancillary configuration that could cause the WatchGuard to respond to aggressive mode traffic aside from what is mentioned above?

    The only other approach I can think of would be to go back to IKEv1 with Main mode only selected, however I'm hoping my current setup (now that we've eliminated Mobile VPN with IPsec) should be OK for not responding to Aggressive Mode scans and passing the PCI scan.
    (All Gateways have Static public IP addresses.)

    Much appreciate any insight,
    Thank you,

    james.carson Moderator, WatchGuard Representative

    The firewall will still respond to requests but with an appropriate message for the IKE version type, usually outlining that the request did not match a configured SA.

    The built in policy will attempt to interrogate any IPSec traffic that comes to it.

    If you do not want the firewall responding to any request, you'll need to turn off the built-in IPSec policy and create an IPSec policy from the IPs you want to respond to, TO Firebox.

    -James Carson
    WatchGuard Customer Support

    edited January 2023

    To disable:
    In WSM Policy Manager: unselect VPN -> VPN Settings -> Enable built-in IPSec policy
    In the Web UI: VPN -> Global Settings
