BOVPN to vendor's network. T-40 <--> Cisco ASA 5525

I have a T-40 that I am trying to create a BOVPN to a vendor's Cisco ASA 5525. First, I have been pointed toward two different articles on the WatchGuard site. One shows a "typical" Gateway/Tunnel config and the other shows using a Virtual Interface. I am not sure what the difference is and which way is preferable.

I have been asked by the vendor to use NAT to mask my unfortunate use of 192.168.1.x, and I believe I have it set up correctly. Phase 1 is negotiating correctly. Phase 2 will not, and I am seeing a message in my VPN diagnostics that says:

Direction: "BOTH"
"192.168.1.0/24(1-1NAT Invalid Address Type(0))<->2.x.x.131-2.x.x.132"
(Vendor IP addresses masked)

I have my Tunnel set with:
Local as Network IPv4 192.168.1.0/24
Remote is a network range of 2.x.x.131-2.x.x.132
1:1 NAT is Network IPv4 172.16.11.0/24

Does anyone know what the Invalid Address type message means?

Comments

  • edited August 2022

    No idea what that means. There was one other post with this message, but no help there either.

    You can turn on diagnostic logging for IKE which may show something more to help understand this:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Logging -> Settings
    Set the slider to Information or higher

  • james.carson Moderator, WatchGuard Representative

    I've only ever seen "Invalid Address Type" pop up when 1-To-1 NAT or DNAT are in use on the BOVPN tunnel. Since you're masking some of this, I'd suggest opening a support case so we can see the whole thing without the mask.

    -James Carson
    WatchGuard Customer Support

  • @thejohncarlson did you ever get this working?

  • I did. In my case it had to do with the remote network range in the tunnel. In place of the network range of two addresses, I had to create two separate tunnel routes. One for each of the addresses.
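    The fix described in the last comment, modelled as an added example that is not from the thread or from WatchGuard: a small Python helper that expands a dash-separated remote range into one tunnel route per host, keeps the same 1:1 NAT mapping on each, and checks that the NAT network is the same size as the local network (1:1 NAT maps address for address). The vendor addresses are constructed placeholders from the 203.0.113.0/24 documentation range, since the post masks the real ones.

    ```python
    import ipaddress
    from dataclasses import dataclass
    from typing import List, Optional, Tuple

    @dataclass(frozen=True)
    class TunnelRoute:
        local: ipaddress.IPv4Network          # network behind the Firebox
        remote: ipaddress.IPv4Network         # peer network or single host (/32)
        nat: Optional[ipaddress.IPv4Network]  # 1:1 NAT network shown to the peer

    def parse_remote(spec: str) -> List[ipaddress.IPv4Network]:
        """Accept 'a.b.c.d/n', a bare host, or a range 'first-last'.

        A range is expanded into one /32 per host, which is what the
        per-address tunnel routes in the thread amount to."""
        if "-" in spec:
            first, last = (ipaddress.IPv4Address(s.strip()) for s in spec.split("-", 1))
            if last < first:
                raise ValueError(f"range {spec!r} ends before it starts")
            return [ipaddress.IPv4Network(f"{ipaddress.IPv4Address(i)}/32")
                    for i in range(int(first), int(last) + 1)]
        return [ipaddress.IPv4Network(spec, strict=False)]

    def build_routes(local: str, remote_spec: str, nat: Optional[str] = None) -> List[TunnelRoute]:
        """Build the tunnel routes for a BOVPN, applying the same 1:1 NAT to each."""
        local_net = ipaddress.IPv4Network(local, strict=False)
        nat_net = ipaddress.IPv4Network(nat, strict=False) if nat else None
        if nat_net is not None and nat_net.prefixlen != local_net.prefixlen:
            raise ValueError("1:1 NAT network must be the same size as the local network")
        return [TunnelRoute(local_net, r, nat_net) for r in parse_remote(remote_spec)]

    def phase2_selectors(routes: List[TunnelRoute]) -> List[Tuple[str, str]]:
        """(local, remote) pairs the peer sees in Phase 2, with NAT applied."""
        return [(str(r.nat or r.local), str(r.remote)) for r in routes]

    if __name__ == "__main__":
        # Constructed sample mirroring the thread's layout (peer IPs are placeholders).
        routes = build_routes("192.168.1.0/24", "203.0.113.131-203.0.113.132", "172.16.11.0/24")
        for local, remote in phase2_selectors(routes):
            print(f"{local} <-> {remote}")
    ```
    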
