T40 Branch Office VPN won't connect, driving me CRAZZYYYYY
Hi all, spent ages on this today. Gave up eventually after it ruined my day, and installed the Mobile Client on each PC instead. Not ideal, and I could really use your help fixing it.
We've a T40 at the main HQ (192.168.1.254), and at the minute, site 1 (10.1.1.1) dials in perfectly via a Draytek Lan To Lan.
I just cannot get site 2 (192.168.10.1) to connect, and I'm pretty sure I've mirrored all the settings, as they're both similar draytek models.
Please see attached pictures of the various tunnels and what-not. Hopefully I'm just being a dumb arse and have missed a simple setting.
I've tried various reboots and different firmwares too.
Thanks in advance.
Comments
Not that this is likely the issue - but it is recommended to not use DPD and IKE keep-alive on the same tunnel.
DPD is preferred if it is supported by the other end.
If there is nothing to help understand this in your firewall logs/Traffic Monitor, you can turn on diagnostic logging for IKE which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
Set the slider to Information or higher
In the Web UI: System -> Diagnostic Log -> VPN -> IKE
Click the down arrow and select Information or Debug
Thanks for the prompt reply. I have disabled Keep-Alive on this tunnel, and have amended the log settings. Where can one download the log files?
If I can't get this working, can I set up an SSL VPN Tunnel temporarily to test?
I get these errors now...
Look in Traffic Monitor for the current logs.
In the Web UI it is under Dashboard.
For historical logs, you need to set up a log server, such as WG Dimension, or a syslog server, and then set up logging to it.
About Firebox Logging and Notification
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/logging_and_logfiles_about_c.html
There are free syslog servers which run on Windows and other OSes.
Dimension runs on a VM and requires a current support license for Dimension to accept logs from a firewall.
I run my Dimension on VMware Workstation which while not officially supported by WG, works fine for a small site.
Set Up & Administer Dimension
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/about-dimension_d.html
SSLVPN client connections from behind 1 firewall to a WG firewall should work.
Invalid main mode ID - check the settings on the Gateway setup for this tunnel.
OK so this morning I deleted the tunnel and gateway, and added them from scratch. Still no joy.
As time is against me now, I quickly set up a PPTP test tunnel from both Drayteks, and it connected instantly.
Far from ideal, but at least I have a tunnel for Monday and it buys me a bit of time.
Check your Traffic Monitor logs when you try to get this tunnel going.
Check your ISP equipment to see if there is any ESP or IKE ALG enabled. The logs suggest the main mode (tunnel ID) is incorrect, which is a thing ESP-ALGs will try to change.
-James Carson
WatchGuard Customer Support
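The "Invalid main mode ID" message and the ALG suggestion above both come down to one rule of IKEv1 main mode: the ID each peer presents in Phase 1 must be exactly what the other peer has configured as its expected remote ID, type and value. The script below is an added illustration of that check, not code from WatchGuard, Draytek or the original posters. It uses a deliberately simplified ID model (three ID types only) and constructed documentation-range addresses (203.0.113.10 for the HQ side, 198.51.100.20 for site 2, 192.0.2.5 as the address an upstream NAT/ALG hop might substitute); none of these are values from the thread. The third scenario shows why name-based IDs survive an address rewrite that IP-based IDs do not.

```python
"""Added example: IKEv1 main mode peer-ID consistency check.

Not WatchGuard or Draytek code. Models a Phase 1 ID exchange between two
peers and reports why a gateway would log an ID mismatch. IDs, peer names
and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkeId:
    """Simplified IKEv1 identification payload: an ID type plus its value."""
    kind: str    # "ip", "fqdn" or "user_fqdn" (a subset of the real ID types)
    value: str

    def __str__(self) -> str:
        return f"{self.kind}:{self.value}"


@dataclass(frozen=True)
class Peer:
    name: str
    local_id: IkeId            # the ID this peer sends in Phase 1
    expected_remote_id: IkeId  # the ID it requires from the other side


def presented_id(peer: Peer, rewritten_ip: Optional[str] = None) -> IkeId:
    """ID as seen by the far end.

    An intermediate NAT or IKE/ESP ALG can substitute the address in an
    address-type ID (rewritten_ip); name-type IDs pass through unchanged.
    """
    if rewritten_ip is not None and peer.local_id.kind == "ip":
        return IkeId("ip", rewritten_ip)
    return peer.local_id


def check_main_mode_ids(a: Peer, b: Peer,
                        a_rewritten_ip: Optional[str] = None,
                        b_rewritten_ip: Optional[str] = None) -> List[str]:
    """Return one problem string per direction whose ID does not match.

    An empty list means both gateways would accept each other's Phase 1 ID.
    """
    problems: List[str] = []
    for sender, receiver, rewrite in ((a, b, a_rewritten_ip), (b, a, b_rewritten_ip)):
        seen = presented_id(sender, rewrite)
        if seen != receiver.expected_remote_id:
            problems.append(f"{receiver.name} expects {receiver.expected_remote_id} "
                            f"from {sender.name} but sees {seen}")
    return problems


# Constructed peers (documentation-range addresses, not the thread's values).
HQ = Peer("HQ-T40", IkeId("ip", "203.0.113.10"), IkeId("ip", "198.51.100.20"))
SITE2 = Peer("Site2-Draytek", IkeId("ip", "198.51.100.20"), IkeId("ip", "203.0.113.10"))


def scenario_consistent() -> List[str]:
    """Both gateways mirror each other's IDs: no problems reported."""
    return check_main_mode_ids(HQ, SITE2)


def scenario_alg_rewrite() -> List[str]:
    """A NAT/ALG hop in front of site 2 substitutes its address-type ID,
    so HQ sees an ID it was not configured to accept."""
    return check_main_mode_ids(HQ, SITE2, b_rewritten_ip="192.0.2.5")


def scenario_fqdn_ids() -> List[str]:
    """Same rewrite, but both sides use name-type IDs, which the hop
    does not touch, so the exchange still matches."""
    hq = Peer("HQ-T40", IkeId("fqdn", "hq.example.test"), IkeId("fqdn", "site2.example.test"))
    site2 = Peer("Site2-Draytek", IkeId("fqdn", "site2.example.test"), IkeId("fqdn", "hq.example.test"))
    return check_main_mode_ids(hq, site2, b_rewritten_ip="192.0.2.5")


if __name__ == "__main__":
    for label, fn in (("consistent", scenario_consistent),
                      ("alg rewrite", scenario_alg_rewrite),
                      ("fqdn ids", scenario_fqdn_ids)):
        print(f"{label}: {fn() or 'OK'}")
```

Run it and the second scenario reports the HQ side rejecting the rewritten address, which is the same category of failure the gateway logs as an invalid main mode ID; the first and third scenarios report nothing. When comparing two real gateway configurations, line up each side's local ID against the other side's remote ID the same way, including the ID type, before looking anywhere else.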