Site-to-Site VPN between Mikrotik and WatchGuard

Hello!

I'm trying to create an IPSec VPN between a Firebox T40 and a Mikrotik RB750GR3 HEX, using the following documentation:

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Mikrotik VPN_firebox.html

However, on the Firebox side the error message "No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints." always appears, and on the Mikrotik side the message "no phase2".

I've already reviewed the entire configuration on both sides and everything appears to be OK, but the tunnel doesn't establish.

Can you help me or at least give me a direction?

Best Answers

  • What Fireware version are you running?
    Prior to V12.9.3? Perhaps this?
    BoVPN initiated from the wrong external IP address when interface is DHCP and has static secondary addresses
    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000Bc4TSAS&lang=en_US

    If you have a support contract on your firewall, you should open a support case on this, to get help from a WG rep.

    You can turn on diagnostic logging for IKE which may show something more to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    Set the slider to Information or higher

    In the Web UI: System -> Diagnostic Log -> VPN -> IKE
    Click the down arrow and select Information

    Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.

    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

    There is no real other help we can provide without more info, such as some diagnostic logs.

  • edited December 2023 Answer ✓

    For security reasons, please delete your posted logs and re-post them without the full IP addrs on each end, such as xxx.xxx.104.42

  • Nothing obvious here.

    "Resending IKE_SA_INIT request message" indicates that the other end is not responding to a session initiation packet, but there is no way to know why.
    If the remote IP addr is correct on your end and your IP addr is correct on their end, then logs from the other end are needed.

Answers

  • edited December 2023

    Hi Bruce!

    Thank you for the answer.

    I'm running V12.10.

    I'll try a little bit more and open a case if I have no success.

    I turned on the debug logs and got this:

    *** WG Diagnostic Report for Gateway "XXX.XXX.XXX" ***
    Created On: Thu Dec 14 14:10:13 2023

    [Conclusion]
    Error Messages for Gateway Endpoint #1(name "XXX.XXX.XXX")
    Dec 14 14:10:05 2023 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.

    [Gateway Summary]
    Gateway "XXX.XXX.XXX" contains "1" gateway endpoint(s). IKE Version is IKEv2.
    Gateway Endpoint #1 (name "XXX.XXX.XXX") Enabled
    PFS: Disabled AlwaysUp: Disabled
    DPD: Enabled Keepalive: Disabled
    Local ID<->Remote ID: {IP_ADDR(XXX.XXX.104.42) <-> IP_ADDR(XXX.XXX.56.170)}
    Local GW_IP<->Remote GW_IP: {XXX.XXX.104.42 <-> XXX.XXX.56.170}
    Outgoing Interface: eth2 (ifIndex=129)
    ifMark=0x10002
    linkStatus=2 (0:unknown, 1:down, 2:up)
    Stored user messages:
    Dec 14 14:10:05 2023 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.

    [Tunnel Summary]
    "1" tunnel(s) are found using the previous gateway

      Name: "tunnel.franca.teste" Enabled
        PFS: "Enabled" DH-Group: "14"
        Number of Proposals: "1"
          Proposal "ESP-AES256-SHA256"
            ESP:
              EncryptAlgo: "AES" KeyLen: "32(bytes)"
              AuthAlgo: "SHA2-256" 
              LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
        Number of Tunnel Routes: "1"
            #1
              Direction: "BOTH"
              "XXX.XXX.88.X/24<->XXX.XXX.88.X/24"
    

    [Run-time Info (gateway IKE_SA)]

    [Run-time Info (tunnel IPSEC_SA)]
    "0" IPSEC SA(s) are found under tunnel "tunnel.franca.teste"

    [Run-time Info (tunnel IPSEC_SP)]
    "1" IPSEC SP(s) are found under tunnel "tunnel.franca.teste"
    #1
    Tunnel Endpoint: "XXX.XXX.104.42->XXX.XXX.56.170"
    Tunnel Selector: XXX.XXX.88.X/24 -> XXX.XXX.88.X/24 Proto: ANY
    Created On: Thu Dec 14 12:57:08 2023
    Gateway Name: "XXX.XXX.XXX"
    Tunnel Name: "tunnel.franca.teste"

    [Address Pairs in Firewalld]
    Address Pairs for tunnel "tunnel.franca.teste"
    Direction: BOTH
    XXX.XXX.88.X/24 <-> XXX.XXX.88.X/24

    [Policy checker result]
    Tunnel name: tunnel.franca.teste
    #1 tunnel route XXX.XXX.88.X/24<->XXX.XXX.88.X/24
    No policy checker results for this tunnel(no P2SA found or some other error)

    [Related Logs]
    <158>Dec 14 14:09:57 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Resending IKE_SA_INIT request message (id=0) from XXX.XXX.104.42:500 to XXX.XXX.56.170:500. Gateway-Endpoint:'XXX.XXX.XXX'
    <158>Dec 14 14:10:02 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Resending IKE_SA_INIT request message (id=0) from XXX.XXX.104.42:500 to XXX.XXX.56.170:500. Gateway-Endpoint:'XXX.XXX.XXX'
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Resending IKE_SA_INIT request message (id=0) from XXX.XXX.104.42:500 to XXX.XXX.56.170:500. Gateway-Endpoint:'XXX.XXX.XXX'
    <155>Dec 14 14:10:05 iked[3056]: msg_id="021A-001B" (XXX.XXX.104.42<->XXX.XXX.56.170)IKEv2 exchange from XXX.XXX.104.42:500 to XXX.XXX.56.170:500 failed. Gateway-Endpoint='XXX.XXX.XXX'. Reason=No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)stop the given request retry object(0x94a9e28, name="IKE_SA_INIT request", msgId=0)
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)ike2_P1StatusChange: notify ikePcy(XXX.XXX.XXX ver#2)'s status becomes "DOWN" (ikeSA=0x94aa7c8)
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)MWAN-Failover notify ikePcy=0x8ce3ac8(XXX.XXX.XXX ver#2), mwanFlags:0x00000000 p1said=0x0 DOWN continuous-fails:4
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Deleting ikeSA(obj=0x94aa7c8) state=SA_INIT_I actions:0x00000012 gateway-endpoint=XXX.XXX.XXX, caller=ike2_MsgRetryFail, reason="No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints."
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)no need to delete the child SAs for ikeSA(0x94aa7c8 state:SA_INIT_I)
    <158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Free ikeSA(obj=0x94aa7c8 state=IKESA_DELETED)
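As an added example (not part of this thread and not WatchGuard tooling), a small Python parser for iked lines in the format of the report above: it counts IKE_SA_INIT retries per gateway pair and flags the 021A-001B exchange failure, which is the "peer is not responding" conclusion the answers draw. The sample lines, gateway names and addresses are constructed (RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict

# Constructed sample lines in the iked format quoted above; documentation-range addresses, made-up gateway names.
SAMPLE_LOG = """\
<158>Dec 14 14:09:57 iked[3056]: (198.51.100.42<->203.0.113.170)Resending IKE_SA_INIT request message (id=0) from 198.51.100.42:500 to 203.0.113.170:500. Gateway-Endpoint:'gw-a'
<158>Dec 14 14:10:02 iked[3056]: (198.51.100.42<->203.0.113.170)Resending IKE_SA_INIT request message (id=0) from 198.51.100.42:500 to 203.0.113.170:500. Gateway-Endpoint:'gw-a'
<158>Dec 14 14:10:05 iked[3056]: (198.51.100.42<->203.0.113.170)Resending IKE_SA_INIT request message (id=0) from 198.51.100.42:500 to 203.0.113.170:500. Gateway-Endpoint:'gw-a'
<155>Dec 14 14:10:05 iked[3056]: msg_id="021A-001B" (198.51.100.42<->203.0.113.170)IKEv2 exchange from 198.51.100.42:500 to 203.0.113.170:500 failed. Gateway-Endpoint='gw-a'. Reason=No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
<158>Dec 14 14:10:06 iked[3056]: (198.51.100.42<->192.0.2.9)Resending IKE_SA_INIT request message (id=0) from 198.51.100.42:500 to 192.0.2.9:500. Gateway-Endpoint:'gw-b'
"""

# <PRI>timestamp iked[pid]: [msg_id="XXXX-XXXX" ](local<->remote)message
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) iked\[\d+\]: "
    r'(?:msg_id="(?P<msg_id>[0-9A-F-]+)" )?'
    r"\((?P<local>[\d.]+)<->(?P<remote>[\d.]+)\)(?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one iked line, or None if it is not in this format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Per (local, remote) pair: IKE_SA_INIT retries seen and whether the exchange failed."""
    stats = defaultdict(lambda: {"retries": 0, "failed": False, "reason": ""})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["local"], rec["remote"])]
        if rec["msg"].startswith("Resending IKE_SA_INIT request message"):
            s["retries"] += 1
        elif rec["msg_id"] == "021A-001B":  # IKEv2 exchange failed
            s["failed"] = True
            s["reason"] = rec["msg"].partition("Reason=")[2] or rec["msg"]
    return dict(stats)

def diagnose(stats):
    """Map the counters to the conclusion the answers above draw: no reply from the peer."""
    verdicts = {}
    for (local, remote), s in stats.items():
        if s["failed"]:
            verdicts[(local, remote)] = (f"{remote} never answered IKE_SA_INIT from {local} "
                                        f"after {s['retries']} retries; check reachability "
                                        "and UDP/500 at the remote end")
        elif s["retries"]:
            verdicts[(local, remote)] = "retrying, no verdict yet"
    return verdicts
```

Run it over a Traffic Monitor export instead of SAMPLE_LOG to see at a glance which gateway pairs are stuck at the first IKEv2 exchange and which are still retrying.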
