VPN between watchguard with both behind NAT

Hello team,

I have run into an interesting issue. I am trying to set up a S2S between two WatchGuards that are both behind NAT-T, but the interesting thing is that both sites are inside the same subnet route (77.224.0.0/13), so when I try to set up a S2S with regular NAT-T and mapping by User ID on Domain (since they are both behind NAT devices), I unfortunately find that neither responds to the IKE phase 1 INIT packet.

Mar 15 16:12:22 2024 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.

Has anyone ever faced this issue where both were in the same routing subnet?

Answers

  •

    Make sure that IPSec forwarding is enabled on both of the NATing devices in front of each firewall.

  •

    Yes, both have IPSec forwarding enabled in front of each firewall. I even already have VPNs to these sites; however, between themselves, no matter what configuration we set up, it just won't come up.

  •

    You can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    Set the slider to Information or higher

    In the Web UI: System -> Diagnostic Log -> VPN -> SSL.
    Click the down arrow and select Information

    "I even already have VPNs to these sites"
    Meaning client VPNs???
    Or other BOVPNs?

  •

    Just found the issue: both sites don't see each other routing-wise. When we try to tracert from one side to the other there is no routing protocol, as it seems that the provider doesn't have their internal routing set up properly. Will raise a ticket with the ISP provider and come back to mention what is found.

  •

    @the_jonathan said:
    Hello team,

    I have run into an interesting issue. I am trying to set up a S2S between two WatchGuards that are both behind NAT-T, but the interesting thing is that both sites are inside the same subnet route (77.224.0.0/13), so when I try to set up a S2S with regular NAT-T and mapping by User ID on Domain (since they are both behind NAT devices), I unfortunately find that neither responds to the IKE phase 1 INIT packet.

    Mar 15 16:12:22 2024 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.

    Has anyone ever faced this issue where both were in the same routing subnet?

    Not me, but have read on a different forum where somebody else had the same issue with two different sites (same ISP) where the Internet/WAN address was in the same subnet (despite being geographically separated).

    In that case the ISP had to reassign the IP address of one site so it was assigned an IP address in a different subnet to resolve the issue.
    Sounds like your situation is the same.

  •
    edited March 26

    Hey Team, in the end routing was enabled between the two sites by the ISP, but I'm getting such weird behaviour now.

    In summary, the VPN still doesn't come up, but one site says it can establish IKE phase 1. Attaching the logs from both sites.

    Already tried changing to IKEv1 to see if that would work but no luck whatsoever so far.

    *removed attachment

  •
    james.carson Moderator, WatchGuard Representative

    Hi @the_jonathan
    Check to see if your upstream NAT devices are forwarding and allowing that IPsec traffic, specifically ESP traffic.
    There's a reason we generally recommend NAT devices not be in front of your Firebox, and this is one of them.

    Your logs are not sanitized (I can see the destination IPs in your logs) and I'm not going to allow a random .docx that could potentially contain a virus here.

    Please consider opening a support case. This will allow the WatchGuard support rep to see your config(s) and help via a confidential channel, so that you do not have to worry about sanitizing your logs.

    If you must post logs here, please ensure any personally identifiable info is removed (such as IP addresses, serial numbers, and device names). If you must post an attachment, please use something like a plain text file, and not a Word doc that could be harboring malware.

    -James Carson
    WatchGuard Customer Support

This discussion has been closed.