bovpn tunnel suddenly broken; cannot repair

sjonesin1sjonesin1
in Firebox - VPN Branch Office

Good day,

I have a model t50 and t35w that have had a functioning vpn tunnel for over 3 years...never missed moment. Earlier this week, the tunnel went down. I have worked and worked, double and triple-checked my settings; deleted and re-made the gateways and tunnels, and i simply canNOT get the connection established.

most recent error: authentication failure due to mismatched ID
other errors(depending on if i configure 'main' or aggressive): Received invalid main mode id payload

I actually made a bovpn connection from MY site to both of those sites with no difficulty!?

Any thoughts appreciated and thanks in advance,

steve

Comments

  • Bruce_BriggsBruce_Briggs

    If you have a current LiveSecurity License on one of these endpoints, consider opening a support incident.
    For the record, what XTM version is on each endpoint?
    Does either/both firewalls have a static IP addr? If both, Main mode is preferred.

    Not sure if you have done this -
    You can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

    Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you may see something to help understand this.

    1) Web UI -> System Status -> VPN Statistics, click the Debug button
    2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab

    Perhaps we can help if you post some of the logs related to the connection attempts.

    As a last resort, you could change to have the connections between the 2 site go via your site - hub & spoke concept - since you can create a BOVPN to both sites successfully.

  • sjonesin1sjonesin1

    Thank you Bruce,
    I captured the vpn diagnostic logs...I'll try and post them tomorrow.
    Unfortunately, I inherited this client...both devices in the mid-11's on xtm version and prior support did not renew livesecurity.
    I thought about hub and spoke, but unfortunately my internal ip scheme matches one of the sites...what luck, eh?

    thanks again,

    steve

  • Bruce_BriggsBruce_Briggs

    You can use 1-to-1 NAT on a BOVPN Tunnel setting to address the internal subnet scheme issue.

    Use 1-to-1 NAT Through a Branch Office VPN Tunnel
    https://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/bovpn/manual/bovpn_use_1to1_nat_c.html?TocPath=Manual%20Branch%20Office%20VPN%20Tunnels|_____17

Sign In to comment.