VPN Woes - Unable to Ping

I am admittedly a Watchguard newbie. I have inherited a client with a T10 and t30 in each of two locations. They had a VPN setup, but did not know the passwords for the firewalls, so we ended up resetting and starting over. I ran the wizard for the BOVPN and it was successful, i could ping across to one IP address, but no others. I tried setting up routes, policies etc, no avail. Today I deleted the BOVPN and setup a BOVPN Virtual, same result, i can ping a single address but not any other. Trace route shows the ping getting to the remote router, but it dies there.

Any suggestions?

Comments

  • What do you see in Traffic Monitor on the remote firewall when the ping is tried?

    What/where is the single IP addr that you can ping ?
    Is there a single trusted subnet at each end?

    What policy/policies have you added at the remote firewall to allow the ping and any other BOVPN traffic?

  • Also, a tracert will show you the path that packets take, and is a better tool to use than ping to debug possible routing issues.

  • Thanks for piping in Bruce. I can ping in either direction to the remote WG, there is a printer on one end that I can ping but no other addresses. If i tracert to the printer, it hits the local WG, the remote public ip, then the printer. Tracing to another valid IP the trace hits the remote WG's Public IP but stops there. I have pasted below

    Not sure where to find trafficc monitor but I will have a look in the morning when i return to the office

    C:\Users\Ken>tracert 192.168.100.180

    I have changed the IP addresses for privacy.

    Tracing route to HPB357E6 [192.168.123.180]
    over a maximum of 30 hops:

    1 <1 ms 1 ms <1 ms 192.168.133.100
    2 22 ms 18 ms 20 ms 179-12-214-201-LakeCounty.hfc.comcastbusiness.net [179.12.214.201]
    3 22 ms 20 ms 20 ms HPB357E6 [192.168.123.180]

    Trace complete.

    C:\Users\Ken>tracert 192.168.123.127

    Tracing route to 192.168.123.127 over a maximum of 30 hops

    1 <1 ms 1 ms <1 ms 192.168.133.100 2 18 ms 18 ms 18 ms 179-12-214-201-LakeCounty.hfc.comcastbusiness.net [123.12.214.201] 3 * * * Request timed out. 4 * * * Request timed out. 5 ^C C:\Users\Ken>


    VPN Diagnostic
    *** WG Diagnostic Report for Gateway "H-O1" ***
    Created On: Thu Jan 12 17:19:33 2023

    [Conclusion]
    Tunnel Name: H-O1
    Incoming VPN traffic was detected for this tunnel after the diagnostic report started.
    Outgoing VPN traffic was detected for this tunnel after the diagnostic report started.
    The firewall policy "BOVPN-Allow.out-00" is matched for the outgoing traffic.
    The firewall policy "BOVPN-Allow.in-00" is matched for the incoming traffic.

    [Gateway Summary]
    Gateway "H-O1" contains "1" gateway endpoint(s). IKE Version is IKEv1.
    Gateway Endpoint #1 (name "H-O1") Enabled
    Mode: Main
    PFS: Disabled AlwaysUp: Enabled
    DPD: Enabled Keepalive: Disabled
    Local ID<->Remote ID: {IP_ADDR(123.163.254.225) <-> IP_ADDR(123.12.214.201)}
    Local GW_IP<->Remote GW_IP: {123.163.254.225 <-> 123.12.214.201}
    Outgoing Interface: eth0 (ifIndex=2)
    ifMark=0x10000
    linkStatus=2 (0:unknown, 1:down, 2:up)
    BVPN Interface: bvpn1 (ifIndex=11)
    Remote Endpoint Type: Firebox
    NAT-D flag=0x0 (0:none, 1:remote, 2:local, 3:both)

    [Tunnel Summary]
    "1" tunnel(s) are found using the previous gateway

      Name: "H-O1" Enabled
        PFS: "Enabled" DH-Group: "14"
        Number of Proposals: "1"
          Proposal "ESP-AES256-SHA256"
            ESP:
              EncryptAlgo: "AES" KeyLen: "32(bytes)"
              AuthAlgo: "SHA2-256" 
              LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
        Number of Tunnel Routes: "0"
    

    [Run-time Info (bvpn routes)]
    dest=192.168.123.0/24 dev=bvpn1 metric=1 proto=static

    [Run-time Info (gateway IKE_SA)]
    Name: "H-O1" (IfStatus: 0x80000002)
    IKE SAID: "0xbc547deb" State: "SA Mature"
    Created: Thu Jan 12 11:42:33 2023
    My Address: 123.163.254.225:500 Peer Address: 123.12.214.201:500
    InitCookie: "cd6f848a40797c7b" RespCookie: "902080e7bb5d4315"
    LifeTime: "86403(seconds)" LifeByte: "0(kbtyes)" DPD: "Enabled"
    Serial Number: 0
    msgIdSend: 0 msgIdRecv: 0

    [Run-time Info (tunnel IPSEC_SA)]
    "2" IPSEC SA(s) are found under tunnel "H-O1"
    #1 "OUTBOUND"
    SPI: 0x62c01aa4 ISAKMP SA ID: 0xbc547deb
    Created on: Thu Jan 12 11:42:35 2023
    Last Used on: Thu Jan 12 17:19:31 2023
    Bytes Sent: "652435" Packets Sent: "7342"
    Errors: replay: "0" replay_win: "0" integrity: "0" hw_ctx: "0"
    HwCryptoCtx: currErr: "0" ctxState: "0"
    Tunnel Endpoint: "123.163.254.225->123.12.214.201"
    Tunnel Selector: "123.163.254.225 -> 123.12.214.201 Proto: gre"
    AUTH: "hmac(sha256)" KeyLen: "32(bytes)"
    CRYPT: "cbc(aes)" KeyLen: "32(bytes)"
    Gateway Name: "H-O1"
    Tunnel Name: "H-O1"
    Owner Id: "D0FA08E230621"
    IFMARK: "0x10000(2)" DPD: "Enabled"
    Number of Rekeys: "0"
    #2 "INBOUND"
    SPI: 0x53a374b5 ISAKMP SA ID: 0xbc547deb
    Created on: Thu Jan 12 11:42:35 2023
    Last Used on: Thu Jan 12 17:19:29 2023
    Bytes Sent: "730266" Packets Sent: "6280"
    Errors: replay: "0" replay_win: "0" integrity: "0" hw_ctx: "0"
    HwCryptoCtx: currErr: "0" ctxState: "0"
    Tunnel Endpoint: "123.12.214.201->123.163.254.225"
    Tunnel Selector: "123.12.214.201 -> 123.163.254.225 Proto: gre"
    AUTH: "hmac(sha256)" KeyLen: "32(bytes)"
    CRYPT: "cbc(aes)" KeyLen: "32(bytes)"
    Gateway Name: "H-O1"
    Tunnel Name: "H-O1"
    Owner Id: "D0FA08E230621"
    IFMARK: "0x10000(2)" DPD: "Enabled"
    Number of Rekeys: "0"

    [Run-time Info (tunnel IPSEC_SP)]
    "1" IPSEC SP(s) are found under tunnel "H-O1"
    #1
    Tunnel Endpoint: "123.163.254.225->123.12.214.201"
    Tunnel Selector: 123.163.254.225 -> 123.12.214.201 Proto: gre
    Created On: Thu Jan 12 11:40:32 2023
    Last Used On: Thu Jan 12 17:19:31 2023
    Gateway Name: "H-O1"
    Tunnel Name: "H-O1"

    [Policy checker result]
    Tunnel name: H-O1
    OUTBOUND traffic (src=192.168.133.1 dst=192.168.123.1 proto=tcp)
    Found policy: BOVPN-Allow.out-00
    Action: Allowed Outif: bvpn1
    INBOUND traffic (src=192.168.123.1 dst=192.168.133.1 proto=tcp)
    Found policy: BOVPN-Allow.in-00
    Action: Allowed Outif: Trusted

    [Related Logs]
    <158>Jan 12 17:19:13 iked[1696]: (123.163.254.225<->123.12.214.201)******** RECV an IKE packet at 123.163.254.225:500(socket=13 ifIndex=2) from Peer 123.12.214.201:500 ********
    <158>Jan 12 17:19:13 iked[1696]: (123.163.254.225<->123.12.214.201)IKE SA[0x1028aa74 socket:13 state:'SA Mature' MyAddr:123.163.254.225:500 PeerAddr:123.12.214.201:500]
    <158>Jan 12 17:19:13 iked[1696]: (123.163.254.225<->123.12.214.201)Received DPD R_U_THERE_ACK message from 123.12.214.201:500 for H-O1 gateway. Seq=515822862 DataSz=4
    <158>Jan 12 17:19:13 iked[1696]: (123.163.254.225<->123.12.214.201)IkeInNotifyProcess: peer gateway is UP (peerIp=123.12.214.201:500, ifIdx=2, pcyName=H-O1)
    <158>Jan 12 17:19:13 iked[1696]: (123.163.254.225<->123.12.214.201)ike_p1_status_chg: ikePcyName=H-O1, status=UP

  • You may wish to check your Tunnel Addresses and see if they are set up with the correct IP ranges.
    Local Remote
    10.0.0.0/24 <==> 10.0.1.0/24
    10.0.1.0/24 <==> 10.0.0.0/24

    As an example.

    Check your PING policy that it includes BOVPN tunnels also.

    It's usually something simple.

  • You can turn on Logging on the BOVPN-Allow.in-00 policy on the remote site.
    That should show allowed packets in Traffic Monitor on the remote site.

    What tool are you using to manage the firewall?
    If WSM Policy Manager - Traffic Monitor is part of WSM Firebox System Manager.
    If the Web UI - Traffic Monitor is part of it, under Dashboard.

    On your virtual BOVPN setup, what have you set for the VPN Routes section on the local firewall ?
    Usually Type = Network IPv4, and the subnet mask after the slash "/" is 24.

  • shaazaminator; I am using the virutal VPN which uses routing and the routes are setup correctly using the tunnel. I can ping either firewall via the VPN.

    Bruce, I am using the web interface. Yes, the routes are setup using /24.
    The weird thing is I can ping the one printer or the remote WG, but no other addresses. It is like the remote device is receiving the traffic but does not know what to do with it, suggesting a routing issue, but the issue is occuring after the packets traverse the vpn...... to make it more interesting, it happens in either direction. The trace gets to the public IP of the remote side then fails.

    So i found the log and started monitoring, i do not see the traffic incoming either way, the successful ping or not... I get a successful ping to the WG where I am monitoring but nothing in the traffic monitor....

  • By default, allowed packets are not logged, so you need to turn on Logging on desired policies to see packets allowed by them in Traffic Monitor.

    Turn on Logging on the BOVPN-Allow.in-00 & BOVPN-Allow.out-00 policies, and depending on the To: field of the ping policy (Any???) it also.
    Do this on both firewalls.

    Anything downstream from the firewalls which may be blocking packets from the other end?

  • it is a really basic setup, small cafe with the T30, the owner has a T10 at his home so he can watch the cameras. Not much else going on except two PCs and one POS system at the cafe, printer and PC at the house.

    So here is the log from the remote when pinging the unreachable ip address
    2023-01-13 14:31:21 Allow 192.168.123.107 192.168.133.127 icmp O-H1 Trusted Allowed 60 126 (BOVPN-Allow.in-00) proc_id="firewall" rc="100" msg_id="3000-0148"

    It is allowing the connection, but does nothing with it so the ping fails.

    Gets even weirder, there is an ip on the remote end, .220 that the local log shows the local pc connecting to as "allowed". I cannot ping that device from the remote WG or the local, but in the log it shows it allowing it via the vpn.

    2023-01-13 14:34:01 Allow 192.168.123.107 192.168.133.220 dns/udp 56334 53 O-H1 Trusted Allowed 68 126 (BOVPN-Allow.in-00) proc_id="firewall" rc="100" msg_id="3000-0148"

    When i try to ping the .220 i get a destentiaion unreachable..

    I'm pretty good with Fortinet OS, and setting up firewalls and VPNs, but this is a head scratcher!

  • What software is on those PCs which would block incoming from the 192.168.123.x subnet?

    Are the remote PCs on?

    Clearly the BOVPN is working as set up.

Sign In to comment.