Site-to-Site VPN between Mikrotik and WatchGuard
Hello!
I'm trying to create an IPSec VPN between a Firebox T40 and a Mikrotik RB750GR3 HEX, using the following documentation:
However, on the Firebox side, the error message "No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints." and on the Mikrotik side the message "no phase2" always appears.
I've already reviewed the entire configuration on both sides and everything appears to be OK, but the tunnel doesn't establish.
Can you help me or at least give me a direction?
Best Answers
What Fireware version are you running?
Prior to V12.9.3? Perhaps this?
BoVPN initiated from the wrong external IP address when interface is DHCP and has static secondary addresses
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000Bc4TSAS&lang=en_US
If you have a support contract on your firewall, you should open a support case on this, to get help from a WG rep.
You can turn on diagnostic logging for IKE which may show something more to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
Set the slider to Information or higher
In the Web UI: System -> Diagnostic Log -> VPN -> IKE
Click the down arrow and select Information
Besides Diagnostic Logging, you have 2 other options when the session is trying to connect, and you should see something to help understand this.
1) Web UI -> System Status -> VPN Statistics, click the Debug button
2) in FSM -> Traffic Monitor -> right click -> Diagnostic Tasks -> VPN tab
There is no real other help we can provide without more info, such as some diagnostic logs.
For security reasons, please delete your posted logs and re-post them without the full IP addrs on each end, such as xxx.xxx.104.42
Nothing obvious here.
"Resending IKE_SA_INIT request message" indicates that the other end is not responding to a session initiation packet, but there is no way to know why.
If the remote IP addr is correct on your end and your IP addr is correct on their end, then logs from the other end are needed.
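As an added example (not part of this thread and not WatchGuard's own tooling), the script below applies the reading above to Firebox iked log lines: it parses the syslog priority, timestamp, gateway pair and message body, counts IKE_SA_INIT resends per peer pair, records the final failure reason and the IKE SA state at deletion, and reports whether the failure matches the one-sided "no response" pattern (initiator retried, peer never answered). The sample lines are constructed to match the format of the output posted in this thread, using RFC 5737 documentation addresses and a made-up gateway name.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the Firebox iked format seen in this thread.
# Addresses are RFC 5737 documentation ranges; the gateway name is made up.
SAMPLE_LOG = """\
<158>Dec 14 14:09:57 iked[3056]: (203.0.113.42<->198.51.100.170)Resending IKE_SA_INIT request message (id=0) from 203.0.113.42:500 to 198.51.100.170:500. Gateway-Endpoint:'gw.example'
<158>Dec 14 14:10:02 iked[3056]: (203.0.113.42<->198.51.100.170)Resending IKE_SA_INIT request message (id=0) from 203.0.113.42:500 to 198.51.100.170:500. Gateway-Endpoint:'gw.example'
<158>Dec 14 14:10:05 iked[3056]: (203.0.113.42<->198.51.100.170)Resending IKE_SA_INIT request message (id=0) from 203.0.113.42:500 to 198.51.100.170:500. Gateway-Endpoint:'gw.example'
<155>Dec 14 14:10:05 iked[3056]: msg_id="021A-001B" (203.0.113.42<->198.51.100.170)IKEv2 exchange from 203.0.113.42:500 to 198.51.100.170:500 failed. Gateway-Endpoint='gw.example'. Reason=No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
<158>Dec 14 14:10:05 iked[3056]: (203.0.113.42<->198.51.100.170)Deleting ikeSA(obj=0x94aa7c8) state=SA_INIT_I actions:0x00000012 gateway-endpoint=gw.example, caller=ike2_MsgRetryFail, reason="No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints."
"""

# <PRI>timestamp iked[pid]: [msg_id="..."] (local<->remote)body
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) iked\[(?P<pid>\d+)\]: "
    r'(?:msg_id="(?P<msg_id>[0-9A-Fa-f-]+)" )?'
    r"\((?P<local>[^<]+)<->(?P<remote>[^)]+)\)(?P<body>.*)$"
)


@dataclass
class IkeEvent:
    timestamp: str
    severity: int            # syslog severity: PRI % 8 (0 = emerg .. 7 = debug)
    local: str
    remote: str
    kind: str                # "resend", "delete", "failed" or "other"
    msg_id: Optional[str] = None
    reason: Optional[str] = None
    state: Optional[str] = None


def parse_line(line: str) -> Optional[IkeEvent]:
    """Parse one iked line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    kind, reason, state = "other", None, None
    if body.startswith("Resending IKE_SA_INIT request"):
        kind = "resend"
    elif body.startswith("Deleting ikeSA"):
        kind = "delete"
        s = re.search(r"state=(\S+)", body)
        state = s.group(1) if s else None
    elif " failed." in body:
        kind = "failed"
        r = re.search(r"Reason=(.*)$", body)
        reason = r.group(1).strip() if r else None
    return IkeEvent(m.group("ts"), int(m.group("pri")) % 8, m.group("local"),
                    m.group("remote"), kind, m.group("msg_id"), reason, state)


def classify(s: dict) -> str:
    """Turn per-peer counters into a short triage verdict."""
    no_response = any(r and r.startswith("No response for IKE_SA_INIT")
                      for _, r in s["failures"])
    if no_response and s["last_state"] == "SA_INIT_I":
        return ("initiator never received an IKE_SA_INIT response; verify UDP/500 "
                "reachability to the peer and read the peer's own IKE log")
    if s["failures"]:
        return "IKE exchange failed for another reason; inspect the Reason field"
    if s["resends"]:
        return "retries in progress, no final failure logged yet"
    return "no IKE failure indicators"


def summarize(log_text: str) -> dict:
    """Group events by local<->remote pair and attach a verdict to each pair."""
    summary: dict = {}
    for e in filter(None, map(parse_line, log_text.splitlines())):
        key = f"{e.local}<->{e.remote}"
        s = summary.setdefault(key, {"resends": 0, "failures": [],
                                     "last_state": None, "most_severe": 7})
        if e.kind == "resend":
            s["resends"] += 1
        elif e.kind == "failed":
            s["failures"].append((e.msg_id, e.reason))
        elif e.kind == "delete":
            s["last_state"] = e.state
        s["most_severe"] = min(s["most_severe"], e.severity)  # lower = more severe
    for s in summary.values():
        s["verdict"] = classify(s)
    return summary


if __name__ == "__main__":
    for pair, s in summarize(SAMPLE_LOG).items():
        print(f"{pair}: {s['resends']} resend(s), last state {s['last_state']}, "
              f"worst severity {s['most_severe']} -> {s['verdict']}")
```

Run it against a saved Traffic Monitor or diagnostic-report export to get one line per gateway pair; the verdict only tells you which side to look at next (here, the responder), not why the responder stayed silent.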
Answers
Hi Bruce!
Thank you for the answer.
I'm running V12.10.
I'll try a little bit more and open a case if I have no success.
I turned on the debug logs and got this:
*** WG Diagnostic Report for Gateway "XXX.XXX.XXX" ***
Created On: Thu Dec 14 14:10:13 2023
[Conclusion]
Error Messages for Gateway Endpoint #1(name "XXX.XXX.XXX")
Dec 14 14:10:05 2023 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
[Gateway Summary]
Gateway "XXX.XXX.XXX" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "XXX.XXX.XXX") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Enabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(XXX.XXX.104.42) <-> IP_ADDR(XXX.XXX.56.170)}
Local GW_IP<->Remote GW_IP: {XXX.XXX.104.42 <-> XXX.XXX.56.170}
Outgoing Interface: eth2 (ifIndex=129)
ifMark=0x10002
linkStatus=2 (0:unknown, 1:down, 2:up)
Stored user messages:
Dec 14 14:10:05 2023 ERROR 0x021a001b No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway
[Run-time Info (gateway IKE_SA)]
[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "tunnel.franca.teste"
[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "tunnel.franca.teste"
#1
Tunnel Endpoint: "XXX.XXX.104.42->XXX.XXX.56.170"
Tunnel Selector: XXX.XXX.88.X/24 -> XXX.XXX.88.X/24 Proto: ANY
Created On: Thu Dec 14 12:57:08 2023
Gateway Name: "XXX.XXX.XXX"
Tunnel Name: "tunnel.franca.teste"
[Address Pairs in Firewalld]
Address Pairs for tunnel "tunnel.franca.teste"
Direction: BOTH
XXX.XXX.88.X/24 <-> XXX.XXX.88.X/24
[Policy checker result]
Tunnel name: tunnel.franca.teste
#1 tunnel route XXX.XXX.88.X/24<->XXX.XXX.88.X/24
No policy checker results for this tunnel(no P2SA found or some other error)
[Related Logs]
<158>Dec 14 14:09:57 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Resending IKE_SA_INIT request message (id=0) from XXX.XXX.104.42:500 to XXX.XXX.56.170:500. Gateway-Endpoint:'XXX.XXX.XXX'
<158>Dec 14 14:10:02 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Resending IKE_SA_INIT request message (id=0) from XXX.XXX.104.42:500 to XXX.XXX.56.170:500. Gateway-Endpoint:'XXX.XXX.XXX'
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Resending IKE_SA_INIT request message (id=0) from XXX.XXX.104.42:500 to XXX.XXX.56.170:500. Gateway-Endpoint:'XXX.XXX.XXX'
<155>Dec 14 14:10:05 iked[3056]: msg_id="021A-001B" (XXX.XXX.104.42<->XXX.XXX.56.170)IKEv2 exchange from XXX.XXX.104.42:500 to XXX.XXX.56.170:500 failed. Gateway-Endpoint='XXX.XXX.XXX'. Reason=No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints.
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)stop the given request retry object(0x94a9e28, name="IKE_SA_INIT request", msgId=0)
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)ike2_P1StatusChange: notify ikePcy(XXX.XXX.XXX ver#2)'s status becomes "DOWN" (ikeSA=0x94aa7c8)
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)MWAN-Failover notify ikePcy=0x8ce3ac8(XXX.XXX.XXX ver#2), mwanFlags:0x00000000 p1said=0x0 DOWN continuous-fails:4
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Deleting ikeSA(obj=0x94aa7c8) state=SA_INIT_I actions:0x00000012 gateway-endpoint=XXX.XXX.XXX, caller=ike2_MsgRetryFail, reason="No response for IKE_SA_INIT request message. Check the connection between the local and remote gateway endpoints."
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)no need to delete the child SAs for ikeSA(0x94aa7c8 state:SA_INIT_I)
<158>Dec 14 14:10:05 iked[3056]: (XXX.XXX.104.42<->XXX.XXX.56.170)Free ikeSA(obj=0x94aa7c8 state=IKESA_DELETED)