WatchGuard Firebox 1000 and Cisco Concentrator 3015
Hi, I am trying to create a site-to-site VPN tunnel between the two appliances above. On the Cisco concentrator I am getting the following message:
26720 08/12/2008 16:11:42.780 SEV=5 IKE/35 RPT=3593 126.96.36.199 Group [188.8.131.52] Received remote IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
I'm guessing this is the info sent from the WatchGuard; what I don't understand is why the source address is showing as 0.0.0.0.
Re: WatchGuard Firebox 1000 and Cisco Concentrator 3015
Wow, I'm sure you've figured this out by now, seeing as this was posted on 8/12/2008. However, for the record, what you're seeing is phase 2 information, and that's the proxy ID that your far end is showing as 0/0. Did you make sure your IPsec SAs matched?
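The reply above points at the phase 2 proxy IDs (the traffic selectors each side puts in the IKE ID payload) as the thing to compare. As an added example, not code from either poster, here is a small Python checker that parses concentrator log lines of the form quoted in the question, extracts the local and remote proxy subnets, and flags any that do not match the networks the administrator expects the tunnel to carry. The second sample log line, its IKE/34 event number, and the expected subnets 10.10.0.0/16 and 192.168.1.0/24 are constructed for the example; only the first line is the message from the question.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List

# Constructed sample: line 1 is the message quoted in the question; line 2 is an
# assumed companion "local" message (event number IKE/34 is an assumption here).
SAMPLE_LOG = """\
26720 08/12/2008 16:11:42.780 SEV=5 IKE/35 RPT=3593 126.96.36.199 Group [188.8.131.52] Received remote IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
26721 08/12/2008 16:11:42.790 SEV=5 IKE/34 RPT=3594 126.96.36.199 Group [188.8.131.52] Received local IP Proxy Subnet data in ID Payload: Address 10.10.0.0, Mask 255.255.0.0, Protocol 0, Port 0
"""

# Matches the "Received <side> IP Proxy Subnet data in ID Payload" message body.
PROXY_RE = re.compile(
    r"Received (?P<side>local|remote) IP Proxy Subnet data in ID Payload: "
    r"Address (?P<addr>[\d.]+), Mask (?P<mask>[\d.]+), "
    r"Protocol (?P<proto>\d+), Port (?P<port>\d+)"
)


@dataclass(frozen=True)
class ProxyId:
    side: str            # "local" (this concentrator's side) or "remote" (the peer's side)
    network: IPv4Network # address + mask as a network object
    protocol: int        # 0 means any protocol
    port: int            # 0 means any port


def parse_proxy_ids(log_text: str) -> List[ProxyId]:
    """Extract every proxy ID announced in the given log text."""
    ids: List[ProxyId] = []
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        # ipaddress accepts a dotted-decimal mask after the slash, e.g. 0.0.0.0/0.0.0.0.
        net = IPv4Network(f"{m['addr']}/{m['mask']}")
        ids.append(ProxyId(m["side"], net, int(m["proto"]), int(m["port"])))
    return ids


def check_proxy_ids(ids: List[ProxyId], expected: Dict[str, IPv4Network]) -> List[str]:
    """Compare announced proxy IDs with the subnets the policy expects.

    Returns one human-readable finding per mismatch; an empty list means both
    sides agree on the traffic selectors, which is what a phase 2 SA needs.
    """
    findings: List[str] = []
    for pid in ids:
        want = expected.get(pid.side)
        if want is None or pid.network == want:
            continue
        if pid.network.prefixlen == 0:
            findings.append(
                f"{pid.side} proxy ID is 0.0.0.0/0 (any network) but policy expects {want}; "
                f"the peer is announcing a wildcard selector instead of its real subnet"
            )
        else:
            findings.append(f"{pid.side} proxy ID {pid.network} does not match expected {want}")
    return findings


if __name__ == "__main__":
    # Constructed expectation: what the concentrator's policy says the tunnel should carry.
    policy = {"local": IPv4Network("10.10.0.0/16"), "remote": IPv4Network("192.168.1.0/24")}
    for finding in check_proxy_ids(parse_proxy_ids(SAMPLE_LOG), policy):
        print("MISMATCH:", finding)
```

Run against the question's log line, the checker reports that the remote side announced 0.0.0.0/0 where the policy expects a specific subnet, which is exactly the symptom the original poster saw; the fix is on the peer's tunnel definition, not on the concentrator.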
Port #1 on primary router <---> VPN server
Port #2 on primary router <--> Load Balancer
Load Balancer <--> web-server #1
Load Balancer <--> web-server #2
Load Balancer <--> web-server #3
VPN traffic enters your network through the router to the VPN server, and then from the VPN server back through the router to your internal servers. Web traffic goes through the load balancer for distribution to the collection of servers.
It could be a missing route. Are the file server and email server on the same subnet? If they are, then it is possibly not a routing issue.
Also, it would be worth checking the tunneling settings for the VPNs. If you have specified either only the file server subnet or specifically the file server address, then this could be the reason they can get to nothing else.
1. Obtain the serial number for your security appliance by entering the following command:
hostname# show activation-key
2. Access one of the following URLs.
Use the following website if you are a registered user of
Use the following website if you are not a registered user
3. Enter the following information, when prompted:
Product Authorization Key (if you have multiple keys, enter one of the keys first. You have to enter each key as a separate process.)
The serial number of your security appliance
Your email address
An activation key is automatically generated and sent to the email address that you provide. This key includes all features you have registered so far for permanent licenses. For VPN Flex licenses, each license has a separate activation key.
4. If you have additional Product Authorization Keys, repeat Step 3 for each Product Authorization Key.
After you enter all of the Product Authorization Keys, the final activation key provided includes all of the permanent features you registered.
1. PIX does not like class A addresses; make sure you are using B or C.
2. The VPN subnet always has to be different from the LAN.
3. Has to have a working DNS server.
4. Add a static route, and last resort to the main Ethernet port that has the DNS & R62 (or 2 if on a different subnet).
The key with any VPN solution is to make sure that the configurations on both ends match. I am not very familiar with this particular product, but it looks like you need to have the proper VPN licenses installed first.
There are two types of VPN you can do.
1) Site to Site - This is where there are two static boxes that you want to create an encrypted tunnel between.
2) Remote User Access - This is where mobile users connect to a central site over an encrypted tunnel from their home or on the road.
Next, take a look at the User Guide PDF here:
Chapter 10 tells how to configure the VPN on the Firebox side. You would just duplicate your settings if you're doing option #1.
Chapter 11 tells how to configure the VPN on the client side. This section would tell you how to configure the client software for option #2.
Hope this helps.