xelerance/Openswan

Problems connecting with Watchguard

Opened this issue · 10 comments

Hi guys,
I am trying to connect to a WatchGuard IPsec server to create a site-to-site connection using Openswan on CentOS 7. I have whitelisted the ports and did the configuration according to some tutorial, and it seems that when I type in "ipsec status" I am connected, as it shows Total IPsec connections: loaded 1, active 1.
I have verified that the issue is probably on my end, as I get
010 "evrytunnel" #20: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
010 "evrytunnel" #20: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
010 "evrytunnel" #20: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
010 "evrytunnel" #20: STATE_QUICK_I1: retransmission; will wait 4 seconds for response

when trying to manually run the tunnel connection.
Can you guys help me verify what it is? If some logs are needed, please tell me how to gather them.

mcr commented

I will try to send you guys the logs from the other side and try IKEv2, but I don't know if the WatchGuard server is capable of it.
It seems I am connected and authenticated (as it says), but I can't see anything. Maybe this will show you guys something I don't see.

Any ideas, someone? We tried IKEv2, but the tunnel is now displaying as half open and we are getting the same message as in my first post.

Can you please run ipsec barf and provide a link to the output (via pastebin, gist, etc)?

Sure,
Now we moved to IKEv2, but the problem is very similar.

xxx - removed

OK, I think the tunnel is up now, but I still can't ping. I have the left source and right source IP specified, but I think there is no routing?

Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #1: Peer ID is ID_IPV4_ADDR: '213.212.31.158'
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 ...oup=MODP2048}
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=97eb4dd9, length=28
Jul 06 02:13:14 localhost.localdomain pluto[18175]: | ISAKMP Notification Payload
Jul 06 02:13:14 localhost.localdomain pluto[18175]: | 00 00 00 1c 00 00 00 01 03 04 60 00
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #2: route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route replace 10.10.15.0/24 via 212.91.130.193 dev em1...lid argument)
Jul 06 02:13:14 localhost.localdomain pluto[18175]: "evrytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5161f8a1 <0x56eb4a10 xfrm=AES_CBC_256-HMAC_SHA1_96 NATO...e DPD=active}
Hint: Some lines were ellipsized, use -l to show in full.

mcr commented

So far, you haven't posted (that I can see), any logs from the WatchGuard. Since you paid them money, why not ask them to investigate?

I haven't paid them money; WatchGuard is used by a company we are trying to establish an IPsec tunnel with.
However, I think I have established the tunnel but I still cannot ping anything. I see the route is missing, and when I try to add it I get

ip route add 10.10.15.0/24 via 212.xxx.xxx.197 dev em1 src 10.10.6.0
RTNETLINK answers: Invalid argument

Any ideas why?
I thought that maybe I need to add their IP address to the route, but then I get:
ip route add 10.10.15.0/24 via 213.xxx.xxx.158 dev em1 src 10.10.6.0
RTNETLINK answers: Network is unreachable
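A pre-check for the two RTNETLINK errors quoted above, added here as an example (not from the issue or from Openswan's own scripts): it parses a constructed `ip -o -4 addr show` listing and an `ip route add` command, and reports whether the gateway lies on a directly connected subnet of the device (otherwise the kernel answers Network is unreachable) and whether the `src` address is actually configured on this host (otherwise Invalid argument). The interface names and addresses in the sample are assumptions.

```python
import ipaddress
import shlex

# Constructed, abridged sample of `ip -o -4 addr show` output (not from the issue).
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: em1    inet 192.0.2.10/29 brd 192.0.2.15 scope global em1
3: em2    inet 10.10.6.1/24 brd 10.10.6.255 scope global em2
"""


def parse_addrs(text):
    """Return {ifname: [IPv4Interface, ...]} from `ip -o -4 addr show` lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "inet":
            continue
        table.setdefault(parts[1], []).append(ipaddress.ip_interface(parts[3]))
    return table


def check_route(cmd, addr_text):
    """Explain why `ip route add ... via GW dev IF src SRC` would be rejected.

    Returns None when both checks pass, otherwise a string naming the problem.
    The gateway is checked first, matching the order in which the kernel
    validates a new route (nexthop before preferred source).
    """
    tokens = shlex.split(cmd)
    opts = {tokens[i]: tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i] in ("via", "dev", "src")}
    addrs = parse_addrs(addr_text)
    dev = opts.get("dev")
    if dev not in addrs:
        return f"Invalid argument: device {dev!r} has no IPv4 address"
    # The gateway must be reachable on a subnet connected to dev (else ENETUNREACH).
    if "via" in opts:
        gw = ipaddress.ip_address(opts["via"])
        if not any(gw in a.network for a in addrs[dev]):
            return f"Network is unreachable: gateway {gw} not on a subnet of {dev}"
    # The preferred source must be a local address, not a network address (else EINVAL).
    if "src" in opts:
        src = ipaddress.ip_address(opts["src"])
        if not any(src == a.ip for ifs in addrs.values() for a in ifs):
            return f"Invalid argument: src {src} is not a local address"
    return None


if __name__ == "__main__":
    print(check_route("ip route add 10.10.15.0/24 via 192.0.2.9 dev em1 src 10.10.6.0", SAMPLE_ADDRS))
```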

mcr commented