Watchguard SSL VPN and Outlook 2010

21
2014-04
  • Andrew Flierman

    Recently I installed a WatchGuard XTM 21 appliance. Everything went fine until I updated from Office 2007 to Office 2010.

    Behind my WatchGuard appliance I've got an Exchange 2007 server, which I was able to reach with Outlook 2007 (when working remotely over an SSL VPN connection).

    Now with Outlook 2010, working remotely over SSL VPN, I'm not able to reach my Exchange server.

    Do I need to change some settings (port configuration?) specific to Outlook 2010 on my WatchGuard appliance?

  • Answers
  • TessellatingHeckler

    Did Outlook 2010 try to autoconfigure your account when you set it up? If so, it might have picked up some non-working settings for Outlook Anywhere and be trying to connect over those instead.

  • NigeH

    Be aware that Outlook 2010 will attempt to use the CAS services (autodiscover etc) even if you think it shouldn't. Chances are that you will need to allow access to your CAS servers to be able to make progress with Outlook 2010.


  • Related Question

    networking - VPN: Cisco / Watchguard: IKE lost contact with remote peer
  • DrStalker

    I'm trying to set up a LAN-to-LAN VPN between a Cisco ASA 5510 (7.0(5) firmware, IP 222.222.222.222) and a WatchGuard X750e firewall (10.2 firmware, IP 111.111.111.111).

    Phase 1 comes up, but then the message "IKE lost contact with remote peer, deleting connection" appears in the logs and the ASA never starts Phase 2 negotiation. What could be causing this?

    Log and config information follows, sorry about the ugly looking wall of text:

    From the logs at the ASA end:

    Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
    Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
    Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
    Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
    Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
    Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
    Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    

    And at the WatchGuard end:

    11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161"             Debug
    11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156"      Debug
    11:08:40 iked  Process 5/6 Msg : failed to process ID payload              Debug
    
    11:17:00 iked  Process 5/6 Msg : failed to process ID payload 4           Debug
    11:17:00 iked  Process INFO_EXCHANGE : EncryptBit set before SA created              Debug
    11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059"       Debug
    

    The config at our end looks like this:

    object-group network REMOTENETWORK
     network-object 215.12.34.0 255.255.255.0
    
    access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK 
    access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK 
    
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer 111.111.111.111 
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    
    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 ipsec-attributes
     pre-shared-key SECRETKEY
    

    Screenshots of the remote WatchGuard config for phase 1 and 2:

    http://www.infinitemonkeyproductions.net/wow_forum/watchguard1.jpg

    http://www.infinitemonkeyproductions.net/wow_forum/watchguard2.jpg
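A small triage script, added here and not part of the question or any answer: it parses a subset of the two log excerpts above (Cisco ASA syslog lines and WatchGuard iked lines), counts DPD R-U-THERE probes that never received an acknowledgement, and checks whether the WatchGuard side logged the ID-payload mismatch. The verdict labels and the sample subset are my own; the IP addresses are the placeholders the poster used.

```python
import re

# Constructed sample: a subset of the lines quoted in the question above.
ASA_LOG = """\
Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""
WG_LOG = """\
11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156"
11:08:40 iked  Process 5/6 Msg : failed to process ID payload
"""

# Cisco ASA syslog tag: %ASA-<severity>-<six-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg>\d{6}): (?P<text>.*)")


def parse_asa(line):
    """Return (severity, message id, text) for an ASA syslog line, or None if not one."""
    m = ASA_RE.search(line)
    return (int(m["sev"]), m["msg"], m["text"]) if m else None


def triage(asa_log, wg_log):
    """Correlate both ends of the tunnel into one diagnosis dict."""
    events = [e for e in map(parse_asa, asa_log.splitlines()) if e]
    ids = [msg for _, msg, _ in events]
    r = {
        "phase1_completed": "713119" in ids,           # ASA believes main mode finished
        "dpd_sent": sum("R-U-THERE" in t and "ACK" not in t for *_, t in events),
        "dpd_acked": sum("R-U-THERE-ACK" in t for *_, t in events),  # peer replies, if any
        "lost_contact": "713123" in ids,               # ASA tore the SA down
        "peer_id_mismatch": "Mismatched ID settings" in wg_log,  # WatchGuard rejected the ID payload
    }
    if r["peer_id_mismatch"] and r["lost_contact"]:
        r["verdict"] = "peer_id_mismatch"      # fix the phase-1 gateway ID on the WatchGuard side
    elif r["dpd_sent"] and not r["dpd_acked"] and r["lost_contact"]:
        r["verdict"] = "dpd_unanswered"        # peer silent: DPD interop or path problem
    else:
        r["verdict"] = "inconclusive"
    return r


if __name__ == "__main__":
    for key, value in triage(ASA_LOG, WG_LOG).items():
        print(f"{key}: {value}")
```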


  • Related Answers
  • Aaron Bush

    Here is a link to some tips on IKE SA mismatches that may help (some debug commands to look at are also covered):

    http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html

  • Mahriman

    Have you tried disabling DPD? DPD between different vendors may work so-so... Are both devices set to use main mode? Go over the settings again and again...

  • splattne

    You have to give a DNS name or an IP address to the gateway IP in phase one.

    Put the IP address in and select IP in the dropdown box under it.