Watchguard SSL VPN and Outlook 2010

24
2014-07
  • Andrew Flierman

    Recently I installed a WatchGuard XTM 21 appliance. Everything went fine until I updated from Office 2007 to Office 2010.

    Behind my WatchGuard appliance I've got an Exchange 2007 server, which I was able to reach with Outlook 2007 (when working remotely over an SSL VPN connection).

    Now with Outlook 2010, working remotely over SSL VPN, I'm not able to reach my Exchange server.

    Do I need to change some settings (port configuration?) specific to Outlook 2010 on my WatchGuard appliance?


    Related Question

    networking - VPN: Cisco / Watchguard: IKE lost contact with remote peer
  • DrStalker

    I'm trying to set up a LAN-to-LAN VPN between a Cisco ASA 5510 (7.0(5) firmware, IP 222.222.222.222) and a Watchguard X750e firewall (10.2 firmware, IP 111.111.111.111).

    Phase 1 comes up but then the message "IKE lost contact with remote peer, deleting connection" comes up in the logs and the ASA never starts Phase 2 configuration. What could be causing this?

    Log and config information follows, sorry about the ugly looking wall of text:

    From the logs at the ASA end:

    Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
    Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
    Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
    Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
    Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
    Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
    Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    

    And at the Watchguard end:

    11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161"             Debug
    11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156"      Debug
    11:08:40 iked  Process 5/6 Msg : failed to process ID payload              Debug
    
    11:17:00 iked  Process 5/6 Msg : failed to process ID payload 4           Debug
    11:17:00 iked  Process INFO_EXCHANGE : EncryptBit set before SA created              Debug
    11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059"       Debug
    

    The config at our end looks like this:

    object-group network REMOTENETWORK
     network-object 215.12.34.0 255.255.255.0
    
    access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK 
    access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK 
    
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer 111.111.111.111 
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    
    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 ipsec-attributes
     pre-shared-key SECRETKEY
    

    Screenshots of remote Watchguard config for phase 1 and 2:

    http://www.infinitemonkeyproductions.net/wow_forum/watchguard1.jpg

    http://www.infinitemonkeyproductions.net/wow_forum/watchguard2.jpg
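
Added example, not part of the original post: a small triage script for ASA syslog output like the excerpt above. It reports peers where Phase 1 completed, every DPD R-U-THERE probe went unanswered, and the SA was then deleted (message 713123). The function names are hypothetical, the sample lines are abridged from the post, and the `R-U-THERE-ACK` text used to recognise an answered probe is an assumption about how the ASA logs the reply.

```python
import re

# Constructed sample: lines abridged from the ASA excerpt in the post above.
P = "Group = 111.111.111.111, IP = 111.111.111.111, "
SAMPLE_LOG = "\n".join([
    "Jun 12 2009 21:00:51: %ASA-3-713119: " + P + "PHASE 1 COMPLETED",
    "Jun 12 2009 21:00:52: %ASA-7-715036: " + P + "Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)",
    "Jun 12 2009 21:00:54: %ASA-7-715036: " + P + "Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)",
    "Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2",
    "Jun 12 2009 21:00:56: %ASA-7-715036: " + P + "Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)",
    "Jun 12 2009 21:00:58: %ASA-3-713123: " + P + "IKE lost contact with remote peer, deleting connection (keepalive type: DPD)",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
PEER_RE = re.compile(r"IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
SEQ_RE = re.compile(r"DPD R-U-THERE \(seq number (0x[0-9a-f]+)\)")

def triage(log_text):
    """Per peer IP: Phase 1 state, DPD probe sequence numbers sent,
    number of probe acknowledgements seen, and lost-contact teardown."""
    peers = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        ip = PEER_RE.search(m["text"]) if m else None
        if not ip:
            continue  # unparsable line, or one that names no peer
        st = peers.setdefault(ip["ip"], {"phase1": False, "probes": [],
                                         "acked": 0, "lost_contact": False})
        text = m["text"]
        if m["msgid"] == "713119" and "PHASE 1 COMPLETED" in text:
            st["phase1"] = True
        elif (seq := SEQ_RE.search(text)):
            st["probes"].append(int(seq.group(1), 16))
        elif "R-U-THERE-ACK" in text:  # assumed wording of an answered probe
            st["acked"] += 1
        elif m["msgid"] == "713123":
            st["lost_contact"] = True
    return peers

def dead_peers(peers):
    """Peers that finished Phase 1, never answered a probe, and were dropped."""
    return [ip for ip, st in peers.items()
            if st["phase1"] and st["probes"]
            and st["acked"] == 0 and st["lost_contact"]]

if __name__ == "__main__":
    print(dead_peers(triage(SAMPLE_LOG)))
```
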

