Question : IPSec VPN to Watchguard XTM 505 behind Draytek 2820

I have the following configuration:

Internal Lan<->Watchguard XTM 505<->Draytek 2820<->Internet.

I want to configure an IPSec Mobile VPN connection to the internal network.

I have enabled VPN passthrough on the Draytek 2820 and, just to be on the safe side, opened ports 1723 (PPTP), 500 (IPSec/ESP) & 1701 (L2TP).

I have run the Mobile VPN with IPSec Wizard on the Watchguard XTM 505 and saved the profile to the XTM 505 and saved the client configuration (*.wgx) files to export to the clients.

I have downloaded and installed the Watchguard Mobile VPN client and imported my configuration (*.wgx) file to the client.

My Internet access is via a home Broadband router and I am wirelessly attached to that, with no problems browsing the Internet.

When I run the client and attempt a VPN connection to my remote network it fails.

The log shows the following entries before dying:

19/05/2010 16:38:25 IPSec: Start building connection
19/05/2010 16:38:25 IpsDial: Generate avaliable provider users - media avaliable is = 2202
19/05/2010 16:38:25 Ike: Outgoing connect request AGGRESSIVE mode - gateway=xxx.xxx.xxx.xxx : Redwood-IPSec-Group
19/05/2010 16:38:25 Ike: XMIT_MSG1_AGGRESSIVE - Redwood-IPSec-Group
19/05/2010 16:38:27 Ike: RECV_MSG2_AGGRESSIVE - Redwood-IPSec-Group
19/05/2010 16:38:27 Ike: IKE phase I: Setting LifeTime to 28800 seconds
19/05/2010 16:38:27 Ike: Turning on XAUTH mode - Redwood-IPSec-Group
19/05/2010 16:38:27 Ike: IkeSa negotiated with the following properties -
19/05/2010 16:38:27   Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
19/05/2010 16:38:27 IPSec: Final Tunnel EndPoint is:xxx.xxx.xxx.xxx
19/05/2010 16:38:27 Ike: Redwood-IPSec-Group ->Support for NAT-T version - 2
19/05/2010 16:38:27 Ike: Turning on NATD mode - Redwood-IPSec-Group - 3
19/05/2010 16:38:27 Ike: XMIT_MSG3_AGGRESSIVE - Redwood-IPSec-Group
19/05/2010 16:38:27 Ike: IkeSa negotiated with the following properties -
19/05/2010 16:38:27   Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
19/05/2010 16:38:27 Ike: Turning on DPD mode - Redwood-IPSec-Group
19/05/2010 16:38:27 Ike: phase1:name(Redwood-IPSec-Group) - connected
19/05/2010 16:38:27 SUCCESS: IKE phase 1 ready
19/05/2010 16:38:27 IPSec: Phase1 is Ready - IkeIndex=4,AltRekey=1
19/05/2010 16:40:14 IPSec: AUTOMEDIA DETECT - Tried all avaliable media types
19/05/2010 16:40:14 IPSec: Disconnected from Redwood-IPSec-Group on channel 1.

So it looks like it's getting through Phase 1 without a problem and I'm assuming my Draytek passthrough is working OK.

I recently tried to install a Netgear VPN client which I paid good money for and eventually gave up as it was not fit for purpose and I'm hoping the Watchguard Mobile VPN Client isn't going to go the same way!

Please can someone out there offer advice on where I may be going wrong?

Thanks

Answer : IPSec VPN to Watchguard XTM 505 behind Draytek 2820

As you are using IPSec you also need to forward IP protocol number 50/51 [depending on whether you are using ESP or AH; please note these are not ports but IP protocol numbers]. Further, you should also forward UDP port 4500 for NAT-T.

Please make these changes and post updated logs.

Thank you.
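A worked triage of the posted log, added here as an example and not part of the original question or answer: it parses the client log from the question, records which IKE events appear, and maps them onto the inbound forwards the router in front of the gateway must provide (UDP 500 for IKE; UDP 4500 once NAT-T is agreed and a NAT is detected, because IKE floats to 4500 and ESP is UDP-encapsulated there; otherwise IP protocol 50/51, which is a protocol number, not a port). The phrase-to-event table, and the phase-2 wording in particular, are this example's own assumptions about the client's log format, not documented WatchGuard client output; NO_NATT_LOG is a constructed variant of the posted log with the NAT-T lines dropped, used only to exercise the other branch.

```python
"""Triage of an IKEv1 client log: what did the handshake establish, and which
inbound forwards must the NAT router in front of the VPN gateway provide?

Added example, not the WatchGuard client's or the poster's code.  LOG is the
log posted in the question (verbatim); NO_NATT_LOG is a constructed variant
with the NAT-T lines removed.  MARKERS are assumed log phrases; the phase-2
phrase is a guess, since the posted log never reaches phase 2.
"""
import re
from datetime import datetime

LOG = """\
19/05/2010 16:38:25IPSec: Start building connection
19/05/2010 16:38:25IpsDial: Generate avaliable provider users - media avaliable is = 2202
19/05/2010 16:38:25Ike: Outgoing connect request AGGRESSIVE mode - gateway=xxx.xxx.xxx.xxx : Redwood-IPSec-Group
19/05/2010 16:38:25Ike: XMIT_MSG1_AGGRESSIVE - Redwood-IPSec-Group
19/05/2010 16:38:27Ike: RECV_MSG2_AGGRESSIVE - Redwood-IPSec-Group
19/05/2010 16:38:27Ike: IKE phase I: Setting LifeTime to 28800 seconds
19/05/2010 16:38:27Ike: Turning on XAUTH mode - Redwood-IPSec-Group
19/05/2010 16:38:27Ike: IkeSa negotiated with the following properties -
19/05/2010 16:38:27  Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=1,KeyLen=0
19/05/2010 16:38:27IPSec: Final Tunnel EndPoint is:xxx.xxx.xxx.xxx
19/05/2010 16:38:27Ike: Redwood-IPSec-Group ->Support for NAT-T version - 2
19/05/2010 16:38:27Ike: Turning on NATD mode - Redwood-IPSec-Group - 3
19/05/2010 16:38:27Ike: XMIT_MSG3_AGGRESSIVE - Redwood-IPSec-Group
19/05/2010 16:38:27Ike: Turning on DPD mode - Redwood-IPSec-Group
19/05/2010 16:38:27Ike: phase1:name(Redwood-IPSec-Group) - connected
19/05/2010 16:38:27SUCCESS: IKE phase 1 ready
19/05/2010 16:38:27IPSec: Phase1 is Ready - IkeIndex=4,AltRekey=1
19/05/2010 16:40:14IPSec: AUTOMEDIA DETECT - Tried all avaliable media types
19/05/2010 16:40:14IPSec: Disconnected from Redwood-IPSec-Group on channel 1.
"""

# Constructed: the same log with the NAT-T / NAT-D lines removed.
NO_NATT_LOG = "\n".join(l for l in LOG.splitlines() if "NAT" not in l)

# Timestamp followed by message; the posted log has no space between them.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*(.*)$")

# Assumed phrase -> event mapping for this client's log wording.
MARKERS = {
    "phase1_ok": "IKE phase 1 ready",
    "nat_t_offered": "Support for NAT-T",    # peer advertises NAT-T (RFC 3947)
    "nat_detected": "Turning on NATD mode",  # NAT-D hashes showed a NAT on the path
    "xauth": "Turning on XAUTH mode",        # user/password step follows phase 1
    "phase2_ok": "phase 2 ready",            # assumed wording; absent from LOG
    "disconnected": "Disconnected from",
}


def parse(log_text):
    """Yield (timestamp, message) per line; continuation lines keep their stamp."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"), m.group(2).strip()


def diagnose(log_text):
    """Return which events occurred, how long the client idled after phase 1,
    and the inbound forwards the NAT router in front of the gateway needs."""
    events = {k: False for k in MARKERS}
    stamps = {}
    for ts, msg in parse(log_text):
        for name, phrase in MARKERS.items():
            if phrase.lower() in msg.lower():
                events[name] = True
                stamps[name] = ts
    nat_t = events["nat_t_offered"] and events["nat_detected"]

    checks = ["UDP 500 -> gateway (IKE phase 1)"]
    if nat_t:
        # NAT-T agreed and a NAT detected: IKE floats to UDP 4500 and ESP is
        # UDP-encapsulated on 4500 (RFC 3947/3948), so protocol 50 is not used.
        checks.append("UDP 4500 -> gateway (floated IKE, XAUTH, phase 2, UDP-encapsulated ESP)")
    else:
        checks.append("IP protocol 50 (ESP) or 51 (AH) -> gateway; a protocol number, not a port")

    stall = None
    if events["phase1_ok"] and events["disconnected"]:
        stall = int((stamps["disconnected"] - stamps["phase1_ok"]).total_seconds())

    if events["phase2_ok"]:
        verdict = "tunnel fully negotiated"
    elif events["phase1_ok"]:
        path = "UDP 4500" if nat_t else "IP protocol 50/51"
        verdict = (f"phase 1 completed over UDP 500, then silence for {stall} s until the "
                   f"client gave up; everything after phase 1 rides on {path}, check that forward first")
    else:
        verdict = "phase 1 never completed: check UDP 500 reaches the gateway, then PSK and group name"

    return {"phase1_ok": events["phase1_ok"], "nat_t_negotiated": nat_t,
            "xauth": events["xauth"], "phase2_ok": events["phase2_ok"],
            "stall_seconds": stall, "checks": checks, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("posted log", LOG), ("constructed no-NAT-T log", NO_NATT_LOG)):
        print(name, diagnose(text), sep="\n  ")
```

On the posted log the verdict is that phase 1 completed and the client then sat idle for 107 seconds before giving up, with NAT-T negotiated, so the forward to verify first is UDP 4500. One caveat the script encodes: with NAT-T the initiator in aggressive mode sends its third message on the floated port, and the client declares phase 1 ready after sending it, so "IKE phase 1 ready" on the client side does not by itself prove that anything on UDP 4500 reached the XTM.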