Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

9620L and Watchguard IPSEC xauth VPN 2

Status
Not open for further replies.
Jun 13, 2016
2
US
Hello,

This has been a bit challenging,

I've been asked to setup a VPN for the Avaya VOIP/VPN Phone (received documentation for a 9620L)

I'm a bit lost as to why it does not work.

I've setup the mobile vpn in our watchguard xtm26 with IPsec, setup a group, and psk. Added the user to the group, and I tested using an IPsec client on the iPhone (much less configuration!)

Where the phone system lives we have a 10.0.2.0/24 subnet (at the main office)
The VPN pool is 10.0.3.1 through 10.0.3.10

The VPN works from other devices, so I suspect I'm not filling out the form I've been given correctly (Which was taken/modified from a sonicwall user who successfully set it up)

Here is what I provided (Phase1/Phase2 are matching the Watchguard)


VPN Phone Settings
VPN- Enable
VPN Vendor- Juniper
Gateway - (EDITED)
External Phone address- 0.0.0.0
External Router- 0.0.0.0
External Subnet- 0.0.0.0
External DNS- 0.0.0.0
Encapsulation- 4500-4500
Copy tos- no
Auth Type- PSK w/ xauth
User Cred
User Type 1 user
Vpn user avaya1
Password Type Save in Flash
User Password (EDITED / Password assigned in WSM to avaya1)
IKE ID - avayavpn (Group name created in WSM, where users reside)
PSK - (PSK Password assigned to mobile IPsec vpn)

IKE Phase 1
IKE ID Type - IKE_ID
DH Group - 2
Encryption ALG - 3DES
Authentication ALG – SHA1
IKE Xchange Mode - Aggressive
IKE Config Mode - Disable

IKE Phase 2
Encryption ALG - 3DES
Authentication ALG – SHA1
DH Group - No PFS
Protected Nets 10.0.2.0/24
IKE over TCP- Auto

I receive invalid id payload / no matching tunnel route for peer proposed local: 10.0.2.0/24 remote: 10.37.1.50/32

10.0.2.0/24 is in the "allowed resources" window on the vpn policy.

Any help would be appreciated,

Thanks
 
I think if you want to dish out IP addresses locally to VPN phones then you need config mode enabled.

Other than that no experience with Watchguards.

| ACSS SME |
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top