Pix woes

[reinstalled]

Hi,

Usual issues here with setting up a BOVPN to a pix 501
It appears that Watchguard and Cisco still aren't playing nice on the playground. Since Watchguard's support has turned to ^%#$&^% I thought I'd throw this to the community here.

Watchguard Firebox X-Core X550 to a Pix 501 Cisco
Phase 1 completes just fine. Failing out on phase two with error messages I don't quite understand. (especially "not preferred IKE gateway") Everything is in sync on both ends but still get the same phase two. Switched from MD5 to SHA1 3DES with a 24 hr sa timeout. Tried with pfs on and off.


2007-12-07 08:30:16 iked Phase 2 started by peer with message(id 2e569dac) from x.x.x.x:500 quick mode

2007-12-07 08:30:16 iked WARNING: Rejected phase 2 negotiation from x.x.x.x due to not preferred IKE gateway (multi-WAN)

2007-12-07 08:30:16 iked Rejected QM first message from x.x.x.x:500 to 64.140.67.41 cookies i=e3dc3c86 fa04fb18 r=aa134ec2 995ffdeb

2007-12-07 08:30:16 iked Sending NO_PROPOSAL_CHOSEN message to 24.39.93.74:500

Thanks in advance!!!

 

[joopdog]

Check out

http://www.watchguard.com/forum/default.asp.

You’ll get some great help here.

You’ll to create a username and password, but once you do that, the help will be endless.

In the “Phase 1” setup, make the Key Group (Diffie-Hellman Group1) match at both ends.

In the “Phase 2” setup, make that the Type (ESP), the Authentication (SHA1) and the Encryption (3DES) match on both sides.

 

[Helenp1983]

Hi,

I have the same problem with a bpvpn to a cisco asa.

apparently if you upgrade to fireware version 9 it works ok

 

[sgalper]

With some Pix firewalls, you need to inactivate NAT-T (Nat Traversal). You need to manually edit the .cfg file to do that, instructions are on the Watchguard site.