Struggling with 9650 VPN Phone Through Watchguard to IP Office v2 R8

Mar 8, 2008
I have spent a solid day on this issue, and hoped that if I documented my setup the issue would present itself to me... It didn't.

Can I ask that you read through my set up and point out any issues you see?

Avaya 9650 VPN Phone on IP Office 8.0 with Watchguard XTM 330
IP Office Settings:
Verify IP Endpoint license for new phone
Add route 10.0.2.0 / 255.255.255.0 / GW 10.38.20.71 (IP Office LAN GW) for connectivity to phone on remote network
Program new extension / point DID # / VM, etc
Save
Watchguard XTM330 settings
Mobile VPN with IPSEC
Enter new group xxxxxIPSEC
General Settings tab
Auth Server: Firebox-DB
Passphrase: MAC Address of phone
Confirm: MAC address of phone
Firebox IP Addresses
Primary: xxx.xxx.xxx.xxx (Primary Internet connection public static IP Address)
Backup: xxx.xxx.xxx.xxx (Secondary Internet connection public static IP Address)
Timeouts: left blank
IPSEC Settings tab
Select radio button for “Use the passphrase of the end user profile as the pre-shared key”
CA IP Address – blank
Timeout: grayed out
Phase 1 Settings:
Auth: SHA-1
Encryption: AES(128-bit)
Advanced button:
SA Life: 8 hours
Key Group: Diffie-Hellman Group 2
NAT Traversal checked
Keep-alive interval: 20 seconds
Ike keep-alive: unchecked
Dead peer detection: checked
Traffic idle timeout: 90 seconds
Max retries: 5
Click Return to General Settings
Phase 2 Settings
PFS checked
Diffie-Hellman Group 2
Click Advanced button / Phase 2 Proposal
Type: ESP
Auth: SHA-1
Encryption: AES(128-bit)
Force Key Expiration
Time checked / 8 hours
Traffic checked / 128000 kilobytes
Return to General Settings
Resources Tab
Allow All Traffic Through Tunnel checked
Allowed Resources: Any-External & 0.0.0.0/0
Choose Type: Host IP
Host IP: address field left blank
Advanced Tab
Line Management
Connect Mode: Automatic
Inactivity Timeout: 0 seconds (I assume this setting means it does not time out)

Avaya 9650 Phone
Entered craft menu
Cleared Settings
Entered craft menu
Group: 876
Entered craft menu
VPN Settings:
Page Labeled VPN Settings
VPN: Enabled
VPN Vendor: Juniper/Netscreen
Gateway Address: xxx.xxx.xxx.xxx (Primary Internet connection public static IP Addr)
External Phone IP Address: 0.0.0.0
External Router: 0.0.0.0
External Subnet Mask: 255.255.255.248 (/29 because Pub Static IP Addr is /29?)
External DNS Server: 8.8.8.8
Encapsulation: 4500-4500
Copy TOS: No
Next page to right / Labeled VPN Config. Auth Type
Auth Type: PSK with XAUTH (Can’t remember where this is in Firewall settings?)
Next page to right/Labeled User Cred.
VPN User Type: Any
VPN User: vpn_phone
Password Type: Save in Flash
Next page to right / Labeled Password Entry
User PW: MAC Address of phone (can’t remember where this is in Firewall settings?)
Next page to right / Labeled IKE PSK
IKE ID GROUP Name: xxxxxxxIPSEC
Pre-Shared Key: 309er$W@ (can’t remember where this is in Firewall settings?)
Next page to right / Labeled IKE Phase 1
IKE ID Type: KEY_ID
IKE Xchg Mode: Aggressive
IKE DH Group: 2
IKE Encryption Alg: AES-128
IKE Auth Alg: SHA-1
IKE Config Mode: Enabled
Next page to right / Labeled IKE Phase 2
IPSEC PFS DH Group: 2
IPSEC Encryption Alg: AES-128
IPSEC Auth Alg: SHA-1
Protected Network: 0.0.0.0/0
Next page to right / Labeled IKE Over TCP
IKE over TCP: Never
Next page to right / Returns to VPN Settings Page
Exit
Entered craft menu
ADDR
Phone: 0.0.0.0
Call Server: xxx.xxx.xxx.xxx (IP Address of IP Office)
Router: xxx.xxx.xxx.xxx (IP Address of Primary Static Public IP)
Mask: 255.255.255.248 (/29)
HTTP Server: xxx.xxx.xxx.xxx (IP Address of IP Office)
HTTPS Server: xxx.xxx.xxx.xxx (IP Address of IP Office)
802.1Q: Auto
VLAN ID: 0 (No VLANs in this network)
VLAN Test: 60 (default)
Press Back
Press Exit

The phone attempts to connect, I can see it go to the Firewall's public address, then exchange keys, and that is when it fails.

I pulled a number of logs from the firewall. Here they are:

Error Messages from Watchguard
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)Phase 1 IkeRetryTimeout: IsakmpSA NOT Matured (Gateway xxxxxxxIPSEC_mu)
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)Drop negotiation to peer 66.41.90.204:2070 due to phase 1 retry timeout
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)ike_p1_status_chg: ikePcyName=xxxxxxxIPSEC_mu, status=DOWN
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)ikeMultiWanVpnFailOver: -->
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)MWAN-Failover no need to do failover for muvpn case(ikePcyName=xxxxxxxIPSEC_mu, vpntype=2)
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)IkeDeleteIsakmpSA: try to delete Isakmp SA 0x101532e0 for Gateway WarehouseIPSEC_mu
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)Totally 0 Pending P2 SA Requests Got Dropped.
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)IkeDeleteIsakmpSA: Stop Phase One Retry and Life Timer
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)IkeDeleteIsakmpSA: Stop Phase One DPD Retry timer
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)IkeDeleteIsakmpSA: found it, remove IkeSA 0x101532e0 from IkePolicy
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)IkeDeleteIsakmpSA: from pcy list, P1SANum created 12, active 0
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)IkeDropIkeSAByAddr: delete IkeSA from peerTable idx 17 peer1 0xd1178e05 peer2 0x42295acc
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)(Delete P1SA) rasUserCapacity 5 count 0
Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)(Delete P1SA) maxPendingP2SARequest 128 current 0

Can anyone see what I am missing? Of course, the names have been changed to protect the innocent...
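Added example, not from the original post and not Avaya or WatchGuard code: a small Python script that encodes the two configurations exactly as written in the post above and checks the items that have to agree for an IKEv1 aggressive-mode tunnel authenticated with PSK + XAUTH (the IKE ID group name, the effective pre-shared key given the Firebox option "Use the passphrase of the end user profile as the pre-shared key", the XAUTH password, and the Phase 1 / Phase 2 proposals), then parses the posted iked log lines to confirm which phase the negotiation dies in. The dictionaries are constructed from the post; masked values (xxx, the phone's MAC address) stay as placeholders and are not real secrets.

```python
import re

# Constructed from the Firebox "Mobile VPN with IPSec" group in the post above.
FIREBOX_GROUP = {
    "name": "xxxxxxxIPSEC",
    "passphrase": "<MAC address of phone>",   # Firebox-DB user passphrase
    "psk_from_passphrase": True,               # "Use the passphrase ... as the pre-shared key"
    "p1": {"enc": "AES-128", "auth": "SHA-1", "dh": 2},
    "p2": {"proto": "ESP", "enc": "AES-128", "auth": "SHA-1", "pfs_dh": 2},
}

# Constructed from the 9650 craft-menu VPN pages in the post above.
PHONE_VPN = {
    "ike_id_group": "xxxxxxxIPSEC",
    "xauth_user": "vpn_phone",
    "xauth_password": "<MAC address of phone>",
    "psk": "309er$W@",
    "xchg_mode": "Aggressive",
    "p1": {"enc": "AES-128", "auth": "SHA-1", "dh": 2},
    "p2": {"proto": "ESP", "enc": "AES-128", "auth": "SHA-1", "pfs_dh": 2},
}


def check_config(firebox, phone):
    """Compare both ends of the tunnel and return a dict of findings."""
    # With "use passphrase as PSK" the Firebox's effective IKE PSK *is* the user passphrase,
    # so the phone's IKE PSK page must carry that same value, not a separate secret.
    effective_psk = firebox["passphrase"] if firebox["psk_from_passphrase"] else firebox.get("psk")
    return {
        "group_name_match": firebox["name"] == phone["ike_id_group"],
        "psk_match": effective_psk == phone["psk"],
        "xauth_password_match": firebox["passphrase"] == phone["xauth_password"],
        "p1_mismatches": [k for k in firebox["p1"] if firebox["p1"][k] != phone["p1"].get(k)],
        "p2_mismatches": [k for k in firebox["p2"] if firebox["p2"][k] != phone["p2"].get(k)],
    }


# Matches the "Process=iked msg=(local<->remote)text" shape of the posted log lines.
LOG_RE = re.compile(r"Process=iked msg=\((?P<local>[^<]+)<->(?P<remote>[^)]+)\)(?P<text>.*)")

# Constructed sample: two of the posted lines, with the same masking as in the post.
SAMPLE_LOG = [
    "Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)Phase 1 IkeRetryTimeout: "
    "IsakmpSA NOT Matured (Gateway xxxxxxxIPSEC_mu)",
    "Process=iked msg=(209.xxx.xxx.5<->66.xxx.xxx.xxx)ike_p1_status_chg: "
    "ikePcyName=xxxxxxxIPSEC_mu, status=DOWN",
]


def parse_iked(lines):
    """Pull the peer pair, gateway name, Phase 1 timeout marker and final status out of iked lines."""
    out = {"local": None, "remote": None, "gateway": None, "phase1_timeout": False, "status": None}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        out["local"], out["remote"] = m["local"], m["remote"]
        text = m["text"]
        if "Phase 1 IkeRetryTimeout" in text:
            out["phase1_timeout"] = True      # ISAKMP SA never completed: Phase 1 failed
        g = re.search(r"Gateway (\S+?)\)", text)
        if g:
            out["gateway"] = g.group(1)
        s = re.search(r"status=(\w+)", text)
        if s:
            out["status"] = s.group(1)
    return out


if __name__ == "__main__":
    for key, value in check_config(FIREBOX_GROUP, PHONE_VPN).items():
        print(f"{key}: {value}")
    print(parse_iked(SAMPLE_LOG))
```

Run as-is, the script reports that the group name, XAUTH password and both proposals agree but that `psk_match` is False, since the Firebox is told to use the user passphrase (the MAC address) as the PSK while the phone's IKE PSK page carries a different string; the log parser confirms the retry timeout is in Phase 1, which is where a PSK mismatch in aggressive mode surfaces. Swap in your own (unmasked) values to re-run the same checks on a live configuration.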
 
Might be wrong but...

You have activated "Use the passphrase of the end user profile as the pre-shared key" in the Firebox, so the PSK should correspond with the passphrase of the end user profile = MAC address of phone.

You also have entered the mask in several places in the phone where you left other IP addresses blank, implying that it should be auto-detected. (ADDR/MASK + EXT ADDR MASK)

I have often encountered problems when I use the same Auth encryption on both gateway and tunnel. Try to alter them so they differ between P1 and P2.

Hope this helps! :)



E Soderholm,

Aut inveniam viam aut faciam.