Trying to set up a WatchGuard to 3120 site-to-site VPN. Got the VPN and all four tunnels showing up, but no traffic from any network on the 3120 to any network on the WatchGuard M370. Also noticed I can't access my 3120 via the web GUI, which has never in my life been an issue. Does a 3120 use IKEv1 or IKEv2?
!
!
! ADTRAN OS version R12.3.4.E
! Boot ROM version 17.01.01.B2
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1519AM251
!
!
hostname "NetVanta3120"
enable password level 2 Inn6517pri!
enable password Inn6517pri!
!
!
ip subnet-zero
ip classless
ip default-gateway 50.76.236.102
ip routing
domain-proxy
name-server 75.75.75.75 75.75.76.76
!
!
no auto-config
!
no event-history
no logging email
!
no service password-encryption
!
username "admin" password "Inn6517pri!"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.20
ip dhcp excluded-address 192.168.11.245 192.168.11.254
ip dhcp excluded-address 192.168.12.1 192.168.12.20
ip dhcp excluded-address 192.168.12.245 192.168.12.254
!
ip dhcp pool "Private"
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.1
netbios-node-type h-node
default-router 10.10.10.1
!
ip dhcp pool "Vlan 1 192.168.11.0/24"
network 192.168.11.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 192.168.11.254
tftp-server us.ntp.pool.org
option 43 ascii id:ipphone.mitel.com;sw_tftp=192.168.2.2;call_srv=192.168.2.2;vlan=2;l2p=6;dscp=46;ipa_srv=192.168.2.2
!
ip dhcp pool "Vlan 2 192.168.12.0/24"
network 192.168.12.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 192.168.12.254
tftp-server us.ntp.pool.org
option 43 ascii id:ipphone.mitel.com;sw_tftp=192.168.2.2;call_srv=192.168.2.2;vlan=2;l2p=6;dscp=46;ipa_srv=192.168.2.2
!
!
!
ip crypto
!
crypto ike policy 100
initiate main
respond anymode
local-id address 50.76.236.97
peer 45.73.148.18
attribute 1
encryption 3des
authentication pre-share
group 2
!
crypto ike remote-id address 45.73.148.18 preshared-key Inn6517pri! ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha1-hmac esp-aes-256-cbc esp-sha1-hmac
mode tunnel
!
ip crypto map VPN 10 ipsec-ike
description 8251 to 6517
match address ip VPN-10-vpn-selectors
set peer 45.73.148.18
set transform-set esp-aes-256-cbc-esp-sha1-hmac
ike-policy 100
!
!
!
!
vlan 1
name "Default"
!
vlan 2
name "Vlan 2 192.168.12.0"
!
!
interface eth 0/1
description gig coax
ip address 50.76.236.97 255.255.255.248
ip access-policy Public
ip crypto map VPN
no shutdown
no lldp send-and-receive
!
!
interface switchport 0/1
spanning-tree edgeport
no shutdown
!
interface switchport 0/2
no shutdown
!
interface switchport 0/3
no shutdown
!
interface switchport 0/4
description 8251 vlan 1
no shutdown
!
!
!
interface vlan 1
description Vlan 1
ip address 192.168.11.254 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 2
description Vlan 2
ip address 192.168.12.254 255.255.255.0
ip mtu 1500
ip access-policy Private
no awcp
no shutdown
!
!
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended VPN-10-vpn-selectors
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended web-acl-3
remark Admin Access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
ip access-list extended web-acl-4
remark remote access
permit tcp any any eq https log
permit tcp any any eq ssh log
permit icmp any any echo log
!
ip access-list extended web-acl-6
permit ip any any
!
!
!
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
allow list self self
nat source list wizard-ics interface eth 0/1 overload
allow list VPN-20-vpn-selectors1 stateless
allow list VPN-10-vpn-selectors2 stateless
allow list self self
allow list web-acl-6 policy Private
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
allow list web-acl-4 self
allow list web-acl-4 self
allow reverse list VPN-20-vpn-selectors1 stateless
allow reverse list VPN-10-vpn-selectors2 stateless
allow list web-acl-3 self
!
!
ip route 0.0.0.0 0.0.0.0 50.76.236.102
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
login
!
line telnet 0 4
login
password Inn6517pri!
no shutdown
line ssh 0 4
login local-userlist
!
sntp server us.pool.ntp.org
!
!
!
!
!
!
This setup was tabled for the past 6 months and now the implementation has been put back into play. I have defaulted both devices and set it back up with basically the same results: all tunnels are up but no traffic is passing in either direction. I am somewhat of a master inside of the WatchGuard and have my fair share of experience inside the ADTRAN routers, as this is what we tend to use for voice. I must say I am really disappointed that this post has been up for over six months and has not had any form of response at all!
Well, the first thing you probably want to do now is change your passwords, enable password-encryption, disable telnet and put an ACL on the ssh lines.
Then run a debug ipsec on both ends, make sure your ACLs for protected networks are reciprocal, try to push some interesting traffic.
It's IKEv1.
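Two of the checks in the reply above can be done mechanically against the posted config: whether every ACL the policy-classes reference is actually defined (the posted Private/Public classes reference VPN-20-vpn-selectors1 and VPN-10-vpn-selectors2, which do not exist), and whether each local selector has its mirror image on the WatchGuard side. This is an added Python example, not the poster's or ADTRAN's code; the AOS excerpt is copied from the post, while the WatchGuard tunnel list is a constructed sample with one pair deliberately missing.

```python
import ipaddress
import re

# Constructed excerpt of the posted AOS config (selector ACL + policy-class references).
AOS_EXCERPT = """\
ip access-list extended VPN-10-vpn-selectors
permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
allow list VPN-20-vpn-selectors1 stateless
allow list VPN-10-vpn-selectors2 stateless
"""
# Constructed WatchGuard-side tunnel routes as (local, remote) from the WatchGuard's view.
WATCHGUARD_TUNNELS = [
    ("192.168.1.0/24", "192.168.11.0/24"),
    ("192.168.2.0/24", "192.168.12.0/24"),
    ("192.168.1.0/24", "192.168.12.0/24"),
]

def wildcard_to_network(addr, wildcard):
    """AOS ACLs use inverse masks: 0.0.0.255 -> /24."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def parse_config(config):
    """Return ({acl: [(src, dst)]}, {policy-class: [ACL names it references]})."""
    acls, refs, section, kind = {}, {}, None, None
    quad = r"(\d+\.\d+\.\d+\.\d+)"
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            kind, section = "acl", acls.setdefault(m[1], [])
        elif m := re.match(r"ip policy-class (\S+)", line):
            kind, section = "policy", refs.setdefault(m[1], [])
        elif kind == "acl" and (m := re.match(rf"permit ip {quad} {quad} {quad} {quad}", line)):
            section.append((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
        elif kind == "policy" and (m := re.search(r"\blist (\S+)", line)):
            section.append(m[1])
    return acls, refs

def undefined_acl_refs(acls, refs):
    """ACL names a policy-class uses but the config never defines."""
    return sorted({n for names in refs.values() for n in names if n not in acls})

def unmatched_selectors(local_pairs, peer_pairs):
    """Local (src, dst) selectors with no mirror (dst, src) on the peer."""
    peer = set(peer_pairs)
    return sorted(p for p in local_pairs if (p[1], p[0]) not in peer)
```

Feed `show running-config` output to `parse_config` and the WatchGuard's BOVPN local/remote network pairs to `unmatched_selectors`; any pair it returns is a selector the peer will never negotiate a child SA for.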