Anonymous
Not applicable

watchguard

Trying to set up a WatchGuard to 3120 site-to-site VPN. Got the VPN and all four tunnels showing up, but no traffic from any network on the 3120 to any network on the WatchGuard M370. Also noticed I can't access my 3120 via the web GUI, which has never in my life been an issue. Does a 3120 use IKEv1 or IKEv2?

!
!
! ADTRAN OS version R12.3.4.E
! Boot ROM version 17.01.01.B2
! Platform: NetVanta 3120, part number 1700601G2
! Serial number LBADTN1519AM251
!
!
hostname "NetVanta3120"
enable password level 2 Inn6517pri!
enable password Inn6517pri!
!
!
ip subnet-zero
ip classless
ip default-gateway 50.76.236.102
ip routing
domain-proxy
name-server 75.75.75.75 75.75.76.76
!
!
no auto-config
!
no event-history
no logging email
!
no service password-encryption
!
username "admin" password "Inn6517pri!"
!
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.20
ip dhcp excluded-address 192.168.11.245 192.168.11.254
ip dhcp excluded-address 192.168.12.1 192.168.12.20
ip dhcp excluded-address 192.168.12.245 192.168.12.254
!
ip dhcp pool "Private"
  network 10.10.10.0 255.255.255.0
  dns-server 10.10.10.1
  netbios-node-type h-node
  default-router 10.10.10.1
!
ip dhcp pool "Vlan 1 192.168.11.0/24"
  network 192.168.11.0 255.255.255.0
  dns-server 75.75.75.75 75.75.76.76
  default-router 192.168.11.254
  tftp-server us.ntp.pool.org
  option 43 ascii id:ipphone.mitel.com;sw_tftp=192.168.2.2;call_srv=192.168.2.2;vlan=2;l2p=6;dscp=46;ipa_srv=192.168.2.2
!
ip dhcp pool "Vlan 2 192.168.12.0/24"
  network 192.168.12.0 255.255.255.0
  dns-server 75.75.75.75 75.75.76.76
  default-router 192.168.12.254
  tftp-server us.ntp.pool.org
  option 43 ascii id:ipphone.mitel.com;sw_tftp=192.168.2.2;call_srv=192.168.2.2;vlan=2;l2p=6;dscp=46;ipa_srv=192.168.2.2
!
!
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 50.76.236.97
  peer 45.73.148.18
  attribute 1
    encryption 3des
    authentication pre-share
    group 2
!
crypto ike remote-id address 45.73.148.18 preshared-key Inn6517pri! ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
ip crypto ipsec transform-set esp-aes-256-cbc-esp-sha1-hmac esp-aes-256-cbc esp-sha1-hmac
  mode tunnel
!
ip crypto map VPN 10 ipsec-ike
  description 8251 to 6517
  match address ip VPN-10-vpn-selectors
  set peer 45.73.148.18
  set transform-set esp-aes-256-cbc-esp-sha1-hmac
  ike-policy 100
!
!
!
!
vlan 1
  name "Default"
!
vlan 2
  name "Vlan 2 192.168.12.0"
!
!
interface eth 0/1
  description gig coax
  ip address  50.76.236.97  255.255.255.248
  ip access-policy Public
  ip crypto map VPN
  no shutdown
  no lldp send-and-receive
!
!
interface switchport 0/1
  spanning-tree edgeport
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  description 8251 vlan 1
  no shutdown
!
!
!
interface vlan 1
  description Vlan 1
  ip address  192.168.11.254  255.255.255.0
  ip access-policy Private
  no shutdown
!
interface vlan 2
  description Vlan 2
  ip address  192.168.12.254  255.255.255.0
  ip mtu 1500
  ip access-policy Private
  no awcp
  no shutdown
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
  permit ip 192.168.11.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255  192.168.2.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255  192.168.2.0 0.0.0.255
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.11.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255  192.168.2.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255  192.168.2.0 0.0.0.255
!
ip access-list extended web-acl-3
  remark Admin Access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip access-list extended web-acl-4
  remark remote access
  permit tcp any  any eq https   log
  permit tcp any  any eq ssh   log
  permit icmp any  any  echo   log
!
ip access-list extended web-acl-6
  permit ip any  any
!
!
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  allow list VPN-20-vpn-selectors1 stateless
  allow list VPN-10-vpn-selectors2 stateless
  allow list self self
  allow list web-acl-6 policy Private
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow list web-acl-4 self
  allow list web-acl-4 self
  allow reverse list VPN-20-vpn-selectors1 stateless
  allow reverse list VPN-10-vpn-selectors2 stateless
  allow list web-acl-3 self
!
!
ip route 0.0.0.0 0.0.0.0 50.76.236.102
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
  login
!
line telnet 0 4
  login
  password Inn6517pri!
  no shutdown
line ssh 0 4
  login local-userlist
!
sntp server us.pool.ntp.org
!
!
!
!
!
!

Anonymous
Not applicable

Re: watchguard

This setup was tabled for the past 6 months and now the implementation has been put back into play. I have defaulted both devices and set it back up with basically the same results: all tunnels are up but no traffic is passing in either direction. I am somewhat of a master inside of the WatchGuard and have my fair share of experience inside the Adtran routers, as this is what we tend to use for voice. I must say I am really disappointed that this post has been up for over six months and has not had any form of response at all!

jayh
Honored Contributor

Re: watchguard

Well, the first thing you probably want to do now is change your passwords, enable password-encryption, disable telnet and put an ACL on the ssh lines.

Then run a debug ipsec on both ends, make sure your ACLs for protected networks are reciprocal, try to push some interesting traffic.

It's IKEv1.
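As an added example (not code from this thread, nor ADTRAN or WatchGuard tooling), the Python below audits an AOS running-config offline for the three things the reply above asks for: the hygiene points (password encryption off, telnet enabled, no ACL on the ssh lines), policy-class entries that reference ACLs the config never defines, and the mirror-image selector set the peer must carry so that the protected networks are reciprocal. The sample config is a constructed excerpt of the one posted above with the secrets replaced; the `ip access-class <acl> in` line it looks for under `line ssh` is an assumed AOS syntax, and the check only tests for its presence.

```python
"""Offline audit of an ADTRAN AOS running-config: hygiene findings, policy-class
references to undefined ACLs, and the reciprocal selectors the IPsec peer needs.
Example code added to this thread; not ADTRAN or WatchGuard tooling."""
import ipaddress
import re

# Constructed excerpt of the config posted above; secrets replaced with REDACTED.
SAMPLE_CONFIG = """\
no service password-encryption
username "admin" password "REDACTED"
ip access-list standard wizard-ics
  permit any
!
ip access-list extended self
  permit ip any  any     log
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.11.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255  192.168.2.0 0.0.0.255
  permit ip 192.168.12.0 0.0.0.255  192.168.1.0 0.0.0.255
  permit ip 192.168.11.0 0.0.0.255  192.168.2.0 0.0.0.255
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  allow list VPN-20-vpn-selectors1 stateless
  allow list VPN-10-vpn-selectors2 stateless
!
line telnet 0 4
  login
  password REDACTED
  no shutdown
line ssh 0 4
  login local-userlist
!
"""

ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
_ADDR = r"any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+"
PERMIT_IP = re.compile(rf"^\s+permit ip\s+({_ADDR})\s+({_ADDR})")
POLICY_REF = re.compile(r"^\s+(?:allow|discard|nat \w+)\s+(?:reverse\s+)?list\s+(\S+)")


def _to_network(token):
    """'addr wildcard' (AOS/Cisco inverse mask) or 'any' -> IPv4Network."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = token.split()
    if wildcard == "0.0.0.0":  # host entry; "/0.0.0.0" would otherwise parse as a /0 netmask
        return ipaddress.IPv4Network(f"{addr}/32")
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)  # hostmask form


def parse_acls(cfg):
    """Map ACL name -> list of (src_network, dst_network) from its 'permit ip' entries."""
    acls, current = {}, None
    for line in cfg.splitlines():
        head = ACL_HEADER.match(line)
        if head:
            current = head.group(1)
            acls[current] = []
        elif not line.startswith(" "):
            current = None  # '!' or another top-level stanza ends the ACL block
        elif current is not None:
            entry = PERMIT_IP.match(line)
            if entry:
                acls[current].append((_to_network(entry.group(1)), _to_network(entry.group(2))))
    return acls


def reciprocal_selectors(pairs):
    """The peer's selectors must be the mirror image: its local = our remote, and vice versa."""
    return sorted({(str(dst), str(src)) for src, dst in pairs})


def undefined_policy_refs(cfg, acls):
    """ACL names used by policy-class entries that no 'ip access-list' stanza defines."""
    refs = {m.group(1) for m in map(POLICY_REF.match, cfg.splitlines()) if m}
    return sorted(refs - set(acls))


def hygiene_findings(cfg):
    """The reply's hygiene points: secrets in the clear, telnet up, ssh lines without an ACL."""
    lines = cfg.splitlines()
    findings, block, telnet_up, ssh_acl = [], None, False, False
    for line in lines:
        if line.startswith("line "):
            block = line.split()[1]
        elif not line.startswith(" "):
            block = None
        elif block == "telnet" and line.strip() == "no shutdown":
            telnet_up = True
        elif block == "ssh" and line.strip().startswith("ip access-class"):
            ssh_acl = True  # assumed AOS syntax: 'ip access-class <acl> in' under 'line ssh'
    if "no service password-encryption" in lines:
        secrets = sum(" password " in l for l in lines)
        findings.append(f"password encryption disabled; {secrets} secret(s) stored in the clear")
    if telnet_up:
        findings.append("telnet lines are enabled (no shutdown); disable them and use ssh")
    if not ssh_acl:
        findings.append("ssh lines have no access-class ACL restricting source addresses")
    return findings


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("peer must carry:", reciprocal_selectors(acls["VPN-10-vpn-selectors"]))
    print("undefined ACL refs:", undefined_policy_refs(SAMPLE_CONFIG, acls))
    print("\n".join(hygiene_findings(SAMPLE_CONFIG)))
```

Run against the excerpt, the reciprocal list is what the WatchGuard side has to carry (local 192.168.1.0/24 and 192.168.2.0/24, remote 192.168.11.0/24 and 192.168.12.0/24, all four combinations); a selector present on one side only leaves the tunnel up while that pair of networks passes nothing. The two undefined names come straight from the posted policy-class Private, which references VPN-20-vpn-selectors1 and VPN-10-vpn-selectors2 but defines neither.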