Remote Networking

MVP
Posts: 748
Registered: 03-25-2009

issues with NAT-T on a watchguard firebox?

Trying to set up remote APs at a customer. This customer is using a Watchguard Firebox firewall.

When I have the RAP connect from inside the LAN to the controller's LAN interface, the RAP is able to connect and set up its tunnel.

When I have a RAP connect from the internet to a public IP address of the firewall, which is in turn forwarded to the controller's LAN IP address, however, we get nothing.
The RAP reports failure RC_ERROR_IKEP1. From what I gather this basically means it does not get a response to IKE phase 1, meaning it either can't connect to the controller or doesn't receive a response.

When logging udp 4500 traffic on said firewall however we do not get ANY hits even though a policy has been created to allow this traffic to the controller.
No VPNs are being terminated on that specific external ip address (we've even tried several to make sure).
A simple ping test from the RAP does get a response from the firewall.

Anybody have some experience with this firewall and NAT-T through it? Is this per default blocked somewhere regardless of the policy that allows it? Any other reason why we would not see this udp 4500 traffic show up in the interface logging?
Any way to troubleshoot this further? I'm no Watchguard specialist by far but can't imagine any other reason why this RAP would be unable to connect.
Koen (ACMX #351 | ACDX #547 | ACCP)

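The question above turns on what the firewall should be seeing on UDP 4500 when a RAP tries to bring up its tunnel. The following script is an added illustration, not code from the original thread or from Aruba or WatchGuard: it classifies UDP/4500 payloads the way RFC 3948 and RFC 3947 define them (NAT keepalive, non-ESP marker plus IKE header, or UDP-encapsulated ESP) and then summarises a list of datagrams seen on the firewall's internal side into one of three states: no phase 1 request ever reached the controller policy, requests reached it but were never answered (the RC_ERROR_IKEP1 case at the RAP), or request and reply were both seen. The addresses, SPIs and datagrams are constructed sample data; `classify_natt_payload`, `phase1_status` and `ike_datagram` are names chosen here, not vendor APIs.

```python
"""Classify UDP/4500 (IPsec NAT-T) datagrams and summarise an IKE phase 1 exchange.

All sample data below is constructed for illustration; nothing is taken from a real capture.
"""
import struct

# IKE exchange types (RFC 2408 sec. 3.1 for IKEv1, RFC 7296 sec. 3.1 for IKEv2).
EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode (phase 1)",
    4: "IKEv1 Aggressive Mode (phase 1)",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode (phase 2)",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}
PHASE1_EXCHANGES = {2, 4, 34}

# ISAKMP/IKE header: iSPI, rSPI, next payload, version, exchange type, flags, message ID, length.
IKE_HDR = struct.Struct("!QQBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_natt_payload(payload: bytes) -> dict:
    """Say what one UDP/4500 payload carries (RFC 3948 sec. 2, RFC 3947 sec. 5)."""
    if payload == b"\xff":
        # RFC 3948 sec. 2.3: one-octet NAT keepalive; only appears once phase 1 has succeeded.
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than SPI / non-ESP marker"}
    if payload[:4] != NON_ESP_MARKER:
        # A non-zero first word is the SPI of UDP-encapsulated ESP (RFC 3948 sec. 2.1).
        return {"kind": "esp", "spi": struct.unpack("!I", payload[:4])[0]}
    ike = payload[4:]  # four zero bytes mark an IKE message (RFC 3948 sec. 2.2)
    if len(ike) < IKE_HDR.size:
        return {"kind": "malformed", "reason": "truncated IKE header"}
    ispi, rspi, _next, version, exch, _flags, msgid, length = IKE_HDR.unpack(ike[:IKE_HDR.size])
    if length != len(ike):
        return {"kind": "malformed", "reason": "IKE length field does not match datagram"}
    return {
        "kind": "ike",
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "phase1": exch in PHASE1_EXCHANGES,
        "ispi": ispi,
        "rspi": rspi,
        # In both IKE versions the very first phase 1 message carries a zero responder SPI.
        "is_initial_request": rspi == 0 and msgid == 0,
    }


def phase1_status(events, controller_ip: str) -> str:
    """Summarise (src_ip, dst_ip, payload) datagrams logged on the firewall's internal side.

    "no-phase1-seen"     no phase 1 request reached the controller (e.g. the firewall kept it)
    "phase1-unanswered"  requests reached the controller but no reply came back (RC_ERROR_IKEP1)
    "phase1-answered"    request and reply both seen
    """
    requests = replies = 0
    for src, dst, payload in events:
        info = classify_natt_payload(payload)
        if info["kind"] != "ike" or not info["phase1"]:
            continue
        if dst == controller_ip and info["rspi"] == 0:
            requests += 1
        elif src == controller_ip and info["rspi"] != 0:
            replies += 1
    if requests == 0:
        return "no-phase1-seen"
    return "phase1-answered" if replies else "phase1-unanswered"


def ike_datagram(exchange: int, ispi: int, rspi: int, body: bytes = b"") -> bytes:
    """Constructed NAT-T encapsulated IKE message: non-ESP marker + header + opaque body."""
    v2 = exchange >= 34
    hdr = IKE_HDR.pack(ispi, rspi, 33 if v2 else 1, 0x20 if v2 else 0x10,
                       exchange, 0, 0, IKE_HDR.size + len(body))
    return NON_ESP_MARKER + hdr + body


# Constructed sample traffic (RFC 5737 / RFC 1918 addresses, invented SPIs).
RAP, CONTROLLER = "203.0.113.10", "10.0.0.5"
SAMPLE_BROKEN = [  # the poster's symptom: the RAP retransmits Main Mode, nothing comes back
    (RAP, CONTROLLER, ike_datagram(2, 0x1122334455667788, 0)),
    (RAP, CONTROLLER, ike_datagram(2, 0x1122334455667788, 0)),
]
SAMPLE_WORKING = SAMPLE_BROKEN[:1] + [
    (CONTROLLER, RAP, ike_datagram(2, 0x1122334455667788, 0x99AABBCCDDEEFF00)),
    (CONTROLLER, RAP, b"\xff"),
    (RAP, CONTROLLER, struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16),
]

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("working", SAMPLE_WORKING)):
        print(label, "->", phase1_status(sample, CONTROLLER))
        for src, dst, payload in sample:
            print("  ", src, "->", dst, classify_natt_payload(payload)["kind"])
```

Run against a real capture, the interesting result is `no-phase1-seen` on the internal interface while the RAP is clearly retransmitting: that is exactly the situation BillCarrJr's third step addresses, where the firewall treats the public address as one of its own VPN endpoints and never forwards the datagrams. `phase1-unanswered` instead points at the controller or the return path.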
Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: issues with NAT-T on a watchguard firebox?

You might have to establish a second public ip address to make this work properly. I heard that the watchguard firewall also expects to terminate VPN traffic, so you need a second ip to make it work.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 56
Registered: 04-22-2009

Watchguard and Remote AP (udp 4500)

We had a customer with a Firebox X 1250e running XTM version 11.3.2.

There were three configuration changes that we had to make to allow it to function in their environment.

1) IPSEC policy (From Any-external, To Nat'd public address assigned to the Aruba device).

2) Enabled IPSEC passthrough.

3) Removed the nat'd public address from the secondary external address list.

The third step is important, otherwise the Watchguard absorbs the traffic, and does not pass it..........
Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: issues with NAT-T on a watchguard firebox?


> We had a customer with a Firebox X 1250e running XTM version 11.3.2.
>
> There were three configuration changes that we had to make to allow it to function in their environment.
>
> 1) IPSEC policy (From Any-external, To Nat'd public address assigned to the Aruba device).
>
> 2) Enabled IPSEC passthrough.
>
> 3) Removed the nat'd public address from the secondary external address list.
>
> The third step is important, otherwise the Watchguard absorbs the traffic, and does not pass it..........

BillCarrJr, thanks. We were looking for this today.


Colin Joseph
Aruba Customer Engineering


Anonymous
Posts: 0

Re: Watchguard and Remote AP (udp 4500)

I have the same issue with a WatchGuard firewall, but I cannot perform the third step. After I remove the secondary external IP address, I receive an error message and the configured policy (in step 1) is altered. The To field is changed to none.
Are you familiar with this problem?
