Hey everyone!
I have a Watchguard XTM505 with version 11.9.1 installed. According to their documentation, it now supports "Transition Tunneling (6 in 4)" so I think this will work with Tunnel Broker.
Has anyone tried using Tunnel Broker with a Watchguard system? It looks like you need to make a BOVPN virtual interface then add an IPv6 static route. I've given it a shot, but I'm not seeing any active tunnels under that interface. Perhaps my authentication method is wrong.
Either way, any help/insight would be appreciated!
Thanks!
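For reference on what the "Transition Tunneling (6 in 4)" feature mentioned above actually puts on the wire, here is an added example (not WatchGuard or tunnelbroker.net code) that builds and decodes a 6in4 packet as defined in RFC 4213: an IPv4 header with protocol number 41, followed directly by the IPv6 packet. There is no IKE, ESP or GRE layer in between; the tunnel is defined only by the two IPv4 endpoint addresses. Addresses in the example are documentation ranges (RFC 5737 and RFC 3849), not real tunnel endpoints, and the "ICMPv6" payload is a constructed stand-in.

```python
"""Build and decode a 6in4 packet (RFC 4213): an IPv4 header whose
protocol field is 41, followed directly by the IPv6 packet. Nothing
else sits between them: no IKE, no ESP, no GRE. Added example, not
WatchGuard or tunnelbroker.net code; the addresses are documentation
ranges (RFC 5737 / RFC 3849), not real tunnel endpoints."""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # 6in4: "IPv6 encapsulation"
IPPROTO_ESP = 50    # what an IPsec tunnel would carry instead

IPV4_HDR = "!BBHHHBBH4s4s"   # 20 bytes, no options
IPV6_HDR = "!IHBB16s16s"     # 40 bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, no traffic class / flow label) + payload."""
    return struct.pack(IPV6_HDR, 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def encapsulate(outer_src: str, outer_dst: str, inner: bytes,
                proto: int = IPPROTO_IPV6) -> bytes:
    """Prepend an IPv4 header that carries `inner` as protocol `proto`."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                      proto, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    # Header checksum lives at bytes 10-11; fill it in after packing.
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def decapsulate(packet: bytes) -> dict:
    """Parse the outer IPv4 header and, for protocol 41, the inner IPv6 header.

    Any other protocol (e.g. 50 = ESP) is reported but not decoded: a 6in4
    endpoint only accepts protocol 41 from its configured peer."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    result = {"outer_src": str(ipaddress.IPv4Address(src)),
              "outer_dst": str(ipaddress.IPv4Address(dst)),
              "protocol": proto, "inner": None}
    if proto != IPPROTO_IPV6:
        return result
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol-41 payload is not an IPv6 packet")
    _, plen, nh, hop, isrc, idst = struct.unpack(IPV6_HDR, inner[:40])
    result["inner"] = {"src": str(ipaddress.IPv6Address(isrc)),
                       "dst": str(ipaddress.IPv6Address(idst)),
                       "next_header": nh, "hop_limit": hop,
                       "payload": inner[40:40 + plen]}
    return result


def demo() -> dict:
    """Wrap a constructed ICMPv6-style payload (next header 58) for a 6in4 peer."""
    inner = build_ipv6("2001:db8::2", "2001:db8::1", 58, b"\x80\x00\x00\x00ping")
    pkt = encapsulate("198.51.100.2", "203.0.113.1", inner)
    return decapsulate(pkt)


if __name__ == "__main__":
    print(demo())
```

The point of the `proto` parameter is the contrast: wrap the same bytes as protocol 50 and `decapsulate` reports an ESP packet with no decodable IPv6 inside, which is what a 6in4 peer would see if an IPsec gateway were pointed at it.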
Also trying to set this up. This is all the information I have found so far.
http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/bovpn/manual/bovpn_vif_routes_c.html
Here's what I have for my BOVPN Virtual Interface configuration.
I'm sure Phase1 and Phase2 settings are completely incorrect, but I can't find any documentation as to what the heck they should be.
I'm using the "Update Key" under the "Advanced" tab under "Tunnel Details" on tunnelbroker.net as my Pre-shared key.
============================================
BOVPN Virtual Interface: HE-IPv6-4to6-Tunnel
VPN Routes
Route 1
Route To: 2001:****OMITTED***::/64
Metric: 1
Dynamic Routing
Configured: No
Local IP Address:
Remote IP Address:
Phase 2 Settings
Perfect Forward Secrecy: Disabled
IPSec Proposals
Proposal 1
Name: ESP-AES-SHA1
Type: ESP
Authentication: SHA1
Encryption: AES (256-bit)
Key Expiration: 128,000KB or 8 hours
Multicast Settings
Multicast over tunnel: Disabled
Origination IP:
Group IP:
Helper Addresses
BOVPN Gateway Settings
Credential Method: Pre-shared Key
Endpoints
Endpoint 1
Local Interface: eth0
Local ID: *****OMITTED**** (IP Address)
Remote IP Address: 216.66.22.2
Remote ID: 24.214.54.32 (IP Address)
Phase 1 Settings
Mode: Aggressive
NAT Traversal: Enabled (20 second interval)
IKE Keep-alive: Enabled (30 second interval, 5 max failures)
Dead Peer Detection: Disabled
Auto Start: Yes
Transforms
Transform 1
Authentication: SHA1
Encryption: 3DES
SA Lifetime: 8 hours
Key Group: Diffie-Hellman Group2
==================================
Here's a VPN Diagnostic Report.
==================================
*** WG Diagnostic Report for Gateway "HE-IPv6-4to6-Tunnel" ***
Created On: Sat Apr 4 18:26:25 2015
[Gateway Summary]
Gateway "HE-IPv6-4to6-Tunnel" contains "1" gateway endpoint(s).
Gateway Endpoint #1 (name "HE-IPv6-4to6-Tunnel") Enabled
Mode: Aggressive PFS: Disabled AlwaysUP: Enabled
DPD: Disabled Keepalive: Enabled
Local ID<->Remote ID: {IP_ADDR(24.*omitted*.32) <-> IP_ADDR(24.214.54.32)}
Local GW_IP<->Remote GW_IP: {24.*omitted*.32 <-> 216.66.22.2}
Outgoing Interface: eth0 (ifIndex=4)
ifMark=0x10000
linkStatus=0 (0:unknown, 1:down, 2:up)
BVPN Interface: bvpn1 (ifIndex=18)
Local_Tun_IP<->Rem_Tun_IP: {24.*omitted*.32 <-> 216.66.22.2}
NAT-D flag=0x0 (0:none, 1:remote, 2:local, 3:both)
[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway
Name: "HE-IPv6-4to6-Tunnel" Enabled
PFS: "Disabled" DH-Group: "2"
Number of Proposals: "1"
Proposal "ESP-AES-SHA1"
ESP:
EncryptAlgo: "AES" KeyLen: "32(bytes)"
AuthAlgo: "SHA"
LifeTime: "28800(seconds)" LifeByte: "128000(kbytes)"
Number of Tunnel Routes: "0"
[Run-time Info (bvpn routes)]
dest=2001:*omitted*::/64 dev=bvpn1 metric=255 proto=static
[Run-time Info (gateway IKE_SA)]
Name: "HE-IPv6-4to6-Tunnel" (IfStatus: 0x80000001)
ISAKMP SAID: "0x0" State: "AM SA Wait"
Created: Wed Dec 31 18:00:00 1969
My Address: 24.*omitted*.32:500 Peer Address: 216.66.22.2:500
InitCookie: "2364fd959d12b28e" RespCookie: "0000000000000000"
LifeTime: "0(seconds)" LifeByte: "0(kbtyes)" DPD: "Disabled"
[Run-time Info (tunnel IPSEC_SA)]
[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found
#1
Tunnel Endpoint: "24.*omitted*.32->216.66.22.2"
Tunnel Selector: 24.*omitted*.32/32 -> 216.66.22.2/32 Proto: gre
Created On: Sat Apr 4 18:08:32 2015
Gateway Name: "HE-IPv6-4to6-Tunnel"
Tunnel Name: "HE-IPv6-4to6-Tunnel"
[Related Logs]
<158>Apr 4 18:26:20 iked[1201]: AlwaysUpTimerCb trigger autoStart for ikePcy(HE-IPv6-4to6-Tunnel) ipsecPcy(HE-IPv6-4to6-Tunnel)
<158>Apr 4 18:26:20 iked[1201]: AUTOSTART: RECV ipecPcy(HE-IPv6-4to6-Tunnel), ikePcy(HE-IPv6-4to6-Tunnel), ifIndex(4), tunnel_src=24.*omitted*.32, tunnel_dst=216.66.22.2
<158>Apr 4 18:26:20 iked[1201]: (24.*omitted*.32<->216.66.22.2)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 457820740(Isakmp SA 0x10184638)
<158>Apr 4 18:26:20 iked[1201]: (24.*omitted*.32<->216.66.22.2)AggrMode: Start (Ct=30) pcy [HE-IPv6-4to6-Tunnel]
<158>Apr 4 18:26:20 iked[1201]: (24.*omitted*.32<->216.66.22.2)IkeProposalHtoN : net order spi(0000 0000 0000 0000)
<158>Apr 4 18:26:20 iked[1201]: (24.*omitted*.32<->216.66.22.2)Starting phase 1 negotiation using [HE-IPv6-4to6-Tunnel] to 216.66.22.2:500 aggressive mode
<158>Apr 4 18:26:24 iked[1201]: (24.214.54.32<->216.66.22.2)Phase 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway HE-IPv6-4to6-Tunnel to 216.66.22.2:500)
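The diagnostic report above already contains the two facts a practitioner would key on: under [Run-time Info (gateway IKE_SA)] the state is "AM SA Wait" with an InitCookie set and a RespCookie of all zeros (the firewall sent the first aggressive-mode message and nothing came back from 216.66.22.2:500), and under [Run-time Info (tunnel IPSEC_SP)] the policy selector is "Proto: gre", i.e. the BOVPN virtual interface carries GRE inside ESP, whereas 6in4 carries IPv6 directly as IPv4 protocol 41 with no IKE, ESP or GRE at all. The following is an added example (not WatchGuard code) that pulls those fields out of the report text and turns them into findings. SAMPLE_REPORT is constructed to mirror the shape of the posted report, with RFC 5737 documentation addresses in place of the real endpoints; only the fields the script reads are included, and the "one block per SA" rule used to count IPsec SAs is an assumption about the report layout.

```python
"""Triage the [Run-time Info] sections of a WatchGuard VPN Diagnostic
Report for a BOVPN virtual interface that never comes up. Added example,
not WatchGuard code. SAMPLE_REPORT is constructed to mirror the shape of
the report posted in the thread, with RFC 5737 documentation addresses
in place of the real endpoints; only the fields read below are included."""
import re

SAMPLE_REPORT = """\
[Run-time Info (gateway IKE_SA)]
Name: "HE-IPv6-4to6-Tunnel" (IfStatus: 0x80000001)
ISAKMP SAID: "0x0" State: "AM SA Wait"
Created: Wed Dec 31 18:00:00 1969
My Address: 198.51.100.2:500 Peer Address: 203.0.113.2:500
InitCookie: "2364fd959d12b28e" RespCookie: "0000000000000000"
LifeTime: "0(seconds)" LifeByte: "0(kbtyes)" DPD: "Disabled"
[Run-time Info (tunnel IPSEC_SA)]
[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found
#1
Tunnel Endpoint: "198.51.100.2->203.0.113.2"
Tunnel Selector: 198.51.100.2/32 -> 203.0.113.2/32 Proto: gre
"""


def section(report: str, title: str) -> str:
    """Text between a bracketed section title and the next '[' title (or EOF)."""
    m = re.search(re.escape(title) + r"(.*?)(?=\n\[|\Z)", report, re.S)
    return m.group(1).strip() if m else ""


def field(text: str, name: str) -> str:
    """Value of a `Name: "value"` field, or '' if absent."""
    m = re.search(name + r':\s*"([^"]*)"', text)
    return m.group(1) if m else ""


def diagnose(report: str) -> dict:
    ike = section(report, "[Run-time Info (gateway IKE_SA)]")
    ipsec_sa = section(report, "[Run-time Info (tunnel IPSEC_SA)]")
    ipsec_sp = section(report, "[Run-time Info (tunnel IPSEC_SP)]")

    state = field(ike, "State")
    resp_cookie = field(ike, "RespCookie")
    peer_m = re.search(r"Peer Address:\s*(\S+)", ike)
    peer = peer_m.group(1) if peer_m else ""
    proto_m = re.search(r"Tunnel Selector:.*?Proto:\s*(\S+)", ipsec_sp)
    proto = proto_m.group(1).lower() if proto_m else ""

    out = {
        "state": state,
        "peer": peer,
        # All-zero responder cookie: IKE message 1 went out, no reply came back.
        "resp_cookie_zero": bool(resp_cookie) and set(resp_cookie) == {"0"},
        # Assumption about the layout: a non-empty IPSEC_SA section lists the
        # established child SAs, so an empty section means there are none.
        "ipsec_sa_count": len([l for l in ipsec_sa.splitlines() if l.strip()]),
        "selector_proto": proto,
        "findings": [],
    }
    if out["resp_cookie_zero"]:
        out["findings"].append(
            f"phase 1 stalled in state '{state}': responder cookie is all "
            f"zeros, so no IKE reply was ever received from {peer}")
    if out["ipsec_sa_count"] == 0:
        out["findings"].append("no IPsec SA established, so the bvpn "
                               "interface cannot carry traffic")
    if proto == "gre":
        out["findings"].append(
            "policy selector is GRE between the two endpoints (the BOVPN "
            "virtual interface tunnels GRE inside ESP); a 6in4 peer expects "
            "IPv6 carried directly as IPv4 protocol 41 with no IKE, ESP or GRE")
    return out


if __name__ == "__main__":
    for line in diagnose(SAMPLE_REPORT)["findings"]:
        print("-", line)
```

Run it against a real report by reading the file into `diagnose()`; a report for a tunnel that did come up shows a non-zero RespCookie, a state other than "AM SA Wait", and at least one entry under IPSEC_SA, so only the selector-protocol finding (if any) remains.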
Bump. I had to get a new account. Protip: Print out your QR code and save it in a secure place if you want to use 2-factor authentication. There's no going back.
Anyone got any additional information on using WatchGuards?