• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Watchguard XTM

Started by WillowAdmin, July 09, 2014, 08:42:29 AM

Previous topic - Next topic


Hey everyone!

I have a Watchguard XTM505 with version 11.9.1 installed. According to their documentation, it now supports "Transition Tunneling (6 in 4)" so I think this will work with Tunnel Broker.

Has anyone tried using Tunnel Broker with a Watchguard system? It looks like you need to make a BOVPN virtual interface then add a IPv6 static route. I've given it a shot, but I'm not seeing any active tunnels under that interface. Perhaps my authentication method is wrong.

Either way, any help/insight would be appreciated!




Here's what I have for my BOVPN Virtual Interface configuration.
I'm sure Phase1 and Phase2 settings are completely incorrect, but I can't find any documentation as to what the heck they should be.
I'm using the "Update Key" under the "Advanced" tab under "Tunnel Details" on tunnelbroker.net as my Pre-shared key.

BOVPN Virtual Interface: HE-IPv6-4to6-Tunnel

VPN Routes

  Route 1

    Route To: 2001:****OMITTED***::/64

    Metric: 1

Dynamic Routing

    Configured: No

    Local IP Address:

    Remote IP Address:

Phase 2 Settings

  Perfect Forward Secrecy: Disabled

  IPSec Proposals

    Proposal 1

      Name: ESP-AES-SHA1

      Type: ESP

      Authentication: SHA1

      Encryption: AES (256-bit)

      Key Expiration: 128,000KB or 8 hours

Multicast Settings

  Multicast over tunnel: Disabled

  Origination IP:

  Group IP:

  Helper Addresses

BOVPN Gateway Settings

  Credential Method: Pre-shared Key


    Endpoint 1

      Local Interface: eth0

      Local ID: *****OMITTED**** (IP Address)

      Remote IP Address:

      Remote ID: (IP Address)

  Phase 1 Settings

    Mode: Aggressive

    NAT Traversal: Enabled (20 second interval)

    IKE Keep-alive: Enabled (30 second interval, 5 max failures)

    Dead Peer Detection: Disabled

    Auto Start: Yes


      Transform 1

        Authentication: SHA1

        Encryption: 3DES

        SA Lifetime: 8 hours

        Key Group: Diffie-Hellman Group2

Here's a VPN Diagnostic Report.

*** WG Diagnostic Report for Gateway "HE-IPv6-4to6-Tunnel" ***
Created On: Sat Apr  4 18:26:25 2015

[Gateway Summary]
   Gateway "HE-IPv6-4to6-Tunnel" contains "1" gateway endpoint(s).
     Gateway Endpoint #1 (name "HE-IPv6-4to6-Tunnel") Enabled
      Mode: Aggressive    PFS: Disabled    AlwaysUP: Enabled
      DPD: Disabled    Keepalive: Enabled
      Local ID<->Remote ID: {IP_ADDR(24.*ommited*.32) <-> IP_ADDR(}
      Local GW_IP<->Remote GW_IP: {24.*ommited*.32 <->}
      Outgoing Interface: eth0 (ifIndex=4)
         linkStatus=0 (0:unknown, 1:down, 2:up)
      BVPN Interface: bvpn1 (ifIndex=18)
         Local_Tun_IP<->Rem_Tun_IP: {24.*ommited*.32 <->}
         NAT-D flag=0x0 (0:none, 1:remote, 2:local, 3:both)

[Tunnel Summary]
   "1" tunnel(s) are found using the previous gateway

     Name: "HE-IPv6-4to6-Tunnel" Enabled
      PFS: "Disabled" DH-Group: "2"
      Number of Proposals: "1"
        Proposal "ESP-AES-SHA1"
           EncryptAlgo: "AES" KeyLen: "32(bytes)"
           AuthAlgo: "SHA"
           LifeTime: "28800(seconds)" LifeByte: "128000(kbytes)"
      Number of Tunnel Routes: "0"

[Run-time Info (bvpn routes)]
   dest=2001:*ommited*::/64 dev=bvpn1 metric=255 proto=static

[Run-time Info (gateway IKE_SA)]
   Name: "HE-IPv6-4to6-Tunnel" (IfStatus: 0x80000001)
     ISAKMP SAID: "0x0" State: "AM SA Wait"
     Created: Wed Dec 31 18:00:00 1969
     My Address: 24.*ommited*.32:500   Peer Address:
     InitCookie: "2364fd959d12b28e"   RespCookie: "0000000000000000"
     LifeTime: "0(seconds)" LifeByte: "0(kbtyes)" DPD: "Disabled"

[Run-time Info (tunnel IPSEC_SA)]

[Run-time Info (tunnel IPSEC_SP)]
   "1" IPSEC SP(s) are found
      Tunnel Endpoint: "24.*ommited*.32->"
      Tunnel Selector: 24.*ommited*.32/32 ->   Proto: gre
      Created On: Sat Apr  4 18:08:32 2015
      Gateway Name: "HE-IPv6-4to6-Tunnel"
      Tunnel Name: "HE-IPv6-4to6-Tunnel"

[Related Logs]
<158>Apr  4 18:26:20 iked[1201]: AlwaysUpTimerCb trigger autoStart for ikePcy(HE-IPv6-4to6-Tunnel) ipsecPcy(HE-IPv6-4to6-Tunnel)
<158>Apr  4 18:26:20 iked[1201]: AUTOSTART: RECV ipecPcy(HE-IPv6-4to6-Tunnel), ikePcy(HE-IPv6-4to6-Tunnel), ifIndex(4), tunnel_src=24.*ommited*.32, tunnel_dst=
<158>Apr  4 18:26:20 iked[1201]: (24.*ommited*.32<-> init vpnDpdSequenceNum = 457820740(Isakmp SA 0x10184638)
<158>Apr  4 18:26:20 iked[1201]: (24.*ommited*.32<-> Start (Ct=30) pcy [HE-IPv6-4to6-Tunnel]
<158>Apr  4 18:26:20 iked[1201]: (24.*ommited*.32<-> : net order spi(0000 0000 0000 0000) 
<158>Apr  4 18:26:20 iked[1201]: (24.*ommited*.32<-> phase 1 negotiation using [HE-IPv6-4to6-Tunnel] to aggressive mode
<158>Apr  4 18:26:24 iked[1201]: (<-> 1 IkeRetryTimeout:: Retrying 1st phase..(Gateway HE-IPv6-4to6-Tunnel to


Bump. I had to get a new account. Protip: Print out your QRCode and save it in a secure place if you want to use 2-factor authentication. there's no going back.

Anyone got any additional information on using WatchGuards?