Connecting to WG X500 Branch Office VPN

I have a Watchguard X500 setup for Branch Office VPN and a Mikrotik RB751G V5.17 connected and running fine. (The configuration was done by someone else, unreachable at the moment.)

I have configured a second BO on the X500 and tested using a remote WG XTM21 successfully so I figured the X500 side is ok.

I bought a new RB751G V5.11 and I tried to mimic the configuration of the one already connected, with, of course, a different set of local IPs as I am at a different location.
I copied the info from Menu IP > IPsec.
Except for my local IP/network, I replicated Policies, Peers and Proposal.
I could not do anything in the Remote Peers or Installed SAs, as from what I can see these will update automatically (I could be wrong).

After a while, in the Remote Peers the info appeared, with the exception that Side=Initiator while the working Mikrotik indicated Side=Responder.
And I still had nothing in the Installed SAs.

I then upgraded to V5.19 but now the Remote Peers is empty.

I have done the above using Webfig and Winbox.

I would appreciate some guidance on the above.

Mike

Just to make it more clear, here are a few thousand words.
On the WG side:

On the Mikrotik side:
IP> IPsec> Policies (the other running 751G has SA Src. Address = 0.0.0.0. I also tried my public IP with no difference)

IP> IPsec> Peers (Secret has the same value as Preshared Key on WG)

IP> IPsec> Proposals

IP> IPsec> Remote Peers and Installed SAs are blank and there are no signs in the log that anything is trying to connect to anything.
My Dynamic DNS has the right IP.

I seem to be talking to myself here but since I started this thread I will continue for the sake of those having the same issue.

I was able to get a connection established. IP > IPsec > Remote Peers and Installed SAs have finally populated.
All I did was click on the Flush button within IP > IPsec > Installed SAs, although there was nothing to flush.

Looking at the WG I see my Branch Office Connection as Active and vice versa.

Now I am left with one last issue… I cannot ping between local and remote networks

The only difference I can see, and am unable to change in the configuration, is IP > IPsec > Remote Peers > Side = Initiator.
My other working 751G at a different location can ping both ways and its setting for Side is Responder.

Mike

I finally figured it out.

I created a NAT with my 2 subnets

and then I dragged the new entry to the top.

And bingo.

Thank you to myself for my responses.

Mike
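Added example, not code from the thread or from MikroTik's wiki: the RouterOS CLI equivalent of the NAT entry Mike dragged to the top, with placeholder subnets, followed by the two `print` commands for the lists that were empty earlier in the thread.

```routeros
# Added example (not from the thread). Subnets are placeholders:
#   192.168.10.0/24 = LAN behind the RB751G
#   192.168.20.0/24 = LAN behind the WatchGuard X500
# Replace both with the real local and remote networks of the Branch Office VPN.

# Problem state: a catch-all masquerade rule at the top of srcnat rewrites the
# source of LAN-to-remote-LAN packets to the WAN address, so they no longer match
# the IPsec policy (src 192.168.10.0/24 -> dst 192.168.20.0/24) and leave the
# router unencrypted. The tunnel shows Active on both sides, but pings never
# reach the other LAN, which is the symptom described above.
/ip firewall nat print

# Fix (NAT bypass): accept tunnel traffic before any masquerade rule.
# place-before=0 inserts the rule at position 0, the same as dragging the new
# entry to the top in Winbox/Webfig.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="IPsec NAT bypass to X500 BOVPN" place-before=0

# Order matters: the accept rule must now be listed above the masquerade rule.
/ip firewall nat print

# Verify phase 1 and phase 2 state, i.e. the two lists that stayed empty until
# the tunnel came up. Both should have entries once the SAs are negotiated.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

The bypass rule only covers the two subnets given; if more networks are added to the IPsec policy, each pair needs its own accept rule above masquerade.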

This is the same as the last step in the example on the IPsec manual wiki :slight_smile:

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_Bypass