[Openswan Users] iked (Internet Key Exchange Daemon) in Watchguard Firebox T30 Firewall Not Working Properly?

Turritopsis Dohrnii Teo En Ming tdteoenming at gmail.com
Sat Apr 6 22:43:16 EDT 2019


Subject/Topic: iked (Internet Key Exchange Daemon) in Watchguard
Firebox T30 Firewall Not Working Properly?

Good morning from Singapore,

On the late afternoon of Thursday, 4 April 2019, our customer Teo En
Ming Aeronautics and Space Administration (TEMASA) (fictitious company
name) informed us that their site-to-site IPsec VPN tunnel was down.

Our customer Teo En Ming Aeronautics and Space Administration (TEMASA)
(fictitious company name) has a Watchguard Firebox T30 firewall in
their headquarters and a Sophos UTM (SG) firewall in the Cloud. Both
firewalls were configured for site-to-site IPsec VPN tunnel.

We checked the VPN diagnostic logs in the Watchguard firewall and
tried all possible combinations for IPsec Phase 1 and Phase 2 settings
from 5.30 PM to 9.00 PM Singapore time but to no avail. We have also
examined the firewall policies and changed the IPsec pre-shared key.

At 9.15 AM on Friday, 5 April 2019, we went on-site to our customer
TEMASA. I asked my counterpart, the Cloud Administrator, to change the
IPsec pre-shared key and also IPsec Phase 1 and Phase 2 settings in
the Sophos UTM firewall according to the Sophos UTM IPsec Phase 1 and
Phase 2 settings screenshot I sent to her. On our side, I also changed
the IPsec pre-shared key and IPsec Phase 1 and Phase 2 settings in the
Watchguard firewall to sync with the Sophos UTM firewall. The
site-to-site IPsec VPN tunnel is still down after all the changes and
fine-tuning.

At about 11.08 AM Singapore Time, I requested to reboot the Watchguard
firewall. I also dug deeper into the VPN diagnostics logs and found
out that UserSpace iked (Internet Key Exchange Daemon) had crashed
before in the year 2017, 3 years ago.

At about 1.48 PM Singapore Time (Lunch Time), we rebooted the
Watchguard firewall. The site-to-site IPsec VPN tunnel came up and
went online!

Although the iked daemon did not crash this time (4th April 2019), do
you think that the iked daemon is not working properly, or that the
process is stale? After we rebooted the Watchguard firewall, the
site-to-site IPsec VPN tunnel became operational again. Looking at the
VPN diagnostics logs in the Watchguard firewall, I observed that the
iked daemon is responsible for handling all the site-to-site IPsec VPN
tunnel connections.

The Watchguard firewall OS is based on the Linux operating system. It is
possible to ssh into the firewall and restart the iked process
without rebooting the firewall itself.

I am looking forward to your advice.

Thank you very much.

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Mr. Turritopsis Dohrnii Teo En Ming's Academic
Qualifications as at 14 Feb 2019

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----

