OT - Watchguard Firewall (and setting up VPN)

From: David White 
This is a bit off topic, but if there's anyone in my network who would know
anything about this, it would be one of you guys.

I wrote a question on ServerFault about an issue I'm having setting up a
VPN on a Watchguard Firewall. Does anyone have any experience with this?


- David

David White
Founder & CEO
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide

===============================================================
From: Joe Freeman
------------------------------------------------------
I highly dislike watchguards, but for what it's worth-

Are you attempting a site-to-site VPN via SSL?

I see this in the log-
no data channel send key available:

That has me wondering if you have a valid cert or key configured on your end of the connection.

Joe

===============================================================
From: David White
------------------------------------------------------
No, but I AM attempting an SSL VPN from the client (a Windows 7 laptop).

I was able to accept the SSL cert from the server (although it was obviously a self-signed cert).

I have never used Watchguard before this (and I inherited the system), so I still don't have much of an opinion about it.

===============================================================
From: Joe Freeman
------------------------------------------------------
Are you using the Watchguard client or trying to do it native Windows7?

===============================================================
From: David White
------------------------------------------------------
I'm using the Watchguard Client.

===============================================================
From: Dave Brockman
------------------------------------------------------
When did Windows 7 get a native SSL-VPN client? Which vendors' VPN-SSL concentrator is it compatible with?

Regards,

dtb

===============================================================
From: Sudo Bash
------------------------------------------------------
What model of Watchguard? I have an x550e I just converted to pfSense and it supports OpenVPN...

I have some Watchguards with the XTM firmware though, I may be able to help you out, but I've only ever set up OpenVPN servers under pfSense.

I honestly recommend installing pfSense on these units, and I have the CF cards to update the BIOS to display over serial, which also allows you to boot larger CF cards. I also have a spare CF Card with pfSense already on it, you can pop it in and boot.

===============================================================
From: Sudo Bash
------------------------------------------------------
Let me know if you are interested, I really hate the XTM firmware but I adore pfSense and it's based on FreeBSD with OpenBSD's TCP stack...

===============================================================
From: David White
------------------------------------------------------
I use pfSense as my home firewall. I love it.

This is a client's box and I think I'd have a hard time convincing them to move.

===============================================================
From: Sudo Bash
------------------------------------------------------
Read somewhere that pfSense is now considered a fully capable commercial solution.

===============================================================
From: David White
------------------------------------------------------
Oh, I completely agree. It's not my box and not my decision. I will talk with them about it though.