Gotta go do chores in a few minutes because we're going to dinner and then to an Irish music performance and lecture.
Still, I need to vent about lousy documentation, on three sides: Windows (nothing new there), Linux (you mean there even IS documentation?) and Watchguard Systems (no excuse there, guys; people pay big bucks for your trash).
A couple of years ago, I had VPN working from home to the Watchguard Firebox II at work. This let me log in over an encrypted tunnel to tweak things or check on a problem if someone called me, rather than having to drive 15 miles to work on my day off.
Last year the Firebox was upgraded to an X700. VPN has never worked since. I figured it was because the consultants never put my definitions back in, and didn't get around to it for a while because it's a tortuous process only partly described by Watchguard's documents. However, I finally decided I do need it, so this week I've been trying to reinstate it.
No joy. I've followed Watchguard's instructions step by step, defining the connection, enabling it, defining the user, loading all to the firewall box. Since they only provide client setup for Windows, I set up my test client at home on my mate's Windows XP. According to both Microsoft and Watchguard, everything is set up properly. Except, it won't connect. There's a negotiation all right, the Firebox opens a connection when requested, but after a couple of packets are exchanged, it shuts down. So far nothing appears in the log there. The debugging logs on the client station indicate that the connect request is acknowledged, a handshake is exchanged, and then the server closes the connection. I can't see that they even get as far as the authentication sequence. I thought the Norton Firewall on Gary's machine was perhaps interfering, so I disabled it briefly, but with the same result.
Windows produces an error number 619, which is supposed to mean that the port was not available. This makes no sense, because I can see the connection take place and then break. A port unavailable yields either no response or a single denial message.
The Linux VPN client (pptp-client) is messy to set up, but I do understand how it is supposed to work. It doesn't, though. Again, the debug log indicates that the server acknowledges the connection but then closes the socket before asking for authentication. Who knows what Watchguard is doing? I don't. I'm not sure they do either.
I've turned on the debug logging at the server end, but haven't been back there yet to see if it says anything. I don't have high expectations, though. I can find several other people over the past two or three years posting similar questions on various Linux and security forums. I have found no case where an answer was provided, or where the original poster came back and said he/she got it to work and here's how. As far as I can determine, Watchguard's RUVPN is just broken and doesn't work at all.
no subject
Date: 2007-03-15 09:47 pm (UTC)

no subject
Date: 2007-03-15 10:06 pm (UTC)
I'm irritated at the poor quality of documentation for this particular Linux add-on (pptp-client), but the thing isn't much more than a beta that has been released too soon. They obviously tested it mostly against Linux servers, perhaps entirely so. Oddly enough, Watchguard runs Linux internally (as do most firewall appliances), but on the surface they only support Windows, and they try not to admit that they have a Linux kernel hidden under the red paint.
Microsoft's own firewall, with which I had some experience a few years ago, was incomprehensible. I never want to see that one again.
My own firewall at home, built entirely using iptables, is so much easier to understand and modify... Not only that, but it works perfectly. Of course you couldn't sell it as a "product" because 1) in order to use it, you have to actually understand what a firewall does, and how, and why; 2) you have to use command lines to construct or modify it; and 3) it's open source, and they give it away for free, so it couldn't possibly compare with something top secret, patented, trademarked, and that requires a $750 per year fee to keep operating. I'll never get mob psychology.
no subject
Date: 2007-03-15 10:29 pm (UTC)

no subject
Date: 2007-03-16 12:27 am (UTC)
It appears that I'll have to upgrade the software on the firewall itself by at least a level or two. It's a known bug at the version that is installed.
no subject
Date: 2007-03-16 01:32 am (UTC)
Sounds like something is seeing it make the connection, then shutting it off. A security feature on one of the machines?
no subject
Date: 2007-03-16 02:20 am (UTC)
It appears from Watchguard's support database that this is a known problem with the version of software currently running on our unit. The fix is to install the next release. I guess I'll have to do that. Ugh.
no subject
Date: 2007-03-16 02:07 am (UTC)

no subject
Date: 2007-03-16 02:21 am (UTC)

no subject
Date: 2007-03-16 04:04 am (UTC)

no subject
Date: 2007-03-16 08:49 am (UTC)