I'm sure you have your Authentication Servers set to: Active Directory

Make sure your search base is correct: DC=mydomain,DC=local
Group String: memberOF
Login Attribute: sAMAccountName

Point it at a Global catalog on port 3268 - Works much better.

Also check to see if your Group name is the same in your Firebox (It's case sensitive) and the Auth Server is set to Active Directory in VPN with IPSec.

Be sure to define your domain name, DNS servers (Internal DNS Server) and a WINS server (If you have one) on the Firebox's Network Configuration. The VPN Client will use these when it gets connected.

Be sure your IP range you are giving your VPN clients is outside your DHCP scope (If you're providing DHCP from a Windows server to your local clients).

________________________________________
From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2008 6:01 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Well, then hopefully the upgrade will help. I'm running 10.0 at the moment, and plan to upgrade to 10.2.3 in the morning...

Joe Heaton
Employment Training Panel

From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2008 3:36 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Just that getting a Firebox to actually search the right OU is a pain in the freaking ass. Of course, the two times I've configured such, I was using 9.1, so take that for what it's worth. It's supposed to just "work" in 10.2 and later, but I have not had to set that up from scratch, just updated the ones I did a year ago.

From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2008 3:05 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Ok, so I've gotten a successful connection using the Firebox DB for authentication. I'd like, however, to use AD authentication, but I keep getting a PAP/CHAP error of Wrong username or password. I've created a security group, named VPN, I've put myself in the group, and I've set up the authentication server within the firebox to go to the correct OU. Any ideas on this?
I haven't upgraded the firebox yet, plan to do that in the morning, but any tips I can find in here to help point me would be appreciated. By the way, I ended up checking the IPsec passthru box to get to where I am now.

Joe Heaton
Employment Training Panel

From: Mark Boersma [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 5:16 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Actually 10.2.3 is out now. Usually the IKE errors occur if the client can't see the server, as in no internet connection. Can you ping the IP of the Firebox you are trying to connect to?

Mark
-------------------------------------------------
Two rules to success in life:
1. Never tell people everything you know.

From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 4:29 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

If it's never worked before, I suggest contacting your support. You might try upgrading the firewall to 10.2.2. There were some issues with 10.0 and even 10.0.1 with certain types of MUVPNs.

From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 1:07 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Fireware v.10 on the box. Yes, using Watchguard Mobile VPN client v. 10.04. Using a laptop for the connection, at the moment directly connected to the network. I do have support, I just figured I'd post here, to see if anyone had any previous experience with this general error, before I called them.

Joe Heaton
Employment Training Panel

From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 10:49 AM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

What version of the software is installed on your Core? Are you using the Watchguard Mobile Client software? What kind of PC are you connecting from? Do you get support from your reseller?

From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2008 10:15 AM
To: NT System Admin Issues
Subject: Watchguard firewall question

Anyone familiar with setting up VPN w/IPsec on these? I have a 750x and I keep getting an IKE error - Lost contact to peer. I have the log file, but it's not very enlightening either. I know there's a couple of Watchguard guys on here, and I figured I'd give it a shot before I call support.

Thanks,

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA 95814
(916) 327-5276
[EMAIL PROTECTED]
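
Added example, not part of any message in this thread: a pre-flight check of the points raised in the first reply at the top (user under the search base, case-sensitive group name, VPN address pool outside the DHCP scope). It assumes the firewall compares its group name against the CN of each memberOf value; all DNs, group names and address ranges below are constructed samples.

```python
import ipaddress
import re

def _norm(dn):
    # AD compares DNs case-insensitively; drop spaces around the separators.
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def under_base(dn, search_base):
    """True if dn is the search base itself or sits below it."""
    dn, base = _norm(dn), _norm(search_base)
    return dn == base or dn.endswith("," + base)

def group_cn(dn):
    """Leading CN of a group DN, or None if the DN does not start with CN=."""
    key, _, value = re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")
    return value.strip() if key.strip().upper() == "CN" else None

def check_group(firebox_group, member_of):
    """'match', 'case-mismatch' or 'missing' for the group named on the firewall."""
    cns = [cn for cn in map(group_cn, member_of) if cn]
    if firebox_group in cns:
        return "match"
    if firebox_group.lower() in (cn.lower() for cn in cns):
        return "case-mismatch"
    return "missing"

def ranges_overlap(a_first, a_last, b_first, b_last):
    """True if two inclusive IP ranges share at least one address."""
    a0, a1, b0, b1 = map(ipaddress.ip_address, (a_first, a_last, b_first, b_last))
    return a0 <= b1 and b0 <= a1

def preflight(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not under_base(cfg["user_dn"], cfg["search_base"]):
        findings.append("user is outside the search base")
    state = check_group(cfg["firebox_group"], cfg["member_of"])
    if state != "match":
        findings.append("group " + state)
    if ranges_overlap(*cfg["vpn_pool"], *cfg["dhcp_scope"]):
        findings.append("VPN pool overlaps DHCP scope")
    return findings

# Constructed sample values, not taken from the thread.
SAMPLE = {
    "search_base": "DC=mydomain,DC=local",
    "user_dn": "CN=Test User,OU=Staff,DC=mydomain,DC=local",
    "member_of": ["CN=vpn,OU=Groups,DC=mydomain,DC=local",
                  "CN=Staff,OU=Groups,DC=mydomain,DC=local"],
    "firebox_group": "VPN",
    "vpn_pool": ("192.168.1.200", "192.168.1.210"),
    "dhcp_scope": ("192.168.1.100", "192.168.1.250"),
}
```

With the sample values, `preflight(SAMPLE)` reports the group as a case mismatch (`vpn` in the directory, `VPN` on the firewall) and flags the address overlap.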