carlosmp
just joined
Topic Author
Posts: 13
Joined: Sat Nov 26, 2011 11:02 pm

Ipsec vpn to sonicwall

Thu Nov 14, 2013 7:09 pm

Hi,

Having a hard time getting a VPN up and running. The other side is a SonicWall (which we don't/can't control).

We seem to get most of the connection up, but we see the following, and no traffic flows:
 /ip ipsec remote-peers print
 0 local-address=1.1.1.1 remote-address=2.2.2.2 state=established side=initiator established=6m30s  
> /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs 
 0 E  spi=0 src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s 

 1 E  spi=0x34B00AB src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=none enc-algorithm=none replay=0 state=larval 
      add-lifetime=0s/30s 
Turning logging on in the console, we see the following once we clear the 'my ID user FQDN' value, which, based on what I've been able to find, should send the IP. On the SonicWall, leaving that blank should also make the IP the default.
echo: ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
echo: ipsec,debug,packet notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=0c431bd2(size=4).
/ip ipsec policy print shows:
Flags: T - template, X - disabled, D - dynamic, I - inactive 
 0    src-address=192.168.110.0/24 src-port=any dst-address=10.7.1.22/32 dst-port=any protocol=all action=encrypt level=require 
      ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=sonicwall-asa priority=0
/ip ipsec peer shows:
 
     address=2.2.2.2/32 passive=no port=500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main 
     send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=8h 
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
/ip ipsec proposal
echo: ipsec IPsec-SA expired: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=234896348(0xe003bdc
Also have the NAT rule to bypass.
0   chain=srcnat action=accept src-address=192.168.110.0/24 dst-address=10.7.1.22
The other side claims that it's a NAT issue on our side, based on what they see in their logs:
4	11/14/2013 08:09:49.512	Warning	VPN IKE	IKE Responder: Peer's network does not match VPN policy's Network	1.1.1.1, 500	2.2.2.2, 500	VPN Policy: AAA; Peer 10.7.1.22->192.168.110.0/255.255.255.0;Local:10.7.1.22 ->10.81.25.0 / 255.255.255.0
5	11/14/2013 08:09:49.496	Info	VPN IKE	IKE Responder: Received Quick Mode Request (Phase 2)	1.1.1.1, 500	2.2.2.2, 500	VPN Policy: AAA
6	11/14/2013 08:09:39.144	Warning	VPN IKE	IKE Responder: IPSec proposal does not match (Phase 2)	1.1.1.1, 500	2.2.2.2, 500	VPN Policy: AAA
Based on this, it would seem that the IPsec proposal isn't matching, but as far as I can tell from the information they've sent, it does. The only thing I've noticed, and tried both ways, is that the IPsec (phase 2) proposal doesn't seem to have a definition for DH group 2, but I'm not sure whether that would have an effect or whether it carries over from phase 1...

Any thoughts?

Thanks in advance,
Carlos.
 
carlosmp

Re: Ipsec vpn to sonicwall

Thu Nov 14, 2013 9:15 pm

Looks like they forgot to mention that they need us to NAT everything as 10.81.25.0/24. Tunnel is up now after they clarified that and we were able to netmap stuff...

Thanks.
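The fix the last post describes, written out as an added RouterOS configuration example. This is not configuration from the thread, from the poster, or from MikroTik; it assumes the addresses quoted in the first post (LAN 192.168.110.0/24, remote host 10.7.1.22, peers 1.1.1.1 and 2.2.2.2), the existing proposal name sonicwall-asa, and that the SonicWall expects the local network to appear as 10.81.25.0/24, as the second post says. The pfs-group value is an assumption to be matched against the remote side's PFS setting.

```routeros
# Added example, not from the thread. Present the LAN to the SonicWall as
# 10.81.25.0/24 with a 1:1 netmap, then encrypt the mapped addresses.
# Addresses are assumed from the first post; 10.81.25.0/24 is the network
# the remote side later said it expects.

# 1. Replace the plain "accept" bypass rule with a netmap rule. RouterOS
#    applies srcnat before the IPsec policy lookup, so the policy below must
#    match the mapped source, not the real LAN. Netmap is 1:1, so
#    192.168.110.x leaves as 10.81.25.x and connection tracking un-maps the
#    replies. place-before=0 keeps it above any masquerade rule; otherwise
#    the masquerade matches first and traffic leaves with the WAN address.
/ip firewall nat
remove [find chain=srcnat action=accept src-address=192.168.110.0/24 dst-address=10.7.1.22]
add chain=srcnat action=netmap src-address=192.168.110.0/24 dst-address=10.7.1.22 \
    to-addresses=10.81.25.0/24 place-before=0 \
    comment="map LAN to the subnet the SonicWall expects"
# Caveat: this covers connections started from the LAN. If 10.7.1.22 must
# open connections toward 10.81.25.x, add the mirror rule as well:
# add chain=dstnat action=netmap src-address=10.7.1.22 dst-address=10.81.25.0/24 \
#     to-addresses=192.168.110.0/24

# 2. Phase 2 selector: the mapped network, not the real one. With the real
#    LAN here the SonicWall logs "Peer's network does not match VPN policy's
#    Network", which is what the first post shows.
/ip ipsec policy
set [find dst-address=10.7.1.22/32 sa-dst-address=2.2.2.2] src-address=10.81.25.0/24
# Equivalent, when adding from scratch:
# add src-address=10.81.25.0/24 dst-address=10.7.1.22/32 protocol=all action=encrypt \
#     level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 \
#     sa-dst-address=2.2.2.2 proposal=sonicwall-asa

# 3. Phase 2 proposal. The phase 1 dh-group does not carry over; PFS is a
#    separate phase 2 setting on the proposal. Match the SonicWall: modp1024
#    if it uses PFS with DH group 2 (assumed here), none if PFS is off.
#    Leave enc/auth algorithms as agreed with the remote side.
/ip ipsec proposal
set [find name=sonicwall-asa] pfs-group=modp1024

# 4. Checks: the SA pair should leave state=larval and show real algorithms,
#    the netmap counters should climb when LAN hosts talk to 10.7.1.22, and
#    tracked connections should show the 10.81.25.x reply address.
/ip ipsec installed-sa print
/ip firewall nat print stats where action=netmap
/ip firewall connection print where dst-address~"10.7.1.22"
```

If the SAs stay in the larval state after this, re-check the phase 2 selectors and PFS first: a selector or PFS mismatch produces exactly the "IPSec proposal does not match (Phase 2)" and "Peer's network does not match" warnings quoted above, while phase 1 still reports established.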