• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1576
  • Last Modified:

SonicWall VPN Tunnel Issue

I am running a Sonic Wall Pro2040 and I am trying to connect to my client's network through a VPN I configured. I have verified their gateway's IP is correct, but I can't ping that address. The only setting that seems to be sticking out is that the green active indicator is only on ONE policy and not both. I just checked the log and I see "IKE Initiator: Recieved notify. NO_PROPOSAL-CHOSEN" This message is coming from the IP that I am trying to connect to.
Please any assistance is greatly appreciated?
0
Smullings
Asked:
Smullings
  • 4
  • 3
  • 2
1 Solution
 
jeffsteffyCommented:
is this a site to site vpn between two sonicwall's? or are you using the VPN client? what firmware versions are you using?is this a new or existing tunnel?
0
 
budchawlaCommented:
What version of SonicOS are you running?

Are both endpoints SonicWALLs? If so, details of the other one (model, OS etc) would be useful.

"can't ping..." - this is fine, firewalls often drop incoming ICMP packets from the WAN. This does not necessarily indicate a problem

"green light" - this only comes on when the tunnel is active. Since your tunnel isn't working, I would expect there to be no green light. Which policy is the green light on for?

Have you configured the VPN IKE proposals etc identically both ends?

Use the steps from :
http://www.sonicwall.com/downloads/Site_to_Site_VPN_Using_DHCP_over_VPn__SonicOS_Enhanced_at__.pdf

and disregard the DHCP over VPN bits if they aren't relevant to you...
0
 
SmullingsAuthor Commented:
The version is Firmware Version: SonicOS Standard 3.1.0.7-77s .
The green light is for a policy that is active for another client I support. Is there anything I should look for as far as that is concerned?

VPN IKE proposal =  I was told by the site admin that he shows both side's from his end that we are connected to the tunnel which would indicate that the IKE settings are correct, Am I correct?

I have verified that the shared secret is correct as well.

Oh and this would be a tunnel from My external LAN (not part of the enterprise) to their site lan.

Any Ideas?

0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
SmullingsAuthor Commented:
I missed one question, I don't know the exact model but they are using Cisco product. I apologize for the lack of information.
0
 
jeffsteffyCommented:
in the sonicwall Recieved notify. NO_PROPOSAL-CHOSEN" means the policy does not match or not configured correctly.
on the vpn policy use IPSec Keying Mode:
IPSec Primary Gateway Name or Address: add public IP of Cisco
Specify destination networks below  add network address example 192.168.100.0
on proposal page leave defaults and uncheck Enable Perfect Forward Secrecy
make sure Encryption: and Authentication: match
on advanced page VPN Terminated at: LAN
on the VPN > Advanced VPN Settings check box for Preserve IKE Port for Pass Through Connections
0
 
jeffsteffyCommented:
to allow ping create firewall access rule to allow ping from wan to private ip of sonicwall lan interface
0
 
SmullingsAuthor Commented:
Here is an update. We changed where the VPN terminate's from LAN/DMZ to LAN, and immediately both tunnels negiotated instantly and connected. But I still cannot ping any Node that I need to access. The admin on the tunnel;s other end is stating that I have all the access, but I dont't think so. They are using a NETSCREEN firewall. Now what could be the issue?
0
 
SmullingsAuthor Commented:
What would prevent normal traffick to flow through a site to wan VPN? Although NETBIOS traffic normally on both sides of the tunnel?
We are running a dual NIC server 1 has a static IP, another has a dynamic IP.I can ping their gateway and it replies, but that's where the problem lies. Could an outdated firmware cause this issue? We are using a SonicWall Pro 2040 & They are using  Netscreen,
0
 
budchawlaCommented:
Hi there,
There are a number of things that could cause a problem like this... they could be related to routing, NAT policies or firewall policies.
You'll need to ensure that all possible causes are looked into.

Are the destination subnets set correctly?
Is traffic being sent to the correct gateway (the NetScreen)?
Is the traffic being handled correctly by the remote gateway?

Easiest way to solve these problems is to run a packet trace on the destination gateway and see what happens when you try to establish a connection over the VPN. I'm not familiar with NetScreens so I can't give you a step by step for this, but basically you want to see if
(a) the traffic from your LAN reaches the NetScreen
(b) the traffic is handled correctly by the NetScreen - i.e. forwarded to the relevant host on the LAN.

Once you know where things are falling over then you'll have to check the relevant rules - whether routing or firewall etc.

These docs may be of use to you:

Site-to-Site VPN Tunnel is up but no traffic is passing:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=f0d40e5135d24618a49f3061e1a865d5_Site2Site_Tunnel_up___no_traffic.pdf&amsstatsid=249153

Site-to-Site VPN Troubleshooting:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=5948d7beccda4ab6adfd484723d36ec7_site_to_site_vpn_troubleshooting_Guide.pdf&amsstatsid=249153

SonicWALL VPN with Netscreen using IKE AM:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=3d9e7aa8d690483bbef75f27627c6dc3_SonicWALL_VPN_with_Netscreen_using_IKE_AM_6_4_2.pdf&amsstatsid=249153

SonicWALL VPN with Netscreen using IKE:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=bd252f7971444e3581fe0ce7ea67ec4f_SonicWALL_VPN_with_Netscreen_using_IKE_6_4_2.pdf&amsstatsid=249153


 
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now