Solved

SonicWall VPN Tunnel Issue

Posted on 2007-09-28
Last Modified: 2011-09-20
I am running a SonicWall Pro 2040 and I am trying to connect to my client's network through a VPN I configured. I have verified their gateway's IP is correct, but I can't ping that address. The only setting that seems to be sticking out is that the green active indicator is only on ONE policy and not both. I just checked the log and I see "IKE Initiator: Recieved notify. NO_PROPOSAL-CHOSEN". This message is coming from the IP that I am trying to connect to.
Please, any assistance is greatly appreciated.
0
Question by:Smullings
9 Comments
 
LVL 2

Expert Comment

by:jeffsteffy
ID: 19982853
Is this a site-to-site VPN between two SonicWALLs, or are you using the VPN client? What firmware versions are you using? Is this a new or existing tunnel?
0
 
LVL 10

Expert Comment

by:budchawla
ID: 19984609
What version of SonicOS are you running?

Are both endpoints SonicWALLs? If so, details of the other one (model, OS etc) would be useful.

"can't ping..." - this is fine, firewalls often drop incoming ICMP packets from the WAN. This does not necessarily indicate a problem.

"green light" - this only comes on when the tunnel is active. Since your tunnel isn't working, I would expect there to be no green light. Which policy is the green light on for?

Have you configured the VPN IKE proposals etc. identically at both ends?

Use the steps from:
http://www.sonicwall.com/downloads/Site_to_Site_VPN_Using_DHCP_over_VPn__SonicOS_Enhanced_at__.pdf

and disregard the DHCP over VPN bits if they aren't relevant to you...
0
 

Author Comment

by:Smullings
ID: 19984896
The version is Firmware Version: SonicOS Standard 3.1.0.7-77s.
The green light is for a policy that is active for another client I support. Is there anything I should look for as far as that is concerned?

VPN IKE proposal = I was told by the site admin that he shows both sides from his end that we are connected to the tunnel, which would indicate that the IKE settings are correct. Am I correct?

I have verified that the shared secret is correct as well.

Oh, and this would be a tunnel from my external LAN (not part of the enterprise) to their site LAN.

Any ideas?

0
 

Author Comment

by:Smullings
ID: 19984903
I missed one question. I don't know the exact model, but they are using a Cisco product. I apologize for the lack of information.
0
 
LVL 2

Expert Comment

by:jeffsteffy
ID: 19985315
In the SonicWall, "Recieved notify. NO_PROPOSAL-CHOSEN" means the policy does not match or is not configured correctly.
On the VPN policy use IPSec Keying Mode:
IPSec Primary Gateway Name or Address: add the public IP of the Cisco
Specify destination networks below: add the network address, for example 192.168.100.0
On the proposal page, leave the defaults and uncheck Enable Perfect Forward Secrecy
Make sure Encryption: and Authentication: match
On the advanced page, VPN Terminated at: LAN
On VPN > Advanced VPN Settings, check the box for Preserve IKE Port for Pass Through Connections
0
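The settings comparison this comment calls for (Encryption and Authentication matching, Perfect Forward Secrecy set the same way on both ends) can be done mechanically once each administrator has written down their proposal. This is an added example, not part of the original thread; the field names, the alias table and every sample value are constructed for illustration.

```python
# Added example: field names and all sample values are constructed.
import re

# Different spellings of the same algorithm, mapped to one token.
ALIASES = {
    "3descbc": "3des", "tripledes": "3des",
    "aes128cbc": "aes128", "aes256cbc": "aes256",
    "hmacsha1": "sha1", "hmacmd5": "md5",
    "group1": "dh1", "modp768": "dh1",
    "group2": "dh2", "modp1024": "dh2",
    "group5": "dh5", "modp1536": "dh5",
    "off": "none", "disabled": "none", "unchecked": "none",
}

def normalize(value):
    """Lower-case, drop punctuation and spaces, then fold known aliases."""
    key = re.sub(r"[^a-z0-9]", "", str(value).lower())
    return ALIASES.get(key, key)

def diff_proposals(local, remote):
    """Return (phase, field, local_value, remote_value) for each mismatch."""
    mismatches = []
    for phase in ("phase1", "phase2"):
        fields = sorted(set(local[phase]) | set(remote[phase]))
        for field in fields:
            mine = local[phase].get(field, "<unset>")
            theirs = remote[phase].get(field, "<unset>")
            if normalize(mine) != normalize(theirs):
                mismatches.append((phase, field, mine, theirs))
    return mismatches

# Constructed: what each administrator read off their own gateway.
LOCAL = {
    "phase1": {"encryption": "3DES", "authentication": "SHA1", "dh_group": "Group 2"},
    "phase2": {"encryption": "3DES", "authentication": "SHA1", "pfs_group": "Group 2"},
}
REMOTE = {
    "phase1": {"encryption": "3des-cbc", "authentication": "sha-1", "dh_group": "modp1024"},
    "phase2": {"encryption": "aes128-cbc", "authentication": "hmac-sha1", "pfs_group": "none"},
}

if __name__ == "__main__":
    for phase, field, mine, theirs in diff_proposals(LOCAL, REMOTE):
        print(f"{phase} {field}: local={mine!r} remote={theirs!r}")
```

In the sample, Phase 1 agrees despite the different spellings, while Phase 2 differs in encryption and in PFS, the kind of disagreement a peer answers with a no-proposal-chosen notify.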
 
LVL 2

Expert Comment

by:jeffsteffy
ID: 19985324
To allow ping, create a firewall access rule to allow ping from WAN to the private IP of the SonicWall LAN interface.
0
 

Author Comment

by:Smullings
ID: 20018797
Here is an update. We changed where the VPN terminates from LAN/DMZ to LAN, and immediately both tunnels negotiated instantly and connected. But I still cannot ping any node that I need to access. The admin on the tunnel's other end is stating that I have all the access, but I don't think so. They are using a NETSCREEN firewall. Now what could be the issue?
0
 

Author Comment

by:Smullings
ID: 20026399
What would prevent normal traffic to flow through a site to wan VPN? Although NETBIOS traffic normally on both sides of the tunnel?
We are running a dual NIC server: one has a static IP, another has a dynamic IP. I can ping their gateway and it replies, but that's where the problem lies. Could an outdated firmware cause this issue? We are using a SonicWall Pro 2040 and they are using NetScreen.
0
 
LVL 10

Accepted Solution

by:
budchawla earned 2000 total points
ID: 20027087
Hi there,
There are a number of things that could cause a problem like this... they could be related to routing, NAT policies or firewall policies.
You'll need to ensure that all possible causes are looked into.

Are the destination subnets set correctly?
Is traffic being sent to the correct gateway (the NetScreen)?
Is the traffic being handled correctly by the remote gateway?

Easiest way to solve these problems is to run a packet trace on the destination gateway and see what happens when you try to establish a connection over the VPN. I'm not familiar with NetScreens so I can't give you a step by step for this, but basically you want to see if
(a) the traffic from your LAN reaches the NetScreen
(b) the traffic is handled correctly by the NetScreen - i.e. forwarded to the relevant host on the LAN.

Once you know where things are falling over then you'll have to check the relevant rules - whether routing or firewall etc.

These docs may be of use to you:

Site-to-Site VPN Tunnel is up but no traffic is passing:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=f0d40e5135d24618a49f3061e1a865d5_Site2Site_Tunnel_up___no_traffic.pdf&amsstatsid=249153

Site-to-Site VPN Troubleshooting:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=5948d7beccda4ab6adfd484723d36ec7_site_to_site_vpn_troubleshooting_Guide.pdf&amsstatsid=249153

SonicWALL VPN with Netscreen using IKE AM:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=3d9e7aa8d690483bbef75f27627c6dc3_SonicWALL_VPN_with_Netscreen_using_IKE_AM_6_4_2.pdf&amsstatsid=249153

SonicWALL VPN with Netscreen using IKE:
http://www4.nohold.net/noHoldCust301/Prod_1/KnowledgePortal/KPScripts/amsviewer.asp?docid=bd252f7971444e3581fe0ce7ea67ec4f_SonicWALL_VPN_with_Netscreen_using_IKE_6_4_2.pdf&amsstatsid=249153


 
0
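The first and third questions in the accepted answer (are the destination subnets set correctly, and does the remote gateway handle the traffic) can be checked against the two policies before anyone runs a packet trace. This is an added example, not part of the original thread; the policy layout, function names and all addresses are constructed, with 192.168.100.0/24 echoing the example network used earlier in the thread.

```python
# Added example; every address and policy below is constructed sample data.
import ipaddress

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def _in_any(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _nets(cidrs))

def selector_mismatches(near, far):
    """Each policy is {'local': [cidr...], 'remote': [cidr...]}.
    The two ends should describe the same pair of networks, mirrored."""
    problems = []
    if set(_nets(near["remote"])) != set(_nets(far["local"])):
        problems.append("near.remote != far.local")
    if set(_nets(near["local"])) != set(_nets(far["remote"])):
        problems.append("near.local != far.remote")
    return problems

def first_failure(near, far, src, dst):
    """Walk one packet src -> dst and name the first check it fails."""
    if not _in_any(src, near["local"]):
        return "near gateway: source is not in its local networks"
    if not _in_any(dst, near["remote"]):
        return "near gateway: destination is not in its destination networks"
    if not _in_any(dst, far["local"]):
        return "far gateway: destination is not in its local networks"
    if not _in_any(src, far["remote"]):
        return "far gateway: source is not in its remote networks"
    return None  # policies pass it: check firewall rules, NAT and host routing next

NEAR = {"local": ["192.168.1.0/24"], "remote": ["192.168.100.0/24"]}
FAR_OK = {"local": ["192.168.100.0/24"], "remote": ["192.168.1.0/24"]}
FAR_BAD = {"local": ["192.168.100.0/24"], "remote": ["192.168.10.0/24"]}

if __name__ == "__main__":
    print(selector_mismatches(NEAR, FAR_BAD))
    print(first_failure(NEAR, FAR_OK, "192.168.1.50", "192.168.100.20"))
    # A host answering from a second interface outside the tunnel's networks:
    print(first_failure(NEAR, FAR_OK, "10.0.0.23", "192.168.100.20"))
```

A `None` result means the policies themselves would carry the packet, which narrows the search to the firewall rules, NAT policies and routing the answer lists.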


Question has a verified solution.
