Solved

Site to Site VPN with TZ170 & TELE3

Posted on 2009-05-15
Last Modified: 2012-05-07
I have a TZ 170 Standard w/SonicOS Standard 3.1.5.0-2s firmware that I created a VPN on to connect to a TELE3 (CPU: Toshiba 3927 H2 / 133 MHz) w/6.6.3.0-3s firmware. I am not able to ping anything from either side. When viewing the tunnel statistics this is what I see:

TZ170
VPN Tunnel Statistics

Description              Value
Create Time              05/15/2009 06:08:11
Tunnel valid until       05/15/2009 14:08:11
Packets In               0
Packets Out              3
Bytes In                 0
Bytes Out                234
Fragmented Packets In    0
Fragmented Packets Out   0


TELE3
VPN Tunnel Statistics

Description              Value
Create Time              05/15/2009 03:56:42
Tunnel valid until       05/15/2009 11:56:42
Packets In               3
Packets Out              0
Bytes In                 234
Bytes Out                0
Fragmented Packets In    0
Fragmented Packets Out   0

Under the TZ170 log:
ICMP Packet dropped       ICMP Dest Unreachable, Code: 3
IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN

Under the TELE3 log:
IKE Responder: IPSec proposal does not match (Phase 2)
IKE Responder: No matching Phase 1 ID found for proposed remote network

I checked both of the configurations and they are the same.

Question by:nimdatx
7 Comments
LVL 13

Expert Comment

by:Ugo Mena
ID: 24396131
Based on your logs, it appears that your Phase 1 DH group, encryption algorithm or authentication settings do not match. FWIW, I typically try to stay away from using AES and MD5 proposals too.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 24396371
This is on the TZ170:

IKE (Phase 1) Proposal
Exchange:              Main Mode
DH Group:              Group 2
Encryption:            DES
Authentication:        MD5
Life Time (seconds):

IPsec (Phase 2) Proposal
Protocol:              ESP
Encryption:            DES
Authentication:        SHA1
DH Group:              Group 1
Life Time (seconds):   288000

This is on the TELE3:

Exchange:                            Main Mode
DH Group:                            Group 2
Life Time (seconds):                 288000
Encryption/Authentication phase 1:   DES & MD5
Encryption/Authentication phase 2:   Encryption and Authenticate (ESP DES HMAC SHA1)
Phase 2 DH Group:                    Group 1


It's funny because I have another VPN that seems to be working on the TELE3.
What would be the difference between them? Originally I had created the new VPN based on the working VPN.
0
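One way to check the two proposals posted above systematically, as an added example that is not from the thread or from SonicWall: the script transcribes both sides' Phase 1 and Phase 2 settings into dictionaries, normalises vendor spellings (so the TELE3's "HMAC SHA1" compares equal to the TZ170's "SHA1"), reports any field that differs or is left blank, and maps the three IKE log messages quoted in the question to the stage of negotiation they report on. The field names, the alias table and the stage labels are the script's own; the blank TZ170 Phase 1 lifetime is kept as "not stated" rather than guessed.

```python
import re

# Added example, not SonicWall code: compare two posted VPN policies field by
# field and map SonicOS IKE log lines to the stage of negotiation they report on.
# Field names, ALIASES and the stage labels are this script's own.

PHASE1_FIELDS = ("exchange", "dh_group", "encryption", "authentication", "lifetime")
PHASE2_FIELDS = ("protocol", "encryption", "authentication", "dh_group", "lifetime")

# Different UIs spell the same algorithm differently; collapse them to one token.
ALIASES = {"hmacsha1": "sha1", "hmacmd5": "md5", "sha": "sha1", "tripledes": "3des"}

# Transcribed from the TZ170 settings posted above. The Phase 1 lifetime was
# left blank in the post, so it is recorded as None ("not stated"), not guessed.
TZ170 = {
    "phase1": {"exchange": "Main Mode", "dh_group": "Group 2", "encryption": "DES",
               "authentication": "MD5", "lifetime": None},
    "phase2": {"protocol": "ESP", "encryption": "DES", "authentication": "SHA1",
               "dh_group": "Group 1", "lifetime": 288000},
}

# Transcribed from the TELE3 settings posted above; "ESP DES HMAC SHA1" is split
# into protocol, encryption and authentication.
TELE3 = {
    "phase1": {"exchange": "Main Mode", "dh_group": "Group 2", "encryption": "DES",
               "authentication": "MD5", "lifetime": 288000},
    "phase2": {"protocol": "ESP", "encryption": "DES", "authentication": "HMAC SHA1",
               "dh_group": "Group 1", "lifetime": 288000},
}

# Log lines copied from the question (constructed lists for this example).
TZ170_LOG = ["IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN"]
TELE3_LOG = ["IKE Responder: IPSec proposal does not match (Phase 2)",
             "IKE Responder: No matching Phase 1 ID found for proposed remote network"]

# Substring of a SonicOS message -> negotiation stage it implicates.
LOG_HINTS = (
    ("no_proposal_chosen", "proposal_rejected_by_peer"),
    ("ipsec proposal does not match (phase 2)", "phase2_proposal"),
    ("no matching phase 1 id found for proposed remote network", "peer_id_or_remote_network"),
)


def normalize(value):
    """Lower-case, strip separators and apply ALIASES; None stays None (not stated)."""
    if value is None:
        return None
    token = re.sub(r"[\s_\-/]", "", str(value).lower())
    return ALIASES.get(token, token)


def compare_phase(local, remote, fields):
    """Return the fields that differ and the fields that cannot be checked."""
    result = {"mismatches": [], "unverified": []}
    for field in fields:
        a, b = normalize(local.get(field)), normalize(remote.get(field))
        if a is None or b is None:
            result["unverified"].append(field)
        elif a != b:
            result["mismatches"].append((field, local[field], remote[field]))
    return result


def diagnose(local, remote):
    return {"phase1": compare_phase(local["phase1"], remote["phase1"], PHASE1_FIELDS),
            "phase2": compare_phase(local["phase2"], remote["phase2"], PHASE2_FIELDS)}


def classify_log(lines):
    """Return the set of stages implicated by the given log lines."""
    stages = set()
    for line in lines:
        low = line.lower()
        stages.update(stage for needle, stage in LOG_HINTS if needle in low)
    return stages


def next_checks(report, stages):
    """Combine the field comparison and the log hints into concrete things to verify."""
    checks = []
    for phase in ("phase1", "phase2"):
        for field, a, b in report[phase]["mismatches"]:
            checks.append(f"{phase} {field} differs: {a!r} vs {b!r}")
        for field in report[phase]["unverified"]:
            checks.append(f"{phase} {field} not stated on one side; confirm it matches")
    if "peer_id_or_remote_network" in stages:
        checks.append("responder cannot match the proposed remote network to a Phase 1 "
                      "peer ID; compare local/remote IDs and destination networks on both policies")
    if "phase2_proposal" in stages and not report["phase2"]["mismatches"]:
        checks.append("Phase 2 rejected although the posted ciphers agree; Quick Mode also "
                      "carries the protected networks (proxy IDs), so check those next")
    return checks


if __name__ == "__main__":
    rep = diagnose(TZ170, TELE3)
    for check in next_checks(rep, classify_log(TZ170_LOG + TELE3_LOG)):
        print("-", check)
```

Run as posted, it finds no cipher mismatch between the two proposals and flags only the unconfirmed Phase 1 lifetime, while the TELE3's responder messages point at the Phase 1 ID and the remote network rather than at the algorithms, which is the direction the accepted answer takes when it asks how each peer is identified.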
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24396689
Are the Life Times the same on each firewall? ...not to mention that 288000 is 80 hours.

Also check to see that you have defined the address object for the remote networks in each firewall.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 24396809
The lifetimes are the same between them and I don't think I can add address objects on either side. The only thing I can add is a static route and that didn't work.
I know I am almost there but I just cannot figure out what I am missing between the two.

What about changing the exchange mode to aggressive? What would that do?
0
 
LVL 13

Accepted Solution

by:
Ugo Mena earned 500 total points
ID: 24396929
Sorry, address objects are only available in the Enhanced OS version.
What are you using to ID the local and remote peer (IP address, FQDN, SonicWall ID)?
 
I would change the mode to aggressive... here is the long definition...

In IKE v1, there are two modes of exchanging authentication information: Main Mode and Aggressive Mode.

Main Mode: The node or gateway initiating the VPN queries the node or gateway on the receiving end, and they exchange authentication methods, public keys, and identity information. This usually requires six messages back and forth.

Aggressive Mode: To reduce the number of messages exchanged during authentication by half, the negotiation of which cryptographic algorithm to use is eliminated. The initiator proposes one algorithm and the responder replies if it supports that algorithm:
0
 
LVL 1

Author Comment

by:nimdatx
ID: 24397331
I switched it to Aggressive mode and the TELE3 crashed. I guess I am going to switch it back to main mode.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24397964
So did you get this VPN working?

You may want to change your phase 1 to 3DES/SHA1. If I remember correctly MD5, while more secure, also takes a lot more CPU... may be why the Tele3 crashed.
0