Cisco IOS to Sonic Wall IPSEC VPN Phase 2 Fails
asked by INSL

I administer a Cisco 2800 series router with IOS 124-22.T that I am having difficulty connecting via IPSec Tunnel to a Sonic Wall Pro3060 (Firmware: 4.0.0.2-51E) that I do not administer. Phase 2 negotiations fail as seen in the attached Debug (debug crypto isakmp). Please help!!!
*Note: Public IP addresses and security keys have been removed!

************************************************************
Cisco Configuration:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address [Sonic Wall WAN IP]
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map RDA-VPN 10 ipsec-isakmp
 set peer [Sonic Wall WAN IP]
 set transform-set ESP-3DES-SHA
 match address VPN-To-SonicWall
!
ip access-list extended VPN-To-SonicWall
 permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255

Router# show crypto map
Crypto Map "RDA-VPN" 10 ipsec-isakmp
        Peer = [sonic wall wan ip]
        Extended IP access list VPN-To-Abbotsford
            access-list VPN-To-Abbotsford permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255
        Current peer:  [sonic wall wan ip]
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA:  { esp-3des esp-sha-hmac  } ,
        }


************************************************************
Sonic Wall Config from screen shots sent to me.
   Source Network:  192.168.0.0-192.168.1.255
   Destination Network:  10.3.0.0-10.3.7.255

IKE (Phase 1) Proposal
   Exchange: Main Mode
   DH Group: 2
   Encryption:  3DES
   Authentication:  SHA1
   Lifetime:  86400

IPSec (Phase 2) Proposal
   Protocol:  ESP
   Encryption:  3DES
   Authentication:  SHA1
   PFS:  No
   DH Group: 2
   Lifetime:  86400 Seconds

I have been working on this for about 2 weeks now. Note: there are other IPSec VPNs running on both the Cisco and the SonicWall; therefore we know both of these appliances work.


*Jul 20 17:04:46.740: ISAKMP (4047): received packet from [sonic wall wan ip] dport 500 sport 500 Global (R) QM_IDLE
*Jul 20 17:04:46.740: ISAKMP: set new node 1603190157 to QM_IDLE
*Jul 20 17:04:46.744: ISAKMP:(4047): processing HASH payload. message ID = 1603190157
*Jul 20 17:04:46.744: ISAKMP:(4047): processing SA payload. message ID = 1603190157
*Jul 20 17:04:46.744: ISAKMP:(4047):Checking IPSec proposal 1
*Jul 20 17:04:46.744: ISAKMP: transform 1, ESP_3DES
*Jul 20 17:04:46.744: ISAKMP:   attributes in transform:
*Jul 20 17:04:46.744: ISAKMP:      SA life type in seconds
*Jul 20 17:04:46.744: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
*Jul 20 17:04:46.744: ISAKMP:      encaps is 1 (Tunnel)
*Jul 20 17:04:46.744: ISAKMP:      authenticator is HMAC-SHA
*Jul 20 17:04:46.744: ISAKMP:(4047):atts are acceptable.
*Jul 20 17:04:46.744: ISAKMP:(4047): IPSec policy invalidated proposal with error 32
*Jul 20 17:04:46.744: ISAKMP:(4047): phase 2 SA policy not acceptable! (local [cisco wan ip] remote [sonic wall wan ip])
*Jul 20 17:04:46.744: ISAKMP: set new node 1341071580 to QM_IDLE
*Jul 20 17:04:46.744: ISAKMP:(4047):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1212612576, message ID = 341071580
*Jul 20 17:04:46.744: ISAKMP:(4047): sending packet to [sonic wall wan ip] my_port 500 peer_port 500 (R) QM_IDLE
*Jul 20 17:04:46.744: ISAKMP:(4047):Sending an IKE IPv4 Packet.
*Jul 20 17:04:46.744: ISAKMP:(4047):purging node 1341071580
*Jul 20 17:04:46.748: ISAKMP:(4047):deleting node 1603190157 error TRUE reason "QM rejected"
*Jul 20 17:04:46.748: ISAKMP:(4047):Node 1603190157, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 20 17:04:46.748: ISAKMP:(4047):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Jul 20 17:05:11.748: ISAKMP:(4045):purging node 1767607813

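In the debug above the transform attributes are accepted ("atts are acceptable") and the proposal is then rejected at the policy level ("IPSec policy invalidated proposal with error 32", "phase 2 SA policy not acceptable"); on IOS that sequence means the peer's Quick Mode proxy identities (its traffic selectors) did not exactly match the crypto ACL. The Python below is an added example, not part of the original question or of any Cisco or SonicWall tool: it converts the Cisco wildcard-mask ACL and the SonicWall address ranges into CIDR blocks, reports every selector pair present on only one side, and checks whether a given packet would select the crypto map at all. The ACL text and the SonicWall ranges are copied from the post above; the two sample hosts (10.3.2.50 and 10.0.2.50, talking to 192.168.0.10) are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Copied from the post above (public IPs were already removed by the asker).
CISCO_CRYPTO_ACL = [
    # ip access-list extended VPN-To-SonicWall
    "permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255",
]
SONICWALL_SOURCE = "192.168.0.0-192.168.1.255"
SONICWALL_DESTINATION = "10.3.0.0-10.3.7.255"


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Convert a Cisco 'address wildcard' pair into a CIDR network.

    A Cisco wildcard is an inverted netmask, which ipaddress accepts as a
    'hostmask'. The one ambiguity is 0.0.0.0: Cisco means a single host,
    ipaddress would read it as /0, so it is special-cased. Non-contiguous
    wildcards have no CIDR equivalent and make ipaddress raise ValueError.
    """
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_ace(ace: str) -> Tuple[Net, Net]:
    """Parse 'permit ip <src> <dst>' into (local, remote) networks.

    Handles the three address forms of an extended ACL entry:
    'any', 'host A.B.C.D' and 'A.B.C.D W.W.W.W'.
    """
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries are handled: {ace!r}")
    tokens, nets = tokens[2:], []
    while tokens:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        elif tokens[0] == "host":
            nets.append(ipaddress.ip_network(f"{tokens[1]}/32"))
            tokens = tokens[2:]
        else:
            nets.append(wildcard_to_network(tokens[0], tokens[1]))
            tokens = tokens[2:]
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination: {ace!r}")
    return nets[0], nets[1]


def range_to_networks(rng: str) -> List[Net]:
    """Convert a SonicWall 'first-last' address range into CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def compare_proxy_ids(acl: List[str], peer_source: str,
                      peer_destination: str) -> Dict[str, List[str]]:
    """Report selector pairs present on only one side of the tunnel.

    Seen from the Cisco (the responder in the debug), the peer's source is
    the Cisco ACL's destination and the peer's destination is the Cisco
    ACL's source. IOS wants the pair to match exactly, not merely overlap.
    """
    cisco = {parse_ace(a) for a in acl}
    peer = {(loc, rem)
            for loc in range_to_networks(peer_destination)
            for rem in range_to_networks(peer_source)}

    def fmt(pairs):
        return sorted(f"{loc} -> {rem}" for loc, rem in pairs)

    return {"cisco_only": fmt(cisco - peer), "peer_only": fmt(peer - cisco)}


def flow_matches_acl(acl: List[str], src: str, dst: str) -> bool:
    """Would a packet from src to dst select the crypto map at all?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in loc and d in rem for loc, rem in map(parse_ace, acl))


if __name__ == "__main__":
    result = compare_proxy_ids(CISCO_CRYPTO_ACL, SONICWALL_SOURCE, SONICWALL_DESTINATION)
    for side, pairs in result.items():
        for pair in pairs:
            print(f"{side}: {pair}")
    # Constructed hosts: one inside the 10.3.0.0/21 LAN the SonicWall
    # expects, one inside the 10.0.0.0/21 the Cisco ACL actually names.
    for src in ("10.3.2.50", "10.0.2.50"):
        print(f"{src} -> 192.168.0.10 selects crypto map:",
              flow_matches_acl(CISCO_CRYPTO_ACL, src, "192.168.0.10"))
```

Run on the page's own data, the Cisco side offers 10.0.0.0/21 -> 192.168.0.0/23 while the peer proposes 10.3.0.0/21 -> 192.168.0.0/23, and a host in 10.3.0.0/21 does not select the crypto map at all; both selectors must agree bit-for-bit before IOS will accept the Quick Mode proposal.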

INSL (ASKER)

One more thing: I noticed the access-list on the Cisco does not ever receive any hits. I don't know if I should see hits before or after Phase 2 completes.
Istvan Kalmar
could you show the configs?
INSL (ASKER)

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rda-2821
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 *******
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
!
aaa session-id common
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip domain name rdadvocate.com
ip inspect name RDA-FW tcp
ip inspect name RDA-FW udp
ip inspect name RDA-FW dns
ip inspect name RDA-FW ftp
ip inspect name RDA-FW pptp
ip inspect name RDA-FW ssh
ip inspect name RDA-FW icmp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
async-bootp dns-server 10.3.2.119
async-bootp nbns-server 10.3.2.119
vpdn enable
!
vpdn-group PPTP
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address ********
crypto isakmp key ******** address ********
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map RDA-VPN 10 ipsec-isakmp
 set peer ********
 set transform-set ESP-3DES-SHA
 match address VPN-To-A
crypto map RDA-VPN 20 ipsec-isakmp
 set peer ********
 set transform-set ESP-3DES-SHA
 match address VPN-To-B
!
archive
 log config
  hidekeys
!
!
track timer interface 5
!
track 1 ip sla 1 reachability
 delay down 5 up 3
!
!
!
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.0
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.9.200.2 255.255.255.0 secondary
 ip address 10.3.0.7 255.255.248.0 secondary
 ip address 10.3.0.8 255.255.248.0 secondary
 ip address 204.209.13.1 255.255.255.0 secondary
 ip address 75.154.132.1 255.255.255.0 secondary
 ip address 10.3.0.1 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ISP1
 ip address dhcp
 ip access-group OutSide-Access-In in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect RDA-FW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description IPS2
 ip address ********
 ip access-group OutSide-Access-In in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect RDA-FW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map RDA-VPN
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool VPDN-Pool
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2 chap pap
!
ip local pool VPDN-Pool 10.255.255.100 10.255.255.199
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1/0 ******** track 1
ip route 192.9.200.0 255.255.255.0 GigabitEthernet0/0 192.9.200.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 10
ip http server
no ip http secure-server
!
!
ip nat translation timeout 300
ip nat inside source route-map NAT-Fa0/1/0 interface FastEthernet0/1/0 overload
ip nat inside source route-map NAT-Gig0/1 interface GigabitEthernet0/1 overload
!
ip access-list extended NAT-Access
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 192.9.200.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 192.9.0.0 0.0.255.255 any
ip access-list extended OutSide-Access-In
 permit udp any any eq bootpc
 permit esp any any
 permit udp any any eq isakmp
 permit tcp any any eq 22
 permit tcp any any eq 1723
 permit gre any any
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any any eq telnet
 permit tcp any any eq 407
 permit tcp any any eq 1417
 permit tcp any any eq 1418
 permit tcp any any eq 1419
 permit tcp any any eq 1420
 permit tcp any any eq 548
 permit tcp any any eq 9100
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit tcp any any eq 8080
ip access-list extended VPN-To-A
 permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255
ip access-list extended VPN-To-B
 permit ip 10.3.0.0 0.0.7.255 10.3.10.0 0.0.0.255
 permit ip 192.9.200.0 0.0.0.255 10.3.10.0 0.0.0.255
!
ip sla 1
 icmp-echo ******** source-interface FastEthernet0/1/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
no cdp run

!
!
!
!
route-map NAT-Gig0/1 permit 10
 description ISP1
 match ip address NAT-Access
 match interface GigabitEthernet0/1
!
route-map NAT-Fa0/1/0 permit 10
 description NAT2
 match ip address NAT-Access
 match interface FastEthernet0/1/0
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
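In the running config above the crypto map RDA-VPN and the NAT overload route-map NAT-Fa0/1/0 share FastEthernet0/1/0. IOS translates inside-to-outside traffic before it consults the crypto map, so the NAT ACL must deny the VPN-protected traffic before any permit that would otherwise translate it; a translated source address would no longer match the crypto ACL. The Python below is an added example, not part of the posted config or of IOS: it models IOS first-match ACL evaluation over the NAT-Access entries transcribed from the config (wildcard masks converted to prefix lengths by hand) and checks statically that a protected pair of subnets is covered by a deny before any overlapping permit. The mis-ordered list BAD_ORDER and the sample hosts are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
# (action, source, destination), in the order written on the router.
# IOS evaluates an extended ACL top-down, stops at the first match, and
# applies an implicit "deny ip any any" when nothing matches.
Ace = Tuple[str, Net, Net]

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# Transcribed from "ip access-list extended NAT-Access" in the running
# config above; wildcard masks converted to prefix lengths by hand.
NAT_ACCESS: List[Ace] = [
    ("deny", ANY, net("10.0.0.0/8")),
    ("deny", ANY, net("172.16.0.0/12")),
    ("deny", ANY, net("192.168.0.0/16")),
    ("deny", ANY, net("192.9.200.0/24")),
    ("permit", net("10.0.0.0/8"), ANY),
    ("permit", net("192.168.0.0/16"), ANY),
    ("permit", net("192.9.0.0/16"), ANY),
]

# Constructed counterexample: the same entries with a permit placed first,
# which would translate the VPN traffic before the deny is ever reached.
BAD_ORDER: List[Ace] = [NAT_ACCESS[4]] + NAT_ACCESS[:4]


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """Return the first ACE matching one packet, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace[1] and d in ace[2]:
            return ace
    return None


def is_natted(acl: List[Ace], src: str, dst: str) -> bool:
    """A route-map NAT statement translates only the packets its ACL permits."""
    match = first_match(acl, src, dst)
    return match is not None and match[0] == "permit"


def vpn_traffic_exempt(acl: List[Ace], local: Net, remote: Net) -> bool:
    """Statically check that no packet from local to remote can be NATed.

    Walk the ACL in order: a deny whose selectors contain the whole pair
    settles the question; a permit that merely overlaps the pair means at
    least some protected packets would be translated, so the check fails.
    Falling off the end reaches the implicit deny, which also exempts.
    """
    for action, src, dst in acl:
        if action == "deny" and local.subnet_of(src) and remote.subnet_of(dst):
            return True
        if action == "permit" and local.overlaps(src) and remote.overlaps(dst):
            return False
    return True


if __name__ == "__main__":
    local, remote = net("10.3.0.0/21"), net("192.168.0.0/23")
    print("NAT-Access exempts VPN traffic:", vpn_traffic_exempt(NAT_ACCESS, local, remote))
    print("BAD_ORDER exempts VPN traffic:", vpn_traffic_exempt(BAD_ORDER, local, remote))
    # Constructed hosts: a LAN host to the peer's subnet vs. to the Internet
    # (203.0.113.10 is from the RFC 5737 documentation range).
    print("10.3.2.50 -> 192.168.0.10 NATed:", is_natted(NAT_ACCESS, "10.3.2.50", "192.168.0.10"))
    print("10.3.2.50 -> 203.0.113.10 NATed:", is_natted(NAT_ACCESS, "10.3.2.50", "203.0.113.10"))
```

On the posted NAT-Access list the check passes: every RFC 1918 destination is denied before the permits, so traffic to the SonicWall's 192.168.0.0/23 reaches the crypto map untranslated while Internet-bound traffic is still overloaded onto the outside interface.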

ASKER CERTIFIED SOLUTION
INSL

sandboxtech

This should be deleted. It is useless