INSL
asked on
Cisco IOS to Sonic Wall IPSEC VPN Phase 2 Fails
I administer a Cisco 2800 series router with IOS 124-22.T that I am having difficulty connecting via IPSec Tunnel to a Sonic Wall Pro3060 (Firmware: 4.0.0.2-51E) that I do not administer. Phase 2 negotiations fail as seen in the attached Debug (debug crypto isakmp). Please help!!!
*Note: Public IP addresses and security keys have been removed!
************************** ********** ********** ********** ****
Cisco Configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address [Sonic Wall WAN IP]
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map RDA-VPN 10 ipsec-isakmp
set peer [Sonic Wall WAN IP]
set transform-set ESP-3DES-SHA
match address VPN-To-SonicWall
!
ip access-list extended VPN-To-SonicWall
permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255
Router# show crypto map
Crypto Map "RDA-VPN" 10 ipsec-isakmp
Peer = [sonic wall wan ip]
Extended IP access list VPN-To-Abbotsford
access-list VPN-To-Abbotsford permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255
Current peer: [sonic wall wan ip]
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA: { esp-3des esp-sha-hmac } ,
}
************************** ********** ********** ********** ****
Sonic Wall Config from screen shots sent to me.
Source Network: 192.168.0.0-192.168.1.255
Destination Network: 10.3.0.0-10.3.7.255
IKE (Phase 1) Proposal
Exchange: Main Mode
DH Group: 2
Encryption: 3DES
Authentication: SHA1
Lifetime: 86400
IPSec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
PFS: No
DH Group: 2
Lifetime: 86400 Seconds
I have been working on this for about 2 weeks now. Note: There are other IPSec VPNs running on both the Cisco and the SonicWall; therefore we know both of these appliances work.
*Jul 20 17:04:46.740: ISAKMP (4047): received packet from [sonic wall wan ip] dport 500 sport 500 Global (R) QM_IDLE
*Jul 20 17:04:46.740: ISAKMP: set new node 1603190157 to QM_IDLE
*Jul 20 17:04:46.744: ISAKMP:(4047): processing HASH payload. message ID = 1603190157
*Jul 20 17:04:46.744: ISAKMP:(4047): processing SA payload. message ID = 1603190157
*Jul 20 17:04:46.744: ISAKMP:(4047):Checking IPSec proposal 1
*Jul 20 17:04:46.744: ISAKMP: transform 1, ESP_3DES
*Jul 20 17:04:46.744: ISAKMP: attributes in transform:
*Jul 20 17:04:46.744: ISAKMP: SA life type in seconds
*Jul 20 17:04:46.744: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 20 17:04:46.744: ISAKMP: encaps is 1 (Tunnel)
*Jul 20 17:04:46.744: ISAKMP: authenticator is HMAC-SHA
*Jul 20 17:04:46.744: ISAKMP:(4047):atts are acceptable.
*Jul 20 17:04:46.744: ISAKMP:(4047): IPSec policy invalidated proposal with error 32
*Jul 20 17:04:46.744: ISAKMP:(4047): phase 2 SA policy not acceptable! (local [cisco wan ip] remote [sonic wall wan ip])
*Jul 20 17:04:46.744: ISAKMP: set new node 1341071580 to QM_IDLE
*Jul 20 17:04:46.744: ISAKMP:(4047):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1212612576, message ID = 341071580
*Jul 20 17:04:46.744: ISAKMP:(4047): sending packet to [sonic wall wan ip] my_port 500 peer_port 500 (R) QM_IDLE
*Jul 20 17:04:46.744: ISAKMP:(4047):Sending an IKE IPv4 Packet.
*Jul 20 17:04:46.744: ISAKMP:(4047):purging node 1341071580
*Jul 20 17:04:46.748: ISAKMP:(4047):deleting node 1603190157 error TRUE reason "QM rejected"
*Jul 20 17:04:46.748: ISAKMP:(4047):Node 1603190157, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 20 17:04:46.748: ISAKMP:(4047):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 20 17:05:11.748: ISAKMP:(4045):purging node 1767607813
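The debug ends with the router rejecting the quick mode proposal ("IPSec policy invalidated proposal with error 32", then NOTIFY PROPOSAL_NOT_CHOSEN), which on IOS typically means the proxy identities the peer sent do not match the router's crypto ACL rather than a cipher mismatch. The script below is an added example (not from the thread) that takes the crypto ACL entry and the SonicWall Source/Destination ranges exactly as posted, normalises both to CIDR, and reports whether they are mirror images; it also decodes the lifetime bytes from the debug line. Everything in it is derived from values on this page; no other assumptions are made.

```python
import ipaddress
import re

# Values copied from the question: the Cisco crypto ACL entry and the
# SonicWall Source/Destination networks as transcribed from the screenshots.
CISCO_ACL_LINE = "permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255"
SONICWALL_SOURCE = "192.168.0.0-192.168.1.255"   # SonicWall local side
SONICWALL_DESTINATION = "10.3.0.0-10.3.7.255"    # SonicWall remote side (Cisco LAN)


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard-mask pair into an ip_network object."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_cisco_acl(line):
    """Return (local, remote) networks selected by a 'permit ip' crypto ACL entry."""
    m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src, src_wc, dst, dst_wc = m.groups()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def parse_range(text):
    """Convert a SonicWall 'first-last' range into one CIDR block (must be aligned)."""
    first, last = (ipaddress.IPv4Address(x) for x in text.split("-"))
    nets = list(ipaddress.summarize_address_range(first, last))
    if len(nets) != 1:
        raise ValueError(f"range {text} is not a single CIDR block")
    return nets[0]


def proxy_ids_mirror(acl_line, sw_source, sw_destination):
    """Phase 2 proxy IDs must be mirror images: Cisco source == SonicWall destination
    and Cisco destination == SonicWall source. Returns (ok, details)."""
    cisco_local, cisco_remote = parse_cisco_acl(acl_line)
    sw_local, sw_remote = parse_range(sw_source), parse_range(sw_destination)
    details = {"cisco_local": str(cisco_local), "sonicwall_remote": str(sw_remote),
               "cisco_remote": str(cisco_remote), "sonicwall_local": str(sw_local)}
    return cisco_local == sw_remote and cisco_remote == sw_local, details


def decode_lifetime(byte_str):
    """Decode the 'SA life duration (VPI)' bytes printed by debug crypto isakmp."""
    return int.from_bytes(bytes(int(b, 16) for b in byte_str.split()), "big")


if __name__ == "__main__":
    ok, d = proxy_ids_mirror(CISCO_ACL_LINE, SONICWALL_SOURCE, SONICWALL_DESTINATION)
    print("proxy IDs mirror" if ok else "proxy ID MISMATCH", d)
    print("peer lifetime:", decode_lifetime("0x0 0x1 0x51 0x80"), "seconds")
```

Run against the posted values it flags a mismatch: the ACL selects 10.0.0.0/21 on the Cisco side while the SonicWall expects 10.3.0.0/21 (the router's actual LAN), whereas the 192.168.0.0/23 side agrees and the lifetime decodes to 86400 seconds, matching both configs.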
could you show the configs?
ASKER
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rda-2821
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 *******
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
!
aaa session-id common
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip domain name rdadvocate.com
ip inspect name RDA-FW tcp
ip inspect name RDA-FW udp
ip inspect name RDA-FW dns
ip inspect name RDA-FW ftp
ip inspect name RDA-FW pptp
ip inspect name RDA-FW ssh
ip inspect name RDA-FW icmp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
async-bootp dns-server 10.3.2.119
async-bootp nbns-server 10.3.2.119
vpdn enable
!
vpdn-group PPTP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address ********
crypto isakmp key ******** address ********
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map RDA-VPN 10 ipsec-isakmp
set peer ********
set transform-set ESP-3DES-SHA
match address VPN-To-A
crypto map RDA-VPN 20 ipsec-isakmp
set peer ********
set transform-set ESP-3DES-SHA
match address VPN-To-B
!
archive
log config
hidekeys
!
!
track timer interface 5
!
track 1 ip sla 1 reachability
delay down 5 up 3
!
!
!
!
interface Loopback0
ip address 10.255.255.1 255.255.255.0
ip virtual-reassembly
!
interface GigabitEthernet0/0
description LAN
ip address 192.9.200.2 255.255.255.0 secondary
ip address 10.3.0.7 255.255.248.0 secondary
ip address 10.3.0.8 255.255.248.0 secondary
ip address 204.209.13.1 255.255.255.0 secondary
ip address 75.154.132.1 255.255.255.0 secondary
ip address 10.3.0.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ISP1
ip address dhcp
ip access-group OutSide-Access-In in
no ip redirects
no ip unreachables
ip nat outside
ip inspect RDA-FW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1/0
description IPS2
ip address ********
ip access-group OutSide-Access-In in
no ip redirects
no ip unreachables
ip nat outside
ip inspect RDA-FW out
ip virtual-reassembly
duplex auto
speed auto
crypto map RDA-VPN
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool VPDN-Pool
compress mppc
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 chap pap
!
ip local pool VPDN-Pool 10.255.255.100 10.255.255.199
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1/0 ******** track 1
ip route 192.9.200.0 255.255.255.0 GigabitEthernet0/0 192.9.200.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 10
ip http server
no ip http secure-server
!
!
ip nat translation timeout 300
ip nat inside source route-map NAT-Fa0/1/0 interface FastEthernet0/1/0 overload
ip nat inside source route-map NAT-Gig0/1 interface GigabitEthernet0/1 overload
!
ip access-list extended NAT-Access
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 192.9.200.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 192.9.0.0 0.0.255.255 any
ip access-list extended OutSide-Access-In
permit udp any any eq bootpc
permit esp any any
permit udp any any eq isakmp
permit tcp any any eq 22
permit tcp any any eq 1723
permit gre any any
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq telnet
permit tcp any any eq 407
permit tcp any any eq 1417
permit tcp any any eq 1418
permit tcp any any eq 1419
permit tcp any any eq 1420
permit tcp any any eq 548
permit tcp any any eq 9100
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp any any eq 8080
ip access-list extended VPN-To-A
permit ip 10.0.0.0 0.0.7.255 192.168.0.0 0.0.1.255
ip access-list extended VPN-To-B
permit ip 10.3.0.0 0.0.7.255 10.3.10.0 0.0.0.255
permit ip 192.9.200.0 0.0.0.255 10.3.10.0 0.0.0.255
!
ip sla 1
icmp-echo ******** source-interface FastEthernet0/1/0
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
no cdp run
!
!
!
!
route-map NAT-Gig0/1 permit 10
description ISP1
match ip address NAT-Access
match interface GigabitEthernet0/1
!
route-map NAT-Fa0/1/0 permit 10
description NAT2
match ip address NAT-Access
match interface FastEthernet0/1/0
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
!
scheduler allocate 20000 1000
end
ASKER CERTIFIED SOLUTION
This should be deleted. It is useless
ASKER