Solved

site2site UC520 to Sonicwall

Posted on 2010-11-08
4
657 Views
Last Modified: 2012-05-10
Hi Guys,

Need a bit of guidance with setting up a site2site vpn between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double checked out keys to make sure they are matching.

I have attached below the important part of the cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients with out issues.

The sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet; 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1


When i do a show crypto isakmp sa I can see the vpn state is in
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction.

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
 
crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall


crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac 
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac 
!
crypto ipsec profile NAME
 set transform-set TransSet2 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp 
 set peer [WANIP1]
 set transform-set TSET 
 match address 110

 crypto map VPN 2 ipsec-isakmp 
  set peer [WANIP3]
 set transform-set TransSet1 
 match address 107

 crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA 
 match address 116

interface Tunnel20
  ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN

Open in new window

0
Comment
Question by:Eirejp
  • 3
4 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34084314
you might review these KB articles for Cisco/Sonicwall best practices

Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5723

Also, reviewing your settings, I can't see what you've got your Life Time settings on the Cisco.  Cisco's defaults are different from the sonicwall which are 28800.  you might check there.  also, make sure your local/peer IKE ID information is blank.  i usually don't change the defaults which are IP Address for both.
0
 
LVL 1

Author Comment

by:Eirejp
ID: 34088550
Hi Digitap,

Thanks for the great links!

I will have a read and let you know.

0
 
LVL 33

Expert Comment

by:digitap
ID: 34088883
Sure...the KB from Cisco is a little dated on the OS, but I'm not sure what model of sonicwall you are using.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34126052
thanks for the points!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
home router to use as repeater  (signal extender) 10 35
Failover VPN Question Sonicwall 5 48
Setting up static routes to  sonicwll 4 73
IPSec Site to Site VPN Topology 6 43
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question