troubleshooting Question

site2site UC520 to Sonicwall

Avatar of Eirejp
EirejpFlag for Japan asked on
VPNRoutersHardware Firewalls
4 Comments1 Solution691 ViewsLast Modified:
Hi Guys,

Need a bit of guidance with setting up a site2site vpn between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double checked out keys to make sure they are matching.

I have attached below the important part of the cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients with out issues.

The sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet; 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1


When i do a show crypto isakmp sa I can see the vpn state is in
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction.

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
 
crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall


crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac 
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac 
!
crypto ipsec profile NAME
 set transform-set TransSet2 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp 
 set peer [WANIP1]
 set transform-set TSET 
 match address 110

 crypto map VPN 2 ipsec-isakmp 
  set peer [WANIP3]
 set transform-set TransSet1 
 match address 107

 crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA 
 match address 116

interface Tunnel20
  ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 4 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros