Avatar of Eirejp
Eirejp
Flag for Japan asked on

site2site UC520 to Sonicwall

Hi Guys,

Need a bit of guidance with setting up a site2site vpn between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double checked out keys to make sure they are matching.

I have attached below the important part of the cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients with out issues.

The sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet; 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1


When i do a show crypto isakmp sa I can see the vpn state is in
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction.

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
 
crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall


crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac 
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac 
!
crypto ipsec profile NAME
 set transform-set TransSet2 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp 
 set peer [WANIP1]
 set transform-set TSET 
 match address 110

 crypto map VPN 2 ipsec-isakmp 
  set peer [WANIP3]
 set transform-set TransSet1 
 match address 107

 crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA 
 match address 116

interface Tunnel20
  ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN

Open in new window

VPNRoutersHardware Firewalls

Avatar of undefined
Last Comment
digitap

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
digitap

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Eirejp

ASKER
Hi Digitap,

Thanks for the great links!

I will have a read and let you know.

digitap

Sure...the KB from Cisco is a little dated on the OS, but I'm not sure what model of sonicwall you are using.
digitap

thanks for the points!
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck