Solved

site2site UC520 to Sonicwall

Posted on 2010-11-08
653 Views
Last Modified: 2012-05-10
Hi Guys,

Need a bit of guidance with setting up a site2site VPN between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double-checked our keys to make sure they are matching.

I have attached below the important part of the Cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients without issues.

The Sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet: 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryption: 3DES
Auth: SHA1


When I do a show crypto isakmp sa I can see the VPN state is in
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction.

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall

crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac
!
crypto ipsec profile NAME
 set transform-set TransSet2
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp
 set peer [WANIP1]
 set transform-set TSET
 match address 110

crypto map VPN 2 ipsec-isakmp
 set peer [WANIP3]
 set transform-set TransSet1
 match address 107

crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA
 match address 116

interface Tunnel20
 ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN

Question by:Eirejp
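As an added example (not from the question, the accepted answer, or either vendor), the script below puts the two phase 1 proposals from this post side by side the way an IKE responder would: it parses the posted crypto isakmp policies, fills in the documented IOS defaults for anything a policy leaves unset (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400; assumed to be the classic defaults in use on the UC520's IOS), and walks the policies in priority order to find the first one whose encryption, hash, authentication and DH group all equal the Sonicwall's. Lifetime is handled separately because IOS negotiates it down to the shorter value rather than rejecting the proposal, and a small decoder explains the MM_/AG_/QM_ prefixes of the show crypto isakmp sa state column so the mode actually being attempted can be read off the router next to the mode the peer is configured for. The translation of the Sonicwall names into IOS vocabulary (3DES to 3des, SHA1 to sha, Preshared Secret to pre-share) and the sample config are constructed from the values in the question.

```python
import re

# IOS fills in these documented defaults for any 'crypto isakmp policy' parameter
# that is not configured (assumed to apply to the UC520's IOS of the era).
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}

# Constructed input: the four ISAKMP policies from the question, annotations removed.
CISCO_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""

# The Sonicwall phase 1 settings from the question in IOS vocabulary
# (3DES -> 3des, SHA1 -> sha, "IKE using Preshared Secret" -> pre-share).
SONICWALL_PHASE1 = {"exchange": "aggressive", "encr": "3des", "hash": "sha",
                    "authentication": "pre-share", "group": "2", "lifetime": "28800"}

# Attributes that must be identical for the responder to accept a policy.
STRICT_ATTRS = ("encr", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
        elif current is not None and raw.startswith(" ") and line:
            key, _, value = line.partition(" ")
            policies[current][key] = value
        else:
            current = None  # '!' or any non-indented line ends the policy block
    return policies


def match_phase1(policies, peer):
    """Emulate responder selection: policies are tried in ascending priority
    number and the first one whose strict attributes all equal the peer's wins.
    Returns (selected priority or None, {priority: [mismatch descriptions]})."""
    selected, report = None, {}
    for prio in sorted(policies):
        pol = policies[prio]
        diffs = [f"{a}: cisco={pol[a]} peer={peer[a]}"
                 for a in STRICT_ATTRS if pol[a] != peer[a]]
        report[prio] = diffs
        if not diffs and selected is None:
            selected = prio
    return selected, report


def lifetime_note(policies, prio, peer):
    """Lifetime is not a strict attribute: when the values differ the shorter
    one is used, so a difference here is negotiated rather than rejected."""
    cisco, remote = int(policies[prio]["lifetime"]), int(peer["lifetime"])
    if cisco == remote:
        return "lifetime agrees"
    return f"lifetime differs (cisco={cisco}, peer={remote}); shorter value {min(cisco, remote)} is used"


def describe_isakmp_state(state):
    """Decode the state column of 'show crypto isakmp sa' (e.g. MM_NO_STATE)."""
    prefix, _, rest = state.partition("_")
    mode = {"MM": "main mode", "AG": "aggressive mode",
            "QM": "quick mode (phase 2)"}.get(prefix, "unknown mode")
    if rest == "NO_STATE":
        detail = "ISAKMP SA created but no further exchange completed"
    elif state == "QM_IDLE":
        detail = "phase 1 complete, SA ready for phase 2"
    else:
        detail = f"negotiation in progress ({rest})"
    return f"{mode}: {detail}"


if __name__ == "__main__":
    policies = parse_isakmp_policies(CISCO_CONFIG)
    chosen, report = match_phase1(policies, SONICWALL_PHASE1)
    for prio, diffs in report.items():
        print(f"policy {prio}: {'match' if not diffs else '; '.join(diffs)}")
    if chosen is not None:
        print(f"first matching policy: {chosen}; {lifetime_note(policies, chosen, SONICWALL_PHASE1)}")
    print(f"peer exchange mode: {SONICWALL_PHASE1['exchange']}")
    print("observed SA state:", describe_isakmp_state("MM_NO_STATE"))
```

Run as a script it reports, per policy, which attributes differ from the peer. On the posted values policy 1 is already the first full match (3des, sha, pre-share, group 2) with its lifetime left at the 86400 default and negotiated down to 28800; policy 30 matches on every attribute including lifetime. That is the kind of check worth running before touching keys, because it separates the proposal attributes (which either match or do not) from the things the state column tells you about the exchange itself, namely which mode was in progress when it stalled.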
4 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34084314
You might review these KB articles for Cisco/Sonicwall best practices.

Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5723

Also, reviewing your settings, I can't see what you've got your Life Time settings set to on the Cisco. Cisco's defaults are different from the Sonicwall's, which are 28800. You might check there. Also, make sure your local/peer IKE ID information is blank. I usually don't change the defaults, which are IP Address for both.
 
LVL 1

Author Comment

by:Eirejp
ID: 34088550
Hi Digitap,

Thanks for the great links!

I will have a read and let you know.

 
LVL 33

Expert Comment

by:digitap
ID: 34088883
Sure... the KB from Cisco is a little dated on the OS, but I'm not sure what model of Sonicwall you are using.
 
LVL 33

Expert Comment

by:digitap
ID: 34126052
Thanks for the points!
