Solved

site2site UC520 to Sonicwall

Posted on 2010-11-08
Last Modified: 2012-05-10
Hi Guys,

Need a bit of guidance with setting up a site2site VPN between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double checked our keys to make sure they are matching.

I have attached below the important part of the Cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients without issues.

The Sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet: 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1


When I do a show crypto isakmp sa I can see the VPN state is in
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction.

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Set this for sonicwall
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
! Set this for sonicwall
crypto isakmp key PASS address [WANIP4]


crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac 
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac 
!
crypto ipsec profile NAME
 set transform-set TransSet2 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp 
 set peer [WANIP1]
 set transform-set TSET 
 match address 110

crypto map VPN 2 ipsec-isakmp 
 set peer [WANIP3]
 set transform-set TransSet1 
 match address 107

! Set this for sonicwall
crypto map VPN 3 ipsec-isakmp
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA 
 match address 116

interface Tunnel20
 ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN

Question by:Eirejp
Accepted Solution

by:
digitap earned 500 total points
ID: 34084314
You might review these KB articles for Cisco/Sonicwall best practices.

Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5723

Also, reviewing your settings, I can't see what you've got your Life Time settings on the Cisco. Cisco's defaults are different from the Sonicwall's, which are 28800. You might check there. Also, make sure your local/peer IKE ID information is blank. I usually don't change the defaults, which are IP Address for both.
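
The phase 1 comparison suggested in the answer above, as an added example (not part of the original thread or of either vendor's tooling): it parses the `crypto isakmp policy` blocks from the question, fills in the values IOS leaves implicit, and lists per policy which attributes differ from the Sonicwall settings. The values in `IOS_DEFAULTS` and the mapping of the Sonicwall settings to IOS keywords are assumptions.

```python
import re

# Classic IOS ISAKMP defaults (assumption; confirm with "show crypto isakmp policy").
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Policy blocks as posted in the question, annotation removed.
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""
# Sonicwall phase 1 settings from the question, in IOS keywords (mapping assumed).
SONICWALL = {"encr": "3des", "hash": "sha", "authentication": "pre-share",
             "group": "2", "lifetime": "28800"}

def parse_policies(text):
    """Return {priority: effective settings}, defaults filled in for omitted lines."""
    policies, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):  # top-level line: new policy or end of block
            m = re.match(r"crypto isakmp policy (\d+)", line)
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS)) if m else None
        elif current is not None:     # indented line inside a policy block
            key, _, value = line.strip().partition(" ")
            if key in IOS_DEFAULTS:
                current[key] = value
    return policies

def compare(policies, peer):  # attributes that differ from the peer, per policy
    return {p: sorted(k for k in peer if eff[k] != peer[k]) for p, eff in policies.items()}

print(compare(parse_policies(CONFIG), SONICWALL))
```

An empty list means every compared attribute, including the ones the policy block does not spell out, equals the peer's value.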
Author Comment

by:Eirejp
ID: 34088550
Hi Digitap,

Thanks for the great links!

I will have a read and let you know.

Expert Comment

by:digitap
ID: 34088883
Sure... the KB from Cisco is a little dated on the OS, but I'm not sure what model of Sonicwall you are using.
Expert Comment

by:digitap
ID: 34126052
Thanks for the points!