Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

site2site UC520 to Sonicwall

Posted on 2010-11-08
4
Medium Priority
?
662 Views
Last Modified: 2012-05-10
Hi Guys,

Need a bit of guidance with setting up a site2site vpn between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double checked out keys to make sure they are matching.

I have attached below the important part of the cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients with out issues.

The sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet; 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1


When i do a show crypto isakmp sa I can see the vpn state is in
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction.

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
 
crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall


crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac 
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac 
!
crypto ipsec profile NAME
 set transform-set TransSet2 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp 
 set peer [WANIP1]
 set transform-set TSET 
 match address 110

 crypto map VPN 2 ipsec-isakmp 
  set peer [WANIP3]
 set transform-set TransSet1 
 match address 107

 crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA 
 match address 116

interface Tunnel20
  ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN

Open in new window

0
Comment
Question by:Eirejp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 34084314
you might review these KB articles for Cisco/Sonicwall best practices

Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5723

Also, reviewing your settings, I can't see what you've got your Life Time settings on the Cisco.  Cisco's defaults are different from the sonicwall which are 28800.  you might check there.  also, make sure your local/peer IKE ID information is blank.  i usually don't change the defaults which are IP Address for both.
0
 
LVL 1

Author Comment

by:Eirejp
ID: 34088550
Hi Digitap,

Thanks for the great links!

I will have a read and let you know.

0
 
LVL 33

Expert Comment

by:digitap
ID: 34088883
Sure...the KB from Cisco is a little dated on the OS, but I'm not sure what model of sonicwall you are using.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34126052
thanks for the points!
0

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question