Solved

site2site UC520 to Sonicwall

Posted on 2010-11-08 | 654 Views | Last Modified: 2012-05-10
Hi Guys,

Need a bit of guidance with setting up a site2site vpn between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.

We have double checked our keys to make sure they are matching.

I have attached below the important part of the Cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients without issues.

The sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet: 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800

IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1


When I do a show crypto isakmp sa I can see the VPN state is in:
WANIP4                  [Dialer WAN IP]  MM_NO_STATE          0 ACTIVE (deleted)

It looks like a phase 1 issue but to me it looks like they match up.

Can you please help me in the right direction?

Cheers!



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall

crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac
!
crypto ipsec profile NAME
 set transform-set TransSet2
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp
 set peer [WANIP1]
 set transform-set TSET
 match address 110

crypto map VPN 2 ipsec-isakmp
 set peer [WANIP3]
 set transform-set TransSet1
 match address 107

crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA
 match address 116

interface Tunnel20
 ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN


0

Question by: Eirejp

4 Comments
Accepted Solution by digitap (LVL 33, earned 500 total points), ID: 34084314
You might review these KB articles for Cisco/Sonicwall best practices:

Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Sonicwall:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5723

Also, reviewing your settings, I can't see what you've got your Life Time settings set to on the Cisco. Cisco's defaults are different from the Sonicwall's, which are 28800. You might check there. Also, make sure your local/peer IKE ID information is blank. I usually don't change the defaults, which are IP Address for both.
0
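One check worth doing before debugging the tunnel any further is to lay the two sides' phase-1 parameters next to each other: the encryption, hash, authentication and DH group of every ISAKMP policy on the UC520 (with IOS defaults filled in for lines that are omitted, which is where an unnoticed Life Time difference hides), the 28800-second lifetime the SonicWall is set to, and the exchange mode. The state column of show crypto isakmp sa encodes that last one: an MM_ prefix such as MM_NO_STATE is a Main Mode exchange, an AM_ prefix is Aggressive Mode, and the SonicWall side is configured for Aggressive Mode. The script below is an added example, not code from the question or the answer; it parses the policy blocks from the posted UC520 config and compares them with the SonicWall settings as posted. The defaults it assumes for omitted lines (des, sha, rsa-sig, group 1, 86400 seconds) are classic IOS IKEv1 defaults and should be confirmed with show crypto isakmp policy on the device.

```python
import re

# Constructed sample: the ISAKMP policy blocks from the UC520 config pasted in the question.
IOS_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""

# Values an IOS IKEv1 policy uses when the line is omitted from the policy block
# (assumption: classic IOS defaults; confirm with "show crypto isakmp policy").
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": 86400}

# The SonicWall phase-1 settings from the question, written in IOS vocabulary:
# 3DES -> 3des, SHA1 -> sha, "IKE using Preshared Secret" -> pre-share, DH Group 2 -> 2.
SONICWALL_PHASE1 = {"encr": "3des", "hash": "sha", "authentication": "pre-share",
                    "group": "2", "lifetime": 28800, "exchange": "aggressive"}


def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: settings} for every 'crypto isakmp policy' block, defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if header:
            current = dict(IOS_DEFAULTS)
            policies[int(header.group(1))] = current
            continue
        if current is None or not raw.startswith(" "):
            current = None  # "!" or any other top-level line closes the block
            continue
        key, _, value = raw.strip().partition(" ")
        if key == "encr":
            current["encr"] = value.replace(" ", "")  # "aes 256" -> "aes256"
        elif key in ("hash", "authentication", "group"):
            current[key] = value
        elif key == "lifetime":
            current["lifetime"] = int(value)
    return policies


def proposal_mismatches(policy: dict, remote: dict) -> list:
    """Attributes that must be identical for the peer's proposal to match this policy."""
    return [f"{attr}: local {policy[attr]} vs remote {remote[attr]}"
            for attr in ("encr", "hash", "authentication", "group")
            if policy[attr] != remote[attr]]


def matching_policies(policies: dict, remote: dict) -> list:
    """Priorities whose encr/hash/auth/group match the remote side, lowest number first."""
    return [p for p, pol in sorted(policies.items()) if not proposal_mismatches(pol, remote)]


def lifetime_warnings(policies: dict, remote: dict) -> dict:
    """Matching policies whose lifetime differs from the remote side, with the local value."""
    return {p: policies[p]["lifetime"] for p in matching_policies(policies, remote)
            if policies[p]["lifetime"] != remote["lifetime"]}


def exchange_mode_from_state(sa_state: str) -> str:
    """Map the state column of 'show crypto isakmp sa' (MM_* / AM_*) to the IKE exchange mode."""
    if sa_state.startswith("MM_"):
        return "main"
    if sa_state.startswith("AM_"):
        return "aggressive"
    return "unknown"


def report(config: str, remote: dict, sa_state: str) -> dict:
    """Summarise which local policies the remote proposal can match and where the sides differ."""
    policies = parse_isakmp_policies(config)
    local_mode = exchange_mode_from_state(sa_state)
    return {
        "matching": matching_policies(policies, remote),
        "lifetime_warnings": lifetime_warnings(policies, remote),
        "local_exchange": local_mode,
        "exchange_matches": local_mode == remote["exchange"],
    }


if __name__ == "__main__":
    for name, value in report(IOS_CONFIG, SONICWALL_PHASE1, "MM_NO_STATE").items():
        print(f"{name}: {value}")
```

Run against the posted config, the report lists policies 1 and 30 as matching the SonicWall proposal on encryption, hash, authentication and group; policy 1 still carries the default lifetime while policy 30 carries the SonicWall's 28800 seconds, and the MM_NO_STATE entry shows the Cisco side in Main Mode against a peer configured for Aggressive Mode, a difference worth reconciling alongside the lifetime and IKE ID points in the answer above.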
 
Author Comment by Eirejp (LVL 1), ID: 34088550
Hi Digitap,

Thanks for the great links!

I will have a read and let you know.

0
 
Expert Comment by digitap (LVL 33), ID: 34088883
Sure... the KB from Cisco is a little dated on the OS, but I'm not sure what model of Sonicwall you are using.
0
 
Expert Comment by digitap (LVL 33), ID: 34126052
Thanks for the points!
0
