Eirejp
asked on
site2site UC520 to Sonicwall
Hi Guys,
Need a bit of guidance with setting up a site2site vpn between a Cisco UC520 and a Sonicwall. Seem to be stuck at phase 1.
We have double checked our keys to make sure they are matching.
I have attached below the important part of the Cisco config. The UC520 is running 2 IPSEC tunnels, 1 GRE IPSEC, and IPSEC clients without issues.
The Sonicwall is configured as below:
Auth Method: IKE using Preshared Secret
Sonicwall subnet: 192.168.5.0/24
Cisco subnet: 192.168.10.0/24
IKE Phase 1:
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Auth: SHA1
Life Time: 28800
IPSEC Phase 2:
Protocol: ESP
Encryp: 3DES
Auth: SHA1
When I do a show crypto isakmp sa I can see the VPN state is in:
WANIP4 [Dialer WAN IP] MM_NO_STATE 0 ACTIVE (deleted)
It looks like a phase 1 issue but to me it looks like they match up.
Can you please help me in the right direction.
Cheers!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 6 PASS address [WANIP1]
crypto isakmp key 6 PASS address [WANIP2] no-xauth
crypto isakmp key PASS address [WANIP3]
crypto isakmp key PASS address [WANIP4] <- Set this for sonicwall
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TransSet2 esp-3des esp-md5-hmac
crypto ipsec transform-set TransSet1 esp-3des esp-sha-hmac
!
crypto ipsec profile NAME
 set transform-set TransSet2
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp
 set peer [WANIP1]
 set transform-set TSET
 match address 110
crypto map VPN 2 ipsec-isakmp
 set peer [WANIP3]
 set transform-set TransSet1
 match address 107
crypto map VPN 3 ipsec-isakmp <- Set this for sonicwall
 set peer [WANIP4]
 set transform-set ESP-3DES-SHA
 match address 116
interface Tunnel20
 ip address 10.88.49.2 255.255.255.252
 ip nbar protocol-discovery
 tunnel source Dialer0
 tunnel destination [WANIP2]
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME
interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip access-group 104 in
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ####
 ppp chap password 7 ####
 ppp pap sent-username ####
 ppp ipcp dns request
 crypto map VPN
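Added example, not part of the original post and not vendor tooling: a small Python check that parses the crypto isakmp policy blocks from the config above, fills in parameters a policy omits, and lists where each policy differs from the Phase 1 settings given for the Sonicwall. The IOS default values, the SONICWALL_P1 mapping and the function names are assumptions made for this example.

```python
# Values IOS applies when a policy omits a parameter (assumed classic IOS defaults).
IOS_DEFAULTS = dict(encr="des", hash="sha", authentication="rsa-sig", group="1", lifetime="86400")
# Phase 1 settings listed for the Sonicwall in the post, written as IOS keywords.
SONICWALL_P1 = dict(encr="3des", hash="sha", authentication="pre-share", group="2", lifetime="28800")
# The four ISAKMP policies from the post, embedded so the example runs offline.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30 <- Set this for sonicwall
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""

def parse_isakmp_policies(config):
    """Return {priority: parameters}, filling omitted parameters with defaults."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.split("<-")[0].strip()      # drop the post's "<- ..." notes
        key, _, value = line.partition(" ")
        if line.startswith("crypto isakmp policy "):
            current = policies.setdefault(int(line.split()[3]), dict(IOS_DEFAULTS))
        elif current is not None and key in IOS_DEFAULTS:
            current[key] = value
        else:
            current = None                     # "!" or another command ends the block
    return policies

def differences(policies, peer):
    """Map each policy priority to the parameters that differ from the peer's."""
    return {prio: sorted(k for k in peer if params[k] != peer[k])
            for prio, params in sorted(policies.items())}
```

Calling differences(parse_isakmp_policies(SAMPLE_CONFIG), SONICWALL_P1) returns an empty list for policy 30, so under the assumed defaults the proposal parameters line up. The exchange mode is a separate setting that this check does not cover: the Sonicwall is set to Aggressive Mode, while the MM_ prefix in the Cisco state denotes Main Mode.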
Sure... the KB from Cisco is a little dated on the OS, but I'm not sure what model of Sonicwall you are using.
Thanks for the points!
ASKER
Thanks for the great links!
I will have a read and let you know.