Link to home
Create AccountLog in
Avatar of tim freese
tim freeseFlag for United States of America

asked on

NSA 240, VPN Connection Issue

we have a sonicwall nsa 240.  we are trying to enable the vpn side of the appliance.

our mobile device (iPhone) can establish a vpn connection within the office using our wlan.  however, when we try to connect from outside of the office using a public IP, we can't establish a connection.

i examined the log file and this is what the sonicwall device is reporting:

warning vpn ike ike responder:  proposed ike id mismatch [xxx.xxx.xx.xxx]

warning vpn ike ike responder:  ike proposal does not match (phase 1) [xxx.xxx.xx.xxx] - vpn policy does not existing for peer ip address [xxx.xxx.xx.xxx]

error vpn ike payload processing failed [xxx.xxx.xx.xxx]  payload type:  SA


why can i connect internally and not externally?  

any help is appreciated.   thanks.
Avatar of digitap
digitap
Flag of United States of America image

do you have other clients who are accessing the network externally via the GVC?  when your iphone connects internally, they are terminating to the WLAN group vpn.  when you try to connect externally, they are terminating to the WAN group vpn.  from the errors above, it doesn't appear you have the WAN group vpn configured.  if you do, then your iphone isn't configured to connect to the WAN group vpn.  you'll need to configure that.  here is the first section from the SW KB on setting up IPSec traffic for a WLAN...notice the last sentence.

"WiFiSec Enforcement is the ability to require that all traffic that enters into the WLAN Zone interface be either IPSec traffic, WPA traffic, or both. With WiFiSec Enforcement enabled, all non-guest wireless clients connected to SonicPoints (SonicWALL Wireless Devices) attached to an interface belonging to a Zone on which WiFiSec is enforced are required to use the strong security of IPSec. The VPN connection inherent in WiFiSec terminates at the “WLAN GroupVPN”, which you can configure independently of “WAN GroupVPN” or other Zone GroupVPN instances."

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4881



if you want your iphone to access your network externally, you'll need to enable the ssl-vpn functionality of your 240.  here is a KB explaining that with a link on the steps.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3996


let us know if you have any other questions on that.
Avatar of tim freese

ASKER

both WAN and WLAN policies are enabled and defined.

i'll take a look at the ssl-vpn but i'm not clear as to why that is necessary.

thanks.
hmmm, do you have two connection policies configured on the iphone?
yes - i have three VPN configurations:

1.  Microsoft VPN (using public IP) - works great.
2.  Sonicwall VPN (using private IP) - works great.
3.  Sonicwall public IP - doesn't work.

what sonicwall client are you using on the iphone?  how do you have .3 configured?
yes - #3 is configured on the iphone.  the server is our public IP address.  

we are using L2TP and have it enabled on the sonicwall device too.

the VPN policies on the sonicwall device for both WAN and WLAN are identical.  i checked the firewall rules for VPN > WAN and VPN > WLAN and they seem correct too.  for fun, i added a new firewall rule with my phone's mac address that didn't seem to fix it either (i also tried the public IP address).

other than the server's IP address, the settings are the same on the iphone for the sonicwall VPN (internal vs external).
did the iphone external sonicwall vpn connect ever connect successfully?  did you recently update the iphone.  here are a couple more KBs.

configuring l2tp on iphone:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6579

connecting to l2tp on iphone fails after OS upgrade:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8260
thanks - i used these docs to setup the iphone initially.  there is another doc that i followed to configure the vpn on the sonicwall device using l2tp.



i acquired a netbook - i'll see if a standard windows machine can connect to the sonicwall.  i'll try to rule out the iphone.
ASKER CERTIFIED SOLUTION
Avatar of digitap
digitap
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
same thing...
fair enough, digitap... thanks for the help.
sure.  let us know how the ssl-vpn config goes or if you have any questions.
i got the SSLVPN to work; however, the VNC viewer needs java.  something i can't get mobile devices to run!

any way, i'll accept your solution (sslvpn) as it establishes a VPN connection and the VNC viewer works great with a desktop environment.  i still can't fathom why i can get a vpn connection within the wlan but not with the lan... very frustrating.

the iPhone works great within the MS environment - i can't get Android phones to use VPN within the sonicwall device as it won't run java applets.  the android phone won't establish a vpn connection within our MS box (has to do with the encryption).
yes, i just did a review of that and see challenges with the android.  sorry about that.  i don't know why the l2tp isn't working, sorry about that too.

did you see this for the android?

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8559
by the way, thanks for the points!
you're welcome... i'll look at the android document - i wasn't aware of it.

thanks again for the help - have a good one.