• Status: Solved

Sonicwall to Sonicwall VPN

Hey guys.

I have a network that has 2 locations.

Location 1: 198.176.10.x

Location 2: 10.100.102.x

Sonicwalls at both locations. I have configured a VPN and the tunnel successfully connects. I am able to ping IPs over the VPN from each location, respectively.

However, data will not transfer over the network. I can't browse to anything via IP or UNC.

What could possibly be wrong? I will include any information requested. Thanks so much.
1 Solution
 
digitapCommented:
what happens when you do? are we talking xp to 2003 server? your vpn sounds solid.
 
tamaneriAuthor Commented:
Actually, now that I take a closer look, the logs have the following:

1  03/03/2011 16:15:20.064  Error    VPN IKE  Payload processing failed  68.236.208.20, 500  75.99.107.170, 500  Payload Type: SA
2  03/03/2011 16:15:20.064  Warning  VPN IKE  IKE Responder: IKE proposal does not match (Phase 1)  68.236.208.20, 500  75.99.107.170, 500  VPN Policy:
3  03/03/2011 16:15:20.064  Warning  VPN IKE  IKE Responder: Proposed IKE ID mismatch  68.236.208.20, 500  75.99.107.170, 500  VPN policy does not exist for peer IP address: 68.236.208.20
4  03/03/2011 16:15:20.064  Info     VPN IKE  IKE Responder: Received Main Mode request (Phase 1)  68.236.208.20, 500  75.99.107.170, 500
5  03/03/2011 16:15:10.016  Error    VPN IKE  Payload processing failed  68.236.208.20, 500  75.99.107.170, 500  Payload Type: SA
6  03/03/2011 16:15:10.016  Warning  VPN IKE  IKE Responder: IKE proposal does not match (Phase 1)  68.236.208.20, 500  75.99.107.170, 500  VPN Policy:
7  03/03/2011 16:15:10.016  Warning  VPN IKE  IKE Responder: Proposed IKE ID mismatch  68.236.208.20, 500  75.99.107.170, 500  VPN policy does not exist for peer IP address: 68.236.208.20
8  03/03/2011 16:15:10.016  Info     VPN IKE  IKE Responder: Received Main Mode request (Phase 1)  68.236.208.20, 500  75.99.107.170, 500


On the other Sonicwall:


3  03/03/2011 13:13:20.272  Info  VPN IKE  IKE negotiation complete. Adding IPSec SA. (Phase 2)  67.151.199.98, 500  75.99.107.170, 500  VPN Policy: durkinramsey; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0x5b3a65d2; outSPI:0x5c2eed2f
4  03/03/2011 13:13:20.272  Info  VPN IKE  IKE Initiator: Accepting IPSec proposal (Phase 2)  67.151.199.98, 500  75.99.107.170, 500  VPN Policy: durkinramsey; Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0
5  03/03/2011 13:13:20.240  Info  VPN IKE  IKE Initiator: Start Quick Mode (Phase 2).  67.151.199.98, 500  75.99.107.170, 500  VPN Policy: durkinramsey
6  03/03/2011 13:13:20.240  Info  VPN IKE  IKE Initiator: Main Mode complete (Phase 1)  67.151.199.98, 500  75.99.107.170, 500  VPN Policy: durkinramsey; 3DES; SHA1; DH Group 2; lifetime=28800 secs
7  03/03/2011 13:13:20.128  Info  VPN IKE  IKE Initiator: Start Main Mode negotiation (Phase 1)  67.151.199.98, 500  75.99.107.170, 500  VPN Policy: durkinramsey
 
tamaneriAuthor Commented:
Do you see any discrepancies there?
 
tamaneriAuthor Commented:
I don't understand the "source" of the errors.... I don't recognize the IP at all.

The IPs for each site are: 67.151.199.98 and 75.99.107.170

 
tamaneriAuthor Commented:
P.S. Not able to ping. I was able to ping because we have a Point-to-Point T1 connected between the 2 sites. I have it disconnected until I can get this VPN working. Long story.

Any help would be appreciated to get this VPN connecting successfully.
 
digitapCommented:
you're failing in the phase one negotiation. review the IKE IDs and make sure they match. also, review the following KB for additional troubleshooting.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7565

not being able to see your settings, i can only give you general areas to look at.  however, your log above says, "IKE Responder: IKE proposal does not match (Phase 1)  IKE Responder: Proposed IKE ID mismatch"

i'm not sure about the additional public IP address showing up.
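An added example, not part of the thread and not SonicWall tooling: a short Python triage script that reads the two log excerpts posted above and pulls out what digitap is pointing at, the Phase 1 proposal/ID mismatches on the responder side and the address that no VPN policy covers. The rows in SITE_B_LOG and SITE_A_LOG are constructed copies of the ones quoted in the question (whitespace collapsed); CONFIGURED_PEERS is an assumption taken from the two site IPs the poster names (67.151.199.98 and 75.99.107.170).

```python
"""Triage SonicWall 'VPN IKE' log rows from both ends of a site-to-site tunnel.

Added example for this thread, not code from the original post or from
SonicWall.  SITE_B_LOG / SITE_A_LOG are constructed copies of the rows the
poster quoted; CONFIGURED_PEERS is an assumption based on the two public
IPs named in the thread.
"""
import ipaddress
import re

# One log-viewer row: seq, timestamp, severity, "VPN IKE", message,
# "src, port", "dst, port", optional detail.  The message column itself
# contains spaces, so the pattern anchors on the two "ip, port" columns.
ROW_RE = re.compile(
    r"^\s*\d+\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<sev>Error|Warning|Info)\s+VPN IKE\s+"
    r"(?P<msg>.+?)\s+"
    r"(?P<src>\d+(?:\.\d+){3}), \d+\s+"
    r"(?P<dst>\d+(?:\.\d+){3}), \d+"
    r"\s*(?P<detail>.*?)\s*$"
)
# Phase 2 detail column: "Local network a.b.c.d / mask; Remote network a.b.c.d/mask"
NET_RE = re.compile(
    r"Local network (?P<ln>[\d.]+)\s*/\s*(?P<lm>[\d.]+); "
    r"Remote network (?P<rn>[\d.]+)\s*/\s*(?P<rm>[\d.]+)"
)
NO_POLICY_RE = re.compile(r"VPN policy does not exist for peer IP address: ([\d.]+)")

# Assumption: the WAN addresses of the two SonicWalls that should be talking.
CONFIGURED_PEERS = {"67.151.199.98", "75.99.107.170"}

# Constructed copies of the rows quoted in the thread (whitespace collapsed).
SITE_B_LOG = """\
1 03/03/2011 16:15:20.064 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
2 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
3 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
4 03/03/2011 16:15:20.064 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500
"""
SITE_A_LOG = """\
3 03/03/2011 13:13:20.272 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0x5b3a65d2; outSPI:0x5c2eed2f
4 03/03/2011 13:13:20.272 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0
6 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey;3DES; SHA1; DH Group 2; lifetime=28800 secs
"""


def parse_rows(text):
    """Return the rows of a pasted log excerpt as dicts; skip anything else."""
    return [m.groupdict() for m in (ROW_RE.match(l) for l in text.splitlines()) if m]


def triage(text, configured_peers=CONFIGURED_PEERS):
    """Summarise what an IKE log excerpt says about the tunnel.

    unknown_peers      - addresses talking IKE to us that are not configured peers
    phase1_failed      - a Phase 1 proposal or IKE ID mismatch was logged
    phase2_established - an IPSec SA was added, i.e. the tunnel came up
    policies           - {policy name: (local CIDR, remote CIDR)} seen in Phase 2
    """
    out = {"unknown_peers": set(), "phase1_failed": False,
           "phase2_established": False, "policies": {}}
    for r in parse_rows(text):
        msg, detail = r["msg"], r["detail"]
        out["unknown_peers"].update(ip for ip in (r["src"], r["dst"]) if ip not in configured_peers)
        m = NO_POLICY_RE.search(detail)
        if m:
            out["unknown_peers"].add(m.group(1))
        if r["sev"] != "Info" and ("(Phase 1)" in msg or "IKE ID mismatch" in msg):
            out["phase1_failed"] = True
        if msg.startswith("IKE negotiation complete. Adding IPSec SA."):
            out["phase2_established"] = True
        m = NET_RE.search(detail)
        if m:
            name = detail.split("VPN Policy: ")[1].split(";")[0]
            local = ipaddress.ip_network(f"{m['ln']}/{m['lm']}")   # dotted mask -> CIDR
            remote = ipaddress.ip_network(f"{m['rn']}/{m['rm']}")
            out["policies"][name] = (str(local), str(remote))
    return out


if __name__ == "__main__":
    for site, text in (("site B (responder)", SITE_B_LOG), ("site A (initiator)", SITE_A_LOG)):
        print(site, triage(text))
```

Run against the responder excerpt it reports phase1_failed and one unknown peer, 68.236.208.20; against the initiator excerpt it reports phase2_established with the durkinramsey policy and its two networks, which is the mismatch the thread is chasing: one side thinks the tunnel is up while the other side is rejecting Main Mode from an address it has no policy for.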
 
digitapCommented:
ok...the ping was confusing.  look through the KB and see if it sheds any light.
 
digitapCommented:
also, are they both enhanced, one enhanced one standard, both standard?
 
tamaneriAuthor Commented:
They are both standard.

Any chance I can show you the settings? I'll take snapshots of each config, just not sure if I want to post it here :P
 
digitapCommented:
no, you don't. i have particulars in my EE profile such that you can send me a non-admin login or you can email me the settings.
 
tamaneriAuthor Commented:
I will shoot you an email. Taking screenshots this moment.
 
digitapCommented:
here is a KB for setting up the site to site on standard. this might be easier.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5670
 
tamaneriAuthor Commented:
Okay maybe they are enhanced then. How can I find out? I just shot you an email over to your gmail.
 
digitapCommented:
OK...looking at the screenshot i attached, it appears the Unique Firewall ID matched the VPN policy on the same sonicwall. the name of the VPN policy needs to match the Firewall ID of the sonicwall you are connecting with. it should be passing traffic now.
[attachment: greenshot-2011-03-03-16-00-36.jpg]
 
digitapCommented:
no, let's leave everything the way it is.
 
digitapCommented:
OK...reviewing screenshots, it appears that your local destination was set to an address object that you created. i typically use LAN subnets, as this can change and i don't have to modify my vpn policies.

also, your destination network address object was configured for the LAN zone. this needed to be the vpn zone.

you should be passing traffic now.
 
tamaneriAuthor Commented:
Sorry my friend, still no traffic :(
 
digitapCommented:
double-check the gateway of the workstation. i can ping each sonicwall from the other sonicwall, so the vpn is up and is passing traffic.  please confirm.
 
digitapCommented:
i was thinking this morning about a new private subnet that i needed for a sonicwall and realized that your subnet 198.176.10.0/24 is not a private subnet. i think that might be why you're getting routing issues.

what i'd recommend is that you place the t1 router off an interface of your sonicwall leaving it at 198.176.10.0/24 and putting it on a separate interface on the sonicwall and putting your subnet back to 192.168.1.0/24.
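An added example, not part of the thread: a small Python check of the point digitap makes above, that 198.176.10.0/24 is not RFC 1918 private space. It takes the local and remote networks exactly as the IKE log prints them (CIDR or dotted netmask), reports any that are public address space, any overlap between the two, and, optionally, whether the tunnel endpoints are globally routable and stay outside both protected networks. The networks and peer addresses used in the usage line are the ones quoted in the thread; the function name is mine.

```python
"""Sanity checks on the networks behind a site-to-site VPN policy.

Added example for this thread, not code from the original post or from
SonicWall.  check_policy_networks() is a hypothetical helper; the inputs
used at the bottom are the subnets and WAN addresses quoted in the thread.
"""
import ipaddress


def check_policy_networks(local, remote, peer_wan_ips=()):
    """Return a list of problems with a VPN policy's local/remote networks.

    local, remote: "a.b.c.d/len" or "a.b.c.d/mask" as printed in the IKE log.
    peer_wan_ips:  public endpoint addresses of the tunnel (optional).
    An empty list means nothing obviously wrong with the addressing.
    """
    issues = []
    nets = {"local": ipaddress.ip_network(local, strict=False),
            "remote": ipaddress.ip_network(remote, strict=False)}

    # RFC 1918 space (10/8, 172.16/12, 192.168/16) is what a LAN behind a
    # NAT firewall is expected to use; anything else collides with a range
    # that is routable on the Internet.
    for label, net in nets.items():
        if not net.is_private:
            issues.append(f"{label} network {net} is not private (RFC 1918) address space")

    # The firewall selects the tunnel by destination subnet, so the two
    # sides must not share addresses.
    if nets["local"].overlaps(nets["remote"]):
        issues.append(f"local {nets['local']} and remote {nets['remote']} overlap")

    # Tunnel endpoints must be reachable from the Internet and must not sit
    # inside a network the tunnel is supposed to carry.
    for ip in peer_wan_ips:
        addr = ipaddress.ip_address(ip)
        if not addr.is_global:
            issues.append(f"peer address {addr} is not globally routable")
        for label, net in nets.items():
            if addr in net:
                issues.append(f"peer address {addr} falls inside the {label} network {net}")
    return issues


if __name__ == "__main__":
    peers = ["67.151.199.98", "75.99.107.170"]
    # As originally configured (from the Phase 2 log line above).
    for issue in check_policy_networks("198.176.10.0/255.255.255.0", "10.100.102.0/24", peers):
        print("before:", issue)
    # After moving the site back to 192.168.1.0/24 as suggested.
    print("after:", check_policy_networks("192.168.1.0/24", "10.100.102.0/24", peers))
```

With the original networks the only finding is that 198.176.10.0/24 is public space; with 192.168.1.0/24 in its place the list is empty. The overlap check is there because it is the other common reason a tunnel that negotiates fine still passes no traffic.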
 
tamaneriAuthor Commented:
Hey my friend,

I did precisely that and got rid of the 10.100.102.0 network. I modified it back to 192.168.1.0.... everything is working great now.

When we do switch over to the new T1 point-to-point, I will modify the router to be on the same network. We have our own separate internet connection here, so I need the gateway to still be the firewall. I think as long as I have a connection to the other building through the point-to-point, I will be fine. I already have the majority of things I need mapped via the hosts file.

THANK YOU FOR ALL OF YOUR HELP!
 
digitapCommented:
i'd still put the t1 router on the sonicwall, keeping its current IP address. let the sonicwall route. then, configure the route to the t1 router to disable if the t1 router goes down. this will allow the vpn to act as failover.
 
tamaneriAuthor Commented:
Great idea. It would be a good idea to keep the VPN configured as a fail-over. I will do just that.

Awarding you points!
 
digitapCommented:
glad i could help and thanks for the points!