Solved: Sonicwall to Sonicwall VPN

Posted on 2011-03-03. Last Modified: 2012-08-13
Hey guys.

I have a network that has 2 locations.

Location 1: 198.176.10.x

Location 2: 10.100.102.x

Sonicwalls at both locations. I have configured a VPN and the tunnel successfully connects. I am able to ping IPs over the VPN from each location, respectively.

However, data will not transfer over the network. I can't browse to anything via IP or UNC.

What could possibly be wrong? I will include any information requested. Thanks so much.
Question by: tamaneri

23 Comments

Expert Comment by digitap (LVL 33):
what happens when you do? are we talking xp to 2003 server? your vpn sounds solid.

Author Comment by tamaneri (LVL 3):

Actually, now that I take a closer look, the logs have the following:

1            03/03/2011 16:15:20.064      Error      VPN IKE      Payload processing failed      68.236.208.20, 500      75.99.107.170, 500      Payload Type: SA      
2            03/03/2011 16:15:20.064      Warning      VPN IKE      IKE Responder: IKE proposal does not match (Phase 1)      68.236.208.20, 500      75.99.107.170, 500      VPN Policy:      
3            03/03/2011 16:15:20.064      Warning      VPN IKE      IKE Responder: Proposed IKE ID mismatch      68.236.208.20, 500      75.99.107.170, 500      VPN policy does not exist for peer IP address: 68.236.208.20      
4            03/03/2011 16:15:20.064      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      68.236.208.20, 500      75.99.107.170, 500            
5            03/03/2011 16:15:10.016      Error      VPN IKE      Payload processing failed      68.236.208.20, 500      75.99.107.170, 500      Payload Type: SA      
6            03/03/2011 16:15:10.016      Warning      VPN IKE      IKE Responder: IKE proposal does not match (Phase 1)      68.236.208.20, 500      75.99.107.170, 500      VPN Policy:      
7            03/03/2011 16:15:10.016      Warning      VPN IKE      IKE Responder: Proposed IKE ID mismatch      68.236.208.20, 500      75.99.107.170, 500      VPN policy does not exist for peer IP address: 68.236.208.20      
8            03/03/2011 16:15:10.016      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      68.236.208.20, 500      75.99.107.170, 500      


On the other Sonicwall:


3 03/03/2011 13:13:20.272 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0x5b3a65d2; outSPI:0x5c2eed2f  
4 03/03/2011 13:13:20.272 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0  
5 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey  
6 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey;3DES; SHA1; DH Group 2; lifetime=28800 secs  
7 03/03/2011 13:13:20.128 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey

Author Comment by tamaneri (LVL 3):

Do you see any discrepancies there?

Author Comment by tamaneri (LVL 3):

I don't understand the "source" of the errors.... I don't recognize the IP at all.

The IPs for each site are: 67.151.199.98 and 75.99.107.170


Author Comment by tamaneri (LVL 3):

P.S. Not able to ping. I was able to ping because we have a Point-to-Point T1 connected between the 2 sites. I have it disconnected until I can get this VPN working. Long story.

Any help would be appreciated to get this VPN connecting successfully.

Expert Comment by digitap (LVL 33):

you're failing in the phase one negotiation. review the IKE IDs and make sure they match. also, review the following KB for additional troubleshooting.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7565

not being able to see your settings, i can only give you general areas to look at. however, your log above says, "IKE Responder: IKE proposal does not match (Phase 1)  IKE Responder: Proposed IKE ID mismatch"

i'm not sure about the additional public IP address showing up.
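As an added illustration (not part of the thread, and not SonicWall's own tooling), the script below parses the "VPN IKE" log lines quoted earlier in the question and does the triage digitap describes by hand: it counts Phase 1 failures by reason, pulls out the peer address the firewall says it has no policy for, and flags any address that is not one of the two site IPs the asker listed. The expected-peer set and the field layout assumed by the regex are taken from the lines as they appear in this thread; other SonicWall firmware versions may lay the columns out differently.

```python
import re
from dataclasses import dataclass

# Sample input copied from the question: the responder-side log (where Phase 1 fails)
# and three lines of the initiator-side log from the other SonicWall (where it succeeds).
RESPONDER_LOG = """\
1 03/03/2011 16:15:20.064 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
2 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
3 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
4 03/03/2011 16:15:20.064 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500
5 03/03/2011 16:15:10.016 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
6 03/03/2011 16:15:10.016 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
7 03/03/2011 16:15:10.016 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
8 03/03/2011 16:15:10.016 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500
"""

INITIATOR_LOG = """\
3 03/03/2011 13:13:20.272 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0x5b3a65d2; outSPI:0x5c2eed2f
6 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey;3DES; SHA1; DH Group 2; lifetime=28800 secs
7 03/03/2011 13:13:20.128 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey
"""

# The two site WAN addresses the asker listed; anything else in the IKE log is unexpected.
EXPECTED_PEERS = {"67.151.199.98", "75.99.107.170"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed column order (from the quoted lines): index, timestamp, severity, "VPN IKE",
# message, "src, port", "dst, port", optional detail text.
LINE_RE = re.compile(
    r"^\d+\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<sev>\w+)\s+VPN IKE\s+"
    r"(?P<msg>.*?)\s+"
    rf"(?P<src>{IPV4}), (?P<sport>\d+)\s+"
    rf"(?P<dst>{IPV4}), (?P<dport>\d+)"
    r"\s*(?P<detail>.*)$"
)
NO_POLICY_RE = re.compile(rf"peer IP address: ({IPV4})")

# Message fragments that mean Phase 1 (Main Mode) was rejected, and the label we report.
PHASE1_FAILURES = {
    "IKE proposal does not match (Phase 1)": "phase1-proposal-mismatch",
    "Proposed IKE ID mismatch": "phase1-id-mismatch",
}


@dataclass
class IkeEvent:
    ts: str
    severity: str
    message: str
    src: str
    dst: str
    detail: str


def parse_ike_log(text):
    """Parse SonicWall 'VPN IKE' log lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(IkeEvent(m["ts"], m["sev"], m["msg"], m["src"], m["dst"], m["detail"].strip()))
    return events


def triage(events, expected_peers):
    """Summarise why a tunnel is not coming up: Phase 1 reasons, unknown peers, missing policies."""
    unexpected, no_policy, failures, phase2_complete = set(), set(), {}, False
    for e in events:
        for addr in (e.src, e.dst):
            if addr not in expected_peers:
                unexpected.add(addr)
        for needle, label in PHASE1_FAILURES.items():
            if needle in e.message:
                failures[label] = failures.get(label, 0) + 1
        m = NO_POLICY_RE.search(e.detail)
        if m:
            no_policy.add(m.group(1))
        if "Adding IPSec SA" in e.message:  # Phase 2 finished, so the SA exists
            phase2_complete = True
    return {
        "unexpected_peers": sorted(unexpected),
        "no_policy_for": sorted(no_policy),
        "phase1_failures": failures,
        "phase2_complete": phase2_complete,
    }


if __name__ == "__main__":
    for name, log in (("responder", RESPONDER_LOG), ("initiator", INITIATOR_LOG)):
        print(name, triage(parse_ike_log(log), EXPECTED_PEERS))
```

Run against the responder log, the result says Phase 2 never completed, both Phase 1 reasons fired twice, and the only peer without a policy (68.236.208.20) is also the one address that is not a known site IP, which is exactly the puzzle the asker raised; the initiator log yields no failures and a completed Phase 2.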

Expert Comment by digitap (LVL 33):

ok...the ping was confusing.  look through the KB and see if it sheds any light.

Expert Comment by digitap (LVL 33):

also, are they both enhanced, one enhanced one standard, both standard?

Author Comment by tamaneri (LVL 3):

They are both standard.

Any chance I can show you the settings? I'll take snapshots of each config, just not sure if i want to post it here :P



Expert Comment by digitap (LVL 33):

no, you don't. i have particulars in my EE profile such that you can send me a non-admin login or you can email me the settings.

Author Comment by tamaneri (LVL 3):

I will shoot you an email. Taking screenshots this moment.

Expert Comment by digitap (LVL 33):

here is a KB for setting up the site to site on standard. this might be easier.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5670

Author Comment by tamaneri (LVL 3):

Okay maybe they are enhanced then. How can I find out? I just shot you an email over to your gmail.

Expert Comment by digitap (LVL 33):

OK...looking at the screen shot i attached, it appears the Unique Firewall ID matched the VPN policy on the same sonicwall. the name of the VPN policy needs to match the Firewall ID of the sonicwall you are connecting with. it should be passing traffic now.
Attachment: greenshot-2011-03-03-16-00-36.jpg

Expert Comment by digitap (LVL 33):

no, let's leave everything the way it is.

Expert Comment by digitap (LVL 33):

OK...reviewing screen shots, it appears that your local destination was set to an address object that you created. i typically use LAN subnets as this can change and i don't have to modify my vpn policies.

also, your destination network address object was configured for the LAN zone. this needed to be the vpn zone.

you should be passing traffic now.

Author Comment by tamaneri (LVL 3):

Sorry my friend, still no traffic :(

Expert Comment by digitap (LVL 33):

double-check the gateway of the workstation. i can ping each sonicwall from the other sonicwall, so the vpn is up and is passing traffic.  please confirm.

Accepted Solution by digitap (LVL 33, earned 500 total points):

i was thinking this morning about a new private subnet that i needed for a sonicwall and realized that your subnet 198.176.10.0/24 is not a private subnet. i think that might be why you're getting routing issues.

what i'd recommend is that you place the t1 router off an interface of your sonicwall leaving it at 198.176.10.0/24 and putting it on a separate interface on the sonicwall and putting your subnet back to 192.168.1.0/24.
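To make the accepted answer's point checkable, here is an added Python audit (not from the thread or from SonicWall) that tests whether each site's LAN subnet falls inside one of the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and, going one step beyond this thread, also reports overlapping site subnets, which break site-to-site routing in the same way. The two layouts it audits are the one from the question (198.176.10.0/24 and 10.100.102.0/24) and an assumed fixed layout with 192.168.1.0/24 in place of the public range, as digitap recommended.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True when the whole network lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def audit_site_subnets(sites):
    """sites: mapping of site name -> LAN CIDR string. Returns a list of finding dicts.

    A LAN on a publicly routable range means the same addresses may exist on the
    internet, so the firewall's normal (default) route competes with the VPN policy;
    two sites sharing or overlapping a range means the firewall cannot tell local
    from remote at all.
    """
    findings = []
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in sites.items()}
    for name, net in nets.items():
        if not is_rfc1918(net):
            findings.append({
                "kind": "non_rfc1918",
                "site": name,
                "network": str(net),
                "why": "publicly routable range; traffic can follow the default route instead of the tunnel",
            })
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append({
                    "kind": "overlap",
                    "site": f"{a}/{b}",
                    "network": f"{nets[a]} and {nets[b]}",
                    "why": "overlapping LANs; no route can distinguish local from remote hosts",
                })
    return findings


# Constructed inputs: the layout from the question, and an assumed corrected layout.
ORIGINAL = {"location1": "198.176.10.0/24", "location2": "10.100.102.0/24"}
FIXED = {"location1": "192.168.1.0/24", "location2": "10.100.102.0/24"}

if __name__ == "__main__":
    for label, sites in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, audit_site_subnets(sites) or "no findings")
```

The original layout produces a single non_rfc1918 finding for 198.176.10.0/24 and the fixed layout produces none; the overlap check is there because the same symptom (tunnel up, no traffic) appears when both offices are left on the default 192.168.1.0/24.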

Author Comment by tamaneri (LVL 3):

Hey my friend,

I did precisely that and got rid of the 10.100.102.0 network. I modified it back to 192.168.1.0.... everything is working great now.

When we do switch over to the new T1 point-to-point, I will modify the router to be on the same network. We have our own separate internet connection here, so I need the gateway to still be the firewall....... I think as long as I have a connection to the other building through the point-to-point, I will be fine. I already have the majority of things I need mapped via the hosts file.


THANK YOU FOR ALL OF YOUR HELP.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Expert Comment by digitap (LVL 33):

i'd still put the t1 router on the sonicwall keeping its current IP address. let the sonicwall route. then, configure the route to the t1 router to disable if the t1 router goes down. this will allow the vpn to act as failover.

Author Comment by tamaneri (LVL 3):

Great idea. It would be a good idea to keep the VPN configured as a fail-over. I will do just that.

Awarding you points!

Expert Comment by digitap (LVL 33):

glad i could help and thanks for the points!