Solved

Sonicwall to Sonicwall VPN

Posted on 2011-03-03
Last Modified: 2012-08-13
Hey guys.

I have a network that has 2 locations.

Location 1: 198.176.10.x

Location 2: 10.100.102.x

Sonicwalls at both locations. I have configured a VPN and the tunnel successfully connects. I am able to ping IPs over the VPN from each location, respectively.

However, data will not transfer over the network. I can't browse to anything via IP or UNC.

What could possibly be wrong? I will include any information requested. Thanks so much.
Question by:tamaneri
23 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 35031219
what happens when you do? are we talking xp to 2003 server? your vpn sounds solid.
 
LVL 3

Author Comment

by:tamaneri
ID: 35031378
Actually, now that I take a closer look, the logs have the following:

1 03/03/2011 16:15:20.064 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
2 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
3 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
4 03/03/2011 16:15:20.064 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500
5 03/03/2011 16:15:10.016 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
6 03/03/2011 16:15:10.016 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
7 03/03/2011 16:15:10.016 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
8 03/03/2011 16:15:10.016 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500


On the other Sonicwall:


3 03/03/2011 13:13:20.272 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0x5b3a65d2; outSPI:0x5c2eed2f  
4 03/03/2011 13:13:20.272 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0  
5 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey  
6 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey;3DES; SHA1; DH Group 2; lifetime=28800 secs  
7 03/03/2011 13:13:20.128 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey
 
LVL 3

Author Comment

by:tamaneri
ID: 35031382
Do you see any discrepancies there?
 
LVL 3

Author Comment

by:tamaneri
ID: 35031397
I don't understand the "source" of the errors.... I don't recognize the IP at all.

The IPs for each site are: 67.151.199.98 and 75.99.107.170

 
LVL 3

Author Comment

by:tamaneri
ID: 35031474
P.S. Not able to ping. I was able to ping because we have a Point-to-Point T1 connected between the 2 sites. I have it disconnected until I can get this VPN working. Long story.

Any help would be appreciated to get this VPN connecting successfully.
 
LVL 33

Expert Comment

by:digitap
ID: 35031478
you're failing in the phase one negotiation. review the IKE id's and make sure they match. also, review the following KB for additional troubleshooting.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7565

not being able to see your settings, i can only give you general areas to look at.  however, your log above says, "IKE Responder: IKE proposal does not match (Phase 1)  IKE Responder: Proposed IKE ID mismatch"

i'm not sure about the additional public IP address showing up.
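
The triage digitap is doing by eye (Phase 1 failing, and a source address that belongs to neither site) can be scripted. The following is an added example, not code from the thread or from SonicWall: it parses the "VPN IKE" log layout quoted above and reports, per source IP, how many Warning/Error events it produced and whether it is one of the peers the VPN policies expect. The sample lines are constructed from the ones posted in the thread, and the list of expected peers is the two site addresses tamaneri gave.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the SonicWall IKE log entries quoted in this thread
# (the first four lines are the failing responder side, the last one a healthy initiator).
SAMPLE_LOG = """\
1 03/03/2011 16:15:20.064 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
2 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
3 03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
4 03/03/2011 16:15:20.064 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500
6 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey;3DES; SHA1; DH Group 2; lifetime=28800 secs
"""

# Field layout: id, date, time, level, category "VPN IKE", message, "src, port", "dst, port", detail.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<level>\w+)\s+VPN IKE\s+"
    r"(?P<msg>.+?)\s+(?P<src>\d+\.\d+\.\d+\.\d+), (?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dport>\d+)\s*(?P<detail>.*)$"
)

def parse_ike_log(text):
    """Parse SonicWall 'VPN IKE' lines into dicts; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def triage(text, expected_peers):
    """Per source IP: count Warning/Error IKE events, keep their distinct messages, and
    flag whether the source is one of the peers the VPN policies are supposed to talk to."""
    expected = {ip_address(p) for p in expected_peers}
    report = {}
    for ev in parse_ike_log(text):
        entry = report.setdefault(ev["src"], {
            "failures": 0,
            "known_peer": ip_address(ev["src"]) in expected,
            "reasons": [],
        })
        if ev["level"] in ("Warning", "Error"):
            entry["failures"] += 1
            if ev["msg"] not in entry["reasons"]:
                entry["reasons"].append(ev["msg"])
    return report
```

Running `triage(SAMPLE_LOG, ["67.151.199.98", "75.99.107.170"])` shows 68.236.208.20 with three failures and `known_peer` False, which is exactly the "I don't recognize the IP" situation: a Main Mode request from an address no policy is configured for.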
 
LVL 33

Expert Comment

by:digitap
ID: 35031483
ok...the ping was confusing.  look through the KB and see if it sheds any light.
 
LVL 33

Expert Comment

by:digitap
ID: 35031502
also, are they both enhanced, one enhanced one standard, both standard?
 
LVL 3

Author Comment

by:tamaneri
ID: 35031584
They are both standard.

Any chance I can show you the settings? I'll take snapshots of each config, just not sure if i want to post it here :P


 
LVL 33

Expert Comment

by:digitap
ID: 35031598
no, you don't. i have particulars in my EE profile such that you can send me a non-admin login or you can email me the settings.
 
LVL 3

Author Comment

by:tamaneri
ID: 35031625
I will shoot you an email. Taking screenshots this moment.
 
LVL 33

Expert Comment

by:digitap
ID: 35031627
here is a KB for setting up the site to site on standard. this might be easier.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5670
 
LVL 3

Author Comment

by:tamaneri
ID: 35031695
Okay maybe they are enhanced then. How can I find out? I just shot you an email over to your gmail.
 
LVL 33

Expert Comment

by:digitap
ID: 35031854
OK...looking at the screen shot i attached, it appears the Unique Firewall ID matched the VPN policy on the same sonicwall. the name of the VPN policy needs to match the Firewall ID of the sonicwall you are connecting with. it should be passing traffic now.
greenshot-2011-03-03-16-00-36.jpg
 
LVL 33

Expert Comment

by:digitap
ID: 35032214
no, let's leave everything the way it is.
 
LVL 33

Expert Comment

by:digitap
ID: 35032288
OK...reviewing screen shots, it appears that your local destination was set to an address object that you created. i typically use LAN subnets as this can change and i don't have to modify my vpn policies.

also, your destination network address object was configured for the LAN zone. this needed to be the vpn zone.

you should be passing traffic now.
 
LVL 3

Author Comment

by:tamaneri
ID: 35032404
Sorry my friend, still no traffic :(
 
LVL 33

Expert Comment

by:digitap
ID: 35033590
double-check the gateway of the workstation. i can ping each sonicwall from the other sonicwall, so the vpn is up and is passing traffic.  please confirm.
 
LVL 33

Accepted Solution

by:digitap (earned 500 total points)
ID: 35036250
i was thinking this morning about a new private subnet that i needed for a sonicwall and realized that your subnet 198.176.10.0/24 is not a private subnet. i think that might be why you're getting routing issues.

what i'd recommend is that you place the t1 router off an interface of your sonicwall leaving it at 198.176.10.0/24 and putting it on a separate interface on the sonicwall and putting your subnet back to 192.168.1.0/24.
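
The accepted answer turns on one check: 198.176.10.0/24 is not RFC 1918 space, so hosts have a public route to it that competes with the tunnel. As an added example (not code from the thread or from SonicWall), the block below pulls the two protected networks out of the Phase 2 line posted earlier, tolerating the "addr / mask" and "addr/mask" spacing seen in that line, and checks that both are RFC 1918 and do not overlap. The sample line is constructed from the thread's own log entry.

```python
import re
from ipaddress import ip_network

# Constructed from the Phase 2 line quoted in the thread; note the inconsistent
# "addr / mask" versus "addr/mask" spacing, which the regex tolerates.
PHASE2_LINE = (
    "4 03/03/2011 13:13:20.272 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) "
    "67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; "
    "Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0"
)

NET_RE = re.compile(r"(Local|Remote) network\s+(\d+\.\d+\.\d+\.\d+)\s*/\s*(\d+\.\d+\.\d+\.\d+)")

# The three RFC 1918 blocks; ipaddress.is_private covers more than these, so test explicitly.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def phase2_networks(line):
    """Return {"Local": IPv4Network, "Remote": IPv4Network} from a Phase 2 proposal line.
    ip_network() accepts a dotted netmask after the slash, so no manual mask conversion is needed."""
    return {side: ip_network(f"{addr}/{mask}") for side, addr, mask in NET_RE.findall(line)}

def is_rfc1918(net):
    return any(net.subnet_of(block) for block in RFC1918)

def check_site_to_site(local, remote):
    """Sanity checks on the two protected subnets of a site-to-site tunnel.
    Accepts strings or IPv4Network objects; returns a list of problem strings,
    empty when the pair looks routable across the tunnel."""
    local = ip_network(local) if isinstance(local, str) else local
    remote = ip_network(remote) if isinstance(remote, str) else remote
    problems = []
    for name, net in (("Local", local), ("Remote", remote)):
        if not is_rfc1918(net):
            problems.append(f"{name} network {net} is public address space, not RFC 1918")
    if local.overlaps(remote):
        problems.append(f"{local} and {remote} overlap; hosts cannot tell which side a destination is on")
    return problems

def audit_phase2_line(line):
    """Parse a Phase 2 proposal line and run the subnet checks on it."""
    nets = phase2_networks(line)
    return check_site_to_site(nets["Local"], nets["Remote"])
```

`audit_phase2_line(PHASE2_LINE)` flags the 198.176.10.0/24 side; re-running `check_site_to_site` with the 192.168.1.0/24 that tamaneri moved to returns no problems.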
 
LVL 3

Author Comment

by:tamaneri
ID: 35036520
Hey my friend,

I did precisely that and got rid of the 10.100.102.0 network. I modified it back to 192.168.1.0.... everything is working great now.

When we do switch over to the new T1 point-to-point, I will modify the router to be on the same network. We have our own separate internet connection here, so I need the gateway to still be the firewall....... I think as long as I have a connection to the other building through the point-to-point, I will be fine. I already have the majority of things I need mapped via the hosts file.


THANK YOU FOR ALL OF YOUR HELP.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
LVL 33

Expert Comment

by:digitap
ID: 35036551
i'd still put the t1 router on the sonicwall keeping its current IP address. let the sonicwall route. then, configure the route to the t1 router to disable if the t1 router goes down. this will allow the vpn to act as failover.
 
LVL 3

Author Comment

by:tamaneri
ID: 35038289
Great idea. It would be a good idea to keep the VPN configured as a fail-over. I will do just that.

Awarding you points!
 
LVL 33

Expert Comment

by:digitap
ID: 35038360
glad i could help and thanks for the points!