Solved

Sonicwall to Sonicwall VPN

Posted on 2011-03-03
Last Modified: 2012-08-13
Hey guys.

I have a network that has 2 locations.

Location 1: 198.176.10.x

Location 2: 10.100.102.x

Sonicwalls at both locations. I have configured a VPN and the tunnel successfully connects. I am able to ping IPs over the VPN from each location, respectively.

However, data will not transfer over the network. I can't browse to anything via IP or UNC.

What could possibly be wrong? I will include any information requested. Thanks so much.
0
Question by:tamaneri
23 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 35031219
what happens when you do? are we talking xp to 2003 server? your vpn sounds solid.
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031378
Actually, now that I take a closer look, the logs have the following:

1            03/03/2011 16:15:20.064      Error      VPN IKE      Payload processing failed      68.236.208.20, 500      75.99.107.170, 500      Payload Type: SA      
2            03/03/2011 16:15:20.064      Warning      VPN IKE      IKE Responder: IKE proposal does not match (Phase 1)      68.236.208.20, 500      75.99.107.170, 500      VPN Policy:      
3            03/03/2011 16:15:20.064      Warning      VPN IKE      IKE Responder: Proposed IKE ID mismatch      68.236.208.20, 500      75.99.107.170, 500      VPN policy does not exist for peer IP address: 68.236.208.20      
4            03/03/2011 16:15:20.064      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      68.236.208.20, 500      75.99.107.170, 500            
5            03/03/2011 16:15:10.016      Error      VPN IKE      Payload processing failed      68.236.208.20, 500      75.99.107.170, 500      Payload Type: SA      
6            03/03/2011 16:15:10.016      Warning      VPN IKE      IKE Responder: IKE proposal does not match (Phase 1)      68.236.208.20, 500      75.99.107.170, 500      VPN Policy:      
7            03/03/2011 16:15:10.016      Warning      VPN IKE      IKE Responder: Proposed IKE ID mismatch      68.236.208.20, 500      75.99.107.170, 500      VPN policy does not exist for peer IP address: 68.236.208.20      
8            03/03/2011 16:15:10.016      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      68.236.208.20, 500      75.99.107.170, 500      


On the other Sonicwall:


3 03/03/2011 13:13:20.272 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0x5b3a65d2; outSPI:0x5c2eed2f  
4 03/03/2011 13:13:20.272 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0  
5 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey  
6 03/03/2011 13:13:20.240 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey;3DES; SHA1; DH Group 2; lifetime=28800 secs  
7 03/03/2011 13:13:20.128 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031382
Do you see any discrepancies there?
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031397
I don't understand the "source" of the errors.... I don't recognize the IP at all.

The IPs for each site are: 67.151.199.98 and 75.99.107.170

0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031474
P.S. Not able to ping. I was able to ping because we have a Point-to-Point T1 connected between the 2 sites. I have it disconnected until I can get this VPN working. Long story.

Any help would be appreciated to get this VPN connecting successfully.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35031478
you're failing in the phase one negotiation. review the IKE IDs and make sure they match. also, review the following KB for additional troubleshooting.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7565

not being able to see your settings, i can only give you general areas to look at. however, your log above says, "IKE Responder: IKE proposal does not match (Phase 1)  IKE Responder: Proposed IKE ID mismatch"

i'm not sure about the additional public IP address showing up.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35031483
ok...the ping was confusing.  look through the KB and see if it sheds any light.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35031502
also, are they both enhanced, one enhanced one standard, both standard?
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031584
They are both standard.

Any chance I can show you the settings? I'll take snapshots of each config, just not sure if i want to post it here :P


0
 
LVL 33

Expert Comment

by:digitap
ID: 35031598
no, you don't. i have particulars in my EE profile such that you can send me a non-admin login or you can email me the settings.
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031625
I will shoot you an email. Taking screenshots this moment.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35031627
here is a KB for setting up the site to site on standard. this might be easier.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5670
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35031695
Okay maybe they are enhanced then. How can I find out? I just shot you an email over to your gmail.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35031854
OK...looking at the screen shot i attached, it appears the Unique Firewall ID matched the VPN policy on the same sonicwall. the name of the VPN policy needs to match the Firewall ID of the sonicwall you are connecting with. it should be passing traffic now.
greenshot-2011-03-03-16-00-36.jpg
0
 
LVL 33

Expert Comment

by:digitap
ID: 35032214
no, let's leave everything the way it is.
0
 
LVL 33

Expert Comment

by:digitap
ID: 35032288
OK...reviewing screen shots, it appears that your local destination was set to an address object that you created. i typically use LAN subnets as this can change and i don't have to modify my vpn policies.

also, your destination network address object was configured for the LAN zone. this needed to be the vpn zone.

you should be passing traffic now.
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35032404
Sorry my friend, still no traffic :(
0
 
LVL 33

Expert Comment

by:digitap
ID: 35033590
double-check the gateway of the workstation. i can ping each sonicwall from the other sonicwall, so the vpn is up and is passing traffic.  please confirm.
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 35036250
i was thinking this morning about a new private subnet that i needed for a sonicwall and realized that your subnet 198.176.10.0/24 is not a private subnet. i think that might be why you're getting routing issues.

what i'd recommend is that you place the t1 router off an interface of your sonicwall leaving it at 198.176.10.0/24 and putting it on a separate interface on the sonicwall and putting your subnet back to 192.168.1.0/24.
0
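
Added example, not part of any poster's message: a small triage script that runs over IKE log lines like the ones posted earlier in the thread. It flags IKE endpoints that are not in the configured peer list (the unrecognized 68.236.208.20) and tunnel networks that fall outside RFC 1918 space (the 198.176.10.0/24 LAN named in the accepted solution). The function name `triage` and the regexes are assumptions made for this example; the sample lines are taken from the thread with whitespace collapsed.

```python
import ipaddress
import re

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "src, port dst, port" pair as it appears in the log view.
ENDPOINTS = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}), \d+ (\d{1,3}(?:\.\d{1,3}){3}), \d+")
# "Local network a.b.c.d / m.m.m.m" from the Phase 2 proposal line.
NETWORK = re.compile(r"(Local|Remote) network ([\d.]+)\s*/\s*([\d.]+)")

# Three log lines from the thread, whitespace collapsed for this example.
SAMPLE_LOG = """\
03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
03/03/2011 16:15:20.064 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
03/03/2011 13:13:20.272 Info VPN IKE IKE Initiator: Accepting IPSec proposal (Phase 2) 67.151.199.98, 500 75.99.107.170, 500 VPN Policy: durkinramsey; Local network 198.176.10.0 / 255.255.255.0; Remote network 10.100.102.0/255.255.255.0
"""

# Peer addresses the poster lists for the two sites.
KNOWN_PEERS = ["67.151.199.98", "75.99.107.170"]


def triage(log_text, known_peers):
    """Return (unknown IKE endpoints, tunnel networks outside RFC 1918)."""
    known = {ipaddress.ip_address(p) for p in known_peers}
    unknown, public_nets = set(), set()
    for line in log_text.splitlines():
        match = ENDPOINTS.search(line)
        if match:
            for ip in map(ipaddress.ip_address, match.groups()):
                if ip not in known:
                    unknown.add(str(ip))
        for side, addr, mask in NETWORK.findall(line):
            net = ipaddress.ip_network(f"{addr}/{mask}")
            if not any(net.subnet_of(private) for private in RFC1918):
                public_nets.add((side, str(net)))
    return sorted(unknown), sorted(public_nets)


if __name__ == "__main__":
    peers, nets = triage(SAMPLE_LOG, KNOWN_PEERS)
    print("IKE endpoints not in the peer list:", peers)
    print("Tunnel networks outside RFC 1918:", nets)
```
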
 
LVL 3

Author Comment

by:tamaneri
ID: 35036520
Hey my friend,

I did precisely that and got rid of the 10.100.102.0 network. I modified it back to 192.168.1.0.... everything is working great now.

When we do switch over to the new T1 point-to-point, I will modify the router to be on the same network. We have our own separate internet connection here, so I need the gateway to still be the firewall....... I think as long as I have a connection to the other building through the point-to-point, I will be fine. I already have the majority of things I need mapped via the hosts file.


THANK YOU FOR ALL OF YOUR HELP.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
0
 
LVL 33

Expert Comment

by:digitap
ID: 35036551
i'd still put the t1 router on the sonicwall keeping its current IP address. let the sonicwall route. then, configure the route to the t1 router to disable if the t1 router goes down. this will allow the vpn to act as failover.
0
 
LVL 3

Author Comment

by:tamaneri
ID: 35038289
Great idea. It would be a good idea to keep the VPN configured as a fail-over. I will do just that.

Awarding you points!
0
 
LVL 33

Expert Comment

by:digitap
ID: 35038360
glad i could help and thanks for the points!
0


Question has a verified solution.
