Solved

Setting up Netscreen to Sonicwall VPN

Posted on 2011-04-27
19
Medium Priority
2,055 Views
Last Modified: 2012-05-11
We are trying to setup a VPN between a Netscreen NS25 and a Sonicwall TZ 210. However, I am not having luck getting any traffic to pass. Has anyone been able to setup a VPN between a Netscreen and Sonicwall?
Question by:aando
19 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35475403
What kind of VPN are you configuring on the Netscreen side? If you could provide more details, I am sure we can get this working for you. For example: does the tunnel actually connect but no traffic passes, or is the tunnel failing Phase 1/Phase 2 negotiation?

Let us know.
0
 

Author Comment

by:aando
ID: 35475449
Policy based VPN. It is failing in phase 1. Here is what the netscreen log is saying: Rejected an IKE packet on ethernet4 from 93.38.27.164:500 to 66.187.218.226:500 with cookies 7a12fba321e41ee5 and 0e59cd060121cf22 because there were no acceptable Phase 1 proposals.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35475514
On the SonicWall side, what Phase 1 proposals are configured? These need to be the same on the Juniper. Policy-based VPN is the way to go when creating tunnels between dissimilar devices, so you are on the right track. I am not too familiar with the SonicWall side of the setup, but if you get the info I can help with the Juniper end of things.
0

 

Author Comment

by:aando
ID: 35477358
Attached is the setup on the Sonicwall. I set it up to mimic a person who said they got it working with these settings.
Capture.JPG
0
 

Author Comment

by:aando
ID: 35477485
I changed the settings around in the proposal now and I'm getting: Warning VPN IKE Received packet retransmission. Drop duplicate packet

Sonicwall:
1) Main Mode
    Group 2
    3DES
    SHA1
    28800
2) ESP
    3DES
    SHA1
    3600

Netscreen:
1) pre-g2-3des-sha
2) nopfs-esp-3des-sha
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35477498
OK, when configuring the gateway (VPNs > AutoKey Advanced > Gateway > Edit),
go to the Advanced section and set your Security Level to Custom: Phase 1 proposal = pre-g2-3des-sha

And when configuring the AutoKey (VPNs > AutoKey IKE > Edit),
go to the Advanced section and again choose Custom security level as: g2-esp-3des-sha

That should make the Juniper Phase 1 and 2 proposals match the SonicWall.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35477519
You beat me to the punch. I would use g2-esp-3des-sha for the Phase 2 proposal. Also, if your Juniper does not have a static IP for its public address, you should use Aggressive mode instead of Main mode.
0
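The two comments above, and the proposal lists posted earlier, come down to one thing: every Phase 1 and Phase 2 parameter must be identical on both boxes, and the Netscreen encodes those parameters in its predefined proposal names (pre-g2-3des-sha = pre-shared key, DH group 2, 3DES, SHA1; nopfs-esp-3des-sha versus g2-esp-3des-sha differ only in whether PFS is on). The script below is an added example, not code from the thread or from either vendor: it parses those names into their fields and diffs them against the SonicWall settings as posted. The SonicWall values are constructed from the post (Main Mode, Group 2, 3DES, SHA1 / ESP, 3DES, SHA1); the PFS group on the SonicWall side is an assumption, since the post does not show it, and the lookup tables of algorithm names are my own.

```python
"""Diff a Netscreen predefined proposal name against SonicWall VPN settings.

Added example (not from the thread). Netscreen names follow the pattern
  Phase 1: <auth>-g<dh>-<enc>-<hash>        e.g. pre-g2-3des-sha
  Phase 2: <nopfs|g<dh>>-esp-<enc>-<hash>   e.g. g2-esp-3des-sha
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup tables (assumption): Netscreen short tokens -> the names
# the SonicWall UI shows. Only the algorithms common on these boxes.
ENCRYPTION = {"des": "DES", "3des": "3DES", "aes128": "AES-128",
              "aes192": "AES-192", "aes256": "AES-256"}
HASHES = {"md5": "MD5", "sha": "SHA1", "sha256": "SHA256"}
AUTH = {"pre": "preshared", "rsa": "rsa-sig", "dsa": "dsa-sig"}

P1_NAME = re.compile(r"^(pre|rsa|dsa)-g(\d+)-([a-z0-9]+)-([a-z0-9]+)$")
P2_NAME = re.compile(r"^(nopfs|g\d+)-esp-([a-z0-9]+)-([a-z0-9]+)$")


@dataclass(frozen=True)
class Phase1:
    auth: str
    dh_group: int
    encryption: str
    hash: str


@dataclass(frozen=True)
class Phase2:
    pfs_group: Optional[int]  # None means PFS disabled ("nopfs")
    encryption: str
    hash: str


def parse_netscreen_p1(name: str) -> Phase1:
    """Split a Netscreen Phase 1 proposal name into its fields."""
    m = P1_NAME.match(name.lower())
    if not m:
        raise ValueError(f"not a Netscreen Phase 1 proposal name: {name!r}")
    auth, dh, enc, hsh = m.groups()
    return Phase1(AUTH[auth], int(dh), ENCRYPTION[enc], HASHES[hsh])


def parse_netscreen_p2(name: str) -> Phase2:
    """Split a Netscreen Phase 2 proposal name into its fields."""
    m = P2_NAME.match(name.lower())
    if not m:
        raise ValueError(f"not a Netscreen Phase 2 proposal name: {name!r}")
    pfs, enc, hsh = m.groups()
    group = None if pfs == "nopfs" else int(pfs[1:])
    return Phase2(group, ENCRYPTION[enc], HASHES[hsh])


def compare(netscreen_p1: str, netscreen_p2: str,
            sonicwall_p1: Phase1, sonicwall_p2: Phase2) -> List[str]:
    """Return human-readable mismatches; an empty list means both ends agree."""
    ns1 = parse_netscreen_p1(netscreen_p1)
    ns2 = parse_netscreen_p2(netscreen_p2)
    problems = []
    for field in ("auth", "dh_group", "encryption", "hash"):
        a, b = getattr(ns1, field), getattr(sonicwall_p1, field)
        if a != b:
            problems.append(f"Phase 1 {field}: Netscreen={a} SonicWall={b}")
    for field in ("pfs_group", "encryption", "hash"):
        a, b = getattr(ns2, field), getattr(sonicwall_p2, field)
        if a != b:
            problems.append(f"Phase 2 {field}: Netscreen={a} SonicWall={b}")
    return problems


# Constructed SonicWall side from the settings posted in the thread.
# Whether PFS (Group 2) is enabled on the SonicWall is an assumption.
SONICWALL_P1 = Phase1("preshared", 2, "3DES", "SHA1")
SONICWALL_P2_PFS = Phase2(2, "3DES", "SHA1")
SONICWALL_P2_NOPFS = Phase2(None, "3DES", "SHA1")

if __name__ == "__main__":
    for p2 in ("nopfs-esp-3des-sha", "g2-esp-3des-sha"):
        print(p2, compare("pre-g2-3des-sha", p2, SONICWALL_P1, SONICWALL_P2_PFS) or "OK")
```

Lifetimes are deliberately left out of the comparison: the predefined names do not encode them, and a responder normally accepts a shorter lifetime than its own, so a 3600 versus 28800 difference is not what produces "no acceptable Phase 1 proposals". A PFS mismatch, by contrast, fails Phase 2 quietly, which is why the g2-esp-3des-sha advice above matters once Phase 1 comes up.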
 

Author Comment

by:aando
ID: 35477591
I'm getting the following on the Sonicwall logs:
IKE Initiator: Start Main Mode negotiation (Phase 1)

VPN IKE NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal VPN IKE
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35477625
Is your Juniper Netscreen configured with a public IP on its untrust/WAN interface?
0
 

Author Comment

by:aando
ID: 35477642
Yes it has a static public IP.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35477660
If the SonicWall has a static public IP as well, then this should not be an issue. I am not too familiar with the SonicWall setup, but from what I can see through a quick Google search, you might have NAT traversal enabled on the SonicWall:

http://help.mysonicwall.com/sw/eng/general/ui1/6600/VPN/NAT_Traversal.htm
0
 

Author Comment

by:aando
ID: 35477788
I disabled NAT traversal on the sonicwall.

Netscreen log:
2011-04-27 12:57:40 info Rejected an IKE packet on ethernet4 from 196.38.57.14:500 to 118.127.208.56:500 with cookies 38b5f8e14338a452 and d99a1735c964d084 because Phase 1 negotiations failed. (The preshared keys might not match.).
2011-04-27 12:57:39 info IKE<196.38.57.14> Phase 1: Responder starts MAIN mode negotiations.

Sonicwall log:
3  04/27/2011 12:34:20.400 Warning VPN IKE Received packet retransmission. Drop duplicate packet 118.127.208.56, 500, .bellsouth.net 196.38.57.14, 500 VPN Policy: FaS  
4  04/27/2011 12:34:19.272 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. 196.38.57.14, 500 118.127.208.56, 500, .bellsouth.net VPN Policy: FaS
0
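The two logs above tell the same story from both ends: the Netscreen, as responder, rejects the first exchange and names a likely cause in its message; the SonicWall, as initiator, only sees a timeout and keeps retransmitting. The classifier below is an added example (not from the thread or from either vendor) that maps the IKE messages quoted in this thread to a stage, a likely cause and the thing to check, and pulls the peer addresses and cookies out of the Netscreen rejection line. The rule table and the wording of the causes are mine; the sample lines are the ones posted above.

```python
"""Classify Netscreen / SonicWall IKE Phase 1 log lines into a likely cause.

Added example, not vendor code. The regexes are written against the message
text posted in the thread; the cause/check strings are my own guidance.
"""
import re
from typing import Dict, List, Optional

IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"

# (pattern, stage, likely cause, what to check), first match wins
RULES = [
    (re.compile(r"because there were no acceptable Phase 1 proposals"),
     "phase1", "proposal mismatch",
     "Make Phase 1 DH group, encryption, hash and auth method identical on both ends."),
    (re.compile(r"Phase 1 negotiations failed.*preshared keys might not match", re.I),
     "phase1", "pre-shared key mismatch",
     "Re-enter the PSK on both sides (Netscreen: VPNs > AutoKey Advanced > Gateway > Edit)."),
    (re.compile(r"Responder starts (MAIN|AGGRESSIVE) mode negotiations"),
     "phase1", "negotiation started",
     "Informational: the Netscreen received the peer's first IKE packet."),
    (re.compile(r"Remote party timeout - Retransmitting IKE request"),
     "phase1", "no reply from peer",
     "The peer dropped the packet without answering; read the peer's own log for the rejection reason."),
    (re.compile(r"Received packet retransmission\. Drop duplicate packet"),
     "phase1", "duplicate IKE packet",
     "Usually a side effect of the timeout above; look at the earlier lines."),
    (re.compile(r"Peer IPSec Security Gateway doesn't support VPN NAT Traversal"),
     "phase1", "NAT-T not negotiated",
     "Harmless when both gateways have public IPs; otherwise enable NAT-T on both."),
]
INFORMATIONAL = {"negotiation started"}

# Netscreen rejection line: "from A:port to B:port with cookies X and Y"
NS_REJECT = re.compile(r"from " + IP_PORT + r" to " + IP_PORT +
                       r" with cookies ([0-9a-f]+) and ([0-9a-f]+)")


def classify(line: str) -> Dict[str, Optional[str]]:
    """Return stage, cause, check and (for Netscreen rejections) peer/local/cookies."""
    result: Dict[str, Optional[str]] = {
        "stage": None, "cause": "unrecognised", "check": None,
        "peer": None, "local": None, "cookie_i": None, "cookie_r": None,
    }
    for pattern, stage, cause, check in RULES:
        if pattern.search(line):
            result.update(stage=stage, cause=cause, check=check)
            break
    m = NS_REJECT.search(line)
    if m:
        peer_ip, _, local_ip, _, cookie_i, cookie_r = m.groups()
        result.update(peer=peer_ip, local=local_ip, cookie_i=cookie_i, cookie_r=cookie_r)
    return result


def summarize(lines: List[str]) -> List[str]:
    """Distinct non-informational causes in order of first appearance."""
    seen: List[str] = []
    for line in lines:
        cause = classify(line)["cause"]
        if cause not in INFORMATIONAL and cause not in seen:
            seen.append(cause)
    return seen


# Sample input: the lines posted in the thread (Netscreen first, then SonicWall).
SAMPLE_LINES = [
    "2011-04-27 12:57:40 info Rejected an IKE packet on ethernet4 from 196.38.57.14:500 to 118.127.208.56:500 with cookies 38b5f8e14338a452 and d99a1735c964d084 because Phase 1 negotiations failed. (The preshared keys might not match.).",
    "2011-04-27 12:57:39 info IKE<196.38.57.14> Phase 1: Responder starts MAIN mode negotiations.",
    "3  04/27/2011 12:34:20.400 Warning VPN IKE Received packet retransmission. Drop duplicate packet 118.127.208.56, 500, .bellsouth.net 196.38.57.14, 500 VPN Policy: FaS",
    "4  04/27/2011 12:34:19.272 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. 196.38.57.14, 500 118.127.208.56, 500, .bellsouth.net VPN Policy: FaS",
    "Rejected an IKE packet on ethernet4 from 93.38.27.164:500 to 66.187.218.226:500 with cookies 7a12fba321e41ee5 and 0e59cd060121cf22 because there were no acceptable Phase 1 proposals.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = classify(line)
        print(f"{r['cause']:28s} {r['peer'] or '-':16s} {r['check']}")
    print("causes seen:", summarize(SAMPLE_LINES))
```

The useful part is the pairing: a "Remote party timeout" on the initiator is never the diagnosis, only the symptom, and the responder's rejection line (here the Netscreen's) carries the actual reason. The IKE cookies are the same on both ends of one exchange, so they are the key to line up the two logs when timestamps disagree, as they do above (12:57 on one box, 12:34 on the other).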
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35477876
When you configured the gateway on the Juniper, did you input the same pre-shared key as is configured on the SonicWall?

On the Juniper: VPNs > AutoKey Advanced > Gateway > Edit

At the bottom of the screen is where the pre-shared key is set up.
0
 

Author Comment

by:aando
ID: 35477949
Yes I have checked it several times just to be sure.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35478569
Other than the items we addressed in previous entries, I cannot see anything else that needs to be corrected on the Netscreen. I am going to reach out to a colleague who uses predominantly SonicWall equipment and see if he can provide some new insights into what may be wrong.
0
 

Author Comment

by:aando
ID: 35478580
Awesome thanks... Let me know if you need any more info. I'd be glad to take screen shots, etc. Thanks again...
0
 

Accepted Solution

by:
aando earned 0 total points
ID: 35793715
Never could get this working. I ended up asking the customer to just purchase a new Sonicwall so everything would be compatible.
0
 

Author Closing Comment

by:aando
ID: 35821599
Didn't solve... Customer had to buy another firewall.
0
 
LVL 1

Expert Comment

by:hindsight
ID: 36581682
We had a similar issue with a 5GT and an NSA 2400.
On the 5GT we created a custom P2 proposal that we called "sonicwall":
    Perfect Forward Secret - DH Group 2
    3DES-CBC
    SHA-1
    MD5

On the NSA 2400:
IKE Phase 1
    Aggressive
    Group 2
    3DES
    SHA-1
    28800
Phase 2
    ESP, 3DES, SHA-1, Enable Perfect Secret, Group 2, 28800
0
