Troubleshooting Question

Sonicwall VPN issue

Asked by TBTNetworks
Topics: Networking, VPN, Hardware Firewalls
I have our corporate location, which has a managed Cisco router/firewall (managed by the ISP), and all of our remote locations, which are managed by us and have SonicWalls.

I had our ISP add another VPN tunnel with a specific shared secret, and gave them the destination public and private IP addresses. However, the tunnel isn't coming up.

Here are the settings on the new site/sonicwall/vpn:

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
IPsec Primary Gateway name or address: <Public IP of our corp office>
IPsec Secondary gateway name or address: 0.0.0.0

Shared Secret: <The shared secret I gave them>
Local IKE and Peer IKE: both blank

Choose local network from list: Lan Subnets
Choose destination network from list (remote networks): <the group of IPs on the remote network>

IKE Phase 1
Exchange: main mode
DH group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

Phase 2:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800

Enabled Keep Alive
VPN Policy bound to ZONE WAN

The VPN Settings on another one of our site locations (older sonicwall):
IPsec Keying Mode: IKE using Preshared Secret
IPsec Primary gateway: <Public IP of corp office>
IPsec Secondary: 0.0.0.0
Shared Secret: <our shared secret>

Destination networks is "Specified below", so instead of an address object it's manually typed with a network/netmask of the corp office network.

IKE Phase 1
Exchange: main mode
DH group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

Phase 2:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800

Enabled Keep Alive
VPN Terminated at LAN

Here is what I see in the log of my remote site:
IKE Initiator: Start Main Mode Negotiation (Phase 1)
IKE Initiator: Main Mode Complete (Phase 1)
IKE Initiator: Start Quick Mode (Phase 2)
Received IKE SA delete request
IPSecTunnel status changed: Tunnel Down
<repeats>
<repeats>
<repeats>

On my working remote sites I see:
IKE Initiator: Start Main Mode Negotiation (Phase 1)
NAT Discovery: Peer IPSec Security Gateway doesn't support VPN NAT Traversal
IKE Initiator: Main Mode Complete (Phase 1)
IKE Initiator: Received Quick Mode Request (Phase 2)
IKE Responder: Accepting IPSec Proposal (Phase 2)
IKE Negotiation Complete: Adding IPSec SA (Phase 2)
<Tunnel is up>

Thoughts? Unfortunately, not having admin access to the managed Cisco devices on the other end may limit what we can do, but I'm looking forward to what you all think.
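The two log excerpts above tell the whole story: on the failing site Phase 1 completes and the peer tears the IKE SA down as soon as Quick Mode starts, while on the working sites Quick Mode is accepted. The script below is an added illustration (not the poster's code and not part of any answer on this page) that turns that reading into a repeatable triage: it scans SonicWall IKE log lines for the furthest milestone reached, reports which phase the negotiation stopped in, lists the settings that must agree with the peer for that phase (standard IKEv1 requirements, not knowledge of the ISP's Cisco configuration), and diffs two policy summaries so the differences between the working site and the new one stand out. The log lines are the ones quoted in the question, re-typed as constructed input; the policy dictionaries summarize the settings listed in the question with placeholder values where the poster redacted addresses.

```python
"""Triage SonicWall (SonicOS, IKEv1) site-to-site VPN logs and policies.

Added illustration for the question above; the Cisco side is not visible,
so the checklist lists only what IKEv1 requires to match between peers.
"""

# Negotiation milestones in the order SonicOS logs them.  Substrings are
# taken verbatim from the log lines quoted in the question.
MILESTONES = (
    ("phase1", "Start Main Mode Negotiation"),
    ("phase1", "Main Mode Complete"),
    ("phase2", "Start Quick Mode"),
    ("phase2", "Received Quick Mode Request"),
    ("phase2", "Accepting IPSec Proposal"),
    ("phase2", "Adding IPSec SA"),
)
TUNNEL_UP_STEP = "Adding IPSec SA"
FAILURE_MARKERS = ("Received IKE SA delete request", "Tunnel Down")

# What has to match the peer in each phase (standard IKEv1 requirements).
PEER_MUST_MATCH = {
    "phase1": (
        "preshared secret, byte for byte, on both ends",
        "IKE identities (Local IKE ID / Peer IKE ID) vs what the peer expects",
        "Phase 1 proposal: exchange mode, DH group, encryption, hash, lifetime",
    ),
    "phase2": (
        "Phase 2 proposal: ESP encryption, authentication, PFS group, lifetime",
        "proxy IDs: local and destination networks must mirror the peer's "
        "crypto ACL exactly; an address group expands to one selector per member",
    ),
}


def triage(log_lines):
    """Return the last milestone seen, whether the tunnel came up, and the
    phase in which negotiation stopped (None when the tunnel is up)."""
    last_phase = last_step = None
    saw_failure = False
    for line in log_lines:
        for phase, step in MILESTONES:
            if step in line:
                last_phase, last_step = phase, step
        if any(marker in line for marker in FAILURE_MARKERS):
            saw_failure = True
    tunnel_up = last_step == TUNNEL_UP_STEP and not saw_failure
    return {
        "last_step": last_step,
        "tunnel_up": tunnel_up,
        "failed_phase": None if tunnel_up else last_phase,
    }


def checklist(result):
    """Settings to compare with the peer for the phase that failed."""
    return PEER_MUST_MATCH.get(result["failed_phase"], ())


def diff_policies(policy_a, policy_b):
    """Keys whose values differ between two VPN policy summaries."""
    return {k: (policy_a.get(k), policy_b.get(k))
            for k in sorted(set(policy_a) | set(policy_b))
            if policy_a.get(k) != policy_b.get(k)}


# Constructed input: the two log excerpts from the question, re-typed.
FAILING_SITE_LOG = [
    "IKE Initiator: Start Main Mode Negotiation (Phase 1)",
    "IKE Initiator: Main Mode Complete (Phase 1)",
    "IKE Initiator: Start Quick Mode (Phase 2)",
    "Received IKE SA delete request",
    "IPSecTunnel status changed: Tunnel Down",
]
WORKING_SITE_LOG = [
    "IKE Initiator: Start Main Mode Negotiation (Phase 1)",
    "NAT Discovery: Peer IPSec Security Gateway doesn't support VPN NAT Traversal",
    "IKE Initiator: Main Mode Complete (Phase 1)",
    "IKE Initiator: Received Quick Mode Request (Phase 2)",
    "IKE Responder: Accepting IPSec Proposal (Phase 2)",
    "IKE Negotiation Complete: Adding IPSec SA (Phase 2)",
]

# Policy summaries from the question; placeholders stand in for redacted values.
COMMON = {
    "auth_method": "IKE using Preshared Secret",
    "primary_gateway": "<corp public IP>", "secondary_gateway": "0.0.0.0",
    "p1_exchange": "Main Mode", "p1_dh": "Group 2", "p1_enc": "3DES",
    "p1_auth": "SHA1", "p1_lifetime": 28800,
    "p2_proto": "ESP", "p2_enc": "3DES", "p2_auth": "SHA1", "p2_lifetime": 28800,
    "keepalive": True,
}
NEW_SITE_POLICY = dict(COMMON, destination_network="address group (several objects)",
                       binding="Zone WAN")
WORKING_SITE_POLICY = dict(COMMON, destination_network="specified below: corp network/netmask",
                           binding="terminated at LAN")

if __name__ == "__main__":
    for name, log in (("failing site", FAILING_SITE_LOG), ("working site", WORKING_SITE_LOG)):
        result = triage(log)
        print(name, result)
        for item in checklist(result):
            print("  check:", item)
    print("policy differences:", diff_policies(NEW_SITE_POLICY, WORKING_SITE_POLICY))
```

Run it as-is and the failing site is classified as a Phase 2 stop, which points at the Phase 2 proposal and the proxy IDs rather than at the shared secret. The policy diff isolates the only things the poster changed relative to a working site: the destination is an address group instead of a single manually specified network. An address group is offered to the peer as one traffic selector per member, and a peer whose crypto ACL covers a single network will reject selectors it does not expect, so that is the first thing worth confirming with the ISP when admin access to the Cisco side is not available.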
ASKER CERTIFIED SOLUTION
Syed_M_Usman
System Administrator