TBTNetworks asked:

Sonicwall VPN issue

I have our corporate location that has a managed Cisco router/firewall (managed by the ISP) and all of our remote locations that are managed by us and have Sonicwalls.

I had our ISP add another VPN tunnel with a specific shared secret, and gave them the destination public and private IP addresses. However the tunnel isn't coming up.

Here are the settings on the new site/sonicwall/vpn:

Policy Type: Site to Site
Authentication Method: IKE using Preshared Secret
IPsec Primary Gateway name or address: <Public IP of our corp office>
IPsec Secondary gateway name or address: 0.0.0.0

Shared Secret: <The shared secret I gave them>
Local IKE and Peer IKE: both blank

Choose local network from list: Lan Subnets
Choose destination network from list (remote networks): <the group of IPs on the remote network>

IKE Phase 1
Exchange: main mode
DH group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

Phase 2:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800

Enabled Keep Alive
VPN Policy bound to ZONE WAN

The VPN Settings on another one of our site locations (older sonicwall):
Ipsec Keying Mode: IKE using Preshared Secret
Ipsec Primary gateway: <Public IP of corp office>
Ipsec Secondary: 0.0.0.0
Shared Secret: <our shared secret>

Destination network is "specified below", so instead of an address object it's manually typed as a network/netmask of the corp office network.

IKE Phase 1
Exchange: main mode
DH group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

Phase 2:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800

Enabled Keep Alive
VPN Terminated at LAN

Here is what I see in the log of my remote site:
IKE Initiator: Start Main Mode Negotiation (Phase 1)
IKE Initiator: Main Mode Complete (Phase 1)
IKE Initiator: Start Quick Mode (Phase 2)
Received IKE SA delete request
IPSecTunnel status changed     Tunnel Down
<repeats>
<repeats>
<repeats>

On my working remote sites I see:
IKE Initiator: Start Main Mode Negotiation (Phase 1)
NAT Discovery: Peer IPSec Security Gateway doesn't support VPN NAT Traversal
IKE Initiator: Main Mode Complete (Phase 1)
IKE Initiator: Received Quick Mode Request (Phase 2)
IKE Responder: Accepting IPSec Proposal (Phase 2)
IKE Negotiation Complete: Adding IPSec SA (Phase 2)
<Tunnel is up>

Thoughts? Unfortunately not having admin access to the managed Cisco devices on the other end may limit what we can do, but looking forward to what you all think.
Tags: Hardware Firewalls, VPN, Networking
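What the two log excerpts say, as an added worked example that is not part of the original post and not SonicWall or Cisco tooling: Main Mode completing means the pre-shared secret, DH group and Phase 1 transform are agreed on both sides; an IKE SA delete arriving right after Quick Mode starts means the peer rejected the Phase 2 proposal, so the place to look is the ESP transform, PFS, or the local/remote networks (traffic selectors), which must be exact mirror images on both gateways. The Python below classifies the log lines from the post and then compares the SonicWall's Phase 2 policy against a Cisco-side policy. Everything about the Cisco side, and all addresses (10.0.0.0/24, 10.20.0.0/24, 10.20.1.0/24), are assumptions, since the asker cannot see the managed router; the assumed failure is the common one where a SonicWall "LAN Subnets" object expands to more networks than the single subnet the ISP was given. The 3DES/SHA1/DH group 2 parameters are carried over from the post as data, not as a recommendation; a practitioner would want AES and SHA-2 with a stronger DH group wherever the managed peer supports them.

```python
"""Added example (not from the original post): triage a SonicWall IKEv1
site-to-site tunnel that completes Phase 1 but never gets an IPsec SA.

The log text below is what the post shows.  The Cisco-side policy is an
ASSUMPTION (the asker has no access to the managed router); it is written
only to show how an un-mirrored traffic selector yields this log pattern.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Log excerpts as pasted in the post (constructed sample input for this script).
FAILING_LOG = """
IKE Initiator: Start Main Mode Negotiation (Phase 1)
IKE Initiator: Main Mode Complete (Phase 1)
IKE Initiator: Start Quick Mode (Phase 2)
Received IKE SA delete request
IPSecTunnel status changed     Tunnel Down
"""

WORKING_LOG = """
IKE Initiator: Start Main Mode Negotiation (Phase 1)
NAT Discovery: Peer IPSec Security Gateway doesn't support VPN NAT Traversal
IKE Initiator: Main Mode Complete (Phase 1)
IKE Initiator: Received Quick Mode Request (Phase 2)
IKE Responder: Accepting IPSec Proposal (Phase 2)
IKE Negotiation Complete: Adding IPSec SA (Phase 2)
"""


def classify_ike_log(text: str) -> str:
    """Return how far the IKEv1 negotiation got, judged from SonicWall log text.

    'phase2-rejected': the peer accepted our identity and pre-shared secret
    (Main Mode completed) but tore the IKE SA down as soon as we proposed an
    IPsec SA, so the mismatch is in Phase 2, not in the secret or DH group.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    phase1_ok = any("Main Mode Complete" in ln for ln in lines)
    quick_mode = any("Quick Mode" in ln for ln in lines)
    sa_added = any("Adding IPSec SA" in ln for ln in lines)
    deleted = any("IKE SA delete request" in ln for ln in lines)
    if sa_added:
        return "up"
    if not phase1_ok:
        return "phase1-failed"      # secret, DH group, Phase 1 transform, or IKE IDs
    if quick_mode and deleted:
        return "phase2-rejected"
    return "unknown"


@dataclass(frozen=True)
class Phase2Policy:
    """One side's IPsec (Phase 2) proposal, as a SonicWall policy or a crypto map states it."""
    local_nets: tuple               # networks behind this gateway
    remote_nets: tuple              # networks behind the peer
    encryption: str
    auth: str
    pfs_group: Optional[int]        # None = PFS off
    lifetime: int


def _nets(items):
    return frozenset(ipaddress.ip_network(n, strict=False) for n in items)


def phase2_mismatches(ours: Phase2Policy, theirs: Phase2Policy) -> list:
    """List every reason the peer would reject our Quick Mode proposal.

    Selectors must mirror: our 'local' is their 'remote' and vice versa.  One
    extra or broader subnet on either side (e.g. a 'LAN Subnets' object that
    holds a second network the peer's crypto ACL never mentions) is enough
    for the responder to find no matching entry and send a delete.
    """
    problems = []
    if ours.encryption.lower() != theirs.encryption.lower():
        problems.append(f"ESP encryption {ours.encryption} vs {theirs.encryption}")
    if ours.auth.lower() != theirs.auth.lower():
        problems.append(f"ESP authentication {ours.auth} vs {theirs.auth}")
    if ours.pfs_group != theirs.pfs_group:
        problems.append(f"PFS group {ours.pfs_group} vs {theirs.pfs_group}")
    if _nets(ours.local_nets) != _nets(theirs.remote_nets):
        problems.append("our local networks are not the peer's remote networks: "
                        f"{sorted(ours.local_nets)} vs {sorted(theirs.remote_nets)}")
    if _nets(ours.remote_nets) != _nets(theirs.local_nets):
        problems.append("our remote networks are not the peer's local networks: "
                        f"{sorted(ours.remote_nets)} vs {sorted(theirs.local_nets)}")
    # Lifetime differences are normally negotiated down to the shorter value
    # rather than rejected, so they are not reported as a cause of a delete.
    return problems


# Constructed addresses.  SonicWall side follows the post: local = 'LAN Subnets',
# remote = the corp network.  Cisco side is an ASSUMPTION: only the one /24 the
# ISP was given appears in its crypto ACL.
CORP_NET = "10.0.0.0/24"
SITE_NET = "10.20.0.0/24"
SITE_EXTRA_NET = "10.20.1.0/24"     # assumed second LAN network (e.g. a voice VLAN)

SONICWALL_AS_CONFIGURED = Phase2Policy(
    local_nets=(SITE_NET, SITE_EXTRA_NET),   # 'LAN Subnets' expands to every LAN network
    remote_nets=(CORP_NET,),
    encryption="3DES", auth="SHA1", pfs_group=None, lifetime=28800)

CISCO_ASSUMED = Phase2Policy(
    local_nets=(CORP_NET,), remote_nets=(SITE_NET,),
    encryption="3DES", auth="SHA1", pfs_group=None, lifetime=28800)

# Same SonicWall with a single address object matching what the ISP was told.
SONICWALL_FIXED = Phase2Policy(
    local_nets=(SITE_NET,), remote_nets=(CORP_NET,),
    encryption="3DES", auth="SHA1", pfs_group=None, lifetime=28800)

if __name__ == "__main__":
    print("failing log :", classify_ike_log(FAILING_LOG))
    print("working log :", classify_ike_log(WORKING_LOG))
    for p in phase2_mismatches(SONICWALL_AS_CONFIGURED, CISCO_ASSUMED):
        print("mismatch    :", p)
    print("after fix   :", phase2_mismatches(SONICWALL_FIXED, CISCO_ASSUMED) or "none")
```

Run as a script it prints "phase2-rejected" for the failing site, "up" for the working one, a single selector mismatch for the as-configured policy, and none once the SonicWall's local network is a single object that matches the subnet the ISP was given. Without admin access to the Cisco, the equivalent manual check is to ask the ISP for the crypto ACL, transform-set and PFS setting on their side and compare them line by line against the Phase 2 block in the post; any subnet present on one side and absent on the other is enough to produce the delete.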

Last comment: Syed_M_Usman, 8/22/2022 (Mon)
Asker-certified solution: Syed_M_Usman
