troubleshooting Question
Cisco Router to Cisco Router Site-to-Site tunnel behind SonicWall
jplagens
asked on
asked on
I'm having trouble establishing a site to site VPN tunnel between two cisco routers (UC560 and UC540) with the UC560 side sitting behind a Sonicwall firewall.
I've configured the Sonicwall to pass all services on a specific IP address to the outside interface of the Sonicwall. I confirmed that piece is working with Sonicwall tech support.
The setup is:
UC560 (outside IP: 10.0.1.2) to
Sonicwall X0 inside port (10.0.1.1) to
Sonicwall x1 outside (216.x.x.x) to
Internet to
UC540 (outside IP: 71.x.x.x)
UC560 LAN subnets: 172.19.0.x/24 and 172.19.1.x/24
UC540 LAN subnets: 172.20.0.x/24 and 172.20.1.x/24
It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP. I've tried adding "no-xauth" on the pre-shared key. I've tried adding the public IP as a secondary IP on the outside interface. I've checked the pre-shared keys. I can't seem to bring the tunnel up.
A show crypto isakmp sa shows:
UC560_HOU#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE (deleted)
A debug crypto ipsec and debug crypto isakmp shows:
UC560#
001344: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001345: Jan 2 22:55:42.987: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001346: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001347: Jan 2 22:55:42.987: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001348: Jan 2 22:55:42.987: ISAKMP:(0):Sending an IKE IPv4 Packet.
UC560#
001349: Jan 2 22:55:52.987: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.0.1.2:0, remote= 71.x.x.x:0,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
001350: Jan 2 22:55:52.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001351: Jan 2 22:55:52.987: ISAKMP:(0):peer does not do paranoid keepalives.
001352: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
001353: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
UC560#
001354: Jan 2 22:55:52.987: ISAKMP: Unlocking peer struct 0x8B461C70 for isadb_mark_sa_deleted(), count 0
001355: Jan 2 22:55:52.987: ISAKMP: Deleting peer node by peer_reap for 71.x.x.x: 8B461C70
001356: Jan 2 22:55:52.987: ISAKMP:(0):deleting node 364849820 error FALSE reason "IKE deleted"
001357: Jan 2 22:55:52.987: ISAKMP:(0):deleting node -2026412144 error FALSE reason "IKE deleted"
001358: Jan 2 22:55:52.987: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001359: Jan 2 22:55:52.987: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
001360: Jan 2 22:55:52.987: IPSEC(key_engine): got a queue event with 1 KMI message(s)
UC560#
001361: Jan 2 22:55:54.931: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.1.2:500, remote= 71.x.x.x:500,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001362: Jan 2 22:55:54.931: ISAKMP:(0): SA request profile is (NULL)
001363: Jan 2 22:55:54.931: ISAKMP: Created a peer struct for 71.x.x.x, peer port 500
001364: Jan 2 22:55:54.931: ISAKMP: New peer created peer = 0x8B45C130 peer_handle = 0x8000003A
001365: Jan 2 22:55:54.931: ISAKMP: Locking peer struct 0x8B45C130, refcount 1 for isakmp_initiator
001366: Jan 2 22:55:54.931: ISAKMP: local port 500, remote port 500
001367: Jan 2 22:55:54.931: ISAKMP: set new node 0 to QM_IDLE
001368: Jan 2 22:55:54.931: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8B45FEAC
001369: Jan 2 22:55:54.931: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001370: Jan 2 22:55:54.931: ISAKMP:(0):found peer pre-shared key matching 71.x.x.x
001371: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001372: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-07 ID
001373: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-03 ID
001374: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
001375: Jan 2 22:55:54.935: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001376: Jan 2 22:55:54.935: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
001377: Jan 2 22:55:54.935: ISAKMP:(0): beginning Main Mode exchange
001378: Jan 2 22:55:54.935: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001379: Jan 2 22:55:54.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
001380: Jan 2 22:55:54.967: ISAKMP (0): received packet from 71.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
001381: Jan 2 22:55:54.967: ISAKMP:(0):Notify has no hash. Rejected.
001382: Jan 2 22:55:54.967: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
001383: Jan 2 22:55:54.967: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001384: Jan 2 22:55:54.967: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
UC560#
001385: Jan 2 22:55:54.967: %CRYPTO-6-IKMP_MODE_FAILUR
--------------------------
UC560 VPN Config
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 71.x.x.x
!
!
crypto ipsec transform-set UC560toUC540 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 71.x.x.x
set security-association lifetime seconds 86400
set transform-set UC560toUC540
match address 150
access-list 150 permit ip 172.19.0.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 172.19.1.0 0.0.0.255 172.20.1.0 0.0.0.255
--------------------------
UC540 VPN Config
rypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 216.x.x.x no-xauth
!
!
crypto ipsec transform-set UC540toUC560 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 216.x.x.x
set security-association lifetime seconds 86400
set transform-set UC540toUC560
match address 150
access-list 150 permit ip 172.20.0.0 0.0.0.255 172.19.0.0 0.0.0.255
access-list 150 permit ip 172.20.1.0 0.0.0.255 172.19.1.0 0.0.0.255
I've configured the Sonicwall to pass all services on a specific IP address to the outside interface of the Sonicwall. I confirmed that piece is working with Sonicwall tech support.
The setup is:
UC560 (outside IP: 10.0.1.2) to
Sonicwall X0 inside port (10.0.1.1) to
Sonicwall x1 outside (216.x.x.x) to
Internet to
UC540 (outside IP: 71.x.x.x)
UC560 LAN subnets: 172.19.0.x/24 and 172.19.1.x/24
UC540 LAN subnets: 172.20.0.x/24 and 172.20.1.x/24
It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP. I've tried adding "no-xauth" on the pre-shared key. I've tried adding the public IP as a secondary IP on the outside interface. I've checked the pre-shared keys. I can't seem to bring the tunnel up.
A show crypto isakmp sa shows:
UC560_HOU#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE (deleted)
A debug crypto ipsec and debug crypto isakmp shows:
UC560#
001344: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001345: Jan 2 22:55:42.987: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001346: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001347: Jan 2 22:55:42.987: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001348: Jan 2 22:55:42.987: ISAKMP:(0):Sending an IKE IPv4 Packet.
UC560#
001349: Jan 2 22:55:52.987: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.0.1.2:0, remote= 71.x.x.x:0,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
001350: Jan 2 22:55:52.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001351: Jan 2 22:55:52.987: ISAKMP:(0):peer does not do paranoid keepalives.
001352: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
001353: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
UC560#
001354: Jan 2 22:55:52.987: ISAKMP: Unlocking peer struct 0x8B461C70 for isadb_mark_sa_deleted(), count 0
001355: Jan 2 22:55:52.987: ISAKMP: Deleting peer node by peer_reap for 71.x.x.x: 8B461C70
001356: Jan 2 22:55:52.987: ISAKMP:(0):deleting node 364849820 error FALSE reason "IKE deleted"
001357: Jan 2 22:55:52.987: ISAKMP:(0):deleting node -2026412144 error FALSE reason "IKE deleted"
001358: Jan 2 22:55:52.987: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001359: Jan 2 22:55:52.987: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
001360: Jan 2 22:55:52.987: IPSEC(key_engine): got a queue event with 1 KMI message(s)
UC560#
001361: Jan 2 22:55:54.931: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.1.2:500, remote= 71.x.x.x:500,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001362: Jan 2 22:55:54.931: ISAKMP:(0): SA request profile is (NULL)
001363: Jan 2 22:55:54.931: ISAKMP: Created a peer struct for 71.x.x.x, peer port 500
001364: Jan 2 22:55:54.931: ISAKMP: New peer created peer = 0x8B45C130 peer_handle = 0x8000003A
001365: Jan 2 22:55:54.931: ISAKMP: Locking peer struct 0x8B45C130, refcount 1 for isakmp_initiator
001366: Jan 2 22:55:54.931: ISAKMP: local port 500, remote port 500
001367: Jan 2 22:55:54.931: ISAKMP: set new node 0 to QM_IDLE
001368: Jan 2 22:55:54.931: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8B45FEAC
001369: Jan 2 22:55:54.931: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001370: Jan 2 22:55:54.931: ISAKMP:(0):found peer pre-shared key matching 71.x.x.x
001371: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001372: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-07 ID
001373: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-03 ID
001374: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
001375: Jan 2 22:55:54.935: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001376: Jan 2 22:55:54.935: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
001377: Jan 2 22:55:54.935: ISAKMP:(0): beginning Main Mode exchange
001378: Jan 2 22:55:54.935: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001379: Jan 2 22:55:54.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
001380: Jan 2 22:55:54.967: ISAKMP (0): received packet from 71.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
001381: Jan 2 22:55:54.967: ISAKMP:(0):Notify has no hash. Rejected.
001382: Jan 2 22:55:54.967: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
001383: Jan 2 22:55:54.967: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001384: Jan 2 22:55:54.967: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
UC560#
001385: Jan 2 22:55:54.967: %CRYPTO-6-IKMP_MODE_FAILUR
--------------------------
UC560 VPN Config
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 71.x.x.x
!
!
crypto ipsec transform-set UC560toUC540 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 71.x.x.x
set security-association lifetime seconds 86400
set transform-set UC560toUC540
match address 150
access-list 150 permit ip 172.19.0.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 172.19.1.0 0.0.0.255 172.20.1.0 0.0.0.255
--------------------------
UC540 VPN Config
rypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 216.x.x.x no-xauth
!
!
crypto ipsec transform-set UC540toUC560 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 216.x.x.x
set security-association lifetime seconds 86400
set transform-set UC540toUC560
match address 150
access-list 150 permit ip 172.20.0.0 0.0.0.255 172.19.0.0 0.0.0.255
access-list 150 permit ip 172.20.1.0 0.0.0.255 172.19.1.0 0.0.0.255
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 9 Comments.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 9 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.