Troubleshooting question

Cisco Router to Cisco Router Site-to-Site tunnel behind SonicWall

Asked by jplagens (United States)
Topics: Routers, VPN, Hardware Firewalls
I'm having trouble establishing a site-to-site VPN tunnel between two Cisco routers (UC560 and UC540), with the UC560 side sitting behind a SonicWall firewall.

I've configured the SonicWall to pass all services on a specific IP address to the outside interface of the SonicWall. I confirmed that piece is working with SonicWall tech support.

The setup is:


UC560 (outside IP: 10.0.1.2) to
SonicWall X0 inside port (10.0.1.1) to
SonicWall X1 outside (216.x.x.x) to
Internet to
UC540 (outside IP: 71.x.x.x)

UC560 LAN subnets: 172.19.0.x/24 and 172.19.1.x/24
UC540 LAN subnets: 172.20.0.x/24 and 172.20.1.x/24

It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP.  I've tried adding "no-xauth" on the pre-shared key.  I've tried adding the public IP as a secondary IP on the outside interface. I've checked the pre-shared keys.  I can't seem to bring the tunnel up.

A show crypto isakmp sa shows:

UC560_HOU#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
71.x.x.x    10.0.1.2        MM_NO_STATE          0 ACTIVE
71.x.x.x    10.0.1.2        MM_NO_STATE          0 ACTIVE (deleted)

debug crypto ipsec and debug crypto isakmp show:

UC560#
001344: Jan  2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001345: Jan  2 22:55:42.987: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001346: Jan  2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001347: Jan  2 22:55:42.987: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001348: Jan  2 22:55:42.987: ISAKMP:(0):Sending an IKE IPv4 Packet.
UC560#
001349: Jan  2 22:55:52.987: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.0.1.2:0, remote= 71.x.x.x:0,
    local_proxy= 172.19.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.20.0.0/255.255.255.0/0/0 (type=4)
001350: Jan  2 22:55:52.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001351: Jan  2 22:55:52.987: ISAKMP:(0):peer does not do paranoid keepalives.

001352: Jan  2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
001353: Jan  2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
UC560#
001354: Jan  2 22:55:52.987: ISAKMP: Unlocking peer struct 0x8B461C70 for isadb_mark_sa_deleted(), count 0
001355: Jan  2 22:55:52.987: ISAKMP: Deleting peer node by peer_reap for 71.x.x.x: 8B461C70
001356: Jan  2 22:55:52.987: ISAKMP:(0):deleting node 364849820 error FALSE reason "IKE deleted"
001357: Jan  2 22:55:52.987: ISAKMP:(0):deleting node -2026412144 error FALSE reason "IKE deleted"
001358: Jan  2 22:55:52.987: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001359: Jan  2 22:55:52.987: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

001360: Jan  2 22:55:52.987: IPSEC(key_engine): got a queue event with 1 KMI message(s)
UC560#
001361: Jan  2 22:55:54.931: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.1.2:500, remote= 71.x.x.x:500,
    local_proxy= 172.19.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.20.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001362: Jan  2 22:55:54.931: ISAKMP:(0): SA request profile is (NULL)
001363: Jan  2 22:55:54.931: ISAKMP: Created a peer struct for 71.x.x.x, peer port 500
001364: Jan  2 22:55:54.931: ISAKMP: New peer created peer = 0x8B45C130 peer_handle = 0x8000003A
001365: Jan  2 22:55:54.931: ISAKMP: Locking peer struct 0x8B45C130, refcount 1 for isakmp_initiator
001366: Jan  2 22:55:54.931: ISAKMP: local port 500, remote port 500
001367: Jan  2 22:55:54.931: ISAKMP: set new node 0 to QM_IDLE      
001368: Jan  2 22:55:54.931: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8B45FEAC
001369: Jan  2 22:55:54.931: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001370: Jan  2 22:55:54.931: ISAKMP:(0):found peer pre-shared key matching 71.x.x.x
001371: Jan  2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001372: Jan  2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-07 ID
001373: Jan  2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-03 ID
001374: Jan  2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
001375: Jan  2 22:55:54.935: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001376: Jan  2 22:55:54.935: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

001377: Jan  2 22:55:54.935: ISAKMP:(0): beginning Main Mode exchange
001378: Jan  2 22:55:54.935: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001379: Jan  2 22:55:54.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
001380: Jan  2 22:55:54.967: ISAKMP (0): received packet from 71.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
001381: Jan  2 22:55:54.967: ISAKMP:(0):Notify has no hash. Rejected.
001382: Jan  2 22:55:54.967: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
001383: Jan  2 22:55:54.967: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001384: Jan  2 22:55:54.967: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

UC560#
001385: Jan  2 22:55:54.967: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 71.x.x.x

--------------------------------------------

UC560 VPN Config

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <keygoeshere> address 71.x.x.x
!
!
crypto ipsec transform-set UC560toUC540 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 71.x.x.x
 set security-association lifetime seconds 86400
 set transform-set UC560toUC540
 match address 150

access-list 150 permit ip 172.19.0.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 172.19.1.0 0.0.0.255 172.20.1.0 0.0.0.255

----------------------------------------------------------------------

UC540 VPN Config

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <keygoeshere> address 216.x.x.x no-xauth
!
!
crypto ipsec transform-set UC540toUC560 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 216.x.x.x
 set security-association lifetime seconds 86400
 set transform-set UC540toUC560
 match address 150

access-list 150 permit ip 172.20.0.0 0.0.0.255 172.19.0.0 0.0.0.255
access-list 150 permit ip 172.20.1.0 0.0.0.255 172.19.1.0 0.0.0.255
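The debug output and the two configurations in the post can be read mechanically. What follows is an added example, not code from the post or from Cisco: a Python triage script that re-reads the posted `debug crypto isakmp` / `debug crypto ipsec` lines and the ISAKMP policy and transform-set lines, and reports how far phase 1 got, what the peer replied with, whether the local IKE identity is an RFC1918 address (a NAT in the path), and which of the configured algorithms are weak by current standards. The sample input is constructed by copying lines from the post; the function names, the wording of the findings, and the handling of the masked `x` octets are this example's own.

```python
"""Triage IOS IKEv1 debug output and crypto config (added example, not from the post)."""
import ipaddress
import re

# Constructed sample: debug lines copied from the post, cut down to the ones the
# checks below look at. Masked public octets (x) are kept exactly as posted.
DEBUG_SAMPLE = """\
001349: Jan  2 22:55:52.987: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.0.1.2:0, remote= 71.x.x.x:0,
001352: Jan  2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
001371: Jan  2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001376: Jan  2 22:55:54.935: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
001380: Jan  2 22:55:54.967: ISAKMP (0): received packet from 71.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
001381: Jan  2 22:55:54.967: ISAKMP:(0):Notify has no hash. Rejected.
001384: Jan  2 22:55:54.967: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
001385: Jan  2 22:55:54.967: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 71.x.x.x
"""

# Constructed sample: the UC560 ISAKMP policy and transform set from the post.
CONFIG_SAMPLE = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set UC560toUC540 esp-3des esp-md5-hmac
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True/False for a full address; None when masked octets leave it undecided."""
    if "x" in addr:  # e.g. 71.x.x.x as posted: only the first octet is known
        first = int(addr.split(".")[0])
        if first == 10:
            return True
        return None if first in (172, 192) else False
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def parse_debug(text):
    """Pull the facts the triage needs out of IOS ISAKMP/IPSEC debug output."""
    facts = {
        "local": None, "remote": None,
        "states": [],                  # (old, new) state transitions, in order
        "peer_answered": False,        # any 'received packet from <peer>'
        "unauth_notify": False,        # informational notify carrying no hash
        "nat_t_offered": False,        # we sent NAT-T vendor IDs in MM1
        "p1_retransmit_death": False,  # SA torn down after unanswered retries
    }
    for line in text.splitlines():
        m = re.search(r"local= (\S+):\d+, remote= (\S+):\d+", line)
        if m:
            facts["local"], facts["remote"] = m.group(1), m.group(2)
        m = re.search(r"Old State = (\S+)\s+New State = (\S+)", line)
        if m:
            facts["states"].append((m.group(1), m.group(2)))
        facts["peer_answered"] |= "received packet from" in line
        facts["unauth_notify"] |= "Notify has no hash" in line
        facts["nat_t_offered"] |= "constructed NAT-T vendor" in line
        facts["p1_retransmit_death"] |= "Death by retransmission P1" in line
    return facts


def triage(facts):
    """Turn the parsed facts into findings (short strings)."""
    findings = []
    mm = [int(new[-1]) for _, new in facts["states"] if re.fullmatch(r"IKE_I_MM\d", new)]
    if mm and max(mm) == 1:
        findings.append("phase 1 never got past MM1: our SA proposal went out, no MM2 was accepted")
    if facts["p1_retransmit_death"] and not facts["peer_answered"]:
        findings.append("peer silent: nothing received on UDP/500, check reachability both ways")
    if facts["peer_answered"] and facts["unauth_notify"]:
        findings.append("peer replied to MM1 with an informational notify carrying no hash; IOS "
                        "rejects unauthenticated notifies, so the refusal reason is only visible "
                        "in the responder's own debug")
    if facts["local"] and facts["remote"]:
        if is_rfc1918(facts["local"]) and is_rfc1918(facts["remote"]) is False:
            findings.append(f"local identity {facts['local']} is RFC1918 while peer "
                            f"{facts['remote']} is public: a NAT sits in front of us; the responder "
                            "looks up its pre-shared key by the translated source address it sees; "
                            f"NAT-T offered={facts['nat_t_offered']}")
    return findings


# Algorithms that are weak by current standards, with the IOS keyword to use instead.
WEAK = {
    r"^\s*encr 3des\b": "3DES (64-bit block); prefer 'encr aes 256'",
    r"^\s*hash md5\b": "MD5; prefer 'hash sha256' where the image supports it, else 'hash sha'",
    r"^\s*group 2\b": "DH group 2 (1024-bit MODP); prefer 'group 14' or stronger",
    r"\besp-3des\b": "ESP 3DES; prefer 'esp-aes 256'",
    r"\besp-md5-hmac\b": "ESP HMAC-MD5; prefer 'esp-sha256-hmac' where supported, else 'esp-sha-hmac'",
}


def audit_config(config):
    """One finding per weak algorithm in the ISAKMP policy and transform set."""
    return [f"{line.strip()!r}: {msg}" for line in config.splitlines()
            for pat, msg in WEAK.items() if re.search(pat, line)]


if __name__ == "__main__":
    for finding in triage(parse_debug(DEBUG_SAMPLE)) + audit_config(CONFIG_SAMPLE):
        print("-", finding)
```

Run as-is to print the findings for the posted output, or paste in the output of your own `debug crypto isakmp` session. The MM1-plus-notify finding is the one that matters for the post above: the UC540 did answer, but with an informational notify rather than MM2, and because IOS discards notifies that carry no hash the reason stays hidden on the UC560; `debug crypto isakmp` on the UC540 is where it will show. The config findings are a separate caveat: 3DES, MD5 and DH group 2 negotiate, but they are well below what current guidance calls for on a site-to-site tunnel.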