We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
11 days, 5 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Cisco Router to Cisco Router Site-to-Site tunnel behind SonicWall
Posted on 2013-01-02
I'm having trouble establishing a site to site VPN tunnel between two cisco routers (UC560 and UC540) with the UC560 side sitting behind a Sonicwall firewall.
I've configured the Sonicwall to pass all services on a specific IP address to the outside interface of the Sonicwall. I confirmed that piece is working with Sonicwall tech support.
The setup is:
UC560 (outside IP: 10.0.1.2) to
Sonicwall X0 inside port (10.0.1.1) to
Sonicwall x1 outside (216.x.x.x) to
Internet to
UC540 (outside IP: 71.x.x.x)
UC560 LAN subnets: 172.19.0.x/24 and 172.19.1.x/24
UC540 LAN subnets: 172.20.0.x/24 and 172.20.1.x/24
It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP. I've tried adding "no-xauth" on the pre-shared key. I've tried adding the public IP as a secondary IP on the outside interface. I've checked the pre-shared keys. I can't seem to bring the tunnel up.
A show crypto isakmp sa shows:
UC560_HOU#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE (deleted)
A debug crypto ipsec and debug crypto isakmp shows:
UC560#
001344: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001345: Jan 2 22:55:42.987: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001346: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001347: Jan 2 22:55:42.987: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001348: Jan 2 22:55:42.987: ISAKMP:(0):Sending an IKE IPv4 Packet.
UC560#
001349: Jan 2 22:55:52.987: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.0.1.2:0, remote= 71.x.x.x:0,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
001350: Jan 2 22:55:52.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001351: Jan 2 22:55:52.987: ISAKMP:(0):peer does not do paranoid keepalives.
001352: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
001353: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
UC560#
001354: Jan 2 22:55:52.987: ISAKMP: Unlocking peer struct 0x8B461C70 for isadb_mark_sa_deleted(), count 0
001355: Jan 2 22:55:52.987: ISAKMP: Deleting peer node by peer_reap for 71.x.x.x: 8B461C70
001356: Jan 2 22:55:52.987: ISAKMP:(0):deleting node 364849820 error FALSE reason "IKE deleted"
001357: Jan 2 22:55:52.987: ISAKMP:(0):deleting node -2026412144 error FALSE reason "IKE deleted"
001358: Jan 2 22:55:52.987: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001359: Jan 2 22:55:52.987: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
001360: Jan 2 22:55:52.987: IPSEC(key_engine): got a queue event with 1 KMI message(s)
UC560#
001361: Jan 2 22:55:54.931: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.1.2:500, remote= 71.x.x.x:500,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001362: Jan 2 22:55:54.931: ISAKMP:(0): SA request profile is (NULL)
001363: Jan 2 22:55:54.931: ISAKMP: Created a peer struct for 71.x.x.x, peer port 500
001364: Jan 2 22:55:54.931: ISAKMP: New peer created peer = 0x8B45C130 peer_handle = 0x8000003A
001365: Jan 2 22:55:54.931: ISAKMP: Locking peer struct 0x8B45C130, refcount 1 for isakmp_initiator
001366: Jan 2 22:55:54.931: ISAKMP: local port 500, remote port 500
001367: Jan 2 22:55:54.931: ISAKMP: set new node 0 to QM_IDLE
001368: Jan 2 22:55:54.931: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8B45FEAC
001369: Jan 2 22:55:54.931: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001370: Jan 2 22:55:54.931: ISAKMP:(0):found peer pre-shared key matching 71.x.x.x
001371: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001372: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-07 ID
001373: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-03 ID
001374: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
001375: Jan 2 22:55:54.935: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001376: Jan 2 22:55:54.935: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
001377: Jan 2 22:55:54.935: ISAKMP:(0): beginning Main Mode exchange
001378: Jan 2 22:55:54.935: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001379: Jan 2 22:55:54.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
001380: Jan 2 22:55:54.967: ISAKMP (0): received packet from 71.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
001381: Jan 2 22:55:54.967: ISAKMP:(0):Notify has no hash. Rejected.
001382: Jan 2 22:55:54.967: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
001383: Jan 2 22:55:54.967: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001384: Jan 2 22:55:54.967: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
UC560#
001385: Jan 2 22:55:54.967: %CRYPTO-6-IKMP_MODE_FAILUR
--------------------------
UC560 VPN Config
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 71.x.x.x
!
!
crypto ipsec transform-set UC560toUC540 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 71.x.x.x
set security-association lifetime seconds 86400
set transform-set UC560toUC540
match address 150
access-list 150 permit ip 172.19.0.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 172.19.1.0 0.0.0.255 172.20.1.0 0.0.0.255
--------------------------
UC540 VPN Config
rypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 216.x.x.x no-xauth
!
!
crypto ipsec transform-set UC540toUC560 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 216.x.x.x
set security-association lifetime seconds 86400
set transform-set UC540toUC560
match address 150
access-list 150 permit ip 172.20.0.0 0.0.0.255 172.19.0.0 0.0.0.255
access-list 150 permit ip 172.20.1.0 0.0.0.255 172.19.1.0 0.0.0.255
I've configured the Sonicwall to pass all services on a specific IP address to the outside interface of the Sonicwall. I confirmed that piece is working with Sonicwall tech support.
The setup is:
UC560 (outside IP: 10.0.1.2) to
Sonicwall X0 inside port (10.0.1.1) to
Sonicwall x1 outside (216.x.x.x) to
Internet to
UC540 (outside IP: 71.x.x.x)
UC560 LAN subnets: 172.19.0.x/24 and 172.19.1.x/24
UC540 LAN subnets: 172.20.0.x/24 and 172.20.1.x/24
It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP. I've tried adding "no-xauth" on the pre-shared key. I've tried adding the public IP as a secondary IP on the outside interface. I've checked the pre-shared keys. I can't seem to bring the tunnel up.
A show crypto isakmp sa shows:
UC560_HOU#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE
71.x.x.x 10.0.1.2 MM_NO_STATE 0 ACTIVE (deleted)
A debug crypto ipsec and debug crypto isakmp shows:
UC560#
001344: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001345: Jan 2 22:55:42.987: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001346: Jan 2 22:55:42.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001347: Jan 2 22:55:42.987: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001348: Jan 2 22:55:42.987: ISAKMP:(0):Sending an IKE IPv4 Packet.
UC560#
001349: Jan 2 22:55:52.987: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.0.1.2:0, remote= 71.x.x.x:0,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
001350: Jan 2 22:55:52.987: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001351: Jan 2 22:55:52.987: ISAKMP:(0):peer does not do paranoid keepalives.
001352: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
001353: Jan 2 22:55:52.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 71.x.x.x)
UC560#
001354: Jan 2 22:55:52.987: ISAKMP: Unlocking peer struct 0x8B461C70 for isadb_mark_sa_deleted(), count 0
001355: Jan 2 22:55:52.987: ISAKMP: Deleting peer node by peer_reap for 71.x.x.x: 8B461C70
001356: Jan 2 22:55:52.987: ISAKMP:(0):deleting node 364849820 error FALSE reason "IKE deleted"
001357: Jan 2 22:55:52.987: ISAKMP:(0):deleting node -2026412144 error FALSE reason "IKE deleted"
001358: Jan 2 22:55:52.987: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001359: Jan 2 22:55:52.987: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
001360: Jan 2 22:55:52.987: IPSEC(key_engine): got a queue event with 1 KMI message(s)
UC560#
001361: Jan 2 22:55:54.931: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.1.2:500, remote= 71.x.x.x:500,
local_proxy= 172.19.0.0/255.255.255.0/0
remote_proxy= 172.20.0.0/255.255.255.0/0
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001362: Jan 2 22:55:54.931: ISAKMP:(0): SA request profile is (NULL)
001363: Jan 2 22:55:54.931: ISAKMP: Created a peer struct for 71.x.x.x, peer port 500
001364: Jan 2 22:55:54.931: ISAKMP: New peer created peer = 0x8B45C130 peer_handle = 0x8000003A
001365: Jan 2 22:55:54.931: ISAKMP: Locking peer struct 0x8B45C130, refcount 1 for isakmp_initiator
001366: Jan 2 22:55:54.931: ISAKMP: local port 500, remote port 500
001367: Jan 2 22:55:54.931: ISAKMP: set new node 0 to QM_IDLE
001368: Jan 2 22:55:54.931: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8B45FEAC
001369: Jan 2 22:55:54.931: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001370: Jan 2 22:55:54.931: ISAKMP:(0):found peer pre-shared key matching 71.x.x.x
001371: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001372: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-07 ID
001373: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-03 ID
001374: Jan 2 22:55:54.935: ISAKMP:(0): constructed NAT-T vendor-02 ID
001375: Jan 2 22:55:54.935: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001376: Jan 2 22:55:54.935: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
001377: Jan 2 22:55:54.935: ISAKMP:(0): beginning Main Mode exchange
001378: Jan 2 22:55:54.935: ISAKMP:(0): sending packet to 71.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
001379: Jan 2 22:55:54.935: ISAKMP:(0):Sending an IKE IPv4 Packet.
001380: Jan 2 22:55:54.967: ISAKMP (0): received packet from 71.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
001381: Jan 2 22:55:54.967: ISAKMP:(0):Notify has no hash. Rejected.
001382: Jan 2 22:55:54.967: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
001383: Jan 2 22:55:54.967: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001384: Jan 2 22:55:54.967: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
UC560#
001385: Jan 2 22:55:54.967: %CRYPTO-6-IKMP_MODE_FAILUR
--------------------------
UC560 VPN Config
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 71.x.x.x
!
!
crypto ipsec transform-set UC560toUC540 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 71.x.x.x
set security-association lifetime seconds 86400
set transform-set UC560toUC540
match address 150
access-list 150 permit ip 172.19.0.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 172.19.1.0 0.0.0.255 172.20.1.0 0.0.0.255
--------------------------
UC540 VPN Config
rypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <keygoeshere> address 216.x.x.x no-xauth
!
!
crypto ipsec transform-set UC540toUC560 esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 216.x.x.x
set security-association lifetime seconds 86400
set transform-set UC540toUC560
match address 150
access-list 150 permit ip 172.20.0.0 0.0.0.255 172.19.0.0 0.0.0.255
access-list 150 permit ip 172.20.1.0 0.0.0.255 172.19.1.0 0.0.0.255
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
3
- +1
9 Comments
Neither of those commands are supported on the router IOS. I think those are for PIX and ASA devices.
UC560(config)#crypto isakmp nat-?
% Unrecognized command
UC560(config)#crypto isakmp nat-?
% Unrecognized command
Active 4 days ago
Dear,
your connection is as follows;
UC560--->SNA------->ISP>--
if above is correct then you should not get private ip on UC540 interface,,
"It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP"
i would like to know how many public ip you have on both sides + what is the current configuration of SNA..
your connection is as follows;
UC560--->SNA------->ISP>--
if above is correct then you should not get private ip on UC540 interface,,
"It seems the issue is that the UC560 side is sending the source address as 10.0.1.2 instead of the public IP"
i would like to know how many public ip you have on both sides + what is the current configuration of SNA..
Yes that is the correct connection.
On the UC560 side they have 5 usable IPs. The first usable is assigned to the WAN port of the Sonicwall. The second usable was added to the Sonicwall and all services were forwarded to the UC560 at 10.0.1.2.
On the UC540 side they only have 1 usable IP.
I've attached the configs for the Cisco equipment.
UC540-Config.txt
UC560-Config.txt
On the UC560 side they have 5 usable IPs. The first usable is assigned to the WAN port of the Sonicwall. The second usable was added to the Sonicwall and all services were forwarded to the UC560 at 10.0.1.2.
On the UC540 side they only have 1 usable IP.
I've attached the configs for the Cisco equipment.
UC540-Config.txt
UC560-Config.txt
Active 4 days ago
Dear,
if "On the UC560 side they have 5 usable IPs. The first usable is assigned to the WAN port of the Sonicwall" why you are forwading traffic to UC560 from SNA???
Create one Zone simply use L2Bridge and use Public ip on UC560 on wan interface...
if "On the UC560 side they have 5 usable IPs. The first usable is assigned to the WAN port of the Sonicwall" why you are forwading traffic to UC560 from SNA???
Create one Zone simply use L2Bridge and use Public ip on UC560 on wan interface...
Thanks for the helpful info. Right now the WAN interface is 10.0.1.2 connecting to the Sonicwall X0 10.0.1.1. A route is setup on the Sonic wall to send the subnets (172.19.0.1 and 172.19.1.1) back to 10.0.1.2.
If I assign a public IP to the WAN interface wouldn't I just remove the sonic wall and plug the Cisco router into the ISP Router?
If I assign a public IP to the WAN interface wouldn't I just remove the sonic wall and plug the Cisco router into the ISP Router?
Active 4 days ago
no my dear...
the connection should be as follows;
ISP
|
SNA
|
|---------------|---------
X0 X1 X2 (or any other free interface)
LAN WAN L2BRIDGE Interface
|---------------WAN (Public IP)-----Cisco-------------
the connection should be as follows;
ISP
|
SNA
|
|---------------|---------
X0 X1 X2 (or any other free interface)
LAN WAN L2BRIDGE Interface
|---------------WAN (Public IP)-----Cisco-------------
Featured Post
The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Secure VPN Connection terminated locally by the Client.
Reason 442: Failed to enable Virtual Adapter.
If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month11 days, 5 hours left to enroll
632 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.