Solved

Sonicwall To Cisco GRE VPN connection

Posted on 2013-11-28
Last Modified: 2013-12-02
Hi,

I've been working on this issue for the past 2 days. Not enough sleep is also making it worse :( Anyway, I have a new SonicWALL 3600 to connect to our Cisco 1811 router VPN in the data center. I can't figure out why it's not working. I managed to make the VPN work, but I can't ping or see anything on the remote network at the data center. Please help.

So far this is what I did.
Policy type: tunnel interface
authentication: IKE and Pre-shared

Proposal Tab
Phase1 IKE
Exchange: Main Mode
 DH Group: Group 2
Encryption: 3Des
Authentication: md5
Life Time : 86400

IPsec Phase 2
Protocol: ESP
Encryption: 3des
Authentication: MD5
Life Time: 86400

Advanced Tab:
Enable Keep alive
Allow advanced Routing
Enable Transport Mode
VPN policy bound to: interface X1

I can see the VPN up, but it's not showing the internal network. I looked at the data center configuration of the VPN, and below is what I see associated with that connection:

crypto isakmp policy 40
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxxxdsadasdscsa address 212.93.119.5 no-xauth
crypto isakmp key dadawadsdsfacs address 212.93.119.6 no-xauth
crypto isakmp key sasadsasssaaacc address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
!

crypto ipsec transform-set niceconfig esp-3des esp-md5-hmac
 mode transport

crypto map vpn 10 ipsec-isakmp
 set peer 212.93.119.6
 set transform-set niceconfig
 match address unused-used
crypto map vpn 11 ipsec-isakmp
 set peer 212.93.119.5
 set transform-set goodenough
 match address dead-alive

interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication
 ip ospf authentication-key 7 xxxxxzxSdasxaxsxxzxxz
 ip ospf mtu-ignore
 tunnel source FastEthernet0
 tunnel destination 212.93.119.5
!

interface FastEthernet0
 ip address 23.25.55.139 255.255.255.248
 ip access-group internet-in in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 crypto map vpn
!

router ospf 1123
 log-adjacency-changes
 redistribute connected
 redistribute static subnets
 passive-interface FastEthernet0
 passive-interface Vlan15
 network 172.16.0.0 0.15.255.255 area 0
 network 192.168.0.0 0.0.255.255 area 0
 default-information originate
!

ip access-list extended dead-alive
 permit gre host 23.25.55.139 host 212.93.119.5

ip access-list extended internet-in
 permit ip 212.93.119.0 0.0.0.255 any
 permit ip 23.25.55.136 0.0.0.7 any
 permit ip any any
Question by: SuperRoot
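Before changing the design, a practitioner would sanity-check the pasted router configuration against the SonicWALL proposals listed in the question. The script below is an added example, not part of the original post and not a vendor tool. It parses only the lines pasted above (so "not defined" means not present in that excerpt, which may simply have been trimmed), assumes the SonicWALL Phase 1 proposal in the question is still what is configured, and assumes classic IOS defaults for omitted ISAKMP policy lines. Run against the excerpt it reports three things: policy 40 has no `group` line, so it offers DH group 1 against the SonicWALL's Group 2; `crypto map vpn 11` names transform-set `goodenough`, which the excerpt never defines; and FastEthernet0, the tunnel source and the interface carrying the crypto map, is `shutdown` in the paste.

```python
"""Added check (not from the original post) for the IOS crypto configuration pasted in
the question: ISAKMP policies vs. the SonicWALL Phase 1 proposal, plus the GRE-over-IPsec
plumbing (crypto ACL, transform-set names, interface state). Standard library only."""

# Constructed from the question: the crypto-relevant lines of the pasted config, verbatim.
IOS_CONFIG = """\
crypto isakmp policy 40
 encr 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set niceconfig esp-3des esp-md5-hmac
 mode transport
crypto map vpn 11 ipsec-isakmp
 set peer 212.93.119.5
 set transform-set goodenough
 match address dead-alive
interface Tunnel0
 tunnel source FastEthernet0
 tunnel destination 212.93.119.5
interface FastEthernet0
 ip address 23.25.55.139 255.255.255.248
 shutdown
 crypto map vpn
ip access-list extended dead-alive
 permit gre host 23.25.55.139 host 212.93.119.5
"""

# SonicWALL IKE Phase 1 proposal exactly as listed in the question.
SONICWALL_PHASE1 = {"encr": "3des", "hash": "md5", "group": "2", "lifetime": "86400"}
# Assumed classic-IOS defaults for omitted policy lines; defaults are not shown in a config dump.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}


def parse(text):
    """Return ISAKMP policies, transform-sets, crypto map entries, interfaces and ACLs."""
    cfg = {"policies": {}, "transforms": {}, "maps": {}, "ifaces": {}, "acls": {}}
    cur = None                                   # (section, key) owning the indented lines
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if line.startswith(" ") and cur is not None:   # indented: attribute of current block
            kind, d = cur[0], cfg[cur[0]][cur[1]]
            if kind == "policies" and w[0] in d:
                d[w[0]] = w[1]
            elif kind == "transforms" and w[0] == "mode":
                d["mode"] = w[1]
            elif kind == "maps" and w[0] in ("set", "match"):
                d[w[1]] = w[2]                   # keys: peer, transform-set, address
            elif kind == "ifaces":
                if w[0] == "shutdown":
                    d["shutdown"] = True
                elif w[:2] in (["ip", "address"], ["crypto", "map"],
                               ["tunnel", "source"], ["tunnel", "destination"]):
                    d[" ".join(w[:2])] = w[2]
            elif kind == "acls":
                d.append(" ".join(w))
        elif line.startswith("crypto isakmp policy "):
            cur = ("policies", w[3]); cfg["policies"][w[3]] = dict(ISAKMP_DEFAULTS)
        elif line.startswith("crypto ipsec transform-set "):
            cur = ("transforms", w[3]); cfg["transforms"][w[3]] = {"set": w[4:], "mode": "tunnel"}
        elif line.startswith("crypto map ") and w[-1] == "ipsec-isakmp":
            cur = ("maps", (w[2], w[3])); cfg["maps"][cur[1]] = {}
        elif line.startswith("interface "):
            cur = ("ifaces", w[1]); cfg["ifaces"][w[1]] = {}
        elif line.startswith("ip access-list extended "):
            cur = ("acls", w[3]); cfg["acls"][w[3]] = []
        else:
            cur = None                           # any other global line (e.g. crypto isakmp key)
    return cfg


def check(cfg, sw_phase1):
    """Return a list of findings; an empty list means the excerpt is internally consistent."""
    out = []
    if not any(all(p[k] == v for k, v in sw_phase1.items()) for p in cfg["policies"].values()):
        out.append("phase1: no ISAKMP policy matches the SonicWALL proposal %s "
                   "(a policy without a 'group' line is DH group 1)" % sw_phase1)
    for (name, seq), m in cfg["maps"].items():
        if m.get("transform-set") not in cfg["transforms"]:
            out.append("map %s %s: transform-set %r is not defined in the excerpt"
                       % (name, seq, m.get("transform-set")))
    for ifname, d in cfg["ifaces"].items():
        if "crypto map" in d and d.get("shutdown"):
            out.append("%s: carries crypto map %s but is shutdown" % (ifname, d["crypto map"]))
        if "tunnel destination" not in d:
            continue
        # GRE over IPsec: the crypto ACL protects GRE between the public endpoints only;
        # the LAN prefixes never appear in it because they travel inside the GRE packet.
        src_ip = cfg["ifaces"].get(d.get("tunnel source"), {}).get("ip address")
        want = "permit gre host %s host %s" % (src_ip, d["tunnel destination"])
        peers = [m for m in cfg["maps"].values() if m.get("peer") == d["tunnel destination"]]
        if not any(want in cfg["acls"].get(m.get("address"), []) for m in peers):
            out.append("%s: no crypto map entry for peer %s whose ACL contains '%s'"
                       % (ifname, d["tunnel destination"], want))
    return out


if __name__ == "__main__":
    for finding in check(parse(IOS_CONFIG), SONICWALL_PHASE1):
        print("-", finding)
```

The check is deliberately narrow: it says nothing about whether the SonicWALL side has a route into its tunnel interface or whether OSPF forms over it, which is the part of the problem the router excerpt cannot show.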
 
Accepted Solution by: diverseit

Hi SuperRoot,

SonicWALL has tested VPN interoperability between SonicOS Standard and Enhanced and Cisco IOS using the following VPN Security Association settings. I'd set it up like this, verify it as your baseline, then improve on the security methods used from there:

Keying Mode: IKE
IKE Mode: Main Mode with No PFS (perfect forward secrecy)
SA Authentication Method: Pre-Shared key
Keying Group: DH (Diffie Hellman) – Group 1
ID_Type: IP
Encryption and Data Integrity: ESP DES with MD5
ESP 3DES with MD5
ESP DES with SHA1
ESP 3DES with SHA1
 
SonicWALL
WAN: IP 10.0.31.102 (example - set yours accordingly)
LAN:  192.168.170.1/24 (example - set yours accordingly)

Cisco IOS
WAN: 10.0.31.132 (example - set yours accordingly)
LAN: IP 192.168.132.1/24 (example - set yours accordingly)

SonicWALL Configuration

First, on the SonicWALL, you must create an address object for the remote network.
Log into the SonicWALL.
Browse to Network, then Address Objects
Create a new Address Object for the network on the Cisco end you wish to reach (Cisco LAN).
Next, on the SonicWALL you must create an SA.
1) Browse to VPN, then Settings (default view for VPN).
2) Ensure that “Enable VPN” is selected.
3) Click Add.
4) Change the Authentication Method to “IKE using pre-shared secret”.
5) Name the SA, in this example “CiscoIOS”.
6) Enter the WAN IP of the Cisco for “IPSec Primary Gateway Name or Address:”.
7) Enter your shared secret, in this example “password”
NETWORK Tab
1) Select the “Network” tab.
2) Select “LAN Subnets” for Local Networks from the drop down box.
3) Select the address object previously created for the destination network.

PROPOSALS tab
1) Select the “Proposals” tab.
2) Change DH group under IKE Phase 1 to “Group 1”.
3) Change authentication for IKE Phase 1 to “MD5”.
4) Change the authentication for IPSec Phase 2 to “MD5”
5) Do not enable Perfect Forward Secrecy.
ADVANCED tab
1) Select “Advanced” tab.
2) Ensure that keep alive is enabled on only one end of the tunnel.
3) Select “Enable Windows Networking (NetBIOS) Broadcast” if you would like to pass NetBIOS across the VPN.
---------------------------------------------

COMMANDS FOR CISCO IOS

Do not forget to issue the command “write memory” or “copy running-config startup-config” when configuration is complete.

Task: Set ACCESS LIST
Description: Specify the inside and destination networks. This permits the IP network traffic you want to protect to pass through the router.
Command:
access-list 101 permit ip 192.168.132.0 0.0.0.255 192.168.170.0 0.0.0.255

Task: Define IKE parameters
Description: Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) (This command puts you into the config-isakmp command mode.)
Command:
crypto isakmp policy 15

Description: To specify the encryption algorithm
Command:
encryption 3des

Description: To specify the hash algorithm
Command:
hash md5

Description: To specify the authentication
Command:
authentication pre-share

Description: To specify the Diffie-Hellman group identifier
Command:
group 1

Description: Specify the security association’s lifetime
Command:
lifetime 3600

Description: To exit the config-isakmp command mode
Command:
exit

Description: To configure a pre-shared authentication key. In this case the pre-shared secret is “password”
Command:
crypto isakmp key password address 10.0.31.102

Task: Define IPSEC parameters
Description: Configure a transform-set. This identifies the encryption and authentication methods you want to use.
Command:
crypto ipsec transform-set strong esp-3des esp-md5-hmac

Description: Create a crypto map that binds together elements of the IPSec configuration. (This command puts you into the crypto map command mode.)
Command:
crypto map tosonicwall 15 ipsec-isakmp

Description: To specify an extended access list for a crypto map entry
Command:
match address 101

Description: To specify which transform sets can be used with the crypto map entry
Command:
set transform-set strong

Description: To specify an IPSec peer in a crypto map entry
Command:
set peer 10.0.31.102

Description: To exit the crypto map command mode
Command:
exit

Task: Apply Crypto Map to an Interface
Description: Specify an interface on which to apply the crypto map. (This command puts you into the interface command mode). Please note, you need to specify the interface that you have defined as external (your WAN interface).
Command:
interface fastethernet0/1

Description: Apply the previously defined crypto map set to an interface
Command:
crypto map tosonicwall

Description: Exit the interface command mode
Command:
exit

Description: Exit the global configuration mode
Command:
exit

Let me know how it goes!
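The design in the accepted answer and the design in the question differ in where the "encrypt this?" decision is made. With the policy-based crypto map above, access-list 101 names the two LAN prefixes, so a LAN-to-LAN packet is matched and protected directly. In the question's GRE-over-IPsec design the crypto ACL names only GRE between the two public addresses; a LAN packet is protected only after routing (OSPF over Tunnel0 in the question) sends it into the tunnel, and without such a route it follows the default route out of FastEthernet0 unencrypted, so a missing route fails open rather than closed. The following Python model is an added example, not code from the original post or from either vendor. It uses the answer's example LAN prefixes (the question omits its LAN addresses), the question's public endpoints and ACL, ignores NAT and the SonicWALL side entirely, and the host addresses and the outside address 198.51.100.7 are constructed.

```python
"""Added model (not from the original post) of which packets each crypto design protects."""
import ipaddress
from copy import deepcopy

N = ipaddress.ip_network


def host(addr):
    """IOS ACL 'host x' keyword."""
    return N(addr + "/32")


# Design from the answer: policy-based crypto map; access-list 101 lists the LAN prefixes.
# Addresses are the answer's example addresses.
POLICY_BASED = {
    "routes": {N("0.0.0.0/0"): "fastethernet0/1", N("192.168.132.0/24"): "lan"},
    "crypto": {"fastethernet0/1": [("ip", N("192.168.132.0/24"), N("192.168.170.0/24"))]},
    "gre": {},
}

# Design from the question: GRE over IPsec. Public endpoints and ACL dead-alive are the
# question's; the LAN prefixes are assumed (borrowed from the answer) as the question omits them.
GRE_OVER_IPSEC = {
    "routes": {N("0.0.0.0/0"): "FastEthernet0", N("192.168.132.0/24"): "lan"},
    "crypto": {"FastEthernet0": [("gre", host("23.25.55.139"), host("212.93.119.5"))]},
    # tunnel interface -> (outer source, outer destination, physical egress interface)
    "gre": {"Tunnel0": ("23.25.55.139", "212.93.119.5", "FastEthernet0")},
}


def with_route(design, prefix, iface):
    """Copy of a design with one extra route, e.g. a prefix OSPF learned over Tunnel0."""
    d = deepcopy(design)
    d["routes"][N(prefix)] = iface
    return d


def acl_permits(acl, proto, src, dst):
    """Extended ACL semantics: first matching entry wins, implicit deny at the end."""
    for p, s, d in acl:
        if p in (proto, "ip") and src in s and dst in d:
            return True
    return False


def classify(design, src, dst):
    """'encrypted', 'cleartext' or 'dropped' for an IP packet src -> dst leaving the router."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    match = max((n for n in design["routes"] if dst in n), key=lambda n: n.prefixlen, default=None)
    if match is None:
        return "dropped"                          # no route at all, not even a default
    egress, proto = design["routes"][match], "ip"
    if egress in design["gre"]:
        # GRE encapsulation happens first; the crypto map on the physical interface then
        # sees the outer GRE packet between the public endpoints, not the LAN addresses.
        outer_src, outer_dst, egress = design["gre"][egress]
        proto, src, dst = "gre", ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)
    return "encrypted" if acl_permits(design["crypto"].get(egress, []), proto, src, dst) else "cleartext"


if __name__ == "__main__":
    lan, remote, internet = "192.168.132.10", "192.168.170.10", "198.51.100.7"   # constructed
    learned = with_route(GRE_OVER_IPSEC, "192.168.170.0/24", "Tunnel0")
    for label, design in [("policy-based", POLICY_BASED), ("GRE, no route", GRE_OVER_IPSEC),
                          ("GRE + OSPF route", learned)]:
        print(label, "->", classify(design, lan, remote), "/", classify(design, lan, internet))
```

One caveat the model leaves out: on IOS, inside-to-outside NAT runs before the crypto map evaluates its ACL, so on a router with `ip nat inside`/`ip nat outside` a LAN-to-LAN packet must be exempted from translation or it is translated first and never matches access-list 101; the GRE design sidesteps this for LAN traffic because only the router-generated GRE packet reaches the crypto map.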
 
LVL 1

Author Closing Comment by: SuperRoot
I tried what you said, but still no luck, because there should be a tunnel interface route on both ends and traffic should be using OSPF. I ended up setting up another router to do just VPN, and the firewall will block all other unneeded traffic.