• Status: Solved

Sonicwall To Cisco GRE VPN connection


I've been working on this issue for the past 2 days. Not enough sleep is also making it worse :( Anyway, I have a new SonicWall 3600 to connect to our Cisco 1811 router VPN in the data center. I can't figure out why it's not working. I managed to make the VPN work but I can't ping or see anything on the remote network at the data center. Please help.

So far this is what I did.
Policy type: tunnel interface
Authentication: IKE and Pre-shared

Proposal Tab
Phase 1 IKE
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: MD5
Life Time: 86400

IPsec Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: MD5
Life Time: 86400

Advanced Tab:
Enable Keep alive
Allow advanced Routing
Enable Transport Mode
VPN Policy bound to: Int X1

I can see the VPN is up but it's not showing the internal network. I looked at the data center configuration of the VPN and below is what I see associated with that connection:

crypto isakmp policy 40
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxxxdsadasdscsa address no-xauth
crypto isakmp key dadawadsdsfacs address no-xauth
crypto isakmp key sasadsasssaaacc address no-xauth
crypto isakmp keepalive 10

crypto ipsec transform-set niceconfig esp-3des esp-md5-hmac
 mode transport

crypto map vpn 10 ipsec-isakmp
 set peer
 set transform-set niceconfig
 match address unused-used
crypto map vpn 11 ipsec-isakmp
 set peer
 set transform-set goodenough
 match address dead-alive

interface Tunnel0
 ip address
 ip nat inside
 ip virtual-reassembly
 ip ospf authentication
 ip ospf authentication-key 7 xxxxxzxSdasxaxsxxzxxz
 ip ospf mtu-ignore
 tunnel source FastEthernet0
 tunnel destination

interface FastEthernet0
 ip address
 ip access-group internet-in in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn

router ospf 1123
 redistribute connected
 redistribute static subnets
 passive-interface FastEthernet0
 passive-interface Vlan15
 network area 0
 network area 0
 default-information originate

ip access-list extended dead-alive
 permit gre host host

ip access-list extended internet-in
 permit ip any
 permit ip any
 permit ip any any

1 Solution

Blue Street Tech (Last Knights) commented:
Hi SuperRoot,

SonicWALL has tested VPN interoperability with Cisco IOS and SonicOS Standard and Enhanced using the following VPN Security Association information. I'd set it up like this, verify it as your baseline, then improve on the security methods used from there:

Keying Mode: IKE
IKE Mode: Main Mode with No PFS (perfect forward secrecy)
SA Authentication Method: Pre-Shared key
Keying Group: DH (Diffie Hellman) – Group 1
ID_Type: IP
Encryption and Data Integrity: ESP DES with MD5
ESP 3DES with MD5
ESP 3DES with SHA1
WAN: IP (example - set yours accordingly)
LAN: (example - set yours accordingly)

Cisco IOS
WAN: (example - set yours accordingly)
LAN: IP (example - set yours accordingly)

SonicWALL Configuration

First, on the SonicWALL, you must create an address object for the remote network.
Log into the SonicWALL.
Browse to Network, then Address Objects.
Create a new Address Object for the network on the Cisco end you wish to reach (Cisco LAN).

Next, on the SonicWALL you must create an SA.
1) Browse to VPN, then Settings (default view for VPN).
2) Ensure that “Enable VPN” is selected.
3) Click Add.
4) Change the Authentication Method to “IKE using pre-shared secret”.
5) Name the SA, in this example “CiscoIOS”.
6) Enter the WAN IP of the Cisco for “IPSec Primary Gateway Name or Address:”.
7) Enter your shared secret, in this example “password”.

1) Select the “Network” tab.
2) Select “LAN Subnets” for Local Networks from the drop down box.
3) Select the address object previously created for the destination network.

1) Select the “Proposals” tab.
2) Change DH group under IKE Phase 1 to “Group 1”.
3) Change authentication for IKE Phase 1 to “MD5”.
4) Change the authentication for IPSec Phase 2 to “MD5”.
5) Do not enable Perfect Forward Secrecy.

1) Select “Advanced” tab.
2) Ensure that keep alive is enabled on only one end of the tunnel.
3) Select “Enable Windows Networking (NetBIOS) Broadcast” if you would like to pass NetBIOS across the VPN.


Do not forget to issue the command “write memory” or “copy running-config startup-config” when configuration is complete.

Description: Specify the inside and destination networks. This permits the IP network traffic you want to protect to pass through the router.
Access-list 101 permit ip

Task: Define IKE parameters
Description: Identify the policy to create. (Each policy is uniquely identified by the priority number you assign.) (This command puts you into the config-isakmp command mode.)
crypto isakmp policy 15

Description: To specify the encryption algorithm
encryption 3des

Description: To specify the hash algorithm
hash md5

Description: To specify the authentication
authentication pre-share

Description: To specify the Diffie-Hellman group identifier
group 1

Description: Specify the security association’s lifetime
lifetime 3600

Description: To exit the config-isakmp command mode

Description: To configure a pre-shared authentication key. In this case the pre-shared secret is “password”
crypto isakmp key password address

Task: Define IPSEC parameters
Description: Configure a transform-set. This identifies the encryption and authentication methods you want to use.
crypto ipsec transform-set strong esp-3des esp-md5-hmac

Description: Create a crypto map that binds together elements of the IPSec configuration. (This command puts you into the crypto map command mode.)
crypto map tosonicwall 15 ipsec-isakmp

Description: To specify an extended access list for a crypto map entry
match address 101

Description: To specify which transform sets can be used with the crypto map entry
set transform-set strong

Description: To specify an IPSec peer in a crypto map entry
set peer

Description: To exit the crypto map command mode

Task: Apply Crypto Map to an Interface
Description: Specify an interface on which to apply the crypto map. (This command puts you into the interface command mode). Please note, you need to specify the interface that you have defined as external (your WAN interface).
interface fastethernet0/1

Description: Apply the previously defined crypto map set to an interface
crypto map tosonicwall

Description: Exit the interface command mode

Description: Exit the global configuration mode

Let me know how it goes!

SuperRoot (Author) commented:
I tried what you said but still no luck, because there should be a tunnel interface route on both ends and traffic should be using OSPF. I ended up setting up another router to do just VPN, and the firewall will block all other unneeded traffic.
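
The proposals in this thread (3DES, MD5, DH group 1 or 2) are a baseline that the answer says to improve on. The script below is an added example, not code from either poster or from Cisco or SonicWall, that audits an IOS crypto excerpt for those legacy settings, including values that are only implied because the line is absent from the config, and for crypto maps that reference a transform set the excerpt never defines. The sample config is constructed from the command shapes shown above; the default values (DES, SHA-1, group 1) and the sets of what counts as legacy are assumptions to check against your IOS release and policy.

```python
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}   # assumed classic-IOS defaults
LEGACY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Constructed sample in the style of the configs on this page (no keys or addresses).
SAMPLE = """\
crypto isakmp policy 15
 encryption 3des
 hash md5
 group 1
crypto isakmp policy 40
 encr 3des
 hash md5
crypto ipsec transform-set niceconfig esp-3des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
 set transform-set niceconfig
crypto map vpn 11 ipsec-isakmp
 set transform-set goodenough
"""

def audit(config):
    findings, policies, defined, used = [], {}, set(), {}
    policy = cmap = None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):            # a top-level command leaves any sub-mode
            policy = cmap = None
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            policy = policies.setdefault(words[3], {})
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            defined.add(words[3])
            findings += [f"transform-set {words[3]}: legacy transform {t}"
                         for t in words[4:] if t in LEGACY_TRANSFORMS]
        elif words[:2] == ["crypto", "map"] and words[4:] == ["ipsec-isakmp"]:
            cmap = f"{words[2]} {words[3]}"
        elif policy is not None and len(words) >= 2:
            key = "encr" if words[0] == "encryption" else words[0]
            if key in DEFAULTS:
                policy[key] = words[1]         # explicit line overrides the default
        elif cmap and words[:2] == ["set", "transform-set"] and len(words) > 2:
            used[cmap] = words[2]
    for num in sorted(policies, key=int):
        for key, legacy in LEGACY.items():
            value = policies[num].get(key, DEFAULTS[key])
            note = "" if key in policies[num] else " (implicit default)"
            if value in legacy:
                findings.append(f"isakmp policy {num}: legacy {key} {value}{note}")
    findings += [f"crypto map {n}: transform-set {t} is never defined"
                 for n, t in used.items() if t not in defined]
    return findings
```

Calling `audit(SAMPLE)` returns one line per finding; a policy with no `group` line is reported with the assumed default rather than skipped, which is the case a side-by-side comparison with the peer's proposal tends to miss.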
