Thor2923 (United States) asked:
I need advice setting up Sonicwall VPN

This will probably take a few posts, but I am trying to get assistance setting up a VPN with our main corporate network. Supposedly all the settings are completed on the corporate side and it is up to me to figure out this older Sonicwall that does not have support. The firmware version is SonicOS Enhanced 5.6.0.10-52o.

I have been tasked with configuring a site-to-site VPN with a shared secret. I am convinced I have all the settings correct, such as Main Mode, Group 2, SHA1 and renegotiation intervals. I am pointing to an IP address that already has several VPNs configured on it, but none are Sonicwalls. Each time I try to enable, I just get something like the errors below, "remote party timeout". Does the error below mean I am not even hitting? It looks like I am not even past phase 1 and I know I have some work to do, but all suggestions welcome on how to troubleshoot... thanks


3  03/30/2015 17:36:05.112 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. xxx.xxx.xxx.xxx, 500 xxx.xxx.xxx.xxx, 500 VPN Policy: MMCo B2B VPN Tunnel  
4  03/30/2015 17:35:46.112 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. xxx.xxx.xxx.xxx, 500 xxx.xxx.xxx.xxx, 500 VPN Policy: MMCo B2B VPN Tunnel  
5  03/30/2015 17:35:35.112 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. xxx.xxx.xxx.xxx, 500 xxx.xxx.xxx.xxx, 500 VPN Policy: MMCo B2B VPN Tunnel  
6  03/30/2015 17:35:28.288 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) xxx.xxx.xxx.xxx, 500 xxx.xxx.xxx.xxx, 500 VPN Policy: MMCo B2B VPN Tunnel
John (Canada)

You need:

Different internal IP address ranges on each end. Static external IP on each end.

Phase 1:  3DES or comparable, DH Group 2, SHA1
No PFS
Phase 2:  3DES or your choice above, SHA1
Pre-shared Key: you must know it or change the corporate end.
Possibly NAT Traversal.

Phase 1 and 2 mirrored at each end.

There are numerous settings but these are the basics.
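John's checklist above is essentially "the two ends must mirror each other". As an added example (not code from this thread or from SonicWALL), here is that checklist as a comparison a practitioner can run against the settings collected from both ends before booking time with the corporate side. The two policy dicts are constructed: the field names are my own, not SonicOS configuration keys, the addresses and networks are hypothetical documentation ranges, and the corporate end carries one deliberate defect (3DES in Phase 2) so the check has something to find.

```python
"""Check that two site-to-site IPsec policies mirror each other (added example)."""
import ipaddress

# Constructed "our end" policy, modelled on the settings named in the thread
# (Main Mode, DH Group 2, SHA1). Addresses/networks are hypothetical.
LOCAL_POLICY = {
    "exchange": "main",
    "public_ip": "203.0.113.5",
    "peer_ip": "198.51.100.10",
    "phase1": {"encryption": "AES-256", "auth": "SHA1", "dh_group": 2, "lifetime": 86400},
    "phase2": {"encryption": "AES-256", "auth": "SHA1", "pfs": False, "lifetime": 28800},
    "local_networks": ["192.168.1.0/24"],
    "remote_networks": ["10.10.0.0/16"],
    "nat_traversal": True,
}

# Constructed corporate end with one deliberate mismatch: 3DES in Phase 2.
REMOTE_POLICY = {
    "exchange": "main",
    "public_ip": "198.51.100.10",
    "peer_ip": "203.0.113.5",
    "phase1": {"encryption": "AES-256", "auth": "SHA1", "dh_group": 2, "lifetime": 86400},
    "phase2": {"encryption": "3DES", "auth": "SHA1", "pfs": False, "lifetime": 28800},
    "local_networks": ["10.10.0.0/16"],
    "remote_networks": ["192.168.1.0/24"],
    "nat_traversal": True,
}


def check_mirror(local, remote):
    """Return a list of human-readable mismatches; an empty list means the ends mirror."""
    problems = []
    # Each end must point at the other's static public address.
    if local["peer_ip"] != remote["public_ip"] or remote["peer_ip"] != local["public_ip"]:
        problems.append("peer/public IP pair is not reciprocal")
    for key in ("exchange", "nat_traversal"):
        if local[key] != remote[key]:
            problems.append(f"{key}: local={local[key]} remote={remote[key]}")
    # Phase 1 and Phase 2 proposals must agree field by field.
    for phase in ("phase1", "phase2"):
        for field in sorted(set(local[phase]) | set(remote[phase])):
            lv, rv = local[phase].get(field), remote[phase].get(field)
            if lv != rv:
                problems.append(f"{phase}.{field}: local={lv} remote={rv}")
    # Protected networks are swapped, not copied: our local == their remote.
    if (set(local["local_networks"]) != set(remote["remote_networks"])
            or set(local["remote_networks"]) != set(remote["local_networks"])):
        problems.append("local/remote networks are not mirrored")
    # Internal ranges on the two ends must not overlap, or routing is ambiguous.
    for a in local["local_networks"]:
        for b in local["remote_networks"]:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                problems.append(f"internal ranges overlap: {a} and {b}")
    return problems


def mirrored_copy(policy):
    """Build the peer policy that exactly mirrors `policy`, as a reference to hand over."""
    return {
        **policy,
        "public_ip": policy["peer_ip"],
        "peer_ip": policy["public_ip"],
        "local_networks": list(policy["remote_networks"]),
        "remote_networks": list(policy["local_networks"]),
    }


if __name__ == "__main__":
    for problem in check_mirror(LOCAL_POLICY, REMOTE_POLICY):
        print("MISMATCH:", problem)
```

`mirrored_copy` is the practical part: generate what the other end must look like from your own settings and send that, rather than exchanging free-form descriptions.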
Thor2923 (Asker)

I am getting the following errors in my logs. It appears to be hitting the IP I want to connect to, which I have modified to 168.245.65.1 to show in this example, but I am getting a "delete request". Does that give any clue? Does it look like there is some kind of communication, just a configuration problem?

03/31/2015 08:06:18.128 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel  
2  03/31/2015 08:06:18.128 Info VPN IKE Received IKE SA delete request 168.245.65.1, 500 208.255.188.234, 500 VPN Policy: MMCo B2B VPN Tunnel  
3  03/31/2015 08:06:18.128 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN 168.245.65.1, 500 208.255.188.234, 500  
4  03/31/2015 08:06:18.064 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel  
5  03/31/2015 08:06:18.064 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel;AES-256; SHA1; DH Group 2; lifetime=86400 secs  
6  03/31/2015 08:06:17.816 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel  
7  03/31/2015 08:06:17.816 Info VPN IKE Received IKE SA delete request 168.245.65.1, 500 208.255.188.234, 500 VPN Policy: MMCo B2B VPN Tunnel  
8  03/31/2015 08:06:17.816 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN 168.245.65.1, 500 208.255.188.234, 500
John

Did you check your settings at both ends?  It appears you are not getting past Phase 1 above. You need to check that Phase 2 settings are using the same variables as Phase 1 where appropriate and then mirror the settings at both ends.
Thor2923 (Asker)

My main issue is I cannot get to the other end... I have to schedule an appointment with our corporate office and that could take forever. I need to make sure I have done as much as I can on my end before I go that way. I made a change and I appear to be getting to phase 2. Does this look like I am getting further now?

03/31/2015 08:06:18.128 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel  
2  03/31/2015 08:06:18.128 Info VPN IKE Received IKE SA delete request 168.245.65.1, 500 208.255.188.234, 500 VPN Policy: MMCo B2B VPN Tunnel  
3  03/31/2015 08:06:18.128 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN 168.245.65.1, 500 208.255.188.234, 500  
4  03/31/2015 08:06:18.064 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel  
5  03/31/2015 08:06:18.064 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel;AES-256; SHA1; DH Group 2; lifetime=86400 secs  
6  03/31/2015 08:06:17.816 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel  
7  03/31/2015 08:06:17.816 Info VPN IKE Received IKE SA delete request 168.245.65.1, 500 208.255.188.234, 500 VPN Policy: MMCo B2B VPN Tunnel  
8  03/31/2015 08:06:17.816 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN 168.245.65.1, 500 208.255.188.234, 500
John

You keep posting logs and they are not of much use past what I said.

This is a problem:  NO_PROPOSAL_CHOSEN, and in my experience it means the end points are not the same.

You are using Main mode (good). Are you using NAT Traversal?
Thor2923 (Asker)

Well, I was much closer than I thought. I tweaked a protocol setting and BINGO, a green dot! The dot looks nice but I still cannot hit the required webpage at the other end of the VPN. I am assuming it is a firewall setting or rule that has to be opened up. When I try to browse from behind the Sonicwall to the webpage I need, the Sonicwall displays:

 "03/31/2015 09:55:19.336 Notice Network Access Web access request dropped 192.168.1i.185, 60245, X0 166.74.68.129, 80, X1 TCP HTTP"


Does that appear to be a firewall rule??
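The three kinds of log lines posted in this thread (retransmit timeouts, NO_PROPOSAL_CHOSEN after Main Mode completes, and the dropped web request) each point at a different stage of the tunnel build, and the SonicOS log view lists them newest first, which makes the sequence easy to misread. As an added example (not code from the thread or from SonicWALL), here is a small parser that puts the lines back in time order, works out how far the negotiation got, and validates every address it sees, which is exactly the check that would have caught a letter inside an IP. The sample log is constructed from the message formats shown above (reusing the thread's already-substituted example addresses); the field names and the findings text are my own reading of those messages, not an official SonicOS decoder.

```python
"""Triage SonicOS IKE / Network Access log lines (added example, not from the thread)."""
import ipaddress
import re
from datetime import datetime

# Constructed sample in the thread's log format; newest line first, as the UI shows it.
SAMPLE_LOG = """\
1  03/31/2015 08:06:18.128 Warning VPN IKE Received notify. NO_PROPOSAL_CHOSEN 168.245.65.1, 500 208.255.188.234, 500
2  03/31/2015 08:06:18.064 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel
3  03/31/2015 08:06:18.064 Info VPN IKE IKE Initiator: Main Mode complete (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel;AES-256; SHA1; DH Group 2; lifetime=86400 secs
4  03/31/2015 08:06:17.816 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel
5  03/30/2015 17:36:05.112 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. 208.255.188.234, 500 168.245.65.1, 500 VPN Policy: MMCo B2B VPN Tunnel
6  03/31/2015 09:55:19.336 Notice Network Access Web access request dropped 192.168.1i.185, 60245, X0 166.74.68.129, 80, X1 TCP HTTP
"""

LINE_RE = re.compile(
    r"^(?:\d+\s+)?"                                        # optional UI row number
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<sev>\w+)\s+"                                     # Info / Warning / Notice
    r"(?P<cat>VPN IKE|Network Access)\s+"
    r"(?P<msg>.*?)\s+"                                     # free-text message
    r"(?P<src>[\w.]+), (?P<sport>\d+),?\s+(?:X\d\s+)?"     # source, port[, ingress iface]
    r"(?P<dst>[\w.]+), (?P<dport>\d+)"
    r"(?P<rest>.*)$"
)


def parse_lines(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%m/%d/%Y %H:%M:%S.%f")
        events.append(event)
    return events


def triage(text):
    """Walk the events in time order and summarise where the tunnel build stalls."""
    events = sorted(parse_lines(text), key=lambda e: e["ts"])
    r = {"phase1_complete": False, "phase1_rejected": False, "phase2_rejected": False,
         "timeouts": 0, "malformed_addresses": [], "dropped_flows": [], "findings": []}
    for e in events:
        # Any address that does not parse is a typo somewhere (policy or log), e.g. "1i".
        for field in ("src", "dst"):
            try:
                ipaddress.ip_address(e[field])
            except ValueError:
                if e[field] not in r["malformed_addresses"]:
                    r["malformed_addresses"].append(e[field])
        msg = e["msg"]
        if "Remote party timeout" in msg:
            r["timeouts"] += 1
        elif "Main Mode complete" in msg:
            r["phase1_complete"] = True
        elif "NO_PROPOSAL_CHOSEN" in msg:
            # The same notify means different things before and after Phase 1 completes.
            if r["phase1_complete"]:
                r["phase2_rejected"] = True
            else:
                r["phase1_rejected"] = True
        elif "request dropped" in msg:
            r["dropped_flows"].append(f"{e['src']} -> {e['dst']}:{e['dport']}")
    f = r["findings"]
    if r["timeouts"] and not r["phase1_complete"]:
        f.append("No IKE reply at all: check the peer address and that UDP 500 "
                 "(and 4500 for NAT-T) reaches a peer that has a policy for this gateway.")
    if r["phase1_rejected"]:
        f.append("Peer rejected the Phase 1 proposal: compare encryption, hash, DH group and lifetime.")
    if r["phase2_rejected"]:
        f.append("Phase 1 agreed but Quick Mode was refused: compare Phase 2 encryption/hash/PFS/"
                 "lifetime and the local/remote network pair at both ends.")
    if r["dropped_flows"]:
        f.append("Flow dropped on the X0 -> X1 path instead of entering the tunnel: check that the "
                 "destination is inside the policy's remote network and that access rules permit it.")
    if r["malformed_addresses"]:
        f.append("Malformed address(es): " + ", ".join(r["malformed_addresses"]))
    return r


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Paste the Log view export into `SAMPLE_LOG` (or read a file) and the findings tell you which of John's three checks to do first: reachability for timeouts, the Phase 1 proposal for an early NO_PROPOSAL_CHOSEN, the Phase 2 proposal and network pair for a late one, and the policy's networks and access rules when the tunnel is up but traffic is dropped.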
ASKER CERTIFIED SOLUTION
John (Canada)

Thor2923 (Asker)

I finally got it!! To be honest, I had modified the IP addresses for security reasons and did not realize I put an alphabetic character in one. Good spot though. I know I came in here with a real vague problem and gave you some vague logs and vague descriptions. By doing so it allowed me to think it out and work through it. I thank you for your time and effort.
I gave this poor guy some real vague logs and descriptions but he helped me think it out so I want to award all the points
John

@Thor2923 - Thank you. I am glad you got it fixed and I was happy to help.