Sonicwall to Azure - Site to Site VPN

Webcc
Hello,

Trying to create a Site to Site between our TZ215 and Azure:
VNET1 - Address Space = 10.1.0.0/16
        Subnet range  = 10.1.0.0/24

GatewaySubnet = 10.1.1.0/24

Virtual Net Gateway = VPN
                    = Policy-based
                    = VNET1
                    = VNET1GWIP (created Public IP)

Local Net Gateway = RP_OFFICE
                  = Public IP address of SonicWALL
                  = 192.168.250.0/24 (LAN network on SonicWALL)

Connection = Site-to-Site (IPsec)
           = Virtual Net Gateway
           = RP_OFFICE
           = Shared key that matches what's configured in the SonicWALL

SonicWALL:
General Tab   = Site to Site, IKE using Preshared, IPsec Primary = Public IP of Azure, IPsec Secondary = 0.0.0.0, Local & Peer IKE ID = IPv4 address
Network Tab   = LAN Subnets, Azure LAN network
Proposals Tab = Main Mode, Group 2, AES-256, SHA1, 28800, ESP, AES-256, SHA1, 3600

Seeing the following in the SonicWALL log:
  SENDING>>>> ISAKMP OAK INFO (InitCookie:0xd430fb5101e352da RespCookie:0x5e44d1cba51a6c9e, MsgID: 0x71CA63B5) *(HASH, DEL)      (SonicWALL IP), 500      (AZURE IP), 500      udp
  13:18:49 Aug 05      171      VPN      Debug      SENDING>>>> ISAKMP OAK INFO (InitCookie:0xd430fb5101e352da RespCookie:0x5e44d1cba51a6c9e, MsgID: 0xD0CE2CFC) *(HASH, NOTIFY: NO_PROPOSAL_CHOSEN)

Any help would be greatly appreciated, going to attempt a Point to Site VPN while I await a response.
Blue Street Tech (Last Knight)
Distinguished Expert 2018

Commented:
Hi Webcc,

Here are a few housekeeping items to check:
  • Reboot the SonicWALL if you haven't already.
  • What is your SonicOS version?
  • I'd change the Phase 2 Proposal from AES-256 to 3DES just for testing purposes.
  • In the Advanced tab of the VPN make sure under IKEv2 Settings that the "Do not send trigger packet during IKE SA negotiations" is checked.
  • Double-check the Network Objects you created for the Azure Network to make sure there are no typos & everything is correct. You can do that in the SonicWALL by going to Network > Address Objects.
  • To test, go to the Azure management portal, navigate to Networks and click on your virtual network to go to its Dashboard page. At the bottom of this page, click on CONNECT.

SonicWALL is compatible with Windows Azure in both policy-based (Static routing) and route-based (Dynamic routing) VPN, but not both at the same time. What is referred to as Dynamic Routing over VPN in SonicWall (OSPF etc.) is not supported in Azure. And for authentication, only Pre-shared Key (PSK) is currently supported; Azure does not yet support certificate-based site-to-site (S2S) VPNs. It depends on the type of gateway you select while configuring the VPN in Azure.

In the event you have selected Dynamic Routing then only a tunnel interface type VPN on your SonicWALL would be able to connect. If you have selected Static Routing on the Azure side then only a S2S VPN would be able to connect from your SonicWALL. So what is the type of Gateway you selected in Azure? (it looks like policy-based/static routing but double-check)

If under Gateway type it shows Dynamic, then you'll need to change it to Static Routing. Here is some more on Azure Gateway settings: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

Let me know how it goes!
Webcc (President)

Author

Commented:
Thank you for your response.

I removed the S2S VPN and have replaced it with a P2S VPN which I have working. Need to rebuild the S2S, but it looks as though I need to create a new Virtual Network because you cannot have two Gateway Subnets? Is there a seamless connection then between Virtual Networks because I have provisioned resources in the first VN? Have time today to attempt another stab at it, once I receive your response.

Appreciate your assistance!
Blue Street Tech (Last Knight)
Distinguished Expert 2018

Commented:
My Pleasure!

What is your SonicOS version?

You can connect multiple sites to the same VNET, but only through the same gateway; you can't have multiple gateways on a single VNET. This is currently true for both Classic & ARM deployments.

REF: https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-multi-site
Webcc (President)

Author

Commented:
SonicOS = 5.9.1.5-16o

See the latest is 5.9.1.8-10o, should I upgrade?
Blue Street Tech (Last Knight)
Distinguished Expert 2018

Commented:
It is always a good practice to upgrade to the latest firmware and maintain the latest firmware to protect and take advantage of the latest bug fixes and new features.

5.9.x is where you want to be though. Unless they have specified specific changes to Azure in the Release Notes, which you can read prior to the firmware upgrade, I doubt this will fix the issue.

On a side note: I'd actually recommend upgrading the firewall to at least a SonicWALL TZ300, which will protect you from Ransomware and the latest threats.
Webcc (President)

Author

Commented:
I totally agree, I have provided a quote for a TZ400 waiting for approval.

Need to proceed with the process of getting the S2S working.

So I can use that same gateway subnet that I'm currently utilizing for the P2S?

Sorry new to Azure!
Last Knight
Distinguished Expert 2018
Commented:
So now that you are mixing connection models (S2S & P2S) you need to consider some other items. So, you can add a S2S connection to a VNet that already has a S2S connection, P2S (Point-to-Site) connection, or VNet-to-VNet connection. There are some limitations when adding connections though. Verify the following:
  1. You are not creating an ExpressRoute/S2S coexisting connection.
  2. You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  3. The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  4. None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  5. You have an externally facing public IP address for your SonicWALL VPN. This IP address cannot be located behind a NAT.

Do you need further assistance in setting up the SonicWALL for a Route-based VPN policy?
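As an added example (not code from the thread, SonicWALL or Azure), the addressing given in the question checked against item 4 above and against the remote network object a SonicWALL S2S policy needs; the function and helper names are this example's own, and the second remote-network value it tries is constructed.

```python
import ipaddress

def net(cidr):
    """Parse a CIDR string strictly, so a host address such as 10.1.0.5/24 is rejected."""
    return ipaddress.ip_network(cidr, strict=True)

def check_s2s_addressing(vnet_space, subnets, gateway_subnet, onprem_lan, remote_network):
    """Return a list of findings; an empty list means the addressing is consistent.

    vnet_space      Azure VNet address space
    subnets         workload subnets inside the VNet (not the GatewaySubnet)
    gateway_subnet  the VNet's GatewaySubnet
    onprem_lan      LAN behind the SonicWALL, as entered in the Azure Local Network Gateway
    remote_network  destination network object on the SonicWALL VPN policy's Network tab
    """
    space, gw, lan, remote = net(vnet_space), net(gateway_subnet), net(onprem_lan), net(remote_network)
    workload = [net(s) for s in subnets]
    findings = []
    # Every Azure subnet, the GatewaySubnet included, must sit inside the VNet address space.
    for s in workload + [gw]:
        if not s.subnet_of(space):
            findings.append(f"{s} is outside the VNet address space {space}")
    # The GatewaySubnet is reserved for the gateway and must not overlap a workload subnet.
    for s in workload:
        if s.overlaps(gw):
            findings.append(f"workload subnet {s} overlaps the GatewaySubnet {gw}")
    # Checklist item 4: the on-premises LAN must not overlap any Azure range.
    if lan.overlaps(space):
        findings.append(f"on-premises LAN {lan} overlaps the VNet address space {space}")
    # The SonicWALL's remote network must cover every workload subnet it is meant to reach;
    # a selector that is only the GatewaySubnet covers the gateway, not the VMs behind it.
    for s in workload:
        if not s.subnet_of(remote):
            findings.append(f"remote network {remote} does not cover workload subnet {s}")
    return findings

# Values from the question; remote_network is the one value this example varies.
QUESTION = dict(vnet_space="10.1.0.0/16", subnets=["10.1.0.0/24"],
                gateway_subnet="10.1.1.0/24", onprem_lan="192.168.250.0/24")

if __name__ == "__main__":
    for remote in ("10.1.0.0/16", "10.1.1.0/24"):
        print(remote, check_s2s_addressing(remote_network=remote, **QUESTION) or "OK")
```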
Webcc (President)

Author

Commented:
Using the virtual network gateway that I had set up for the P2S, went in and added a S2S connection. Don't see a static or dynamic routing option, but it is set to route based. Does the SKU matter (set to Basic)? Tried changing Proposal 2 on the Sonicwall to "3DES"; here is the log entry from the Sonicwall:

SENDING>>>> ISAKMP OAK IKE_SA_INIT (InitCookie:0x239d19127aca7dd8 RespCookie:0x0000000000000000, MsgID: 0x0) (NOTIFY: Invalid Syntax)

RECEIVED<<< ISAKMP OAK IKE_SA_INIT (InitCookie:0x538b6d8aa20bbb32 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NONCE, NOTIFY: NATD Source IP, NOTIFY: NATD Destination IP, VID, VID, VID, VID)
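The two kinds of log line quoted in this thread (the IKEv1 OAK INFO lines carrying NO_PROPOSAL_CHOSEN in the question, and the IKEv2 IKE_SA_INIT lines above) parsed and mapped to a troubleshooting hint. This is an added example, not code from the thread or from SonicWALL; the sample lines are constructed from the quoted ones, and the hint wording and helper names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the SonicWALL log entries quoted in this thread.
SAMPLE_LOG = """\
SENDING>>>> ISAKMP OAK INFO (InitCookie:0xd430fb5101e352da RespCookie:0x5e44d1cba51a6c9e, MsgID: 0x71CA63B5) *(HASH, DEL)
SENDING>>>> ISAKMP OAK INFO (InitCookie:0xd430fb5101e352da RespCookie:0x5e44d1cba51a6c9e, MsgID: 0xD0CE2CFC) *(HASH, NOTIFY: NO_PROPOSAL_CHOSEN)
SENDING>>>> ISAKMP OAK IKE_SA_INIT (InitCookie:0x239d19127aca7dd8 RespCookie:0x0000000000000000, MsgID: 0x0) (NOTIFY: Invalid Syntax)
RECEIVED<<< ISAKMP OAK IKE_SA_INIT (InitCookie:0x538b6d8aa20bbb32 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NONCE, NOTIFY: NATD Source IP, NOTIFY: NATD Destination IP, VID)
"""

LINE_RE = re.compile(
    r"(?P<dir>SENDING|RECEIVED)[<>]+ ISAKMP OAK (?P<exch>\S+) "
    r"\(InitCookie:0x[0-9a-fA-F]+ RespCookie:0x[0-9a-fA-F]+, MsgID: 0x[0-9a-fA-F]+\) "
    r"\*?\((?P<payloads>[^)]*)\)")

# Hint wording is this example's own, keyed by the notify text upper-cased with '_' -> ' '.
NOTIFY_HINTS = {
    "NO PROPOSAL CHOSEN": "peer rejected every proposal: compare encryption, hash, DH group, "
                          "lifetimes and, for Phase 2, the local/remote network selectors",
    "INVALID SYNTAX": "a received IKE message was not accepted as well-formed: confirm both "
                      "ends use the same IKE version (IKEv1 Main Mode vs IKEv2)",
}

IkeEvent = namedtuple("IkeEvent", "direction exchange payloads notifies")

def parse_line(line):
    """Parse one SonicWALL ISAKMP log line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    payloads = [p.strip() for p in m.group("payloads").split(",")]
    notifies = [p.split(":", 1)[1].strip() for p in payloads if p.startswith("NOTIFY:")]
    return IkeEvent(m.group("dir"), m.group("exch"), payloads, notifies)

def ike_version(ev):
    """2 for IKEv2-only exchange names, 1 when an IKEv1 HASH payload is present, else None."""
    if ev.exchange in ("IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA"):
        return 2
    return 1 if "HASH" in ev.payloads else None

def diagnose(log_text):
    """Map every NOTIFY seen in the log to a hint (None when it is not in the table)."""
    out = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            for n in ev.notifies:
                out[n] = NOTIFY_HINTS.get(n.upper().replace("_", " "))
    return out
```

Run `diagnose(SAMPLE_LOG)` to see the two actionable notifies side by side; the NATD notifies are informational and map to no hint.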
Webcc (President)

Author

Commented:
1. Did not create an ExpressRoute.
2. Not sure about the RM deployment model - going through the portal and accessing the existing resource group...
3. It is route based.
4. Using the gateway subnet from Azure (10.1.1.0/24) to set up the remote network access on the Sonicwall and have configured the Sonicwall's LAN subnet (192.168.250.0/24) in the Local Network Gateway on Azure.
5. Do have a public facing IP; it's not behind a NAT. Have S2S set up to another office Sonicwall that is working fine and can connect using Global VPN client as well.
6. Have verified all IPs on both sides.
LOG FILE PROVIDED ABOVE.

Any thoughts?
Webcc (President)

Author

Commented:
BST,

Ended up contacting MS support.  We walked through and made several changes on the SW to get the S2S to work.  Some of the documentation floating around is inaccurate or dated.

Thanks for your contribution.
