pix 515 to sonicwall vpn issue

May 31st, 2007

Good afternoon,


I'm having some trouble getting a site-to-site VPN set up between a PIX 515 running 6.3(5) and a SonicWall. We've verified the phase 1 & 2 settings and reset the pre-shared key. On the SonicWall they are getting a message stating that the PIX doesn't support NAT traversal. I didn't have it on at first, so I turned it on, but it didn't help the issue. Has anyone seen this issue with SonicWalls? When I run a debug on the PIX side and generate traffic I get an error message stating "unauthenticated SA".


Thanks,


Chris

ggilbert (Cisco Employee) Thu, 05/31/2007 - 12:16

Chris,


Could you enable the debugs "deb cry isa" & "deb cry ipsec" on the PIX, then do "clear cry isa sa" & "cle cry ipsec sa".


Send interesting traffic after that, collect the debugs and send it to me.


Thanks

Gilbert

ccsmith Fri, 06/01/2007 - 05:32

I worked with the far side some more. They found an article where the SonicWall had problems with smaller IP blocks than were on the inside interface. We opened our ACLs up and now we are getting slightly different messages. Here's the debug that I'm getting.


Thanks,


Chris



ggilbert (Cisco Employee) Fri, 06/01/2007 - 06:21

Chris,


Seems like there is retransmission of Phase 2 occurring and the tunnel doesn't get established.



ISAKMP (0): retransmitting phase 2 (9/3)... mess_id 0x11f4d1d4
ISAKMP (0): retransmitting phase 2 (3/3)... mess_id 0x1ec3c7a6


Can you check the access-list on your end and make sure the access-list on their end is a mirror image of it?


Thanks

Gilbert

ccsmith Fri, 06/01/2007 - 07:41

I just double-checked with the far end admin and he confirmed that they are indeed the reciprocal of each other.


He stated earlier that he keeps getting a message on his SonicWall that the far end (PIX) isn't supporting NAT traversal. I'm sure that's Sonic-speak for something else, but I'm not sure what the option would be. I do have NAT traversal on, but we aren't trying to NAT inside of the tunnel.


Thanks,


Chris

ggilbert (Cisco Employee) Fri, 06/01/2007 - 09:23

Can you send the output of


sh run | in isakmp


Thanks

Gilbert

ccsmith Fri, 06/01/2007 - 09:33

Here it is. I've changed the public IPs of the peers, but the peer I'm working with on this one is the last one (


crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 2.3.4.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 3.4.5.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 4.5.6.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400


Thanks again,


Chris

ggilbert (Cisco Employee) Fri, 06/01/2007 - 10:05

Chris,


If we are not going through a NAT device, and the SonicWall is complaining about NAT-T, have you tried taking "isakmp nat-traversal 20" out of the config to see if it works?


If not, can you please copy and paste the exact error message from the SonicWall? Let me do some searching on the error message.


Thanks

Gilbert

ccsmith Fri, 06/01/2007 - 11:34

These are the messages they are seeing:


12 06/01/2007 14:21:31.208 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.2.3.4, 500 5.6.7.8, 500
13 06/01/2007 14:21:31.160 IKE Initiator: Start Main Mode negotiation (Phase 1) 1.2.3.4, 500 5.6.7.8, 500



Thanks,


Chris


ccsmith Fri, 06/08/2007 - 06:47

We got this resolved. Thanks for all of your help. The issue turned out to be that the identity was set to hostname instead of address. We changed that one value on the PIX and the tunnel started passing traffic.


Thanks again,


Chris Smith
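The three things this thread ended up checking by hand (ISAKMP identity type, NAT-T with no NAT device in the path, and crypto ACLs that mirror the peer's networks) can be checked mechanically against a "sh run | in isakmp" capture and the crypto ACL. The script below is an added example and is not from the thread or from Cisco; the sample config and ACL are constructed to resemble the one posted above, the peer network list stands in for what the far-end admin reads off the SonicWall, and the behind_nat flag is an assumption the operator supplies. It does not assume what PIX 6.3 prints when identity is left at its default; an absent identity line is reported for verification rather than treated as correct.

```python
"""Check a PIX 6.3 'show run | include isakmp' capture and crypto ACL for the
mismatches that broke the tunnel in this thread. Added example, not from
the original post or from Cisco."""
import ipaddress
import re

# Constructed sample modelled on the config posted in the thread. The
# 'isakmp identity hostname' line is the setting that turned out to be wrong.
SAMPLE_ISAKMP = """\
isakmp enable outside
isakmp identity hostname
isakmp key ******** address 4.5.6.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Constructed crypto ACL for the map entry pointing at that peer.
SAMPLE_ACL = """\
access-list outside_cryptomap_60 permit ip 10.1.0.0 255.255.0.0 10.2.5.0 255.255.255.0
access-list outside_cryptomap_60 permit ip host 10.3.0.7 10.2.5.0 255.255.255.0
"""

# What the far-end admin reports the SonicWall has, as (its local network,
# its destination network). Constructed; in practice read from their UI.
SAMPLE_PEER_NETWORKS = [("10.2.5.0/24", "10.1.0.0/16")]


def check_isakmp(isakmp_text, peer_ip, behind_nat=False):
    """Return a list of findings for the ISAKMP settings relevant to peer_ip."""
    findings = []
    lines = [l.strip() for l in isakmp_text.splitlines() if l.strip()]

    # 1. Identity: a peer matched by IP with a pre-shared key expects the
    # ISAKMP ID to be the address, not an FQDN (the thread's root cause).
    identity = next((l.split()[2] for l in lines if l.startswith("isakmp identity ")), None)
    if identity != "address":
        findings.append(f"isakmp identity is {identity or 'not shown'}; "
                        f"set 'isakmp identity address' for PSK peer {peer_ip}")

    # 2. NAT-T only helps when a NAT device sits between the peers.
    if any(l.startswith("isakmp nat-traversal") for l in lines) and not behind_nat:
        findings.append("isakmp nat-traversal is enabled with no NAT device in the path; "
                        "try 'no isakmp nat-traversal'")

    # 3. A pre-shared key whose address/netmask covers the exact peer must exist.
    key_re = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)")
    covered = False
    for l in lines:
        m = key_re.match(l)
        if m and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False):
            covered = True
    if not covered:
        findings.append(f"no isakmp key matches peer {peer_ip}")

    # 4. Phase 1 needs at least one policy to offer.
    if not any(l.startswith("isakmp policy") for l in lines):
        findings.append("no isakmp policy configured")
    return findings


def _endpoint(tokens, i):
    """Parse 'host A' or 'A MASK' starting at tokens[i]; return (network, next i)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def acl_mirror_gaps(acl_text, peer_networks):
    """Return crypto-ACL entries (local -> remote) that the peer does not
    list reversed as (remote -> local), i.e. entries that are not mirrored."""
    mirrored = {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in peer_networks}
    gaps = []
    for l in acl_text.splitlines():
        tokens = l.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue
        local, i = _endpoint(tokens, 4)
        remote, _ = _endpoint(tokens, i)
        if (remote, local) not in mirrored:
            gaps.append(f"{local} -> {remote} has no mirror ({remote} -> {local}) on the peer")
    return gaps


if __name__ == "__main__":
    for f in check_isakmp(SAMPLE_ISAKMP, "4.5.6.7"):
        print("ISAKMP:", f)
    for g in acl_mirror_gaps(SAMPLE_ACL, SAMPLE_PEER_NETWORKS):
        print("ACL:", g)
```

Run against the constructed sample it reports the identity setting, the unnecessary NAT-T line, and the second ACL entry (host 10.3.0.7) that the SonicWall has no reverse entry for; the same three items are what the thread worked through by hand.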
