pix 515 to sonicwall vpn issue

ccsmith
Level 1

Good afternoon,

I'm having some trouble getting a site-to-site VPN set up between a PIX 515 running 6.3(5) and a SonicWall. We've verified the Phase 1 & 2 settings and reset the pre-shared key. On the SonicWall they are getting a message stating that the PIX doesn't support NAT traversal. I didn't have it on at first, so I turned it on, but it didn't help the issue. Has anyone seen this issue with the SonicWalls? When I run a debug on the PIX side and generate traffic I get an error message stating unauthenticated SA.

Thanks,

Chris

9 Replies

ggilbert
Cisco Employee

Chris,

If you could, enable the debugs "deb cry isa" and "deb cry ipsec" on the PIX, then do "clear cry isa sa" and "cle cry ipsec sa".

Send interesting traffic after that, collect the debugs and send them to me.

Thanks

Gilbert

I worked with the far side some more. They found an article where the SonicWall had problems with smaller IP blocks than were on the inside interface. We opened our ACLs up and now we are getting slightly different messages. Here's the debug that I'm getting.

Thanks,

Chris

Chris,

Seems like there is retransmission of Phase 2 occurring and the tunnel doesn't get established.

ISAKMP (0): retransmitting phase 2 (9/3)... mess_id 0x11f4d1d4
ISAKMP (0): retransmitting phase 2 (3/3)... mess_id 0x1ec3c7a6

Can you check the access-list on your end and make sure the access-list on their end is the mirror image of it.

Thanks

Gilbert
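The mirror-image check Gilbert asks for, as an added example (not code from the thread, Cisco or SonicWall): it parses the crypto ACL out of a PIX 6.x config, does the same for the peer's policy, and reports pairs that are not the exact swap of ours. The two configs are constructed samples, and writing the peer's policy in PIX "access-list" syntax is an assumption made so both sides can be compared with one parser; the second peer entry is deliberately a /24 where our side sends a single host, which is the kind of near-miss that leaves Phase 1 up while Phase 2 keeps retransmitting.

```python
"""Mirror-image check for IPsec crypto ACLs (added example, constructed data)."""
from __future__ import annotations

import re
from ipaddress import IPv4Network
from typing import List, Set, Tuple

# PIX 6.x extended ACL line: access-list NAME permit ip SRC DST
# where SRC and DST are "host A.B.C.D", "any", or "A.B.C.D MASK".
_ADDR = r"(?:host\s+\S+|any|\S+\s+\S+)"
_ACL_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})\s*$"
)

Pair = Tuple[IPv4Network, IPv4Network]


def _to_network(token: str) -> IPv4Network:
    """Turn 'host X', 'any' or 'X MASK' into an IPv4Network."""
    parts = token.split()
    if parts[0] == "any":
        return IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return IPv4Network(f"{parts[1]}/32")
    addr, mask = parts
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(config: str, name: str) -> Set[Pair]:
    """Collect (src_net, dst_net) pairs from the named ACL only, ignoring
    other ACLs (nat 0, interface ACLs) that share the same config."""
    pairs: Set[Pair] = set()
    for line in config.splitlines():
        m = _ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            pairs.add((_to_network(m.group("src")), _to_network(m.group("dst"))))
    return pairs


def mirror_mismatches(local: Set[Pair], remote: Set[Pair]) -> Tuple[Set[Pair], Set[Pair]]:
    """The peer must list each of our (src, dst) pairs swapped to (dst, src).
    Returns (pairs we expect but the peer lacks, pairs the peer has that we lack)."""
    expected_remote = {(dst, src) for src, dst in local}
    return expected_remote - remote, remote - expected_remote


def report(local: Set[Pair], remote: Set[Pair]) -> List[str]:
    """Human-readable findings. A missing pair that overlaps an unexpected
    one is reported together, since that is the usual 'almost mirrored' error."""
    missing, extra = mirror_mismatches(local, remote)
    lines: List[str] = []
    for src, dst in sorted(missing, key=str):
        near = [e for e in extra if e[0].overlaps(src) and e[1].overlaps(dst)]
        hint = f" (peer has {near[0][0]} -> {near[0][1]} instead)" if near else ""
        lines.append(f"peer is missing {src} -> {dst}{hint}")
    for src, dst in sorted(extra, key=str):
        if not any(src.overlaps(m[0]) and dst.overlaps(m[1]) for m in missing):
            lines.append(f"peer has unexpected {src} -> {dst}")
    return lines


# Constructed sample: our PIX, crypto ACL for the SonicWall peer plus an
# unrelated nat 0 ACL that the parser must ignore.
LOCAL_PIX_CONFIG = """\
access-list outside_cryptomap_60 permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list outside_cryptomap_60 permit ip host 10.10.1.5 172.16.60.0 255.255.255.0
access-list inside_nat0_outbound permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
"""

# Constructed sample: the peer's policy in the same syntax (an assumption).
# The second entry is deliberately wrong: a /24 where we send a single host.
REMOTE_PEER_POLICY = """\
access-list to_pix permit ip 172.16.50.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list to_pix permit ip 172.16.60.0 255.255.255.0 10.10.1.0 255.255.255.0
"""

if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_PIX_CONFIG, "outside_cryptomap_60")
    remote = parse_crypto_acl(REMOTE_PEER_POLICY, "to_pix")
    for finding in report(local, remote) or ["ACLs are mirror images"]:
        print(finding)
```

Run it and the one finding names the host entry the peer widened to a /24. An empty report is the condition to reach before spending more time on the Phase 2 debugs; the script says nothing about Phase 1, which the thread's debug shows was already completing.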

I just double-checked with the far end admin and he confirmed that they are indeed the reciprocal of each other.

He stated earlier that he keeps getting a message on his SonicWall that the far end (PIX) isn't supporting NAT traversal. I'm sure that's Sonic-speak for something else, but I'm not sure what the option would be. I do have NAT traversal on, but we aren't trying to NAT inside of the tunnel.

Thanks,

Chris

Can you send the output of

sh run | in isakmp

Thanks

Gilbert

Here it is. I've changed the public IPs of the peers, but the peer I'm working with on this one is the last one (

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 2.3.4.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 3.4.5.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 4.5.6.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

Thanks again,

Chris

Chris,

If we are not going through a NAT device, and the SonicWall is complaining about NAT-T, have you tried taking out "isakmp nat-traversal 20" from the config to see if it works?

If not, can you please copy and paste the exact error message from the SonicWall; let me do some searching on the error message.

Thanks

Gilbert

These are the messages they are seeing:

12 06/01/2007 14:21:31.208 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.2.3.4, 500 5.6.7.8, 500
13 06/01/2007 14:21:31.160 IKE Initiator: Start Main Mode negotiation (Phase 1) 1.2.3.4, 500 5.6.7.8, 500

Thanks,

Chris

We got this resolved. Thanks for all of your help. The issue turned out to be that the identity was set to hostname instead of address. We changed that one value on the PIX and the tunnel started passing traffic.

Thanks again,

Chris Smith
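The one-line fix Chris describes, written out as a PIX 6.3 config fragment added here for reference (it is not from the thread; the "before" line is assumed from his description, and the lines beginning with ":" are comments). With a pre-shared key in main mode the PIX looks the key up by peer address ("isakmp key ... address ..."), and the peer in turn matches the identity the PIX sends in Phase 1 against the address it has configured for it, so the identity type on both ends should be the address rather than a hostname:

```text
: before - the PIX sends its hostname as the Phase 1 identity
isakmp identity hostname

: after - the PIX sends its interface address, matching the peer's
: address-keyed pre-shared-key entry
isakmp identity address
```

After changing it, clear the existing SAs as Gilbert suggested ("clear crypto isakmp sa" and "clear crypto ipsec sa"), send interesting traffic, and confirm with "show isakmp sa" that Phase 1 reaches QM_IDLE and with "show crypto ipsec sa" that the encaps/decaps counters increase.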
