Cisco_Sonicwall - VPN policy's Destination Network (Phase 2) Mismatch

Unanswered Question
Mar 31st, 2009

Hello everybody,

I need your help with a VPN that's driving me crazy.

I have to establish a tunnel between a Cisco C837 and a SonicWALL PRO 4100.

- The Cisco router has a dynamic public IP.

- Cisco local network: 172.16.41.24/29

- The SW has a static public IP.

- SW local network: 172.16.40.0/26

Aggressive Mode Phase 1 completes OK, but in Phase 2 SonicWALL log says:

"IKE Responder: Peer's local network does not match VPN policy's Destination Network"

"VPN Policy: pruebasdhcp; Proposed network: 0.0.0.0/0.0.0.0"

As the SW works fine with many other VPNs (to other routers with dynamic or static public IPs) I think the problem is located in the Cisco ACLs (I've also been able to establish a VPN between these two devices... but in Main Mode with static IPs), because trying to establish connection is up to one or two code lines --though it fails at Phase 2--.

I'll put some code to explain the situation:

--
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp peer address XXX.XXX.XXX.XXX
 set aggressive-mode password XXX
 set aggressive-mode client-endpoint user-fqdn [email protected]
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set sonicwall esp-3des esp-sha-hmac
!
crypto map sonicwallmap 20 ipsec-isakmp
 description Tunel
 set peer XXX.XXX.XXX.XXX
 set transform-set sonicwall
 match address 120
interface Ethernet0
 ip address 172.16.41.25 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/32
  pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip access-group ext_fw in
 ip mtu 1404
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname XXX
 ppp chap password 7 XXX
 ppp pap sent-username XXX
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map sonicwallmap
 hold-queue 224 in
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source list 120 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip access-list extended ext_fw
 deny icmp any any redirect
 permit tcp any any established
 permit udp any any gt 1023
 permit udp any any eq isakmp
 permit icmp any any
 permit ahp any any
 permit esp any any
access-list 100 deny ip 172.16.41.24 0.0.0.7 172.16.40.0 0.0.0.63
access-list 100 permit ip 172.16.41.24 0.0.0.7 any
access-list 120 permit ip 172.16.41.24 0.0.0.7 172.16.40.0 0.0.0.63
route-map nonat permit 10
 match ip address 100
--

With the configuration shown above, SW doesn't know there's a router trying to establish a VPN connection.

It only starts negotiating if I add the line:

access-list 120 permit icmp any any

But it has the following consequences:

- Ping isn't allowed anymore from the Cisco router.

- "show crypto ipsec sa" shows first tunnel as:

interface: Dialer1
    Crypto map tag: sonicwallmap, local addr XXX.XXX.XXX.XXX

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   current_peer XXX.XXX.XXX.XXX port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

But, if I remove that line (access-list 120 permit icmp any any), I can see:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.41.24/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (172.16.40.0/255.255.255.192/0/0)

But nothing happens (neither phase 1 tries to start).

Any help would be appreciated.

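As an added illustration (not code from the thread), the following Python script derives the Phase 2 proxy identities that a Cisco crypto ACL entry proposes, in the addr/mask/prot/port form that show crypto ipsec sa prints, and checks them against the networks the SonicWALL policy expects. The ACL lines are constructed from the access-list 120 entries above; the SonicWALL policy networks are assumed from the post.

```python
import ipaddress

# Constructed crypto ACL, modelled on the two access-list 120 entries in the post.
CRYPTO_ACL = [
    "access-list 120 permit ip 172.16.41.24 0.0.0.7 172.16.40.0 0.0.0.63",
    "access-list 120 permit icmp any any",
]

# IP protocol numbers as they appear in the prot field of the proxy identity.
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


def _net(tokens, i):
    """Parse one ACE address spec starting at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D wildcard'. Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # Cisco wildcard masks are inverted netmasks: 0.0.0.7 -> 255.255.255.248
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def proxy_ids(ace):
    """Return (local ident, remote ident) for one 'access-list N permit ...' line,
    formatted like the show crypto ipsec sa output quoted in the post."""
    t = ace.split()
    proto = PROTO[t[3]]
    src, i = _net(t, 4)
    dst, _ = _net(t, i)
    fmt = lambda n: f"{n.network_address}/{n.netmask}/{proto}/0"
    return fmt(src), fmt(dst)


def check_against_policy(acl_lines, sw_local, sw_destination):
    """Report every ACE whose proposed networks differ from the SonicWALL policy.
    sw_local is the SonicWALL's own LAN; sw_destination is the peer LAN it expects.
    The Cisco source must equal sw_destination and the Cisco destination sw_local."""
    sw_local = ipaddress.ip_network(sw_local)
    sw_destination = ipaddress.ip_network(sw_destination)
    findings = []
    for ace in acl_lines:
        t = ace.split()
        src, i = _net(t, 4)
        dst, _ = _net(t, i)
        if src != sw_destination or dst != sw_local:
            findings.append(f"{ace!r} proposes {src} -> {dst}; "
                            f"SW policy expects {sw_destination} -> {sw_local}")
    return findings
```

Run against the constructed ACL with sw_local 172.16.40.0/26 and sw_destination 172.16.41.24/29, only the icmp any any line is flagged, which is the 0.0.0.0/0.0.0.0 proposed network the SonicWALL log complains about.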
Ivan Martinon Tue, 03/31/2009 - 13:41

Hi, I wonder why you force the router to start the VPN tunnel in aggressive mode. The router indeed has a dynamic IP address, but as long as the SW supports the establishment of tunnels with a dynamic IP address you should not use aggressive mode. Also, I would like to know why you have the following NAT line:

ip nat inside source list 120 interface Dialer1 overload

This line is using the same ACL that the match address on the crypto statements uses, so pretty much you are overloading the whole network to the dialer when going to the tunnel. I would get rid of it.

themachine Mon, 04/06/2009 - 06:03

I got it!!!

Thanks for your advice, imartino. I removed some unnecessary lines and finally got it working in aggressive mode... obviously without the conflicting line:

access-list 120 permit icmp any any

that was making both ends mismatch.

So, basically it was well configured. The problem was located in the way of making negotiation start. I was pinging from the router and today I realized that traffic had to come from the very end, that is, the computer.

And it works.

Kevin Porter Tue, 04/28/2009 - 08:09

Hi. I am trying to get a Cisco 871 to VPN connect to a Sonicwall and we are failing Phase 1. The router is using DHCP on the WAN. The Sonicwall is static. The router will not start Aggressive Mode, which appears to be a problem at the Sonicwall. Any thoughts on what to check on the Sonicwall and the router would be greatly appreciated...

Ivan Martinon Tue, 04/28/2009 - 08:45

Yes, does your router have configuration to connect to a static vpn or does it have configuration of an aggressive mode setup?

Kevin Porter Tue, 04/28/2009 - 09:14

I am connecting to the Sonicwall's Static IP. The router is set for DHCP. Since I don't have a static IP for the Router, I'm assuming that I cannot use Aggressive Mode, since the "crypto isakmp peer X.X.X.X" command is looking for my Routers static IP...

Ivan Martinon Tue, 04/28/2009 - 09:16

Good, what are the debugs you get when the router tries to connect for isakmp and ipsec?

Kevin Porter Tue, 04/28/2009 - 09:29

First question on my response...Should the initial design actually work (Sonicwall in Aggressive Mode and router with "standard" IPSEC config and using DHCP for the WAN)?

My Sonicwall rep says that the Cisco router will not run in Aggressive Mode unless there is a Static IP Assigned to the WAN and is referenced in the ISAKMP PEER to set aggressive mode....

Funny thing is that the Sonicwall will not run Main Mode unless a peer Address is entered into the configuration page...

My debugs look fine as the router is building the ISAKMP connection. The failure is at the Sonicwall that won't dynamically switch to Main Mode.

If we switch the Sonicwall to Main Mode, use the PAT address of my Firewall (which is where the router is getting sent to the internet and something that I can't do in production), and take out the Aggressive-mode stuff from the router, the Tunnel comes all the way up except for no receive decrypted packets...

Ivan Martinon Tue, 04/28/2009 - 09:31

Wrong, the router will work without having a static IP address assigned to the WAN. The config needed is a dynamic-to-static VPN: your router should have a static crypto map configured, and your SonicWall will only need to allocate this as a dynamic connection.

Kevin Porter Tue, 04/28/2009 - 09:38

OK.

Here's my config, do you see anything wrong with it? If not, I don't think that I am getting good assistance on the Sonicwall...

dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.97.1 192.168.97.200
ip dhcp excluded-address 192.168.197.1 192.168.197.200
!
ip dhcp pool DATA
   network 192.168.97.0 255.255.255.0
   default-router 192.168.97.1
   dns-server 192.168.1.5 192.168.1.6
   domain-name cvistl.com
!
ip dhcp pool VOICE
   network 192.168.197.0 255.255.255.0
   default-router 192.168.197.1
   dns-server 192.168.1.5 192.168.1.6
   option 150 ip 192.168.101.5
   domain-name cvistl.com
!
!
ip domain name cvistl.com
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Interior2009 address 63.252.122.130
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set CVI_VPN_SET esp-3des esp-sha-hmac
!
crypto map CVI_VPN 10 ipsec-isakmp
 set peer 63.252.122.130
 set transform-set CVI_VPN_SET
 match address 110
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map match-any VoIP-Control
 match ip precedence 3
class-map match-any VoIP-RTP
 match ip precedence 5
!
!
policy-map WAN-QOS-POLICY
 class VoIP-RTP
  priority percent 40
 class VoIP-Control
  bandwidth percent 25
 class class-default
  fair-queue
!
!
!
!
interface FastEthernet0
 switchport voice vlan 2
 spanning-tree portfast
!
interface FastEthernet1
 switchport voice vlan 2
 spanning-tree portfast
!
interface FastEthernet2
 switchport voice vlan 2
 spanning-tree portfast
!
interface FastEthernet3
 switchport voice vlan 2
 spanning-tree portfast
!
interface FastEthernet4
 description WAN Interface
 bandwidth 500
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1350
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map CVI_VPN
 service-policy output WAN-QOS-POLICY
!
interface Vlan1
 description DATA VLAN
 ip address 192.168.97.1 255.255.255.0
!
interface Vlan2
 description VOICE VLAN
 ip address 192.168.197.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 102 permit udp host 63.252.122.130 any eq 10000
access-list 102 permit udp host 63.252.122.130 any eq non500-isakmp
access-list 102 permit udp host 63.252.122.130 any eq isakmp
access-list 102 permit esp host 63.252.122.130 any
access-list 102 permit ahp host 63.252.122.130 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 110 permit ip 192.168.97.0 0.0.0.255 any
access-list 110 permit ip 192.168.197.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 60 0
 logging synchronous
 no login
!
scheduler max-task-time 5000
ntp server 192.168.101.2
end

GW-871-ROB_K-01#

Ivan Martinon Tue, 04/28/2009 - 09:40

Debugs from your router will be useful. However, I can tell that your match address has any as the destination; are you certain the SonicWall has the same any as the source? Are you certain the SonicWall has the correct settings for both P1 and P2? What error message do you get from the SonicWall?

Kevin Porter Tue, 04/28/2009 - 10:07

In the "Dynamic" mode, the Sonicwall won't complete phase 1 due to the failure in setting up as Aggressive mode.

According to the gent working on the Sonicwall end, there was no way to configure a "source network", but only a Destination Network...

Ivan Martinon Tue, 04/28/2009 - 10:22

In my experience I have always seen SonicWall working with Cisco... can you disable aggressive mode on your SonicWall and make the appropriate changes to reflect that?

Kevin Porter Tue, 04/28/2009 - 11:15

We have switched the Sonicwall to Main Mode, set the IP to what my 871 hits the Internet with and Phase 1 and Phase 2 complete. We can't do this in production since the production site does not have any Static, Public IP's...

Ivan Martinon Tue, 04/28/2009 - 11:19

Set the SonicWall to main mode and leave the 800 dynamic. I doubt there is no option on the SW that will let you put the tunnel as dynamic; you know, sometimes people confuse the fact that it uses aggressive mode with the fact that it will accept a dynamic tunnel.

Kevin Porter Tue, 04/28/2009 - 11:41

The SW guy said that to run in Main Mode, he had to build the Tunnels with a Peer IP Address and we won't have a "static" ip at the 871 end...

Alan Chin Tue, 04/28/2009 - 13:41

Kporter,

I understand your frustration. I ran into the same issue that you are having a few months ago and I was able to get my remote workers to connect between 871w and SonicWall 2040.

Forget about creating VPN policies on your SonicWall, it will not work with any of the modes since your remote 871 is using dynamic WAN IP. Try below.

SonicWall Settings.

Use the default GroupVPN policies and set to use IKE preshare secret.

Phase1- Group2, 3DES, SHA1, 28800.

Phase2- ESP, 3DES, SHA1

Turn off PFS

Unchecked all advanced settings

Enable your GroupVPN policy

871 Settings.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Interior2009 address 63.252.122.130 no-xauth

let me know how it goes. Good luck.

Kevin Porter Tue, 04/28/2009 - 14:31

Thanks much for your reply. I will try this out and will repost the results...

Kevin Porter Wed, 04/29/2009 - 13:55

No joy! I cannot confirm 100% that the SW is configured as you suggested since I am not allowed to touch it. Looks like Phase 1 is not completing now, since the router is doing a lot of "retransmitting phase 1 MM_KEY_EXCHANGE" messages...

Ivan Martinon Wed, 04/29/2009 - 14:01

Key exchange means the preshared key or the identity is wrong. Can you check if you can enable this on the router: crypto isakmp identity address

Kevin Porter Wed, 04/29/2009 - 14:11

The ID Payload was sending the Address of the WAN port that is using DHCP. Does the SW need to know the Identity of the 871 Router? If so, I would think that using the Hostname would be preferred, since that would never change...

Ivan Martinon Wed, 04/29/2009 - 14:14

It is a dynamic IP address, hence the SW should have a wildcard preshared key.
