
Sonicwall VPN to Cisco behind NAT

Robert324
Level 1

We had a SonicWall to Cisco VPN configured between two sites that was functioning with no issues.

The business at the Cisco side decided to remove some of their public IP addresses in order to save money.

This resulted in the ISP removing the public IP address we were using for the VPN.

They configured their firewall to forward the VPN connection onto an internal IP address so that the VPN connection would still function.

After a fair amount of time messing around we managed to get the configuration sorted out so that the two VPN points could see each other.

Unfortunately the VPN fails to connect properly and we are getting this error on the Cisco-side router:


%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from xxxxxxxxx was not encrypted and it should've been.


And this error on the SonicWall side:


IKE Initiator: Proposed IKE ID mismatch


I have checked through all the settings on both ends for the authentication settings, and all the appropriate settings still match: pre-shared key, authentication type, protocol, etc.

It has been suggested that we may need to configure the VPN to use aggressive mode to resolve this issue, but I am somewhat hesitant due to the decrease in security.


Any help with this issue would be greatly appreciated.

5 Replies

Robert324
Level 1

Debug logs


*Aug 20 05:06:19.314: ISAKMP:(2726):Send initial contact
*Aug 20 05:06:19.314: ISAKMP:(2726):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug 20 05:06:19.314: ISAKMP (2726): ID payload
        next-payload : 8
        type         : 1
        address      : 10.7.0.2
        protocol     : 17
        port         : 0
        length       : 12
*Aug 20 05:06:19.318: ISAKMP:(2726):Total payload length: 12
*Aug 20 05:06:19.318: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:06:19.318: ISAKMP:(2726):Sending an IKE IPv4 Packet.
*Aug 20 05:06:19.318: ISAKMP:(2726):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 20 05:06:19.318: ISAKMP:(2726):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Aug 20 05:06:19.474: ISAKMP (2726): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:19.474: ISAKMP: set new node -59680068 to QM_IDLE
*Aug 20 05:06:19.474: ISAKMP (2726): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:19.474: ISAKMP (2726): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:19.474: ISAKMP (2726): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:19.474: ISAKMP (2726): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:19.474: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 103.21.49.129 to 10.7.0.2.
*Aug 20 05:06:29.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH...
*Aug 20 05:06:29.318: ISAKMP (2726): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 20 05:06:29.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH
*Aug 20 05:06:29.318: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:06:29.318: ISAKMP:(2726):Sending an IKE IPv4 Packet.
*Aug 20 05:06:29.478: ISAKMP (2726): received packet from 103.21.49.129 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:29.478: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 103.21.49.129 was not encrypted and it should've been.
*Aug 20 05:06:29.646: ISAKMP:(2725):purging node 528257704
*Aug 20 05:06:29.646: ISAKMP:(2725):purging node -1645076965
*Aug 20 05:06:29.646: ISAKMP:(2725):purging node -265733553
*Aug 20 05:06:39.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH...
*Aug 20 05:06:39.318: ISAKMP (2726): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Aug 20 05:06:39.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH
*Aug 20 05:06:39.318: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:06:39.318: ISAKMP:(2726):Sending an IKE IPv4 Packet.
*Aug 20 05:06:39.478: ISAKMP (2726): received packet from 103.21.49.129 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:39.478: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 103.21.49.129 was not encrypted and it should've been.
*Aug 20 05:06:39.646: ISAKMP:(2725):purging SA., sa=F9DDDBC, delme=F9DDDBC
*Aug 20 05:06:49.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH...
*Aug 20 05:06:49.318: ISAKMP (2726): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Aug 20 05:06:49.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH
*Aug 20 05:06:49.318: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:06:49.318: ISAKMP:(2726):Sending an IKE IPv4 Packet.
*Aug 20 05:06:49.474: ISAKMP (2726): received packet from 103.21.49.129 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:49.474: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 103.21.49.129 was not encrypted and it should've been.
*Aug 20 05:06:54.434: ISAKMP: set new node 0 to QM_IDLE
*Aug 20 05:06:54.434: ISAKMP:(2726):SA is still budding. Attached new ipsec request to it. (local 10.7.0.2, remote 103.21.49.129)
*Aug 20 05:06:54.434: ISAKMP: Error while processing SA request: Failed to initialize SA
*Aug 20 05:06:54.434: ISAKMP: Error while processing KMI message 0, error 2.
*Aug 20 05:06:59.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH...
*Aug 20 05:06:59.318: ISAKMP (2726): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Aug 20 05:06:59.318: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH
*Aug 20 05:06:59.318: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:06:59.318: ISAKMP:(2726):Sending an IKE IPv4 Packet.
*Aug 20 05:06:59.474: ISAKMP (2726): received packet from 103.21.49.129 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Aug 20 05:06:59.474: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 103.21.49.129 was not encrypted and it should've been.
*Aug 20 05:07:09.317: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH...
*Aug 20 05:07:09.317: ISAKMP (2726): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 20 05:07:09.317: ISAKMP:(2726): retransmitting phase 1 MM_KEY_EXCH
*Aug 20 05:07:09.317: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:07:09.317: ISAKMP:(2726):Sending an IKE IPv4 Packet.
*Aug 20 05:07:09.473: ISAKMP (2726): received packet from 103.21.49.129 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*Aug 20 05:07:09.473: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 103.21.49.129 was not encrypted and it should've been.
*Aug 20 05:07:16.245: ISAKMP: quick mode timer expired.
*Aug 20 05:07:16.245: ISAKMP:(2726):src 10.7.0.2 dst 103.21.49.129, SA is not authenticated
*Aug 20 05:07:16.245: ISAKMP:(2726):peer does not do paranoid keepalives.

*Aug 20 05:07:16.245: ISAKMP:(2726):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 103.21.49.129)
*Aug 20 05:07:16.245: ISAKMP:(2726):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 103.21.49.129)
*Aug 20 05:07:16.245: ISAKMP: Unlocking peer struct 0xFA22D48 for isadb_mark_sa_deleted(), count 0
*Aug 20 05:07:16.245: ISAKMP: Deleting peer node by peer_reap for 103.21.49.129: FA22D48
*Aug 20 05:07:16.245: ISAKMP:(2726):deleting node 203523094 error FALSE reason "IKE deleted"
*Aug 20 05:07:16.245: ISAKMP:(2726):deleting node -59680068 error FALSE reason "IKE deleted"
*Aug 20 05:07:16.245: ISAKMP:(2726):deleting node -1735253087 error FALSE reason "IKE deleted"
*Aug 20 05:07:16.245: ISAKMP:(2726):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 20 05:07:16.245: ISAKMP:(2726):Old State = IKE_I_MM5  New State = IKE_DEST_SA

*Aug 20 05:07:24.433: ISAKMP:(0): SA request profile is (NULL)
*Aug 20 05:07:24.433: ISAKMP: Created a peer struct for 103.21.49.129, peer port 500
*Aug 20 05:07:24.433: ISAKMP: New peer created peer = 0x1021CF4 peer_handle = 0x80001408
*Aug 20 05:07:24.433: ISAKMP: Locking peer struct 0x1021CF4, refcount 1 for isakmp_initiator
*Aug 20 05:07:24.433: ISAKMP: local port 500, remote port 500
*Aug 20 05:07:24.433: ISAKMP: set new node 0 to QM_IDLE
*Aug 20 05:07:24.433: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2DE8AD4
*Aug 20 05:07:24.433: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Aug 20 05:07:24.433: ISAKMP:(0):found peer pre-shared key matching 103.21.49.129
*Aug 20 05:07:24.433: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Aug 20 05:07:24.433: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Aug 20 05:07:24.433: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Aug 20 05:07:24.433: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Aug 20 05:07:24.433: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 20 05:07:24.433: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Aug 20 05:07:24.433: ISAKMP:(0): beginning Main Mode exchange
*Aug 20 05:07:24.433: ISAKMP:(0): sending packet to 103.21.49.129 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 20 05:07:24.433: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 20 05:07:24.589: ISAKMP (0): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_NO_STATE
*Aug 20 05:07:24.589: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 20 05:07:24.589: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Aug 20 05:07:24.589: ISAKMP:(0): processing SA payload. message ID = 0
*Aug 20 05:07:24.589: ISAKMP:(0): processing vendor id payload
*Aug 20 05:07:24.589: ISAKMP:(0): vendor ID seems Unity/DPD but major 28 mismatch
*Aug 20 05:07:24.589: ISAKMP:(0): processing vendor id payload
*Aug 20 05:07:24.589: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Aug 20 05:07:24.589: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 20 05:07:24.589: ISAKMP:(0):found peer pre-shared key matching 103.21.49.129
*Aug 20 05:07:24.589: ISAKMP:(0): local preshared key found
*Aug 20 05:07:24.589: ISAKMP : Scanning profiles for xauth ...
*Aug 20 05:07:24.589: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Aug 20 05:07:24.589: ISAKMP:      encryption 3DES-CBC
*Aug 20 05:07:24.589: ISAKMP:      hash SHA
*Aug 20 05:07:24.589: ISAKMP:      default group 2
*Aug 20 05:07:24.589: ISAKMP:      auth pre-share
*Aug 20 05:07:24.589: ISAKMP:      life type in seconds
*Aug 20 05:07:24.589: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Aug 20 05:07:24.589: ISAKMP:(0):atts are acceptable. Next payload is 0
*Aug 20 05:07:24.589: ISAKMP:(0):Acceptable atts:actual life: 0
*Aug 20 05:07:24.589: ISAKMP:(0):Acceptable atts:life: 0
*Aug 20 05:07:24.589: ISAKMP:(0):Fill atts in sa vpi_length:4
*Aug 20 05:07:24.589: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Aug 20 05:07:24.589: ISAKMP:(0):Returning Actual lifetime: 86400
*Aug 20 05:07:24.593: ISAKMP:(0)::Started lifetime timer: 86400.

*Aug 20 05:07:24.593: ISAKMP:(0): processing vendor id payload
*Aug 20 05:07:24.593: ISAKMP:(0): vendor ID seems Unity/DPD but major 28 mismatch
*Aug 20 05:07:24.593: ISAKMP:(0): processing vendor id payload
*Aug 20 05:07:24.593: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Aug 20 05:07:24.593: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 20 05:07:24.593: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 20 05:07:24.593: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Aug 20 05:07:24.593: ISAKMP:(0): sending packet to 103.21.49.129 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug 20 05:07:24.593: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 20 05:07:24.593: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 20 05:07:24.593: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Aug 20 05:07:24.757: ISAKMP (0): received packet from 103.21.49.129 dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug 20 05:07:24.757: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 20 05:07:24.757: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Aug 20 05:07:24.757: ISAKMP:(0): processing KE payload. message ID = 0
*Aug 20 05:07:24.773: ISAKMP:received payload type 20
*Aug 20 05:07:24.773: ISAKMP (0): NAT found, both nodes inside NAT
*Aug 20 05:07:24.773: ISAKMP:received payload type 20
*Aug 20 05:07:24.773: ISAKMP (0): My hash no match -  this node inside NAT
*Aug 20 05:07:24.773: ISAKMP:(0): processing NONCE payload. message ID = 0
*Aug 20 05:07:24.773: ISAKMP:(0):found peer pre-shared key matching 103.21.49.129
*Aug 20 05:07:24.777: ISAKMP:(2727): processing vendor id payload
*Aug 20 05:07:24.777: ISAKMP:(2727): vendor ID seems Unity/DPD but major 38 mismatch
*Aug 20 05:07:24.777: ISAKMP:(2727): processing vendor id payload
*Aug 20 05:07:24.777: ISAKMP:(2727): vendor ID seems Unity/DPD but major 215 mismatch
*Aug 20 05:07:24.777: ISAKMP:(2727): vendor ID is XAUTH
*Aug 20 05:07:24.777: ISAKMP:(2727): processing vendor id payload
*Aug 20 05:07:24.777: ISAKMP:(2727): vendor ID is DPD
*Aug 20 05:07:24.777: ISAKMP:(2727):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 20 05:07:24.777: ISAKMP:(2727):Old State = IKE_I_MM4  New State = IKE_I_MM4

Not sure if it will help, but I have experienced log errors, and even though everything looks right config-wise, the only way to get the session to come up was to delete the policies and re-add them. The ASA has some strange quirks where if anything changes on a policy it misbehaves.


May not work, but worth a try.

I have rebuilt the crypto policies from the ground up and it is still giving the same errors.

Thanks for the suggestion.

No probs. Hopefully you get it sorted; let us know.

So I think the issue is caused because the ISP is getting us to point the SonicWall IP address to 112.x.x.x, which their firewall then pushes to our router, which has been reconfigured with a 10.7.0.2 IP address instead of the old public IP address we had.

This seems to cause the IP header authentication to fail because the SonicWall is expecting a response back from 112.x.x.x but gets a response from 10.7.0.2 instead.

What options are there to resolve this? 

Can we change the encryption requirements to be less strict?
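Added example, not from the thread or from either vendor: a Python check over the Cisco ISAKMP debug lines posted earlier in this thread, tying the ID payload (id type ID_IPV4_ADDR, address 10.7.0.2) and the NAT-T detection to the SonicWall's "Proposed IKE ID mismatch". The log excerpt is trimmed from the posted debug; the verdict text is the standard IKEv1-behind-NAT remediation and is my assumption, not something the thread confirms.

```python
import ipaddress
import re

# Constructed excerpt: the lines from the Cisco ISAKMP debug posted above that
# the check actually needs (same content, trimmed to those lines).
DEBUG_LOG = """\
*Aug 20 05:06:19.314: ISAKMP:(2726):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug 20 05:06:19.314: ISAKMP (2726): ID payload
        next-payload : 8
        type         : 1
        address      : 10.7.0.2
        protocol     : 17
        port         : 0
        length       : 12
*Aug 20 05:06:19.318: ISAKMP:(2726): sending packet to 103.21.49.129 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Aug 20 05:06:29.478: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 103.21.49.129 was not encrypted and it should've been.
*Aug 20 05:07:24.773: ISAKMP (0): NAT found, both nodes inside NAT
*Aug 20 05:07:24.773: ISAKMP (0): My hash no match -  this node inside NAT
"""


def analyse_ike_debug(log: str) -> dict:
    """Extract the IKE identity and NAT-T facts from a Cisco ISAKMP debug."""
    id_type = re.search(r"using id type (\S+)", log)
    id_addr = re.search(r"^\s+address\s+:\s+(\S+)$", log, re.M)
    addr = id_addr.group(1) if id_addr else None
    facts = {
        "id_type": id_type.group(1) if id_type else None,
        "id_address": addr,
        "id_is_private": bool(addr) and ipaddress.ip_address(addr).is_private,
        "local_behind_nat": "this node inside NAT" in log,
        "peer_behind_nat": "both nodes inside NAT" in log,
        # MM5/MM6 must be encrypted; a clear-text reply at MM_KEY_EXCH means
        # the peer never accepted this end's identity and restarted.
        "unencrypted_replies": log.count("IKMP_NOT_ENCRYPTED"),
    }
    facts["verdict"] = diagnose(facts)
    return facts


def diagnose(f: dict) -> str:
    # Assumed remediation: with ID_IPV4_ADDR the peer compares the ID payload
    # against the address it was told to talk to, which behind NAT is the
    # public (112.x.x.x in the thread) address, not the router's real one.
    if f["id_type"] == "ID_IPV4_ADDR" and f["id_is_private"] and f["local_behind_nat"]:
        return (f"IKE ID mismatch: this end identifies itself as its private "
                f"address {f['id_address']}, but a peer reaching it through NAT "
                f"expects the public address. Either configure the peer to accept "
                f"{f['id_address']} as the remote IKE ID, or use a non-address "
                f"identity (FQDN/key-id) on both ends.")
    return "no identity/NAT-T problem found in this debug"
```

Run against the full debug output to get the same verdict; the regexes only depend on the "using id type" and "address :" lines.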
