Problems with SonicWALL to PIX VPN establishment

ramiro
Level 1

During the establishment of a VPN channel between a SonicWALL firewall and a PIX firewall, I get the following messages on the PIX when running the debug option:

ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 830869750
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)

I am using IP NAT on both sides of the connection, but the VPN is not established.

I am grateful for any help you can give me in this matter.

Thanks in advance,

R.a.M.

7 Replies

afakhan
Level 4

Hi,

Your IPsec phase II is failing; make sure that you don't have PFS turned on on the SonicWall side, or any other IKE phase II parameter mismatching.

Thx

Afaq

This (ISAKMP: IPSec policy invalidated proposal) generally means your crypto access-lists aren't the exact opposite of each other. The SonicWall is trying to bring up a tunnel for a specific traffic pattern, which doesn't match what the PIX is configured for. Make sure the crypto traffic is the exact opposite of each other on either end.

OK! Here is the configuration on both sides of the VPN:

PIX Firewall

access-list 20 permit tcp host host eq telnet
access-list vpn-name permit ip host host
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map NAME 3 ipsec-isakmp
crypto map NAME 3 match address vpn-name
crypto map NAME 3 set peer
crypto map NAME 3 set transform-set strong
crypto map NAME 3 set security-association lifetime seconds 86400
crypto map NAME interface outside
isakmp enable outside
isakmp key ######## address netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

SonicWALL

Security Association: NAME
IPSec Keying Mode: IKE using Preshared Secret
Name: NAME
IPSec Gateway Address:
Phase 1 DH Group: Group 1
SA Life time (secs): 86000
Phase 1 Encryp/Auth.: DES & MD5
Phase 2 Encryp/Auth.: Encrypt for CheckPoint (ESP DES HMAC MD5)
Shared Secret: ###########
Specify destination networks below
Network: Subnet Mask:
x.x.x.x 255.255.255.0

Thanks again!

R.a.M.
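The second reply's advice (the crypto access-lists on both ends must be exact mirror images) can be checked mechanically before touching the firewalls. The Python below is an added example written for this page; it is not code from the thread, from Cisco or from SonicWALL. It parses a PIX crypto ACL into (src, dst) proxy identities, builds the (local, remote) identities a SonicWALL SA proposes from its LAN and its "destination networks", and reports every proposal for which the PIX ACL has no identical mirror entry, which is what the PIX logs as "IPSec policy invalidated proposal" after the transform attributes have already been accepted. The addresses are constructed placeholders from documentation ranges (the forum stripped the real ones), and the SonicWALL LAN value is an assumption; the sample PIX ACL follows the posted one in using host entries while the SonicWALL side specifies a /24, the overlaps-but-not-identical case the reply describes.

```python
import ipaddress


def _parse_addr_spec(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'host A', 'any', or 'A MASK'.
    Returns (IPv4Network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _pix_spec(net):
    """Render a network the way a PIX access-list entry writes it."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def parse_pix_crypto_acl(config_lines, acl_name):
    """Return the set of (src, dst) proxy identities defined by one crypto ACL.
    Only 'permit' entries count; src is the PIX side, dst is the peer side."""
    pairs = set()
    for line in config_lines:
        tokens = line.split()
        if tokens[:3] != ["access-list", acl_name, "permit"]:
            continue
        # tokens[3] is the protocol keyword (ip/tcp/...); the addresses follow it
        src, i = _parse_addr_spec(tokens, 4)
        dst, _ = _parse_addr_spec(tokens, i)
        pairs.add((src, dst))
    return pairs


def sonicwall_proxy_ids(local_networks, destination_networks):
    """Build the (local, remote) proxy identities a SonicWALL SA proposes from its
    own LAN networks and the 'destination networks' on the SA page, each given
    as (address, subnet mask) strings."""
    def to_net(addr, mask):
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return {(to_net(*loc), to_net(*rem))
            for loc in local_networks for rem in destination_networks}


def proxy_id_mismatches(pix_config, acl_name, sw_local, sw_dest):
    """List every SonicWALL proposal that has no exact mirror (dst, src) entry in
    the PIX crypto ACL, i.e. what the PIX reports as 'IPSec policy invalidated
    proposal' even though the transform attributes were acceptable."""
    pix_pairs = parse_pix_crypto_acl(pix_config, acl_name)
    problems = []
    for sw_local_net, sw_remote_net in sorted(sonicwall_proxy_ids(sw_local, sw_dest)):
        needed = (sw_remote_net, sw_local_net)   # mirror image as seen from the PIX
        if needed in pix_pairs:
            continue
        # The usual failure: an entry that overlaps (host vs. subnet) but is not identical
        near = [f"{_pix_spec(s)} {_pix_spec(d)}" for s, d in pix_pairs
                if s.overlaps(needed[0]) and d.overlaps(needed[1])]
        hint = ("overlaps but is not identical to: " + "; ".join(near)) if near \
            else "no overlapping PIX entry at all"
        problems.append(
            f"SonicWALL proposes local {sw_local_net} -> remote {sw_remote_net}; "
            f"PIX '{acl_name}' needs 'permit ip {_pix_spec(needed[0])} "
            f"{_pix_spec(needed[1])}' ({hint})")
    return problems


# Constructed sample input modelled on the thread's configs. The forum stripped the
# real addresses; these are documentation ranges, and the SonicWALL LAN is assumed.
PIX_CONFIG = [
    "access-list 20 permit tcp host 192.0.2.10 host 198.51.100.20 eq telnet",
    "access-list vpn-name permit ip host 192.0.2.10 host 198.51.100.20",
]
SONICWALL_LOCAL = [("198.51.100.0", "255.255.255.0")]   # SonicWALL LAN (assumed)
SONICWALL_DEST = [("192.0.2.0", "255.255.255.0")]       # 'destination networks' on the SA page

# PIX ACL widened so that it is the exact mirror of what the SonicWALL proposes
PIX_CONFIG_FIXED = [
    "access-list vpn-name permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0",
]

if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_CONFIG), ("after widening the ACL", PIX_CONFIG_FIXED)):
        found = proxy_id_mismatches(cfg, "vpn-name", SONICWALL_LOCAL, SONICWALL_DEST)
        print(f"{label}: {len(found)} mismatch(es)")
        for problem in found:
            print("  " + problem)
```

Run stand-alone, the script reports one mismatch for the posted-style configuration and none once the PIX entry covers the same two subnets the SonicWALL names. The check only covers proxy identities; transform and lifetime mismatches show up earlier in the debug output, before "atts are acceptable".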

sclawson
Level 1

We were trying to connect a SonicWall to a Cisco VPN3000 concentrator with similar problems. Upgrading to Sonicwall firmware 6.4.0.1 did the trick.

Did the encryption work as well after upgrading the SonicWall firmware? What version did the SonicWall appliance have before updating it?

Thanks again,

R.a.M.

Previous version was 6.3.1.4. Upgraded to 6.40.01. The Sonicwall is at a different company than mine, so that's all I can tell you.

OK, thanks for your help!

R.a.M.