New Member

Problems with SonicWALL to PIX VPN establishment

While establishing a VPN channel between a SonicWALL firewall and a PIX firewall, I get the following messages on the PIX when running the debug option:

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending INITIAL_CONTACT notify

crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 830869750

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 28800

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)

ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block: src remote peer (SonicWALL), dest local peer (PIX Firewall)

I am using IP NAT on both sides of the connection, but the VPN is not established.

I would be grateful for any help you can give me in the matter.

Thanks in advance,

R.a.M.

7 REPLIES
Bronze

Re: Problems with SonicWALL to PIX VPN establishment

Hi,

Your IPsec phase II is failing. Make sure that you don't have PFS turned on on the SonicWALL side, or any other IKE II parameter mismatching.

Thx

Afaq

Cisco Employee

Re: Problems with SonicWALL to PIX VPN establishment

This (ISAKMP: IPSec policy invalidated proposal) generally means your crypto access-lists aren't the exact opposite of each other. The SonicWALL is trying to bring up a tunnel for a specific traffic pattern, which doesn't match what the PIX is configured for. Make sure the crypto traffic is the exact opposite of each other on either end.

New Member

Re: Problems with SonicWALL to PIX VPN establishment

OK! Here is the configuration on both sides of the VPN:

PIX Firewall

access-list 20 permit tcp host host eq telnet

access-list vpn-name permit ip host host

crypto ipsec transform-set strong esp-des esp-md5-hmac

crypto map NAME 3 ipsec-isakmp

crypto map NAME 3 match address vpn-name

crypto map NAME 3 set peer

crypto map NAME 3 set transform-set strong

crypto map NAME 3 set security-association lifetime seconds 86400

crypto map NAME interface outside

isakmp enable outside

isakmp key ######## address netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

SonicWALL

Security Association: NAME

IPSec Keying Mode: IKE using Preshared Secret

Name: NAME

IPSec Gateway Address:

Phase 1 DH Group: Group 1

SA Life time (secs): 86000

Phase 1 Encryp/Auth.: DES & MD5

Phase 2 Encryp/Auth.: Encrypt for CheckPoint (ESP DES HMAC MD5)

Shared Secret: ###########

Specify destination networks below

Network: Subnet Mask:

x.x.x.x 255.255.255.0

Thanks again!

R.a.M.
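
Added example, not part of any post in this thread: a small Python check of the "exact opposite" rule for crypto access-lists described in the reply above. It parses a PIX `access-list ... permit ip` entry and compares it with the peer's local and destination networks; the function names and all addresses are constructed for illustration, and the sample pairs a host-to-host ACL with a 255.255.255.0 destination network, the same shapes as the two configurations posted above.

```python
import ipaddress

def parse_pix_acl(line):
    """Return (source, destination) networks from 'access-list N permit ip SRC DST'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError("not a 'permit ip' crypto ACL entry: " + line)
    nets, i = [], 4
    while i < len(tok):
        if tok[i] == "any":                      # any -> 0.0.0.0/0
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif i + 1 >= len(tok):
            raise ValueError("truncated address in: " + line)
        elif tok[i] == "host":                   # host A -> A/32
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32")); i += 2
        else:                                    # A MASK (PIX ACLs take netmasks)
            nets.append(ipaddress.ip_network(tok[i] + "/" + tok[i + 1])); i += 2
    if len(nets) != 2:
        raise ValueError("expected one source and one destination: " + line)
    return nets[0], nets[1]

def mirror_problems(pix_acl, peer_local, peer_destination):
    """List the ways the peer's Quick Mode proxy IDs fail to mirror the PIX ACL.

    peer_local is the network behind the remote gateway; peer_destination is
    the network it is configured to reach through the tunnel."""
    src, dst = parse_pix_acl(pix_acl)
    peer_local = ipaddress.ip_network(peer_local)
    peer_destination = ipaddress.ip_network(peer_destination)
    problems = []
    if src != peer_destination:   # PIX source must equal peer's destination
        problems.append(f"PIX source {src} vs peer destination {peer_destination}")
    if dst != peer_local:         # PIX destination must equal peer's local net
        problems.append(f"PIX destination {dst} vs peer local {peer_local}")
    return problems

# Constructed sample values (private addresses, not taken from the thread).
HOST_ACL = "access-list vpn-name permit ip host 10.1.1.10 host 192.168.50.20"
SUBNET_ACL = ("access-list vpn-name permit ip 10.1.1.0 255.255.255.0 "
              "192.168.50.0 255.255.255.0")
PEER_LOCAL, PEER_DEST = "192.168.50.0/24", "10.1.1.0/255.255.255.0"

if __name__ == "__main__":
    for acl in (HOST_ACL, SUBNET_ACL):
        print(acl, "->", mirror_problems(acl, PEER_LOCAL, PEER_DEST) or "mirrored")
```
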

New Member

Re: Problems with SonicWALL to PIX VPN establishment

We were trying to connect a SonicWall to a Cisco VPN3000 concentrator with similar problems. Upgrading to Sonicwall firmware 6.4.0.1 did the trick.

New Member

Re: Problems with SonicWALL to PIX VPN establishment

After upgrading the SonicWall firmware, does the encryption work as well? What version did the SonicWall appliance have before updating it?

Thanks again,

R.a.M.

New Member

Re: Problems with SonicWALL to PIX VPN establishment

Previous version was 6.3.1.4. Upgraded to 6.40.01. The Sonicwall is at a different company than mine, so that's all I can tell you.

New Member

Re: Problems with SonicWALL to PIX VPN establishment

OK, thanks for your help!

R.a.M.
