Cisco Support Community

New Member

Sonicwall to ASA 5510 VPN

Ok, I'm hoping that someone can help me figure this little problem out. I have an ASA 5510 at the office and am attempting to use a Sonicwall SOHO3 to create an IKE VPN into the office. Every time that I go to connect, I get the following errors. I'm new to the ASA, so I'm sure that there is something simple that I am missing, but whatever it is, it keeps eluding me and at this time, I feel like I'm just running around in circles. Any direction or hints that anyone might be able to provide would be much appreciated.

ASA - IP: 66.57.x.x, Header Invalid, missing SA Payload! (Next Payload = 4)

SOHO3 - 11/13/2006 10:25:20.512 IKE Initiator: No response - remote party timeout 66.57.x.x, 500 204.117.x.x, 500

11/13/2006 10:25:11.464 Received notify: INVALID_COOKIES 204.117.x.x 66.57.x.x

11/13/2006 10:25:11.464 RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x631a62xxxxxxx, MsgID: 0x0) (NOTIFY:INVALID_COOKIE) 204.117.x.x, 500 66.57.x.x, 500

My ASA config for the VPN is as follows:

crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map WAN_dyn_map 1 set transform-set ESP-3DES
crypto dynamic-map WAN_dyn_map 1 set reverse-route
crypto map WAN_map 20 match address WAN_20_cryptomap
crypto map WAN_map 20 set pfs
crypto map WAN_map 20 set peer 66.57.x.x
crypto map WAN_map 20 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN
crypto map management_map 20 match address management_20_cryptomap
crypto map management_map 20 set pfs
crypto map management_map 20 set connection-type answer-only
crypto map management_map 20 set peer 66.57.x.x
crypto map management_map 20 set transform-set ESP-3DES-SHA
crypto map management_map interface management
crypto isakmp identity address
crypto isakmp enable LAN
crypto isakmp enable WAN
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 004010167704 type ipsec-l2l
tunnel-group 004010167704 ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
no tunnel-group-map enable ou
tunnel-group-map default-group 004010167704
telnet timeout 5
ssh timeout 5
console timeout 0
management-access LAN

SonicWall SOHO Config:

Exchange: Main Mode
Phase 1 DH Group: Group 2
SA Life Time: 86400
Phase 1 Encryp/Auth: 3DES & SHA1
Phase 2 Encryp/Auth: ESP 3DES HMAC SHA1
Enable Keep Alives: Yes
Enable Perfect Forward Security: Yes
Phase 2 DH Group: Group 2

Again, if anyone could shed some light on this, I would greatly appreciate it.

Thanks!

Mike Bausley, MCP

Network Engineer

Raymond Handling Solutions, Inc.

3 REPLIES
Cisco Employee

Re: Sonicwall to ASA 5510 VPN

Hi,

Can you change:

tunnel-group 004010167704 type ipsec-l2l
tunnel-group 004010167704 ipsec-attributes
 pre-shared-key *

To:

tunnel-group 66.57.x.x type ipsec-l2l
tunnel-group 66.57.x.x ipsec-attributes
 pre-shared-key *

and then try to bring up the tunnel.

Let me know if it helps.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: Sonicwall to ASA 5510 VPN

OK, that along with enabling perfect forward security solved my connection issue. Now I'm having problems routing on the office LAN. My IPSec connection is up and running, but I can't connect to anything in the office via the VPN. Do I need to add a route somewhere, or is it a policy problem? (I'm not seeing any log entries about traffic being denied across the connection, so I am kind of stumped.)

Thanks for your help!

New Member

Re: Sonicwall to ASA 5510 VPN

I figured out that my lingering problem was due to a NAT exemption rule that I needed to work out. I've now got my VPN up and running without any problems. Thanks for your help!
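
The tunnel-group rename suggested in the first reply, written as a config check (an added example, not part of the thread and not Cisco tooling): it flags every crypto map peer that has no ipsec-l2l tunnel-group named after the peer address, or whose tunnel-group carries no pre-shared-key. The function name and the sample addresses are constructed for this example, and it assumes sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample config using documentation addresses (not from the thread).
SAMPLE_CONFIG = """\
crypto map WAN_map 20 set pfs
crypto map WAN_map 20 set peer 203.0.113.10
crypto map WAN_map 30 set peer 198.51.100.7
crypto map WAN_map interface WAN
tunnel-group 004010167704 type ipsec-l2l
tunnel-group 004010167704 ipsec-attributes
 pre-shared-key *
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def audit_l2l_peers(config):
    """Return one finding per crypto map peer that lacks a usable L2L tunnel-group."""
    peers, l2l_groups, keyed_groups = [], set(), set()
    current_attr = None  # tunnel-group whose ipsec-attributes sub-mode we are in
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current_attr = None  # any top-level command leaves the sub-mode
        if m := PEER_RE.match(line):
            # "set peer" may list several addresses on one line
            peers += [(m.group(1), m.group(2), ip) for ip in m.group(3).split()]
        elif m := TG_TYPE_RE.match(line):
            l2l_groups.add(m.group(1))
        elif m := TG_ATTR_RE.match(line):
            current_attr = m.group(1)
        elif current_attr and line.strip().startswith("pre-shared-key"):
            keyed_groups.add(current_attr)
    findings = []
    for cmap, seq, ip in peers:
        if ip not in l2l_groups:
            findings.append(f"{cmap} {seq}: no ipsec-l2l tunnel-group named {ip}")
        elif ip not in keyed_groups:
            findings.append(f"{cmap} {seq}: tunnel-group {ip} has no pre-shared-key")
    return findings

if __name__ == "__main__":
    for finding in audit_l2l_peers(SAMPLE_CONFIG):
        print(finding)
```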
