9608 with Sonicwall M250 5

Status
Not open for further replies.

Trems

Programmer
Feb 13, 2003
75
US
I'm having a little trouble getting this to connect. We have done a bunch with TZ models in the past. Here are some screenshots from the SonicWall, and I will post my phone config as well. Please let me know if you see anything. The GroupVPN is in use for another user, so the IT people built a new VPN. I am getting "IKE Phase 1 No response".
M250_ooqcjh.jpg
2501_bchrk3.jpg
M252_wfrcv5.jpg


ADDR
Phone 0.0.0.0
IP Office 172.30.2.99
Router 0.0.0.0
Mask 0.0.0.0
IP Office 172.30.2.99
IP Office 172.30.2.99
802.1Q Auto
VLAN ID 0
VLAN Test 60

VPN
VPN- Enable
VPN Vendor- Juniper
Gateway - 64.140.XXX.XXX
External Phone address- 0.0.0.0
External Router- 0.0.0.0
External Subnet- 0.0.0.0
External DNS- 0.0.0.0
Encapsulation- 4500-4500
Copy tos- no
Auth Type- PSK
IKE ID - VoIP Phones
PSK - XXXXXXX

IKE Phase 1
IKE ID Type - FQDN
DH Group - 2
Encryption ALG - 3DES
Authentication ALG – SHA1
IKE Xchange Mode - Aggressive
IKE Config Mode - Disable

IKE Phase 2
Encryption ALG - 3DES
Authentication ALG – SHA1
DH Group - 2
Protected Nets – (Local LAN) 172.30.2.0/24
IKE over TCP- Never
 
For SonicWall I have always found the profile needs to be Other. I also always use PSK with XAuth on SonicWalls.

Also for Phase 2 you have set DH Group to 2, but your pics do not show PFS as active.

Attached is the basic Word doc I send to people when configuring a VPN on a SonicWall.

Then the settings on the phone I would put are


General
VPN Enabled
VPN Vendor - Other
Gateway Address - Your Firewall's IP


Auth Type PSK With Xauth


User Cred
VPN User Type - Any
Username As set by you
Password As set by you

IKE PSK
IKE ID (Group Name) GroupVPN
Pre-Share Key(PSK) As set by you


IKE Parameters
IKE ID Type FQDN
IKE XChg Mode Aggressive
IKE DH Group 2
IKE Encryption Alg 3DES
IKE Authentication Alg SHA-1
IKE Config Mode Disabled


IKE Phase 2
IPSec Encryption Alg 3DES
IPSec Authentication Alg SHA-1
IPSec PFS DH Group 2
Protected Net 192.168.55.0/24


IKE Over TCP - Auto


| ACSS SME |
 
 http://files.engineering.com/getfile.aspx?folder=bea6c429-6c7b-4d34-a96c-c908f8bc5c5d&file=SonicWall_VPN_Setup.docx
Thank you for the reply, I have tried Other as well with the same result. We are failing on IKE phase 1, so we are missing something very basic to even get it to communicate. We have used XAuth in the past as well as IKE with PSK. This newer NSA has some additional settings and the IT dept isn't sure about some of them. I did notice yesterday it seems he has built this tunnel as a site to site, so I am waiting to hear back from him today. He can't use the GroupVPN for our phones as he is already using it for some remote connections. At least that is what he told me, I am no SonicWall expert!
 
Trems
It is not a site to site VPN, so that may be the big one. Also check for typos.

Pepp77
Have some pink for sharing your document with the world.

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
 
Thanks Westi, I have asked him to reconfigure and simplify the tunnel name as well as the PSK for testing. I'll post when we get it.
 
Pink for Pepp77; nicely done instructions are always welcome additions to my piles of notes.

The truth is just an excuse for lack of imagination.
 
Please also find attached a spreadsheet you can send to IT companies if you do not control the firewall. It is a list of all the settings that need to be entered on the phone (with dropdowns where the options are only choosable, i.e. DH Group).

| ACSS SME |
 
 http://files.engineering.com/getfile.aspx?folder=56e22336-def1-468d-aa8c-70c81bf9f854&file=VPN_Phone_Information_Checklist_-_Default.xlsx
Pepp77, perfect post. Managed to get our phones to establish a tunnel using your guide. Can I ask what you configure for DHCP, and whether any additional firewall rules need creating? Our test phone connects to the VPN but then sticks at Discover for the IP Office.

9600 series handset and a TZ400

Thanks
Dave
 
Ours is up and running, works with either Juniper or Other. The issue was the IT guy created a new tunnel and was using a site to site. Didn't catch it until he screenshotted the actual tunnel page for me. Thanks for the help though!
SegaMegaDave, the only time we hang on Discover is when the IP range is the same...
 
Cheers Trems, thanks for the reply. Our IP Office is on the 192.168.32.x network, the phone is plugged into a 192.168.19.x network. The bit I don't get is if I need to configure DHCP over VPN on the SonicWall or if I need to configure the phone with an IP for my 32 network somewhere.
 
In your scenario, ours would be set up with DHCP at the .19 network and protected nets set to the 32 network.
 
The DHCP for the phones is done by the local DHCP server. If you are getting discover after the VPN tunnel is created then I would check the IP routes on the IPO and the remote extension settings.

| ACSS SME |
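
Added example (not written by any poster in this thread, and not Avaya or SonicWall code): a pre-flight comparison of the phone's VPN values against the gateway policy, covering the three mismatches the thread ran into: a tunnel built as site-to-site, Phase 2 PFS set on one side only, and a local range that is the same as the protected net. The key names, the `policy_type` labels and all gateway-side values are assumptions made for the illustration.

```python
import ipaddress

# Settings that must be identical on phone and gateway (key names are this
# example's own, not Avaya or SonicWall identifiers).
MUST_MATCH = ["ike_id", "exchange", "p1_dh", "p1_enc", "p1_auth",
              "p2_enc", "p2_auth", "p2_pfs_dh"]

def preflight(phone, gateway):
    """Return (field, message) findings; an empty list means consistent."""
    findings = []
    # The thread's root cause: the new tunnel had been built as site-to-site.
    if gateway["policy_type"] == "site-to-site":
        findings.append(("policy_type", "gateway tunnel is site-to-site"))
    # Exact comparison, so a typo in the IKE ID is reported too.
    for field in MUST_MATCH:
        if phone[field] != gateway[field]:
            findings.append(
                (field, f"phone={phone[field]!r} gateway={gateway[field]!r}"))
    protected = ipaddress.ip_network(phone["protected_net"])
    if protected != ipaddress.ip_network(gateway["lan_net"]):
        findings.append(("protected_net", "differs from the gateway LAN"))
    # Same range on both sides is when the phone hangs at Discover.
    if protected.overlaps(ipaddress.ip_network(phone["local_net"])):
        findings.append(("local_net", "overlaps the protected net"))
    return findings

# Constructed sample values. Phone side follows the first post; local_net and
# every gateway value are assumptions standing in for the screenshots.
PHONE = {
    "ike_id": "VoIP Phones", "exchange": "aggressive",
    "p1_dh": 2, "p1_enc": "3des", "p1_auth": "sha1",
    "p2_enc": "3des", "p2_auth": "sha1", "p2_pfs_dh": 2,
    "protected_net": "172.30.2.0/24", "local_net": "192.168.19.0/24",
}
GATEWAY = {
    "policy_type": "site-to-site",   # "group" is this example's other label
    "ike_id": "VoIP Phones", "exchange": "aggressive",
    "p1_dh": 2, "p1_enc": "3des", "p1_auth": "sha1",
    "p2_enc": "3des", "p2_auth": "sha1",
    "p2_pfs_dh": None,               # PFS not enabled on the gateway
    "lan_net": "172.30.2.0/24",
}

if __name__ == "__main__":
    for field, message in preflight(PHONE, GATEWAY):
        print(f"{field}: {message}")
```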
 