
Can't get past Building IPSec Tunnel


gknight1 (Programmer)
Jul 27, 2006
Setup
SonicWall TZ170 Enhanced
5610 phone
IPO 4.2

I am able to exchange keys and pass Phase 1, the phone times out on Phase 2. I get the following 2 errors...

IKE Phase 2 no response
Errorcode:3997700:0
Module: IKEMPD:353

and

IKE Phase 2 no response
Errorcode:3997700:0
Module:IKECFG:1148

I can't find anything on these error codes, so what are those error codes good/used for??? (That's beside the point.)

I am using the Juniper w/ Xauth profile on the VPN phone with the following settings...

server:79.43.xxx.xxx(public ip address of the sonicwall)
username:vpnphone(user setup in the sonicwall)
password:vpnphone
group name:WAN
Group PSK: xxxxxxxxxxxxxxxx(PSK setup in sonicwall)
VPN Start Mode:Boot
password type:save in flash
encapsulation:RFC(have tried all other options as well)
IKE Parameters...
IKE ID Type:IP Address
DH Group:2
Encryption Alg:3DES
Authentication Alg:SHA1
IKE Xchg Mode:Aggressive
IKE Config Mode:Disabled(tried enabled as well)
Xauth:Enabled
IPSec Parameters...
Encryption Alg:3DES
Authentication Alg:SHA1
DH Group:2
Protected Nets...
Virtual IP:192.168.21.54(local ip address of the phone)


Now something I noticed is in the sonicwall configuration under the IPSec Proposal setup there is a protocol that is set to ESP that can NOT be changed. Well, in the VPN phone I do not have a setting for IPSec protocol. Is this because ESP is a standard, so I do not need to change it on the phone?

Any help would be greatly appreciated.
 
gknight, I had the same issue when setting up mine. Without looking at my set up I vaguely recall having to use the Cisco-XAuth (or is there a generic one?) to make this work. Make sure that "Require Authentication via XAuth" is checked on the Sonicwall and that the specified group is Trusted Users.

It took me forever to get a config working properly with a very similar setup, I wish I would have documented it better at the time.
 
Yeah, I have tried the Cisco Xauth and the generic one. The thing with the generic is it is not Xauth, and I need it to be.

It shouldn't be a user issue, because in the sonicwall log I can see the successful login of "vpnphone", and when it doesn't reach phase two it logs out the "vpnphone" user.
 
Use generic on the phone. I had the same problem and it was because I have my IPO on a different subnet. The following is based on a TZ 170.
IP Office Core Software 4.0.7
Sonicwall TZ170 Standard Mode 3.1.3.0-6s
Sonicwall VPN License Yes
Sonicwall TZ170 Enhanced Mode 3.2.3.0-6e
IP Phone Model 5610
IP Phone Firmware 2.3.249
IP Office IP Address 192.168.2.5
TFTP/File Server 192.168.2.10
IP Phone IP Address DHCP
IP Phone CallSV 192.168.2.5
IP Phone CallSVPort 1719 [Default]
IP Phone Router DHCP
IP Phone Mask DHCP
IP Phone FileSv 192.168.2.10
IP Phone 802.1Q Auto
IP Phone VLAN ID 0

Password used during testing 1234567890
Remote ID used for Standard Mode test GroupVPN
Remote ID used for Enhanced Mode test GroupVPN

Notes
1. The IP Phones may require a Virtual IP Address to be configured in the VPN settings. Please take care in choosing a Virtual IP Range. Consider where the phone is most likely to be used and ensure that the Virtual IP Range selected will not conflict. For instance, many VPN IP Phones may be installed at user’s homes. Typically a Home Router uses 192.168.0.x or 192.168.1.x as its internal network range therefore it is recommended that this is not used as a Virtual IP Address Range.
2. IMPORTANT: Many VPN Routers will not allow a direct media path to be established between two VPN Endpoints. It will be necessary to uncheck the Direct Media Path checkbox in the Extension Configuration in IP Office. Failure to do so will result in No Speech path when two VPN extensions try and establish a call.
3. Review the Sample 46vpnsetting.txt file for simplifying configuration settings on the IP Phones.
4. While the defaults for Encryption are set at 4500-4500 and these settings are preferred, there may be instances where (depending on what the Home router supports) the user may need to either disable this setting, or change to one of the other options.
5. If manually configuring a Virtual IP Address on the IP Hard-phone, ensure that accurate records are kept of IP Address allocations to avoid IP Address conflicts.

Sonicwall Tz170 VPN Router VPN Configuration settings
Important Note: Please note that the Sonicwall TZ170 Enhanced Mode has additional configuration options that need to be set. Please ensure that correct settings guidelines are followed.
Once logged into the Router, Select the VPN Option, then Select Settings
Global Settings
Enable VPN Checked
Unique Firewall Identifier Default Firewall Identifier
VPN Policies
GroupVPN (Standard) Enable (Disabled by default)
WAN GroupVPN (Enhanced) Enable (Disabled by default)
Select the Edit Icon to modify the VPN Policy
General Tab
Security Policy
IPSec Keying Mode IKE using Preshared Secret
Name Standard GroupVPN
Name Enhanced WAN GroupVPN
Shared Secret 1234567890

Proposals Tab
IKE (Phase 1) Proposal
DH Group 2
Encryption 3Des
Authentication SHA1
Life Time (seconds) 28800

IPSEC (Phase 2) Proposal
Protocol ESP
Encryption ALG 3DES
Authentication ALG SHA1
Enable Perfect Forward Secrecy Checked
DH Group 2
Life Time (seconds) 28800

Advanced Tab
Advanced Settings
Enable Windows Networking (Netbios) Broadcast Unchecked
Apply NAT and Firewall Rules Unchecked (Standard)
Forward packets to remote VPNs Unchecked (Standard)
Management via this SA HTTP/HTTPS – Unchecked (Enhanced)
Default Gateway 0.0.0.0
VPN Terminated at LAN (Standard)
Client Authentication
Require Authentication of VPN Clients via XAUTH Unchecked
Allow Unauthenticated VPN Client Access LAN Primary Subnet (Enhanced)

Client Tab
User Name and Password Caching
Cache XAUTH User name and password on Client Never
Client Connections
Virtual Adapter settings DHCP Lease or Manual Configuration
Allow Connections to Split Tunnels
Set Default Route as this Gateway Unchecked
Require Global Security Client for this connection Unchecked
Client Initial Provisioning
Use Default Key for Simple Client Provisioning Unchecked

Select the Advanced VPN Settings Page and ensure the following options are enabled (usually enabled by default)
Advanced VPN Settings
Enable IKE Dead Peer Detection Enabled
Dead Peer Detection Interval (seconds) 60
Failure Trigger Level (missed heartbeats) 3
Enable Fragmented Packet Handling Enabled
Ignore DF (don’t fragment) Bits Enabled
Enable NAT Traversal Enabled

If your IPO is not on your primary subnet, change the Allow Unauthenticated VPN Client Access LAN Primary Subnet (Enhanced) to Lan Subnets.
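As an added example, not code from any poster, from Avaya or from SonicWall, the following Python script transcribes the phone's IKE/IPSec parameters from the first post and the TZ170 Phase 1/Phase 2 proposals from the configuration above into plain data structures and reports where the two sides disagree. The values are copied from the thread, not read from any device; the phone has no IPSec protocol setting, so ESP is assumed for it, and the session-level checks (XAuth and IKE Config Mode versus a manually set Virtual IP) are assumptions modelled on what the posters describe, including the fix reported at the end of the thread.

```python
"""Offline consistency check between an IKEv1 client's and a gateway's proposals.

Constructed example: the values below are transcribed from the forum posts
(phone = first post, gateway = the TZ170 settings above). Nothing is read
from a live device.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proposal:
    encryption: str
    authentication: str
    dh_group: Optional[int] = None   # Phase 1: IKE group. Phase 2: PFS group (None = PFS off)
    protocol: str = "ESP"            # Phase 2 only; phone exposes no knob, ESP is assumed
    lifetime: Optional[int] = None   # seconds; None when the device does not show it


@dataclass
class ClientSession:
    exchange_mode: str               # "Aggressive" or "Main"
    xauth: bool                      # client will answer an XAuth challenge
    ike_config_mode: bool            # client asks the gateway to push an inner address
    virtual_ip: Optional[str] = None # inner address typed in by hand, if any


@dataclass
class GatewaySession:
    require_xauth: bool              # "Require Authentication of VPN Clients via XAUTH"


def _norm(value) -> str:
    """Case/hyphen-insensitive comparison key: '3Des' == '3DES', 'AES-128' == 'aes128'."""
    return str(value).strip().lower().replace("-", "")


def compare_proposals(phase: str, client: Proposal, gateway: Proposal) -> List[str]:
    """Return human-readable mismatches; an empty list means the proposal can match."""
    problems: List[str] = []
    for attr in ("encryption", "authentication", "protocol"):
        c, g = _norm(getattr(client, attr)), _norm(getattr(gateway, attr))
        if c != g:
            problems.append(f"{phase} {attr}: client={c} gateway={g}")
    # Phase 1: both sides must use the same IKE DH group.
    # Phase 2: with PFS enabled on the gateway, the client must offer the same PFS group;
    # a client offering a group to a gateway with PFS off is reported the same way.
    if client.dh_group != gateway.dh_group:
        problems.append(f"{phase} dh_group: client={client.dh_group} gateway={gateway.dh_group}")
    if client.lifetime is not None and gateway.lifetime is not None \
            and client.lifetime != gateway.lifetime:
        problems.append(f"{phase} lifetime: client={client.lifetime} gateway={gateway.lifetime}")
    return problems


def compare_session(client: ClientSession, gateway: GatewaySession) -> List[str]:
    """Session-level differences that are not part of the proposal exchange (assumed checks)."""
    notes: List[str] = []
    if client.xauth != gateway.require_xauth:
        notes.append(f"xauth: client={client.xauth} gateway_requires={gateway.require_xauth}")
    if client.ike_config_mode and client.virtual_ip:
        notes.append("ike_config_mode enabled although a Virtual IP is set manually "
                     "(the thread's reported fix was to disable IKE Config Mode on the phone)")
    if not client.ike_config_mode and not client.virtual_ip:
        notes.append("client neither requests mode-config nor has a Virtual IP set")
    return notes


# --- values transcribed from the thread (constructed data, not device output) ---
PHONE_PHASE1 = Proposal("3DES", "SHA1", dh_group=2)
PHONE_PHASE2 = Proposal("3DES", "SHA1", dh_group=2)              # protocol: ESP assumed
SONICWALL_PHASE1 = Proposal("3Des", "SHA1", dh_group=2, lifetime=28800)
SONICWALL_PHASE2 = Proposal("3DES", "SHA1", dh_group=2, protocol="ESP", lifetime=28800)  # PFS on, group 2
PHONE_SESSION = ClientSession("Aggressive", xauth=True, ike_config_mode=True,
                              virtual_ip="192.168.21.54")
SONICWALL_SESSION = GatewaySession(require_xauth=False)           # as listed in the post above


def audit() -> Dict[str, List[str]]:
    """Run every check over the transcribed values and return the findings per area."""
    return {
        "phase1": compare_proposals("phase1", PHONE_PHASE1, SONICWALL_PHASE1),
        "phase2": compare_proposals("phase2", PHONE_PHASE2, SONICWALL_PHASE2),
        "session": compare_session(PHONE_SESSION, SONICWALL_SESSION),
    }


if __name__ == "__main__":
    for area, findings in audit().items():
        print(f"{area}: {'OK' if not findings else ''}")
        for line in findings:
            print(f"  - {line}")
```

For the thread's values the Phase 1 and Phase 2 proposals come out clean, which is consistent with Phase 1 succeeding; the findings are all at the session level, where the phone and the gateway disagree on XAuth and where IKE Config Mode is on while a Virtual IP is also set by hand. Editing either side's dictionary (for instance unticking Perfect Forward Secrecy on the gateway, i.e. `dh_group=None` in `SONICWALL_PHASE2`) shows how a single Phase 2 knob turns into a proposal mismatch.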
 
Thanks brainey, but that's what I had when I first tested it and it did work.

This is my situation...
We have 3 or 4 people that have Global VPN Client software on their laptops which require them to log in with their username and password for the firewall. Now if I uncheck the Require Authentication of VPN clients via XAuth, I won't be able to log in with the global client software.

Please let me know if I am thinking too much about this. I think I need the Require Authentication of VPN clients via XAuth to be checked in order to log in with the global client software.
 
gknight, you are exactly correct about needing the XAuth to be on. I had the exact same issue that you are experiencing, but I cannot remember exactly what I did to make it work. If I have a few minutes tonight I will take a look at my setup. It is something minor that you have to edit on the phone if I recall.
 
gknight, I took some pictures of my phone so that you could try and match yours to mine. I have attached it to this post. A couple of notes here however...

1. I remember having to configure the phone with a script to get the VPN Group Name entered because I could not enter a space (at least I couldn't figure out how to do it). Your firewall may just use GroupVPN for the name so this would not apply to you.

2. I am using the Cisco_With_XAuth config

3. Look at each screen carefully, I can't remember which setting it was, but I believe it was the Encapsulation setting, or something in the IKE Parameters settings.

Good luck, and let me know if you get yours working and what setting it was and I will document it.
 
http://www.btpartners.com/downloads/vpnphoneconfig.pdf
gknight, it has been a while, but I was tasked with doing this again and came across the setting that made it work for me. It was changing the "IKE Config Mode" under the IKE Parameters screen to "Disabled" instead of the default "Enabled".

Hope this helps!
 