
PIX to SonicWall Site to Site VPN


liorz66

IS-IT--Management
Jan 7, 2004
IL
Hello Guys,
I'm trying to configure a site-to-site VPN between a SonicWall and a Cisco PIX and nothing happens! I don't get a log error on my Sonic! (The PIX is not under my responsibility and I know nothing about it; it is maintained by the ISP.)
It started with no compatible Phase 2 configuration. The Sonic, for example, has ESP DES HMAC MD5 while the PIX doesn't have anything similar to HMAC. We tried almost every option (except the AES options I have in the Sonic).
Can anyone tell me how to configure them?

thanks

LI

 
Hmm, sure it does; the PIX has support for DES/3DES/AES, MD5/HMAC, AH and so on. It's just a matter of configuring it.

Get the VPN config from the PIX and post it, and we can help you much more easily.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
I'm in a similar situation. Our Cisco 3005 concentrator decided to die, and we already have a SonicWall Pro 2040.
I'm trying to get two site-to-site VPNs from the SonicWall to PIX 506Es. The log on the SonicWall reads "IKE negotiation aborted due to timeout" and I don't see the PIX trying to connect. The PIX is offsite, but there is someone there to load a config today. We've spent a very good amount of time on this already.

VPN is enabled and configured on the SonicWall using IKE with a shared secret (Phase 1 with main mode, group 2, 3DES, SHA1; Phase 2 using ESP, 3DES, SHA1); "enable keep alive" and "try to bring up all possible tunnels" are both checked.

PIX config:

chi-firewall01(config)# show config
: Saved
: Written by enable_15 at 11:30:05.136 CDT Wed Mar 16 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password rthIKig84sUsr7Nn encrypted
passwd jHAm44P5QhLqYEGT encrypted
hostname chi-firewall01
domain-name corp.myname.com
clock timezone CDT -6
fixup protocol dns maximum-length 584
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.64.1 private
name (PIXexternal ip) public
access-list tunnel permit ip 192.168.64.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list tunnel permit ip 192.168.64.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list tunnel permit ip 192.168.64.0 255.255.255.0 10.0.128.0 255.255.255.0
access-list tunnel permit ip 192.168.64.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list internet permit icmp any any
access-list outbound permit ip 192.168.64.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list outbound permit ip 192.168.64.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outbound permit ip 192.168.64.0 255.255.255.0 10.0.128.0 255.255.255.0
access-list outbound permit ip 192.168.64.0 255.255.255.0 165.212.0.0 255.255.0.0
access-list outbound permit tcp 192.168.64.0 255.255.255.0 host 129.41.63.238 eq 8000
access-list outbound permit tcp 192.168.64.0 255.255.255.0 host 63.252.23.4 eq 3389
access-list outbound permit tcp 192.168.64.0 255.255.255.0 host 63.252.23.4 eq 5900
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq 20000
access-list outbound permit udp 192.168.64.0 255.255.255.0 any eq ntp
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq pptp
access-list outbound permit udp 192.168.64.0 255.255.255.0 any eq domain
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq domain
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq https
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq 81
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq ftp
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq pop3
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq ssh
access-list outbound permit udp 192.168.64.0 255.255.255.0 any eq 4500
access-list outbound permit udp 192.168.64.0 255.255.255.0 any eq 10000
access-list outbound permit udp 192.168.64.0 255.255.255.0 any eq isakmp
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq telnet
access-list outbound permit tcp 192.168.64.0 255.255.255.0 any eq nntp
access-list outbound permit udp 192.168.64.0 255.255.255.0 any eq 119
access-list pixtosw permit ip 192.168.64.0 255.255.255.0 192.168.128.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
logging trap notifications
logging host inside 192.168.64.27
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside public 255.255.255.
ip address inside private 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 (pix external ip) netmask 255.255.255.
nat (inside) 1 192.168.64.0 255.255.255.0 0 0
access-group internet in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 (pix external ip) 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address tunnel
crypto map vpn 10 set peer (sonicwall WAN ip)
crypto map vpn 10 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map tosonicwall 9 ipsec-isakmp
crypto map tosonicwall 9 match address nonat
crypto map tosonicwall 9 set peer (sonicwall WAN ip)
crypto map tosonicwall 9 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address (sonicwall WAN ip) netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet 192.168.64.0 255.255.255.0 inside
telnet 192.168.128.248 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username name password * encrypted privilege 15
terminal width 80


Rather than list everything I've tried, can anyone see a problem in the config?
 
Somehow I missed some of my ACLs in the config above during copy and paste...

access-list nonat permit ip 192.168.64.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list nonat permit ip 192.168.64.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list nonat permit ip 192.168.64.0 255.255.255.0 10.0.128.0 255.255.255.0
access-list nonat permit ip 192.168.64.0 255.255.255.0 192.168.96.0 255.255.255.0
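To make the naming question in the first post and the config posted above concrete, here is an added example (not code from the thread or from either vendor): a small Python checker that maps SonicWall proposal names onto PIX 6.3 CLI names, tests the stated Phase 1 and Phase 2 settings against the PIX isakmp policies and transform sets, and lints the crypto map for structural problems. The config text inside it is a constructed excerpt of the config above with 203.0.113.10 standing in for the redacted SonicWall WAN address; the name-mapping tables and the lint rules are this example's own.

```python
"""Cross-check SonicWall site-to-site settings against the IKE/IPsec lines of a PIX 6.3 config."""

# SonicWall UI names -> PIX CLI names (mapping written for this example).
SONIC_TO_PIX_ENC = {"des": "des", "3des": "3des", "aes-128": "aes", "aes-192": "aes-192", "aes-256": "aes-256"}
SONIC_TO_PIX_HASH = {"md5": "md5", "sha1": "sha"}
# PIX 6.3 defaults for isakmp policy attributes left unset.
ISAKMP_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}
MAP_FIELDS = {"peer": "set peer", "acl": "match address", "transform_sets": "set transform-set"}

# Constructed excerpt of the config posted above; 203.0.113.10 stands in for the SonicWall WAN IP.
PIX_CONFIG = """
nat (inside) 1 192.168.64.0 255.255.255.0 0 0
access-list nonat permit ip 192.168.64.0 255.255.255.0 192.168.128.0 255.255.255.0
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address tunnel
crypto map vpn 10 set peer 203.0.113.10
crypto map tosonicwall 9 ipsec-isakmp
crypto map tosonicwall 9 match address nonat
crypto map tosonicwall 9 set peer 203.0.113.10
crypto map tosonicwall 9 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
"""
# SonicWall settings as stated in the post: main mode, group 2, 3DES, SHA1; ESP 3DES SHA1.
SONIC_PHASE1 = {"auth": "psk", "enc": "3des", "hash": "sha1", "dh_group": 2}
SONIC_PHASE2 = {"enc": "3des", "hash": "sha1"}

def parse_pix(text):
    """Collect isakmp policies, transform sets, crypto maps, interface bindings and NAT rules."""
    cfg = {"policies": {}, "transform_sets": {}, "maps": {}, "bound": {}, "nat0": set(), "nat_rules": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "policy"]:
            cfg["policies"].setdefault(int(t[2]), {})[t[3]] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["bound"][t[4]] = t[2]                      # crypto map <name> interface <if>
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["maps"].setdefault(t[2], {}).setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform_sets"] = t[6:]
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].add(t[4])                          # NAT exemption for a crypto ACL
        elif t[0] == "nat":
            cfg["nat_rules"].append(line.strip())          # a real translation rule
    return cfg

def phase1_matches(sonic, policies):
    """Numbers of the isakmp policies whose effective attributes equal the SonicWall Phase 1 proposal."""
    want = {"authentication": "pre-share" if sonic["auth"] == "psk" else "rsa-sig",
            "encryption": SONIC_TO_PIX_ENC[sonic["enc"]],
            "hash": SONIC_TO_PIX_HASH[sonic["hash"]],
            "group": str(sonic["dh_group"])}
    return sorted(n for n, p in policies.items()
                  if all({**ISAKMP_DEFAULTS, **p}[k] == v for k, v in want.items()))

def phase2_transforms(sonic):
    """PIX transform names equivalent to a SonicWall 'ESP <enc> HMAC <hash>' proposal."""
    return frozenset({f"esp-{SONIC_TO_PIX_ENC[sonic['enc']]}",
                      f"esp-{SONIC_TO_PIX_HASH[sonic['hash']]}-hmac"})

def phase2_matches(sonic, cfg, interface="outside"):
    """(map, seq, transform-set) triples in the map bound to `interface` that offer the same transforms."""
    want, name, hits = phase2_transforms(sonic), cfg["bound"].get(interface), []
    for seq, entry in sorted(cfg["maps"].get(name, {}).items()):
        hits += [(name, seq, ts) for ts in entry.get("transform_sets", []) if cfg["transform_sets"].get(ts) == want]
    return hits

def lint(cfg):
    """Structural problems that keep a crypto map entry from ever building a tunnel."""
    findings, bound = [], set(cfg["bound"].values())
    for name, entries in cfg["maps"].items():
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface, so its entries never take effect")
        for seq, entry in entries.items():
            findings += [f"crypto map {name} {seq} is missing '{label}'" for k, label in MAP_FIELDS.items() if k not in entry]
            acl = entry.get("acl")
            if name in bound and acl and acl not in cfg["nat0"] and cfg["nat_rules"]:
                findings.append(f"crypto ACL {acl} is not exempted from NAT (no 'nat (inside) 0 access-list {acl}'); "
                                "the PIX translates before crypto-map matching, so inside sources never match it")
    return findings

if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    print("Phase 1 policy match:", phase1_matches(SONIC_PHASE1, cfg["policies"]) or "NONE")
    print("Phase 2 transform-set match:", phase2_matches(SONIC_PHASE2, cfg) or "NONE")
    print("\n".join("lint: " + f for f in lint(cfg)))
```

Run as-is it reports isakmp policy 9 and `tosonicwall 9`/`strongsha` as matches for the SonicWall settings stated in the post, shows that the "ESP DES HMAC MD5" of the first post is simply `esp-des esp-md5-hmac` in PIX terms, and flags two things in the posted config: the `vpn` crypto map is never applied to an interface (and its entry 10 has no transform set), and there is no `nat (inside) 0 access-list nonat` line, so the inside sources are translated by `nat (inside) 1` before the crypto ACL is consulted and never match it. Adding that one `nat 0` line clears the NAT finding. The checker only reasons about the lines it parses; it cannot see the pre-shared key or the SonicWall side.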
 
Thanks for the link, but I'm still having issues.

I'm running SonicOS Standard 3.0.0.3-39s, which should be the latest for the 2040. Someone else upgraded it while I was working in Chicago.

The link says to add network objects (under the Network tab)... I don't have a Network Objects selection.

It also shows 4 tabs under the VPN policy settings; I don't have a Network tab there.

I have been making some headway though...

The Sonic log now shows:

51 03/16/2005 15:39:30.736 Failed payload verification after decryption. Possible preshared key mismatch x.x.x.x, 500 x.x.x.x, 500
52 03/16/2005 15:42:41.160 IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 x.x.x.x, 62465

I've triple-checked the shared secret; it's good.

debug isakmp on the PIX shows a lot of stuff:

ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src public, dst ip
ISADB: reaper checking SA 0xf9fc2c, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for ip/500 not found - peers:0

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 9 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
ISAKMP: error, msg not encrypted

I think I might have found something though... be back after I give it a whirl.
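The PIX debug above, read together with the SonicWall's "Failed payload verification after decryption" line, tells you which Main Mode step is failing. As an added example (not from the thread, and not a Cisco tool), here is a Python triage script that reads `debug crypto isakmp` output, records which Main Mode steps were reached, extracts the peer's Phase 1 proposal and the policy it was checked against, and classifies the failure. The sample text is a constructed copy of the debug lines posted above with the addresses redacted as in the post; the stage markers are the PIX's own debug strings, the diagnosis rules are this example's.

```python
"""Triage 'debug crypto isakmp' output from a PIX 6.3: at which Main Mode step did IKE fail?"""
import re

# Constructed sample: the debug lines posted above, addresses redacted as in the post.
PIX_DEBUG = """
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 9 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
ISAKMP (0): Total payload length: 12
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:ip, dest:public spt:500 dpt:500
ISAKMP: error, msg not encrypted
"""

# Main Mode steps in protocol order: MM1/2 SA proposal, MM3/4 KE+NONCE (DH), MM5/6 ID+auth (first encrypted).
STAGE_MARKERS = (
    ("sa_proposed", re.compile(r"processing SA payload")),
    ("sa_rejected", re.compile(r"atts are not acceptable")),
    ("sa_accepted", re.compile(r"atts are acceptable")),
    ("dh_done", re.compile(r"processing NONCE payload")),
    ("id_exchanged", re.compile(r"ID payload$")),
    ("not_encrypted", re.compile(r"msg not encrypted")),
)
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group)\s+(\S+)")
POLICY_RE = re.compile(r"against priority (\d+) policy")

def classify(stages, proposal):
    """Map the set of reached stages to a diagnosis (heuristics written for this example)."""
    if "sa_proposed" not in stages:
        return "no Phase 1 exchange seen: check UDP/500 reachability, 'isakmp enable outside' and the peer addresses"
    if "sa_rejected" in stages and "sa_accepted" not in stages:
        return f"Phase 1 proposal mismatch: peer offered {proposal}; align isakmp policy with the SonicWall Phase 1 settings"
    if "dh_done" in stages and "not_encrypted" in stages:
        return ("Phase 1 proposal accepted and DH completed, then the first encrypted Main Mode message failed: "
                "pre-shared key mismatch (or IKE identity mismatch) is the usual cause")
    if "sa_accepted" in stages and "dh_done" not in stages:
        return "Phase 1 proposal accepted but no KE/NONCE followed: peer stopped answering (check UDP/500 and NAT-T both ways)"
    return "Main Mode completed without an error marker; continue with Phase 2 (Quick Mode) debug"

def triage(debug_text):
    """Return reached stages, the peer's proposal, the policy it was checked against and a diagnosis."""
    stages, proposal, policy, errors = set(), {}, None, 0
    for raw in debug_text.splitlines():
        line = raw.strip()
        for stage, rx in STAGE_MARKERS:
            if rx.search(line):
                stages.add(stage)
                errors += stage == "not_encrypted"
        m = ATTR_RE.match(line)
        if m:
            proposal["group" if m.group(1) == "default group" else m.group(1)] = m.group(2)
        m = POLICY_RE.search(line)
        if m:
            policy = int(m.group(1))
    return {"stages": stages, "proposal": proposal, "policy": policy,
            "unencrypted_msgs": errors, "diagnosis": classify(stages, proposal)}

if __name__ == "__main__":
    for key, value in triage(PIX_DEBUG).items():
        print(f"{key}: {value}")
```

For the posted debug it reports policy 9, the offered 3DES-CBC/SHA/group 2/pre-share proposal, two "msg not encrypted" errors, and a diagnosis of failure after DH at the first encrypted message, which is the pre-shared key (and identity) stage; that agrees with the SonicWall log line. A proposal mismatch would instead show "atts are not acceptable" and stop before the KE payload, and a peer that is unreachable on UDP/500 shows no SA payload at all.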

 
Did you try disabling keepalives and, if possible, disabling perfect forward secrecy (PFS)?


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 