Sonicwall VPN site to site

[elachance]

Hi, we have two sonicwall VPN (2040, nsa2400). The VPN tunnel is up but on the logs of the nsa2400 i can see a few
IPSec (ESP) packet dropped and I cannot connect from one side to the other.


This is the config on the sonicwall 2400

IKE (Phase 1) Proposal

Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800

Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1

This is the config on the 2040pro

IKE (Phase 1) Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800

Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1

 

[North323]

what do the logs say?

 

[elachance]

This is log on the 2400

I get some IPSec (ESP) packet dropped

05/07/2010 10:49:26.160 - Info - VPN IKE - IKE Initiator: Start Main Mode negotiation (Phase 1) - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1
05/07/2010 10:49:33.640 - Info - VPN IKE - IKE Initiator: Remote party timeout - Retransmitting IKE request. - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1
05/07/2010 10:49:34.944 - Info - VPN IKE - NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1
05/07/2010 10:49:35.016 - Info - VPN IKE - IKE Initiator: Main Mode complete (Phase 1) - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1;3DES; SHA1; DH Group 2; lifetime=28800 secs
05/07/2010 10:49:35.016 - Info - VPN IKE - IKE Initiator: Start Quick Mode (Phase 2). - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1
05/07/2010 10:49:35.048 - Info - VPN IKE - IKE Initiator: Accepting IPSec proposal (Phase 2) - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1; Local network 10.200.2.0 / 255.255.255.0; Remote network 10.200.1.0/255.255.255.0
05/07/2010 10:49:35.048 - Info - VPN IKE - IKE negotiation complete. Adding IPSec SA. (Phase 2) - siteb_ip, 500 - sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca - VPN Policy: toch1; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0xa34fac08; outSPI:0x70ecaa8b

 

[elachance]

Here is a bit more information

Model: PRO 2040 Standard
Serial Number: 0006B1307C08
Authentication Code: 52BV-B3HK
Firmware Version: SonicOS Standard 3.1.5.0-2s
ROM Version: SonicROM 3.1.0.2
CPU (10s average): 2.33% - 800 MHz VIA C3 Processor
Total Memory: 128MB RAM, 64MB Flash
System Time: 05/07/2010 22:30:12
Up Time: 41 Days 11:46:44


Model: NSA 2400
Product Code: 5805
Serial Number: 0017C513913C
Authentication Code: YJTJ-HAS3
Firmware Version: SonicOS Enhanced 5.4.0.0-20o
Safemode Version: Safemode 5.0.1.3
ROM Version: SonicROM 5.0.2.4
CPUs: 0.21% - 2 x 500 MHz Mips64 Octeon Processor
Total Memory : 512 MB RAM, 512 MB Flash
System Time : 05/07/2010 22:31:43
Up Time :

Is it even doable to do a site-to-site with these two model ?

 

[burtsbees]

But where are the dropped packet logs? When the tunnel comes up, what happens when you try to ping one side to the other? Are these NATting? Can you debug while pinging the other side?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[elachance]

Yes there are some

IPSec (ESP) packet dropped xx.xx.xx.xx, 0, 1, .sdsl.bell.ca xx.xx.xx.xx Inbound: SeqNum=16521194, SPI=0x440043

Am I correct in assuming that I do not need to add any static route or firewall policy ?

Also see attach a network diagram

 

[elachance]

Hi I did some more testing, I took a symantec 200 and I was able to establish communication with the 2040.

But on the 2400, same issue the tunnel comes up but no traffic. So there is got to be something on the 2400 config but the vpn configuration seem identical.

Anyone got any idea ?