Aggressive VPN between Sonicwall and Cisco ASA 5505

Abhijeet Kumar
Level 1

Hi All,

I am having trouble getting an Aggressive mode VPN to work between a Sonicwall TZ 600 and a Cisco ASA 5505. I have tried searching support forums and working accordingly, but it simply never comes up. The problem is that the Sonicwall requires an IKE string to connect in Aggressive mode; I am using the firewall identifier in this case. There is no documentation from Cisco as to where I configure that string. That being said, the strings should match between the Sonicwall and the Cisco to establish the connection. Please note that the Sonicwall has a static WAN IP, whereas the Cisco ASA has a dynamic IP (runs on PPPoE). Please check the configuration below on both ends:

Sonicwall:

Outside Interface: 10.10.1.30/255.255.255.252, Gateway: 10.10.1.29

Inside Interface: 173.41.199.0/24

VPN settings:

Security Policy:

Policy type: Site to Site

Authentication Method: IKE using Preshared Secret

Name: VPN to Cisco

IPsec Primary gateway name or address: 0.0.0.0

IKE Authentication:

Shared secret: mypassword@1

Confirm Shared Secret: mypassword@1

Local IKE ID: (Firewall Identifier) Sonicwall

Peer IKE ID: (Firewall Identifier) Cisco

Local Network: 173.41.199.0/24

Remote Network: 192.168.12.1/24

IKE (Phase 1) Proposal

Exchange: Aggressive Mode

DH Group: Group 2

Encryption: 3DES

Authentication: SHA1

Lifetime: 28800

IPsec (Phase 2) Proposal

Protocol: ESP

Encryption: 3DES

Authentication: SHA1

Lifetime: 28800

No PFS

Policy bound to outside interface

For an online emulator of the Sonicwall, you can click https://tz600.demo.sonicwall.com/main.html

Reference guide from Sonicwall to configure Aggressive VPN: https://support.sonicwall.com/kb/sw4834

I have only a basic configuration on the Cisco so far, as it is out of the box.

ASA Version: 9.2(3)

ASDM 771-151

Licensing is attached to this post

outside interface set as PPPOE, default route using PPPOE

inside interface 173.41.199.0/24

As for address translation, I am using PAT.

NOTE: I have one more Aggressive VPN configured from this Sonicwall TZ600 to a TZ SOHO, and it works flawlessly.

Any help would be more than appreciated.

Thank you.

3 Replies

Rahul Govindan
VIP Alumni

The Firewall identifier should be your IKE ID. In the case of the ASA, it is usually the IP address of the interface where the crypto map is applied. 

Since you have set the IKE ID to the string "Sonicwall", you would need to create a tunnel-group (or connection profile) with the name Sonicwall and have the IKE pre-shared key defined under it.

A good explanation of how the ASA matches tunnel-groups to identity is given here:

http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/

You can also change what the ASA uses as its IKE ID with the command "crypto isakmp identity".

Hi Rahul,

Thank you for your response, and I apologize for the delay. I spent 2-3 days figuring this out, but it was still a no-go. At this point I am thinking of changing my ISP and getting a few static IPs, but I want to give it a final shot.

Could you please give me the exact configuration that I have to do? I know I am asking a lot but I am left with no choice.

Thank you.

This thread is old, but for others in the future, here was my solution:

I had to force aggressive mode for the phase-1 negotiation, since the Sonicwall requires an aggressive mode configuration as the hub. Here is my configuration:

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer **.**.**.**
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 864000
crypto map outside_map interface outside

tunnel-group **.**.**.** type ipsec-l2l
tunnel-group **.**.**.** ipsec-attributes
 ikev1 pre-shared-key *****

crypto isakmp identity key-id **** (matches sonicwall)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 864000

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
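A consistency check for the two sides, added here as an example and not taken from the thread or from either vendor: it parses a constructed ASA snippet modelled on the reply above and compares it with the Sonicwall settings from the original post, reporting the mismatches that would keep phase 1 or phase 2 from agreeing (tunnel-group name vs. peer IKE ID, key-id vs. Peer IKE ID, proposal parameters, PFS). All values are transcribed from the thread or are obvious placeholders.

```python
import re
# SonicWall side as posted, in ASA vocabulary ("SHA1" -> "sha", "Group 2" -> "2").
SONICWALL = {"local_ike_id": "Sonicwall", "peer_ike_id": "Cisco",
             "encryption": "3des", "hash": "sha", "group": "2", "pfs": False}
# Constructed ASA snippet modelled on the final reply; values are hypothetical.
ASA_CONFIG = """\
crypto isakmp identity key-id Cisco
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 2
tunnel-group Sonicwall type ipsec-l2l
crypto map outside_map 1 set pfs
crypto map outside_map 1 set ikev1 phase1-mode aggressive
"""

def parse_asa(text):
    """Fields that decide an aggressive-mode match; assumes one ikev1 policy block."""
    asa = {"tunnel_groups": set(), "pfs": False, "aggressive": False}
    for line in text.splitlines():
        m = re.match(r"\s+(encryption|hash|group)\s+(\S+)$", line)
        if m:  # indented attribute of the ikev1 policy
            asa[m.group(1)] = m.group(2)
        m = re.match(r"crypto isakmp identity key-id (\S+)", line)
        if m:
            asa["identity"] = m.group(1)
        m = re.match(r"tunnel-group (\S+) type ipsec-l2l", line)
        if m:
            asa["tunnel_groups"].add(m.group(1))
        asa["pfs"] |= " set pfs" in line
        asa["aggressive"] |= "phase1-mode aggressive" in line
    return asa

def check(sw, asa):
    """Return the mismatches that would keep this tunnel from coming up."""
    problems = []
    if not asa["aggressive"]:
        problems.append("ASA crypto map is not forced to aggressive mode")
    # In aggressive mode the ASA selects the tunnel-group by the peer's IKE ID.
    if sw["local_ike_id"] not in asa["tunnel_groups"]:
        problems.append(f"no tunnel-group named {sw['local_ike_id']!r}")
    if asa.get("identity") != sw["peer_ike_id"]:
        problems.append("ASA key-id does not equal the SonicWall Peer IKE ID")
    for k in ("encryption", "hash", "group"):
        if asa.get(k) != sw[k]:
            problems.append(f"phase 1 {k}: SonicWall {sw[k]} vs ASA {asa.get(k)}")
    if asa["pfs"] != sw["pfs"]:
        problems.append("PFS enabled on only one side; phase 2 will not match")
    return problems
```

Running `check(SONICWALL, parse_asa(ASA_CONFIG))` on the constructed snippet reports the phase 1 encryption mismatch (3DES vs AES-256) and the PFS mismatch (Sonicwall has No PFS, the ASA sets it), which is exactly the kind of disagreement the debug output on either box would otherwise leave you to hunt for.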


 
