I am having trouble getting Aggressive mode vpn to work between Sonicwall TZ 600 and Cisco ASA 5505. I have tried to search support forums and work accordingly but it simply never gets up. The problem is Sonicall requires an IKE string to connect in Aggressive mode, I am using firewall identifier in this case. There is no documentation in Cisco as to where I configure that string. That being said, the strings should match between Sonicwall and Cisco to establish the connection. Please note that the Sonicwall has a static WAN IP as to Cisco ASA has a Dynamic IP (runs on PPPOE). Please check the configuration below on both ends:
Outside Interface. 10.10.1.30/255.255.255.252 Gateway - 10.10.1.29
Inside Interface. 18.104.22.168/24
Policy type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: VPN to Cisco
IPsec Primary gateway name or address: 0.0.0.0
Shared secret: mypassword@1
Confirm Shared Secret: mypassword@1
Local IKE ID: (Firewall Identifier) Sonicwall
Peer IKE ID: (Firewall Identifier) Cisco
Local Network: 22.214.171.124/24
Remote Network: 192.168.12.1/24
IKE (Phase 1) Proposal
Exchange: Aggressive Mode
DH Group: Group 2
Ipsec (Phase 2) Proposal
Policy bound to outside interface
For online emulator for Sonicwall you can click https://tz600.demo.sonicwall.com/main.html
Reference guide from Sonicwall to configure Aggressive VPN: https://support.sonicwall.com/kb/sw4834
I have basic configuration in Cisco as of yet as it's out of the box.
ASA Version: 9.2(3)
Licensing is attached to this post
outside interface set as PPPOE, default route using PPPOE
inside interface 126.96.36.199/24
As for Address translation I am using PAT
NOTE: I have one more Aggressive VPN configured from this Sonicwall TZ600 to TZ SOHO and it works flawless.
Any help would be more that appreciated.
The Firewall identifier should be your IKE ID. In the case of the ASA, it is usually the IP address of the interface where the crypto map is applied.
Since you have set the IKE Id set to the String "Sonicwall", you would need to create a tunnel-group (or connection profile) with the name Sonicwall and have the IKE preshared key defined under it.
A good explanation of the ASA matches tunnel-groups to identity is given here:
You can also change what the ASA uses as IKE ID using the command "crypto isakmp identity"
Thank you for your response and I apologize for the delay. I spent 2-3 days figuring this out but still it was a no-go. At this point I am thinking to change my ISP and get few static IP's but I want to give it a final shot.
Could you please give me the exact configuration that I have to do? I know I am asking a lot but I am left with no choice.
This thread is old but for others in the future here was my solution:
I had to force aggressive mode for the phase-1 negotitaion since the sonicwall requires aggressive mode configuration as the hub. Here is my configuration:
crypto map outside_map 1 match address outside_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer **.**.**.** crypto map outside_map 1 set ikev1 phase1-mode aggressive crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA crypto map outside_map 1 set security-association lifetime seconds 864000 crypto map outside_map interface outside tunnel-group **.**.**.** type ipsec-l2l tunnel-group **.**.**.** ipsec-attributes ikev1 pre-shared-key ***** crypto isakmp identity key-id **** (matches sonicwall) crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 864000 crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac