05-28-2017 01:33 AM
Hi All,
I am having trouble getting Aggressive mode VPN to work between a Sonicwall TZ 600 and a Cisco ASA 5505. I have tried to search support forums and work accordingly, but it simply never comes up. The problem is that the Sonicwall requires an IKE string to connect in Aggressive mode; I am using the firewall identifier in this case. There is no documentation from Cisco as to where I configure that string. That being said, the strings should match between the Sonicwall and the Cisco to establish the connection. Please note that the Sonicwall has a static WAN IP, whereas the Cisco ASA has a dynamic IP (runs on PPPoE). Please check the configuration below on both ends:
Sonicwall:
Outside Interface. 10.10.1.30/255.255.255.252 Gateway - 10.10.1.29
Inside Interface. 173.41.199.0/24
VPN settings:
Security Policy:
Policy type: Site to Site
Authentication Method: IKE using Preshared Secret
Name: VPN to Cisco
IPsec Primary gateway name or address: 0.0.0.0
IKE Authentication:
Shared secret: mypassword@1
Confirm Shared Secret: mypassword@1
Local IKE ID: (Firewall Identifier) Sonicwall
Peer IKE ID: (Firewall Identifier) Cisco
Local Network: 173.41.199.0/24
Remote Network: 192.168.12.1/24
IKE (Phase 1) Proposal
Exchange: Aggressive Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800
Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800
No PFS
Policy bound to outside interface
For online emulator for Sonicwall you can click https://tz600.demo.sonicwall.com/main.html
Reference guide from Sonicwall to configure Aggressive VPN: https://support.sonicwall.com/kb/sw4834
I have basic configuration in Cisco as of yet as it's out of the box.
ASA Version: 9.2(3)
ASDM 771-151
Licensing is attached to this post
outside interface set as PPPOE, default route using PPPOE
inside interface 173.41.199.0/24
As for Address translation I am using PAT
NOTE: I have one more Aggressive VPN configured from this Sonicwall TZ600 to TZ SOHO and it works flawless.
Any help would be more than appreciated.
Thank you.
05-29-2017 06:52 AM
The Firewall identifier should be your IKE ID. In the case of the ASA, it is usually the IP address of the interface where the crypto map is applied.
Since you have set the IKE Id set to the String "Sonicwall", you would need to create a tunnel-group (or connection profile) with the name Sonicwall and have the IKE preshared key defined under it.
A good explanation of how the ASA matches tunnel-groups to identity is given here:
http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/
You can also change what the ASA uses as IKE ID using the command "crypto isakmp identity"
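To make the matching rule in the reply above concrete, here is a small added model (written for this thread, not Cisco or SonicWall code) of the two checks involved: how an ASA picks a tunnel-group for an incoming IKEv1 negotiation, and how a peer that is configured with a "Peer IKE ID" verifies the identity the ASA sends after "crypto isakmp identity key-id". The lookup order (peer address, then the IKE ID when aggressive mode carries it in the first message, then DefaultL2LGroup) follows the linked INE article; the class names, addresses and key are constructed sample values, not anything from the thread.

```python
"""Toy model of ASA tunnel-group selection and peer IKE ID verification.

Added example for illustration only; it is not Cisco or SonicWall code.
All names, addresses and the pre-shared key below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TunnelGroup:
    name: str                  # tunnel-group <name> type ipsec-l2l
    psk: Optional[str] = None  # ikev1 pre-shared-key under ipsec-attributes


@dataclass
class AsaConfig:
    tunnel_groups: Dict[str, TunnelGroup] = field(default_factory=dict)
    isakmp_identity: str = "address"   # crypto isakmp identity {address | key-id <s>}
    outside_ip: str = "0.0.0.0"        # PPPoE address, only known at runtime

    def __post_init__(self) -> None:
        # DefaultL2LGroup always exists; it is only usable if a PSK is set on it.
        self.tunnel_groups.setdefault("DefaultL2LGroup", TunnelGroup("DefaultL2LGroup"))

    def local_ike_id(self) -> str:
        """The value the ASA places in its own IKE ID payload."""
        return self.outside_ip if self.isakmp_identity == "address" else self.isakmp_identity


def select_tunnel_group(cfg: AsaConfig, peer_ip: str, peer_ike_id: str,
                        aggressive: bool) -> Tuple[TunnelGroup, str]:
    """Responder-side lookup. In main mode the ID payload arrives encrypted,
    after the PSK is already needed, so only the peer address can select a
    group. In aggressive mode the ID is in the first message and can be used."""
    if peer_ip in cfg.tunnel_groups:
        return cfg.tunnel_groups[peer_ip], "matched tunnel-group by peer address"
    if aggressive and peer_ike_id in cfg.tunnel_groups:
        return cfg.tunnel_groups[peer_ike_id], "matched tunnel-group by IKE ID"
    return cfg.tunnel_groups["DefaultL2LGroup"], "fell back to DefaultL2LGroup"


def asa_authenticates(cfg: AsaConfig, peer_ip: str, peer_ike_id: str,
                      aggressive: bool, offered_psk: str) -> Tuple[bool, str]:
    """True if the selected tunnel-group has a PSK and it matches the peer's."""
    tg, how = select_tunnel_group(cfg, peer_ip, peer_ike_id, aggressive)
    if tg.psk is None:
        return False, f"{how} ({tg.name}) but no pre-shared key is configured there"
    if tg.psk != offered_psk:
        return False, f"{how} ({tg.name}) but the pre-shared key does not match"
    return True, f"{how} ({tg.name})"


def peer_accepts_identity(expected_peer_id: str, received_id: str) -> bool:
    """The SonicWall side: its configured 'Peer IKE ID' must equal the ID sent."""
    return expected_peer_id == received_id


# Constructed sample configuration (placeholder values, not from the thread).
SHARED_SECRET = "example-psk"
asa = AsaConfig(
    tunnel_groups={"Sonicwall": TunnelGroup("Sonicwall", psk=SHARED_SECRET)},
    isakmp_identity="Cisco",    # crypto isakmp identity key-id Cisco
    outside_ip="198.51.100.7",  # whatever PPPoE handed out this session
)


def demo() -> dict:
    results = {}
    # Peer identifies as "Sonicwall" in aggressive mode: the named group is used.
    results["aggressive_named"] = asa_authenticates(asa, "203.0.113.5", "Sonicwall", True, SHARED_SECRET)
    # Same peer in main mode: the ID cannot be used, lookup lands on DefaultL2LGroup (no PSK).
    results["main_mode"] = asa_authenticates(asa, "203.0.113.5", "Sonicwall", False, SHARED_SECRET)
    # Identifier string differs by case: no group by that name, so the fallback fails too.
    results["wrong_id"] = asa_authenticates(asa, "203.0.113.5", "SonicWALL", True, SHARED_SECRET)
    # What the SonicWall compares its "Peer IKE ID: Cisco" against.
    results["peer_id_ok"] = peer_accepts_identity("Cisco", asa.local_ike_id())
    # With the default identity the ASA would send its changing PPPoE address instead.
    default_asa = AsaConfig(outside_ip="198.51.100.7")
    results["peer_id_default"] = peer_accepts_identity("Cisco", default_asa.local_ike_id())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running it shows why both halves of the reply matter: the named tunnel-group only helps when aggressive mode delivers the ID early, and the "crypto isakmp identity key-id" setting is what stops a dynamic-address ASA from presenting a different identity after every PPPoE reconnect.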
06-05-2017 04:55 PM
Hi Rahul,
Thank you for your response and I apologize for the delay. I spent 2-3 days figuring this out but still it was a no-go. At this point I am thinking of changing my ISP and getting a few static IPs, but I want to give it a final shot.
Could you please give me the exact configuration that I have to do? I know I am asking a lot but I am left with no choice.
Thank you.
01-14-2020 05:51 PM
This thread is old but for others in the future here was my solution:
I had to force aggressive mode for the phase-1 negotiation since the Sonicwall requires aggressive mode configuration as the hub. Here is my configuration:
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer **.**.**.**
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 864000
crypto map outside_map interface outside
tunnel-group **.**.**.** type ipsec-l2l
tunnel-group **.**.**.** ipsec-attributes
 ikev1 pre-shared-key *****
crypto isakmp identity key-id ****   (matches sonicwall)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 864000
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac