05-31-2007 12:02 PM - edited 02-21-2020 03:05 PM
Good afternoon,
I'm having some trouble getting a site-to-site VPN set up between a PIX 515 running 6.3(5) and a SonicWall. We've verified the phase 1 & 2 settings and reset the pre-shared key. On the SonicWall they are getting a message stating that the PIX doesn't support NAT traversal. I didn't have it on at first, so I turned it on, but it didn't help the issue. Has anyone seen this issue with the SonicWalls? When I run a debug on the PIX side and generate traffic I get an error message stating unauthenticated SA.
Thanks,
Chris
05-31-2007 12:16 PM
Chris,
If you could enable the debugs "deb cry isa" & "deb cry ipsec" on the PIX. Then do "clear cry isa sa" & "cle cry ipsec sa".
Send interesting traffic after that, collect the debugs and send it to me.
Thanks
Gilbert
06-01-2007 05:32 AM
06-01-2007 06:21 AM
Chris,
Seems like there is retransmission of Phase 2 occurring and the tunnel doesn't get established.
ISAKMP (0): retransmitting phase 2 (9/3)... mess_id 0x11f4d1d4
ISAKMP (0): retransmitting phase 2 (3/3)... mess_id 0x1ec3c7a6
Can you check the access-list on your end and make sure the access-lists on both ends are mirror images of each other.
Thanks
Gilbert
06-01-2007 07:41 AM
I just double-checked with the far end admin and he confirmed that they are indeed the reciprocal of each other.
He stated earlier that he keeps getting a message on his sonicwall that the far end (pix) isn't supporting nat traversal. I'm sure that's sonic-speak for something else. But I'm not sure what the option would be. I do have nat traversal on, but we aren't trying to nat inside of the tunnel.
Thanks,
Chris
06-01-2007 09:23 AM
Can you send the output of
sh run | in isakmp
Thanks
Gilbert
06-01-2007 09:33 AM
Here it is. I've changed the public IP's of the peers, but the peer I'm working with on this one is the last one (
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 2.3.4.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 3.4.5.6 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 4.5.6.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
Thanks again,
Chris
06-01-2007 10:05 AM
Chris,
If we are not going through a NAT device, and if the SonicWall is complaining about the NAT-T, have you tried taking out "isakmp nat-traversal 20" from the config to see if it works?
If not, can you please copy and paste the exact error message from the sonicwall - let me do some searching on the error message.
Thanks
Gilbert
06-01-2007 11:34 AM
These are the messages they are seeing:
12 06/01/2007 14:21:31.208 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.2.3.4, 500 5.6.7.8, 500
13 06/01/2007 14:21:31.160 IKE Initiator: Start Main Mode negotiation (Phase 1) 1.2.3.4, 500 5.6.7.8, 500
Thanks,
Chris
06-08-2007 06:47 AM
We got this resolved. Thanks for all of your help. The issue turned out to be that the identity was set to hostname instead of address. We changed that one value on the pix and the tunnel started passing traffic.
Thanks again,
Chris Smith
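The config posted earlier in the thread ("sh run | in isakmp") and the final fix (identity set to hostname instead of address) both come down to checking a handful of "isakmp" lines. The script below is an added example, not part of the original thread or any Cisco tool: it parses PIX 6.x "isakmp" lines and reports the things a reviewer would flag, including the identity setting, whether NAT-T is on, and policies using MD5 or legacy ciphers. The sample input reuses the poster's (already masked) config with an "isakmp identity hostname" line added as an assumption to reproduce the misconfiguration that was eventually found; treating a missing identity line as "address" is also an assumption.

```python
import re

# Constructed sample input: the "sh run | in isakmp" output from the thread
# (peer IPs masked by the poster), plus an "isakmp identity hostname" line
# added here as an assumption to reproduce the misconfiguration that was found.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 2.3.4.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity hostname
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")


def parse_isakmp(config):
    """Parse PIX 6.x 'isakmp ...' lines into a dict; unrelated lines are ignored."""
    state = {
        "enabled": [],          # interfaces with 'isakmp enable'
        "peers": [],            # peer addresses that have a pre-shared key
        "identity": "address",  # assumption: a missing identity line means 'address'
        "nat_traversal": None,  # NAT-T keepalive seconds, or None when NAT-T is off
        "policies": {},         # priority -> {attribute: value}
    }
    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "isakmp":
            continue
        kw = parts[1]
        if kw == "enable":
            state["enabled"].append(parts[2])
        elif kw == "key" and "address" in parts:
            state["peers"].append(parts[parts.index("address") + 1])
        elif kw == "identity":
            state["identity"] = parts[2]
        elif kw == "nat-traversal":
            state["nat_traversal"] = int(parts[2])
        elif kw == "policy":
            m = POLICY_RE.match(" ".join(parts))
            if m:
                prio, attr, val = m.groups()
                state["policies"].setdefault(int(prio), {})[attr] = val
    return state


def audit(state):
    """Return the findings a reviewer would raise about the parsed ISAKMP config."""
    findings = []
    if state["identity"] != "address":
        findings.append(
            "identity is '%s': a peer that matches the pre-shared key by IP "
            "address will reject the IKE ID (fix: 'isakmp identity address')"
            % state["identity"]
        )
    if state["nat_traversal"] is None:
        findings.append("NAT-T disabled: a tunnel through a NAT device will not come up")
    if not state["peers"]:
        findings.append("no 'isakmp key ... address' entries: no peer can authenticate")
    for prio, attrs in sorted(state["policies"].items()):
        if attrs.get("hash") == "md5":
            findings.append("policy %d uses MD5 hash: prefer sha" % prio)
        if attrs.get("encryption") in ("des", "3des"):
            findings.append("policy %d uses %s: prefer aes where both peers support it"
                            % (prio, attrs["encryption"]))
        if attrs.get("group") == "1":
            findings.append("policy %d uses DH group 1 (768-bit): use group 2 or stronger" % prio)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_isakmp(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a pasted "sh run | in isakmp" block; the identity finding is the one that would have pointed at the thread's root cause, and the MD5/3DES findings cover the weaker of the two policies shown.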