I'm having some trouble getting a site-to-site VPN set up between a PIX 515 running 6.3(5) and a SonicWall. We've verified the phase 1 & 2 settings and reset the pre-shared key. On the SonicWall they are getting a message stating that the PIX doesn't support NAT traversal. I didn't have it on at first, so I turned it on, but it didn't help the issue. Has anyone seen this issue with the SonicWalls? When I run a debug on the PIX side and generate traffic, I get an error message stating unauthenticated SA.
Could you enable the debugs "deb cry isa" & "deb cry ipsec" on the PIX, then do "clear cry isa sa" & "cle cry ipsec sa"?
Send interesting traffic after that, collect the debugs and send them to me.
I worked with the far side some more. They found an article where the SonicWall had problems with smaller IP blocks than were on the inside interface. We opened our ACLs up and now we are getting slightly different messages. Here's the debug that I'm getting.
It seems like there is retransmission of Phase 2 occurring and the tunnel doesn't get established.
ISAKMP (0): retransmitting phase 2 (9/3)... mess_id 0x11f4d1d4
ISAKMP (0): retransmitting phase 2 (3/3)... mess_id 0x1ec3c7a6
Can you check the access-list on your end and make sure the access-list on their end is a mirror image of it?
I just double-checked with the far end admin and he confirmed that they are indeed the reciprocal of each other.
He stated earlier that he keeps getting a message on his SonicWall that the far end (PIX) isn't supporting NAT traversal. I'm sure that's sonic-speak for something else, but I'm not sure what the option would be. I do have NAT traversal on, but we aren't trying to NAT inside of the tunnel.
Here it is. I've changed the public IPs of the peers, but the peer I'm working with on this one is the last one (
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp key ******** address 22.214.171.124 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 126.96.36.199 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 188.8.131.52 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 184.108.40.206 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
If we are not going through a NAT device, and if the SonicWall is complaining about NAT-T, have you tried taking "isakmp nat-traversal 20" out of the config to see if it works?
If not, can you please copy and paste the exact error message from the SonicWall so I can do some searching on it?
These are the messages they are seeing:
12 06/01/2007 14:21:31.208 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 220.127.116.11, 500 18.104.22.168, 500
13 06/01/2007 14:21:31.160 IKE Initiator: Start Main Mode negotiation (Phase 1) 22.214.171.124, 500 126.96.36.199, 500
We got this resolved. Thanks for all of your help. The issue turned out to be that the identity was set to hostname instead of address. We changed that one value on the PIX and the tunnel started passing traffic.
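The two checks this thread walked through, mirrored crypto ACLs and the Phase 1 settings (peer keys, identity type, NAT-T), as an added Python example that is not part of the thread: it runs over constructed PIX 6.3-style config fragments with documentation-range addresses, and encodes only what the posters described (a peer keyed by IP address expects an address identity; NAT-T is questionable when no NAT device sits in the path).

```python
import re

# Constructed sample fragments in PIX 6.3 syntax (not the thread's config); the
# addresses are documentation-range placeholders, not the real peers.
LOCAL_CFG = """
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
crypto map outside_map 20 set peer 203.0.113.5
isakmp key ******** address 203.0.113.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity hostname
isakmp nat-traversal 20
"""
# The far end's crypto ACL as the remote admin would read it back (constructed).
REMOTE_ACL = "permit ip 192.168.5.0 255.255.255.0 10.1.0.0 255.255.0.0"

ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def acl_entries(text):
    """(src, src_mask, dst, dst_mask) tuples from every 'permit ip' line."""
    return {m.groups() for m in ACL_RE.finditer(text)}


def mirror_mismatches(local, remote):
    """Entries on either side that have no exact reversed twin on the other."""
    flipped = {(d, dm, s, sm) for s, sm, d, dm in acl_entries(remote)}
    return sorted(acl_entries(local) ^ flipped)


def phase1_findings(cfg, nat_in_path=False):
    """Phase 1 settings the thread touched: peer keys, identity type, NAT-T."""
    findings = []
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M))
    keyed = set(re.findall(r"^isakmp key \S+ address (\S+)", cfg, re.M))
    for peer in sorted(peers - keyed):
        findings.append(f"no isakmp key configured for peer {peer}")
    ident = re.search(r"^isakmp identity (\w+)", cfg, re.M)
    if ident and ident.group(1) != "address":
        findings.append(f"isakmp identity {ident.group(1)}: a peer keyed by IP expects an address ID")
    if re.search(r"^isakmp nat-traversal", cfg, re.M) and not nat_in_path:
        findings.append("isakmp nat-traversal is on but no NAT device sits between the peers")
    return findings


if __name__ == "__main__":
    for f in phase1_findings(LOCAL_CFG):
        print("phase 1:", f)
    for entry in mirror_mismatches(LOCAL_CFG, REMOTE_ACL):
        print("acl not mirrored:", entry)
```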