09-15-2004 04:23 AM - edited 02-21-2020 01:20 PM
I have problems making a VPN site-to-site between a PIX and a SonicWall.
Here is the output from debug cry isakmp:
ISAKMP (0): Checking ISAKMP transform 1 against priority 51 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 29
ISAKMP (0): Total payload length: 33
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 1369704645
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500
ISAKMP: error, msg not encrypted
Anyone know what "msg not encrypted" means and how to solve the problem?
/Kim
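Added example (not part of Kim's post): a small Python script that reduces a PIX "debug crypto isakmp" trace to the facts that matter for a Phase 1 problem. The DEBUG text is copied from the trace above; the summary field names, the notify-code table (RFC 2408 values plus the Cisco private value the trace itself pairs with "sending INITIAL_CONTACT notify") and the Phase 1 matching rule are mine. Two things it makes visible: the peer's 28800-second lifetime is shorter than the PIX's 86400 default, and the trace's own "atts are acceptable" line confirms that is not a failing difference; and the received notify 18 decodes per RFC 2408 to INVALID-ID-INFORMATION, next to an ID type of ID_FQDN.

```python
"""Summarise a PIX 'debug crypto isakmp' trace (added example, not from the thread)."""
import re

# Constructed input: copied from the trace posted in the thread.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 51 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 18 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP: error, msg not encrypted
"""

# Phase 1 attributes as the PIX prints them while checking a peer's transform.
ATTR_PATTERNS = {
    "encryption": re.compile(r"^ISAKMP: encryption (\S+)$"),
    "hash": re.compile(r"^ISAKMP: hash (\S+)$"),
    "group": re.compile(r"^ISAKMP: (?:default )?group (\d+)$"),
    "auth": re.compile(r"^ISAKMP: auth (\S+)$"),
    "lifetime": re.compile(r"^ISAKMP: life duration \(basic\) of (\d+)$"),
}

# ISAKMP notify message types (RFC 2408 section 3.14.1) plus the Cisco private
# value that the trace pairs with "sending INITIAL_CONTACT notify".
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24578: "INITIAL_CONTACT (Cisco private)",
}


def _norm(value):
    """'3DES-CBC' -> '3des', 'MD5' -> 'md5', '28800' -> 28800 (config-style values)."""
    return int(value) if value.isdigit() else value.lower().replace("-cbc", "")


def summarize_isakmp_debug(text):
    """Reduce a debug trace to the facts needed to troubleshoot Phase 1."""
    s = {"proposal": {}, "proposal_accepted": False, "id_type": None,
         "authenticated": False, "received_notifies": [], "final_error": None}
    for line in text.splitlines():
        line = line.strip()
        for key, pat in ATTR_PATTERNS.items():
            m = pat.match(line)
            if m:
                s["proposal"][key] = _norm(m.group(1))
        if "atts are acceptable" in line:
            s["proposal_accepted"] = True
        m = re.search(r"using id type (\S+)", line)
        if m:
            s["id_type"] = m.group(1)
        if "SA has been authenticated" in line:
            s["authenticated"] = True
        m = re.search(r"processing NOTIFY payload (\d+)", line)
        if m:
            code = int(m.group(1))
            s["received_notifies"].append((code, NOTIFY_TYPES.get(code, "unknown")))
        m = re.match(r"^ISAKMP: error, (.+)$", line)
        if m:
            s["final_error"] = m.group(1)
    return s


def phase1_matches(proposal, policy):
    """PIX/IOS matching rule: encryption, hash, group and authentication must be
    identical; the peer's lifetime is accepted when it is no longer than ours."""
    for key in ("encryption", "hash", "group", "auth"):
        if proposal.get(key) != policy.get(key):
            return False, f"{key}: peer {proposal.get(key)} vs local {policy.get(key)}"
    peer_life, local_life = proposal.get("lifetime", 0), policy.get("lifetime", 86400)
    if peer_life > local_life:
        return False, f"lifetime: peer {peer_life} longer than local {local_life}"
    return True, "ok"


# Constructed local policies: one that matches the trace, and the 'des' policy
# from the config template posted later in the thread.
POLICY_3DES = {"encryption": "3des", "hash": "md5", "group": 2, "auth": "pre-share", "lifetime": 86400}
POLICY_DES = {"encryption": "des", "hash": "md5", "group": 2, "auth": "pre-share", "lifetime": 86400}

if __name__ == "__main__":
    summary = summarize_isakmp_debug(DEBUG)
    for k, v in summary.items():
        print(f"{k:18} {v}")
    print(phase1_matches(summary["proposal"], POLICY_3DES))
    print(phase1_matches(summary["proposal"], POLICY_DES))
```

Run it on a trace captured with "debug crypto isakmp" and read the summary top to bottom: if proposal_accepted and authenticated are both true, Phase 1 attributes and the pre-shared key are not the problem, and attention moves to the ID type and any notify received after authentication.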
09-15-2004 04:55 AM
Kim,
Have a read of the following article (PDF file):
http://www.sonicguard.com/Datasheet/SonicWALLVPN_with_Cisco_PIX_using_IKE.pdf
Hope this helps
Jay
09-15-2004 06:07 AM
The only difference that I have seen was the isakmp lifetime of 86400; SonicWall uses 28800.
Here is an example VPN config that I configured a few weeks ago.
access-list acl_outside permit udp host SONICWALL-PUB-IP host PIXPUBOUTSIDE-IP eq isakmp
access-list acl_outside permit esp host SONICWALL-PUB-IP host PIXPUBOUTSIDE-IP
access-list acl_outside permit ah host SONICWALL-PUB-IP host PIXPUBOUTSIDE-IP
access-list NONAT permit ip 192.168.1.0 255.255.255.0 REMOTESONICWALL-LAN 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 REMOTESONICWALL-LAN 255.255.255.0
global (outside) 1 YOUR-PAT-ADDRESS netmask 255.255.255.240
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 YOUR-DEFAULT-GATEWAY-IP
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
crypto map SONICWALL 10 ipsec-isakmp
crypto map SONICWALL 10 match address VPN
crypto map SONICWALL 10 set peer SONICWALL-PUB-IP
crypto map SONICWALL 10 set transform-set TRANS
crypto map SONICWALL interface outside
isakmp enable outside
isakmp key ******** address SONICWALL-PUB-IP netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
If you want to be able to route between VPNs on the SonicWall, add the other networks to the access-list VPN and NONAT and enable that function on the SonicWall firewall.
Hope it helps
Patrick
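Added example (not part of Patrick's post and not a PIX feature): a Python check for the one mistake his last paragraph points at, a network added to the crypto ACL but not to the nat 0 ACL. CONFIG is a constructed instance of his template with the placeholders replaced by made-up values (SonicWALL LAN 10.20.30.0/24, peer 203.0.113.10) and a second inside network, 192.168.2.0/24, deliberately present in VPN but missing from NONAT. The function names are mine.

```python
"""Consistency check for a PIX site-to-site crypto map (added example)."""
import re

# Constructed config: Patrick's template with made-up addresses and one
# deliberately inconsistent entry (192.168.2.0/24 in VPN, absent from NONAT).
CONFIG = """\
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list VPN permit ip 192.168.2.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
crypto map SONICWALL 10 ipsec-isakmp
crypto map SONICWALL 10 match address VPN
crypto map SONICWALL 10 set peer 203.0.113.10
crypto map SONICWALL 10 set transform-set TRANS
crypto map SONICWALL interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def _lines(config):
    return [l.strip() for l in config.splitlines()]


def _names(config, pattern):
    """ACL names captured by a pattern, in configuration order."""
    return [m.group(1) for m in map(pattern.match, _lines(config)) if m]


def parse_acls(config):
    """Map each ACL name to the (src, smask, dst, dmask) entries it permits."""
    acls = {}
    for line in _lines(config):
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls


def find_unexempted_vpn_entries(config):
    """Crypto-map ACL entries with no identical entry in the nat 0 ACL.

    Such traffic is translated before the crypto ACL is evaluated, so it leaves
    the PIX outside the tunnel instead of being encrypted."""
    acls = parse_acls(config)
    exempt = set()
    for name in _names(config, NAT0_RE):
        exempt.update(acls.get(name, []))
    return [e for name in _names(config, MATCH_RE)
            for e in acls.get(name, []) if e not in exempt]


def has_isakmp_identity_address(config):
    """The setting Kim reports was missing on the PIX side."""
    return "isakmp identity address" in _lines(config)


if __name__ == "__main__":
    for entry in find_unexempted_vpn_entries(CONFIG):
        print("crypto ACL entry not NAT-exempted:", " ".join(entry))
    print("isakmp identity address present:", has_isakmp_identity_address(CONFIG))
```

Feed it the output of "show running-config"; an empty list from find_unexempted_vpn_entries means every network the crypto map will encrypt is also exempted from translation, which is the state Patrick's advice leaves you in.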
09-15-2004 10:23 PM
Hi Patrick
I didn't have the "isakmp identity address".
My VPN connections to other PIXes run fine without it, but apparently it's needed when connecting to a SonicWall.
Thanks for your help.