PIX to SonicWall vpn

kholst
Level 1

I have problems making a site-to-site VPN between a PIX and a SonicWall.

Here is the output from debug cry isakmp:

ISAKMP (0): Checking ISAKMP transform 1 against priority 51 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 29

ISAKMP (0): Total payload length: 33

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 18 protocol 1

spi 0, message ID = 1369704645

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:213.187.170.246, dest:80.199.68.50 spt:500 dpt:500

ISAKMP: error, msg not encrypted

Does anyone know what it means when the msg is not encrypted, and how to solve the problem?

/Kim

3 Replies

jmia
Level 7

Kim,

Have a read of the following article (PDF file):

http://www.sonicguard.com/Datasheet/SonicWALLVPN_with_Cisco_PIX_using_IKE.pdf

Hope this helps

Jay

The only difference that I have seen was the isakmp lifetime of 86400; SonicWall uses 28800.

Here is an example VPN config that I configured a few weeks ago.

access-list acl_outside permit udp host SONICWALL-PUB-IP host PIXPUBOUTSIDE-IP eq isakmp

access-list acl_outside permit esp host SONICWALL-PUB-IP host PIXPUBOUTSIDE-IP

access-list acl_outside permit ah host SONICWALL-PUB-IP host PIXPUBOUTSIDE-IP

access-list NONAT permit ip 192.168.1.0 255.255.255.0 REMOTESONICWALL-LAN 255.255.255.0

access-list VPN permit ip 192.168.1.0 255.255.255.0 REMOTESONICWALL-LAN 255.255.255.0

global (outside) 1 YOUR-PAT-ADDRESS netmask 255.255.255.240

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

access-group acl_outside in interface outside

route outside 0.0.0.0 0.0.0.0 YOUR-DEFAULT-GATEWAY-IP

sysopt connection permit-ipsec

crypto ipsec transform-set TRANS esp-des esp-md5-hmac

crypto map SONICWALL 10 ipsec-isakmp

crypto map SONICWALL 10 match address VPN

crypto map SONICWALL 10 set peer SONICWALL-PUB-IP

crypto map SONICWALL 10 set transform-set TRANS

crypto map SONICWALL interface outside

isakmp enable outside

isakmp key ******** address SONICWALL-PUB-IP netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

If you want to be able to route between VPNs on the SonicWall, add the other networks to the access-lists VPN and NONAT and enable that function on the SonicWall firewall.

Hope it helps

Patrick

Hi Patrick

I didn't have the "isakmp identity address".

My VPN connections to other PIXes run fine without it, but apparently it's needed when connecting to a SonicWall.

Thanks for your help.
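The trace in the original post and the fix in the last reply can be turned into a small triage script. This is an added example, not code from the thread or from Cisco or SonicWall: it reads `debug crypto isakmp` output, records which identity type the PIX offered, decodes the NOTIFY numbers using the names from RFC 2408 (INVALID-ID-INFORMATION = 18) and the IPsec DOI, RFC 2407 (INITIAL-CONTACT = 24578), and raises the thread's conclusion as a hint when the peer rejected an FQDN identity. The sample trace is a constructed excerpt of the post's output; the hint text is an assumption based on Kim's reply.

```python
import re

# Constructed excerpt of the `debug crypto isakmp` trace quoted in the original post.
SAMPLE_TRACE = """\
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 18 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP: error, msg not encrypted
"""

# Notify type numbers: 1-30 from RFC 2408 section 3.14.1, 24578 from RFC 2407 section 4.6.3.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    17: "INVALID-KEY-INFORMATION",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
    24578: "INITIAL-CONTACT",
}

ID_RE = re.compile(r"using id type (\S+)")
NOTIFY_RE = re.compile(r"(sending NOTIFY message|processing NOTIFY payload) (\d+)")


def triage(trace):
    """Summarise what a phase-1 debug trace shows: our ID type, notifies sent/received, and a hint."""
    result = {"local_id_type": None, "sent": [], "received": [], "unencrypted": False, "hint": None}
    for line in trace.splitlines():
        m = ID_RE.search(line)
        if m:
            result["local_id_type"] = m.group(1)  # e.g. ID_FQDN or ID_IPV4_ADDR
        m = NOTIFY_RE.search(line)
        if m:
            name = NOTIFY_TYPES.get(int(m.group(2)), "UNKNOWN(%s)" % m.group(2))
            bucket = "sent" if m.group(1).startswith("sending") else "received"
            result[bucket].append(name)
        if "msg not encrypted" in line:
            result["unencrypted"] = True
    # Thread's finding (assumption encoded as a hint): the peer answered our FQDN identity with
    # INVALID-ID-INFORMATION, so the PIX should send its address instead via 'isakmp identity address'.
    if result["local_id_type"] == "ID_FQDN" and "INVALID-ID-INFORMATION" in result["received"]:
        result["hint"] = "peer rejected the FQDN identity; configure 'isakmp identity address' on the PIX"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```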