VPN to Sonicwall from Cisco C1111

InSysProllc
Level 1

Hello,

I have been trying to create a VPN connection from a Cisco C1111 to a remote Sonicwall. The Sonicwall belongs to another company, so I'm not fully able to see their side.

The VPN is coming from a VLAN with the network 10.2.1.46/27 to 10.0.0.0/24. On my side I have:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
! X.X.X.X = Sonicwall external address
crypto isakmp key PASSWORD address X.X.X.X
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
 mode tunnel
!
crypto map VPN 15 ipsec-isakmp
 set peer X.X.X.X
 set transform-set VPN
 set pfs group1
 match address 101

ACLs:

access-list 101 permit ip 10.2.1.32 0.0.0.15 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.2.1.32 0.0.0.15 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.2.1.32 0.0.0.15 any

Phase 1 of the tunnel goes through, but Phase 2 is failing:

*May 19 20:13:42.891: ISAKMP-PAK: (1004):received packet from X.X.X.X dport 500 sport 500 Global (R) QM_IDLE
*May 19 20:13:42.891: ISAKMP: (1004):set new node 2620365568 to QM_IDLE
*May 19 20:13:42.891: ISAKMP: (1004):processing HASH payload. message ID = 2620365568
*May 19 20:13:42.891: ISAKMP: (1004):processing SA payload. message ID = 2620365568
*May 19 20:13:42.891: ISAKMP: (1004):Checking IPSec proposal 1
*May 19 20:13:42.892: ISAKMP: (1004):transform 1, ESP_3DES
*May 19 20:13:42.892: ISAKMP: (1004): attributes in transform:
*May 19 20:13:42.892: ISAKMP: (1004): SA life type in seconds
*May 19 20:13:42.892: ISAKMP: (1004): SA life duration (basic) of 28800
*May 19 20:13:42.892: ISAKMP: (1004): encaps is 1 (Tunnel)
*May 19 20:13:42.892: ISAKMP: (1004): authenticator is HMAC-MD5
*May 19 20:13:42.892: ISAKMP: (1004):atts are acceptable.
*May 19 20:13:42.892: IPSEC(validate_proposal_request): proposal part #1
*May 19 20:13:42.893: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= LOCAL IP, remote= REMOTE IP,
local_proxy= LOCAL WAN/255.255.255.255/256/0,
remote_proxy= REMOTE WAN /255.255.255.255/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 19 20:13:42.893: ISAKMP-ERROR: (1004):IPSec policy invalidated proposal with error 32
*May 19 20:13:42.894: ISAKMP-ERROR: (1004):phase 2 SA policy not acceptable! (local LOCAL WAN remote REMOTE WAN)
*May 19 20:13:42.894: ISAKMP: (1004):set new node 1586175618 to QM_IDLE
*May 19 20:13:42.894: ISAKMP: (1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 547283658012, message ID = 1586175618
*May 19 20:13:42.894: ISAKMP-PAK: (1004):sending packet to 12.133.76.34 my_port 500 peer_port 500 (R) QM_IDLE
*May 19 20:13:42.894: ISAKMP: (1004):Sending an IKE IPv4 Packet.
*May 19 20:13:42.894: ISAKMP: (1004):purging node 1586175618
*May 19 20:13:42.895: ISAKMP-ERROR: (1004):deleting node 2620365568 error TRUE reason "QM rejected"
*May 19 20:13:42.895: ISAKMP: (1004):Node 2620365568, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 19 20:13:42.895: ISAKMP: (1004):Old State = IKE_QM_READY New State = IKE_QM_READY
*May 19 20:13:42.895: ISAKMP: (1004):set new node 998375488 to QM_IDLE
*May 19 20:13:42.896: ISAKMP-PAK: (1004):sending packet to REMOTE WAN my_port 500 peer_port 500 (R) QM_IDLE
*May 19 20:13:42.896: ISAKMP: (1004):Sending an IKE IPv4 Packet.
*May 19 20:13:42.896: ISAKMP: (1004):purging node 998375488
*May 19 20:13:42.896: ISAKMP: (1004):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*May 19 20:13:42.896: ISAKMP: (1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

From the information that the remote site has sent, everything matches. I believe it's in the interesting traffic for the tunnel, but I'm having some difficulty understanding it on the 1111s. The route to the remote network is also not showing in my tables.

Does the C1111 require a tunnel interface to route it, and are the ACLs necessary for the tunnel? I'm currently on:

Cisco IOS XE Software, Version 16.08.01

Any assistance would be greatly appreciated!!

7 Replies

@InSysProllc 

Do the phase 2 settings below match exactly the settings on the Sonicwall? Can you provide a screenshot of the Sonicwall config?

crypto ipsec transform-set VPN esp-3des esp-md5-hmac
 mode tunnel

Aside from that, you should consider using AES encryption and SHA hashing at a minimum, and stronger DH and PFS groups. On newer Cisco OS they are deprecating weaker ciphers.

Hi Rob,

Thanks for the help!

On their side they have: [screenshots: Sonicwall.jpg, 2021-04-09 15_08_04-OBERON - ConnectWise Control - Connected.png]

According to the remote side, they can't support higher. I've gone through a few remote sessions, but they just have a standard setup. The only other item I've noticed is under sh crypto tech-support; there are some errors I haven't been able to find anything on:

IPSEC-EVENT:IPSEC-PROPOSAL-ERROR: Session ID: 0, Proxies Not Supported for Proxies :
local_proxy: LOCAL WAN, remote_proxy: REMOTE WAN
local: LOCAL WAN, remote: REMOTE WAN.

The Sonicwall doesn't have "Enable Perfect Forward Secrecy" ticked, but you have that configured on the router. Remove it and test again.

crypto map VPN 15 ipsec-isakmp
 no set pfs group1

Hi Rob,

I've removed the pfs group and cleared the session, but it's still the same error. The only other thing I can attribute it to is possibly something in my route tables.

#sho crypto route
No VPN routes to display

Does the C1111 require an interface to route the VPN traffic?

Thanks again for the help.

You just need a default route via the outside interface... and you wouldn't have got this far otherwise.

Provide the ipsec debugs - "debug crypto ipsec 255" in addition to isakmp debugs.

Hi Rob,

I cleared the logging and have enabled IPSEC, ISAKMP, and Interface debugging:

Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Crypto Interface debugging is on

I've tried sending traffic across, but it's the same.

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


Console logging: level debugging, 53238 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 53238 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 94 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (4096 bytes):
PEER, IKE_QM_EXCH
*May 19 23:19:34.804: ISAKMP: (1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*May 19 23:19:34.805: ISAKMP: (1006):set new node 1800706150 to QM_IDLE
*May 19 23:19:34.805: ISAKMP-PAK: (1006):sending packet to REMOTE IP my_port 500 peer_port 500 (R) QM_IDLE
*May 19 23:19:34.805: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*May 19 23:19:34.805: ISAKMP: (1006):purging node 1800706150
*May 19 23:19:34.805: ISAKMP: (1006):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*May 19 23:19:34.805: ISAKMP: (1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 19 23:20:24.797: ISAKMP: (1006):purging node 1350965696
*May 19 23:20:24.801: ISAKMP: (1006):purging node 1776290091
*May 19 23:20:39.799: ISAKMP-PAK: (1006):received packet from REMOTE IP dport 500 sport 500 Global (R) QM_IDLE
*May 19 23:20:39.799: ISAKMP: (1006):set new node 772179705 to QM_IDLE
*May 19 23:20:39.802: ISAKMP: (1006):processing HASH payload. message ID = 772179705
*May 19 23:20:39.802: ISAKMP: (1006):deleting node 772179705 error FALSE reason "Informational (in) state 1"
*May 19 23:20:39.802: ISAKMP: (1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 19 23:20:39.802: ISAKMP: (1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 19 23:20:39.802: ISAKMP-PAK: (1006):received packet from REMOTE IP dport 500 sport 500 Global (R) QM_IDLE
*May 19 23:20:39.803: ISAKMP: (1006):set new node 3414865070 to QM_IDLE
*May 19 23:20:39.803: ISAKMP: (1006):processing HASH payload. message ID = 3414865070
*May 19 23:20:39.803: ISAKMP: (1006):processing SA payload. message ID = 3414865070
*May 19 23:20:39.803: ISAKMP: (1006):Checking IPSec proposal 1
*May 19 23:20:39.803: ISAKMP: (1006):transform 1, ESP_3DES
*May 19 23:20:39.803: ISAKMP: (1006): attributes in transform:
*May 19 23:20:39.804: ISAKMP: (1006): SA life type in seconds
*May 19 23:20:39.804: ISAKMP: (1006): SA life duration (basic) of 28800
*May 19 23:20:39.804: ISAKMP: (1006): encaps is 1 (Tunnel)
*May 19 23:20:39.804: ISAKMP: (1006): authenticator is HMAC-MD5
*May 19 23:20:39.804: ISAKMP: (1006):atts are acceptable.
*May 19 23:20:39.804: IPSEC(validate_proposal_request): proposal part #1
*May 19 23:20:39.804: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= LOCALIP:0, remote= REMOTE IP:0,
local_proxy= LOCAL WAN/255.255.255.255/256/0,
remote_proxy= REMOTE WAN/255.255.255.255/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 19 23:20:39.805: ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 32
*May 19 23:20:39.806: ISAKMP-ERROR: (1006):phase 2 SA policy not acceptable! (local LOCAL WAN remote REMOTE WAN)
*May 19 23:20:39.806: ISAKMP: (1006):set new node 2351961457 to QM_IDLE
*May 19 23:20:39.806: ISAKMP: (1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 547283658012, message ID = 2351961457
*May 19 23:20:39.807: ISAKMP-PAK: (1006):sending packet to REMOTE WAN my_port 500 peer_port 500 (R) QM_IDLE
*May 19 23:20:39.807: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*May 19 23:20:39.809: ISAKMP: (1006):purging node 2351961457
*May 19 23:20:39.809: ISAKMP-ERROR: (1006):deleting node 3414865070 error TRUE reason "QM rejected"
*May 19 23:20:39.809: ISAKMP: (1006):Node 3414865070, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 19 23:20:39.809: ISAKMP: (1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*May 19 23:20:39.810: ISAKMP: (1006):set new node 3705960609 to QM_IDLE
*May 19 23:20:39.810: ISAKMP-PAK: (1006):sending packet to REMOTE WAN my_port 500 peer_port 500 (R) QM_IDLE
*May 19 23:20:39.810: ISAKMP: (1006):Sending an IKE IPv4 Packet.
*May 19 23:20:39.810: ISAKMP: (1006):purging node 3705960609
*May 19 23:20:39.811: ISAKMP: (1006):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*May 19 23:20:39.811: ISAKMP: (1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

From the logs they have sent:

[screenshot: Error Log.png]

Thanks!!
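Added example, not part of the thread and not Cisco's or SonicWall's code: a small Python checker for exactly this kind of Phase 2 failure. In both debugs above the peer's Quick Mode proposal carries host proxies (LOCAL WAN/255.255.255.255 and REMOTE WAN/255.255.255.255, i.e. the two firewalls' own WAN addresses), and no line in ACL 101 (10.2.1.32 0.0.0.15 to 10.0.0.0 0.0.0.255) can cover a WAN-to-WAN /32 pair, which is consistent with "IPSec policy invalidated proposal with error 32" and the "Proxies Not Supported for Proxies" event. The script parses the crypto-map ACL and the local_proxy/remote_proxy lines from the debug, reports which permit line (if any) covers the proposed pair, checks that the LAN the tunnel is meant to carry (10.2.1.46/27, i.e. 10.2.1.32/27) actually sits inside the ACL source (wildcard 0.0.0.15 is a /28, so it does not), and flags the 3DES/MD5/group 2/PFS group1 settings Rob mentioned. Assumptions: the documentation addresses 192.0.2.1 and 198.51.100.1 stand in for the redacted WAN addresses, the sample config and debug text are reconstructed from the post, and the subset rule used to decide whether an ACL line covers a proposal is this example's own approximation of the IOS check, not Cisco's code.

```python
"""Cross-check an IOS crypto-map ACL against the proxy IDs a peer proposes in
IKEv1 Quick Mode.  Added example; not code from the thread, Cisco or SonicWall."""
from __future__ import annotations
import ipaddress
import re
from collections import namedtuple

Net = ipaddress.IPv4Network
AclEntry = namedtuple("AclEntry", "number action src dst")

# Constructed sample input: the ACL and crypto settings quoted in the thread, plus the
# debug proxy lines with documentation addresses assumed for the redacted WAN addresses.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.2.1.32 0.0.0.15 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.2.1.32 0.0.0.15 any
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map VPN 15 ipsec-isakmp
 set pfs group1
"""
SAMPLE_DEBUG = """\
local_proxy= 192.0.2.1/255.255.255.255/256/0,
remote_proxy= 198.51.100.1/255.255.255.255/256/0,
"""

def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS 'address wildcard' -> prefix; only contiguous wildcards map to one."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return Net((addr, 32 - ((w + 1).bit_length() - 1)), strict=False)

def _operand(tokens: list[str]) -> tuple[Net, list[str]]:
    """Consume one ACL source/destination operand: 'any' or 'ADDRESS WILDCARD'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")

def parse_acl(config: str) -> list[AclEntry]:
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            number, action, rest = m.groups()
            src, rest_tokens = _operand(rest.split())
            dst, _ = _operand(rest_tokens)
            entries.append(AclEntry(number, action, src, dst))
    return entries

# IOS prints a proxy as address/netmask/protocol/port; protocol 256 means any.
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")

def parse_debug_proxies(debug: str) -> list[tuple[Net, Net]]:
    """Pair each local_proxy with the remote_proxy that follows it."""
    pairs, local = [], None
    for side, addr, mask in PROXY_RE.findall(debug):
        net = Net((addr, mask), strict=False)
        if side == "local":
            local = net
        elif local is not None:
            pairs.append((local, net))
            local = None
    return pairs

def matching_entry(entries, acl, local, remote):
    """First permit line of `acl` covering our side (source) and the peer's (destination)."""
    for e in entries:
        if (e.number == acl and e.action == "permit"
                and local.subnet_of(e.src) and remote.subnet_of(e.dst)):
            return e
    return None

def acl_covers_lan(entries, acl, lan: Net) -> bool:
    """True when the whole LAN behind the tunnel sits inside one permit source."""
    return any(e.number == acl and e.action == "permit" and lan.subnet_of(e.src)
               for e in entries)

WEAK = {"3des": "aes 256", "md5": "sha256", "group 2": "group 14", "pfs group1": "pfs group14"}

def weak_algorithms(config: str) -> dict[str, str]:
    low = config.lower()
    return {w: b for w, b in WEAK.items() if re.search(rf"\b{re.escape(w)}\b", low)}

def report(config=SAMPLE_CONFIG, debug=SAMPLE_DEBUG, acl="101",
           lan=Net("10.2.1.46/27", strict=False)) -> list[str]:
    """Findings to check after PROPOSAL_NOT_CHOSEN / 'error 32' in the debug."""
    entries, out = parse_acl(config), []
    for local, remote in parse_debug_proxies(debug):
        if matching_entry(entries, acl, local, remote) is None:
            out.append(f"peer proposed {local} <-> {remote}: no line in ACL {acl} covers it")
    if not acl_covers_lan(entries, acl, lan):
        out.append(f"ACL {acl} does not cover all of {lan}")
    out += [f"weak setting '{w}': use {b}" for w, b in weak_algorithms(config).items()]
    return out

if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as-is for the thread's config, or pass your own config text and a pasted debug to report(). The proxy finding is the one to act on first: the proposed proxies come from the peer's VPN policy, so a WAN-to-WAN /32 pair points at the local/destination network definitions on the Sonicwall side, and no ACL or transform change on the Cisco side can make ACL 101 match it. The /27-versus-/28 finding is a separate problem on the Cisco side that would leave half of 10.2.1.32/27 without interesting traffic even once Phase 2 comes up.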