VTI with IKEV2 between CSR1000 to SonicWALL TZ350

vsuresh8
Level 1

Hello, when building an IPsec VPN between a CSR1000 on Azure and a SonicWALL firewall with IKEv2, I am getting the error below. From previous blogs and support manuals I have verified that the IPsec proposals on both sides are correct, the ACLs on both sides allow the traffic, and I have tried other IPsec settings, but the SA is not forming due to the error below. I would appreciate feedback.

*****************************************

*Nov 6 16:21:37.564: IKEv2:(SESSION ID = 4,SA ID = 4):Check for existing active SA
*Nov 6 16:21:37.564: IKEv2:(SESSION ID = 4,SA ID = 4):Delete all IKE SAs
*Nov 6 16:21:37.565: IKEv2:(SESSION ID = 5,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

*Nov 6 16:21:37.565: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN

6 Replies

@vsuresh8 

Please provide your configuration of the CSR and screenshots of the SonicWALL. Can you also provide the full debug output?

 

What ACL are you referring to? If you are using a VTI they don't use an ACL to permit traffic over the VPN tunnel.

 

HTH

Thanks for the response. Yes, I am aware that ACLs have significance with crypto maps; I mean to say that even with ACLs in place, IKEv2 is failing.

Using access-lists to define interesting traffic is only supported using crypto maps and not VTI. In crypto map based deployments the SAs are established based on the content of the ACL, while in a VTI deployment the Proxy ID will always be From/To 0.0.0.0, and interesting traffic is determined based on static/dynamic routing.

As per the article below it seems like Sonicwall is able to support VTI

https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-tunnel-interface-vpn-route-based-vpn-between-two-sonicwalls/170505880843761/

Example on VTI Config for IOS Routers can be found here

https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html 

Best Regards
Nicolai Borchorst
CCIE Security #65775
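As an added illustration of the route-based (VTI) design described in the reply above, here is a complete IOS-XE IKEv2 VTI configuration for a CSR1000v facing a SonicWall peer. This is example configuration written for this thread, not the poster's or Cisco's own; all addresses, object names, interface names and the pre-shared key are placeholders, and the child-SA transform set is chosen to line up with the ESP proposal visible in the poster's debug output (AES-CBC-256, SHA256, ESN off).

```cisco
! Added example: IOS-XE (CSR1000v) IKEv2 route-based VTI toward a SonicWall peer.
! Not the poster's configuration. All addresses, names and the PSK are placeholders.
!
! --- Phase 1 (IKE SA): what the CSR offers/accepts for the IKEv2 SA itself ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Pre-shared key bound to the SonicWall's WAN address (placeholder values)
crypto ikev2 keyring IKEV2-KR
 peer SONICWALL
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.10 255.255.255.255
 ! On Azure the CSR sits behind 1:1 NAT, so the IKE identity should be the
 ! public address the SonicWall actually sees, not the interface's private IP.
 identity local address 192.0.2.5
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
!
! --- Phase 2 (child SA): must match the peer's ESP proposal exactly ---
! The debug in the thread shows the peer offering AES-CBC-256 / SHA256 with ESN off.
! This transform set requests neither a different integrity algorithm nor ESN.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256-SHA256
 ! PFS must agree on both ends: both off, or both on with the same DH group.
 set pfs group14
 set ikev2-profile IKEV2-PROF
!
! --- Route-based VTI: proxy IDs are 0.0.0.0/0 <-> 0.0.0.0/0, no crypto ACL ---
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROF
!
! Interesting traffic is simply whatever the routing table sends into Tunnel0
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

The SonicWall side has to mirror the same choices: a tunnel-interface (route-based) policy, IKEv2 with AES-256/SHA256/DH group 14 for phase 1, ESP AES-256/SHA256 for phase 2, and the same PFS decision. A "Failed to find a matching policy" on the CSR for the ESP proposal means no configured transform set (including its PFS and ESN properties) matches what the peer sent, so comparing `show crypto ikev2 sa`, `show crypto ipsec sa` and the `debug crypto ikev2` output against the SonicWall's proposal settings line by line is the quickest way to find the one attribute that differs.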

Thanks for the feedback. I had already come across this SonicWALL article and did everything exactly as in the article, but it did not work.

Also, the Cisco link shared is for IKEv1; I am looking at IKEv2. There are a few steps in common, but IKEv2 has more configuration required under crypto ikev2.

ESN must be configured under IPsec for IKEv2; otherwise it does not work.

I can't find any ESN for CSR 1000 with IKEv2.