11-08-2020 12:09 AM
Hello, when building an IPsec VPN from a CSR1000 on Azure to a SonicWALL firewall with IKEv2, I am getting the error below. From previous blogs and support manuals, I have verified that the IPsec proposals on both sides are correct, the ACLs on both sides allow the traffic, and I have tried other IPsec settings, but the SA is not forming due to the error below. I would appreciate feedback.
*****************************************
*Nov 6 16:21:37.564: IKEv2:(SESSION ID = 4,SA ID = 4):Check for existing active SA
*Nov 6 16:21:37.564: IKEv2:(SESSION ID = 4,SA ID = 4):Delete all IKE SAs
*Nov 6 16:21:37.565: IKEv2:(SESSION ID = 5,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.
*Nov 6 16:21:37.565: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN
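The debug line that matters here is the `IKEv2-ERROR` one: it prints the ESP proposal the peer sent (cipher, integrity algorithm, ESN flag) that the local router could not match against any of its transform sets. As an added example (not from the original post, and not Cisco or SonicWALL code), the script below parses IOS-XE IKEv2 debug lines in the format quoted above, extracts the received ESP proposal, and compares it against a constructed table of local transform sets written in the same vocabulary, pointing out when the only difference is the ESN setting.

```python
"""Parse IOS-XE IKEv2 debug output and explain an ESP proposal mismatch.

Added example, not part of the thread. It assumes the debug line format shown
in the thread; the local transform-set table is a constructed assumption used
only to demonstrate the comparison.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four debug lines quoted in the first post.
DEBUG_LINES = [
    "*Nov 6 16:21:37.564: IKEv2:(SESSION ID = 4,SA ID = 4):Check for existing active SA",
    "*Nov 6 16:21:37.564: IKEv2:(SESSION ID = 4,SA ID = 4):Delete all IKE SAs",
    "*Nov 6 16:21:37.565: IKEv2:(SESSION ID = 5,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] "
    "Callback received for the validate proposal - FAILED.",
    "*Nov 6 16:21:37.565: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):Received Policies: : "
    "Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN",
]

# Timestamp, component (IKEv2 or IKEv2-ERROR), session/SA ids, then free text.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w+ \d+ [\d:.]+): (?P<comp>IKEv2(?:-ERROR)?):"
    r"\(SESSION ID = (?P<session>\d+),SA ID = (?P<sa>\d+)\):(?P<msg>.*)$"
)
# The debug runs "policy" and "ESP:" together; searching for "ESP: Proposal" tolerates that.
PROPOSAL_RE = re.compile(
    r"ESP: Proposal (?P<num>\d+): (?P<enc>[A-Z0-9-]+) (?P<integ>[A-Z0-9-]+) "
    r"(?P<esn>Don't use ESN|Use ESN)"
)


@dataclass(frozen=True)
class EspProposal:
    number: int
    encryption: str
    integrity: str
    esn: bool  # True when the proposal requires Extended Sequence Numbers


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into its fields, or None if it is not IKEv2 debug output."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def received_proposals(lines: List[str]) -> List[EspProposal]:
    """Collect every ESP proposal printed in IKEv2-ERROR lines."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["comp"] != "IKEv2-ERROR":
            continue
        for p in PROPOSAL_RE.finditer(rec["msg"]):
            found.append(EspProposal(int(p["num"]), p["enc"], p["integ"], p["esn"] == "Use ESN"))
    return found


# Constructed local transform sets (assumption), expressed like the debug output does.
LOCAL_TRANSFORM_SETS: Dict[str, EspProposal] = {
    "TS-AES128-SHA1": EspProposal(0, "AES-CBC-128", "SHA1", False),
    "TS-AES256-SHA256-ESN": EspProposal(0, "AES-CBC-256", "SHA256", True),
}


def matching_sets(received: EspProposal, local: Dict[str, EspProposal]) -> List[str]:
    """Names of local transform sets that match the received proposal exactly."""
    return sorted(
        name for name, ts in local.items()
        if (ts.encryption, ts.integrity, ts.esn) == (received.encryption, received.integrity, received.esn)
    )


def diagnose(lines: List[str], local: Dict[str, EspProposal] = LOCAL_TRANSFORM_SETS) -> List[dict]:
    """For each received proposal, report exact matches or the closest explanation."""
    report = []
    for p in received_proposals(lines):
        matches = matching_sets(p, local)
        if matches:
            hint = "matches local transform set(s) " + ", ".join(matches)
        else:
            # Same cipher and integrity but opposite ESN flag is the classic near miss.
            esn_only = sorted(
                name for name, ts in local.items()
                if (ts.encryption, ts.integrity) == (p.encryption, p.integrity) and ts.esn != p.esn
            )
            if esn_only:
                hint = ("only the ESN setting differs: peer sent %s, local set(s) %s expect the opposite"
                        % ("no ESN" if not p.esn else "ESN", ", ".join(esn_only)))
            else:
                hint = "no local transform set uses %s with %s" % (p.encryption, p.integrity)
        report.append({"proposal": p, "matches": matches, "hint": hint})
    return report


if __name__ == "__main__":
    for entry in diagnose(DEBUG_LINES):
        print(entry["proposal"], "->", entry["hint"])
```

Run it against a saved `debug crypto ikev2` capture by replacing `DEBUG_LINES` with the file's lines; the point is that the error line already tells you what the peer offered, so the comparison only needs your own transform sets on the other side of the table.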
11-08-2020 12:28 AM
Please provide your configuration of the CSR and screenshots of the Sonicwall, can you also provide the full debug output.
What ACL are you referring to? If you are using a VTI they don't use an ACL to permit traffic over the VPN tunnel.
HTH
11-25-2020 07:18 AM
Thanks for the response. Yes, I am aware ACLs have significance with crypto maps; I intend to say that even with the ACLs in place, IKEv2 is failing.
11-08-2020 09:00 AM - edited 11-08-2020 09:00 AM
Using Access-Lists to define interesting traffic is only supported using Crypto Maps and not VTI. In Crypto Map based deployments the SAs are established based on the content of the ACL, while in a VTI deployment the Proxy ID will always be From/To 0.0.0.0, and interesting traffic is determined based on Static/Dynamic routing.
As per the article below it seems like Sonicwall is able to support VTI
Example on VTI Config for IOS Routers can be found here
https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html
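The distinction above (ACL-derived proxy IDs with a crypto map versus 0.0.0.0/0 with a VTI) shows up in IKEv2 as the traffic selectors each side will accept for the Child SA. As an added example, not from the post or from Cisco or SonicWALL, the script below models that negotiation: each side's policy is a list of (local, remote) network pairs, and the Child SA can only be built where one side's local/remote overlaps the other side's remote/local. The IKEv2 rule applied is that the responder may narrow the selectors to the intersection (RFC 7296, section 2.9); all addresses are constructed, and whether a particular platform accepts narrowing as initiator is platform-specific and not modelled.

```python
"""Model IKEv2 traffic-selector overlap for crypto-map and VTI policies.

Added example, not part of the thread. Policies are lists of (local, remote)
CIDR strings, a constructed simplification of ACL-derived proxy IDs.
"""
from ipaddress import ip_network
from typing import List, Optional, Tuple

Pair = Tuple[str, str]


def intersect(a: str, b: str) -> Optional[str]:
    """Intersection of two CIDR blocks: the more specific one if nested, else None."""
    na, nb = ip_network(a), ip_network(b)
    if na.subnet_of(nb):
        return str(na)
    if nb.subnet_of(na):
        return str(nb)
    return None


def narrow(side_a: List[Pair], side_b: List[Pair]) -> List[Pair]:
    """Selectors a Child SA could use, seen from side A.

    A's (local, remote) must overlap B's (remote, local): A's local networks are
    B's remote networks and vice versa. Each overlapping combination yields one
    narrowed selector pair; an empty list means no Child SA can be negotiated.
    """
    result = []
    for a_local, a_remote in side_a:
        for b_local, b_remote in side_b:
            src = intersect(a_local, b_remote)
            dst = intersect(a_remote, b_local)
            if src is not None and dst is not None:
                result.append((src, dst))
    return result


# Constructed policies (assumptions, not the thread's real addressing).
CRYPTO_MAP_A = [("10.1.0.0/24", "192.168.5.0/24")]        # ACL: 10.1.0.0/24 -> 192.168.5.0/24
CRYPTO_MAP_B = [("192.168.5.0/24", "10.1.0.0/24")]        # mirror image on the peer
CRYPTO_MAP_B_WRONG = [("192.168.6.0/24", "10.1.0.0/24")]  # peer's ACL names a different LAN
VTI = [("0.0.0.0/0", "0.0.0.0/0")]                        # route-based: proxy ID is any/any


def scenarios() -> dict:
    """Side-by-side results for the deployments the thread discusses."""
    return {
        "crypto-map both sides, ACLs mirror each other": narrow(CRYPTO_MAP_A, CRYPTO_MAP_B),
        "crypto-map both sides, peer ACL mismatched": narrow(CRYPTO_MAP_A, CRYPTO_MAP_B_WRONG),
        "VTI both sides": narrow(VTI, VTI),
        "VTI locally, crypto-map on the peer": narrow(VTI, CRYPTO_MAP_B),
    }


if __name__ == "__main__":
    for name, pairs in scenarios().items():
        print(f"{name}: {pairs or 'no overlapping selectors, no Child SA'}")
```

The mismatched-ACL case is the one a crypto-map deployment hits when one side's ACL names a different subnet; with a VTI on both ends the any/any selectors always overlap and the routing table decides what enters the tunnel, which is why the reply above says the ACL is not what permits traffic over a VTI.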
11-25-2020 07:17 AM
Thanks for the feedback. I was across this SonicWALL article and did everything as in the article, but it did not work.
Also, the Cisco link shared is for IKEv1; I am looking at IKEv2. There are a few steps in common, but IKEv2 has more configuration required under crypto ikev2.
11-08-2020 01:55 PM
ESN must be configured under IPsec for IKEv2,
otherwise it will not work.
11-25-2020 07:13 AM
Can't find any ESN option for the CSR 1000 with IKEv2.