
Avaya VPN 5610 and Sonicwall TZ210

Status
Not open for further replies.

kolob4all

Vendor
Sep 13, 2010
143
US
COMMUNITY!!! NEED HELP!!!

Trying to install a VPN phone with a TZ-210. I have done it many times with Junipers and Netgears but this is the first time with a Sonicwall.
I followed TechTip 190 but Phase 2 has "no response".

I know that it's possible.

If you have working config please share.
 
Phase 1 no response usually means that there isn't a matching IKE configuration for the request. You can look at this in the SonicWALL log. This is usually because you have either set the SonicWALL to allow split tunneling and not act as the default gateway in the Group VPN policy but the phone has the protected net set to 0.0.0.0/0 or the reverse. You do have the SonicWALL set as the default gateway but there is a real protected net in the phone which would suggest split tunneling.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
OK. Here is my config. What should I change?
Please give advice if you have a TZ-210 set up and working.
I know VPN and IP Office very well, and I'm tired of tricking it for the TZ-210.
Phase 1 has no issues. I can see the tunnel on the Sonicwall but Phase 2 is failing.

Sonicwall:

VPN Global Settings

Enable VPN - Checked
WAN GroupVPN - Checked

General Tab
Security Policy
IPSec Keying Mode - IKE using Preshared Secret
Name - WAN GroupVPN
Shared Secret - ******

Proposals Tab
IKE (Phase 1) Proposal
DH Group - 2
Encryption - 3Des
Authentication - SHA1
Life Time (seconds) - 28800

IPSEC (Phase 2) Proposal
Protocol - ESP
Encryption ALG - 3DES
Authentication ALG - SHA1
Enable Perfect Forward Secrecy - Checked
DH Group - 2
Life Time (seconds) - 28800


Advanced Tab
Advanced Settings
All unchecked
Gateway 0.0.0.0
Client Authentication
Require authentication of VPN clients by XAUTH - unchecked
Allow Unauthenticated VPN Client Access: Lan subnets

Client Tab
Cache XAUTH User Name and Password on Client:Never
Virtual Adapter settings: DHCP or Manual
Allow Connections to: Split Tunnels
All other unchecked

Advanced VPN Settings:
Checked:
Enable IKE Dead Peer Detection
Enable Fragmented Packet Handling
Ignore DF (Don't Fragment) Bit
Enable NAT Traversal

All other are Unchecked.

VPN PHONE SETTINGS:
VPN Profile - Generic PSK
Server - 71.10.10.4
IKE ID - GroupVPN
PSK - ***

IKE Parameters
IKE ID Type - FQDN
Diffie Hellman Group - 2
Encryption ALG - 3Des
Authentication ALG - Sha1
IKE Xchange Mode - Aggressive
IKE Config Mode - Disabled
XAUTH - Disable
Cert Expiry Check - Disabled
Cert DN Check - Disabled

IPSEC Parameters
Encryption ALG - 3DES
Authentication ALG - Sha1
Diffie Hellman Group - 2

VPN Start Mode - Boot
Password Type - N/A
Encapsulation - 4500 - 4500
Protected Nets
Virtual IP
172.16.22.5
Remote Net #1
192.168.2.0/24

Copy TOS - No
Connectivity Check - Always
QTEST - Disabled
 
What is the IP address used on the remote network?

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
This all looks correct. You are getting phase one no response? What does the log in the SonicWALL say?

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
Logs say:
IKE negotiation complete. Adding IPSec SA. (Phase 2
VPN Policy: WAN GroupVPN; ESP:3DES; HMAC_SHA1; Group 2; Lifetime=28800 secs; inSPI:0x102dacc1; outSPI:0xd27353e

IKE Responder: IPSec proposal does not match (Phase 2)
 
IPSec, so that is Phase 2, unfortunately, which can be many more things than Phase 1.

Your settings appear to match so I would try this. On the sonicwall change the Client tab from Split Tunnels to All Protected Gateways and there should be a check box for making this the default gateway. Then on the Advanced tab put the IP address of the IP Office in the gateway box.

On the phone remove the protected network and set it to 0.0.0.0/0. The phone doesn't split tunnels anyway. Unless you are using this for something other than phones this will not have any impact on regular users.

If that doesn't work try setting the Advanced tab gateway to the IP address of the LAN interface of the sonicwall.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
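The two checks Kyle walks through above (do the Phase 2 transforms match, and do the phone's protected nets agree with the firewall's split-tunnel / default-gateway setting) are written out below as an added example; it is not code from the thread, from SonicWALL or from Avaya. The firewall and phone values are transcribed from the settings posted earlier in the thread, the log lines are the ones quoted from the SonicWALL, and the firewall LAN subnet, which the thread never states, is assumed to be the phone's Remote Net #1.

```python
"""Consistency check for the IKEv1/IPsec settings posted in this thread.

Added example (not vendor code): the firewall and phone values are transcribed
from the posted settings; the firewall LAN subnet is NOT given in the thread and
is assumed here to be the phone's Remote Net #1.
"""
import ipaddress
import re
from typing import Dict, List

# Transcribed from the SonicWALL WAN GroupVPN settings in the thread.
FIREWALL = {
    "phase2": {"protocol": "ESP", "encryption": "3DES", "auth": "SHA1",
               "pfs": True, "dh_group": 2, "lifetime": 28800},
    "split_tunnel": True,                 # Client tab: "Allow Connections to: Split Tunnels"
    "allowed_nets": ["192.168.2.0/24"],   # ASSUMPTION: LAN subnet, not stated in the thread
}

# Transcribed from the VPN phone settings in the thread (mixed casing kept on purpose).
PHONE = {
    "phase2": {"protocol": "ESP", "encryption": "3DES", "auth": "Sha1", "dh_group": 2},
    "remote_nets": ["192.168.2.0/24"],    # Protected Nets / Remote Net #1
}

# The log lines quoted in the thread, as posted (one closing parenthesis is missing).
LOG_LINES = [
    "IKE negotiation complete. Adding IPSec SA. (Phase 2",
    "VPN Policy: WAN GroupVPN; ESP:3DES; HMAC_SHA1; Group 2; Lifetime=28800 secs; "
    "inSPI:0x102dacc1; outSPI:0xd27353e",
    "IKE Responder: IPSec proposal does not match (Phase 2)",
]


def norm(value) -> str:
    """Normalize spellings such as '3Des', 'Sha1', 'AES-128' so casing and
    hyphens from different vendor UIs do not register as mismatches."""
    return str(value).upper().replace("-", "").replace("_", "")


def compare_proposals(fw: Dict, phone: Dict, keys) -> List[str]:
    """One message per parameter on which the two proposals differ.
    Keys absent on either side are skipped (a road-warrior client often
    leaves lifetime unset and accepts the responder's value)."""
    return [f"{key}: firewall={fw[key]} phone={phone[key]}"
            for key in keys
            if key in fw and key in phone and norm(fw[key]) != norm(phone[key])]


def check_phase2(fw: Dict, phone: Dict) -> List[str]:
    """Phase 2 (IPsec SA) check: ESP transform plus PFS group consistency."""
    problems = compare_proposals(fw["phase2"], phone["phase2"],
                                 ("protocol", "encryption", "auth"))
    if fw["phase2"].get("pfs"):
        # The responder insists on a fresh DH exchange; the client must offer the same group.
        fw_group, phone_group = fw["phase2"]["dh_group"], phone["phase2"].get("dh_group", "none")
        if norm(fw_group) != norm(phone_group):
            problems.append(f"pfs dh_group: firewall={fw_group} phone={phone_group}")
    return problems


def check_selectors(fw: Dict, phone: Dict) -> List[str]:
    """Traffic-selector check: the part of Phase 2 that the transform settings do not show.
    This is the split-tunnel vs. 0.0.0.0/0 disagreement described in the thread."""
    problems = []
    allowed = [ipaddress.ip_network(n) for n in fw["allowed_nets"]]
    for net_str in phone["remote_nets"]:
        net = ipaddress.ip_network(net_str)
        full_tunnel = net.prefixlen == 0
        if full_tunnel and fw["split_tunnel"]:
            problems.append(f"{net}: phone requests a full tunnel but the firewall "
                            "only offers split-tunnel subnets")
        elif not full_tunnel and not fw["split_tunnel"]:
            problems.append(f"{net}: phone requests one subnet but the firewall is set "
                            "as default gateway (0.0.0.0/0)")
        elif fw["split_tunnel"] and not any(net.subnet_of(a) for a in allowed):
            problems.append(f"{net}: not within any firewall-side protected subnet "
                            f"{fw['allowed_nets']}")
    return problems


PHASE_RE = re.compile(r"\(Phase ([12])\)?", re.IGNORECASE)   # tolerates the missing ')'
SPI_RE = re.compile(r"\b(in|out)SPI:(0x[0-9a-fA-F]+)")


def parse_log_line(line: str) -> Dict[str, object]:
    """Classify a SonicWALL-style IKE log line: phase, failure or not, and any SPIs."""
    m = PHASE_RE.search(line)
    return {
        "phase": int(m.group(1)) if m else None,
        "failed": "does not match" in line or "no response" in line.lower(),
        "spis": {direction: int(spi, 16) for direction, spi in SPI_RE.findall(line)},
        "text": line.strip(),
    }


if __name__ == "__main__":
    for problem in check_phase2(FIREWALL, PHONE) + check_selectors(FIREWALL, PHONE):
        print("mismatch:", problem)
    for entry in LOG_LINES:
        print(parse_log_line(entry))
```

Run as posted, the transform check comes back empty, which matches Kyle's reading that the settings themselves agree; swapping the phone to a 0.0.0.0/0 protected net while the firewall stays on Split Tunnels, or the reverse, is what produces a selector mismatch, so that pair of settings is what to compare before touching algorithms.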
 
Also you might get better performance using AES-128 and SHA1 and unless you are some super secret government agency or very worried about someone listening to your calls there is no need for the extra overhead that you get from 3DES. Personally I would also turn off the phase 2 (IPSec) Perfect Forward Secrecy but that is just me.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
Tried what was suggested. Changing 3DES to AES-128 didn't help and made no difference.
Changing the default GW to the IPO didn't work at all.
Disabling PFS didn't work either.

Returned all settings back to original (see above) and changed Protected Gateway to Router IP. VPN goes through on both Phases.
I'm getting ...

IKE negotiation complete. Adding IPSec SA. (Phase 2)

...from firewall. And then in 20 seconds ...

Received IPSec SA delete request

... from outSPI:0x52c7b12.

Then the phone changes Encapsulation mode and repeats both phases.

After 4 cycles, when the phone has tried all Enc. modes, it goes to the
"Failed to reach known host" message.

Tried to disable Encapsulation on the phone but it made no difference.
 
Sonicwalls are notorious here for being stubborn and a pain to work with, I would consider a different router to save headaches :)

ACSS (SME)
APSS (SME)


"I'm just off to Hartlepool to buy some exploding trousers"
 
To amriddle01:

The thread name is "How to connect", not "How to replace".
 
I ran into something similar not too long ago. I removed the "WAN" in WAN GroupVPN, making it GroupVPN, in the TZ210. It removed the Phase 1 error. I even got it to pass through the Phase 2 settings. Your settings appear right if you're using the Avaya tech tip. I could not get it to discover the IPO when it finally passed through the router. I purchased a 9630G and performed this with XAUTH enabled and it works great.
Good luck
 
I am unable to remove the (WAN) from WAN GroupVPN; I can't change the name to take the space out. I created a VPN Policy but there is no Client tab... Is the VPN supposed to be site-to-site or tunnel?
 
TO telecomuser:

If you're trying to connect the VPN to a Linksys then don't waste your time.
Get the Netgear that is recommended by Avaya (I don't remember the model), but you will need to reboot it from time to time.

Juniper SSG and SRX are working fine without any problems. They require a few tweaks but Juniper support is very helpful.

I opened this thread hoping that somebody has working configuration for TZ-210 and can share it because Sonicwall Support had no idea what to do.
 
I have done one SSG5 and a couple of Netgear 336s and I must say that the SSG5 is way more stable.
But I have beta firmware for the 336 which seems to be stable too.
As long as you do not touch the Netgear it works :)

BAZINGA!

I'm not insane, my mother had me tested!
 