
Sonicwall VPN site to site


(OP)
Hi, we have two SonicWall VPN units (2040, NSA 2400). The VPN tunnel is up, but in the logs of the NSA 2400 I can see a few
IPSec (ESP) packets dropped, and I cannot connect from one side to the other.


This is the config on the SonicWall 2400

IKE (Phase 1) Proposal

Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication:  SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal

Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1

This is the config on the 2040pro

IKE (Phase 1) Proposal

Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication:  SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal

Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1


RE: Sonicwall VPN site to site

What do the logs say?

RE: Sonicwall VPN site to site

(OP)
This is the log on the 2400.

I get some IPSec (ESP) packets dropped:

05/07/2010 10:49:26.160 - Info - VPN IKE -     IKE Initiator: Start Main Mode negotiation (Phase 1) -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1
05/07/2010 10:49:33.640 - Info - VPN IKE -     IKE Initiator: Remote party timeout - Retransmitting IKE request. -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1
05/07/2010 10:49:34.944 - Info - VPN IKE -     NAT Discovery :  No NAT/NAPT device detected between IPSec Security gateways -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1
05/07/2010 10:49:35.016 - Info - VPN IKE -     IKE Initiator: Main Mode complete (Phase 1) -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1;3DES; SHA1; DH Group 2; lifetime=28800 secs
05/07/2010 10:49:35.016 - Info - VPN IKE -     IKE Initiator: Start Quick Mode (Phase 2). -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1
05/07/2010 10:49:35.048 - Info - VPN IKE -     IKE Initiator: Accepting IPSec proposal (Phase 2) -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1; Local network 10.200.2.0 / 255.255.255.0; Remote network 10.200.1.0/255.255.255.0
05/07/2010 10:49:35.048 - Info - VPN IKE -     IKE negotiation complete. Adding IPSec SA. (Phase 2) -     siteb_ip, 500 -     sitea_ip, 500, MTRLPQ02-1176251909.sdsl.bell.ca -     VPN Policy: toch1; ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0xa34fac08; outSPI:0x70ecaa8b

RE: Sonicwall VPN site to site

(OP)
Here is a bit more information

  Model: PRO 2040 Standard
  Serial Number: 0006B1307C08
  Authentication Code: 52BV-B3HK
  Firmware Version: SonicOS Standard 3.1.5.0-2s
  ROM Version: SonicROM 3.1.0.2
  CPU (10s average): 2.33% - 800 MHz VIA C3 Processor
  Total Memory: 128MB RAM, 64MB Flash
  System Time: 05/07/2010 22:30:12
  Up Time: 41 Days 11:46:44


  Model: NSA 2400  
  Product Code: 5805  
  Serial Number: 0017C513913C  
  Authentication Code: YJTJ-HAS3  
  Firmware Version: SonicOS Enhanced 5.4.0.0-20o  
  Safemode Version:  Safemode 5.0.1.3  
  ROM Version:  SonicROM 5.0.2.4  
  CPUs: 0.21% - 2 x 500 MHz Mips64 Octeon Processor   
  Total Memory :  512 MB RAM, 512 MB Flash  
  System Time : 05/07/2010 22:31:43
  Up Time :

Is it even doable to do a site-to-site with these two models?

RE: Sonicwall VPN site to site

But where are the dropped packet logs? When the tunnel comes up, what happens when you try to ping one side to the other? Are these NATting? Can you debug while pinging the other side?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

RE: Sonicwall VPN site to site

(OP)
Yes there are some

IPSec (ESP) packet dropped xx.xx.xx.xx, 0, 1, .sdsl.bell.ca xx.xx.xx.xx Inbound: SeqNum=16521194, SPI=0x440043

Am I correct in assuming that I do not need to add any static route or firewall policy?

Also see the attached network diagram.
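An added triage example for this thread (it is not code from the poster or from SonicWall). The Phase 2 completion line posted earlier records the SA pair as inSPI/outSPI, while the "IPSec (ESP) packet dropped" line carries the SPI of the packet that was rejected. Comparing the two separates two different faults: an inbound drop whose SPI is not one of this unit's negotiated inbound SPIs means the peer is sending on an SA this side does not have (a stale or mismatched SA, typically after one side renegotiated), whereas a drop whose SPI does match an active SA points elsewhere (anti-replay, integrity failure, policy). The script below parses both line types and classifies each drop. The sample log lines are constructed from the formats shown in the thread; the timestamps, the peer placeholders and the "VPN IPsec" category prefix on the drop lines are assumptions.

```python
"""Triage helper for SonicWall VPN logs: correlate "IPSec (ESP) packet dropped"
events with the SPIs negotiated in "Adding IPSec SA" (Phase 2) events.

Added example for this thread; not SonicWall code. The sample log lines are
constructed from the format shown in the thread (timestamps, addresses and the
"VPN IPsec" category prefix on the drop lines are assumptions).
"""
import re

# Phase 2 completion line: carries the policy name and both SPIs of the new SA pair.
SA_RE = re.compile(
    r"Adding IPSec SA.*?VPN Policy: (?P<policy>[^;]+);.*?"
    r"inSPI:(?P<in_spi>0x[0-9a-fA-F]+);\s*outSPI:(?P<out_spi>0x[0-9a-fA-F]+)"
)
# Drop line: direction, ESP sequence number and the SPI of the rejected packet.
DROP_RE = re.compile(
    r"IPSec \(ESP\) packet dropped.*?(?P<direction>Inbound|Outbound):\s*"
    r"SeqNum=(?P<seq>\d+),\s*SPI=(?P<spi>0x[0-9a-fA-F]+)"
)

# Constructed sample: one Phase 2 completion followed by two inbound drops,
# one on an SPI this unit never negotiated and one on the active inbound SPI.
SAMPLE_LOG = [
    "05/07/2010 10:49:35.048 - Info - VPN IKE - IKE negotiation complete. "
    "Adding IPSec SA. (Phase 2) - siteb_ip, 500 - sitea_ip, 500 - VPN Policy: toch1; "
    "ESP:3DES; HMAC_SHA1; Lifetime=28800 secs; inSPI:0xa34fac08; outSPI:0x70ecaa8b",
    "05/07/2010 10:50:01.100 - Info - VPN IPsec - IPSec (ESP) packet dropped "
    "sitea_ip, 0, 1, siteb_ip Inbound: SeqNum=16521194, SPI=0x440043",
    "05/07/2010 10:50:02.200 - Info - VPN IPsec - IPSec (ESP) packet dropped "
    "sitea_ip, 0, 1, siteb_ip Inbound: SeqNum=17, SPI=0xA34FAC08",
]


def triage(lines):
    """Walk the log in order and classify every dropped ESP packet.

    Returns one dict per drop. 'unknown_spi' means the packet used an SPI this
    unit never negotiated (or has since replaced): the peer is sending on a
    stale or mismatched SA. 'matches_active_sa' means the SA exists here, so
    the drop has another cause (anti-replay, integrity failure, policy).
    """
    inbound_spis, outbound_spis = {}, {}   # policy name -> SPI (as int)
    findings = []
    for line in lines:
        sa = SA_RE.search(line)
        if sa:
            # A new Phase 2 for the same policy replaces the previous SA pair.
            policy = sa.group("policy").strip()
            inbound_spis[policy] = int(sa.group("in_spi"), 16)
            outbound_spis[policy] = int(sa.group("out_spi"), 16)
            continue
        drop = DROP_RE.search(line)
        if not drop:
            continue
        spi = int(drop.group("spi"), 16)   # int comparison ignores case/zero padding
        direction = drop.group("direction")
        # Inbound packets must carry one of *our* inbound SPIs; outbound drops
        # are checked against the outbound set.
        known = inbound_spis if direction == "Inbound" else outbound_spis
        verdict = "matches_active_sa" if spi in known.values() else "unknown_spi"
        findings.append({
            "direction": direction,
            "seq": int(drop.group("seq")),
            "spi": f"0x{spi:08x}",
            "verdict": verdict,
        })
    return findings


def summarize(findings):
    """Count verdicts; a non-zero 'unknown_spi' count points at an SA mismatch."""
    counts = {"unknown_spi": 0, "matches_active_sa": 0}
    for f in findings:
        counts[f["verdict"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for r in results:
        print(f"{r['direction']:8} seq={r['seq']:<10} spi={r['spi']}  {r['verdict']}")
    print(summarize(results))
```

Feed it the full log export from the unit reporting the drops (oldest line first), since the classification depends on seeing the "Adding IPSec SA" line that preceded each drop; a run of unknown_spi verdicts right after a Phase 2 on the other side is the signature of the two units holding different SAs.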

RE: Sonicwall VPN site to site

(OP)
Hi, I did some more testing: I took a Symantec 200 and was able to establish communication with the 2040.

But on the 2400, same issue: the tunnel comes up but no traffic. So there has got to be something in the 2400 config, but the VPN configuration seems identical.

Anyone got any idea?
