Hi,
Having a hard time getting a VPN up and running. The other side is a SonicWall (which we don’t/can’t control).
We seem to get most of the connection up, but we see the following, and no traffic flows:
/ip ipsec remote-peers print
0 local-address=1.1.1.1 remote-address=2.2.2.2 state=established side=initiator established=6m30s
/ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0 src-address=1.1.1.1 dst-address=2.2.2.2 auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s
1 E spi=0x34B00AB src-address=2.2.2.2 dst-address=1.1.1.1 auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s
Turning logging on at the console, we see the following once we clear the ‘my ID user FQDN’ value, which, based on what I’ve been able to find, should send the IP. On the SonicWall, leaving that blank should also make the IP the default.
echo: ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
echo: ipsec,debug,packet notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=0c431bd2(size=4).
/ip ipsec policy print shows:
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=192.168.110.0/24 src-port=any dst-address=10.7.1.22/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 proposal=sonicwall-asa priority=0
/ip ipsec peer shows:
address=2.2.2.2/32 passive=no port=500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal
echo: ipsec IPsec-SA expired: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=234896348(0xe003bdc
We also have the NAT rule to bypass.
0 chain=srcnat action=accept src-address=192.168.110.0/24 dst-address=10.7.1.22
The other side claims that it’s a NAT issue on our side based on what they see in the logs:
4 11/14/2013 08:09:49.512 Warning VPN IKE IKE Responder: Peer's network does not match VPN policy's Network 1.1.1.1, 500 2.2.2.2, 500 VPN Policy: AAA; Peer 10.7.1.22->192.168.110.0/255.255.255.0;Local:10.7.1.22 ->10.81.25.0 / 255.255.255.0
5 11/14/2013 08:09:49.496 Info VPN IKE IKE Responder: Received Quick Mode Request (Phase 2) 1.1.1.1, 500 2.2.2.2, 500 VPN Policy: AAA
6 11/14/2013 08:09:39.144 Warning VPN IKE IKE Responder: IPSec proposal does not match (Phase 2) 1.1.1.1, 500 2.2.2.2, 500 VPN Policy: AAA
Based on this, it would seem that the IPSec proposal isn’t matching, but as far as I can tell from the information they’ve sent, it does. The only thing I’ve noticed, and tried both ways, is that the ipsec (phase 2) proposal doesn’t seem to have a definition for DH group 2, but I’m not sure whether that would have an effect or if it carries over from phase 1…
Any thoughts?
Thanks in advance,
Carlos.
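As an added example (not part of the post above), the following script compares the phase 2 traffic selectors from the RouterOS policy print with the networks quoted in the SonicWall "Peer's network does not match" warning, and names the selector that differs. It assumes the SonicWall line lists the initiator's proposed networks after "Peer" and its own VPN policy after "Local", both written as SonicWall-side network -> far-side network; the sample strings are reconstructed from the post with the log line-wraps rejoined.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the post (line wraps rejoined).
ROUTEROS_POLICY = (
    "0 src-address=192.168.110.0/24 src-port=any dst-address=10.7.1.22/32 "
    "dst-port=any protocol=all action=encrypt level=require"
)
SONICWALL_WARNING = (
    "IKE Responder: Peer's network does not match VPN policy's Network "
    "Peer 10.7.1.22->192.168.110.0/255.255.255.0;"
    "Local:10.7.1.22 ->10.81.25.0 / 255.255.255.0"
)

_ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})"
_NET = _ADDR + r"(?:\s*/\s*" + _ADDR + r")?"   # address with optional dotted mask


def _to_net(addr, mask=None):
    """Build a network from an address and optional dotted mask (host if absent)."""
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def parse_routeros_policy(line):
    """Return (src, dst) networks from a RouterOS '/ip ipsec policy print' line."""
    src = re.search(r"src-address=(\S+)", line).group(1)
    dst = re.search(r"dst-address=(\S+)", line).group(1)
    return ipaddress.ip_network(src, strict=False), ipaddress.ip_network(dst, strict=False)


def parse_sonicwall_warning(line):
    """Return {'peer': (local, remote), 'local': (local, remote)} from the warning.
    Assumption: 'Peer' is the initiator's proposal, 'Local' the SonicWall's policy."""
    pat = re.compile(r"(Peer|Local)\s*:?\s*" + _NET + r"\s*->\s*" + _NET)
    return {m.group(1).lower(): (_to_net(m.group(2), m.group(3)),
                                 _to_net(m.group(4), m.group(5)))
            for m in pat.finditer(line)}


def diagnose(policy_line, warning_line):
    """Return a list of mismatch findings; an empty list means selectors agree."""
    ros_src, ros_dst = parse_routeros_policy(policy_line)
    sw = parse_sonicwall_warning(warning_line)
    findings = []
    # Phase 2 selectors must mirror: our dst is their local, our src is their remote.
    if sw["peer"] != (ros_dst, ros_src):
        findings.append("SonicWall saw a proposal different from our RouterOS policy")
    (sw_local, sw_remote), (peer_local, peer_remote) = sw["local"], sw["peer"]
    if sw_local != peer_local:
        findings.append(f"local network differs: policy {sw_local}, proposed {peer_local}")
    if sw_remote != peer_remote:
        findings.append(f"remote network differs: policy {sw_remote}, proposed {peer_remote}")
    return findings
```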