Sonicwall Site to Site

By rlynch@lockhartcadillac.
Hello,
I am trying to set up a site to site VPN between a tz150 and pro2040. Both have a static WAN IP. The tz150 is running standard OS and the 2040 enhanced OS. I'm having trouble getting the connection up after following all the steps. I was wondering if there is something like an access rule that must be in place on both before even beginning the process of a site to site setup? Also, do the SonicWalls need any certain extra license for a site to site to work? They both have CFS licenses, global VPN client licenses, etc. I didn't think there was any extra license needed for a site to site config. I continue to get an invalid cookie error when I look into the logs. Thanks in advance for the help.


All Answers


Re: site to site VPN

by christianshiflet In reply to Sonicwall Site to Site

Can you tell which phase you are getting the error in? From both devices, if you go into the specific VPN Policy configuration on the Advanced tab, is the "Suppress automatic access rule creation" box unchecked (2040 only) (there are access rules that need to exist for the VPN, but the device will usually add them for you if you let it)? Lastly, from each device go to the System - Licenses area and check to ensure that VPN, Global VPN Client, and VPN SA are all licensed/enabled.

Let me know if this helps or you have further questions. Thanks.


Cookie Error

by rlynch@lockhartcadillac. In reply to Re: site to site VPN

Thanks for getting back so quickly. I will paste the errors below. Both devices have those licenses and are enabled. What is the VPN SA license for anyway? Here is the log in order from the tz150 after configuring the site to site...
Received unencrypted packet while crypto active

RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x497289679842819f, MsgI 0x596D92B9) (NOTIFY:INVALID_COOKIE)

Received notify: INVALID_COOKIES


IKE Initiator: No response - remote party timeout


Re: cookie error

by christianshiflet In reply to Cookie Error

Okay, I would begin by verifying that the VPN proposal phases are identical. If they are, I would delete the policy on the TZ 150 and re-create it to match the 2040's. What authentication mode are you using, anyway (IKE/Pre-shared key, certificate...)? Start out by being more open (if using IKE, leave the local and peer IKE IDs as blank IP addresses (means any IP with matching credentials can connect)). Let me know if you continue to get the same error, a different error, or it works.

And, since you asked, the VPN SA is the Security Association for the VPN. It outlines how the device will build and utilize relationships with other devices.

I hope that helps.


Thanks

by rlynch@lockhartcadillac. In reply to Re: cookie error

That does help. I did notice something else in the log of the main site 2040. The log showed a message about the connection dropping due to a route configured on the 2040 overriding the VPN policy. I am guessing this route was put in place when the two stores connected via point to point T1. That route is configured with the same subnet as the new site to site VPN policy that I'm trying to get up and running. I am going to delete that route this evening and see if that is my problem. Here is the log by the way from the remote site. Thanks again for the help.

IKE Initiator: Start Main Mode negotiation (Phase 1)

SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) (SA, VID)

RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) (SA, VID, VID)

SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) (KE, NATD, NATD, NON, VID, VID, VID)

RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) (KE, NATD, NATD, NON, VID, VID, VID)

NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways

SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) *(ID, HASH)

RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) *(ID, HASH, NOTIFY:INITIAL_CONTACT)

IKE Initiator: Main Mode complete (Phase 1)

IKE Initiator: Start Quick Mode (Phase 2).

SENDING>>>> ISAKMP OAK QM (InitCookie 0xf861373a2d9eec6a, MsgI 0xF2CF5EC4) *(HASH, SA, NON, ID, ID)

RECEIVED<<< ISAKMP OAK INFO (InitCookie 0xf861373a2d9eec6a, MsgI 0x76729296) *(HASH, NOTIFY:INVALID_ID_INFO)

Received notify: INVALID_ID_INFO
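
Added example, not part of the original thread: a small Python parser that answers the "which phase?" question from the two logs posted above by tracking the Main Mode / Quick Mode markers and reporting each error notify received from the peer. The hint texts are the general IKEv1 (RFC 2408) reading of the notify names, and treating a leading `*` as "encrypted payloads" is an assumption drawn from the log format.

```python
import re

# Log lines copied from the two posts in this thread (TZ 150 side), trimmed.
FIRST_LOG = """\
Received unencrypted packet while crypto active
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x497289679842819f, MsgI 0x596D92B9) (NOTIFY:INVALID_COOKIE)
IKE Initiator: No response - remote party timeout"""
SECOND_LOG = """\
IKE Initiator: Start Main Mode negotiation (Phase 1)
SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) *(ID, HASH)
RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgI 0x0) *(ID, HASH, NOTIFY:INITIAL_CONTACT)
IKE Initiator: Main Mode complete (Phase 1)
IKE Initiator: Start Quick Mode (Phase 2).
SENDING>>>> ISAKMP OAK QM (InitCookie 0xf861373a2d9eec6a, MsgI 0xF2CF5EC4) *(HASH, SA, NON, ID, ID)
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0xf861373a2d9eec6a, MsgI 0x76729296) *(HASH, NOTIFY:INVALID_ID_INFO)"""

MSG = re.compile(r"(SENDING>>>>|RECEIVED<<<) ISAKMP OAK (MM|QM|INFO) "
                 r"\(InitCookie (0x[0-9a-fA-F]+), MsgI (0x[0-9a-fA-F]+)\) (\*?)\((.*)\)")
# General IKEv1 meaning of each notify; not a SonicWall-specific diagnosis.
HINTS = {
    "INVALID_COOKIE": "peer does not recognise the cookie on this exchange",
    "INVALID_ID_INFO": "peer rejected the ID payloads (in Quick Mode: the networks)",
}

def analyze(log):
    """Return one record per error notify received, tagged with the phase in progress."""
    phase, errors = "unknown", []
    for line in log.splitlines():
        if "Start Main Mode" in line:
            phase = "Phase 1"
        elif "Start Quick Mode" in line:
            phase = "Phase 2"
        m = MSG.search(line)
        if not m or m.group(1) != "RECEIVED<<<":
            continue
        for payload in m.group(6).split(", "):
            name = payload[len("NOTIFY:"):]
            # INITIAL_CONTACT is a status notify, not a failure.
            if payload.startswith("NOTIFY:") and name != "INITIAL_CONTACT":
                errors.append({"phase": phase, "notify": name, "cookie": m.group(3),
                               "encrypted": m.group(5) == "*",  # assumption: * = encrypted
                               "hint": HINTS.get(name, "no hint")})
    return errors

if __name__ == "__main__":
    for log in (FIRST_LOG, SECOND_LOG):
        for err in analyze(log):
            print(err)
```

The first log carries no phase markers, so its notify is reported with phase "unknown"; the second is reported as a Phase 2 failure after Main Mode completed.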
