Question

  • #2196366

    Sonicwall Site to Site

    by rlynch2 ·

    Hello,
    I am trying to set up a site-to-site VPN between a TZ150 and a PRO2040. Both have a static WAN IP. The TZ150 is running Standard OS and the 2040 Enhanced OS. I'm having trouble getting the connection up after following all the steps. I was wondering if there is something like an access rule that must be in place on both before even beginning the process of a site-to-site setup? Also, do the SonicWalls need any certain extra license for a site-to-site to work? They both have CFS licenses, Global VPN Client licenses, etc. I didn't think there was any extra license needed for a site-to-site config. I continue to get an invalid cookie error when I look into the logs. Thanks in advance for the help.

All Answers

    • #2836635

      Clarifications

      by rlynch2 ·

      In reply to Sonicwall Site to Site

      Clarifications

    • #2836627

      Re: site to site VPN

      by pshiflet-24 ·

      In reply to Sonicwall Site to Site

      Can you tell which phase you are getting the error in? From both devices, if you go into the specific VPN Policy configuration on the Advanced tab, is the "Suppress automatic access rule creation" box unchecked (2040 only)? (There are access rules that need to exist for the VPN, but the device will usually add them for you if you let it.) Lastly, from each device go to the System – Licenses area and check to ensure that VPN, Global VPN Client, and VPN SA are all licensed/enabled.

      Let me know if this helps or you have further questions. Thanks.

      • #2836624

        Cookie Error

        by rlynch2 ·

        In reply to Re: site to site VPN

        Thanks for getting back so quickly. I will paste the errors below. Both devices have those licenses and are enabled. What is the VPN SA license for anyway? Here is the log in order from the TZ150 after configuring the site-to-site…
        Received unencrypted packet while crypto active

        RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x497289679842819f, MsgID: 0x596D92B9) (NOTIFY:INVALID_COOKIE)
        Received notify: INVALID_COOKIES
        IKE Initiator: No response - remote party timeout

        • #2836408

          Re: cookie error

          by pshiflet-24 ·

          In reply to Cookie Error

          Okay, I would begin by verifying that the VPN proposal phases are identical. If they are, I would delete the policy on the TZ 150 and re-create it to match the 2040's. What authentication mode are you using, anyway (IKE/pre-shared key, certificate…)? Start out by being more open (if using IKE, leave the local and peer IKE IDs as blank IP addresses (means any IP with matching credentials can connect)). Let me know if you continue to get the same error, a different error, or it works.

          And, since you asked, the VPN SA is the Security Association for the VPN. It outlines how the device will build and utilize relationships with other devices.

          I hope that helps.

        • #2836364

          Thanks

          by rlynch2 ·

          In reply to Re: cookie error

          That does help. I did notice something else in the log of the main site 2040. The log showed a message about the connection dropping due to a route configured on the 2040 overriding the VPN policy. I am guessing this route was put in place when the two stores connected via point-to-point T1. That route is configured with the same subnet as the new site-to-site VPN policy that I'm trying to get up and running. I am going to delete that route this evening and see if that is my problem. Here is the log, by the way, from the remote site. Thanks again for the help.

          IKE Initiator: Start Main Mode negotiation (Phase 1)

          SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) (SA, VID)

          RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) (SA, VID, VID)
          SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID)

          RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID)
          NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways
          SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) *(ID, HASH)

          RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) *(ID, HASH, NOTIFY:INITIAL_CONTACT)
          IKE Initiator: Main Mode complete (Phase 1)
          IKE Initiator: Start Quick Mode (Phase 2).
          SENDING>>>> ISAKMP OAK QM (InitCookie 0xf861373a2d9eec6a, MsgID: 0xF2CF5EC4) *(HASH, SA, NON, ID, ID)

          RECEIVED<<< ISAKMP OAK INFO (InitCookie 0xf861373a2d9eec6a, MsgID: 0x76729296) *(HASH, NOTIFY:INVALID_ID_INFO)
          Received notify: INVALID_ID_INFO
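The "which phase is the error in?" question asked earlier in this thread can be answered mechanically from these logs. The following Python script is an added example, not code from the thread or from SonicWall: it replays the two log excerpts quoted above and reports the phase in which the first error notify arrived and whether that notify's InitCookie belongs to a negotiation this side started (the hint texts are general IKEv1 meanings, not vendor documentation).

```python
import re

# Constructed sample input: the two SonicWall log excerpts quoted in this
# thread, one IKE event per line (the forum posts ran several together).
TZ150_LOG = """\
Received unencrypted packet while crypto active
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x497289679842819f, MsgID: 0x596D92B9) (NOTIFY:INVALID_COOKIE)
Received notify: INVALID_COOKIES
IKE Initiator: No response - remote party timeout
"""
REMOTE_LOG = """\
IKE Initiator: Start Main Mode negotiation (Phase 1)
SENDING>>>> ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) (SA, VID)
RECEIVED<<< ISAKMP OAK MM (InitCookie 0xf861373a2d9eec6a, MsgID: 0x0) *(ID, HASH, NOTIFY:INITIAL_CONTACT)
IKE Initiator: Main Mode complete (Phase 1)
IKE Initiator: Start Quick Mode (Phase 2).
SENDING>>>> ISAKMP OAK QM (InitCookie 0xf861373a2d9eec6a, MsgID: 0xF2CF5EC4) *(HASH, SA, NON, ID, ID)
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0xf861373a2d9eec6a, MsgID: 0x76729296) *(HASH, NOTIFY:INVALID_ID_INFO)
"""

NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")
COOKIE_RE = re.compile(r"InitCookie (0x[0-9a-fA-F]+)")
BENIGN_NOTIFIES = {"INITIAL_CONTACT", "RESPONDER_LIFETIME"}  # informational, not errors
# General IKEv1 meanings of the error notifies (assumed, not vendor documentation).
HINTS = {
    "INVALID_COOKIE": "peer has no IKE SA for these cookies: stale SA, or the packet reached a peer/policy that never negotiated it",
    "INVALID_ID_INFO": "peer rejected an ID payload: in Phase 2 the local/destination networks (proxy IDs) differ between the two policies, in Phase 1 the IKE IDs differ",
    "NO_PROPOSAL_CHOSEN": "no matching encryption/hash/DH-group/lifetime proposal for the current phase",
}

def diagnose(log: str) -> dict:
    """Report the phase of the first error notify and whether its cookie is ours."""
    phase = None          # 1 = Main Mode, 2 = Quick Mode, None = no exchange seen yet
    own_cookies = set()   # InitCookies from MM/QM exchanges this side took part in
    for line in log.splitlines():
        if "OAK MM" in line or "Start Main Mode" in line:
            phase = 1
        elif "OAK QM" in line or "Start Quick Mode" in line:
            phase = 2
        cookie = COOKIE_RE.search(line)
        if cookie and "OAK INFO" not in line:      # INFO messages only reference a cookie
            own_cookies.add(cookie.group(1).lower())
        notify = NOTIFY_RE.search(line)
        if not notify or "RECEIVED" not in line or notify.group(1) in BENIGN_NOTIFIES:
            continue
        name = notify.group(1)
        return {"notify": name, "phase": phase,
                "known_cookie": cookie.group(1).lower() in own_cookies if cookie else None,
                "hint": HINTS.get(name, "unlisted notify; check the vendor log reference")}
    return {"notify": None, "phase": phase, "known_cookie": None, "hint": "no error notify in log"}
```

On the TZ150 log this reports an INVALID_COOKIE with no phase started and a cookie this side never negotiated; on the remote log it reports INVALID_ID_INFO arriving in Phase 2 on a known cookie, which points at the Phase 2 network definitions rather than at licensing or Phase 1 settings.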