Site-to-Site: TZ170 to ISA Server 2006 (Full Version)



y0sh1 -> Site-to-Site: TZ170 to ISA Server 2006 (14.Jul.2009 10:30:16 AM)

I am trying to create an IPsec tunnel between ISA 2006 SP1 (ver. 5.0.5723.502) and a SonicWall TZ170. All settings have been completed according to the article:
http://www.sonicwall.com/downloads/V...erver_2004.pdf
The VPN channel has been established fine (as far as I can see in the monitors and logs), but some errors appear in the SonicWall logs:

[log1]
2 06/26/2009 08:00:29.464 IKE Responder: IPSec proposal does not match (Phase 2) 190.90.90.5, gate.ourdomain.com 200.50.50.6 190.90.90.5/32 -> 172.15.10.0/24
3 06/26/2009 08:00:29.464 IKE Responder: No match for proposed remote network address 190.90.90.5, gate.ourdomain.com 200.50.50.6 190.90.90.5/32

AFAIK this error has appeared only when somebody is trying to access the SonicWall internal network from the ISA server. For example, our proxy server (which works with the external IP of the ISA server) cannot forward HTTP requests to the internal network of the SonicWall, and thus HTTP/HTTPS don't work from the internal network of ISA to the internal network of the SonicWall (but connecting to the external IP of the SonicWall [200.50.50.6] over HTTP/HTTPS works fine from the internal network of ISA).

I have found a solution on the Internet: http://forums.isaserver.org/m_300048100/tm.htm It recommends adding, on the ISA side, the SonicWall's external IP address to the Addresses tab of the Remote Site. On the SonicWall, ISA's external IP address needs to be added to the Addresses tab of the Remote Site. It has not solved the problem and has instead turned it the other way around: the VPN has been established fine and I can connect to the internal network of the SonicWall from the external IP of ISA, but now I cannot connect from the internal network of the SonicWall to the external IP of ISA (or from the internal network of ISA to the external IP of the SonicWall). And new log entries have appeared:

[log2]
3 07/09/2009 16:56:33.928 IKE Responder: IPSec proposal does not match (Phase 2) 190.90.90.5, gate.ourdomain.com (Admin) 200.50.50.6 190.90.90.5/32 -> 200.50.50.6/32
4 07/09/2009 16:56:33.928 IKE Responder: Tunnel terminates inside firewall but proposed local network is not inside firewall 190.90.90.5, gate.ourdomain.com (Admin)

Our networks:
190.90.90.5 = ISA Server Public IP
200.50.50.6 = Sonicwall Public IP
10.10.10.0 = ISA Internal Network
172.15.10.0 = Sonicwall Internal Network
gate.ourdomain.com = external FQDN of ISA

The questions are:
1. Is ISA 2006 compatible with the SonicWall TZ170?
2. How can I fix the errors?




henryhoang -> RE: Site-to-Site: TZ170 to ISA Server 2006 (10.May.2011 9:41:16 PM)

I think you should create a network rule between Sonic and ISA on the "network rule" tab in ISA2k6 with "route" instead of "NAT".

In addition, please check that the IPSec settings in the properties of the VPN (remote site) in ISA match the IPSec settings on the SonicWall.
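
An added example, not part of any post in this thread: a Python check that reads the Phase 2 selectors out of the two SonicWall log lines quoted in the first post and compares them with the networks configured on the responder. The /24 mask on 10.10.10.0, the function and variable names, and the containment-based matching rule are assumptions; the SonicWall's own matching logic is not described on this page.

```python
import ipaddress
import re

# Log lines quoted in the first post (columns separated by single spaces).
LOG1 = ("2 06/26/2009 08:00:29.464 IKE Responder: IPSec proposal does not match "
        "(Phase 2) 190.90.90.5, gate.ourdomain.com 200.50.50.6 "
        "190.90.90.5/32 -> 172.15.10.0/24")
LOG2 = ("3 07/09/2009 16:56:33.928 IKE Responder: IPSec proposal does not match "
        "(Phase 2) 190.90.90.5, gate.ourdomain.com (Admin) 200.50.50.6 "
        "190.90.90.5/32 -> 200.50.50.6/32")

# Responder (SonicWall) view of the tunnel. The /24 on 10.10.10.0 is assumed.
LOCAL = [ipaddress.ip_network("172.15.10.0/24")]
REMOTE_BEFORE = [ipaddress.ip_network("10.10.10.0/24")]
# After the workaround: ISA's public IP added as a remote address.
REMOTE_AFTER = REMOTE_BEFORE + [ipaddress.ip_network("190.90.90.5/32")]

SELECTORS = re.compile(r"(\d+(?:\.\d+){3}/\d+)\s*->\s*(\d+(?:\.\d+){3}/\d+)")

def parse_selectors(line):
    """Return (initiator_side, responder_side) networks proposed in Phase 2."""
    m = SELECTORS.search(line)
    if m is None:
        raise ValueError("no 'a.b.c.d/n -> a.b.c.d/n' selectors in line")
    return tuple(ipaddress.ip_network(g, strict=False) for g in m.groups())

def check_proposal(line, local_nets, remote_nets):
    """List the selector mismatches the responder would see (simplified model:
    a selector is accepted when it lies inside a configured network)."""
    proposed_remote, proposed_local = parse_selectors(line)
    problems = []
    if not any(proposed_remote.subnet_of(n) for n in remote_nets):
        problems.append(("remote", str(proposed_remote)))
    if not any(proposed_local.subnet_of(n) for n in local_nets):
        problems.append(("local", str(proposed_local)))
    return problems

if __name__ == "__main__":
    for name, line, remote in (("log1", LOG1, REMOTE_BEFORE),
                               ("log2", LOG2, REMOTE_AFTER)):
        print(name, check_proposal(line, LOCAL, remote))
```

The "remote" mismatch reported for log1 corresponds to the "No match for proposed remote network address" entry, and the "local" mismatch for log2 corresponds to "proposed local network is not inside firewall".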



