Problem: Site-to-Site VPN ISA2004 and Sonicwall (Full Version)






brenmcg57 -> Problem: Site-to-Site VPN ISA2004 and Sonicwall (20.Jan.2005 10:06:00 PM)

I am trying to create an IPSEC tunnel between ISA2004 and a Sonicwall SOHO3. From the ISA network, when I ping the Sonicwall network, I get "Negotiating IP Security". In the Sonicwall's logs I see the following:

111.111.111.111 = ISA Server Public IP
222.222.222.222 = Remote Sonicwall Public IP

888.888.888.888 = ISA Network Internal Scheme
999.999.999.999 = Remote Sonicwall Network Internal Scheme

The log from the Sonicwall:

01/20/2005 15:00:34.128 IKE Responder: Received Main Mode request (Phase 1) 111.111.111.111 222.222.222.222
01/20/2005 15:00:34.560 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 111.111.111.111 222.222.222.222
01/20/2005 15:00:34.656 IKE Responder: Main Mode complete (Phase 1) 111.111.111.111 222.222.222.222 3DES SHA1 Group 2 lifeSeconds=28800
01/20/2005 15:00:34.816 IKE Responder: Received Quick Mode Request (Phase 2) 111.111.111.111 222.222.222.222
01/20/2005 15:00:35.160 IKE Responder: No match for proposed remote network address 111.111.111.111 222.222.222.222 111.111.111.111/32
01/20/2005 15:00:35.160 IKE Responder: IPSec proposal does not match (Phase 2) 111.111.111.111 222.222.222.222 111.111.111.111/32 -> 999.999.999.999/24

All settings appear to match correctly. It looks like Phase II is always Group 2 on ISA2004. I have tried with PFS on and off on both ends. Any tips?




ClintD -> RE: Problem: Site-to-Site VPN ISA2004 and Sonicwall (21.Jan.2005 12:46:00 AM)

When you test connectivity from the ISA Server, it sources from its external IP address 111.111.111.111. Does the Sonicwall have this address in its list of addresses for the IPSec Tunnel Mode config?

I've explained this in the past and here's a copy/paste of the description - sorry for the length.

SubnetA -- ISA-A -- Internet -- Sonicwall -- SubnetB

ISA-A has a Remote Site for SubnetB that contains the addresses of that subnet.

This results in ISA-A having an IPSec Filter List of
A1 - SubnetA - SubnetB
A2 - SubnetB - SubnetA
A3 - ISA-A - SubnetB
A4 - SubnetB - ISA-A

Sonicwall has an IPSec Tunnel Mode policy for SubnetA that contains the addresses of that subnet.

This results in Sonicwall having an IPSec Filter List of
B1 - SubnetB - SubnetA
B2 - SubnetA - SubnetB

It's a subtle problem, but when you PING from ISA-A to SubnetB, the traffic sources from ISA-A's external IP address. Because of this, ISA-A has a matching filter for the traffic (A3 above) but the Sonicwall doesn't have a matching filter for this (B1 through B2 don't match the traffic). As a result, ISA-A continues trying to negotiate IP Security with ISA-B, but this will never complete as there is not a match for the traffic on ISA-B.

To fix this, on ISA-A, you'll need to add the Sonicwall's external IP address into the Addresses tab of the Remote Site. On the Sonicwall, you'll need to add ISA-A's external IP address.

What happens is that ISA and the Sonicwall will now have the following filters...

ISA-A
A1 SubnetA - SubnetB
A2 SubnetB - SubnetA
A3 ISA-A - SubnetB
A4 SubnetB - ISA-A
A5 ISA-B - SubnetA
A6 SubnetA - ISA-B

Sonicwall
B1 SubnetB - SubnetA
B2 SubnetA - SubnetB
B3 ISA-B - SubnetA
B4 SubnetA - ISA-B
B5 ISA-A - SubnetB
B6 SubnetB - ISA-A

With this setup, when ISA-A tries to communicate with SubnetB, A3 now matches B5 and A4 matches B6 and the Security Associations can come online.

[ January 21, 2005, 12:55 AM: Message edited by: ClintD ]
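Added example, not from the thread: a small Python model of the Phase 2 filter matching ClintD describes, using constructed RFC 5737 placeholder addresses in place of the 111.111.111.111-style values above. The filter sets are the A1 to A6 and B1 to B6 entries from the post (with ISA-B read, as in the post, as the Sonicwall's external address), and the "no match" string mirrors the Sonicwall log line from the first message.

```python
# Added example (not from the thread): model the Quick Mode (Phase 2) selector
# check that fails in the Sonicwall log above. All addresses are constructed
# RFC 5737 placeholders standing in for the post's 111.111.111.111-style values.
from ipaddress import ip_address, ip_network

ISA_EXT = ip_network("192.0.2.1/32")       # ISA-A external IP (constructed)
SONIC_EXT = ip_network("198.51.100.1/32")  # Sonicwall external IP, "ISA-B" in the post
SUBNET_A = ip_network("10.1.0.0/24")       # network behind ISA-A (constructed)
SUBNET_B = ip_network("10.2.0.0/24")       # network behind the Sonicwall (constructed)

# Filters as (source, destination) pairs, taken from ClintD's lists.
isa_before = {(SUBNET_A, SUBNET_B), (SUBNET_B, SUBNET_A),          # A1, A2
              (ISA_EXT, SUBNET_B), (SUBNET_B, ISA_EXT)}            # A3, A4
sonic_before = {(SUBNET_B, SUBNET_A), (SUBNET_A, SUBNET_B)}        # B1, B2

# After adding each peer's external IP to the other side's remote-site definition.
isa_after = isa_before | {(SONIC_EXT, SUBNET_A), (SUBNET_A, SONIC_EXT)}   # A5, A6
sonic_after = sonic_before | {(SONIC_EXT, SUBNET_A), (SUBNET_A, SONIC_EXT),  # B3, B4
                              (ISA_EXT, SUBNET_B), (SUBNET_B, ISA_EXT)}     # B5, B6


def match(filters, src, dst):
    """Return the (src, dst) filter covering a flow, or None if no filter matches."""
    s, d = ip_address(src), ip_address(dst)
    for fsrc, fdst in filters:
        if s in fsrc and d in fdst:
            return (fsrc, fdst)
    return None


def quick_mode(isa_filters, sonic_filters, src, dst):
    """Simulate the responder's Phase 2 decision for a flow ISA-A wants to protect.

    ISA-A proposes the selector pair from its own matching filter; the Sonicwall
    accepts only if it holds the same pair for that flow. Otherwise it logs a
    mismatch naming the proposed networks, as in the log in the first post.
    """
    proposal = match(isa_filters, src, dst)
    if proposal is None:
        return "no ISA-A filter matches; no negotiation is started"
    if match(sonic_filters, src, dst) != proposal:
        return f"IPSec proposal does not match (Phase 2) {proposal[0]} -> {proposal[1]}"
    return "SA established"


if __name__ == "__main__":
    ping = ("192.0.2.1", "10.2.0.5")  # ping from ISA-A's external IP into SubnetB
    print("before fix:", quick_mode(isa_before, sonic_before, *ping))
    print("after fix: ", quick_mode(isa_after, sonic_after, *ping))
```

A ping from a host on SubnetA (rather than from ISA-A itself) succeeds with either configuration, which is why the problem only shows up when testing from the ISA Server.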




henryhoang -> RE: Problem: Site-to-Site VPN ISA2004 and Sonicwall (10.May2011 9:57:50 PM)

I think ISA should have IPSec protocol with port 4500. It'll be matched with IPSec of Sonicwall.

- create new IPsec protocol with port 4500
- apply that protocol to remote site
- check IPSec setting of ISA and Sonicwall.



