Problem: Site-to-Site VPN ISA2004 and Sonicwall

Problem: Site-to-Site VPN ISA2004 and Sonicwall (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> VPN

Message

brenmcg57 -> Problem: Site-to-Site VPN ISA2004 and Sonicwall (20.Jan.2005 10:06:00 PM)
I am trying to create an IPSEC tunnel between ISA2004 and a Sonicwall SOHO3. From the ISA network, when I ping the Sonicwall network, I get "Negotiating IP Security". In the Sonicwall's logs I see the following: 111.111.111.111 = ISA Server Public IP 222.222.222.222 = Remote Sonicwall Public IP 888.888.888.888 = ISA Network Internal Scheme 999.999.999.999 = Remote Sonicwall Network Internal Scheme The log from the Sonicwall: 01/20/2005 15:00:34.128 IKE Responder: Received Main Mode request (Phase 1) 111.111.111.111 222.222.222.222 01/20/2005 15:00:34.560 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 111.111.111.111 222.222.222.222 01/20/2005 15:00:34.656 IKE Responder: Main Mode complete (Phase 1) 111.111.111.111 222.222.222.222 3DES SHA1 Group 2 lifeSeconds=28800 01/20/2005 15:00:34.816 IKE Responder: Received Quick Mode Request (Phase 2) 111.111.111.111 222.222.222.222 01/20/2005 15:00:35.160 IKE Responder: No match for proposed remote network address 111.111.111.111 222.222.222.222 111.111.111.111/32 01/20/2005 15:00:35.160 IKE Responder: IPSec proposal does not match (Phase 2) 111.111.111.111 222.222.222.222 111.111.111.111/32 -> 999.999.999.999/24 All settings appear to match correctly. It looks like Phase II is always Group 2 on ISA2004. I have tried with PFS on and off on both ends. Any tips?

ClintD -> RE: Problem: Site-to-Site VPN ISA2004 and Sonicwall (21.Jan.2005 12:46:00 AM)
When you test connectivity from the ISA Server, it sources from it's external IP address 111.111.111.111. Does the Sonicwall have this address in it's list of address for the IPSec Tunnel Mode config? I've explained this in the past and here's a copy/paste of the description - sorry for the length. SubnetA -- ISA-A -- Internet -- Sonicwall -- SubnetB ISA-A has a Remote Site for SubnetB that contains the addresses of that subnet. This results in ISA-A having an IPSec Filter List of A1 - SubnetA û SubnetB A2 - SubnetB - SubnetA A3 - ISA-A - SubnetB A4 - SubnetB - ISA-A Sonicwall has a IPSec Tunnel Mode policy for SubnetA that contains the addresses of that subnet. This results in Sonicwall having an IPSec Filter List of B1 - SubnetB - SubnetA B2 - SubnetA - SubnetB It's a subtle problem, but when you PING from ISA-A to SubnetB, the traffic sources from ISA-A's external IP address. Because of this, ISA-A has a matching filter for the traffic (A3 above) but the Sonicwall doesn't have a matching filter for this (B1 through B2 don't match the traffic). As a result, ISA-A continue trying to negotiate IP Security with ISA-B but this will never complete as there is not a match for the traffic on ISA-B. To fix this, on ISA-A, you'll need to add the SonicwallÆs external IP address into the Addresses tab of the Remote Site. On the Sonicwall, you'll need to add ISA-A's external IP address. What happens is now ISA and the Sonicwall will now have the following filters... ISA-A A1 SubnetA - SubnetB A2 SubnetB - SubnetA A3 ISA-A - SubnetB A4 SubnetB - ISA-A A5 ISA-B - SubnetA A6 SubnetA - ISA-B Sonicwall B1 SubnetB - SubnetA B2 SubnetA - SubnetB B3 ISA-B - SubnetA B4 SubnetA - ISA-B B5 ISA-A - SubnetB B6 SubnetB - ISA-A With this setup, when ISA-A tries to communicate with SubnetB, A3 now matches B5 and A4 matches B6 and the Security Associations can come online. [ January 21, 2005, 12:55 AM: Message edited by: ClintD ]

henryhoang -> RE: Problem: Site-to-Site VPN ISA2004 and Sonicwall (10.May2011 9:57:50 PM)
I think ISA should have IPSec protocol with port 4500. It'll be matched with IPSec of Sonicwall. - create new IPsec protocol with port 4500 - apply that protocol to remote site - check IPSec setting of ISA and Sonicwall.

Page: [1]