Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 15094 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site IPSec VPN with SonicWALL

Igal100
I'm trying to connect an Sophos Sophos ASG220 appliance v8.3.11 with a SonicWALL TZ 215

For some reason that escapes me the tunnel, named "Dev-VPN" fails to establish.

Perhaps someone here can make sense of the log:

[FONT="Courier New"]
    21:43:05 Sophos: "S_Dev-VPN" #1291: starting keying attempt 70 of an unlimited number
    21:43:05 Sophos: "S_Dev-VPN" #1296: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #1291 {using isakmp#1294}
    21:43:05 Sophos: "S_Dev-VPN" #1294: Informational Exchange message must be encrypted
    21:43:11 Sophos: "S_Dev-VPN" #1289: Informational Exchange message must be encrypted
    21:43:11 Sophos: "S_Dev-VPN" #1294: Informational Exchange message must be encrypted
    21:43:13 Sophos: "S_Dev-VPN" #1292: Informational Exchange message must be encrypted
    21:43:15 Sophos: "S_Dev-VPN" #1294: Informational Exchange message must be encrypted
    21:43:17 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [5b362bc820f60008]
    21:43:17 Sophos: packet from {Sonicwall-Public-IP}:500: received Vendor ID payload [RFC 3947]
    21:43:17 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    21:43:17 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    21:43:17 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    21:43:17 Sophos: "S_Dev-VPN" #1297: responding to Main Mode
    21:43:17 Sophos: "S_Dev-VPN" #1297: ignoring Vendor ID payload [404bf439522ca3f6]
    21:43:17 Sophos: "S_Dev-VPN" #1297: received Vendor ID payload [XAUTH]
    21:43:17 Sophos: "S_Dev-VPN" #1297: ignoring Vendor ID payload [da8e937880010000]
    21:43:17 Sophos: "S_Dev-VPN" #1297: received Vendor ID payload [Dead Peer Detection]
    21:43:17 Sophos: "S_Dev-VPN" #1297: NAT-Traversal: Result using RFC 3947: no NAT detected
    21:43:17 Sophos: "S_Dev-VPN" #1297: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    21:43:17 Sophos: "S_Dev-VPN" #1297: Peer ID is ID_IPV4_ADDR: '{Sonicwall-Public-IP}'
    21:43:17 Sophos: "S_Dev-VPN" #1297: Dead Peer Detection (RFC 3706) enabled
    21:43:17 Sophos: "S_Dev-VPN" #1297: sent MR3, ISAKMP SA established
    21:43:17 Sophos: "S_Dev-VPN" #1298: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
    21:43:17 Sophos: "S_Dev-VPN" #1298: sending encrypted notification NO_PROPOSAL_CHOSEN to {Sonicwall-Public-IP}:500
    21:43:29 Sophos: "S_Dev-VPN" #1287: Informational Exchange message must be encrypted
    21:43:35 Sophos: "S_Dev-VPN" #1294: Informational Exchange message must be encrypted
    21:43:38 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [5b362bc820f60008]
    21:43:38 Sophos: packet from {Sonicwall-Public-IP}:500: received Vendor ID payload [RFC 3947]
    21:43:38 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    21:43:38 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    21:43:38 Sophos: packet from {Sonicwall-Public-IP}:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    21:43:38 Sophos: "S_Dev-VPN" #1299: responding to Main Mode
    21:43:38 Sophos: "S_Dev-VPN" #1299: ignoring Vendor ID payload [404bf439522ca3f6]
    21:43:38 Sophos: "S_Dev-VPN" #1299: received Vendor ID payload [XAUTH]
    21:43:38 Sophos: "S_Dev-VPN" #1299: ignoring Vendor ID payload [da8e937880010000]
    21:43:38 Sophos: "S_Dev-VPN" #1299: received Vendor ID payload [Dead Peer Detection]
    21:43:38 Sophos: "S_Dev-VPN" #1299: NAT-Traversal: Result using RFC 3947: no NAT detected
    21:43:38 Sophos: "S_Dev-VPN" #1299: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    21:43:38 Sophos: "S_Dev-VPN" #1299: Peer ID is ID_IPV4_ADDR: '{Sonicwall-Public-IP}'
    21:43:38 Sophos: "S_Dev-VPN" #1299: Dead Peer Detection (RFC 3706) enabled
    21:43:38 Sophos: "S_Dev-VPN" #1299: sent MR3, ISAKMP SA established
    21:43:38 Sophos: "S_Dev-VPN" #1300: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
    21:43:38 Sophos: "S_Dev-VPN" #1300: sending encrypted notification NO_PROPOSAL_CHOSEN to {Sonicwall-Public-IP}:500
    21:43:41 Sophos: "S_Dev-VPN" #1294: Informational Exchange message must be encrypted
    21:43:41 Sophos: "S_Dev-VPN" #1289: Informational Exchange message must be encrypted
    21:43:43 Sophos: "S_Dev-VPN" #1292: Informational Exchange message must be encrypted
    21:43:47 Sophos: "S_Dev-VPN" #1297: Informational Exchange message must be encrypted
    21:43:59 Sophos: "S_Dev-VPN" #1287: DPD: Phase1 state #1287 has been superseded by #1299 - timeout ignored
    21:44:04 Sophos: "S_Dev-VPN" #1299: Informational Exchange message must be encrypted
    21:44:11 Sophos: "S_Dev-VPN" #1289: DPD: Phase1 state #1289 has been superseded by #1299 - timeout ignored
    21:44:11 Sophos: "S_Dev-VPN" #1294: Informational Exchange message must be encrypted
    21:44:13 Sophos: "S_Dev-VPN" #1292: Informational Exchange message must be encrypted
    21:44:15 Sophos: "S_Dev-VPN" #1296: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal[/FONT]

In the SonicWALL log I see messages like:

[FONT="Courier New"]
    Sophos >> SonicWALL: RECEIVED> Sophos: IKE Initiator: Start Main Mode negotiation (Phase 1)
    SonicWALL >> Sophos: NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways
    SonicWALL >> Sophos: IKE Initiator: Main Mode complete (Phase 1)
    SonicWALL >> Sophos: IKE Initiator: Start Quick Mode (Phase 2).
    Sophos >> SonicWALL: *Warning* Received notify. NO_PROPOSAL_CHOSEN[/FONT]


This thread was automatically locked due to age.
  • 0
    Click on [Go Advanced] below and attach pictures of the Edit of the IPsec Policy in use in the UTM and of the Phase 2 configuration in the Sonicwall.

    Confirm that you have the correct PSK on both sides.  If the Remote Gateway in the UTM is "Respond only," select 'Enable probing of preshared keys' on the 'Advanced' tab.

    Any luck with any of that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi Bob,

    Thank you for replying.  I confirmed that the PSK is the same.  Gateway type is set to "Initiate Connection".

    Please note that the Dev-Public-IP (Sonicwall) is resolved via dynamic dns, but since the routers seem to find each other (per logs) I don't think that this is related.  Just thought I'd throw it in.

    Please see attached screenshots.

    Thank you,


    Igal
  • 0
    Igal, try editing the UTM IPsec Policy.  Save it again and see if you can get the "Group 2" to be replaced by "(None)" in the 'IPsec Settings'.  Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML