ZyWALL 110 <-> SonicWALL NSA 3500 - Unable to establish tunnel

vgjpc
edited April 2021 in Security
Below are my settings. My error occurs after Phase 1 is established.

Sonicwall Firmware:
SonicOS Enhanced 5.8.1.15-71o
ZyWALL Firmware: V4.25(AAAA.1) / 2017-07-13 10:36:33

Log on ZyWALL:
IKE_LOG Tunnel [Zywall-Sonicwall] Sending IKE request
IKE_LOG Send Main Mode request to [207.xxx.xxx.xxx]
IKE_LOG Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
IKE_LOG The cookie pair is : 0x2b1b9fe7c7519123 / 0x53e1e2216d4ac13f [count=4]
IKE_LOG Recv:[SA][VID][VID]
IKE_LOG The cookie pair is : 0x53e1e2216d4ac13f / 0x2b1b9fe7c7519123 [count=4]
IKE_LOG Send:[KE][NONCE][PRV][PRV]
IKE_LOG Recv:[KE][PRV][PRV][NONCE][VID][VID][VID]
IKE_LOG Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
IKE_LOG Recv:[ID][HASH]
IKE_LOG Phase 1 IKE SA process done
IKE_LOG Send:[HASH][SA][NONCE][ID][ID]
IKE_LOG Recv:[HASH][NOTIFY:INVALID_ID_INFORMATION]


IKE_LOG The cookie pair is : 0x53e1e2216d4ac13f / 0x2b1b9fe7c7519123 [count=6]
IKE_LOG Send:[HASH][DEL] [count=3]
IKE_LOG ISAKMP SA [Zywall-Sonicwall] is disconnected

Sonicwall Configuration:


VPN Policy
General:

Security Policy
-Policy Type: Site to Site
-Authentication Method: IKE using Preshared Secret
-Name: VPN_to_ZyWALL
-IPsec Primary Gateway: ZyWALL Public IP
-IPsec Secondary Gateway: 0.0.0.0

IKE Authentication
-Shared Secret: ABCDEFGHI
-Local IKE ID: IP ADDRESS: 10.0.0.0
-Peer IKE ID: IP ADDRESS: 192.168.100.0

Network:

Local Networks
-Choose Local network from list: X0 Subnet (10.0.0.0/22)

Remote Networks
-Choose destination network from list: ZyWALL Net (Object is 192.168.100.0/24)

Proposals:

IKE Phase 1 Proposal

-Exchange: Main Mode
-DH Group: Group 2
-Encryption: AES-256
-Authentication: SHA1
-Life Time: 86400

IPsec Phase 2 Proposal

-Protocol: ESP
-Encryption: AES-128
-Authentication: SHA1
-Enable Perfect Forward Secrecy: Disabled

ZyWALL Configuration -> VPN Connection:

General Settings:
-Enable: Checked
-Connection Name: Zywall-Sonicwall
-Nailed-up: Checked
-MSS Adjustment: Auto

VPN Gateway:
-Application Scenario: Site-to-Site
-VPN Gateway: Sonicwall Public IP

Policy:
-Local Policy: 192.168.100.0/24
-Remote Policy: 10.0.0.0/22

Phase 2 Settings:
-SA Life Time: 86400
-Active Protocol: ESP
-Encapsulation: Tunnel
-Proposal:
--#: 1
--Encryption: AES128 
--Authentication: SHA1
-Perfect Forward Secrecy: none

Related Settings:
-Zone: IPSec_VPN

ZyWALL Configuration -> VPN Gateway:

General Settings:
-Enable: Checked
-VPN Gateway Name: Zywall-Sonicwall
-IKE Version: IKEv1

Gateway Settings:
My Address
-Interface: wan1 (static -- mypublicip/mask)

Peer Gateway Address
-Static Address: Primary: 207.237.159.126

Authentication:
-Pre-Shared Key: ABCDEFGHI
-Local ID Type: IPv4
-Content: 192.168.100.0
-Peer ID Type: IPv4
-Content: 10.0.0.0

Phase 1 Settings
-SA Life Time: 86400
-Negotiation Mode: Main
-Proposal:
--#: 1
--Encryption: AES256
--Authentication: SHA1
-Key Group: DH2
-NAT Traversal: Checked
-Dead Peer Detection: Checked

(That was annoying to type :) )
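The two configurations above have to mirror each other field by field: my local ID is your peer ID, my local policy is your remote policy, and the Phase 1 and Phase 2 proposals must agree. The following is an added example (not code from the thread, from Zyxel or from SonicWall) that transcribes the posted settings into two dictionaries and checks them against each other; it also flags a static route that covers the remote selector, which is the condition the SonicWall later reports as "Route table overrides VPN policy". The key names (psk, phase1, phase2, local_id, static_routes and so on) are this script's own assumptions, not SonicOS or ZyWALL configuration keywords.

```python
"""Mirror check for an IKEv1 site-to-site policy pair.

Added example for this thread; it is not code from either vendor or from
the poster. The two dictionaries are transcribed from the settings posted
above. The key names (psk, phase1, phase2, local_id, static_routes, ...)
are this script's own assumptions, not SonicOS or ZyWALL config keywords.
"""
import ipaddress

# Proposal blocks are identical on both ends in the posted config.
PHASE1 = {"mode": "main", "enc": "aes256", "auth": "sha1", "dh": 2, "lifetime": 86400}
PHASE2 = {"proto": "esp", "enc": "aes128", "auth": "sha1", "pfs": None}  # "Disabled" / "none"

SONICWALL = {
    "name": "VPN_to_ZyWALL",
    "psk": "ABCDEFGHI",
    "local_id": "10.0.0.0",
    "peer_id": "192.168.100.0",
    "local_net": "10.0.0.0/22",
    "remote_net": "192.168.100.0/24",
    "phase1": PHASE1,
    "phase2": PHASE2,
    "static_routes": [],  # the poster's fix was deleting a custom route here
}

ZYWALL = {
    "name": "Zywall-Sonicwall",
    "psk": "ABCDEFGHI",
    "local_id": "192.168.100.0",
    "peer_id": "10.0.0.0",
    "local_net": "192.168.100.0/24",
    "remote_net": "10.0.0.0/22",
    "phase1": PHASE1,
    "phase2": PHASE2,
    "static_routes": [],
}


def check_mirror(a, b):
    """Return (phase, message) findings; an empty list means the ends mirror."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append(("phase1", "pre-shared keys differ"))
    for key in ("mode", "enc", "auth", "dh", "lifetime"):
        if a["phase1"][key] != b["phase1"][key]:
            findings.append(("phase1", f"{key}: {a['phase1'][key]} vs {b['phase1'][key]}"))
    # The [ID] payloads of Main Mode messages 5/6 must cross-match: my local
    # ID is the peer ID configured on the other side.
    if a["local_id"] != b["peer_id"] or b["local_id"] != a["peer_id"]:
        findings.append(("phase1", "IKE identities do not cross-match"))
    # Quick Mode message 1 carries SA plus two ID payloads (the traffic
    # selectors); a policy-based tunnel needs them mirrored exactly.
    if a["local_net"] != b["remote_net"] or b["local_net"] != a["remote_net"]:
        findings.append(("phase2", "traffic selectors do not mirror"))
    for key in ("proto", "enc", "auth", "pfs"):
        if a["phase2"][key] != b["phase2"][key]:
            findings.append(("phase2", f"{key}: {a['phase2'][key]} vs {b['phase2'][key]}"))
    # Routing beat policy on the responder in this thread ("Route table
    # overrides VPN policy"): a static route covering the remote selector
    # makes the responder reject the Quick Mode IDs. Check both sides.
    for side in (a, b):
        remote = ipaddress.ip_network(side["remote_net"])
        for route in side["static_routes"]:
            if ipaddress.ip_network(route).overlaps(remote):
                findings.append(("phase2",
                                 f"{side['name']}: static route {route} overlaps "
                                 f"remote selector {remote}"))
    return findings


if __name__ == "__main__":
    for phase, msg in check_mirror(SONICWALL, ZYWALL) or [("ok", "both ends mirror")]:
        print(phase, msg)
```

Run as posted, the check returns no findings, which matches the observation that Phase 1 completes: the proposals, PSK and IDs all agree. Adding a route for 192.168.100.0/24 on the SonicWall side reproduces the only finding the thread's resolution points at.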


Comments

  • vgjpc
    Fixed formatting
  • Zyxel_Cooldia
    Hi @vgjpc,
    The configuration seems good to us. The VPN connection's phase 1 is done but fails on phase 2; it indicates “INVALID_ID_INFORMATION”. Is it okay to paste the Sonicwall VPN connection log for cross-checking?
  • vgjpc
    Here is the syslog for the sonicwall. (It's in reverse)


    msg="Received IKE SA delete request" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"

    msg="IKE Responder: IPSec proposal does not match (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"

    msg="IKE Responder: Route table overrides VPN policy" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL; Local network 10.0.0.0 / 255.255.252.0; Remote network 192.168.100.0/255.255.255.0"

    msg="IKE Responder: Received Quick Mode Request (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"

    msg="IKE Responder: Main Mode complete (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL;AES-256; SHA1; DH Group 2; lifetime=86400 secs"

    msg="NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"

    msg="IKE Responder: Received Main Mode request (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx
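Reading the two logs side by side is what locates the failure: the ZyWALL's IKE_LOG shows Main Mode completing and the first Quick Mode message (HASH, SA, NONCE and two ID payloads) answered with INVALID_ID_INFORMATION, while the SonicWall syslog, once put back into chronological order, shows "Route table overrides VPN policy" immediately after the Quick Mode request. The following is an added example (not code from the thread, from Zyxel or from SonicWall) that parses both logs as posted and classifies where the negotiation stopped. The log text is copied from the posts above; the function names and the classification strings are this script's own.

```python
"""Triage an IKEv1 initiator log (ZyWALL IKE_LOG) against the responder's
syslog (SonicOS key=value lines). Added example for this thread; the log
text below is copied from the posts, everything else is this script's own.
"""
import re

ZYWALL_LOG = """\
IKE_LOG Tunnel [Zywall-Sonicwall] Sending IKE request
IKE_LOG Send Main Mode request to [207.xxx.xxx.xxx]
IKE_LOG Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
IKE_LOG The cookie pair is : 0x2b1b9fe7c7519123 / 0x53e1e2216d4ac13f [count=4]
IKE_LOG Recv:[SA][VID][VID]
IKE_LOG Send:[KE][NONCE][PRV][PRV]
IKE_LOG Recv:[KE][PRV][PRV][NONCE][VID][VID][VID]
IKE_LOG Send:[ID][HASH][NOTIFY:INITIAL_CONTACT]
IKE_LOG Recv:[ID][HASH]
IKE_LOG Phase 1 IKE SA process done
IKE_LOG Send:[HASH][SA][NONCE][ID][ID]
IKE_LOG Recv:[HASH][NOTIFY:INVALID_ID_INFORMATION]
IKE_LOG Send:[HASH][DEL] [count=3]
IKE_LOG ISAKMP SA [Zywall-Sonicwall] is disconnected
"""

# Pasted newest-first in the thread; parse_sonicwall() restores the order.
SONICWALL_LOG = """\
msg="Received IKE SA delete request" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: IPSec proposal does not match (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Route table overrides VPN policy" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL; Local network 10.0.0.0 / 255.255.252.0; Remote network 192.168.100.0/255.255.255.0"
msg="IKE Responder: Received Quick Mode Request (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Main Mode complete (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL;AES-256; SHA1; DH Group 2; lifetime=86400 secs"
msg="NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Received Main Mode request (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx
"""

PAYLOAD_RE = re.compile(r"IKE_LOG (Send|Recv):((?:\[[^\]]+\])+)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_zywall(text):
    """Walk the initiator's IKE_LOG lines and record how far the exchange got."""
    state = {"phase1_done": False, "quick_mode_sent": False, "notifies": [], "deleted": False}
    for line in text.splitlines():
        if "Phase 1 IKE SA process done" in line:
            state["phase1_done"] = True
        m = PAYLOAD_RE.search(line)
        if not m:
            continue  # cookie, status and "Send Main Mode request" lines carry no payload list
        direction, blob = m.groups()
        payloads = re.findall(r"\[([^\]]+)\]", blob)
        # Quick Mode message 1: HASH, SA, NONCE, then the two selector IDs.
        if direction == "Send" and payloads[:3] == ["HASH", "SA", "NONCE"] and payloads.count("ID") == 2:
            state["quick_mode_sent"] = True
        if direction == "Recv":
            state["notifies"] += [p.split(":", 1)[1] for p in payloads if p.startswith("NOTIFY:")]
        if direction == "Send" and "DEL" in payloads:
            state["deleted"] = True
    return state


def parse_sonicwall(text):
    """Parse key=value syslog lines (quoted values may contain spaces) and
    return them oldest-first."""
    events = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV_RE.finditer(line)}
        if "msg" in fields:
            events.append(fields)
    return list(reversed(events))


def diagnose(zy, sw_events):
    """Classify the failure from the initiator state plus the responder's messages."""
    msgs = [e["msg"] for e in sw_events]
    if not zy["phase1_done"]:
        return {"stage": "phase1", "reason": "Main Mode did not complete", "hints": []}
    hints = []
    if any("Route table overrides VPN policy" in m for m in msgs):
        hints.append("responder has a route covering the VPN selector; routing takes precedence over the policy")
    if any("IPSec proposal does not match (Phase 2)" in m for m in msgs):
        hints.append("responder rejected the Quick Mode proposal or selectors")
    if zy["quick_mode_sent"] and "INVALID_ID_INFORMATION" in zy["notifies"]:
        return {"stage": "phase2", "reason": "responder rejected the Quick Mode ID payloads (traffic selectors)", "hints": hints}
    return {"stage": "phase2", "reason": "unclassified", "hints": hints}


if __name__ == "__main__":
    result = diagnose(parse_zywall(ZYWALL_LOG), parse_sonicwall(SONICWALL_LOG))
    print(result["stage"], "-", result["reason"])
    for hint in result["hints"]:
        print("  hint:", hint)
```

The point of reading the responder's log in order is that "Route table overrides VPN policy" is logged before the generic "IPSec proposal does not match (Phase 2)"; the first message names the actual cause, the second is the consequence the initiator sees as INVALID_ID_INFORMATION.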

  • vgjpc
    Hi @Zyxel_Cooldia

    Forgot to add you to the comment.


  • Zyxel_Cooldia
    Hi @vgjpc,
    Is one of the site firewalls behind a NAT router? It looks like it is sending with an incorrect public IP address (or there is a mismatch on phase 2).
  • vgjpc
    @Zyxel_Cooldia

    Both are front-facing and not behind any router. I fixed it by deleting a custom route that I had in the routing table.
  • Zyxel_Cooldia
    Hi @vgjpc,
    Thanks for sharing the information. It looks like adding a static route on both sites for the VPN connection subnet caused the tunnel to fail to establish the VPN connection in phase 2, right?
