ZyWALL 110 <-> SonicWALL NSA 3500 - Unable to establish tunnel
Below are my settings. My error occurs after Phase 1 is established.
Sonicwall Firmware: SonicOS Enhanced 5.8.1.15-71o
ZyWALL Firmware: V4.25(AAAA.1) / 2017-07-13 10:36:33
Log on ZyWALL:
IKE_LOG | Tunnel [Zywall-Sonicwall] Sending IKE request |
IKE_LOG | Send Main Mode request to [207.xxx.xxx.xxx] |
IKE_LOG | Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID] |
IKE_LOG | The cookie pair is : 0x2b1b9fe7c7519123 / 0x53e1e2216d4ac13f [count=4] |
IKE_LOG | Recv:[SA][VID][VID] |
IKE_LOG | The cookie pair is : 0x53e1e2216d4ac13f / 0x2b1b9fe7c7519123 [count=4] |
IKE_LOG | Send:[KE][NONCE][PRV][PRV] |
IKE_LOG | Recv:[KE][PRV][PRV][NONCE][VID][VID][VID] |
IKE_LOG | Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] |
IKE_LOG | Recv:[ID][HASH] |
IKE_LOG | Phase 1 IKE SA process done |
IKE_LOG | Send:[HASH][SA][NONCE][ID][ID] |
IKE_LOG | Recv:[HASH][NOTIFY:INVALID_ID_INFORMATION] |
IKE_LOG | The cookie pair is : 0x53e1e2216d4ac13f / 0x2b1b9fe7c7519123 [count=6] |
IKE_LOG | Send:[HASH][DEL] [count=3] |
IKE_LOG | ISAKMP SA [Zywall-Sonicwall] is disconnected |
Sonicwall Configuration:
VPN Policy
General:
Security Policy
-Policy Type: Site to Site
-Authentication Method: IKE using Preshared Secret
-Name: VPN_to_ZyWALL
-IPsec Primary Gateway: ZyWALL Public IP
-IPsec Secondary Gateway: 0.0.0.0
IKE Authentication
-Shared Secret: ABCDEFGHI
-Local IKE ID: IP ADDRESS: 10.0.0.0
-Peer IKE ID: IP ADDRESS: 192.168.100.0
Network:
Local Networks
-Choose Local network from list: X0 Subnet (10.0.0.0/22)
Remote Networks
-Choose destination network from list: ZyWALL Net (Object is 192.168.100.0/24)
Proposals:
IKE Phase 1 Proposal
-Exchange: Main Mode
-DH Group: Group 2
-Encryption: AES-256
-Authentication: SHA1
-Life Time: 86400
IPsec Phase 2 Proposal
-Protocol: ESP
-Encryption: AES-128
-Authentication: SHA1
-Enable Perfect Forward Secrecy: Disabled
ZyWALL Configuration -> VPN Connection:
General Settings:
-Enable: Checked
-Connection Name: Zywall-Sonicwall
-Nailed-up: Checked
-MSS Adjustment: Auto
VPN Gateway:
-Application Scenario: Site-to-Site
-VPN Gateway: Sonicwall Public IP
Policy:
-Local Policy: 192.168.100.0/24
-Remote Policy: 10.0.0.0/22
Phase 2 Settings:
-SA Life Time: 86400
-Active Protocol: ESP
-Encapsulation: Tunnel
-Proposal:
--#: 1
--Encryption: AES128
--Authentication: SHA1
-Perfect Forward Secrecy: none
Related Settings:
-Zone: IPSec_VPN
ZyWALL Configuration -> VPN Gateway:
General Settings:
-Enable: Checked
-VPN Gateway Name: Zywall-Sonicwall
-IKE Version: IKEv1
Gateway Settings:
My Address
-Interface: wan1 (static -- mypublicip/mask)
Peer Gateway Address
-Static Address: Primary: 207.237.159.126
Authentication:
-Pre-Shared Key: ABCDEFGHI
-Local ID Type: IPv4
-Content: 192.168.100.0
-Peer ID Type: IPv4
-Content: 10.0.0.0
Phase 1 Settings
-SA Life Time: 86400
-Negotiation Mode: Main
-Proposal:
--#: 1
--Encryption: AES256
--Authentication: SHA1
-Key Group: DH2
-NAT Traversal: Checked
-Dead Peer Detection: Checked
(That was annoying to type.)
Comments
Fixed formatting
Hi @vgjpc,
The configuration seems good to us. The VPN connection's phase 1 is done, but it fails on phase 2; it indicated “INVALID_ID_INFORMATION”. Is it okay to paste the SonicWall VPN connection log for cross-checking?
Here is the syslog for the SonicWall. (It's in reverse.)
msg="Received IKE SA delete request" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: IPSec proposal does not match (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Route table overrides VPN policy" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL; Local network 10.0.0.0 / 255.255.252.0; Remote network 192.168.100.0/255.255.255.0"
msg="IKE Responder: Received Quick Mode Request (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Main Mode complete (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL;AES-256; SHA1; DH Group 2; lifetime=86400 secs"
msg="NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Received Main Mode request (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx
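The two logs above are the same IKEv1 exchange seen from each end. On the ZyWALL side the six Main Mode messages (SA, then KE+NONCE, then ID+HASH, each way) complete and the log says "Phase 1 IKE SA process done"; the next Send is the first Quick Mode message, [HASH][SA][NONCE][ID][ID], which carries the Phase 2 proposal and the two traffic selectors, and the SonicWall answers it with NOTIFY INVALID_ID_INFORMATION, the ISAKMP notification for rejected identity payloads. The SonicWall syslog, read bottom-up, gives the responder's reason: "Route table overrides VPN policy" and then "IPSec proposal does not match (Phase 2)". The Python below is an added example (not part of the thread, and not Zyxel or SonicWall code) that parses both log formats, puts the SonicWall records back into chronological order, and reports how far the negotiation got and why the responder refused. The sample log text is copied from the two posts above, redactions included; the verdict strings and field names are this example's own.

```python
import re

# Log lines copied from the thread above (the poster redacted the public IPs).
ZYWALL_LOG = """\
IKE_LOG | Tunnel [Zywall-Sonicwall] Sending IKE request |
IKE_LOG | Send Main Mode request to [207.xxx.xxx.xxx] |
IKE_LOG | Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID] |
IKE_LOG | Recv:[SA][VID][VID] |
IKE_LOG | Send:[KE][NONCE][PRV][PRV] |
IKE_LOG | Recv:[KE][PRV][PRV][NONCE][VID][VID][VID] |
IKE_LOG | Send:[ID][HASH][NOTIFY:INITIAL_CONTACT] |
IKE_LOG | Recv:[ID][HASH] |
IKE_LOG | Phase 1 IKE SA process done |
IKE_LOG | Send:[HASH][SA][NONCE][ID][ID] |
IKE_LOG | Recv:[HASH][NOTIFY:INVALID_ID_INFORMATION] |
IKE_LOG | Send:[HASH][DEL] [count=3] |
IKE_LOG | ISAKMP SA [Zywall-Sonicwall] is disconnected |
"""

# SonicWall syslog as posted: newest record first, one key=value record per line.
SONICWALL_SYSLOG = """\
msg="Received IKE SA delete request" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: IPSec proposal does not match (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Route table overrides VPN policy" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL; Local network 10.0.0.0 / 255.255.252.0; Remote network 192.168.100.0/255.255.255.0"
msg="IKE Responder: Received Quick Mode Request (Phase 2)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Main Mode complete (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL;AES-256; SHA1; DH Group 2; lifetime=86400 secs"
msg="NAT Discovery : No NAT/NAPT device detected between IPSec Security gateways" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx note="VPN Policy: VPN_to_PPS-ZyWALL"
msg="IKE Responder: Received Main Mode request (Phase 1)" src=67.xxx.xxx.xxx dst=207.xxx.xxx.xxx
"""

# ISAKMP payload tags as the ZyWALL prints them, e.g. [SA], [KE], [NOTIFY:INVALID_ID_INFORMATION].
PAYLOAD_RE = re.compile(r"\[([A-Z_]+)(?::([A-Z_]+))?\]")
# key=value or key="quoted value" pairs of the SonicWall syslog format.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Selectors SonicWall prints when its route table wins over the VPN policy.
OVERRIDE_RE = re.compile(
    r"Local network ([\d.]+)\s*/\s*([\d.]+); Remote network ([\d.]+)\s*/\s*([\d.]+)")


def parse_zywall(text):
    """Walk the ZyWALL IKE_LOG lines in order and record how far IKEv1 got."""
    state = {"phase1_messages": 0, "phase1_done": False,
             "quick_mode_sent": False, "notifies": [], "deleted": False}
    for line in text.splitlines():
        body = line.split("|")[1].strip() if "|" in line else line.strip()
        if body.startswith("Phase 1 IKE SA process done"):
            state["phase1_done"] = True
            continue
        if not (body.startswith("Send:") or body.startswith("Recv:")):
            continue
        payloads = PAYLOAD_RE.findall(body)
        names = [name for name, _ in payloads]
        if not state["phase1_done"]:
            state["phase1_messages"] += 1  # Main Mode: SA, KE+NONCE, ID+HASH in each direction
        elif body.startswith("Send:") and names[:3] == ["HASH", "SA", "NONCE"]:
            state["quick_mode_sent"] = True  # Quick Mode message 1: Phase 2 SA plus both selectors
        if body.startswith("Recv:"):
            state["notifies"] += [arg for name, arg in payloads if name == "NOTIFY"]
        if "DEL" in names:
            state["deleted"] = True
    return state


def parse_sonicwall(text, newest_first=True):
    """Split SonicWall syslog records into dicts and put them in chronological order."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append({key: quoted if raw.startswith('"') else raw
                            for key, raw, quoted in KV_RE.findall(line)})
    return records[::-1] if newest_first else records


def diagnose(zywall_text, sonicwall_text):
    """Combine the initiator's and responder's views into one verdict on where the tunnel failed."""
    z = parse_zywall(zywall_text)
    reasons, policy = [], None
    for rec in parse_sonicwall(sonicwall_text):
        msg = rec.get("msg", "")
        if msg.startswith("IKE Responder: ") and ("(Phase 2)" in msg or "overrides VPN policy" in msg):
            reasons.append(msg[len("IKE Responder: "):])
        m = OVERRIDE_RE.search(rec.get("note", ""))
        if m:
            policy = {"local": f"{m[1]}/{m[2]}", "remote": f"{m[3]}/{m[4]}"}
    if not z["phase1_done"]:
        verdict = "phase1_failed"  # PSK, Phase 1 proposal or IKE ID problem
    elif "INVALID_ID_INFORMATION" in z["notifies"]:
        verdict = "phase2_rejected_by_responder"  # responder refused our selectors or proposal
    elif z["quick_mode_sent"]:
        verdict = "phase2_no_answer"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "phase1_messages": z["phase1_messages"],
            "notifies": z["notifies"], "responder_reasons": reasons,
            "responder_policy": policy}


if __name__ == "__main__":
    for key, value in diagnose(ZYWALL_LOG, SONICWALL_SYSLOG).items():
        print(f"{key}: {value}")
```

Run against the two logs it reports six Phase 1 messages, the single INVALID_ID_INFORMATION notify, and the responder's three Phase 2 lines in the order they actually happened, with the selectors SonicWall printed for the policy it was trying to match. The point of reading both sides together is that the initiator only ever sees the generic notify; which of "selector mismatch", "proposal mismatch" or "route table wins" it stands for is only visible on the responder.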
Hi @vgjpc,
Is one of the site firewalls behind a NAT router? It looks like it is sending with an incorrect public IP address (or there is a mismatch on phase 2).
@Zyxel_Cooldia
Both are front facing and not behind any router. I fixed it by deleting a custom route that I had in the routing table.
Hi @vgjpc,
Thanks for sharing the information. It looks like adding a static route on both sites for the VPN connection subnet caused the tunnel to fail to establish the VPN connection in phase 2, right?
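The two things this thread came down to, a Phase 2 policy that must mirror the peer's exactly and a static route that silently takes precedence over the VPN policy, are both mechanical checks. The Python below is an added example (not from the thread or either vendor) that cross-checks two site-to-site configurations for mirrored selectors, IKE IDs and Phase 1/Phase 2 proposals, normalising the two UIs' different spellings of the same algorithm, and then flags every non-default static route that overlaps the tunnel's remote network, which is the condition the poster cleared by deleting the custom route. The two policy dictionaries are transcribed from the configurations posted above; the routing table, its gateways and interface names are constructed and hypothetical.

```python
import ipaddress
import re

# Transcribed from the two configurations posted in the thread; only the
# fields that must mirror each other are kept.
SONICWALL = {
    "name": "VPN_to_ZyWALL",
    "local_net": "10.0.0.0/22", "remote_net": "192.168.100.0/24",
    "local_id": "10.0.0.0", "peer_id": "192.168.100.0",
    "phase1": {"mode": "Main", "enc": "AES-256", "auth": "SHA1", "dh": "Group 2", "life": 86400},
    "phase2": {"proto": "ESP", "enc": "AES-128", "auth": "SHA1", "pfs": "Disabled", "life": 86400},
}
ZYWALL = {
    "name": "Zywall-Sonicwall",
    "local_net": "192.168.100.0/24", "remote_net": "10.0.0.0/22",
    "local_id": "192.168.100.0", "peer_id": "10.0.0.0",
    "phase1": {"mode": "Main", "enc": "AES256", "auth": "SHA1", "dh": "DH2", "life": 86400},
    "phase2": {"proto": "ESP", "enc": "AES128", "auth": "SHA1", "pfs": "none", "life": 86400},
}

# Constructed, hypothetical routing table for the SonicWall side: the default
# route, a custom route for the remote LAN of the kind the poster removed, and
# an unrelated route. Gateway addresses and interface names are placeholders.
ROUTES = [
    {"dest": "0.0.0.0/0", "gateway": "203.0.113.1", "iface": "X1"},
    {"dest": "192.168.100.0/24", "gateway": "10.0.0.254", "iface": "X0"},
    {"dest": "172.16.0.0/12", "gateway": "10.0.0.253", "iface": "X0"},
]

PHASE_KEYS = {"phase1": ("mode", "enc", "auth", "dh", "life"),
              "phase2": ("proto", "enc", "auth", "pfs", "life")}


def _norm(key, value):
    """Normalise the two UIs' spellings: 'AES-256'/'AES256', 'Group 2'/'DH2', 'Disabled'/'none'."""
    if key == "dh":
        return re.sub(r"\D", "", str(value))
    if key == "life":
        return int(value)
    s = str(value).replace("-", "").replace(" ", "").upper()
    return None if s in ("", "NONE", "DISABLED") else s


def check_mirrored(a, b):
    """Return a list of mismatches between two peers' policies; an empty list means they mirror."""
    net = ipaddress.ip_network
    problems = []
    if net(a["local_net"]) != net(b["remote_net"]):
        problems.append(f"selector: {a['name']} local {a['local_net']} != {b['name']} remote {b['remote_net']}")
    if net(a["remote_net"]) != net(b["local_net"]):
        problems.append(f"selector: {a['name']} remote {a['remote_net']} != {b['name']} local {b['local_net']}")
    if a["local_id"] != b["peer_id"] or a["peer_id"] != b["local_id"]:
        problems.append("IKE IDs: local/peer IDs are not mirrored")
    for phase, keys in PHASE_KEYS.items():
        for k in keys:
            if _norm(k, a[phase][k]) != _norm(k, b[phase][k]):
                problems.append(f"{phase} {k}: {a[phase][k]!r} vs {b[phase][k]!r}")
    return problems


def routes_overriding_policy(routes, remote_net):
    """Non-default static routes that overlap the tunnel's remote network.

    Longest-prefix match means a route equal to or more specific than the VPN
    selector takes that traffic away from the tunnel. A covering route is
    reported too, because a firewall that consults its route table before its
    VPN policy (what SonicWall's "Route table overrides VPN policy" log line
    says it did) can be diverted by it as well.
    """
    remote = ipaddress.ip_network(remote_net)
    hits = []
    for r in routes:
        dest = ipaddress.ip_network(r["dest"])
        if dest.prefixlen == 0:
            continue  # the default route is what the VPN policy is meant to win over
        if dest == remote:
            hits.append((r["dest"], "equal"))
        elif dest.subnet_of(remote):
            hits.append((r["dest"], "more specific"))
        elif remote.subnet_of(dest):
            hits.append((r["dest"], "covers"))
    return hits


if __name__ == "__main__":
    print("policy mismatches:", check_mirrored(SONICWALL, ZYWALL) or "none")
    print("routes overriding the tunnel:", routes_overriding_policy(ROUTES, SONICWALL["remote_net"]))
```

For the posted configurations `check_mirrored` returns nothing, which matches the moderator's reading that the settings themselves were fine, while the constructed route table shows the 192.168.100.0/24 entry as an exact overlap with the tunnel's remote network. Change one side's selector mask or PFS setting and the first function names the field; that is the class of error the INVALID_ID_INFORMATION notify would otherwise leave you guessing at.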