IPsec VPN issues – Cisco ASA to Dell Sonicwall

I work as an integrator for a customer that is wanting to set up a site to site, ipsec ikev1 tunnel between their ASA 5515x and another companies Dell Sonicwall. As I have no experience with Sonicwall, another integrator hired by the other company is handling that side of the config.

We attempted the cutover last night, and of course it did not go well. We were able to get phase 1 up, and then we kept getting a phase 2 mismatch. Strange thing was after a while, it would go back to giving an error in phase 1 that was saying the PSK was incorrect, and so we would both re-input the key, and it would work again and fail on phase 2. Then, out of the blue we lose both phase 1 and 2, and no matter what we did it would not come back up. Guy on the other side swears he didnt change anything, and I know I didnt. Now, I say this but I am very untrusting of anything the other integrator says, due to the fact that he came completely unprepared, and it took him an hour and half to LOGIN to the firewall, and find the location of where he even begins to configure the site to site connection.

All that being said, I am sharing a scrubbed copy of the basics of my configuration script, hoping someone can put eyes on it and let me know if anything looks off. I have used the basics of this script for multiple setups (though none to a Sonicwall), and it has always worked. I am admittedly not very experienced in these setups though, so it is very possible that I am missing something. /endnovel

The agreed upon parameters are:

PHASE 1

Encryption – AES256

Hash – SHA1

Peer Auth Method – Pre-Shared Key

Diffie-Hellman Group 2

IKE SA Lifetime – 86400 Seconds

PHASE 2

Auth protocol – ESP

Encryption Algorithm – AES-256

Hash – SHA1

DH – Group2

IPsec SA lifetime – 28800

SCRUBBED CONFIG

crypto ikev1 policy 5

encryption aes-256

hash sha

authentication pre-share

group 2

lifetime seconds 86400

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key presharedkey

object network x-Peer host x.x.x.x

access-list x-Tunnel-Interesting remark INTERESTING TRAFFIC FOR a-x TUNNEL access-list x-Tunnel-Interesting extended permit icmp object OBJ-y object x-Peer access-list x-Tunnel-Interesting extended permit tcp object OBJ-y object x-Peer access-list x-Tunnel-Interesting extended permit icmp object OBJ-z object x-Peer access-list x-Tunnel-Interesting extended permit tcp object OBJ-z object x-Peer

access-list x-Tunnel-Interesting remark PRIVATE TRAFFIC FOR a-x TUNNEL

access-list x-Tunnel-Private extended permit icmp object x-Peer object OBJ-y

access-list x-Tunnel-Private extended permit tcp object x-Peer object OBJ-y

access-list x-Tunnel-Private extended permit icmp object x-Peer object OBJ-z

access-list x-Tunnel-Private extended permit tcp object x-Peer object OBJ-z

crypto ipsec ikev1 transform-set x-set esp-aes-256 esp-sha-hmac

crypto map x-map 5 match address x-Tunnel-Interesting

crypto map x-map 5 set peer x.x.x.x

crypto map x-map 5 set ikev1 transform-set x-set

crypto map x-map 5 set security-association lifetime seconds 28800

nat (inside,outside) source static OBJ-z OBJ-z destination static x-Peer x-Peer no-proxy-arp route-lookup

nat (inside,outside) source static OBJ-y OBJ-y destination static x-Peer x-Peer no-proxy-arp route-lookup

Any help is greatly appreciated!

submitted by /u/ninjabean [link] [comments]

Read more: reddit.com

Leave a Reply

Your email address will not be published. Required fields are marked *