Koozali.org: home of the SME Server

IPSEC SONICWALL V5.01

Maaz Lid

IPSEC SONICWALL V5.01
« on: January 30, 2003, 04:51:01 AM »
Hi
I have tried a few suggestions from the forum and I still can't make it work.


I'm using SonicWall for my work VPN connection.
I've done the two commands you gave us, then checked my ipchains, and I have:

I have done the following commands to enable the masquerading of IPsec in SME 5.5:
/sbin/e-smith/db configuration setprop masq ipsec yes
/sbin/e-smith/signal-event remoteaccess-update

2 chains corresponding to the above rules:
ACCEPT ipv6-crypt---0.0.0.0/0 n/a
ACCEPT udp ------ 0.0.0.0/0 500 -> 500

I entered wins@work and my local DNS manually, then activated SonicWall.

The SonicWall logs:

14:20:10.648 Interface added: 10.1.1.83
14:20:30.606
14:20:30.606 MyServer@work - Initiating IKE Phase 1 (IP ADDR=MyDMZ_IP_Range)
14:20:30.606 MyServer@work - SENDING>>>> ISAKMP OAK MM (SA)
14:20:46.489 MyServer@work - message not received! Retransmitting!
14:20:46.489 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:21:01.541 MyServer@work - message not received! Retransmitting!
14:21:01.541 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:21:16.592 MyServer@work - message not received! Retransmitting!
14:21:16.592 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:21:31.644 MyServer@work - Exceeded 3 IKE SA negotiation attempts
14:21:34.869
14:21:34.869 MyServer@work - Initiating IKE Phase 1 (IP ADDR=MyDMZ_IP_Range)
14:21:34.869 MyServer@work - SENDING>>>> ISAKMP OAK MM (SA)
14:21:50.702 MyServer@work - message not received! Retransmitting!
14:21:50.702 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:22:05.753 MyServer@work - message not received! Retransmitting!
14:22:05.753 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:22:20.805 MyServer@work - message not received! Retransmitting!
14:22:20.805 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:22:35.856 MyServer@work - Exceeded 3 IKE SA negotiation attempts
14:24:30.601
14:24:30.601 MyServer@work - Initiating IKE Phase 1 (IP ADDR=MyDMZ_IP_Range)
14:24:30.601 MyServer@work - SENDING>>>> ISAKMP OAK MM (SA)
14:24:46.324 MyServer@work - message not received! Retransmitting!
14:24:46.324 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:25:01.356 MyServer@work - message not received! Retransmitting!
14:25:01.356 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:25:16.417 MyServer@work - message not received! Retransmitting!
14:25:16.417 MyServer@work - SENDING>>>> ISAKMP OAK MM (Retransmission)
14:25:31.459 MyServer@work - Exceeded 3 IKE SA negotiation attempts


Some extra info from a tcpdump of my second trial:

17:52:17.554706 MyRemoteNetIp.500 > MyExternalIp.500: isakmp: phase 1 R ident: [|sa]
17:52:17.554917 MyExternalIp > MyRemoteNetIp: icmp: MyExternalIp udp port 500 unreachable [tos 0xc0]
17:52:17.762253 MyExternalIp.61929 > MyRemoteNetIp.500: isakmp: phase 1 I ident: [|sa]
17:52:32.815881 MyExternalIp.61929 > MyRemoteNetIp.500: isakmp: phase 1 I ident: [|sa]
17:52:32.965860 MyRemoteNetIp.500 > MyExternalIp.500: isakmp: phase 1 R ident: [|sa]
17:52:32.966052 MyExternalIp > MyRemoteNetIp: icmp: MyExternalIp udp port 500 unreachable [tos 0xc0]
17:52:47.950091 MyRemoteNetIp.500 > MyExternalIp.500: isakmp: phase 1 R ident: [|sa]
17:52:47.950292 MyExternalIp > MyRemoteNetIp: icmp: MyExternalIp udp port 500 unreachable [tos 0xc0]



No connection established...

If anyone could give a hint to make it work, it'll be appreciated.

Thanks.


Maaz
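The tcpdump above shows the gateway's IKE requests leaving from port 61929 while the peer's answers arrive addressed to UDP port 500, which the gateway rejects with ICMP port unreachable. As an added example (not from the thread or from SME Server), a small Python script that parses tcpdump lines in this format and reports that mismatch; the sample capture is constructed from the lines above, with the placeholder host names kept.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, copied in shape from the tcpdump in the post (placeholder
# host names kept; in real captures these are dotted-quad addresses).
SAMPLE = """\
17:52:17.554706 MyRemoteNetIp.500 > MyExternalIp.500: isakmp: phase 1 R ident: [|sa]
17:52:17.554917 MyExternalIp > MyRemoteNetIp: icmp: MyExternalIp udp port 500 unreachable [tos 0xc0]
17:52:17.762253 MyExternalIp.61929 > MyRemoteNetIp.500: isakmp: phase 1 I ident: [|sa]
17:52:32.815881 MyExternalIp.61929 > MyRemoteNetIp.500: isakmp: phase 1 I ident: [|sa]
"""

# tcpdump of that era prints "<ts> src.sport > dst.dport: isakmp: phase N I|R ..."
ISAKMP = re.compile(r"^\S+ (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
                    r"isakmp: phase (?P<phase>\d) (?P<role>[IR]) ")
UNREACH = re.compile(r"^\S+ \S+ > \S+: icmp: \S+ udp port (?P<port>\d+) unreachable")

@dataclass
class IkeTrace:
    initiator_ports: set = field(default_factory=set)  # ports our IKE requests left from
    reply_ports: set = field(default_factory=set)      # ports the peer's replies were sent to
    unreachable: int = 0                               # ICMP "udp port N unreachable" we emitted

def parse_tcpdump(text: str) -> IkeTrace:
    """Collect IKE (UDP/500) port usage and ICMP port-unreachable counts from tcpdump text."""
    trace = IkeTrace()
    for line in text.splitlines():
        m = ISAKMP.match(line)
        if m:
            if m["role"] == "I":
                trace.initiator_ports.add(int(m["sport"]))
            else:
                trace.reply_ports.add(int(m["dport"]))
        elif UNREACH.match(line):
            trace.unreachable += 1
    return trace

def diagnose(trace: IkeTrace) -> str:
    """Explain why IKE phase 1 is not completing through a masquerading gateway."""
    if not trace.initiator_ports:
        return "no outbound IKE seen"
    if not trace.reply_ports:
        return "no IKE replies from peer (filtered upstream or peer down)"
    unmatched = trace.reply_ports - trace.initiator_ports
    if unmatched and trace.unreachable:
        return (f"IKE replies arrive on port(s) {sorted(unmatched)} but requests left from "
                f"{sorted(trace.initiator_ports)}; gateway answered {trace.unreachable} ICMP "
                "port unreachable: the masqueraded IKE flow is not being mapped back to the client")
    return "IKE request/reply ports consistent"
```

Run `diagnose(parse_tcpdump(open("capture.txt").read()))` against a capture taken on the gateway's external interface to get the one-line verdict.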

Jonathan Storey

Re: IPSEC SONICWALL V5.01
« Reply #1 on: February 01, 2003, 09:14:05 PM »
Looks like the key exchange isn't even happening on port 500.  I'm wondering why you need to alter anything at the console for passing IPsec from the SonicWall client (I'm assuming that you're using the latest VPN client from SonicWall to access your work's SonicWall? It's at about version 8-ish now, I think).  I have two e-smith boxes at work (both 5.5) through which I have to pass before I get on the internet.  I can connect with no probs to several remote SonicWalls using a group VPN SPD policy on the client.  Why do you need to alter stuff on the console?

Regards,
Jonathan Storey

Jonathan Storey

Re: IPSEC SONICWALL V5.01
« Reply #2 on: February 01, 2003, 09:17:29 PM »
Another thing I forgot to add in that last post: I totally ran into problems when my home subnet was the same as my remote VPN net's.  Is your local subnet the same as your work's LAN? Hope this helps.
Regards

Maaz Lid

Re: IPSEC SONICWALL V5.01
« Reply #3 on: February 03, 2003, 08:16:11 AM »
Hi Jonathan,

1 - I altered it at the console because masq on IPsec is disabled on SME 5.5.
2 - I'm using SonicWall client version 5.01 (company policy).
3 - From my tcpdump, I realized that the key exchange was not doing the job, and UDP port 500 is open for inbound & outbound traffic when I checked my ipchains.
4 - I'm not using the same subnet on my work and home networks.

Thanks.


Maaz

Jonathan Storey

Re: IPSEC SONICWALL V5.01
« Reply #4 on: February 03, 2003, 12:25:32 PM »
Damn, shame about your company policy.  The version 8 software (which your company would not know you're running, btw) allows for NAT-D traversal.  This would be why mine works and yours does not, even though I do not have IPsec masquerading enabled.  Try it out on a virtual machine (http://www.vmware.com) if you can, but rather than messing about with your e-smith box, I'd upgrade to SonicWall client v8.  Depending on how your .spd file is configured (I'm using the group policy .spd file to access most of our supported SonicWalls using a preshared key).  My SPDs worked fine with v5, and similarly the same with the v8 client.  I know this ain't much help on the hacking-e-smith-to-your-needs front, but it is a solution. ;)

Regards

Maaz

Re: IPSEC SONICWALL V5.01
« Reply #5 on: May 24, 2003, 11:04:00 PM »
Upgrading to SME 5.6 solved the problem.

Thanks for your time & help, Jonathan.

Maaz