[c-nsp] sonicwall / PIX VPN woes

Adam Greene maillist at webjogger.net
Wed Apr 30 11:12:41 EDT 2008


Hi,

Trying to set up a site-to-site VPN between PIX 515E 6.3(3) and Sonicwall TZ 170 SonicOS Enhanced 3.2.3.0-6e.

I followed all the instructions both on CCO (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml) and the Sonicwall site (http://www.sonicwall.com/downloads/vpn_interoperability_between_sonicos30e_and_cisco_pix_firewall.pdf).  

It seems to be hanging on Phase II negotiation. 

The sonicwall reports:

04/30/2008 10:02:06.080 - Info - VPN IKE - IKE Initiator: Start Main Mode negotiation (Phase 1) 
04/30/2008 10:02:06.400 - Info - VPN IKE - IKE Initiator: Main Mode complete (Phase 1) ;3DES; SHA1; DH Group 2; lifetime=28800 secs
04/30/2008 10:02:06.400 - Info - VPN IKE - IKE Initiator: Start Quick Mode (Phase 2). 
04/30/2008 10:02:06.448 - Info - VPN IKE - IKE Responder: Received Quick Mode Request (Phase 2) 
04/30/2008 10:02:21.448 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet 
04/30/2008 10:02:36.448 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet 

The pix reports:

PIX# sh crypto isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
       x.x.x.x    y.y.y.y    OAK_CONF_ADDR   0           0

And a pix debug shows:

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to x.x.x.x. ID = zzzzzzz (1xda111cf8)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...


Any ideas what might be failing?

I'm not sure why OAK messages would be showing up at all.  

Thanks,
Adam
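As an added triage aid, not part of the original thread or of either vendor's tooling, the Python below scans PIX 6.x `debug crypto isakmp` output for the milestone strings visible in the post and reports the stage at which the negotiation stalls. The sample input is constructed from the lines quoted above (placeholder addresses); the interpretation that `Need config/address` / `initiating peer config` mark an IKE Mode Config exchange is the example's own, not the poster's.

```python
# Constructed sample mirroring the PIX debug quoted in the post
# (x.x.x.x is a placeholder, not a real peer).
SAMPLE_PIX_DEBUG = """\
OAK_MM exchange
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to x.x.x.x. ID = zzzzzzz (1xda111cf8)
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...
"""

# Milestone strings emitted by PIX 6.x 'debug crypto isakmp'.
MARKERS = {
    "phase1_proposal_ok": "atts are acceptable",
    "phase1_authenticated": "SA has been authenticated",
    "phase2_started": "OAK_QM exchange",
    # Mode Config address push: the PIX is treating the peer like a
    # remote-access client rather than a LAN-to-LAN peer.
    "mode_config_attempted": "initiating peer config",
    "ipsec_sa_created": "Creating IPSec SAs",
}


def triage_pix_debug(text):
    """Return milestone flags, retransmit counts and a stall diagnosis."""
    result = {name: (needle in text) for name, needle in MARKERS.items()}
    result["phase2_duplicates"] = text.count("phase 2 packet is a duplicate")
    result["config_retransmits"] = text.count("retransmitting Config Mode Request")

    if not result["phase1_authenticated"]:
        # Proposal or pre-shared key mismatch: compare isakmp policy and keys.
        result["diagnosis"] = "phase1"
    elif result["mode_config_attempted"] and not result["ipsec_sa_created"]:
        # Phase 1 succeeded but the PIX is waiting on a Mode Config reply
        # the site-to-site peer will never send; review the crypto map's
        # client-configuration settings on the PIX.
        result["diagnosis"] = "mode_config"
    elif not result["ipsec_sa_created"]:
        # Quick Mode never completed: check proxy IDs / transform sets.
        result["diagnosis"] = "phase2"
    else:
        result["diagnosis"] = "established"
    return result
```

Feed it the full `debug crypto isakmp` capture; the `diagnosis` field tells you which side of the negotiation to compare between the two boxes.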
