I work as an integrator for a customer that wants to set up a site-to-site IPsec IKEv1 tunnel between their ASA 5515-X and another company's Dell SonicWall. As I have no experience with SonicWall, another integrator hired by the other company is handling that side of the config.
We attempted the cutover last night, and of course it did not go well. We were able to get Phase 1 up, and then we kept getting a Phase 2 mismatch. The strange thing was that after a while it would go back to giving an error in Phase 1 saying the PSK was incorrect, so we would both re-enter the key, and it would work again and fail on Phase 2. Then, out of the blue, we lost both Phase 1 and 2, and no matter what we did it would not come back up. The guy on the other side swears he didn't change anything, and I know I didn't. Now, I say this, but I am very untrusting of anything the other integrator says, due to the fact that he came completely unprepared, and it took him an hour and a half to LOG IN to the firewall and find the location where he even begins to configure the site-to-site connection.
All that being said, I am sharing a scrubbed copy of the basics of my configuration script, hoping someone can put eyes on it and let me know if anything looks off. I have used the basics of this script for multiple setups (though none to a SonicWall), and it has always worked. I am admittedly not very experienced in these setups, though, so it is very possible that I am missing something. /endnovel
The agreed upon parameters are:
PHASE 1
Encryption - AES256
Hash - SHA1
Peer Auth Method - Pre-Shared Key
Diffie-Hellman Group 2
IKE SA Lifetime - 86400 Seconds
PHASE 2
Auth protocol - ESP
Encryption Algorithm - AES-256
Hash - SHA1
DH - Group2
IPsec SA lifetime - 28800
SCRUBBED CONFIG
crypto ikev1 policy 5
encryption aes-256
hash sha
authentication pre-share
group 2
lifetime seconds 86400
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key presharedkey
object network x-Peer host x.x.x.x
access-list x-Tunnel-Interesting remark INTERESTING TRAFFIC FOR a-x TUNNEL
access-list x-Tunnel-Interesting extended permit icmp object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit tcp object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit icmp object OBJ-z object x-Peer
access-list x-Tunnel-Interesting extended permit tcp object OBJ-z object x-Peer
access-list x-Tunnel-Private remark PRIVATE TRAFFIC FOR a-x TUNNEL
access-list x-Tunnel-Private extended permit icmp object x-Peer object OBJ-y
access-list x-Tunnel-Private extended permit tcp object x-Peer object OBJ-y
access-list x-Tunnel-Private extended permit icmp object x-Peer object OBJ-z
access-list x-Tunnel-Private extended permit tcp object x-Peer object OBJ-z
crypto ipsec ikev1 transform-set x-set esp-aes-256 esp-sha-hmac
crypto map x-map 5 match address x-Tunnel-Interesting
crypto map x-map 5 set peer x.x.x.x
crypto map x-map 5 set ikev1 transform-set x-set
crypto map x-map 5 set security-association lifetime seconds 28800
nat (inside,outside) source static OBJ-z OBJ-z destination static x-Peer x-Peer no-proxy-arp route-lookup
nat (inside,outside) source static OBJ-y OBJ-y destination static x-Peer x-Peer no-proxy-arp route-lookup
Any help is greatly appreciated!
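Two things stand out when the posted config is checked against the agreed parameters. First, "Phase 2 DH Group 2" is PFS, and on the ASA that is a `set pfs` line on the crypto map entry; the posted map has none, so if the SonicWall policy has Perfect Forward Secrecy enabled with group 2, every Quick Mode proposal from the ASA is rejected. Second, the interesting-traffic ACL is written per protocol (icmp, tcp); the ASA proposes one proxy ID per ACE including the protocol, while a SonicWall VPN policy is defined as local network to remote network with any protocol, so those narrower selectors do not match what the other side will accept. The fragment below is an added example written by the editor, not the poster's config or Cisco documentation; it assumes the outside interface is named `outside` and reuses the object, ACL and map names from the post.

```cisco
! Added example, not the poster's config. Assumptions: the outside interface
! is named "outside"; OBJ-y, OBJ-z and x-Peer are defined as in the post;
! the peer address is x.x.x.x.

! Crypto ACL: network-to-network, protocol "ip", so the proxy IDs the ASA
! proposes match a SonicWall local/remote network policy. Filtering to tcp
! and icmp belongs on the interface ACL, not on the crypto ACL.
access-list x-Tunnel-Interesting remark INTERESTING TRAFFIC FOR a-x TUNNEL
access-list x-Tunnel-Interesting extended permit ip object OBJ-y object x-Peer
access-list x-Tunnel-Interesting extended permit ip object OBJ-z object x-Peer

crypto ipsec ikev1 transform-set x-set esp-aes-256 esp-sha-hmac

crypto map x-map 5 match address x-Tunnel-Interesting
crypto map x-map 5 set peer x.x.x.x
crypto map x-map 5 set ikev1 transform-set x-set
! "Phase 2 DH Group 2" from the agreed parameters is PFS on the ASA side.
crypto map x-map 5 set pfs group2
crypto map x-map 5 set security-association lifetime seconds 28800
crypto map x-map interface outside
crypto ikev1 enable outside

! If the SonicWall policy has PFS turned off, remove "set pfs group2" here
! instead; either way both peers must agree.

! Verification after the change:
!   show crypto ikev1 sa
!     State MM_ACTIVE means Phase 1 is up.
!   show crypto ipsec sa peer x.x.x.x
!     One SA pair per ACE; #pkts encaps / #pkts decaps should both increment
!     when traffic from OBJ-y or OBJ-z to x-Peer is sent.
!   debug crypto ikev1 127
!   debug crypto ipsec 127
!     "All IPSec SA proposals found unacceptable" points at transform or PFS;
!     "no matching crypto map entry for remote proxy" points at the selectors.
```

The PFS mismatch is the only gap that is visible purely from the page's own numbers; the selector issue is the usual reason a crypto map that works ASA-to-ASA fails against a third-party peer, and the `debug crypto ikev1 127` output distinguishes the two.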