Saturday, August 1, 2020

Help with business VPN

Good morning! Crazy problem here. Our site-to-site VPN at our place of business quit working when we changed our primary site's internet connection from Spectrum to an AT&T Wireless Broadband device (4G cellular) using the Nighthawk MR1100. After connecting the new internet at the primary site and changing the interface, the internet works well. The only change we make at the remote site is to change the gateway IP address that points to the main site to the new public static IP address assigned by AT&T. After making this change the tunnel shows active but no data is exchanged. It appears that the Phase 2 negotiation stalls out when the tunnel tries to come up. Here are some relevant details. Hoping someone here has run into something similar or could provide us some suggestions on what to try. Our current thinking is that something is different about this network traffic being sent out over the Nighthawk modem (cellular network).

Firewalls on both sides = SonicWall 250

Remote side makes a VPN connection to the primary site.

Nighthawk is set to IP passthrough and VPN passthrough is enabled.

Nighthawk has a custom APN assigned by AT&T to provide the public static IP for us.

VPN connects using aggressive mode. IKE Phase 1 is in aggressive mode, DH Group 2, Encryption: 3DES, Auth: SHA1. IPsec Phase 2 Protocol: ESP, Encryption: AES-128, Auth: SHA1.

Some notes:

The only thing that changed was the new internet connection and changing the VPN gateway IP at the new site. Before that everything was working fine. So all of our routes and access rules should be fine.

After the tunnel comes up, looking at the packet monitor I see Phase 1 looks good. I see UDP port 500 traffic get received successfully on the remote site from the main site. However, it doesn't look like Phase 2 completes. SonicWall tells me I should see UDP port 4500 next for the ESP, but that packet is never received.

AT&T also told me their MTU size should be 1430. The largest packet I can send using "ping -f -l 1402 google.com" is 1402. I'm wondering if the overhead with IPsec needs a larger packet size than this?

I have tried setting the MTU on the WAN interfaces on both sides to 1430, 1400, and lower.

Many thanks to anyone taking the time to read this and to give ideas. I know enough to be dangerous. This was written up by our trusted friend and IT consultant. We have spent a ton of time reading, researching and trying different settings. We are going to try one more time with a couple more changes today, but after today, we have exhausted everything we know to try. We have been on the phone with AT&T, SonicWall, and our IT support company for the last week and putting in lots of hours on this to no avail. Any help is much appreciated!

Thank you!
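The post asks whether IPsec overhead matters at a 1430-byte path MTU and reports that a Windows ping with a 1402-byte payload is the largest that gets through. The script below is an added worked example, not part of the original post, that puts numbers on both points: it converts a `ping -l` payload size into the full IPv4 packet size, and it computes how large an inner packet can be before ESP tunnel-mode encapsulation with AES-128-CBC and HMAC-SHA1 pushes the outer packet past the path MTU. It assumes IPv4 without options, HMAC-SHA1-96 (the standard 12-byte truncation), a 16-byte CBC IV, and NAT-T encapsulation in UDP when `nat_t=True`; the Phase 1 algorithms do not affect the data path and are not modelled.

```python
# Added example (not from the original post): IPsec ESP overhead versus path MTU.
# Inputs taken from the post: path MTU 1430, ESP with AES-128 and SHA1.
# Assumptions (ours): IPv4 without options, ESP tunnel mode, HMAC-SHA1-96 ICV,
# 16-byte AES-CBC IV, optional NAT-T (UDP 4500) encapsulation, and the Windows
# 'ping -l' semantics where the size given is the ICMP payload only.

IP_HEADER = 20        # IPv4 header without options
UDP_HEADER = 8        # NAT-T encapsulation header
ICMP_HEADER = 8       # ICMP echo request header
ESP_HEADER = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
AES_BLOCK = 16        # AES-CBC IV size and padding alignment
SHA1_96_ICV = 12      # truncated HMAC-SHA1 integrity check value


def ping_packet_size(payload_len):
    """Total IPv4 packet size on the wire for 'ping -l <payload_len>'."""
    return IP_HEADER + ICMP_HEADER + payload_len


def esp_tunnel_overhead(inner_len, nat_t=True):
    """Bytes added when an inner_len-byte packet is wrapped in ESP tunnel mode."""
    # The encrypted region is inner packet + padding + 2-byte trailer,
    # rounded up to a whole number of AES blocks.
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    pad_and_trailer = padded - inner_len
    encap = UDP_HEADER if nat_t else 0
    return IP_HEADER + encap + ESP_HEADER + AES_BLOCK + pad_and_trailer + SHA1_96_ICV


def outer_packet_size(inner_len, nat_t=True):
    """Size of the outer packet that carries an inner_len-byte packet."""
    return inner_len + esp_tunnel_overhead(inner_len, nat_t)


def max_inner_packet(path_mtu, nat_t=True):
    """Largest inner IPv4 packet whose ESP encapsulation still fits path_mtu."""
    best = 0
    for inner in range(path_mtu):
        if outer_packet_size(inner, nat_t) <= path_mtu:
            best = inner
    return best


def tcp_mss_for_tunnel(path_mtu, nat_t=True):
    """TCP MSS that avoids fragmentation inside the tunnel (IPv4 + TCP headers, no options)."""
    return max_inner_packet(path_mtu, nat_t) - IP_HEADER - 20


if __name__ == "__main__":
    print("ping -l 1402 sends an IP packet of", ping_packet_size(1402), "bytes")
    for mtu in (1430, 1500):
        for nat_t in (True, False):
            print(f"MTU {mtu}, NAT-T={nat_t}: max inner packet "
                  f"{max_inner_packet(mtu, nat_t)} bytes, TCP MSS {tcp_mss_for_tunnel(mtu, nat_t)}")
```

With a 1430-byte path MTU, a 1402-byte ping payload is exactly the largest non-fragmenting packet (1402 + 8 + 20 = 1430), so the ping result is consistent with the MTU AT&T quoted. The same MTU leaves room for a 1358-byte inner packet through the tunnel; traffic larger than that inside the tunnel will be fragmented or dropped if the inner hosts set Don't Fragment, which is why MSS clamping on the tunnel interface is the usual mitigation when a path MTU shrinks.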
