Cisco ASA & SonicWall VPN tunnel problem
I connected a VPN tunnel to a Cisco ASA with "IKEv2, Site to Site". But a problem arose.
On the local side I have two network subnets; on the remote side there are three hosts.
Although a total of 6 tunnels should be created, only one tunnel is created.
If I delete the connected tunnel, only one connection is made, to the next one.
Is there anything that needs to be reviewed on the SonicWall side or on the Cisco side?
If not, is it possible to only have one tunnel with the ASA?
The guide only configured one tunnel.
Best Answer
Ajishlal Community Legend ✭✭✭✭✭
Since SonicWall doesn't have a PRF setting in phase 1 or phase 2, you must configure the integrity algorithm and the PRF algorithm to be the same on the Cisco ASA, because in IKEv2 (Cisco) the hash algorithm is split into two options: one for the integrity algorithm and one for the pseudo-random function (PRF).
Answers
@Jeong
Share with us the Cisco configuration and the SonicWall configuration.
I'm sharing the Cisco and SonicWall settings.
The objects on the SonicWall are the same as on the Cisco.
Currently, only one tunnel is active.
Thanks
=== Cisco ASA config ===
! Local (ASA side) hosts and remote (SonicWall side) subnets
object-group network IPSEC-CHEMON-LOCAL
 network-object host xx.xx.xx.xx1
 network-object host xx.xx.xx.xx2
 network-object host xx.xx.xx.xx3
exit
object-group network IPSEC-CHEMON-REMOTE
 network-object xxx.xxx.x.xx1 255.255.255.128
 network-object xxx.xxx.x.xx2 255.255.252.0
exit
! Identity NAT so VPN traffic is not translated, and the crypto ACL (3 hosts x 2 subnets = 6 selectors)
nat (any,outside) source static IPSEC-CHEMON-LOCAL IPSEC-CHEMON-LOCAL destination static IPSEC-CHEMON-REMOTE IPSEC-CHEMON-REMOTE no-proxy-arp route-lookup
access-list IPSEC-CHEMON extended permit ip object-group IPSEC-CHEMON-LOCAL object-group IPSEC-CHEMON-REMOTE
crypto map mycryptomap 270 match address IPSEC-CHEMON
crypto map mycryptomap 270 set peer xxx.xx.xx.xxx
crypto map mycryptomap 270 set ikev2 ipsec-proposal AES256-SHA256
crypto map mycryptomap 270 set security-association lifetime seconds 3600
tunnel-group xxx.xx.xx.xxx type ipsec-l2l
tunnel-group xxx.xx.xx.xxx ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
! Phase 2 (IPsec) proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Phase 1 (IKEv2) policies, evaluated from the lowest priority number upward
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes-gcm-256
 integrity null
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes-256
 integrity sha256
 group 5
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 policy 50
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 group 20 19 24 14 5 2
 prf sha512 sha384 sha256 sha
 lifetime seconds 3600
=== SonicWall ===
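To apply the accepted answer's check to the ASA config above without reading every policy by hand, here is an added example (not code from the thread or from Cisco) that parses the "crypto ikev2 policy" blocks and reports which policies offer no hash common to their integrity and PRF lists; the embedded sample is a constructed copy of policies 10 to 40 from the post, and the function names are my own.

```python
import re  # noqa: F401 (kept for readers who extend the tokenizer with regexes)
# Constructed sample: policies 10 to 40 from the ASA config above, lifetime lines dropped.
ASA_CONFIG = """\
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 5
prf sha
crypto ikev2 policy 20
encryption aes-256
integrity sha256
group 5
prf sha256
crypto ikev2 policy 30
encryption aes-gcm-256
integrity null
group 5
prf sha
crypto ikev2 policy 40
encryption aes-256
integrity sha256
group 5
prf sha512 sha384 sha256 sha
"""
POLICY_KEYWORDS = {"encryption", "integrity", "group", "prf", "lifetime"}

def parse_ikev2_policies(config):
    """Map policy number -> {keyword: [values]}; tolerates missing indentation."""
    policies, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["crypto", "ikev2", "policy"]:
            current = policies.setdefault(int(tokens[3]), {})
        elif current is not None and tokens[0] in POLICY_KEYWORDS:
            current[tokens[0]] = tokens[1:]
        else:
            current = None  # any other top-level command ends the policy block
    return policies

def common_hash(policies):
    """Per policy: hashes offered as both integrity and PRF (what a peer that ties PRF to its hash can negotiate)."""
    return {n: sorted(set(p.get("integrity", [])) & set(p.get("prf", [])))
            for n, p in policies.items()}

def prf_mismatches(policies):
    """Policy numbers with no hash common to integrity and PRF; the accepted answer's fix applies to these."""
    return sorted(n for n, algs in common_hash(policies).items() if not algs)
```

Run against the sample it flags policies 10 and 30, while 20 and 40 each leave sha256 available for both roles.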
Is anything actually not working? I saw this too, and when someone pinged between one of the "down" tunnels, it came up and all was OK.
I would think "keep alive" would avoid this micro-issue, however.