VPN ISSUE after changing WAN IP
Hello!
I have a very strange problem with a site-to-site VPN on two SonicWalls that I manage. The VPN worked very well until then. We had a little problem with our fiber, so we had to use a 4G box with a fixed public IP address, which has no problem; we have switched all our equipment to this public IP address (mail server, etc.).
On the other hand, the site-to-site VPNs to existing sites no longer work with the new public IP address. The logs of the remote SonicWall indicate:
IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
IKEv2 Initiator: Received IKE_SA_INT response
IKEv2 Received notify error payload
VPN Policy: No Proposal Chosen
I haven't made any change; I only changed the public IP address.
Any idea?
Answers
@mimiz, have you changed the Peer Gateway Address config for the site-to-site VPN, unless it is domain name based?
Hello! Thanks for your answer. Of course, I changed the primary gateway of the peer. I also changed the local and the peer IKE ID; I chose the IPv4 address instead of the firewall's identifier, thinking that with IP addresses it would work better, but it's still the same error message.
Today I made changes: I completely changed the parameters, I chose main mode, changed the phase 1 and phase 2 proposals, but it still doesn't work.
On the local firewall, there is no log relating to this VPN connection; on the other hand, on the remote firewall this time I no longer have a "No Proposal Chosen" message, but I have a message:
IKE Initiator: Remote party Timeout - Retransmitting IKE Request.
I suspect a local firewall rule that forces the VPN to the IP address that is no longer accessible, or something like that. Do you have any tips for me?
Thanks!
"IKE Initiator: Remote party Timeout - Retransmitting IKE Request." This means that the VPN initiator is sending the IKE traffic to the peer gateway and does not get any response back. This is usually an indication of an ISP issue. The best next step is probably to trace the UDP 500/4500 traffic with Packet Monitor. This should certainly give an idea of whether the traffic is reaching the peer gateway SonicWall firewall.
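As an added illustration (not from this thread or from SonicWall), the following Python triage applies the distinction made above to a block of IKE log lines: a "notify error" / "No Proposal Chosen" proves the peer is reachable and the problem is a proposal or IKE ID mismatch, while a stream of retransmits with no response at all points at the path (UDP 500/4500) rather than the configuration. The sample logs are constructed from the messages quoted in the thread; the pattern names and the `triage_ike_log` function are my own.

```python
import re
from collections import Counter

# Constructed sample logs modelled on the SonicWall messages quoted in this
# thread (not real captures). First: the peer answers but rejects the proposal.
NPC_LOG = """\
IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
IKEv2 Initiator: Received IKE_SA_INIT response
IKEv2 Received notify error payload
VPN Policy: No Proposal Chosen
"""
# Second: nothing ever comes back from the peer gateway (IKEv1 main mode).
TIMEOUT_LOG = """\
IKE Initiator: Remote party Timeout - Retransmitting IKE Request.
IKE Initiator: Remote party Timeout - Retransmitting IKE Request.
"""

PATTERNS = {  # hypothetical pattern names chosen for this example
    "retransmit": re.compile(r"Remote party Timeout - Retransmitting IKE(v2)? Request", re.I),
    "response": re.compile(r"Received .*response", re.I),
    "notify_error": re.compile(r"notify error payload", re.I),
    "no_proposal_chosen": re.compile(r"No Proposal Chosen", re.I),
}
NEXT_STEP = {
    "peer_reachable_config_mismatch": "Peer answered but rejected the proposal: compare phase 1/2 proposals and local/peer IKE IDs on both firewalls.",
    "peer_unreachable": "No reply at all: run Packet Monitor on UDP 500/4500 and check whether the provider blocks or fails to forward those ports.",
}

def triage_ike_log(text):
    """Classify SonicWall IKE log lines: detected IKE version, per-pattern
    counts, a diagnosis and the next troubleshooting step from the thread."""
    counts = Counter({name: 0 for name in PATTERNS})
    version = "unknown"
    for line in text.splitlines():
        if "IKEv2" in line:
            version = "IKEv2"
        elif "IKE" in line and version == "unknown":
            version = "IKEv1"
        for name, pat in PATTERNS.items():
            if pat.search(line):
                counts[name] += 1
    if counts["no_proposal_chosen"] or counts["notify_error"]:
        diagnosis = "peer_reachable_config_mismatch"   # peer is reachable
    elif counts["retransmit"] and not counts["response"]:
        diagnosis = "peer_unreachable"                  # nothing came back
    elif counts["response"]:
        diagnosis = "negotiation_in_progress"
    else:
        diagnosis = "no_ike_events"
    return {"ike_version": version, "counts": dict(counts), "diagnosis": diagnosis,
            "next_step": NEXT_STEP.get(diagnosis, "Inspect later log lines.")}
```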
Hello, thanks for your answer. I'm a newbie with SonicWall firewalls.
Can you give me the steps to follow for this operation, or share a KB with me to follow to do it?
Thanks!
Hi @mimiz, check with your 4G provider or 4G router and verify that IKE UDP 500 or UDP 4500 is not being blocked.
How can I setup and utilize the Packet Monitor feature for troubleshooting?
https://www.sonicwall.com/support/knowledge-base/how-can-i-setup-and-utilize-the-packet-monitor-feature-for-troubleshooting/170513143911627
Hello!! Thanks for your answers.
The solution that worked for me was: delete the complete VPN and rebuild it with main mode config and IPv4 identifiers.
Thank you.