Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SonicWall TZ 370 vs. Enreach SwyxOn - IPSec VPN not connecting

For the IPPBX-Cloudservice SwyxON (Deutsche Telekom netphone successor) you need an IPSec-VPN-Tunnel to use the on premise VoIP-Phones. I have no clue, how to set up an connection there.

You see some screenshots from https://service.swyx.net/hc/de/community/posts/360003767359-SwyxON-VPN-mit-Sonicwall-Firewall

How would you "translate" these parameters to SonicWall? Is there Difference between AES-GCM16-256 and the AES-GCM-256 mentioned in this screenshot?

Best Regards,

ckonrads

Category: Entry Level Firewalls
Reply
Tagged:

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @ckonrads GCM and GCM16 have a different size of the ICV (Integrity Check Value), I guess GCM (without number) has 64-bit ICV and GCM16 has 128-bit ICV. From what I see in your screenshot GCM is the way to go, but to be honest, if GCM does not work, try GCM16 and if this does not work get in touch with DTAG.

    The system log is pretty helpful to figure out why P1 or P2 is not coming up.

    The configuration itself looks straight forward, anything else you're struggling with?

    --Michael@BWC

  • ckonradsckonrads Newbie ✭

    We have changed to IKEv1 and it`s the same problem. I have to figure out, which RFCs are implemented so that i can understand the settings.

    https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-3.pdf

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @ckonrads according to the screenshot you need to use AES-256 (without any suffix), but you might struggle with the DH Group, because 15 is not supported by SNWL. DH Group 5 isn't accepted from the remote side?

    This would be my best guess, but DTAG should provide information except they wanna sell you a new router.

    If you can provide sanitzed logs there might be some hint to get it resolved (if possible).

    --Michael@BWC

  • ckonradsckonrads Newbie ✭

    The problem must be in this area. The group 5 is not recommended and the BSI recommends strictly the use of 3072 instead of 2048.

    I don't know how much influence the DTAG has on Enreach. Stay tuned till tomorrow.

  • ckonradsckonrads Newbie ✭

    We have a solution - by using an one-legged LANCOM Router. 😐️

    Upcoming SonicOS 7.1 should be able to do some more algorithms but we can't wait so long.

    @BWC Thank you for your help!!!

Sign In or Register to comment.