IKE VPN between OS 6.5 and OS 7.0 not getting past Phase 2
Okay,
HQ had TZ400 (Static IP) (SonicOS 6.5.4.9) configured and set to IKE VPN.
Home Office has TZ600 (Dynamic IP) (SonicOS 6.5.4.9) configured and set to IKE VPN.
Both Firewalls connect across Aggressive Site to Site IKE VPN without issues over Verizon FIOS ISP at both sites.
HQ upgraded to TZ370 (Static IP) (SonicOS 7.0.1-5095) configured using Exported configuration from TZ400 and SonicWall Online Migration Tool. Migration configuration Imported and TZ370 rebooted.
All network devices recognized and TZ370 successfully connected to Verizon FIOS ISP (Static IP).
Aggressive Site to Site IKE VPN doesn't get past Phase 2.
Error messages :
IKE Responder: IPsec proposal does not match (Phase 2)
IKE Responder: Peer's local network does not match VPN Policy's [Destination ]
Reset TZ370 configuration and manually create NEW configuration just in case migration tool isn't perfect.
All VPN settings are correct. VPN Tunneling is successful but Aggressive Site to Site IKE VPN still doesn't get past Phase 2.
Sounds like SonicOS 7.0.1-5095 is not syncing with SonicOS 6.5.4.9.
Any suggestions ??
Peter R
Answers
@Peter_R in general Gen6 to Gen7 works just fine, did you compare the Local and Remote Networks defined in your configuration on both sides thoroughly? I'm sure the Address Objects do not match, maybe the Subnet size differs or the IP Range. What kind of objects are you using for the VPN Tunnel networks, Subnets, Ranges or Hosts?
In SNWL-to-SNWL scenarios I never use Site to Site, always Tunnel Interface because of its flexibility.
--Michael@BWC
@BWC,
I have been through all of the settings several times.
It did not connect with the Migration settings; it did not work with a fresh configuration.
I even put in a ticket and a SonicWall Tech asked me the same.
Everything is exactly as it should be with no mistakes.
It should be connecting but it is not !!!
TZ370 is complaining about INVALID_INFO.
I have seen comments about rolling back the Firmware to an earlier version and it works.
This is not why we paid for the upgrade.
My next move will be to have SonicWall Tech Support go through the TZ370 and run their diagnostics.
If I run a VPN Tunnel interface at 10.10.10.0/24 (TZ600) and 192.168.1.0/24 (TZ370)
the tunnel comes up fine.
We have Site to Site IKE VPN running because we want it SECURED.
Peter R
@Peter_R
We have Site to Site IKE VPN running because we want it SECURED.
If you believe a Tunnel Interface is less secure, then I can tell you that is not the case. It's just a different implementation but security-wise it's the same, you should look into this if you're running SNWL-to-SNWL.
To rule out any already fixed issues I recommend updating to 6.5.4.12 and 7.0.1-5111, both contain important security fixes and should be current.
I believe support already mentioned this one:
--Michael@BWC
@BWC,
I have already seen that from multiple suggestions and no matter how many times I have said it,
all of my configuration settings are CORRECT. This was the reason for my opening a Tech Support ticket.
The settings were correct after the Online Migration Tool created a configuration file.
After resetting the TZ370 and manually creating a configuration file, all the settings are correct.
THE SAME EXACT SETTINGS WORKED BETWEEN TWO OS6.5 DEVICES.
I will try your suggestion and upgrade the Firmware in both devices.
This is probably going to resolve the issue.
Peter R
@Peter_R
If you don't mind, can you share the VPN configuration screenshots from both ends here?
Usually one end or the other will say in the logs what exactly doesn't match between the two configurations.
If you're getting INVALID_ID_INFO then configure manual IKE IDs at each end, eg choose Domain Name and choose some random string for each side.
@Peter_R
This is always a case whereby Local and Destination networks do not match on either side. Please ensure the VPN policies on both Units are configured with the correct Destination and Local networks.
Most probably your issue is that one end's LAN subnet is combined with multiple subnets.
For example, while creating the VPN policy --> Network, people choose the default "LAN Subnets" group as the Local Network, and it might contain multiple LAN subnets, while the other end of the VPN policy doesn't have information about those remaining subnets. So in that case you have to create the particular LAN subnet as a new address object and choose that address object as the local network in the VPN policy.
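As an added illustration of the mismatch the two answers above describe (an address group such as "LAN Subnets" carrying more networks than the peer's Destination, or a Range object that does not equal a Subnet object), here is a small Python checker that is not part of this thread or of SonicOS. It uses a hypothetical address-object schema (host, network, range, group) and constructed sample data for the TZ370 and TZ600 sides; the names, subnets and policy layout are assumptions, not the poster's real configuration. It expands each side's Local and Destination objects into concrete networks and reports any network one side proposes that the other side's policy does not mirror, which is exactly the condition behind "Peer's local network does not match VPN Policy's [Destination]".

```python
import ipaddress
from typing import Dict, List, Set


def resolve(name: str, objects: Dict[str, dict]) -> Set[ipaddress.IPv4Network]:
    """Expand a named address object into the set of networks it covers.
    The object kinds (host, network, range, group) are a hypothetical schema
    for this example; groups may nest, so resolution is recursive."""
    obj = objects[name]
    kind = obj["type"]
    if kind == "host":
        return {ipaddress.ip_network(f'{obj["address"]}/32')}
    if kind == "network":
        return {ipaddress.ip_network(obj["network"], strict=False)}
    if kind == "range":
        # A range is summarized into the minimal set of CIDR blocks, which
        # is why 192.168.1.1-192.168.1.254 is NOT the same as 192.168.1.0/24.
        return set(ipaddress.summarize_address_range(
            ipaddress.ip_address(obj["start"]), ipaddress.ip_address(obj["end"])))
    if kind == "group":
        nets: Set[ipaddress.IPv4Network] = set()
        for member in obj["members"]:
            nets |= resolve(member, objects)
        return nets
    raise ValueError(f"unknown address object type: {kind}")


def compare_selectors(a_name: str, a_objects: Dict[str, dict], a_policy: dict,
                      b_name: str, b_objects: Dict[str, dict], b_policy: dict) -> List[str]:
    """Check that A's Local equals B's Destination and vice versa.
    Returns human-readable mismatch lines; an empty list means the selectors mirror."""
    problems: List[str] = []
    pairs = [
        (f"{a_name} Local", resolve(a_policy["local"], a_objects),
         f"{b_name} Destination", resolve(b_policy["remote"], b_objects)),
        (f"{b_name} Local", resolve(b_policy["local"], b_objects),
         f"{a_name} Destination", resolve(a_policy["remote"], a_objects)),
    ]
    for left_label, left, right_label, right in pairs:
        for net in sorted(left - right):
            problems.append(f"{left_label} includes {net} but {right_label} does not")
        for net in sorted(right - left):
            problems.append(f"{right_label} includes {net} but {left_label} does not")
    return problems


# --- constructed sample data (assumed, not the poster's configuration) ---
HQ_OBJECTS = {
    "X0 Subnet": {"type": "network", "network": "192.168.1.0/24"},
    "X2 Subnet": {"type": "network", "network": "192.168.2.0/24"},
    "LAN Subnets": {"type": "group", "members": ["X0 Subnet", "X2 Subnet"]},
    "HomeOffice LAN": {"type": "network", "network": "10.10.10.0/24"},
}
HQ_POLICY_GROUP = {"local": "LAN Subnets", "remote": "HomeOffice LAN"}  # default group as Local
HQ_POLICY_FIXED = {"local": "X0 Subnet", "remote": "HomeOffice LAN"}    # specific subnet as Local

HOME_OBJECTS = {
    "X0 Subnet": {"type": "network", "network": "10.10.10.0/24"},
    "HQ LAN": {"type": "network", "network": "192.168.1.0/24"},
    "HQ LAN Range": {"type": "range", "start": "192.168.1.1", "end": "192.168.1.254"},
}
HOME_POLICY = {"local": "X0 Subnet", "remote": "HQ LAN"}
HOME_POLICY_RANGE = {"local": "X0 Subnet", "remote": "HQ LAN Range"}


def check_group_policy() -> List[str]:
    """HQ uses the multi-member LAN Subnets group: one extra network the peer never agreed to."""
    return compare_selectors("TZ370", HQ_OBJECTS, HQ_POLICY_GROUP,
                             "TZ600", HOME_OBJECTS, HOME_POLICY)


def check_fixed_policy() -> List[str]:
    """HQ uses the single X0 Subnet object: both sides mirror, no mismatch."""
    return compare_selectors("TZ370", HQ_OBJECTS, HQ_POLICY_FIXED,
                             "TZ600", HOME_OBJECTS, HOME_POLICY)


def check_range_policy() -> List[str]:
    """Home uses a Range object for HQ's LAN: a range never equals a /24 subnet object."""
    return compare_selectors("TZ370", HQ_OBJECTS, HQ_POLICY_FIXED,
                             "TZ600", HOME_OBJECTS, HOME_POLICY_RANGE)


if __name__ == "__main__":
    for label, result in (("group", check_group_policy()),
                          ("fixed", check_fixed_policy()),
                          ("range", check_range_policy())):
        print(f"[{label}] {'OK' if not result else ''}")
        for line in result:
            print("  " + line)
```

Running it prints one mismatch for the group case (the 192.168.2.0/24 member that the TZ600 side's Destination does not carry), nothing for the corrected policy, and a long list for the range case because the range summarizes into many small CIDR blocks rather than a single /24. The same comparison can be done by hand against the two firewalls' VPN policy Network tabs; the point is that both Local/Destination pairs must resolve to exactly the same networks, not merely overlap.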
Hi @Peter_R
The log says "Peer's local network does not match VPN Policy's [Destination ]": the local and remote network address groups on your two firewalls do not match each other. Please check the IP addresses and zone assignment settings.
Best regards
@MitatOnge
THE SAME IDENTICAL CONFIGURATION WORKED BETWEEN TWO os 6.5 devices. TZ600 and TZ400.
THE SAME IDENTICAL CONFIGURATION IS PROGRAMMED INTO THE TZ600 AND THE TZ370 AND IT DOESN'T WORK.
THE TZ600 CONFIGURATION NEVER CHANGED.
THE TZ370 LAN CONFIGURATION WORKS PERFECTLY AS IT DID WITH THE TZ400.
WHY DOES THE AGGRESSIVE SITE TO SITE VPN NOT WORK NOW ???
Peter R.
That might be due to the different firmware and the latest OS. So kindly try to do the suggested adjustment and let us know.