VaporSec SonicWall TZ-170 (2.2.0.0) <–> Mac OS X (10.3.4)

Viewing 10 posts - 1 through 10 (of 10 total)
    #358152
    Anonymous
    Participant

    Joel —

    Thanks for having the forum and making so many helpful replies! 😀

    I’ve been through the forum and haven’t seen a solution yet, so let me ask it here:

    1.0) The Mac goes through that AppleScript beeping thing, but then seems to work. (Not a major problem.)

    2.0) The tunnel does not get built. SonicWall reports the connection thus:

    Does anything jump out from these reports and configurations?

    RECEIVED<<< ISAKMP OAK AG (InitCookie 0xacd923bb0e8c2192, MsgID: 0x0) (SA, KE, NON, ID, VID) – Source:Macintosh, 500 – Destination:SonicWall, 500 – –
    IKE Responder: Received Aggressive Mode request (Phase 1) – Source:Macintosh – Destination:SonicWall – –
    NAT Discovery : Peer IPSec Security Gateway doesn’t support VPN NAT Traversal – Source:SonicWall – Destination:Macintosh – –
    SENDING>>>> ISAKMP OAK AG (InitCookie 0xacd923bb0e8c2192, MsgID: 0x0) (SA, KE, NON, ID, VID, HASH) – Source:SonicWall, 500 – Destination:Macintosh, 500 – –
    IKE Responder: No response – remote party timeout – Source:SonicWall, 500 – Destination:Macintosh, 500 – –
    IKE Responder: No response – remote party timeout – Source:SonicWall, 500 – Destination:Macintosh, 500 – –
    Received packet retransmission. Drop duplicate packet – Source:Macintosh – Destination:0.0.0.0 – –
    IKE Responder: No response – remote party timeout – Source:SonicWall, 500 – Destination:Macintosh, 500 – –
    IKE negotiation aborted due to timeout – Source:SonicWall – Destination:Macintosh – –

    This indicates that the Mac gets the SonicWall’s attention but is not responding to the SonicWall’s ‘What’s up?’ reply.

    Settings are as follows:
    SonicWall:
    IPSec Keying Mode = IKE using Preshared Secret
    Name = Named specifically for this connection
    IPSec Primary Gateway = 0.0.0.0
    IPSec Secondary Gateway = 0.0.0.0
    Shared Secret = Named specifically for this connection
    Destination Network = 192.168.0.0 255.255.255.0
    Default LAN Gateway = 0.0.0.0

    Proposals:
    Phase 1:
    Exchange = Aggressive Mode
    DH Group = Group 2 (Alternates are 1 & 5)
    Authentication = MD5 (Alternate is SHA1)
    Lifetime = 28800 seconds

    Phase 2:
    Protocol = ESP (Alternate is AH)
    Encryption = 3DES (Alternates are DES, AES 128, AES 192, AES 256, ArcFOUR, NONE)
    Authentication = SHA1 (alternates are MD5 and none)
    Enable Perfect Forward Secrecy is ON
    DH Group = Group 2 (alternates 1 & 5)
    Lifetime = 28800 seconds

    VaporSec (1.0 v100) is set up as follows:
    Connection Name = SA Policy Name from above
    Remote IPSec Device = Sonicwall’s Public IP
    Remote Network = 192.168.201.1/24
    Local Network Mask = 24
    Main Tab:
    Shared Secret = shared secret from above
    Local IP = 192.168.0.5 (IP assigned by home network router/firewall)
    Mode = aggressive
    Proposal check = Obey
    Nonce size = 16

    Phase 1:
    Lifetime = 28800 seconds
    DH Group = 2
    Encryption = DES
    Authentication = md5

    Phase 2:
    Lifetime = 28800 seconds
    PFS Group = 2
    Encryption = 3des
    Authentication = hmac_sha1

    ID:
    Local = name of SA policy on SonicWall
    Remote = SonicWall Serial Number (as is standard when linking two SonicWalls together)

    We’ve twiddled around with the authentication and DH groups, changed modes to Main, Main/Aggressive, Aggressive/Main, etc., all to no avail.

    At some point we managed to get past phase 1 and starting seeing ‘Phase 2 Proposal does not match’, but can’t even get that far anymore.

    Thanks in advance for any help you can give….
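The log excerpt in the post above carries enough to say where the exchange stalls. What follows is an added example, not code from the original post or from SonicWall: it parses the quoted responder log (reconstructed here as SAMPLE_LOG with the dashes normalised and the peers named by role, plus a constructed HEALTHY_LOG for contrast), maps the lines onto the three aggressive-mode messages, and reports why Phase 1 never completed. The regular expression and the rules in diagnose() are this example's own assumptions about the SonicWall 2.x log wording, not a documented interface.

```python
"""Diagnose a stalled IKEv1 aggressive-mode exchange from SonicWall log lines.

Added example; not code from the original post or from SonicWall. SAMPLE_LOG
is constructed from the lines the poster quoted (dashes normalised, peers
named by role). The regex and the rules in diagnose() are this example's own
assumptions about the SonicWall 2.x log wording, not a documented interface.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
RECEIVED<<< ISAKMP OAK AG (InitCookie 0xacd923bb0e8c2192, MsgID: 0x0) (SA, KE, NON, ID, VID) - Source:Macintosh, 500 - Destination:SonicWall, 500 - -
IKE Responder: Received Aggressive Mode request (Phase 1) - Source:Macintosh - Destination:SonicWall - -
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal - Source:SonicWall - Destination:Macintosh - -
SENDING>>>> ISAKMP OAK AG (InitCookie 0xacd923bb0e8c2192, MsgID: 0x0) (SA, KE, NON, ID, VID, HASH) - Source:SonicWall, 500 - Destination:Macintosh, 500 - -
IKE Responder: No response - remote party timeout - Source:SonicWall, 500 - Destination:Macintosh, 500 - -
IKE Responder: No response - remote party timeout - Source:SonicWall, 500 - Destination:Macintosh, 500 - -
Received packet retransmission. Drop duplicate packet - Source:Macintosh - Destination:0.0.0.0 - -
IKE Responder: No response - remote party timeout - Source:SonicWall, 500 - Destination:Macintosh, 500 - -
IKE negotiation aborted due to timeout - Source:SonicWall - Destination:Macintosh - -
"""

# Constructed: the same exchange completing, for contrast.
HEALTHY_LOG = """\
RECEIVED<<< ISAKMP OAK AG (InitCookie 0x0102030405060708, MsgID: 0x0) (SA, KE, NON, ID, VID) - Source:Macintosh, 500 - Destination:SonicWall, 500 - -
SENDING>>>> ISAKMP OAK AG (InitCookie 0x0102030405060708, MsgID: 0x0) (SA, KE, NON, ID, VID, HASH) - Source:SonicWall, 500 - Destination:Macintosh, 500 - -
RECEIVED<<< ISAKMP OAK AG (InitCookie 0x0102030405060708, MsgID: 0x0) (HASH) - Source:Macintosh, 500 - Destination:SonicWall, 500 - -
"""

MSG_RE = re.compile(
    r"^(?P<dir>RECEIVED<<<|SENDING>>>>) ISAKMP OAK (?P<mode>AG|MM|QM) "
    r"\(InitCookie (?P<cookie>0x[0-9a-f]+), MsgID: (?P<msgid>0x[0-9a-f]+)\) "
    r"\((?P<payloads>[^)]*)\)"
)


@dataclass
class Exchange:
    cookie: Optional[str] = None
    received: List[List[str]] = field(default_factory=list)  # payload lists, peer -> responder
    sent: List[List[str]] = field(default_factory=list)      # payload lists, responder -> peer
    timeouts: int = 0
    duplicates: int = 0
    nat_t_unsupported: bool = False
    aborted: bool = False


def parse_ike_log(text: str) -> Exchange:
    """Fold the responder's log lines into one Exchange record."""
    ex = Exchange()
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            payloads = [p.strip() for p in m["payloads"].split(",") if p.strip()]
            ex.cookie = ex.cookie or m["cookie"]
            (ex.received if m["dir"].startswith("RECEIVED") else ex.sent).append(payloads)
        elif "remote party timeout" in line:
            ex.timeouts += 1
        elif "Drop duplicate packet" in line:
            ex.duplicates += 1
        elif "doesn't support VPN NAT Traversal" in line:
            ex.nat_t_unsupported = True
        elif "aborted due to timeout" in line:
            ex.aborted = True
    return ex


def diagnose(ex: Exchange) -> List[str]:
    """Map the exchange onto the three aggressive-mode messages (RFC 2409):
    msg1 initiator: SA, KE, NON, ID [, VID]; msg2 responder: SA, KE, NON, ID,
    HASH [, VID]; msg3 initiator: HASH only. Return a list of finding tags."""
    findings = []
    got_msg1 = any({"SA", "KE", "NON", "ID"} <= set(p) for p in ex.received)
    sent_msg2 = any("HASH" in p and "SA" in p for p in ex.sent)
    got_msg3 = any(set(p) == {"HASH"} for p in ex.received)
    if got_msg1 and sent_msg2 and not got_msg3:
        findings.append("phase1_stalled_after_msg2")
    if ex.duplicates and not got_msg3:
        # The only packet received before the duplicate was msg1, so the peer
        # re-sent msg1 instead of answering msg2: it never saw the reply. Look
        # for whatever drops UDP/500 on the way back to the initiator.
        findings.append("reply_not_reaching_peer")
    if ex.nat_t_unsupported:
        # No NAT-T means no UDP/4500 encapsulation: once Phase 1 completes, ESP
        # (IP protocol 50, not a TCP or UDP port) must cross the peer's NAT
        # device natively, which a device without IPsec passthrough will not do.
        findings.append("esp_must_pass_natively")
    if ex.aborted:
        findings.append("negotiation_aborted")
    return findings


if __name__ == "__main__":
    for name, log in (("stalled", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        print(name, diagnose(parse_ike_log(log)))
```

On the quoted log the result is that msg1 arrived, msg2 went out, and the Mac then retransmitted msg1 rather than sending msg3: the SonicWall's UDP/500 reply is not getting back through whatever sits in front of the Mac, which is consistent with the home router finding later in the thread.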

    #358183
    Anonymous
    Participant

    Joel —

    Still looking into the remote network/router setup….

    By the way, there are two public links for VaporSec right now:
    [url]https://www.afp548.com/etc/VaporSec.zip[/url]
    which gives only the application

    and

    [url]https://www.afp548.com/Software/VaporSec/index.html[/url]
    application as .dmg with help file

    Either way, the item downloaded shows a version number of 1.0 (v100) and has access to my older settings.
    ❓ Are they the same?
    ❓ Is this the latest version?
    ❓ Is seeing the old settings expected?

    #358187
    Anonymous
    Participant

    Joel —

    More info on the network opposite the SonicWall TZ-170:
    Router/Firewall is a NetLINE Wireless Broadband Gateway model 8581, originally sold by Farallon, now owned by Proxim [url]www.proxim.com[/url]

    The latest firmware upgrade for this device adds IPSec support. (It seems your guess about not allowing IPSec pass through was perfectly correct.)

    I’ll have the remote worker do the firmware upgrade and we’ll try again. By the way, will we need to open/allow him to receive IKE traffic? Someone at SonicWall said that their devices use TCP port 50 and UDP port 500 for this. Can you confirm what you understand is necessary?

    #358514
    figmentfly
    Participant

    We recently purchased the TZ170 for firewall/router. I had tried some of the freeware configuration tools (VaporSec and IPSecuritas) but could not get them to complete the VPN transaction. We purchased VPN Tracker (at the suggestion of the reseller/consultant) and I have to say that it was probably worth it. The canned settings make it a snap.

    I did give IPSecuritas (SP?) a second try by looking at the settings supplied by VPN Tracker, but I could not get it to work. Some things were on different grouped screens, but also some terminology was different.

    Too late for a freeware application for us but I would still like to be able to make it work. You may be able to download a demo of VPN Tracker and look at the settings to get some clues but it did not seem to help me. I know little about the details of the process though.

    #359774
    Anonymous
    Guest

    I do not know if this board is only for Mac and SonicWall, but I was hoping to get an answer to my question regarding my SonicWall. I have had a SonicWall (Pro 200) set up as the central point for multiple VPNs. I have SOHO 3 and now TZ170 devices that link to us via a point-to-point VPN. The setup has been running for about a year without any problem until our company decided to hang a PIX on the network, and now I get these errors showing up in the logs:

    10/28/2004 18:55:38.464 – IKE Responder: IPSec proposal does not match (Phase 2) – Source:141.x.x.x – Destination:12.x.x.x. – 10.2.0.0/16 -> 12.x.x.x/28 –

    Is there any way to get them to sync? Thanks, Alfie
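Alfie's "IPSec proposal does not match (Phase 2)" and the "Phase 2 Proposal does not match" mentioned in the opening post are the same check failing on the responder: the quick-mode proposal (protocol, cipher, integrity, PFS group) and the traffic selectors it carries are compared against every VPN policy, and the log line gives little more than the selectors. The following is an added example, not code from the thread, from SonicWall or from Cisco, that performs that comparison and says which field failed. HUB_POLICIES is constructed: the first entry mirrors the Phase 2 settings in the opening post, the second is a stand-in for a site-to-site spoke. The policy dictionary shape and the algorithm-name normalisation are this example's own simplification, not any vendor's configuration format.

```python
"""Check a Phase 2 (quick mode) proposal against a responder's VPN policies.

Added example; not code from the thread, SonicWall or Cisco. HUB_POLICIES and
the proposals below are constructed: the first policy mirrors the Phase 2
settings in the opening post, the second is a stand-in for a site-to-site
spoke. The policy dictionary shape and the normalisation rules are this
example's own simplification, not any vendor's configuration format.
"""
from ipaddress import ip_network
from typing import Dict, List

HUB_POLICIES: List[Dict] = [
    {   # Phase 2 from the opening post: ESP, 3DES, SHA1, PFS group 2
        "name": "mac-client",
        "protocol": "ESP", "encryption": "3DES", "auth": "SHA1", "pfs_group": 2,
        "local_net": "192.168.201.0/24",  # hub LAN, the client's "Remote Network"
        "remote_net": "192.168.0.0/24",   # client LAN, the hub's "Destination Network"
    },
    {   # constructed stand-in for a site-to-site spoke
        "name": "spoke-a",
        "protocol": "ESP", "encryption": "AES128", "auth": "SHA1", "pfs_group": 2,
        "local_net": "12.0.0.0/28",
        "remote_net": "10.2.0.0/16",
    },
]


def norm(alg: str) -> str:
    """Fold vendor spellings onto one form: 'hmac_sha1' -> 'SHA1', 'AES 128' -> 'AES128'."""
    s = alg.upper().replace(" ", "").replace("-", "").replace("_", "")
    return s[4:] if s.startswith("HMAC") else s


def check_policy(proposal: Dict, pol: Dict) -> List[str]:
    """Return every way the proposal fails to match one policy (empty list = match)."""
    why = []
    for k in ("protocol", "encryption", "auth"):
        if norm(proposal[k]) != norm(pol[k]):
            why.append(f"{k}: offered {proposal[k]}, policy has {pol[k]}")
    if proposal.get("pfs_group") != pol["pfs_group"]:
        why.append(f"pfs_group: offered {proposal.get('pfs_group')}, policy has {pol['pfs_group']}")
    # The traffic selectors (proxy IDs) are negotiated in quick mode as well,
    # so compare them too. strict=False accepts a host-style entry such as the
    # opening post's 192.168.201.1/24 and reduces it to its network.
    init_net = ip_network(proposal["initiator_net"], strict=False)
    resp_net = ip_network(proposal["responder_net"], strict=False)
    if not init_net.subnet_of(ip_network(pol["remote_net"])):
        why.append(f"initiator selector {init_net} outside policy remote_net {pol['remote_net']}")
    if not resp_net.subnet_of(ip_network(pol["local_net"])):
        why.append(f"responder selector {resp_net} outside policy local_net {pol['local_net']}")
    return why


def match_phase2(proposal: Dict, policies: List[Dict]) -> Dict:
    """Walk the policies as a responder would and return the first full match,
    or None together with the per-policy reasons, so that a bare 'IPSec
    proposal does not match (Phase 2)' becomes something actionable."""
    reasons: Dict[str, List[str]] = {}
    for pol in policies:
        why = check_policy(proposal, pol)
        if not why:
            return {"matched": pol["name"], "reasons": reasons}
        reasons[pol["name"]] = why
    return {"matched": None, "reasons": reasons}


if __name__ == "__main__":
    # Constructed: the VaporSec Phase 2 settings from the opening post.
    client = {"protocol": "esp", "encryption": "3des", "auth": "hmac_sha1", "pfs_group": 2,
              "initiator_net": "192.168.0.5/24", "responder_net": "192.168.201.1/24"}
    print(match_phase2(client, HUB_POLICIES))
```

Run against the opening post's VaporSec Phase 2 settings the proposal matches the mac-client policy, so that poster's earlier Phase 2 failure must have come from a field not listed in the post; for a PIX spoke the reasons list shows immediately whether it is the cipher, the PFS setting or the selectors that the hub policy rejects.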

    #359830
    donmontalvo
    Participant

    [QUOTE BY= figmentfly] We recently purchased the TZ170 for firewall/router. I had tried some of the freeware configuration tools (VaporSec and IPSecuritas) but could not get them to complete the VPN transaction. We purchased VPN Tracker (at the suggestion of the reseller/consultant) and I have to say that it was probably worth it. The canned settings make it a snap.

    I did give IPSecuritas (SP?) a second try by looking at the settings supplied by VPN Tracker, but I could not get it to work. Some things were on different grouped screens, but also some terminology was different.

    Too late for a freeware application for us but I would still like to be able to make it work. You may be able to download a demo of VPN Tracker and look at the settings to get some clues but it did not seem to help me. I know little about the details of the process though.[/QUOTE]

    We got IPSecuritas to work pretty easily with both a TZ170 and a TZW. We decided to stick with VPN Tracker (Personal Edition) since it allows you to lock down configurations.

    don

    #360860
    tmyers
    Participant

    I would love to see any configuration information for IPSecuritas to work with the TZ170. I have had no luck getting it to work.

    Or if someone has gotten L2TP working, the config for that would be great.

    #363788
    Anonymous
    Guest

    [QUOTE BY= Alfie] I do not know if this board is only for Mac and SonicWall, but I was hoping to get an answer to my question regarding my SonicWall. I have had a SonicWall (Pro 200) set up as the central point for multiple VPNs. I have SOHO 3 and now TZ170 devices that link to us via a point-to-point VPN. The setup has been running for about a year without any problem until our company decided to hang a PIX on the network, and now I get these errors showing up in the logs:

    10/28/2004 18:55:38.464 – IKE Responder: IPSec proposal does not match (Phase 2) – Source:141.x.x.x – Destination:12.x.x.x. – 10.2.0.0/16 -> 12.x.x.x/28 –

    Is there any way to get them to sync? Thanks, Alfie[/QUOTE]

    I’m replying to an old post, but I’ve seen similar questions (regarding the IPsec proposal not matching) posted in a number of places and few (if any) solutions.

    The problem for me was caused by having Keep Alive turned on at both firewalls. I’m not sure why this made a difference, but there ya go. The minute I turned off keepalive at the hub firewall (I had been playing with one spoke and turned on keep alive for that specific VPN) the problem went away. The odd thing is it looked like it was somehow routing through the alternate subnet I had at my servers.

    My config: hub is a SOHO3, spoke is a TZ 170. I’ve had keepalive turned on at the spokes (4 in all) since day one, no problem. I turned it on for one spoke at the SOHO3 and the problem started showing up.

    #363789
    Anonymous
    Guest

    [QUOTE BY= tmyers] I would love to see any configuration information for IPSecuritas to work with the TZ170. I have had no luck getting it to work.

    Or if someone has gotten L2TP working, the config for that would be great.[/QUOTE]

    Simply disable XAuth and IPSecuritas should work just fine.

    #367261
    Anonymous
    Guest

    I think the main problem with anyone’s issue with VPN from Mac to SonicWall is SonicWall! I don’t care for this company anymore. Unless someone can tell me why they are better than Netgear or similar. I have spent way too much time on VPN tunnels and VPN connections and have got zero support from SonicWall support. Plus they limit the number of users, and I just see this as greedy. And one more thing: their interface is antiquated, and I think they make it confusing on purpose.

    By the way, what I have tried is making a VPN connection with a Mac running OS X 10.3.9 to a SonicWall TZ170, using both IPSecuritas and VPN Tracker. If it’s any help, and time is short, try VPN Tracker first. My SonicWall OS is 2.2.0.3.

    I think the main reason I have failed at this endeavour is because my firmware on my TZ170 is outdated. I refuse to call SonicWall again to try to get an update. They connect you to India and I cannot understand anyone. I will be out to buy two new Netgears (with dual WAN support, yay!) tomorrow. Boycott SonicWall!

    -bill
