Sonicwall VPN: Phase 2 failures Anyone know of a good resource for Sonicwall VPN support?

Post by ngunit » Wed, 17 Dec 2003 16:28:31


Hello,

Since upgrading my Sonicwall's firmware to 6.5.0.4 I have been unable to
establish a VPN into the Sonicwall using the Client software ver 8.x.

My sonicwall Support agreement is long expired, and I am being wiped out in
the Phase2 negotiations for the VPN with the old favourite: "No Proposal
Chosen" error.

Can anyone suggest other things to check when dealing with IKE phase 2 in
addition to:
- Encapsulation/Authentication variants (I feel I've tried every
combination at both ends)
- The IP settings for each end of the tunnel (again I've tried every
combination)

Or failing that, direct me to a good resource for Sonicwall info, e.g. a user
forum. The Sonicwall VPN client doco is out of date and useless, their site
equally as useless.

thank you
Nick
 
 
 

Post by chris vill » Fri, 19 Dec 2003 04:45:16

Not sure if this will help...

If using Group VPN, have you tried re-Exporting the SA, then bringing into
the client?

Chris




Post by ngunit » Fri, 19 Dec 2003 11:15:31

No, I am not using Group VPN in this case

Just a sonicwall VPN client software to a custom SA on the Sonicwall.

thanks
Nick






Post by sean weint » Sat, 20 Dec 2003 05:33:39


There are issues with the licensing with 6.5.x.x firmware and VPN client licenses that you will need to address with sonicwall.
How did you get the very recent 6.5.0.4 firmware if your support is expired?
Is your sonicwall registered with the new firmware?
If not, your VPN service will not function (nor any other premium features). When you upgrade to 6.5.x.x from 6.4.xx or anything earlier, you MUST re-register your box with the sonicwall website. You will get a brand new registration number that will be all alpha characters.

If you have all that taken care of, I found this on their website:

You have a VPN client connection that used to work, and now it doesn't, and has a log message saying : "No Proposal Chosen". This is a new issue with firmware 6.4.0.0 and above that is easily fixed.
What's happening is that a VPN client policy.spd file that used to work before the firmware upgrade no longer works, and the software's log message appears during a failure of IKE Phase 1.

The easy way to fix this is to simply re-export the policy.spd file from the GroupVPN screen of the firewall, and give it to the remote user so that they can type in the shared secret again, save and use. This new file will have one setting change in it.

There is another way to fix it inside the VPN Client software.

The SonicWALL is requiring Extended Authentication for GroupVPN; on the advanced tab, the 'Require XAUTH' checkbox is enabled. For a VPN client to connect with firmware 6.4.0.0 and above, it must have a corresponding setting enabled. It is found in the Security Policy-Authentication-Policy 1 screen, and is labelled 'Authentication Method.' This setting must be set to 'Pre-Shared Key; Extended Authentication' to work correctly.
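
The failure mode discussed in this thread, as an added example that is not part of any post and is not SonicWALL code: a simplified model of an IKE responder comparing the client's offers with its own policy, covering the Phase 1 authentication-method case from the quoted support note and a Phase 2 offer. The attribute names and all sample values are assumptions made for the illustration.

```python
# Added illustration: how an IKEv1 responder arrives at "No Proposal Chosen".
# Attribute names and all sample values are constructed for this example;
# they are not SonicWALL settings or the contents of a policy.spd file.
PHASE1_KEYS = ("auth_method", "encryption", "hash", "dh_group")
PHASE2_KEYS = ("protocol", "encryption", "auth", "encap_mode", "pfs_group")


def mismatches(offer, policy, keys):
    """Map each differing attribute to (offered, required)."""
    return {k: (offer.get(k), policy.get(k))
            for k in keys if offer.get(k) != policy.get(k)}


def select_proposal(offers, policy, keys):
    """Simplified responder logic: accept the first offer equal to the policy
    on every attribute. Returns (index, {}) on success, or (None, closest_diff)
    when nothing matches, the case reported as "No Proposal Chosen"."""
    closest = None
    for index, offer in enumerate(offers):
        diff = mismatches(offer, policy, keys)
        if not diff:
            return index, {}
        if closest is None or len(diff) < len(closest):
            closest = diff
    return None, closest


# Constructed gateway policy that requires XAUTH on top of the pre-shared key.
GATEWAY_P1 = {"auth_method": "psk+xauth", "encryption": "3des",
              "hash": "sha1", "dh_group": 2}
# Client policy saved before the upgrade (plain PSK) and after the change.
OLD_CLIENT_P1 = [dict(GATEWAY_P1, auth_method="psk")]
NEW_CLIENT_P1 = [dict(GATEWAY_P1)]

# Constructed Phase 2 policy and a client that offers two proposals.
GATEWAY_P2 = {"protocol": "esp", "encryption": "3des", "auth": "sha1",
              "encap_mode": "tunnel", "pfs_group": None}
CLIENT_P2 = [dict(GATEWAY_P2, auth="md5", pfs_group=2),
             dict(GATEWAY_P2, pfs_group=2)]

if __name__ == "__main__":
    for label, offers, policy, keys in (
            ("phase 1, old client", OLD_CLIENT_P1, GATEWAY_P1, PHASE1_KEYS),
            ("phase 1, new client", NEW_CLIENT_P1, GATEWAY_P1, PHASE1_KEYS),
            ("phase 2", CLIENT_P2, GATEWAY_P2, PHASE2_KEYS)):
        chosen, diff = select_proposal(offers, policy, keys)
        outcome = (f"accepted offer #{chosen}" if chosen is not None
                   else f"No Proposal Chosen, closest offer differs in {diff}")
        print(f"{label}: {outcome}")
```

Listing both ends' settings side by side in this form narrows a "No Proposal Chosen" result to the attribute that differs and to the phase in which it is negotiated.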
 
 
 

Post by ngunit » Thu, 01 Jan 2004 13:35:11

Hello,

I did register the Sonicwall properly as you suggested, when I said my
support had expired I meant they'll no longer answer support queries, not
that I can no longer get firmware updates, etc.

I tried using the Group VPN and exporting a pre-shared key policy as
suggested and still ended up with the 'No Proposal Chosen' in Phase2 of the
IKE communication. Can you confirm that you have had success with
Sonicwall's client VPN software since the 6.5x firmware upgrade. Everything
I try fails in phase2 with the server response 'No Proposal Chosen', so I'm
beginning to wonder if anyone has their Sonicwall VPNs functioning!

thanks for your input

regards

Nick
 
 
 

Post by GhostMagi » Fri, 02 Jan 2004 07:31:57

"ngunity" < XXXX@XXXXX.COM > wrote in



How many VPN Clients does mysonicwall.com tell you that you are entitled
to? 6.5.x and up does license verification. No more purchase 1 client and
have it work on a 100 machines!
 
 
 

Post by ngunit » Fri, 09 Jan 2004 14:13:03

My Sonicwall records 11 VPN client licenses. I can't get a single connection
to work as yet.

Note: I had a functional VPN 2 versions of Sonicwall Firmware back and was
holding off on upgrading until I could get Sonicwall 6.5x to work with VPN.
I've done the upgrade and am stuck with it now, but cannot for the life of me
get the VPN running.....

thanks
Nick
 
 
 

Post by Ghostmagi » Sat, 10 Jan 2004 02:37:58


Nick, have you been able to synch your firewall with the registration
server via the firewall interface? If they're not synch'ed, then the
firewall doesn't "know" that you're entitled to 11 VPN clients. Let me
know if you need the specific steps and I'll post them.