New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1
Accepted Solution

Site to Site VPN ER-POE5 to Sonicwall

Good morning community. This is my first experience with EdgeMax routers. I've used UniFi for a few years now, but never any routing devices.

I can't seem to get my site-to-site working with an EdgeMax and a SonicWall TZ205. I've read a dozen or so threads here on the subject but I can't seem to get mine to connect.

Just as an FYI, the SonicWall is also connecting another site-to-site VPN using IPsec between two SonicWalls.

This is my config output.

The subnets on the SonicWall side are 10.0.1.0/24 and 10.0.0.0/24.

bnt@bundtcake:~$ show configuration                                                 
firewall {                                                                      
    all-ping enable                                                             
    broadcast-ping disable                                                      
    ipv6-receive-redirects disable                                              
    ipv6-src-route disable                                                      
    ip-src-route disable                                                        
    log-martians enable                                                         
    receive-redirects disable                                                   
    send-redirects enable                                                       
    source-validation disable                                                   
    syn-cookies enable                                                          
}                                                                               
interfaces {                                                                    
    bridge br0 {                                                                
        address 10.0.5.1/24                                                     
        aging 300                                                               
        bridged-conntrack disable                                               
        description "Local Bridge"                                              
        hello-time 2                                                            
        max-age 20                                                              
        priority 32768                                                          
        promiscuous enable                                                      
        stp false                                                               
    }
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local Bridge"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        bridge-group {
            bridge br0
        }
        description "Local Bridge"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat disable
    lan-interface switch0
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN_BR {
            authoritative enable
            subnet 10.0.5.0/24 {
                default-router 10.0.5.1
                dns-server 10.0.5.1
                lease 86400
                start 10.0.5.38 {
                    stop 10.0.5.243
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on br0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user bundtcake {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha1
            }
        }
        site-to-site {
            peer 123.456.789 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description VPN
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.0.5.0/24
                    }
                    remote {
                        prefix 10.0.1.0/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.0.5.0/24
                    }
                    remote {
                        prefix 10.0.0.0/24
                    }
                }
            }
        }
    }
}

Here is the sonicwall side.


Any help is appreciated. I have to fly out to install this equipment next week.

A


Accepted Solutions
Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall


Well, I thought you were following some advice, but....

connection-type initiate - still initiator. In this mode the router can be both initiator and responder. To see more details in the log you MUST configure "respond" only mode.

ubnt@EdgeMAX# set vpn ipsec site-to-site peer 0.0.0.0 connection-type
Possible completions:
initiate This endpoint can initiate or respond to a connection
respond This endpoint will only respond to a connection

[edit]
ubnt@EdgeMAX# set vpn ipsec site-to-site peer 0.0.0.0 connection-type


For NAT-T command below:

set vpn ipsec nat-traversal enable

 

FYI: Respond mode in our case purely for troubleshooting. You can change it later back to initiate. 

 

Get PCAPs from the eth0 interface:

 

sudo tcpdump -i eth0 -n udp dst port 4500
sudo tcpdump -i eth0 -n udp dst port 500

Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.



All Replies
Emerging Member
Posts: 61
Registered: ‎06-11-2016
Kudos: 11
Solutions: 2

Re: Site to Site VPN ER-POE5 to Sonicwall

Check the local and remote peer ID on the Sonicwall, they most likely don't match; on ER the defaults are the remote and local peer address, which is also the default on the Sonicwall but you seem to have configured them otherwise.

 

You can configure those on the ERPOE5 under the authentication section of the peer, with "id" and "remote-id".

Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall


What can you see in the show vpn log tail command? 

 

One proxy id is missing from the EdgeRouter config:

 

remote {
    prefix 10.0.0.0/24
    prefix 10.0.1.0/24

You also could benefit from the below commands:

 

set vpn ipsec logging log-level 2
set vpn ipsec logging log-modes ike
set vpn ipsec logging log-modes chd

Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
Emerging Member
Posts: 61
Registered: ‎06-11-2016
Kudos: 11
Solutions: 2

Re: Site to Site VPN ER-POE5 to Sonicwall


mlskrypka wrote:

What can you see in the show vpn log tail command? 

 

One proxy id is missing from the EdgeRouter config:

 

remote {
    prefix 10.0.0.0/24
    prefix 10.0.1.0/24


They are two separate phase 2 tunnels, you can't define multiple remote/local networks on the same one.
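The point made in this reply, that each phase-2 tunnel carries exactly one local/remote selector pair (the "proxy IDs" the SonicWall side must mirror), can be checked mechanically. The following Python script is an added example, not code from the thread or from Ubiquiti: it parses the brace-style `show configuration` output into nested dicts and then flags a tunnel that has a doubled `prefix` line, a missing side, overlapping local/remote prefixes, or a selector pair already used by another tunnel. The two sample configs are constructed after the ones in this thread and keep the thread's own placeholder peer address.

```python
import ipaddress

# Constructed samples in the shape of the EdgeOS `show configuration` output in
# this thread. The peer address keeps the thread's own placeholder, 123.456.789,
# which is not a valid IPv4 address and is never parsed as one here.
GOOD_CONFIG = """\
site-to-site {
    peer 123.456.789 {
        connection-type initiate
        ike-group FOO0
        tunnel 1 {
            esp-group FOO0
            local {
                prefix 10.0.5.0/24
            }
            remote {
                prefix 10.0.1.0/24
            }
        }
        tunnel 2 {
            esp-group FOO0
            local {
                prefix 10.0.5.0/24
            }
            remote {
                prefix 10.0.0.0/24
            }
        }
    }
}
"""

# The shape suggested earlier in the thread: both remote subnets listed under
# one tunnel's remote { } block instead of one tunnel per subnet.
BAD_CONFIG = """\
site-to-site {
    peer 123.456.789 {
        tunnel 1 {
            esp-group FOO0
            local {
                prefix 10.0.5.0/24
            }
            remote {
                prefix 10.0.0.0/24
                prefix 10.0.1.0/24
            }
        }
    }
}
"""


def parse_edgeos(text):
    """Parse an EdgeOS/Vyatta brace config into nested dicts.

    A header line such as 'tunnel 1 {' becomes the key 'tunnel 1'; a leaf line
    'key value' becomes key -> value, and a repeated leaf key collects a list,
    which is exactly how a doubled 'prefix' line shows up.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            node = stack[-1]
            if key in node:
                prev = node[key] if isinstance(node[key], list) else [node[key]]
                node[key] = prev + [value]
            else:
                node[key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def check_tunnels(site_to_site):
    """Return a list of problems found in the tunnels of every peer.

    Each phase-2 tunnel is one (local, remote) traffic-selector pair. A second
    remote subnet needs its own tunnel, not a second prefix line in one block.
    """
    problems = []
    for peer_key, peer in site_to_site.items():
        if not peer_key.startswith("peer ") or not isinstance(peer, dict):
            continue
        seen = {}
        for tun_key, tun in peer.items():
            if not tun_key.startswith("tunnel ") or not isinstance(tun, dict):
                continue
            selectors = {}
            for side in ("local", "remote"):
                block = tun.get(side)
                prefix = block.get("prefix") if isinstance(block, dict) else None
                if prefix is None:
                    problems.append(f"{peer_key} {tun_key}: no {side} prefix")
                elif isinstance(prefix, list):
                    problems.append(f"{peer_key} {tun_key}: {len(prefix)} {side} prefixes "
                                    "in one tunnel; give each subnet its own tunnel")
                else:
                    selectors[side] = ipaddress.ip_network(prefix, strict=False)
            if len(selectors) != 2:
                continue
            pair = (selectors["local"], selectors["remote"])
            if pair[0].overlaps(pair[1]):
                problems.append(f"{peer_key} {tun_key}: local {pair[0]} overlaps remote {pair[1]}")
            if pair in seen:
                problems.append(f"{peer_key} {tun_key}: same selector pair as {seen[pair]}")
            seen.setdefault(pair, tun_key)
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        found = check_tunnels(parse_edgeos(cfg)["site-to-site"])
        print(name, "->", found or "no problems")
```

Feed it the real output of `show configuration` (the `vpn` / `ipsec` levels above `site-to-site` parse the same way) and compare the printed selector pairs with the network objects on the SonicWall policy; a pair that exists on one side only is the mismatch this reply is pointing at.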

Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall

Sorry, blind me. My EdgeOS (Vyatta) journey just started.
Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

Thanks for the reply. I'm looking in the config tree and I don't see an authentication tab. Is this CLI only?

New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

Weird thing, I can't find this firewall object on the SonicWall. I wasn't the original architect who set up the SonicWall.

I can't find it whatsoever. Weird.

New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

Jun 20 00:31:13 10[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:31:40 03[IKE] <3813> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:32:53 10[IKE] <3814> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:34:00 03[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 20 00:34:00 08[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:34:02 07[IKE] <3815> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:35:14 09[IKE] <3816> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:36:22 07[IKE] <3817> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:36:46 05[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:36:57 13[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 20 00:37:37 02[IKE] <3818> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:38:49 03[IKE] <3819> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:39:32 05[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:39:47 13[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 20 00:40:00 06[IKE] <3820> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:41:15 09[IKE] <3821> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:42:19 02[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:42:24 07[IKE] <3822> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:42:40 03[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 20 00:43:39 05[IKE] <3823> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:44:50 07[IKE] <3824> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:45:05 02[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:45:37 07[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 20 00:45:58 15[IKE] <3825> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:47:08 08[IKE] <3826> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:47:51 06[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 00:48:18 05[IKE] <3827> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 00:48:28 10[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 20 00:49:16 00[DMN] signal of type SIGINT received. Shutting down
Jun 19 19:49:19 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 19 19:49:19 04[KNL] creating acquire job for policy 10.0.5.1/32[udp/bootpc] === 10.0.0.1/32[udp/bootps] with reqid {2}
Jun 19 19:49:19 02[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

I've added the local and peer names under authentication, removed a subnet peer, and tried directly connecting through a bridged cable modem.

Any advice? thanks

Welcome to EdgeOS
ubnt@ubnt:~$ show vpn log
Jun 20 08:18:00 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 20 08:18:24 05[KNL] creating acquire job for policy 10.0.5.1/32[udp/12147] === 10.0.0.1/32[udp/domain] with reqid {2}
Jun 20 08:18:24 15[IKE] <peer-123.456.789-tunnel-1|1> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[1] to 123.456.789
Jun 20 08:21:17 15[KNL] creating acquire job for policy 10.0.5.1/32[udp/54163] === 10.0.0.1/32[udp/domain] with reqid {2}
Jun 20 08:21:17 10[IKE] <peer-123.456.789-tunnel-1|2> initiating Main Mode IKE_SA peer-174.47.23.146-tunnel-1[2] to 123.456.789
Jun 20 08:22:43 00[DMN] signal of type SIGINT received. Shutting down
Jun 20 08:22:47 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 20 08:29:31 15[IKE] <1> 123.456.789 is initiating a Main Mode IKE_SA
Jun 20 08:30:40 07[IKE] <2> 123.456.789 is initiating a Main Mode IKE_SA
ubnt@ubnt:~$
Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall


Did you configure logging under the ipsec section:

set vpn ipsec logging log-level 2
set vpn ipsec logging log-modes ike
set vpn ipsec logging log-modes chd

Did you put your EdgeRouter into the passive mode? This will help in the troubleshooting as the EdgeRouter will be a responder. All useful log info is always written on the responder side, not the initiator. This is similar to when you are trying to access any server using your username/password. If you typed incorrectly and something is not matching, the maximum info you will get is something like (user or password is wrong). However, on the server side (responder), you will see all the useful and full log failure info. The logs above are not very informative.

Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
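The reason the logs above read as "not very informative" is visible once they are tallied: every record is either a Main Mode start (from either side) or an acquire job, and nothing ever reports an IKE_SA as established or gives a rejection reason. The following Python script is an added example, not code from the thread or from Ubiquiti or strongSwan: it re-joins the records that the 80-column terminal wrapped (the `IKE` / `_SA` and `Linux 3.10` / `.20-UBNT` splits seen in the posts above), counts the event types, and prints the plain-language reading. The sample log is constructed after the posts above with documentation-range addresses, and the failure phrases it looks for are the strongSwan messages a responder logs when a proposal, identity or pre-shared key is rejected.

```python
import re
from collections import Counter

# Constructed sample in the shape of EdgeOS `show vpn log` (strongSwan charon)
# output, including the 80-column terminal wrap that splits long records such
# as "IKE" / "_SA". Addresses are from the documentation range, not real hosts.
SAMPLE_LOG = """\
Jun 20 08:18:00 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10
.20-UBNT, mips64)
Jun 20 08:18:24 05[KNL] creating acquire job for policy 10.0.5.1/32[udp/12147] =
== 10.0.0.1/32[udp/domain] with reqid {2}
Jun 20 08:18:24 15[IKE] <peer-203.0.113.10-tunnel-1|1> initiating Main Mode IKE
_SA peer-203.0.113.10-tunnel-1[1] to 203.0.113.10
Jun 20 08:21:17 10[IKE] <peer-203.0.113.10-tunnel-1|2> initiating Main Mode IKE
_SA peer-203.0.113.10-tunnel-1[2] to 203.0.113.10
Jun 20 08:22:43 00[DMN] signal of type SIGINT received. Shutting down
Jun 20 08:22:47 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10
.20-UBNT, mips64)
Jun 20 08:29:31 15[IKE] <1> 203.0.113.10 is initiating a Main Mode IKE_SA
Jun 20 08:30:40 07[IKE] <2> 203.0.113.10 is initiating a Main Mode IKE_SA
"""

# Every real record starts with a syslog timestamp and a "NN[SUBSYS]" tag.
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d\d\[[A-Z]+\] ")

# Substrings that identify the events worth counting; the first match wins.
# The failure phrases are strongSwan messages the responder logs when a
# proposal, identity or pre-shared key is rejected.
EVENTS = [
    ("daemon_start", "Starting IKE charon daemon"),
    ("daemon_stop", "Shutting down"),
    ("acquire", "creating acquire job"),
    ("established", " established between "),
    ("peer_initiates", "is initiating a Main Mode IKE_SA"),
    ("we_initiate", "initiating Main Mode IKE_SA"),
    ("failure", "no proposal found"),
    ("failure", "NO_PROPOSAL_CHOSEN"),
    ("failure", "AUTHENTICATION_FAILED"),
    ("failure", "no IKE config found"),
]


def unwrap(text):
    """Re-join records the 80-column terminal wrapped.

    A line that does not start with a timestamp is the tail of the previous
    record, so it is appended verbatim (the split may fall mid-token).
    """
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return [r.rstrip() for r in records]


def classify(record):
    for name, needle in EVENTS:
        if needle in record:
            return name
    return "other"


def summarize(text):
    """Count events per record; returns a Counter keyed by event name."""
    return Counter(classify(r) for r in unwrap(text))


def diagnose(counts):
    """Turn the counters into the plain-language reading of the log."""
    notes = []
    attempts = counts["we_initiate"] + counts["peer_initiates"]
    if attempts and not counts["established"]:
        notes.append(f"{attempts} Main Mode attempt(s) and no IKE_SA established: "
                     "phase 1 never completes")
    if attempts and not counts["established"] and not counts["failure"]:
        notes.append("no rejection reason is logged on this side; the responder's "
                     "log is where the mismatch (proposal, ID, PSK) is reported")
    if counts["daemon_start"] > 1:
        notes.append(f"charon was started {counts['daemon_start']} times, so the "
                     "counters span several restarts")
    if counts["acquire"] and not counts["established"]:
        notes.append("traffic to the remote subnet is triggering the tunnel, so the "
                     "policy is installed; the problem is the negotiation")
    return notes


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    print(dict(counts))
    for note in diagnose(counts):
        print("-", note)
```

Paste the real `show vpn log` output in place of the sample; with `connection-type respond` and the `log-modes ike` / `chd` settings from this post in place, the `failure` counter is the one that should start to move, and the matching record names the side that rejected what.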
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall


I am not able to add these via the CLI; it says invalid command.

Googling passive mode for these routers doesn't produce very many relevant results. How do I do this?

EDIT: I wasn't in configure mode. I have those added.

Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall

set vpn ipsec site-to-site peer (your-peer-ip) connection-type respond
Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Deactivating log source ike], received error code 65280

connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Deactivating log source chd], received error code 65280

connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Stroking log source ike to loglevel 2], received error code 65280

conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.


Not sure what this means. It appears to have saved, though.

Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall

I do have the same. Just ignore it. Post the logs from the EdgeRouter (responder side).
Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

I don't see anything different, unless I need to show a different log.

ubnt@ubnt:~$ show vpn log
Jun 21 09:05:53 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 21 09:06:28 05[IKE] <1> 123.456.789 is initiating a Main Mode IKE_SA
Established Member
Posts: 1,447
Registered: ‎04-21-2015
Kudos: 190
Solutions: 72

Re: Site to Site VPN ER-POE5 to Sonicwall


Did you force the edgerouter to be a responder:

set vpn ipsec site-to-site peer (your peer ip address) connection-type respond

Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don`t blame the device as it`s always doing what you have asked it to do, this is not always the same as what you want.
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

I did. Looking at the logs on the SonicWall side it appears to be a double NAT issue. I believe my home modem won't truly bridge, as the LAN side always has a 192.168 address. I can show some logs when I get in front of a computer. Thanks for the help thus far.
Emerging Member
Posts: 61
Registered: ‎06-11-2016
Kudos: 11
Solutions: 2

Re: Site to Site VPN ER-POE5 to Sonicwall

Then you need to enable NAT-T; you can still use the public IPs for ID, you just have to explicitly configure them, otherwise RFC1918 ones will be used.
New Member
Posts: 17
Registered: ‎06-08-2015
Kudos: 1

Re: Site to Site VPN ER-POE5 to Sonicwall

The modem in the remote office I'm setting up will be true business class where I can bridge the modem. If I add NAT-T now, I'll have to remove it for its permanent home, correct?

Here is a sample from the SonicWall:

3 06/21/2017 11:47:47.112 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. 123.456.789, 4500 3.4.5.6, 4500 VPN Policy: TIT1
7 06/21/2017 11:47:32.336 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
8 06/21/2017 11:47:31.112 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 123.456.789, 500 3.4.5.6, 500 VPN Policy: TIT1
9 06/21/2017 11:47:31.112 Info VPN IKE IKE negotiation aborted due to timeout 123.456.789, 4500 3.4.5.6, 4500 VPN Policy: TIT1
Emerging Member
Posts: 61
Registered: ‎06-11-2016
Kudos: 11
Solutions: 2

Re: Site to Site VPN ER-POE5 to Sonicwall


the_owl wrote:

The modem in the remote office I'm setting up will be true business class where I can bridge the modem. If I add NAT-T now, I'll have to remove it for its permanent home, correct?

Here is a sample from the SonicWall:

3 06/21/2017 11:47:47.112 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. 123.456.789, 4500 3.4.5.6, 4500 VPN Policy: TIT1
7 06/21/2017 11:47:32.336 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
8 06/21/2017 11:47:31.112 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 123.456.789, 500 3.4.5.6, 500 VPN Policy: TIT1
9 06/21/2017 11:47:31.112 Info VPN IKE IKE negotiation aborted due to timeout 123.456.789, 4500 3.4.5.6, 4500 VPN Policy: TIT1

NAT-T is negotiated, when not needed it should establish a regular ESP tunnel.

 

Does the ERPOE5 have the appropriate rules to accept IKE and IPsec packets (i.e. UDP/500, UDP/4500 and ESP) from the WAN interface? They should be on the LOCAL chain.

Is it behind NAT like the SonicWall? In that case you'd also need the DNAT configured on the upstream router.
