Sonicwall and Cisco VPN
on 23.07.2007 23:20:26 by James
need some help connecting a cisco 800 at home on a dynamic IP to the
office Sonicwall.
If i statically assign an IP on the sonicwall SA and set it to Main
mode, it works.
soon as i change the sonicwall gateway to 0.0.0.0 (for dynamic) and
set aggressive mode, i get the following
IKE Responder: IKE proposal does not match (Phase 1)
any ideas?
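Added example, not part of the original post and not SonicWall or Cisco code: a simplified model, following RFC 2409, of the Phase 1 transform comparison behind a "proposal does not match" log line. The `Transform` fields and the sample offer and policy are constructed, and rejecting a mixed-group offer in aggressive mode is this model's assumption (the RFC only states that the group cannot be negotiated there).

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Transform:
    encryption: str   # e.g. "3des", "aes-128"
    hash_alg: str     # e.g. "sha1", "md5"
    auth: str         # e.g. "psk", "rsa-sig"
    dh_group: int     # 1, 2, 5, ...

def diff(offered, local):
    """Names of the attributes on which two transforms disagree."""
    return [f.name for f in fields(Transform)
            if getattr(offered, f.name) != getattr(local, f.name)]

def negotiate(offered, policy, mode):
    """Return (chosen transform or None, diagnostic notes).

    mode is "main" or "aggressive". The first offered transform that
    equals a local policy entry on every attribute is chosen.
    """
    notes = []
    if mode == "aggressive" and len({t.dh_group for t in offered}) > 1:
        # The initiator's key-exchange payload travels in message 1,
        # so the DH group is fixed before the responder can choose one.
        notes.append("aggressive mode: offer must use a single DH group")
        return None, notes
    for i, t in enumerate(offered):
        for j, p in enumerate(policy):
            d = diff(t, p)
            if not d:
                return t, notes
            notes.append(f"offer {i} vs policy {j}: mismatch on {', '.join(d)}")
    return None, notes

# Constructed sample data: responder policy and an initiator offer.
POLICY = [Transform("3des", "sha1", "psk", 2)]
OFFER = [Transform("aes-128", "sha1", "psk", 5),
         Transform("3des", "sha1", "psk", 2)]

if __name__ == "__main__":
    for mode in ("main", "aggressive"):
        chosen, notes = negotiate(OFFER, POLICY, mode)
        print(mode, "->", chosen or "no proposal chosen")
        for n in notes:
            print("   ", n)
```

The notes name the attributes that differ, which is what to compare by hand between the two devices' Phase 1 settings when the responder logs only the generic mismatch message.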
Re: Sonicwall and Cisco VPN
on 24.07.2007 08:06:23 by Burkhard Ott
On Mon, 23 Jul 2007 14:20:26 -0700, james wrote:
> need some help connecting a cisco 800 at home on a dynamic IP to the
> office Sonicwall.
>
> If i statically assign an IP on the sonicwall SA and set it to Main
> mode, it works.
>
> soon as i change the sonicwall gateway to 0.0.0.0 (for dynamic) and
> set aggressive mode, i get the following
>
> IKE Responder: IKE proposal does not match (Phase 1)
>
> any ideas?
Aggressive mode is generally a bad idea (e.g. PSK hash will be transmitted
in clear text).
Which model do you have? On 4100 or 5600 you need to deal with the options
for GlobalVPN Client, as far as I remember it's called GroupVPN.
There is some documentation on the sonicwall website, but in my
experience the VPN implementation (especially x509 authentication)
is a little crappy.
cheers
Re: Sonicwall and Cisco VPN
on 24.07.2007 15:24:46 by James
On Jul 24, 2:06 am, Burkhard Ott wrote:
> On Mon, 23 Jul 2007 14:20:26 -0700, james wrote:
>
> > need some help connecting a cisco 800 at home on a dynamic IP to the
> > office Sonicwall.
>
> > If i statically assign an IP on the sonicwall SA and set it to Main
> > mode, it works.
>
> > soon as i change the sonicwall gateway to 0.0.0.0 (for dynamic) and
> > set aggressive mode, i get the following
>
> > IKE Responder: IKE proposal does not match (Phase 1)
>
> > any ideas?
>
> Aggressive mode is generally a bad idea (e.g. PSK hash will be transmitted
> in clear text).
> Which model do you have? On 4100 or 5600 you need to deal with the options
> for GlobalVPN Client, as far as I remember it's called GroupVPN.
> There is some documentation on the sonicwall website, but in my
> experience the VPN implementation (especially x509 authentication)
> is a little crappy.
>
> cheers
well we have home users using a voip phone. we want to set up the
cisco 800 for some qos and have it vpn to the office sonicwall PRO-VX
(smaller unit). i was under the impression we needed to use
aggressive since home ip is dynamic.
i read somewhere that ciscos do not initiate aggressive mode vpns but
can accept - not sure if this is still true.
it all works with a static IP and main mode. but i need to get these
to work from anyone's house, with any random IP.
thanks for your help.
Re: Sonicwall and Cisco VPN
on 24.07.2007 15:52:08 by Burkhard Ott
On Tue, 24 Jul 2007 06:24:46 -0700, james wrote:
> well we have home users using a voip phone. we want to set up the
> cisco 800 for some qos and have it vpn to the office sonicwall PRO-VX
> (smaller unit). i was under the impression we needed to use
> aggressive since home ip is dynamic.
nope
> i read somewhere that ciscos do not initiate aggressive mode vpns but
> can accept - not sure if this is still true.
afaik not true
> it all works with a static IP and main mode. but i need to get these
> to work from anyone's house, with any random IP.
>
> thanks for your help.
Your home users have a vpn client, this client connects to sonicwall,
sonicwall has a vpn to cisco, am I right?
For the home users with the vpn client and the dynamic IPs you need to
configure GroupVPN, between cisco and sonicwall establish a site-to-site
VPN, that's it.
You can also run dhcp via ipsec, that means you define a pool (usually
your local IPSec network) on the sonicwall.
That's the way it would work. Does the sonicwall have a dynamic or static IP?
In your description above your clients are the guys with the dynamic IP,
right?
cheers