Re: Sonicwall VPN: Phase 2 failures Anyone know of a good resource for Sonicwall VPN support?

From: sean weintz (strap_at_hanh-ct.org)
Date: 12/18/03


Date: Thu, 18 Dec 2003 15:33:39 -0500

ngunity wrote:
> Hello,
>
> Since upgrading my Sonicwall's firmware to 6.5.0.4 I have been unable to
> establish a VPN into the Sonicwall using the Client software ver 8.x
>
> My sonicwall Support agreement is long expired, and I am being wiped out in
> the Phase2 negotiations for the VPN with the old favourite: "No Proposal
> Chosen" error.

There are issues with the licensing with 6.5.x.x firmware and VPN client licenses that you will need to address with sonicwall.
How did you get the very recent 6.5.0.4 firmware if your support is expired?
Is your sonicwall registered with the new firmware?
If not, your VPN service will not function (nor any other premium features). When you upgrade to 6.5.x.x from 6.4.xx or anything earlier, you MUST re-register your box with the sonicwall website. You will get a brand new registration number that will be all alpha characters.

If you have all that taken care of, I found this on their website:

You have a VPN client connection that used to work, and now it doesn't, and has a log message saying: "No Proposal Chosen". This is a new issue with firmware 6.4.0.0 and above that is easily fixed.
What's happening is that a VPN client policy.spd file that used to work before the firmware upgrade no longer works, and the software's log message appears during a failure of IKE Phase 1.

The easy way to fix this is to simply re-export the policy.spd file from the GroupVPN screen of the firewall, and give it to the remote user so that they can type in the shared secret again, save and use. This new file will have one setting change in it.

There is another way to fix it inside the VPN Client software.

The SonicWALL is requiring Extended Authentication for GroupVPN; on the advanced tab, the 'Require XAUTH' checkbox is enabled. For a VPN client to connect with firmware 6.4.0.0 and above, it must have a corresponding setting enabled. It is found in the Security Policy-Authentication-Policy 1 screen, and is labelled 'Authentication Method.' This setting must be set to 'Pre-Shared Key; Extended Authentication' to work correctly.


