Re: Sonicwall VPN: Phase 2 failures Anyone know of a good resource for Sonicwall VPN support?

From: sean weintz (strap_at_hanh-ct.org)
Date: 12/18/03


Date: Thu, 18 Dec 2003 15:33:39 -0500

ngunity wrote:
> Hello,
>
> Since upgrading my Sonicwall's firmware to 6.5.0.4 I have been unable to
> establish a VPN into the Sonicwall using the Client software ver 8.x
>
> My sonicwall Support agreement is long expired, and I am being wiped out in
> the Phase2 negotiations for the VPN with the old favourite: "No Proposal
> Chosen" error.

There are issues with the licensing with 6.5.x.x firmware and VPN client licenses that you will need to address with sonicwall.
How did you get the very recent 6.5.0.4 firmware if your support is expired?
Is your sonicwall registered with the new firmware?
If not, your VPN service will not function (nor any other premium features). When you upgrade to 6.5.x.x from 6.4.xx or anything earlier, you MUST re-register your box with the sonicwall website. You will get a brand new registration number that will be all alpha characters.

If you have all that taken care of, I found this on their website:

You have a VPN client connection that used to work, and now it doesn't, and has a log message saying: "No Proposal Chosen". This is a new issue with firmware 6.4.0.0 and above that is easily fixed.
What's happening is that a VPN client policy.spd file that used to work before the firmware upgrade no longer works, and the software's log message appears during a failure of IKE Phase 1.

The easy way to fix this is to simply re-export the policy.spd file from the GroupVPN screen of the firewall, and give it to the remote user so that they can type in the shared secret again, save and use. This new file will have one setting change in it.

There is another way to fix it inside the VPN Client software.

The SonicWALL is requiring Extended Authentication for GroupVPN; on the advanced tab, the 'Require XAUTH' checkbox is enabled. For a VPN client to connect with firmware 6.4.0.0 and above, it must have a corresponding setting enabled. It is found in the Security Policy-Authentication-Policy 1 screen, and is labelled 'Authentication Method.' This setting must be set to 'Pre-Shared Key; Extended Authentication' to work correctly.