Sonicwall VPN – Troubleshooting IKE Initiator Drop

nat;sonicwallvpn

I am trying to resurrect a once working VPN between two Sonicwall devices.
The branch office is the initiator and sends the request, the main office drops the packets and signals an error:

IKE Initiator drop: VPN tunnel end point does not match configured VPN Policy Bound to scope

Have you seen this error before? Can you suggest what to do about it?

More details on the configuration.
I assume nothing has changed on the main office configuration. I have changed things in the branch office.

The branch office has two local networks, a local one for the office devices (printer etc) and a second one for the VPN. It has only one public IP on the modem/router/all in one. The Sonicwall manages the VPN but has to go through the local network out to the modem.

                    =----= printer, wifi
modem+LAN(10.X.X.X) =----= X1-Sonicwall-VPN-X0 (192.168.X.X) =--= Tunnelling PCs

The modem is doing NAT for the local network, and the Sonicwall is doing NAT for its own network.

Best Answer

I cannot answer the question about the error, however, what solved the problem for me was adding a new NAT rule to translate traffic directed to the WAN port of the Sonicwall and point it to the VPN.

With this setup, tunnelling PCs can send connect to the VPN and to the local network.

Related Solutions

VPN Tunnel Issues from Remote Location via ISP (PPTP) – Fixes

Why it works from our side when I use 1.1.1.10 and I get error using 1.1.1.9 in NAT table?

You have a problem with the 1.1.1.9 configuration as an external NAT IP on the Mikrotik. The outside interface of the Mikrotik is a /30; you're using 1.1.1.9/30 as the default gateway and an outside NAT IP on the Mikrotik. If you're going to use 1.1.1.9/30 on the Mikrotik, you need 1.1.1.10 as a default-gateway.

As it stands, you're currently using 1.1.1.9 as both default-gateway and external NAT IP.

Current Routing table:

Dst. address   | Gateway      | Distance | Pref. source   |
0.0.0.0/0      | 1.1.1.9      | 2        | -              |

Current NAT table:

Action     | Chain  | Source Addr    | Dst Address   | Proto    | Dst Port | Out Intf   |
masquerade | srcnat | -              | -             | -        | -        | ether1     |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 1723     | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 47 (GRE) | -        | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 5006     | -          |
masquerade | srcnat | 192.168.1.0/24 | 192.168.1.230 | -        | -        | -          |

What's a little confusing is the diagram, which says the ISP-A's router is in transparent "modem state". Please be sure that the IP addressing scheme you're using on the Mikrotik is consistent with ISP-A's expectations. If the router is transparent, I'm not entirely sure you should have an IP address on it.

Integrating Router into LAN – Best Practices

1.) Yes, the gateways should reside on the L3 switch. If you were running Routing on a Stick, you would instead house their gateways on the Router. Your current configuration is inline with what is called a "collapsed core" design. Where the L3 core performs both switching and VLAN routing and acts as a distribution layer.

2.) No, your L3 routing should be occuring on your 3750.

3.)If the cable modem is in bridge mode, there should be no double NAT. Bridge mode should disable all the routing features and leave the cable modem as just a cable modem.

4.) I would, just so you can hit devices on the seperate VLANs.

5.) The address of the inside interface of the Cable modem may be .1. Leave it as it is. Like Ron said, it doesn't need to be changed.

Can we see the NAT configuration of your router? It will be helpful in identifying your NAT issue.

****EDIT****

This link may be helpful: Configuring NAT I failed to take note of the NAT statement you had originally. This brings into question the claims made by your ISP. You're both able to hit the internet and your being PAT'd with the correct commands. Are you experiencing any problems?

Best Answer

Related Solutions

VPN Tunnel Issues from Remote Location via ISP (PPTP) – Fixes

Integrating Router into LAN – Best Practices

Related Topic