0

I am trying to establish a site-to-site VPN tunnel between an old SOHO3 and an ASA 5505. The ASA has a static IP and the SOHO3 is dynamic. I have tried everything my limited knowledge lets me and need some advice on how to proceed!

Phase 1 (according to the ASA logs) completes - followed by a message saying "All IPSec SA proposals found unacceptable!" so I guess the settings between the two don't match. I have played with various combinations and nothing seems to work - I am overlooking something, just not sure what it is!

Any help would be appreciated.

2 Answers

1

From my experience with ASA 5505, I can tell that the access lists don't match.
Start by adding one IP or full subnet in the list of permitted traffic.
Also, you have to add a NAT exempt rule for the IP(s) on the other end.

As an example, if the traffic back from the other end is not permitted, the tunnel won't be established.

Try to debug using ASDM and Packet tracer from Tools menu.

HTH

Paul
0

As Paul said, it is probably a misconfiguration in the access list that permits traffic from the SonicWall to the Cisco. Take a look at this document:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

It's a PIX, but the commands should be almost identical. If you have problems, use two debug commands:

debug crypto isakmp
debug crypto ipsec

Lots of output, but you can see exactly what's happening. Give this a read as well:

https://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

PiL
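Added example, not part of either answer or of Cisco's documentation: a small Python check of the two things the answers point at, that the ASA's crypto access list mirrors the networks configured on the far end and that the same traffic is exempt from NAT. The ACL names, the addresses and the `check_tunnel` helper are constructed for illustration, and it assumes NAT exemption is configured through an access list, as on pre-8.3 ASA software.

```python
import ipaddress
import re

# Constructed sample config: names and addresses are placeholders, not from the post.
# The crypto ACL has a typo in the remote LAN (192.168.20.0 instead of 192.168.2.0).
ASA_CONFIG = """\
access-list VPN_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is handled (no "host" or "any").
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_acls(config):
    """Return {acl_name: [(source_net, dest_net), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
    return acls


def check_tunnel(config, crypto_acl, nat_exempt_acl, peer_local, peer_remote):
    """peer_local / peer_remote are the networks as entered on the far end:
    its own LAN and the destination network it expects behind the ASA."""
    acls = parse_acls(config)
    # Mirror the far end's view: its destination is our source, its LAN our destination.
    want = (ipaddress.ip_network(peer_remote), ipaddress.ip_network(peer_local))
    problems = []
    if want not in acls.get(crypto_acl, []):
        problems.append(f"{crypto_acl}: no entry mirroring the peer "
                        f"({want[0]} -> {want[1]})")
    exempt = acls.get(nat_exempt_acl, [])
    if not any(want[0].subnet_of(s) and want[1].subnet_of(d) for s, d in exempt):
        problems.append(f"{nat_exempt_acl}: tunnel traffic is not exempt from NAT")
    return problems


if __name__ == "__main__":
    for p in check_tunnel(ASA_CONFIG, "VPN_TRAFFIC", "NONAT",
                          "192.168.2.0/24", "192.168.10.0/24"):
        print(p)
```

This compares traffic selectors only; encryption, hash, PFS and lifetime settings also have to agree on both ends and are not checked here.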