Azure VPN with Sonicwall - peer IKE ID

    Question

  • I successfully configured a SonicWall device to connect to an Azure VPN and all was working well.

    After a day or so the connection dropped. It seems the data being sent as the peer IKE ID/remote ID changed.

    Initially it was X.X.X.4 and now it's X.X.X.5. If I change the ID at the SonicWall end then it reconnects, but then after a time it changes again!

    I understand the feature is in preview and sonicwall isn't on the supported list, but is there a way to avoid this remote ID changing or can we specify it in the Azure management portal?

    Thanks.

    Marcus

    Friday, June 29, 2012 1:15 PM
    Moderator

Answers

  • Hi, Marcus:

    Unfortunately, this is currently by design (i.e. the peer IKE ID of the Azure gateway is dynamic).  I cannot get into too many implementation details of this problem in the public forum (hope you can understand), but we are aware of this problem, and it is actually one of the main reasons why we do not officially support some of the VPN router products out there (e.g. WatchGuard, SonicWall, etc).  As I have pointed out in the other thread with EDRandD (the WatchGuard thread), you are stepping into the unsupported territory here:

    For the Cisco/Juniper devices we officially support, none of them require such a setting to be explicitly declared, but we are also aware that some devices may have such a requirement (and that's also the reason why we do not support these devices officially at this point).

    That said, we are currently working on addressing this issue in the next release (i.e. making the peer IKE ID static).  In the meantime, unfortunately, it seems your best choice is to either go with a supported hardware device or keep up with this changing peer ID property (I know that's not pleasant, I am sorry about that...).

    Friday, June 29, 2012 6:46 PM
    Moderator

All replies

  • Marcus,

    I would be curious to see how your private network on Azure is set up.  I have been working with the Azure VPN since day one and playing with a WatchGuard (another unsupported device), and after almost a month it still has not changed for me.

    It is always x.x.x.4.  The only time it changes is if I reset the network on Azure.

    I use: 10.4.0.0/16

    FrontNet: 10.4.2.0/24

    Gateway: 10.4.1.0/24

    ID always stays.  I don't have a SonicWall, but I know some devices will allow you to either create a subnet or allow multiple IPs for the ID.  SonicWall doesn't allow that?

    -King

    Friday, June 29, 2012 3:26 PM
  • It's back to .4 now. Was .5 earlier today.

    The network subnet definitions are fine and match. It's just the peer IKE ID that seems to change occasionally. It would be interesting to know why it changes.

    Friday, June 29, 2012 3:31 PM
    Moderator
  • Hi Marcus,

    I have also been trying to get a SonicWall to connect to Azure VPN but I have not had any luck. Can you please help advise me on where I am going wrong? Below are my settings for my SonicWall Pro 3060.

    • Edited by only993 Friday, June 29, 2012 6:05 PM
    Friday, June 29, 2012 4:56 PM
  • Had trouble getting the image to upload. Uploaded it to imageshack. Hoping that someone could help me get Azure VPN to work on the Sonicwall Pro 3060.

    Friday, June 29, 2012 7:24 PM
  • Sorry, only just seen this. You need to have the peer IKE ID set. If you look in the SonicWall logs it should show what is being proposed by the Azure end.

    My VPN has stayed up for a week or so now.
    Wednesday, July 11, 2012 7:55 PM
    Moderator
  • Thanks for the response Marcus, I have got mine to work as well. Not sure how stable it will be yet. Good to hear that yours has been up for a week though.
    Wednesday, July 11, 2012 8:00 PM
  • Hello, I've been testing this scenario for a couple of weeks. Unfortunately it cuts off for me about every week and I have to change the peer ID.
    Thursday, August 9, 2012 7:06 PM
  • Hi Arwind.

    Do you know when (or if) Microsoft will support the Sonicwall NSA 2400 for use with the Azure VPN?

    Thanks.

    Ed

    Wednesday, September 26, 2012 1:47 PM
  • >That said, we are currently working on addressing this issue in the next release<

    Has this ever been 'resolved/worked around', either by SW or MS? I would really like to know.

    Tuesday, August 13, 2013 2:16 PM
  • Hi all

    There is now a SonicWall technote on this very topic. It was published on October 7th 2013:

    http://www.sonicwall.org.cn/us/support/2134_20335.html

    An important point to note is that there are different configurations on the Sonicwall if you choose dynamic or static routing at the Azure end. This caught me out, as I was trying to use the approach for a static route with a dynamic routing gateway.


    Operations Manager, Black Marble Limited

    Monday, October 28, 2013 1:26 PM
  • Technote looks good but does it solve the issue of the changing IKE IPv4 address?

    Richard Parry

    Monday, October 28, 2013 7:45 PM
  • If you make sure you leave the IKE IDs blank as in the technote, then all seems good. That's where I was going wrong. I've been running like this for a month or so now and no issues.
    Monday, October 28, 2013 8:45 PM
    Moderator
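
The behaviour discussed in this thread, as an added example that is not from any poster, Microsoft or SonicWall: it parses an IKEv1 Identification payload body (RFC 2407 layout) and checks it against three peer-ID policies, an exact address, a subnet, and a blank ID. The addresses are constructed, and placing the ID inside the 10.4.1.0/24 gateway subnet quoted above is an assumption.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1  # IPsec DOI identification type (RFC 2407, section 4.6.2.1)

def parse_id_body(body: bytes) -> ipaddress.IPv4Address:
    """Parse an IKEv1 Identification payload body (after the generic header).

    Layout: ID type (1 byte), protocol ID (1), port (2), identification data.
    """
    if len(body) < 4:
        raise ValueError("ID payload body too short")
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type != ID_IPV4_ADDR:
        raise ValueError(f"unhandled ID type {id_type}")
    if len(data) != 4:
        raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
    return ipaddress.IPv4Address(data)

def peer_id_accepted(policy, body: bytes) -> bool:
    """policy: None or '' (blank, any ID accepted), an address, or a CIDR subnet."""
    peer = parse_id_body(body)  # malformed payloads are rejected even when blank
    if not policy:
        return True
    return peer in ipaddress.ip_network(policy, strict=False)

def id_body(addr: str) -> bytes:
    """Build a constructed ID_IPV4_ADDR body for the demo."""
    header = struct.pack("!BBH", ID_IPV4_ADDR, 0, 0)
    return header + ipaddress.IPv4Address(addr).packed

# Constructed sample values: .4 and .5 stand in for the changing last octet.
BEFORE, AFTER = id_body("10.4.1.4"), id_body("10.4.1.5")

def demo():
    """Return (policy, accepted before change, accepted after change) rows."""
    rows = []
    for policy in ("10.4.1.4", "10.4.1.0/24", None):
        rows.append((policy,
                     peer_id_accepted(policy, BEFORE),
                     peer_id_accepted(policy, AFTER)))
    return rows

if __name__ == "__main__":
    for policy, before, after in demo():
        print(f"policy={policy!r:15} .4 accepted={before} .5 accepted={after}")
```

With the blank policy the ID check contributes nothing, so authentication of the gateway rests on the pre-shared key.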