Dakota_G
New Member
September 17, 2015
Question

Site-to-Site: FortiGate to SonicWall

  • September 17, 2015
  • 7 replies
  • 32311 views

Hey All,


I'm having issues connecting my FortiGate (Head Office) to a SonicWall (Remote Office). My logs show "peer SA proposal not match local policy" for an IPsec Phase 1 failure. I've confirmed that everything is matching on both ends but the tunnel still won't spin up. Anyone have any resolutions handy?


Thanks!

    7 replies

    winman15
    New Member
    September 17, 2015

    Is your fortigate behind a NAT?  I had a similar error where my fortigate was behind a NAT so I had to configure the sonicwall settings with the remote peer ID of the WAN IP on the fortigate.  

    gschmitt
    New Member
    September 17, 2015

    Dakota_G wrote:

    peer SA proposal not match local policy

    Did you create policies in and out of the tunnel?

    Did you create static routes pointing to the tunnel?

    Are you 100% certain the P2 matches the other side exactly?


    Please access the CLI and use

    diag debug reset

    diag debug application ike -1

    diag debug application enable


    and provide the log. To stop type

    diag debug disable

    diag debug reset

    emnoc
    New Member
    September 17, 2015


    I hope the following can help.


    http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html


    But it sounds like you need to double check ph2-proposals and proxy-ids. I would start by obtaining the above suggested diagnostics and by reading the above link. Concentrate on phase2 diagnostics if you actually have an IKE-SA active.


    Validate first phase1 and then 2nd phase2. Proxy-ids will need to match, and the 0.0.0.0:0 is probably not going to work with a SonicWall, or at least I never tried it on a SonicWall.


    fwiw: if you have left the default 0.0.0.0:0 in the phase2 selectors of a route-based VPN, that would work fine with a FGT to FGT or FGT to SRX or FGT to CISCO (route-based).
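    As an added example (not code from any of the posts above), a small Python checker that models the two mismatches this thread keeps returning to: proposal overlap in phase 1/phase 2 and mirrored proxy-IDs, with the 0.0.0.0/0 selector of a route-based FortiGate VPN flagged against the explicit subnets a policy-based SonicWall expects. The dictionary keys and both sample configurations are constructed assumptions for illustration, not FortiOS or SonicOS syntax.

```python
import ipaddress

# Constructed sample settings for both peers, normalised to one vocabulary
# (the keys are assumptions for this example, not vendor CLI syntax).
FGT = {                       # head office, route-based VPN
    "p1_proposals": {("aes256", "sha256")}, "p1_dhgrp": {14},
    "p2_proposals": {("aes256", "sha256")}, "p2_dhgrp": {14},
    "local_sel": "0.0.0.0/0", "remote_sel": "0.0.0.0/0",   # default selectors
}
SONICWALL = {                 # remote office, policy-based VPN
    "p1_proposals": {("aes256", "sha256")}, "p1_dhgrp": {14},
    "p2_proposals": {("aes256", "sha1")},   "p2_dhgrp": {14},
    "local_sel": "192.168.2.0/24", "remote_sel": "10.10.0.0/16",
}

def check(a, b):
    """Return a list of findings describing why a and b cannot negotiate.

    An empty list means proposals overlap in both phases and the proxy-IDs
    mirror each other (a.local == b.remote and a.remote == b.local).
    """
    findings = []
    for phase in ("p1", "p2"):
        props = f"{phase}_proposals"
        if not a[props] & b[props]:
            findings.append(f"{phase}: no common enc/auth proposal "
                            f"{sorted(a[props])} vs {sorted(b[props])}")
        if not a[f"{phase}_dhgrp"] & b[f"{phase}_dhgrp"]:
            findings.append(f"{phase}: no common DH group")
    # Phase 2 selectors are compared as networks, crosswise between peers.
    net = ipaddress.ip_network
    pairs = (("a.local vs b.remote", net(a["local_sel"]), net(b["remote_sel"])),
             ("a.remote vs b.local", net(a["remote_sel"]), net(b["local_sel"])))
    for label, x, y in pairs:
        if x != y:
            hint = ""
            if x.prefixlen == 0 or y.prefixlen == 0:
                hint = " (0.0.0.0/0 wildcard selector: set explicit subnets)"
            findings.append(f"p2 proxy-ID mismatch {label}: {x} vs {y}{hint}")
    return findings

if __name__ == "__main__":
    for line in check(FGT, SONICWALL):
        print(line)
```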


    hklb
    Visitor III
    September 17, 2015

    Hello,


    you need to specify the proxy id (do not use group) on the fortigate.


    On sonicwall, leave the local/peer id to blank.


    And Google is your friend:

    http://kb.fortinet.com/kb/viewContent.do?externalId=11657

    http://www.sysprobs.com/guide-to-setup-vpn-between-sonicwall-and-fortigate-ipsec-site-to-site-vpn


    Lucas

    Dakota_G
    Author
    New Member
    September 17, 2015

    I've gotten the tunnel up and I am able to ping from FortiGate to SonicWall but not SonicWall to FortiGate. I believe I have all the policies in place, anyone have any input?

    emnoc
    New Member
    September 17, 2015

    The diag debug flow command is the #1 diagnostic tool in the FortiGate toolbox. I would suggest you deploy it ;)


    diag debug dis

    diag debug reset

    diag debug enable


    diag debug flow filter addr <x.x.x.x>

    diag debug flow show console enable

    diag debug flow trace start 100


    Place your traffic up, monitor the diagnostics output and look at the evidence. After conclusion, disable the diagnostics:


    diag debug reset

    diag debug disable


    Ken


    discoscott
    New Member
    September 27, 2015

    Make sure you're using IKEv2 - DPD and nat-t work much better between vendors

    LakshmiNarayana
    New Member
    October 18, 2017

    Anyone can help on this? Now I am getting the below error from SonicWall:


    IKE Initiator: Proposed IKE ID mismatch