Unable to do Site-to-Site IPsec VPN with a Sonicwall
Hi, this subject might sound common to all, but it's just weird: I have all settings correct but it's just not working. OK, here it goes.
I have a Fortigate 60D and a Sonicwall TZ100. I'm trying to set up a Site-to-Site IPsec VPN, and the settings for both are as follows:
Fortigate 60D - Firmware Version: 5.2.11
Sonicwall TZ100 - Firmware Version: 5.9.1.7-2o
SS-LOCAL-FG (192.168.x.x/24) LAN interface subnet where the Fortigate
SS-REMOTE-SW (10.5.x.x/24) ANY interface subnet where the Sonicwall
On the Fortigate, I created a New > Custom VPN Tunnel:

Fortigate 60D

Name: SS-VPN-SW
Remote gateway: 122.x.x.x
Interface: WAN1
Auth Method: Pre-shared Key
Pre-shared Key: xxxxxxxx
IKE Version: 1
Mode: Main

Phase 1 proposal
Algorithms: 3DES-SHA1
DH Group: 2
Key Lifetime: 28800
XAUTH: none

Phase 2
Name: SS-VPN-SW
Local Address: <subnet> 192.168.x.x/24
Remote Address: <subnet> 10.5.x.x/24

inside Advanced
3DES-SHA1
Enable Replay Detection: no
Enable Perfect Forward Secrecy: no
local port: yes
remote port: yes
Protocol: yes
Autokey Keepalive: no
Auto-negotiate: no
Key Lifetime: 28800

Access rules for Fortigate 60D
Outgoing
SS-LOCAL-FG(LAN int) > SS-REMOTE-SW (SS-VPN-SW int) Service: all
Incoming
SS-REMOTE-SW (SS-VPN-SW int) > SS-LOCAL-FG(LAN int) Service: all

Static Route
10.5.x.x/24 using SS-VPN-SW tunnel/sub int

Log Message
negotiate_error IPsec Phase 1 error

Sonicwall TZ100

General Tab
Name: SS-VPN-FG
IPsec Primary Gateway Name of Address: 122.49.216.42
Auth Method: IKE using Preshared Secret
Shared secret: xxxxxxxx

Network Tab
Choose local network from list: LAN Pri Subnet
Choose Destination Network: SS-REMOTE-SW

Proposals Tab IKE (Phase 1)
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (secs): 28800

Proposals Tab Ipsec (Phase 2)
Protocol: ESP
Encryption: 3DES
Auth: SHA1
Enable Perfect Forward Secrecy: no
DH Group: 2
Life Time (secs): 28800

Advanced
Enable Keep Alive: yes

Access Rules created automatically by SW

Log Message
IKE Initiator: Remote party timeout - Retransmitting IKE request

So I'm not sure what's wrong with both configs.
Thanks
Jeff
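
A side-by-side check of the two parameter sets listed in the post, as an added example that is not part of the original post: it compares the Phase 1 and Phase 2 proposals and verifies that the Phase 2 selectors mirror each other. The dictionary keys and the `resolve`/`compare` helpers are hypothetical names, and the subnet behind the Sonicwall's "LAN Pri Subnet" is an assumption.

```python
# Added example. Values are transcribed from the post; masked octets stay as written.
# ASSUMPTION: "LAN Pri Subnet" on the Sonicwall is its 10.5.x.x/24 LAN.
OBJECTS = {
    "SS-LOCAL-FG": "192.168.x.x/24",
    "SS-REMOTE-SW": "10.5.x.x/24",
    "LAN Pri Subnet": "10.5.x.x/24",  # assumed, not stated in the post
}

FORTIGATE = {
    "exchange": "main", "auth": "psk",
    "p1_enc": "3des", "p1_hash": "sha1", "p1_dh": 2, "p1_life": 28800,
    "p2_enc": "3des", "p2_hash": "sha1", "p2_pfs": False, "p2_life": 28800,
    "local": "192.168.x.x/24", "remote": "10.5.x.x/24",
}
SONICWALL = {
    "exchange": "main", "auth": "psk",
    "p1_enc": "3des", "p1_hash": "sha1", "p1_dh": 2, "p1_life": 28800,
    "p2_enc": "3des", "p2_hash": "sha1", "p2_pfs": False, "p2_life": 28800,
    "local": "LAN Pri Subnet", "remote": "SS-REMOTE-SW",
}

# Proposal fields both peers have to agree on; lifetimes are reported separately.
MUST_MATCH = ["exchange", "auth", "p1_enc", "p1_hash", "p1_dh",
              "p2_enc", "p2_hash", "p2_pfs"]
LIFETIMES = ["p1_life", "p2_life"]


def resolve(value):
    """Turn an address-object name into its subnet; pass literals through."""
    return OBJECTS.get(value, value)


def compare(a, b, name_a="A", name_b="B"):
    """Return a list of (severity, message) findings for two IPsec peers."""
    findings = []
    for key in MUST_MATCH:
        if a[key] != b[key]:
            findings.append(("error", f"{key}: {name_a}={a[key]} {name_b}={b[key]}"))
    for key in LIFETIMES:
        if a[key] != b[key]:
            findings.append(("warn", f"{key}: {name_a}={a[key]} {name_b}={b[key]}"))
    # Phase 2 selectors must mirror: one side's local is the other side's remote.
    for mine, yours in (("local", "remote"), ("remote", "local")):
        x, y = resolve(a[mine]), resolve(b[yours])
        if x != y:
            findings.append(("error",
                             f"selector: {name_a} {mine}={x} but {name_b} {yours}={y}"))
    return findings
```

On the values as written in the post, `compare(FORTIGATE, SONICWALL, "FG", "SW")` reports only the Sonicwall destination network object, which the post defines as 10.5.x.x/24. Whether that is a transcription slip or the real setting has to be checked on the device, and it is a Phase 2 selector point, separate from the Phase 1 messages in the logs.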
