
Fail with site-to-site with FG to SonicWall

I have encountered an issue. I've set up a VPN site-to-site connection between a FortiGate and a SonicWall, but I'm having trouble getting the service to work.
Here is the scenario:


[Image: vpn site-to-site.png]


FortiGate Device Setting

Go to VPN > IPSec > Phase 1.
Gateway Name: ToSonicWall
Remote Gateway: SonicWall Static Public IP Address:

Local Interface:
Mode: IkeV2
Authentication Method: Preshared Key
Preshared Key: preshared key


Encryption: AES256
Authentication: SHA512
DH Group: 2
Keylife: 28800

Dead Peer Detection: Disabled

the other settings as default.


the Phase 2 settings


Remote Gateway:
Select Advanced:

Encryption: AES256
Authentication: SHA512
Enable replay detection: Unchecked
DH group: 5
Keylife: 28800
Autokey Keep Alive: Checked
Quick Mode Selector
Source address:
Destination address:

To add the addresses

Go to Firewall > Address.
Select Create New to create the FortiGate address.
Enter a name for the address, for example FortiGate_network.
Enter the FortiGate IP address and subnet. “Internal LAN Subnet”
Select Create New again to create the SonicWALL address.
Enter the name for the address, for example SonicWALL_network.
Enter the SonicWall IP address and subnet. “Remote LAN Subnet”

To create a firewall policy for the VPN traffic going from the SonicWALL device to the FortiGate unit

Go to Firewall > Policy.

Source Interface: Internal
Source IP address:
Destination Interface: WAN1 (or external)
Destination Address Name:
Schedule: always
Service: ANY
Action: Encrypt
VPN Tunnel: ToSonicWall
Select Allow inbound
Select Allow outbound


My Internet Service Provider (ISP) on side 1 has provided me with a public IP address, which I need to manage in my FortiGate. Additionally, the ISP has assigned me an IP in the DMZ, which I've placed on my WAN interface in my FortiGate. All the necessary settings have been configured for this interface. On the SonicWall, I've created the VPN connection to the public address as my destination.

When I check the FortiGate, the IPsec section shows traffic both on the outside and inside, but when I review the SonicWall, the site-to-site VPN doesn't establish a connection. In the SonicWall logs, I see the following message: 



953 VPN Payload Processing Error Warning IKEv2 Payload processing error, 500, 500 udp
974 VPN Initiator: Received IKE_AUTH Response Inform IKEv2 Initiator: Received IKE_AUTH response, 500, 500 udp
959 VPN Unable to Find IKE SA Warning IKEv2 Unable to find IKE SA, 500, 500 udp
940 VPN Initiator: Send IKE_AUTH Request Inform IKEv2 Initiator: Send IKE_AUTH Request, 500, 500 udp
943 VPN Accept IKE SA Proposal Inform IKEv2 Accept IKE SA Proposal, 500, 500 udp
973 VPN Initiator: Received IKE_SA_INT Response Inform IKEv2 Initiator: Received IKE_SA_INT response, 500, 500 udp
938 VPN Initiator: Send IKE_SA_INIT Request Inform IKEv2 Initiator: Send IKE_SA_INIT Request, 500, 500 udp
1052 VPN VPN Policy Modified Inform VPN policy CENTRAL is modified.


I appreciate a helping hand.





The error is probably generated due to a phase 1/2 mismatch. You may consider collecting an IKE debug on the FortiGate side and checking the phase 1/2 proposals.



In this scenario I see some issues.
1. SonicWall has in its routing table (directly connected)
2. FortiGate is behind NAT, and is using subnet as outside interface (DMZ)
3. You should enable NAT-T and also force NAT-T on the FortiGate so they use port 4500 and not 500.
4. You should reconsider changing the internal LAN for the SonicWall from to something else
5. Also, since the FortiGate is behind NAT, you may want to use local-id under phase1-interface:
set localid-type address
set local-id

But as I stated, the main problem is the LAN assignment, where the SonicWall will see packets from subnet, and will also send that subnet as the phase 2 traffic selector.

The FortiGate on the other side has the subnet directly configured on the DMZ and will also see the same subnet coming from the VPN tunnel interface. So the design and settings are wrong in this case.

Please check this article on how to properly set it up:
Technical Tip: List of articles about FortiGate I... - Fortinet Community
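As an added example, not from any reply in this thread, the following Python check encodes the two things the replies point at: a phase 1/2 proposal mismatch and a SonicWall LAN subnet that overlaps the DMZ range on the FortiGate's WAN side. All subnets, proposals and the dict layout are constructed sample values, since the thread's real addresses are not shown.

```python
import ipaddress

# Constructed sample settings (not the poster's real values), one dict per peer.
FORTIGATE = {
    "ike_version": 2,
    "phase1": {"enc": "aes256", "auth": "sha512", "dh": 2},
    "phase2": {"enc": "aes256", "auth": "sha512", "dh": 5},
    "local_lan": "192.0.2.0/24",          # internal LAN behind the FortiGate
    "outside_subnet": "198.51.100.0/24",  # ISP DMZ range configured on WAN1
    "behind_nat": True,
}
SONICWALL = {
    "ike_version": 2,
    "phase1": {"enc": "aes256", "auth": "sha512", "dh": 14},  # DH differs from peer
    "phase2": {"enc": "aes256", "auth": "sha512", "dh": 5},
    "local_lan": "198.51.100.0/24",  # same range as the FortiGate's DMZ: the design flaw
}

def proposal_mismatches(a, b):
    """(phase, attribute) pairs whose values differ between the two peers."""
    return [(p, k) for p in ("phase1", "phase2") for k in a[p] if a[p][k] != b[p][k]]

def selector_conflicts(fgt, snwl):
    """Traffic selectors must not overlap each other or the FortiGate's outside
    subnet; otherwise remote-LAN packets look like directly connected DMZ traffic."""
    fgt_lan = ipaddress.ip_network(fgt["local_lan"])
    snwl_lan = ipaddress.ip_network(snwl["local_lan"])
    dmz = ipaddress.ip_network(fgt["outside_subnet"])
    problems = []
    if fgt_lan.overlaps(snwl_lan):
        problems.append("local and remote LAN selectors overlap")
    if snwl_lan.overlaps(dmz):
        problems.append("SonicWall LAN overlaps FortiGate outside (DMZ) subnet")
    return problems

def findings(fgt, snwl):
    """Everything a reviewer would want fixed before re-debugging the tunnel."""
    out = [f"{p} {k} differs between peers" for p, k in proposal_mismatches(fgt, snwl)]
    out += selector_conflicts(fgt, snwl)
    if fgt["ike_version"] != snwl["ike_version"]:
        out.append("IKE version differs")
    if fgt.get("behind_nat"):
        out.append("FortiGate is behind NAT: force NAT-T (UDP 4500) and set a local-id")
    return out

if __name__ == "__main__":
    for line in findings(FORTIGATE, SONICWALL):
        print("-", line)
```

Swap the constructed dicts for the values read from each GUI; an empty result from findings() means the two design problems raised above are absent and the IKE debug is the next step.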


Hi @Jalero,


Can you run IKE debugs on the FortiGate side by following this article:


# diagnose vpn ike log-filter dst-addr4
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable




I would only log UTM where needed. Double check your logs to make sure that this is what happened and, if it is, adjust your conserve mode threshold to be a little higher while you navigate your options to prevent more disruption. Wouldn't hurt to enable fail open as well on IPS.

Hi @Jalero,

Can you please run the following commands and see if there is any mismatch in the config of P1/2:

diag debug reset
diagnose vpn ike log filter rem-addr4 X.X.X.X (remote peer IP)
diagnose debug application ike -1
diag debug enable


