Support Forum
Dakota_G
New Contributor

Site-to-Site: FortiGate to SonicWall

Hey All,

I'm having issues connecting my FortiGate (Head Office) to a SonicWall (Remote Office). My logs show "peer SA proposal not match local policy" for an IPsec Phase 1 failure. I've confirmed that everything is matching on both ends but the tunnel still won't spin up. Anyone have any resolutions handy?

Thanks!

winman15
New Contributor

Is your FortiGate behind a NAT? I had a similar error where my FortiGate was behind a NAT, so I had to configure the SonicWall settings with the remote peer ID of the WAN IP on the FortiGate.

gschmitt
Valued Contributor

Dakota_G wrote:

peer SA proposal not match local policy

Did you create policies in and out of the tunnel?

Did you create static routes pointing to the tunnel?

Are you 100% certain the P2 matches the other side exactly?

Please access the CLI and use

diag debug reset
diag debug application ike -1
diag debug application enable

and provide the log. To stop, type

diag debug disable
diag debug reset

emnoc
Esteemed Contributor III


I hope the following can help.

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

But it sounds like you need to double-check ph2 proposals and proxy-IDs. I would start by obtaining the above-suggested diagnostics and by reading the above link. Concentrate on phase2 diagnostics if you actually have an IKE-SA active.

Validate phase1 first and then phase2. Proxy-IDs will need to match, and the 0.0.0.0:0 is probably not going to work with a SonicWall, or at least I never tried it on a SonicWall.

FWIW: if you have left the default 0.0.0.0:0 in the phase2 selectors of a route-based VPN, that would work fine with a FGT to FGT or FGT to SRX or FGT to Cisco (route-based).

PCNSE NSE StrongSwan
hklb
Contributor II

Hello,

You need to specify the proxy ID (do not use group) on the FortiGate.

On the SonicWall, leave the local/peer ID blank.

And Google is your friend:

http://kb.fortinet.com/kb/viewContent.do?externalId=11657

http://www.sysprobs.com/guide-to-setup-vpn-between-sonicwall-and-fortigate-ipsec-site-to-site-vpn

 

Lucas
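The two replies above (emnoc's on matching phase 2 proposals and proxy-IDs, and hklb's on specifying explicit proxy-IDs instead of the default selectors) both come down to checking that each side's IKE settings mirror the other's before reading the IKE debug output. The script below is an added example, not code from the thread or from Fortinet; it compares constructed phase 1 and phase 2 settings for two peers and reports every mismatch it finds. All addresses, subnets and proposal names are made up for illustration, and the dataclass fields are a simplification of what either vendor actually exposes.

```python
"""Added example: compare IKE phase 1 / phase 2 settings of two VPN peers.

Every configuration value below is constructed for illustration; it is not
taken from the forum thread or from a real FortiGate/SonicWall config.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"   # the default "all traffic" selector of a route-based VPN


def norm(cidr: str) -> str:
    """Canonical CIDR text, so '10.10.0.5/24' and '10.10.0.0/24' compare equal."""
    return ip_network(cidr, strict=False).with_prefixlen


@dataclass(frozen=True)
class Phase1:
    ike_version: int
    proposals: frozenset      # encryption/hash pairs, e.g. "aes256-sha256"
    dh_groups: frozenset
    local_id: str             # IKE ID this side sends
    peer_id: str              # IKE ID this side expects from the peer
    nat_traversal: bool
    dpd: bool


@dataclass(frozen=True)
class Phase2:
    proposals: frozenset
    pfs_groups: frozenset     # empty set means PFS is off
    local_subnets: frozenset  # traffic selectors (proxy-IDs) as CIDR strings
    remote_subnets: frozenset


def compare_phase1(a: Phase1, b: Phase1) -> list:
    issues = []
    if a.ike_version != b.ike_version:
        issues.append(f"phase1: IKE version {a.ike_version} vs {b.ike_version}")
    if not a.proposals & b.proposals:
        issues.append("phase1: no common encryption/hash proposal")
    if not a.dh_groups & b.dh_groups:
        issues.append("phase1: no common DH group")
    # The ID one side sends must equal the ID the other side expects
    # (a FortiGate behind NAT sends its private address unless told otherwise).
    if a.local_id != b.peer_id:
        issues.append(f"phase1: A sends ID {a.local_id!r} but B expects {b.peer_id!r}")
    if b.local_id != a.peer_id:
        issues.append(f"phase1: B sends ID {b.local_id!r} but A expects {a.peer_id!r}")
    if a.nat_traversal != b.nat_traversal:
        issues.append("phase1: NAT-T enabled on one side only")
    if a.dpd != b.dpd:
        issues.append("phase1: DPD enabled on one side only")
    return issues


def compare_phase2(a: Phase2, b: Phase2, peer_needs_explicit_selectors: bool = True) -> list:
    issues = []
    if not a.proposals & b.proposals:
        issues.append("phase2: no common ESP proposal")
    if bool(a.pfs_groups) != bool(b.pfs_groups):
        issues.append("phase2: PFS on one side only")
    elif a.pfs_groups and not a.pfs_groups & b.pfs_groups:
        issues.append("phase2: no common PFS group")
    a_local, a_remote = {norm(s) for s in a.local_subnets}, {norm(s) for s in a.remote_subnets}
    b_local, b_remote = {norm(s) for s in b.local_subnets}, {norm(s) for s in b.remote_subnets}
    # Selectors must mirror each other: A's local is B's remote and vice versa.
    if a_local != b_remote:
        issues.append(f"phase2: A local {sorted(a_local)} != B remote {sorted(b_remote)}")
    if a_remote != b_local:
        issues.append(f"phase2: A remote {sorted(a_remote)} != B local {sorted(b_local)}")
    if peer_needs_explicit_selectors and ANY in (a_local | a_remote | b_local | b_remote):
        issues.append("phase2: 0.0.0.0/0 selector present; peer wants explicit proxy-IDs")
    return issues


def check_tunnel(a1: Phase1, a2: Phase2, b1: Phase1, b2: Phase2, **kw) -> list:
    """All phase 1 issues followed by all phase 2 issues; empty list means consistent."""
    return compare_phase1(a1, b1) + compare_phase2(a2, b2, **kw)


# Constructed sample: head-office FortiGate (side A) and remote SonicWall (side B).
FGT_P1 = Phase1(2, frozenset({"aes256-sha256"}), frozenset({14}), "203.0.113.10", "198.51.100.20", True, True)
SW_P1 = Phase1(2, frozenset({"aes256-sha256"}), frozenset({14}), "198.51.100.20", "203.0.113.10", True, True)
# FortiGate behind NAT that still sends its private address as its IKE ID (constructed).
FGT_P1_BEHIND_NAT = Phase1(2, frozenset({"aes256-sha256"}), frozenset({14}), "192.168.1.1", "198.51.100.20", True, True)
# Phase 2 left at the route-based default of 0.0.0.0/0 on the FortiGate: the mismatch case.
FGT_P2_DEFAULT = Phase2(frozenset({"aes256-sha256"}), frozenset({14}), frozenset({ANY}), frozenset({ANY}))
SW_P2 = Phase2(frozenset({"aes256-sha256"}), frozenset({14}), frozenset({"10.20.0.0/24"}), frozenset({"10.10.0.0/24"}))
# Explicit proxy-IDs that mirror the SonicWall's selectors: the fixed case.
FGT_P2_FIXED = Phase2(frozenset({"aes256-sha256"}), frozenset({14}), frozenset({"10.10.0.0/24"}), frozenset({"10.20.0.0/24"}))

if __name__ == "__main__":
    for label, p1, p2 in (("default selectors", FGT_P1, FGT_P2_DEFAULT),
                          ("behind NAT", FGT_P1_BEHIND_NAT, FGT_P2_FIXED),
                          ("explicit proxy-IDs", FGT_P1, FGT_P2_FIXED)):
        issues = check_tunnel(p1, p2, SW_P1, SW_P2)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it as-is and the "default selectors" case reports the two selector mismatches plus the 0.0.0.0/0 hint, the "behind NAT" case reports the IKE ID that the SonicWall would not accept, and the "explicit proxy-IDs" case reports nothing. Checking this table before enabling `diag debug application ike -1` narrows down what to look for in the debug log.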

Dakota_G
New Contributor

I've gotten the tunnel up and I am able to ping from FortiGate to SonicWall but not SonicWall to FortiGate. I believe I have all the policies in place; anyone have any input?

emnoc
Esteemed Contributor III

The diag debug flow command is the #1 diagnostic tool in the FortiGate toolbox. I would suggest you deploy it ;)

diag debug dis
diag debug reset
diag debug enable

diag debug flow filter addr <x.x.x.x>
diag debug flow show console enable
diag debug flow trace start 100

Place your traffic up, monitor the diagnostics output and look at the evidence. After conclusion, disable the diagnostics:

diag debug reset
diag debug disable

Ken

PCNSE NSE StrongSwan
discoscott
New Contributor III

Make sure you're using IKEv2. DPD and NAT-T work much better between vendors.

LakshmiNarayana

Anyone can help on this? Now I am getting the below error from the SonicWall:

IKE Initiator: Proposed IKE ID mismatch
