
SonicWall VPN

By aquias2000

Let's start off with my extreme dislike of SonicWall...and go from there.

What I'm doing is upgrading from the Standard Version to their Enhanced Version 2.5. I can get the majority of my access rules and CF set up with no problem; where I'm having an issue is on the bloody VPN. Here are the specs of it...

VPN is a site to site VPN. Both are TZ 170s; mine is the Enhanced OS, the other site is the Standard OS. Prior to upgrading (Standard to Standard) the tunnel works fine. After the upgrade I'm getting a "Remote host timeout on IKE authentication".

I've done some digging, even enabled all IKE traffic via the VPN interface, and I'm still staring at the same error message. This SHOULD NOT be this hard; my only thought is I'm missing a basic step that SonicWall requires somewhere.

Here are the rest of the specs on the VPN tunnel.
Authentication IKE shared secret.
Gateway to Gateway connection (internal IP ranges me 192.168.x.x to them 10.1.x.x).

Both sides are using the default settings for the proposals.

Terminating the tunnel at the LAN. (For the upgrade I've tried terminating both at the LAN and the WAN interface with no luck).

Any thoughts? Appreciate it.

by BFilmFan In reply to SonicWall VPN

Did you ask over in the Sonic Wall forums?

I did find the following statement over there:

There are no known problems with the current firmware which could cause VPN tunnels to drop. If you are experiencing dropped VPNs, verify there are no intermittent connectivity problems with your ISP or network connections.

There was a problem noted in v6.4.2.0 firmware where IKE VPN tunnels could be dropped when using Dead Peer Detection. With this bug, Dead Peer Detection dropped VPN SAs at renegotiation of the tunnel due to the Invalid_Cookies error. This problem has been fixed in v6.5 firmware.

by aquias2000 In reply to SonicWall VPN

Sonicwall Forums? Can you pop a link up to those? I haven't seen any "official" forums for them.

As to your answer, I'll try disabling our keep alive and dead peer detection settings, I don't believe I've tried those yet (even though the firmware looks like it applies to the SOHO's).

Thanks for the information! I'll let you know how it works out.

by Rvickers78 In reply to SonicWall VPN

Check to see if you have your Local IKE ID and Peer IKE ID set correctly. Also make sure it's set up for aggressive mode if any of the sides' WAN IPs are dynamic and main mode if both sides are static. The enhanced software is a bit hard to set up if you have never seen it before. I am also CSSA certified by SonicWALL.
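
An added example, not part of the reply above and not SonicWall tooling: when a tunnel fails with an IKE timeout, decoding the ISAKMP header of the UDP 500/4500 payloads seen on the WAN side shows whether each gateway is negotiating main or aggressive mode and whether the peer answers at all. The function names and the sample packets are constructed for illustration; real payloads would come from a packet capture.

```python
import struct

# IKEv1 exchange types (RFC 2408 section 3.1, RFC 2409)
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
PHASE1 = {"main", "aggressive"}

def parse_isakmp(payload, udp_port=500):
    """Decode the fixed 28-byte ISAKMP header from one UDP payload."""
    if udp_port == 4500:
        # NAT-T: IKE on UDP 4500 is prefixed with a 4-byte zero marker (RFC 3948)
        if payload[:4] != b"\x00" * 4:
            raise ValueError("not an IKE packet (ESP-in-UDP or keepalive)")
        payload = payload[4:]
    if len(payload) < 28:
        raise ValueError("truncated ISAKMP header")
    _icookie, rcookie, _next, ver, xchg, flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", payload[:28])
    return {
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE.get(xchg, f"type-{xchg}"),
        "encrypted": bool(flags & 0x01),
        "first_packet": rcookie == b"\x00" * 8,  # no responder cookie yet
        "length": length,
    }

def summarize(packets):
    """packets: (direction, udp_port, payload) tuples; 'out' = sent by this gateway."""
    seen = {"out": set(), "in": set()}
    for direction, port, payload in packets:
        mode = parse_isakmp(payload, port)["exchange"]
        if mode in PHASE1:
            seen[direction].add(mode)
    local, peer = seen["out"], seen["in"]
    return {
        "local_modes": sorted(local),
        "peer_modes": sorted(peer),
        "peer_silent": bool(local) and not peer,
        "mode_mismatch": bool(local and peer and local != peer),
    }

def sample_header(xchg, responder_cookie=b"\x00" * 8):
    """Constructed test data: a bare ISAKMP header with no payloads."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, responder_cookie, 1, 0x10, xchg, 0, 0, 28)

if __name__ == "__main__":
    # Constructed capture: we retransmit main mode, the peer initiates aggressive mode
    capture = [("out", 500, sample_header(2)), ("out", 500, sample_header(2)),
               ("in", 500, sample_header(4))]
    print(summarize(capture))
```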

by ThunderForest In reply to SonicWall VPN

Just wondering how things turned out for you. I'm experiencing something similar with a client to site (Efficient 5851 DSL router and TZ-170). From home, it looks as though I complete phase 2, but the SonicWall log says the payload could not be authenticated. SonicWall told me I had to make the DSL router a bridge (for the pass through) and do NAT on the TZ-170 instead. After trying that, which was a complete nightmare, still could not get the connection. Now I'm told to find out if the ISP supports bridging PPP on the circuit. I don't know if this makes any difference or not, but the DSL router network type is PPPoA, whereas in the TZ-170 VPN setup, there is only NAT w/PPPoE, along with NAT w/DHCP, NAT, and Transparent. If I bridge, which I don't like doing, I also think I need to know the PPP authentication password. I believe that's the username and password you use in the VPN NAT setup on the TZ-170. The router will list the username the ISP uses, but the password doesn't list. I took control of the router from the ISP because their support is slow to respond and downtime is excessive, and this additional password is something I never knew about. Hopefully, the ISP will let me know what it is. Would appreciate any thoughts you may have.

VPN issue

by gundepudiravi In reply to

If you don't want to bridge the ISP,
create a NAT on your ISP's router pointing towards the SonicWall WAN IP
by opening ports 500 and 4500 UDP
and IP protocol 51.

Create a tunnel in Aggressive mode.
Use the Unique Firewall Identifier which you see on VPN settings as the name of the policy on the remote site, and the remote site's Unique Firewall Identifier as the name on your site,
and the tunnel should be up.

by wentworth.dan In reply to SonicWall VPN

I'm setting up a SonicWall VPN right now and having trouble logging onto the domain through the VPN. I have some troubleshooting tips I've come across that would help you out. It's an Adobe file; do you know how to upload files on this forum? Let me know and I'll send it to you. Or contact me at with your email address and I'll send it to you.
