IPSEC Tunnel Between SonicWALL TZ170 (Enhanced) and Draytek 2820

synergiq used Ask the Experts™
I am busy trying to setup a IPSEC tunnel between a TZ170 with enhanced OS and a Draytek 2820. I have input the settings on both ends and the tunnel passes phase 1 but then fails on phase two. I have tried all combinations and I am getting nowhere. Below are the errors that are being logged in the SonicWALL

Received IKE SA delete request      Destination IP, 4500      Local IP, 4500      VPN Policy: Chris       
Received packet retransmission. Drop duplicate packet      Destination IP, 4500      Public IP, 4500      VPN Policy: Chris       
Received packet retransmission. Drop duplicate packet      Destination IP, 4500      Local IP, 4500      VPN Policy: Chris       
IKE Responder: IPSec proposal does not match (Phase 2)      Destination IP, 4500      Local IP, 4500      VPN Policy: Chris       
IKE Responder: Route table overrides VPN policy      Destination IP, 4500      Local IP, 4500      VPN Policy: Chris; Local network /; Remote network       
IKE Responder: Received Quick Mode Request (Phase 2)      Destination IP, 4500      Local IP, 4500      VPN Policy: Chris       
IKE Responder: Main Mode complete (Phase 1)      Destination IP, 4500      Local IP, 4500      VPN Policy: Chris;3DES; MD5; DH Group 2; lifetime=28800 secs       
NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device                          
IKE Responder: Received Main Mode request (Phase 1)      Destination IP, 500      Local IP, 500

Here are the VPN Settings on the SonicWALL

Authentication Method : IKE Using Preshared Secret
Name : Chris
IPsec Primary Gateway Name or Address : Destination IP
Shared Secret : SHAREDSECRET
Confirm Secret : SHAREDSECRET
Local Network : LAN Interface IP (
Destination Network :
IKE Phase 1 Proposal
Exchange : Main Mode
DH Group : Group 2
Encryption : 3DES
Authentication : MD5
Life Time : 28800

IPSEC (Phase 2)
Protocol : AH
Encryption : none
Authentication : MD5
Life Time : 3600

On the Draytek this is the config

Call Direction : Dial Out
Type Of Sever : IPSec Tunnel
Server / Hostname : Public IP of Head Office
IPSEC Security : AH (Medium)
IKE Phase 1 Mode : Main Mode
IKE Phase 1 Proposal : Lists all protocols in various groups
IKE Phase 2 Proposal : HMAC_MD5
IKE Phase 1 Key Life Time : 28800
IKE Phase 2 Key Life Time : 3600

My WAN IP : Destination IP Listed Above
Remote Gateway IP :
Remote Network IP :
Remote Network Mask :
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

most common Phase 2 failures (from the debug errors)

IKE Responder: IPSec proposal does not match (Phase 2)-- most likely your transform set but could be:

access control lists for interesting traffic (traffic to be encrypted thru tunnel)and
transform set mismatch. You try different transform sets for testing
recheck syntax - network id and subnet masks, delete and re-apply them
Top Expert 2007
Looks like you are using AH and also there is NAT implemented in between, would not work.

Use ESP instead of AH and then check.

Post more sanitized logs if problem persists.

Thank you.

agree with dpk wal, ESP protocol is the most common used with ipsec tunnels.
Because AH includes the IP addresses in the Integrity checksum value, any modification by NAT will cause the check to fail when the peer tries to verify.  The nat router cannot recompute this integrity checksome.

good call dpk wal
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!


I am visiting site this afternoon to put the NAT router into bridge mode. The ESP tunnel did still not work correctly so think this is the way forward.

Will post back if I am still having issues.


Put the router into bridge mode and now the SonicWALL lan is getting the public IP. Now getting the following error on the logs

02/03/2010 15:47:46.880      Notice      Network Access      UDP packet dropped, 1900, WAN, 1900      UDP UDP 1900

Now used to be the IP of the router, but since this is in bridge mode it does not have this IP Anymore. I have added a rule for UDP 1900 to forward on from the WAN to LAN but this is still not allowing the VPN to even get to Phase 1.


Putting the router into Bridge mode and then reconfiguring working.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial