• Status: Solved

SonicWall TZ-170 Enhanced point-to-point tunnel to CheckPoint NGX R65 - Connected BUT NO DATA FLOW

I have a Point-to-Point VPN between sites using a SonicWall TZ-170 Enhanced and a CheckPoint NGX R65. The connection on the SonicWall side (my side) is "green" and I can RDP to the other server (behind the CheckPoint FW) no problem.

PROBLEM: I cannot map drives, sync data between shares, transfer data - which is the point of this VPN.

Logs on the SonicWall show...

IKE Responder: Peer's local network does not match VPN policy's Destination Network
IKE Responder: IPSEC Proposal does not match (Phase 2)

The Phase 1 & 2 Settings look good.
The VPN is up.
I can RDP over the VPN to the remote server using that network's NATed IP.

Am I missing a policy here?

4 Solutions
Steve, IT Manager, commented:
Check your policy settings, I'd personally delete then re-create the policies after jotting them down....

Phase 1 & Phase 2 proposals as well as the appropriate gateway would then be re-defined as part of the re-creation process which would resolve the issue.
mojopojo (Author) commented:
Did it and I am in the same boat and all of the settings look the same now as they did. Still get the "green light" on the SonicWall. I can still RDP over the VPN. But no file transfer or mapping. Same events in logs.

Thanks, but I'm still at this...
Cas Krist commented:
Maybe something in your firewall rules VPN -> LAN??

mojopojo (Author) commented:
To test that I opened up a VPN > LAN bidirectional Any/Any for All Services (**to test only) and got no better results.

I have them going over the CheckPoint FW right now. Possibly they have my subnet down incorrectly, so we are verifying all the settings yet again.
Check that you created the network object for their LAN properly and that it's selected properly on the VPN configuration... Also, are the settings identical on both sides? For phase 1 and 2? everything has to match.
That's what those messages on the logs are telling you at least.


If your IPSEC Phase 2 proposals don't match then I would be very doubtful that any traffic could pass as this is the stage where local and remote subnets are negotiated.

Do you have a setting that allows you to specify whether there is one tunnel only or one tunnel per subnet pair? Ask the CheckPoint admin to verify this.

How many subnets are on the remote end of the VPN?  It may be that the tunnel for the subnet with the RDP server is correct in the VPN config but the tunnel for the other machines on which you want to map drives is incorrect in the config.

Is the RDP definitely going over the VPN or is it an excluded service and actually going over the internet in clear?

Policy-wise, you would need to have ports 135 - 139 and 445 open to allow mapped drives etc.

If you could post the requirements and the VPN config (with sanitised external IPs) then we may be able to help further.
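As an added illustration of the checks described in the answer above (a responder comparing the peer's proposed networks with its own policy's destination network, one tunnel per subnet pair, and the SMB ports a VPN -> LAN rule must allow), here is a small Python model of that Phase 2 negotiation. It is not code from SonicWall, CheckPoint or this thread; the networks, proposals and rule ranges are constructed, and the rule that a proposed selector "fits inside our policy" is an assumption, not either vendor's exact logic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase2Policy:
    local_net: str       # network this gateway protects (its proxy ID)
    remote_net: str      # network it expects behind the peer
    encryption: str
    auth: str
    pfs_group: int       # 0 = PFS off

def responder_check(mine: Phase2Policy, proposal: Phase2Policy) -> list[str]:
    """Errors a responder would log for one Phase 2 proposal from the peer.
    `proposal` is written from the peer's point of view, so its local_net is
    what our policy must list as the destination. Assumption (constructed
    model, not vendor logic): a selector that fits inside our policy matches."""
    errors = []
    our_dst = ipaddress.ip_network(mine.remote_net)
    our_src = ipaddress.ip_network(mine.local_net)
    if not ipaddress.ip_network(proposal.local_net).subnet_of(our_dst):
        errors.append("Peer's local network does not match VPN policy's Destination Network")
    if not ipaddress.ip_network(proposal.remote_net).subnet_of(our_src):
        errors.append("Peer's remote network does not match VPN policy's Local Network")
    if (mine.encryption, mine.auth, mine.pfs_group) != (proposal.encryption, proposal.auth, proposal.pfs_group):
        errors.append("IPSEC Proposal does not match (Phase 2)")
    return errors

def check_all(mine: Phase2Policy, proposals: list[Phase2Policy]) -> dict[str, list[str]]:
    """One result per peer subnet, for a peer that builds one tunnel per subnet pair."""
    return {p.local_net: responder_check(mine, p) for p in proposals}

SMB_PORTS = {135, 137, 138, 139, 445}

def blocked_smb_ports(allow_rules: list[tuple[int, int]]) -> set[int]:
    """SMB/CIFS ports that no VPN -> LAN allow rule (lo, hi) covers."""
    return {p for p in SMB_PORTS if not any(lo <= p <= hi for lo, hi in allow_rules)}

# Constructed example: our policy names only the RDP server's subnet as the
# destination, while the peer's encryption domain also carries a second subnet
# (the file server) and proposes it with PFS off. RDP works, shares do not.
OURS = Phase2Policy("192.168.10.0/24", "10.20.1.0/24", "AES-256", "SHA1", 2)
PEER_PROPOSALS = [
    Phase2Policy("10.20.1.0/24", "192.168.10.0/24", "AES-256", "SHA1", 2),  # RDP subnet
    Phase2Policy("10.20.2.0/24", "192.168.10.0/24", "AES-256", "SHA1", 0),  # file server subnet
]

if __name__ == "__main__":
    for net, errs in check_all(OURS, PEER_PROPOSALS).items():
        print(net, "OK" if not errs else "; ".join(errs))
    print("SMB ports not allowed VPN -> LAN:", blocked_smb_ports([(3389, 3389)]))
```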

mojopojo (Author) commented:
We had traffic one way, which doesn't make any sense. If the IKE Policy was working at all it should have been all or nothing - correct?

Anyway we swapped out the SonicWall TZ-170 for a TZ-180 and rebuilt the tunnel. That did it. The servers' shares are now in sync and we can RDP/VNC both ways.

Thanks everyone.