SonicWall TZ-170 Enhanced point-to-point tunnel to CheckPoint NGX R65 - Connected BUT NO DATA FLOW

I have a Point-to-Point VPN between sites using a SonicWall TZ-170 Enhanced and a CheckPoint NGX R65. The connection on the SonicWall side (my side) is "green" and I can RDP to the other server (behind the CheckPoint FW) no problem.

PROBLEM: I cannot map drives, sync data between shares, transfer data - which is the point of this VPN.

Logs on the SonicWall show...

IKE Responder: Peer's local network does not match VPN policy's Destination Network
IKE Responder: IPSEC Proposal does not match (Phase 2)

The Phase 1 & 2 Settings look good.
The VPN is up.
I can RDP over the VPN to the remote server using that network's NATed IP.

Am I missing a policy here?


Steve (IT Manager) commented:
Check your policy settings, I'd personally delete then re-create the policies after jotting them down....

Phase 1 & Phase 2 proposals as well as the appropriate gateway would then be re-defined as part of the re-creation process which would resolve the issue.
mojopojo (Author) commented:
Did it and I am in the same boat and all of the settings look the same now as they did. Still get the "green-light" on the SonicWall. I can still RDP over the VPN. But no file transfer or mapping. Same events in logs.

Thanks, but I'm still at this...
Cas Krist commented:
Maybe something in your firewall rules VPN -> LAN??

mojopojo (Author) commented:
To test that I opened up a VPN > LAN bidirectional Any/Any for All Services (**to test only) and got no better results.

I have them going over the CheckPoint FW right now. Possibly they have my subnet down incorrectly, so we are verifying all the settings yet again.
Check that you created the network object for their LAN properly and that it's selected properly on the VPN configuration... Also, are the settings identical on both sides? For phase 1 and 2? Everything has to match.
That's what those messages on the logs are telling you at least.


If your IPSEC Phase 2 proposals don't match then I would be very doubtful that any traffic could pass, as this is the stage where local and remote subnets are negotiated.

Do you have a setting that allows you to specify whether there is one tunnel only or one tunnel per subnet pair? Ask the CheckPoint admin to verify this.

How many subnets are on the remote end of the VPN?  It may be that the tunnel for the subnet with the RDP server is correct in the VPN config but the tunnel for the other machines on which you want to map drives is incorrect in the config.

Is the RDP definitely going over the VPN, or is it an excluded service and actually going over the internet in clear?

Policy-wise, you would need to have ports 135 - 139 and 445 open to allow mapped drives etc.

If you could post the requirements and the VPN config (with sanitised external IPs) then we may be able to help further.
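As an added illustration (not code from this thread, from SonicWall or from Check Point) of the "one tunnel per subnet pair" point above: a responder-side Phase 2 selector check in which one remote subnet matches the policy and passes while a second subnet, or a wider supernet of the same range, is rejected with the first log message from the question. All networks and the policy name are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network

PEER_LOCAL_MISMATCH = ("IKE Responder: Peer's local network does not match "
                       "VPN policy's Destination Network")

@dataclass(frozen=True)
class VpnPolicy:
    # The responder's (SonicWall) site-to-site policy.
    name: str
    local_network: IPv4Network        # our LAN
    destination_network: IPv4Network  # the remote LAN we expect to reach

@dataclass(frozen=True)
class QuickModeProposal:
    # Proxy IDs (traffic selectors) the peer sends in Phase 2 / Quick Mode.
    peer_local: IPv4Network   # the peer's side of the tunnel
    peer_remote: IPv4Network  # our side, as the peer has it configured

def check_proposal(policy: VpnPolicy, proposal: QuickModeProposal):
    """Responder-side selector check; returns (accepted, reason).
    Assumption: one tunnel per subnet pair, so selectors must equal the
    policy networks exactly. A supernet that merely contains the policy
    network is still rejected, which is how a Check Point encryption
    domain wider than the SonicWall destination network fails here."""
    if proposal.peer_local != policy.destination_network:
        return False, PEER_LOCAL_MISMATCH
    if proposal.peer_remote != policy.local_network:
        return False, "peer's remote network does not match policy local network"
    return True, "accepted"

def evaluate(policy, proposals):
    """Map each proposal to its verdict, mirroring what the log would show."""
    return [(p, *check_proposal(policy, p)) for p in proposals]

# Constructed sample: the SonicWall LAN is 192.168.1.0/24 and its policy
# names a single remote subnet, 10.20.0.0/24 (the RDP server's subnet).
SONICWALL_POLICY = VpnPolicy("to-checkpoint", IPv4Network("192.168.1.0/24"),
                             IPv4Network("10.20.0.0/24"))
# The peer's encryption domain also holds a second subnet (file servers)
# and is sometimes summarised as a supernet; neither matches the policy.
PROPOSALS = [
    QuickModeProposal(IPv4Network("10.20.0.0/24"), IPv4Network("192.168.1.0/24")),
    QuickModeProposal(IPv4Network("10.21.0.0/24"), IPv4Network("192.168.1.0/24")),
    QuickModeProposal(IPv4Network("10.20.0.0/16"), IPv4Network("192.168.1.0/24")),
]

if __name__ == "__main__":
    for proposal, accepted, reason in evaluate(SONICWALL_POLICY, PROPOSALS):
        print(f"{proposal.peer_local} -> {proposal.peer_remote}: {reason}")
```

The first proposal is accepted (which is why RDP to that subnet works) while the other two produce the mismatch message, so a second remote subnet needs its own matching subnet-pair entry in the policy on both sides.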


mojopojo (Author) commented:
We had traffic one way, which doesn't make any sense. If the IKE Policy was working at all it should have been all or nothing - correct?

Anyway we swapped out the SonicWall TZ-170 for a TZ-180 and rebuilt the tunnel. That did it. The servers' shares are now in sync and we can RDP/VNC both ways.

Thanks everyone.