• Status: Solved

Help Setting up a VPN Site-to-Site from Sonicwall TZ-100 to ISA 2004


I'm trying to establish a site-to-site VPN connection from a remote site using a SonicWall TZ-100 to the main site, which uses an ISA Server 2004.

Here's the sites' network information:

Main Office Site:
External IP :
Gateway internal IP (ISA):

Remote Site:
External IP:
Gateway Internal IP: (sonicwall):

I created the following VPN site-to-site on ISA:

Address Range:

On the Connection TAB:
Remote Tunnel endpoint:
Local VPN Gateway IP address:

IPSec Setting:
Phase I Values:  
Phase II Values
Generate key every 3600 sec
PFS unchecked

Authentication TAB:
Use pre-shared key for authentication: 123456 (Not the real one)

On the ISA I created a Network rule:

Source network: Local Network
Destination Network: REMOTE VPN
Relation: Route

On the ISA firewall policy I created an access rule that allows all outbound traffic between the Local Host, the internal network and the REMOTE VPN networks.

On the remote site (SonicWall TZ-100):

I created an Address Object:

Name: Main Office LAN
Zone Assignment: VPN
Type: Range
Starting IP:
Ending IP:

And finally I created a VPN Policy:

General TAB
Name: Main Office VPN
Type: Site-to-site
IPsec Primary Gateway Name or Address:
IPsec Secondary Gateway Name or Address:
Shared Secret:123456 (Not the real one)
Local IKE ID: IP Address (Blank)
Peer IKE ID: IP Address (Blank)
Network TAB:
Local Network: LAN Primary Subnet
Remote Network: Main Office LAN (the object created above)

Proposal TAB:

IKE (Phase 1) Proposal
Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication: SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal
Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1
Enable Perfect Forward Secrecy: unchecked
Life Time (seconds): 28800

Advanced TAB

The only things checked are:

Enable Keep Alive: Checked
VPN Policy bound to: Zone WAN


The site-to-site VPN never gets established; when I try pinging the main site from the remote site, all I get is timeouts.

Am I missing something?

The log on the SonicWall shows:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
1 Solution
First, make sure your lifetime for both phase 1 and phase 2 is the same at both ends.

Second, SonicWall does not recommend using an address object that specifies a range. You want to specify a host or an entire network.

Give those a shot and report the results. You might also analyze the logs on the SonicWall; it should report where your VPN is failing, i.e., phase 1 and/or phase 2. I think right now, with the two points I made above, you're going to fail in phase 1 before you ever get to phase 2.
segp (Author) commented:

Thank you for your answer; you were right. As soon as I changed the address object to an entire network, the VPN started working right away.

Great, glad it's working, and thanks for the points!
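The two faults the accepted answer names (unequal lifetimes, and a 'Range' address object where the peer expects a network) are exactly the kind of thing worth checking mechanically before staring at IKE logs. The script below is an added example, not code from the thread or from either vendor: it models both peers' Phase 1 / Phase 2 proposals and remote-network selectors and reports what will keep the tunnel from coming up. The SonicWall side is filled in from the post; the ISA Phase 1 values were left blank in the post and are assumed here to mirror the SonicWall's, and every IP address is a constructed RFC 1918 value, not the poster's. Note that 3DES, SHA1 and DH group 2 are legacy choices that an ISA 2004 still offers; the audit flags them but does not fail on them, and the "NAT Discovery" log line only matters if one of the gateways actually sits behind a NAT device.

```python
"""Added example (not from the original post): audit a site-to-site IPsec
policy as configured on two peers and report what will stop IKE Phase 1 /
IPsec Phase 2 from completing.  SonicWall values are as posted; the ISA
Phase 1 values were blank in the post and are ASSUMED to match the
SonicWall side.  All addresses are constructed RFC 1918 values."""
import ipaddress
from dataclasses import dataclass

# Parameters both ends must agree on, per phase.
PHASE1_FIELDS = ("exchange", "dh_group", "encryption", "authentication", "lifetime")
PHASE2_FIELDS = ("protocol", "encryption", "authentication", "pfs", "lifetime")
# Legacy algorithms old gateways such as ISA 2004 still offer: reported, not failed.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2"}


@dataclass(frozen=True)
class Peer:
    name: str
    phase1: dict
    phase2: dict
    remote_network: str  # "a.b.c.d/len" or "a.b.c.d-e.f.g.h" (a 'Range' address object)


def _norm(v):
    return v.lower() if isinstance(v, str) else v


def compare_phase(a, b, fields):
    """One line per parameter whose value differs between the two peers."""
    return [f"{f}: {a.get(f)} vs {b.get(f)}" for f in fields if _norm(a.get(f)) != _norm(b.get(f))]


def range_to_prefixes(spec):
    """Express a network or first-last range as the list of CIDR prefixes it covers."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def covering_prefix(spec):
    """Smallest single prefix that contains every address of the selector."""
    prefixes = range_to_prefixes(spec)
    net = ipaddress.ip_network(f"{prefixes[0].network_address}/{prefixes[0].max_prefixlen}")
    last = prefixes[-1].broadcast_address
    while last not in net:
        net = net.supernet()
    return net


def check_selector(spec):
    """A range that is not exactly one prefix cannot be carried as a single
    Phase 2 traffic selector; suggest the covering network object instead."""
    prefixes = range_to_prefixes(spec)
    if len(prefixes) == 1:
        return []
    return [f"{spec}: range spans {len(prefixes)} prefixes; use the network object {covering_prefix(spec)}"]


def weak_algorithms(*phases):
    return sorted({str(v).lower() for p in phases for v in p.values() if str(v).lower() in WEAK})


def audit(local, remote):
    return {
        "phase1": compare_phase(local.phase1, remote.phase1, PHASE1_FIELDS),
        "phase2": compare_phase(local.phase2, remote.phase2, PHASE2_FIELDS),
        "selectors": check_selector(local.remote_network) + check_selector(remote.remote_network),
        "weak": weak_algorithms(local.phase1, local.phase2, remote.phase1, remote.phase2),
    }


# SonicWall TZ-100 proposals exactly as posted (Main Mode, DH2, 3DES/SHA1, 28800 s, no PFS).
SONICWALL_P1 = {"exchange": "main", "dh_group": "group2", "encryption": "3des",
                "authentication": "sha1", "lifetime": 28800}
SONICWALL_P2 = {"protocol": "esp", "encryption": "3des", "authentication": "sha1",
                "pfs": False, "lifetime": 28800}
# Remote network defined as a 'Range' object, as in the post (constructed addresses).
SONICWALL = Peer("SonicWall TZ-100 (remote site)", SONICWALL_P1, SONICWALL_P2,
                 remote_network="192.168.10.1-192.168.10.254")
# ISA 2004 as posted: Phase 2 re-keys every 3600 s, PFS off.  Phase 1 is ASSUMED = SonicWall's.
ISA = Peer("ISA 2004 (main office)", dict(SONICWALL_P1), {**SONICWALL_P2, "lifetime": 3600},
           remote_network="10.20.0.0/24")
# After the accepted fix: equal lifetimes on both ends, network object on the SonicWall.
ISA_FIXED = Peer(ISA.name, ISA.phase1, SONICWALL_P2, ISA.remote_network)
SONICWALL_FIXED = Peer(SONICWALL.name, SONICWALL_P1, SONICWALL_P2, "192.168.10.0/24")

if __name__ == "__main__":
    for label, pair in (("as posted", (ISA, SONICWALL)), ("after fix", (ISA_FIXED, SONICWALL_FIXED))):
        print(label, audit(*pair))
```

Run as posted, the audit reports the Phase 2 lifetime mismatch (3600 vs 28800) and that the range 192.168.10.1-192.168.10.254 does not correspond to one prefix (it summarizes to 14 of them), which is why the SonicWall guidance is to define a network object such as 192.168.10.0/24 instead. After the fix only the legacy-algorithm note remains.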