troubleshooting Question

Site-to-Site VPN w/ two Sonicwall TZ 100 devices - need beginner help

Avatar of jcazzell
jcazzell asked on
10 Comments2 Solutions2266 ViewsLast Modified:
I have been doing networking for a while, but am fairly new to VPN setup/config.  I've been asked to help a friend setup what I believe is a simple site-to-site VPN between their north & south side offices.

I'm using two Sonicwall TZ 100 devices and I cannot make this work properly.  Both ends are behind DSL modems and are double NATed - I cannot get around this limitation.  I have forwarded the external IPs to the WAN port on the TZ 100s.

From what I've read, I need to setup my VPN on each device to point to the other, using different subnets.  I've done that such that:

North Office:
South Office:

I've setup DynDNS accounts for each and in my VPN setup my IPsec primary gateway for each end is the other's dyndns domain.

I'm not 100% sure how I should be setting up the "Network" tab.  Right now it's set to "firewalled subnets" for local and a group I created with the opposite ends IP range for remote.

I see failed IKE connection attempts in the logs, but the VPN itself never comes up.

I don't know if I'm making this more difficult than it needs to be, but I cannot figure it out.  Does anyone have any good advice or a walk through on setting up a point-to-point VPN using the TZ100s?

Here's a snipping of the log from the south office:

15      03/08/2011 21:22:32.736      Warning      VPN IKE      IKE Responder: Proposed IKE ID mismatch      x.x.x.x, 500      y.y.y.y, 500      VPN Policy: ticketsnorth; Local ID:;Remote ID:
16      03/08/2011 21:22:32.464      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
17      03/08/2011 21:22:26.192      Info      VPN IKE      IKE negotiation aborted due to timeout      y.y.y.y, 500      x.x.x.x, 500      VPN Policy: ticketsnorth              
18      03/08/2011 21:22:15.448      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
19      03/08/2011 21:22:06.464      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
20      03/08/2011 21:22:01.560      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
21      03/08/2011 21:21:52.192      Info      VPN IKE      IKE Initiator: Remote party timeout - Retransmitting IKE request.      y.y.y.y, 500      x.x.x.x, 500      VPN Policy: ticketsnorth

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 2 Answers and 10 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 10 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros