Symptom: Phase 1 Settings Are Identical On Both Sides, But The Log Displays A Failure In Phase 2 - SonicWALL TZ 180 Recommends Manual

Troubleshooting TZ 180 Configuration and Settings Issues
Symptom: Phase 1 Settings Are Identical on Both Sides, but the Log Displays a Failure in Phase 2
For a VPN tunnel to successfully negotiate, most of the settings must exactly match on both sides. Below is a list of settings that must match.
Verify that both sides have their Protocol, Encryption, and Authentication settings set to match; otherwise the tunnel fails. These settings are found by clicking the Configure icon next to the VPN policy and then clicking the Proposals tab.
Perfect Forward Secrecy (PFS) Mismatch - By default, PFS is disabled on SonicWALL security appliances. PFS is a security mechanism in IPsec that adds a layer of security to the VPN tunnel. To use PFS, check the box next to Enable Perfect Forward Secrecy on the VPN policy's Proposals tab, verify that the DH Group matches, and verify that the Life Time (seconds) field entry matches on both sides. If the Life Time settings do not match, the VPN policy negotiates using the lower of the two settings. Figure 14 provides a view of the Life Time field.
Incorrect destination network(s) - If an incorrect destination exists, for example, if one side of the connection has Keep Alive enabled and its destination networks do not match one-to-one the destination networks configured on the peer, the log displays the message NO PROPOSAL CHOSEN.
Missing 'Default LAN Gateway' Option - When running SonicOS Standard or Firmware 6.x on a
SonicWALL security appliance at a main site, using the Use this VPN Tunnel as default route for all
Internet traffic option (also referred to as tunnel-all mode), a LAN default gateway must be specified on
the other side's VPN. This LAN default gateway cannot be the LAN IP address of the SonicWALL security
appliance, and must be a separate internal router residing on the other side's LAN segment. To configure
this feature, log into the main site's SonicWALL security appliance, navigate to the VPN > Settings page,
click the Configure icon next to the VPN policy to the remote site that is set to tunnel-all to the main site,
and click the Advanced tab. In the Default LAN Gateway field, enter the IP address of the third-party
router on the main SonicWALL security appliance LAN segment. Click OK.
Note: You do not need to update the Default LAN Gateway option when using SonicOS Enhanced.
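The matching rules above can be turned into a side-by-side check. The following Python script is an added example, not code from the SonicWALL guide: it takes the Phase 2 values from both ends of a site-to-site policy and reports which of the listed settings (Protocol, Encryption, Authentication, PFS and its DH Group, destination networks) would make Phase 2 fail, applying the guide's rule that a Life Time mismatch is not an error but negotiates to the lower value. The field names, site names and network values are constructed for the example and are not SonicOS configuration keys.

```python
"""Side-by-side checker for the Phase 2 settings the guide says must match (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase2Side:
    """Proposal and network values read from one end of a site-to-site policy.

    Field names are our own (assumed); they are not SonicOS configuration keys.
    """
    name: str
    protocol: str                    # e.g. "ESP"
    encryption: str                  # e.g. "AES-256"
    authentication: str              # e.g. "SHA1"
    pfs_enabled: bool                # Enable Perfect Forward Secrecy checkbox
    dh_group: Optional[str]          # only compared when PFS is enabled
    lifetime_seconds: int            # Life Time (seconds)
    local_networks: frozenset        # networks this side offers to the peer
    destination_networks: frozenset  # networks this side expects behind the peer


@dataclass
class Phase2Report:
    mismatches: List[str]
    negotiated_lifetime: int         # lower of the two Life Time values

    @property
    def ok(self) -> bool:
        return not self.mismatches


def compare_phase2(a: Phase2Side, b: Phase2Side) -> Phase2Report:
    """Return every setting that would make Phase 2 fail, plus the Life Time that wins."""
    found: List[str] = []

    # Protocol, Encryption and Authentication must match (compared case-insensitively here).
    for field_name in ("protocol", "encryption", "authentication"):
        va, vb = getattr(a, field_name), getattr(b, field_name)
        if va.strip().lower() != vb.strip().lower():
            found.append(f"{field_name}: {a.name}={va} {b.name}={vb}")

    # PFS must be on or off on both sides; when on, the DH Group must match too.
    if a.pfs_enabled != b.pfs_enabled:
        found.append(f"PFS: {a.name}={'on' if a.pfs_enabled else 'off'} "
                     f"{b.name}={'on' if b.pfs_enabled else 'off'}")
    elif a.pfs_enabled and a.dh_group != b.dh_group:
        found.append(f"DH group: {a.name}={a.dh_group} {b.name}={b.dh_group}")

    # Each side's destination networks must pair one-to-one with the peer's local
    # networks; a mismatch surfaces in the log as NO PROPOSAL CHOSEN.
    for src, dst in ((a, b), (b, a)):
        if src.destination_networks != dst.local_networks:
            found.append(
                f"NO PROPOSAL CHOSEN: {src.name} destination "
                f"{sorted(src.destination_networks)} does not match "
                f"{dst.name} local {sorted(dst.local_networks)}")

    # Life Time is not a hard failure: the policy negotiates using the lower value.
    return Phase2Report(found, min(a.lifetime_seconds, b.lifetime_seconds))


# Constructed sample values for a main site and a remote site (not taken from the guide).
MAIN_SITE = Phase2Side("main", "ESP", "AES-256", "SHA1", True, "Group 2", 28800,
                       frozenset({"10.1.0.0/24"}), frozenset({"192.168.5.0/24"}))
REMOTE_SITE = Phase2Side("remote", "ESP", "AES-256", "SHA1", True, "Group 2", 3600,
                         frozenset({"192.168.5.0/24"}), frozenset({"10.1.0.0/24"}))
# A remote side showing three of the listed mistakes: wrong hash, PFS off, wrong destination.
BAD_REMOTE = Phase2Side("remote", "ESP", "AES-256", "MD5", False, None, 3600,
                        frozenset({"192.168.5.0/24"}), frozenset({"10.10.0.0/16"}))


if __name__ == "__main__":
    for peer in (REMOTE_SITE, BAD_REMOTE):
        report = compare_phase2(MAIN_SITE, peer)
        print("OK" if report.ok else "MISMATCH",
              f"(negotiated Life Time {report.negotiated_lifetime}s)")
        for line in report.mismatches:
            print("  -", line)
```

Running the script prints OK for the matching pair (with the lower Life Time of 3600 seconds, as the guide describes) and three mismatch lines for the bad pair, the last of which is the NO PROPOSAL CHOSEN case caused by the destination network not matching the peer's local network.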
SonicWALL TZ 180 Recommends Guide
Figure 14 provides an example of Phase 2 settings.

[Figure 14: Phase 2 Settings]