Our company recently replaced a Sonicwall 2040 Pro with a Sonicwall NSA 240. Configuring the new Sonicwall went reasonably smoothly, with the exception of one of our site-to-site VPN links. When attempting to create a site-to-site VPN link to a Sonicwall TZ170 behind a Clear (Clearwire) wireless internet modem, it would fail with the error: IKE Responder: Proposed IKE ID mismatch. A summary of the configuration and the steps that resolved the issue:
- Remote firewall is connected to the internet using Clear wireless network.
- The Clear box has a static IP address assigned to it. All traffic is routed to an internal IP address on the Clear box.
- The WAN port on the remote Sonicwall firewall (Sonicwall TZ170) is set to DHCP with NAT. The WAN port gets its IP address from the Clear box.
VPN connections are set up as follows:
- Policy Type: Site to Site
- Authentication Method: IKE using Preshared Secret
- Name: Use the Unique Firewall Identifier.
- IPsec Primary Gateway (on headquarters NSA 240 VPN): 75.X.X.X (the static IP address of the Clear modem at the remote office).
- Local IKE ID on NSA 240: SonicWALL Identifier: (The Unique Firewall Identifier on the NSA 240)
- Peer IKE ID on NSA 240: SonicWALL Identifier: (The Unique Firewall Identifier on the TZ170)
- NOTE: The previous two steps are critical for it to work properly.
- For the Proposal settings use your own preferences, but make sure the Exchange for the IKE (Phase 1) Proposal is set to Aggressive Mode.
We were only able to successfully create the VPN link by using the correct Unique Firewall Identifier names, properly setting the Local and Peer IKE IDs, and setting the Exchange to Aggressive Mode.
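As an added example (not code from the original post or from SonicWall), here is a small checker that models the two ends of the policy above and flags the things that produce a Proposed IKE ID mismatch: a Peer IKE ID that does not equal the other side's Local IKE ID, a Phase 1 exchange the two ends disagree on, and a DHCP/NAT WAN end identified by a fixed IP or left in main mode. The data model, the field values and the Unique Firewall Identifier strings are hypothetical placeholders.

```python
# Added example (not from the original post): cross-check both ends of a
# SonicWall-style site-to-site IKE policy. Data model and values are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeId:
    kind: str   # "ip" or "sonicwall_identifier"
    value: str

@dataclass(frozen=True)
class VpnEnd:
    name: str
    wan_mode: str   # "static" or "dhcp_nat" (WAN address handed out by the modem)
    exchange: str   # Phase 1 exchange: "main" or "aggressive"
    local_id: IkeId
    peer_id: IkeId

def check_policy(a: VpnEnd, b: VpnEnd) -> list:
    """Return the problems found; an empty list means the IDs and modes line up."""
    problems = []
    # Each end's Peer IKE ID must equal what the other end sends as its Local IKE ID.
    for me, other in ((a, b), (b, a)):
        if me.peer_id != other.local_id:
            problems.append(f"{me.name}: Peer IKE ID {me.peer_id} != {other.name} Local IKE ID {other.local_id}")
    # Both ends must agree on the Phase 1 exchange.
    if a.exchange != b.exchange:
        problems.append(f"Phase 1 exchange differs: {a.name}={a.exchange}, {b.name}={b.exchange}")
    # A WAN addressed by DHCP/NAT cannot be identified by a fixed IP; it needs an
    # identifier-type ID and, with a pre-shared key, aggressive mode.
    for end in (a, b):
        if end.wan_mode == "dhcp_nat" and end.local_id.kind != "sonicwall_identifier":
            problems.append(f"{end.name}: DHCP/NAT WAN must use a SonicWALL Identifier as Local IKE ID")
        if end.wan_mode == "dhcp_nat" and end.exchange != "aggressive":
            problems.append(f"{end.name}: DHCP/NAT WAN with a pre-shared key needs aggressive mode")
    return problems

# Constructed sample: placeholder Unique Firewall Identifiers, not real ones.
HQ_UFI, REMOTE_UFI = "HQ-NSA240-UFI", "REMOTE-TZ170-UFI"
hq_ok = VpnEnd("NSA 240", "static", "aggressive",
               IkeId("sonicwall_identifier", HQ_UFI), IkeId("sonicwall_identifier", REMOTE_UFI))
remote_ok = VpnEnd("TZ170", "dhcp_nat", "aggressive",
                   IkeId("sonicwall_identifier", REMOTE_UFI), IkeId("sonicwall_identifier", HQ_UFI))
# Failing variant: HQ identifies the peer by the modem's static IP (203.0.113.10 is a
# documentation address) and leaves Phase 1 in main mode.
hq_bad = VpnEnd("NSA 240", "static", "main",
                IkeId("sonicwall_identifier", HQ_UFI), IkeId("ip", "203.0.113.10"))

if __name__ == "__main__":
    print("working pair:", check_policy(hq_ok, remote_ok))
    print("failing pair:", check_policy(hq_bad, remote_ok))
```

Aggressive mode sends both identities unencrypted and lets anyone who captures the exchange test pre-shared-key guesses offline, so pair it with a long, random secret rather than a memorable phrase.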