How can I configure 3 SonicWall TZ-170s for a hub-and-spoke design with one dynamic IP?

Hi all!!

I need help configuring 3 SonicWall TZ-170s in a hub-and-spoke design (one central gateway with 2 remote gateways).
I have 2 static public IPs and 1 dynamic public IP (PPPoE).

I already know how to set up branch office VPN tunnels, but for a hub-and-spoke design (the 2 remote gateways connect to the central one so they get an IP from the central DHCP) I am kind of lost.

Would really appreciate a tutorial or step-by-step guide or something.

Thx
inf2300 Asked:

ccomley Commented:
Presumably you are choosing one of the fixed-IP sites for "hub".

In which case, it's fairly easy.

Set up a VPN between the hub site and the second fixed-IP site. The VPN Wizard should help you here, but basically, just keep all the defaults for the IPSec settings (then they'll be the same at both ends) and name each VPN tunnel with the Unique Firewall ID of the other end. Put the public IP address of each site in as the tunnel gateway of the other site.

The VPN from Hub to Site3 is the same *except* on the Hub end the "VPN gateway" will be 0.0.0.0 coz you don't know what the IP will be from one day to the next. Note of course that this tunnel can only be brought up by the Site3 SonicWall, not the Hub one, as the Hub one doesn't know the IP address of Site3.

Because of the above problem, I suggest you choose the options

- Keep-Alive on
- Try to bring up all tunnels

in the VPN configs.

This should give you working VPNs between Hub and each remote site.

To enable the full hub/spoke network, just turn on the check box for "allow traffic to remote VPNs" on the hub firewall. You should now find that traffic from Site2 can reach Site3 via the HubSite. You do have unique network addresses at each site of course. :)



inf2300 (Author) Commented:
Thx for the reply, I'm on it right now.
gbechara Commented:
One thing to add if you're still having problems. I have the exact situation at my site.

For the Hub TZ-170, in the VPN Policy, configure as follows:
On the Proposals tab, in the IKE (Phase 1) Proposal section, select "Aggressive Mode" for the "Exchange" and uncheck "Enable Perfect Forward Secrecy".

For the Spoke TZ-170 (with the dynamic public IP), in the VPN Policy, configure as follows:
On the Proposals tab, in the IKE (Phase 1) Proposal section, select "Main Mode" for the "Exchange" and uncheck "Enable Perfect Forward Secrecy".

As ccomley said, the connection will have to be established from the spoke.
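As an added illustration (my own code, not from either poster or from SonicWall), the Python below models the advice in ccomley's and gbechara's replies as data and checks the points they make: the hub's entry for the dynamic spoke is 0.0.0.0, so only the spoke can initiate and must run keep-alive; every site's LAN has to be unique for Site2-to-Site3 transit through the hub; and the disabled PFS is surfaced as a trade-off rather than silently accepted. Site names and addresses are constructed.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed topology (not from the thread): two static-IP sites and one PPPoE spoke.
SITES = {
    "Hub":   {"wan": "203.0.113.1",  "lan": "192.168.1.0/24"},
    "Site2": {"wan": "198.51.100.2", "lan": "192.168.2.0/24"},
    "Site3": {"wan": None,           "lan": "192.168.3.0/24"},  # dynamic PPPoE address
}
# One entry per tunnel end, encoding the settings the thread recommends.
POLICIES = [
    # Hub end: 0.0.0.0 gateway for the dynamic spoke, Aggressive Mode, PFS off
    {"on": "Hub", "peer": "Site2", "gateway": "198.51.100.2", "exchange": "Main", "pfs": False, "keepalive": True},
    {"on": "Hub", "peer": "Site3", "gateway": "0.0.0.0", "exchange": "Aggressive", "pfs": False, "keepalive": False},
    # Spoke ends: both point at the hub's fixed address and keep the tunnel up themselves
    {"on": "Site2", "peer": "Hub", "gateway": "203.0.113.1", "exchange": "Main", "pfs": False, "keepalive": True},
    {"on": "Site3", "peer": "Hub", "gateway": "203.0.113.1", "exchange": "Main", "pfs": False, "keepalive": True},
]

def check_hub_and_spoke(sites, policies, hub="Hub"):
    """Return a list of findings; only PFS warnings means the design is consistent."""
    findings = []
    # 1. Site2 -> Hub -> Site3 transit only works if every site's LAN is unique.
    for (a, ca), (b, cb) in combinations(sites.items(), 2):
        if ip_network(ca["lan"]).overlaps(ip_network(cb["lan"])):
            findings.append(f"overlap: {a} {ca['lan']} and {b} {cb['lan']}")
    by_end = {(p["on"], p["peer"]): p for p in policies}
    for spoke, cfg in sites.items():
        if spoke == hub:
            continue
        hub_side, spoke_side = by_end.get((hub, spoke)), by_end.get((spoke, hub))
        if hub_side is None or spoke_side is None:
            findings.append(f"missing tunnel end between {hub} and {spoke}")
            continue
        # 2. A dynamic spoke is entered as 0.0.0.0 on the hub; the hub then cannot
        #    initiate, so the spoke must hold the tunnel up with keep-alive.
        if cfg["wan"] is None:
            if hub_side["gateway"] != "0.0.0.0":
                findings.append(f"{spoke} is dynamic but hub gateway is {hub_side['gateway']}")
            if not spoke_side["keepalive"]:
                findings.append(f"{spoke} cannot be dialled by the hub; enable keep-alive there")
        elif hub_side["gateway"] != cfg["wan"]:
            findings.append(f"hub gateway for {spoke} should be {cfg['wan']}")
        # 3. Turning PFS off (as advised) is a trade-off: a later compromise of the
        #    long-term key then exposes recorded traffic, so surface it.
        for side in (hub_side, spoke_side):
            if not side["pfs"]:
                findings.append(f"warning: PFS disabled on {side['on']} -> {side['peer']}")
    return findings
```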