Solved

IPSEC (Cyberguard SG300 - DSL PPPoA) to SonicWall 2040Pro

Posted on 2007-10-02
Last Modified: 2011-10-03
Hi experts,

Up until today, I've been able to use the SG300 (snapgear router) to do the PPPoE auth for DSL, and have a DSL router modem in bridge mode. With this config I set up a VPN (IPSEC), no problems.

The ISP (iinet) have a PPPoE issue on their DSLAMs, whereby PPPoE does not work.

Thus I have removed the DSL router from bridge mode, set it to PPPoA authentication, and the internet is working!

The IP address of the DSL router is 192.168.16.1
The IP address of the SnapGear SG300 is 192.168.16.2

I set up a direct internet connection on the SG300, and as mentioned above.. internet and DNS are working well.

The only issue that I have is that the SG300 IPSEC tunnel does not work, where it is stuck at "Negotiating Phase1". I have forwarded port 500 udp from 192.168.16.1 (DSL modem) to 192.168.168.2 (SG300).

All shared keys and configs for phase1 and phase2 are correct, but I am still not able to establish the VPN.

Please help
Question by:WitoldRyba
LVL 9

Expert Comment

by:predragpetrovic
ID: 19999336
So the problem is that the other side is not able to see the SG300. The SG must be visible on the internet with a public IP address. The DSL router has the public IP address but not the SnapGear. If it is possible to remove the modem and place the SnapGear in front of it that would work.

Also if you can create PAT (Port Address Translation) for ISAKMP and IPSec ports that will work as well.
0
 

Author Comment

by:WitoldRyba
ID: 19999400
Hi predragpetrovic.

I'll try giving a public IP to the snap gear
wait a sec

wR
0
 

Author Comment

by:WitoldRyba
ID: 19999442
I've given the LAN IP address on the snap gear that of my WAN IP.

restarted VPNs.. no luck

WR
0
LVL 9

Expert Comment

by:predragpetrovic
ID: 19999510
Okay,

First of all the SnapGear must have a public IP address. In order for the SnapGear to have a public IP address, you need to connect it to the public network. Since you are using your modem/router in front of the SnapGear, is there a way to put the router into bridge mode?
0
 

Author Comment

by:WitoldRyba
ID: 19999514
I've now reverted configs to:

SG300
LAN
IP: 192.168.16.2
DNS: 192.168.16.1
Gateway: 192.168.16.1

WAN
IP and Gateway: DHCP assigned - from DSL router

The other end of SonicWall 2040PRO has got about 20 other VPNs set up, and these are all working ok.
Not the issue. The issue as I see it lies with the SG300 config.

WR
0
 

Author Comment

by:WitoldRyba
ID: 19999525
I can't put the DSL router into bridgemode, as the SnapGear will not do PPPoA authentication to ISP.
Thus I need the DSL router to authenticate to internet, and have snapgear do VPN

WR
0
 
LVL 9

Expert Comment

by:predragpetrovic
ID: 19999620
Ok...

So can you access the router? Can you create 1-1 NAT?
0
 

Author Comment

by:WitoldRyba
ID: 19999631
I can access the router no problem.
1-1 NAT, what for?
WR
0
 
LVL 9

Expert Comment

by:predragpetrovic
ID: 19999667
Map the SnapGear to the Outside IP address.
0
 

Author Comment

by:WitoldRyba
ID: 19999726
I've set up 1-1 NAT

private ip: internet (LAN Port 192.168.16.2)
public IP: Internet Port
Public Interface: Internet Port
0
 

Author Comment

by:WitoldRyba
ID: 19999729
still no luck though :(

WR
0
 

Author Comment

by:WitoldRyba
ID: 19999762
I'm going to bed.. I'll try again tomorrow.

appreciate further feedback

ta

WR
0
 

Author Comment

by:WitoldRyba
ID: 20004188
Well I'm no longer sleeping.

Any takers ??

please help

WR
0
 
LVL 9

Expert Comment

by:predragpetrovic
ID: 20005936
Ok...

So can you map the host 192.168.16.2 to your public IP address and remove all firewall entries on the modem/router and leave your snapgear as it is. If this cannot help you do the following:

1. Create a PAT for ISAKMP and IPSec ports for the external IP address to 192.168.16.2
2. On all of your internal workstations and servers set the default gateway to 192.168.16.2

Predrag
0
 

Author Comment

by:WitoldRyba
ID: 20006962
Sorry.. in plain English.. :) ??
0
 

Author Comment

by:WitoldRyba
ID: 20083698
Well I got it to work.. through NATTING, and Aggressive VPN mode.
Unfortunately there are some more overheads as a result of this.. but never mind

Please close this question moderator... no points for anyone :(
0
 
LVL 7

Accepted Solution

by:
oztrodamus earned 2000 total points
ID: 22974933
This is a really old question, but it's still open so I'll comment anyway. Who knows, maybe someone with a similar question will be helped by it.

I believe WitoldRyba had the configuration correct from the start except he went wrong with the Phase 1 settings. I believe the problem specifically was with the "local interface" that was used.

When you set up Phase 1 with the SnapGear as the perimeter device you would use the "WAN interface", and its default gateway, but because the Sonic Wall was used for its PPPoA ability, you need to modify the "local interface" setting to be that of the "LAN interface" used to connect the Sonic Wall with the SG300. You would also need to manually specify the default gateway setting of the "local interface" to be that of the Sonic Wall LAN interface, because you would not have a default gateway set on the LAN interface on the SG300 in this type of setup.

This is my 2 cents. I hope it helps somebody some day :)
0
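
For anyone debugging the same "Negotiating Phase1" symptom behind a NAT router, the following is an added example (not from the thread and not vendor code) that decodes IKEv1 datagrams captured on UDP 500/4500 and reports whether the peer answered and whether NAT-D payloads were exchanged. The function names, status strings and the sample packets built by `build` are constructed for illustration; the numeric values come from RFC 2408/2409 and RFC 3947.

```python
import struct

# Values from RFC 2408/2409 (IKEv1) and RFC 3947 (NAT-Traversal).
EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID", 20: "NAT-D"}
ENCRYPTED = 0x01  # header flag: payloads after the header are encrypted
ZERO8 = b"\x00" * 8

def parse_ike(datagram, udp_port=500):
    """Decode the 28-byte ISAKMP header and list cleartext payload types."""
    if udp_port == 4500:  # NAT-T: IKE is prefixed by a 4-byte zero marker
        if datagram[:4] != b"\x00" * 4:
            raise ValueError("UDP-encapsulated ESP, not IKE")
        datagram = datagram[4:]
    if len(datagram) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _, rcky, nxt, _, exch, flags, _, length = struct.unpack(
        "!8s8sBBBBII", datagram[:28])
    payloads, off, end = [], 28, min(length, len(datagram))
    while nxt and not flags & ENCRYPTED and off + 4 <= end:
        following, _, plen = struct.unpack("!BBH", datagram[off:off + 4])
        if plen < 4:
            raise ValueError("malformed payload length")
        payloads.append(PAYLOADS.get(nxt, str(nxt)))
        nxt, off = following, off + plen
    return {"mode": EXCHANGES.get(exch, str(exch)),
            "responder_replied": rcky != ZERO8,  # zero cookie = first message only
            "payloads": payloads}

def phase1_status(packets):
    """packets: (udp_port, bytes) pairs captured on the initiator's WAN side."""
    parsed = [parse_ike(data, port) for port, data in packets]
    if not any(p["responder_replied"] for p in parsed):
        return "no-reply"      # nothing came back from the peer
    if not any("NAT-D" in p["payloads"] for p in parsed):
        return "no-nat-d"      # peer answered, NAT traversal not seen
    return "nat-d-seen"        # both ends are doing NAT discovery

def build(exch, rcky, types, port=500):
    """Constructed sample datagram: each payload is 4 header + 4 filler bytes."""
    body = b""
    for i, _ in enumerate(types):
        nxt = types[i + 1] if i + 1 < len(types) else 0
        body += struct.pack("!BBH", nxt, 0, 8) + b"\xaa" * 4
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, rcky, types[0], 0x10, exch, 0, 0,
                      28 + len(body))
    return (b"\x00" * 4 if port == 4500 else b"") + hdr + body

SAMPLE = [(500, build(2, ZERO8, [1, 13]))]  # constructed: lone main-mode message 1
```

Run over a capture in which only the initiator's first message appears, as in `SAMPLE`, `phase1_status` returns `"no-reply"`, which is what a tunnel stuck in Phase 1 looks like on the wire.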

Question has a verified solution.