Solved

Site to Site VPN problems between SonicWall TZ150 (remote) and TZ170 (central)

Posted on 2007-11-29
12
3,488 Views
Last Modified: 2010-08-05
The following is our current network infrastructure:
Client PCs > SBS 2003 DC (with DHCP & 2 NICs - one internal on 10.xxx.xxx.xxx and one external to the SonicWall on 192.xxx.xxx.xxx) > SonicWall TZ170 > ADSL Internet

The goal is to add a pair of TZ150's which will register via VPN to the TZ170 over the internet.  The TZ150's will have dynamic addresses while the TZ170 is on a static.  We have worked on the issue for a while today (we are all NEW to VPN's in general here) and were able to get the TZ150s to establish the tunnel successfully to the TZ170.  We can ping back/forth from the 150's to the 170 and vice-versa.  We are having issues with two items:

1.) The TZ150's can't seem to "see" beyond the TZ170.  They can ping (using the SonicWall built-in admin ping) the 170 and the external NIC on the SBS but not the Internal at all.  Nor can the 170 or SBS ping the clients attached to the 150's.  Also, only the SonicWall ping works, built-in Windows one does not.  Nothing beyond the SonicWall ping works either.

2.) We would like to be able to have the SBS box hand-out the IP addresses via DHCP to the clients behind the TZ150's... however this may be impossible... not sure.

Couple of details:
1.) We know the SBS network works, it has been in-place and running for about 3 years.  The client has decided to add remote sites and needs a high level of monitoring, control, and access restrictions... unfortunately the built-in SBS VPN isn't going to cut it.  Also, they want something that is on prior to log-in, so the user can authenticate on the SBS network, hence the reason no software client.

2.) The SonicWalls (all 3) are using the most current firmware -- as of today -- and all are on SonicOS Standard.  

3.) We have many custom access rules set up on the TZ170 already, so we are familiar with SonicWall and general firewall functionality... however, as stated, VPN is new to us.

Any assistance would be GREATLY appreciated.
0
Question by:level3solutions
12 Comments
 
LVL 1

Expert Comment

by:tmoon
ID: 20379853
Quick general info...
Remote sites should be on "different" subnets for VPN to work properly.  Sonicwall and / or other firewall (SBS) should be configured to "allow" those subnets to pass properly.  Depending how SBS is setup it needs to "trust" the other subnets.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 20380087
I'm hoping that you are following the SonicOS 3.1 Standard Administrators Guide:
http://www.sonicwall.com/downloads/SonicWALL_SonicOS_Standard_3.1_Administrators_Guide.pdf
(assuming you have the Standard OS installed on your SonicWalls)

If so, then you will see that DHCP over VPN is quite easy to set up.  (See the DHCP over VPN section of that guide)

Then, when using a SonicWall as your Firewall, you may find that it's much easier to just use a single NIC on your SBS, which I would strongly suggest.

There is no way for SBS to "trust" the other subnets as tmoon suggests above... you would just create a persistent route between the two subnets.  But again, I refer you to the guide linked above.  See the "VPN Planning Sheet for Site-to-Site VPN Policies" for help in configuring this.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:level3solutions
ID: 20380152
TechSoEasy,

I did look at that guide, unfortunately I don't think closely-enough.  Thank you for the information.  I will attempt some of the changes suggested by the guide more stringently.  Will let you know.

-Level 3
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20380210
For what it's worth... I never attempt these type of configurations without directly following the documentation.  Then, if it doesn't work I at least know where to start looking.  :-)

Jeff
TechSoEasy
0
 
LVL 1

Expert Comment

by:tmoon
ID: 20380214
Jeff is correct and I was wrong for using the word "trust" as SBS does not really "trust" other domains per se..... (how silly of me) what I meant was....
If firewalling etc... make sure the far-end subnet is setup as far as DNS etc is concerned... for example..
Let's say location 1 is 192.168.0.x and location 2 is 192.168.1.x

You didn't mention if you were pinging by name... etc.. but for SBS to work correctly and domain logging in to occur properly DNS must be set up correctly.  
Make sure you have a reverse zone with location 2's subnet in it.
Also, have an A record (manual or dyn) setup

As far as the SonicWall... for the TZ 170 it should look something like this:
VPN Policy Window:
General Tab:
select IKE using Preshared Secret
name will default to GroupVPN
enter in "shared secret" pwd
--------------------------------------------------------
for Proposal Tab:
DH Group = Group 2
Encryption = 3DES
Authentication = SHA1
Life Time = 28800

Phase 2:
Protocol = ESP
Encryption = 3DES
Authentication = SHA1
---Enable Perfect Forward Secrecy = NOT checked
the last 2 leave default
----------------------------------------------------------------
Advanced Tab:
Enable Windows Networking NetBIOS Broadcast = Check
Apply NAT = NOT checked
Forward Packets to remote VPN's = NOT checked
**important** Default LAN Gateway = 0.0.0.0
VPN terminated at = LAN (assuming... on your infrastructure of course)
Client Auth = check "Require...."
-----------------------------------------------------------------
Last Tab "Client":
Cache XAUTH = NEVER
Virtual Adapter Settings = DHCP Lease (best way to do it we found)
Allow Connections to = Split Tunnels
other 3 boxes = NOT checked

Are your settings similar to these?
0
 
LVL 1

Assisted Solution

by:tmoon
tmoon earned 250 total points
ID: 20380249
Also could you post your sonicwall log section pertaining to this issue?  Might help :)  Man I'm tired.... I just posted Group VPN.... duh... site to site try this:

3 tabs for site to site usually (on TZ 170 anyway)
General Tab:
IPSec Keying Mode = IKE using Preshared Secret
Name = whatever you like
IPSec Primary gw name or Address = other end
IPSec secondary addr = 0.0.0.0
shared secret = your pwd
DESTINATION NETWORKS
choose 3rd radio button "specify dest. networks below"
Make sure to enter opposite end subnet in "router form"
that is 192.168.x.0 / 255.255.255.0

PROPOSALS TAB:
Exchange = Main Mode
DH Group = Group 2
Encryption = 3DES
Authentication = SHA1
Life Time = 28800
PHASE 2
Protocol = ESP
Encryption = 3DES
Authentication = SHA1
Enable Perfect Forward Secrecy = NOT checked
last 2 leave default
ADVANCED TAB
out of all those checkboxes ONLY check ENABLE windows networking NetBIOS broadcast
NOT nat / firewall rules or any other
Default LAN gateway = 0.0.0.0
VPN Term at = LAN
0
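The planning rules the two experts describe (each site on its own disjoint subnet, and each end's "Destination Networks" listing every subnet behind the peer, including a LAN sitting behind a second router such as the SBS) can be checked mechanically before touching the firewalls. The script below is an added example, not code from the thread or from SonicWall; the plan it checks is constructed from the addresses mentioned in the thread (a 10.140.x.x transit net between TZ170 and SBS, 192.168.0.0/24 behind the SBS, one /24 per remote site).

```python
"""Check a hub-and-spoke site-to-site VPN plan: subnets at different sites must not
overlap, and each end's VPN policy must route every subnet behind its peer.
Added example with constructed addresses; not the thread's or SonicWall's code."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations
from typing import List, Tuple


@dataclass
class Site:
    name: str
    local_nets: List[IPv4Network]   # every subnet reachable behind this firewall
    dest_nets: List[IPv4Network]    # the VPN policy's "Destination Networks"


def nets(*cidrs: str) -> List[IPv4Network]:
    return [ip_network(c) for c in cidrs]


def overlaps(sites: List[Site]) -> List[str]:
    """Subnets at two different sites that overlap; tunnel routing needs them disjoint."""
    found = []
    for a, b in combinations(sites, 2):
        for x in a.local_nets:
            for y in b.local_nets:
                if x.overlaps(y):
                    found.append(f"{a.name} {x} overlaps {b.name} {y}")
    return found


def unreachable(src: Site, dst: Site) -> List[str]:
    """Subnets behind dst that src's policy never sends into the tunnel."""
    return [f"{src.name} has no VPN route to {dst.name} {n}"
            for n in dst.local_nets
            if not any(n.subnet_of(d) for d in src.dest_nets)]


def check_plan(hub: Site, spokes: List[Site]) -> List[str]:
    """Overlap check across all sites, reachability check hub<->each spoke."""
    problems = overlaps([hub] + spokes)
    for s in spokes:
        problems += unreachable(hub, s) + unreachable(s, hub)
    return problems


def thread_plan() -> Tuple[Site, List[Site]]:
    # Constructed plan mirroring the question: the TZ150 policies only list the
    # transit subnet, so traffic for the SBS-internal LAN never enters the tunnel.
    hub = Site("TZ170", nets("10.140.0.0/30", "192.168.0.0/24"),
               nets("192.168.1.0/24", "192.168.2.0/24"))
    spokes = [Site("TZ150-A", nets("192.168.1.0/24"), nets("10.140.0.0/30")),
              Site("TZ150-B", nets("192.168.2.0/24"), nets("10.140.0.0/30"))]
    return hub, spokes
```

Running `check_plan(*thread_plan())` reports that neither TZ150 has a VPN route to 192.168.0.0/24, which is the symptom in the question; the return route from the SBS for the remote /24s (Jeff's persistent route) still has to be added by hand.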
 
LVL 1

Expert Comment

by:tmoon
ID: 20380267
one more thing..... you mentioned dynamic IPs at a location?
If so, under the General Tab.. you should use a service like dyndns.org then just enter your "yourname.dyndns.org" instead of the remote IP.  Of course make sure the dyndns section of the SonicWall is setup and tested :)
0
 
LVL 1

Author Comment

by:level3solutions
ID: 20380268
You guys have both been great.  Hopefully will get to implement your suggestions tomorrow or over the weekend.  I think where we are getting royally-hosed is with the SonicWall 170 (central) Nat'ing once, and then the SBS Nat'ing again.  As I said, the SonicWall is set to have the WAN addy, then translate that to a 10.140.xxx.xxx, of which there are only two addresses, one for the SonicWall internal and one is the external on the SBS... the SBS then has two addresses as well, one is the 10.140.xxx.xxx to connect to the SW, the other is the internal DHCP scope of 192.168.xxx.xxx.

My System Specialist is swearing that is where the issue is coming in, and he might be right (he would never let me hear the end of it).  We will check/configure as suggested above and see if that helps; if we still have issues the next step is to remove the second NATing on the SBS box I guess.  Anyway, I will let you guys know.  I really appreciate it.

-Level 3
0
 
LVL 1

Expert Comment

by:tmoon
ID: 20380303
Sounds good... and good luck... which is what I'll need with our SBS issues tomorrow morning :(
Jeff might slam me for saying this ;).. but I've always been a fan of using Cisco Pix / Sonicwall etc... on the outside or to create a DMZ and only having one NIC on my SBS boxes... seems cleaner / easier like that... never been a fan of the ol' double NIC wanna be a firewall type of SBS setup
just my 2 cents
later
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20383258
I wouldn't slam you for saying that... if you look at my comment above, http:#20380087 I made the suggestion that a single NIC configuration would be best.  But not creating a DMZ, since that wouldn't provide any sort of protection.

FYI, the next version of SBS will only support a single NIC configuration.

Jeff
TechSoEasy
0
 
LVL 1

Expert Comment

by:tmoon
ID: 20383362
That's interesting regarding the single NIC in the next SBS.  As for the DMZ... I meant in general instead of firewalling the SBS box... not for the above problem :)  Jeff, when you get a chance could you take a look at our SBS current problem.  I posted it early this morning.  I'm gonna add a better description after I type this.  Thx
0
 
LVL 1

Author Closing Comment

by:level3solutions
ID: 31411862
Thank you both, my apologies for taking so long to get back to this, we implemented on a non-double-NAT solution the following day without issues.  I have just been too busy to reply, but thank you again.
0