Site to Site VPN problems between SonicWall TZ150 (remote) and TZ170 (central)

The following is our current network infrastructure:
Client PCs > SBS 2003 DC (with DHCP & 2 NICs - one internal on and one external to the SonicWall on > SonicWall TZ170 > ADSL Internet

The goal is to add a pair of TZ150's which will register via VPN to the TZ170 over the internet.  The TZ150's will have dynamic addresses while the TZ170 is on a static.  We have worked on the issue for a while today (we are all NEW to VPN's in general here) and were able to get the TZ150s to establish the tunnel successfully to the TZ170.  We can ping back/forth from the 150's to the 170 and vice-versa.  We are having issues with two items:

1.) The TZ150's can't seem to "see" beyond the TZ170.  They can ping (using the SonicWall built-in admin ping) the 170 and the external NIC on the SBS but not the internal at all.  Nor can the 170 or SBS ping the clients attached to the 150's.  Also, only the SonicWall ping works; the built-in Windows one does not.  Nothing beyond the SonicWall ping works either.

2.) We would like to be able to have the SBS box hand-out the IP addresses via DHCP to the clients behind the TZ150's... however this may be impossible... not sure.

Couple of details:
1.) We know the SBS network works, it has been in-place and running for about 3-years.  The client has decided to add remote sites and needs a high-level of monitoring, control, and access restrictions... unfortunately the built-in SBS VPN isn't going to cut it.  Also, they want something that is on prior to log-in, so the user can authenticate on the SBS network, hence the reason no software client.

2.) The SonicWalls (all 3) are using the most current firmware -- as of today -- and all are on SonicOS Standard.  

3.) We have many custom access rules set up on the TZ170 already, so we are familiar with SonicWall and general firewall functionality... however, as stated, VPN is new to us.

Any assistance would be GREATLY appreciated.

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
I'm hoping that you are following the SonicOS 3.1 Standard Administrators Guide:
(assuming you have the Standard OS installed on your Sonicwall's)

If so, then you will see that DHCP over VPN is quite easy to set up.  (See the DHCP over VPN section of that guide)

Then, when using a SonicWall as your firewall, you may find that it's much easier to just use a single NIC on your SBS, which I would strongly suggest.

There is no way for SBS to "trust" the other subnets as tmoon suggests above... you would just create a persistent route between the two subnets.  But again, I refer you to the guide linked above.  See the "VPN Planning Sheet for Site-to-Site VPN Policies" for help in configuring this.

tmoon commented:
Quick general info...
Remote sites should be on "different" subnets for VPN to work properly.  SonicWall and/or other firewall (SBS) should be configured to "allow" those subnets to pass properly.  Depending on how SBS is set up, it needs to "trust" the other subnets.
level3solutions (Author) commented:

I did look at that guide, unfortunately I don't think closely-enough.  Thank you for the information.  I will attempt some of the changes suggested by the guide more stringently.  Will let you know.

-Level 3

Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
For what it's worth... I never attempt these type of configurations without directly following the documentation.  Then, if it doesn't work I at least know where to start looking.  :-)

tmoon commented:
Jeff is correct and I was wrong for using the word "trust" as SBS does not really "trust" other domains per se..... (how silly of me) what I meant was....
If firewalling etc... make sure the far-end subnet is set up as far as DNS etc. is concerned... for example..
Lets say location 1 is 192.168.0.x and location 2 is 192.168.1.x

You didn't mention if you were pinging by name... etc.. but for SBS to work correctly and for domain log-in to occur properly, DNS must be set up correctly.  
Make sure you have a reverse zone with location 2's subnet in it.
Also, have an A record (manual or dyn) setup

As far as the SonicWall... for the TZ 170 it should look something like this:
VPN Policy Window:
General Tab:
select IKE using Preshared Secret
name will default to GroupVPN
enter in "shared secret" pwd
for Proposal Tab:
DH Group = Group 2
Encryption = 3DES
Authentication = SHA1
Life Time = 28800

Phase 2:
Protocol = ESP
Encryption = 3DES
Authentication = SHA1
---Enable Perfect Forward Secrecy = NOT checked
the last 2 leave default
Advanced Tab:
Enable Windows Networking NetBIOS Broadcast = Check
Apply NAT = NOT checked
Forward Packets to remote VPN's = NOT checked
**important** Default LAN Gateway =
VPN terminated at = LAN (assuming... on your infrastructure of course)
Client Auth = check "Require...."
Last Tab "Client":
Virtual Adapter Settings = DHCP Lease (best way to do it we found)
Allow Connections to = Split Tunnels
other 3 boxes = NOT checked

Are your settings similar to these?
tmoon commented:
Also could you post your sonicwall log section pertaining to this issue?  Might help :)  Man I'm tired.... I just posted Group VPN.... duh... site to site try this:

3 tabs for site to site usually (on TZ 170 anyway)
General Tab:
IPSec Keying Mode = IKE using Preshared Secret
Name = whatever u like
IPSec Primary gw name or Address = other end
IPSec secondary addr =
shared secret = your pwd
choose 3rd radio button "specify dest. networks below"
Make sure to enter opposite end subnet in "router form"
that is 192.168.x.0 /

Exchange = Main Mode
DH Group = Group 2
Encryption = 3DES
Authentication = SHA1
Life Time = 28800
Protocol = ESP
Encryption = 3DES
Authentication = SHA1
Enable perfect for. secrecy = NOT checked
last 2 leave default
out of all those checkboxes ONLY check ENABLE windows
networking NetBIOS broadcast
NOT nat / firewall rules or any other
Default LAN gateway =
VPN Term at = LAN
one more thing..... you mentioned dynamic IP's at a location?
If so, under the General Tab.. you should use a service like then just enter your "" instead of the remote IP.  Of course make sure the dyndns section of the SonicWall is setup and tested :)
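As an added example (not part of this thread, and not SonicWall's own tooling): the planning-sheet failure behind problem 1 in the question can be checked before touching the firewalls.  A SonicOS Standard site-to-site policy carries two subnet lists per gateway: the networks it presents as its own side (its LAN, the phase-2 local selector) and the "specify destination networks" list.  Traffic only goes into the tunnel when the source matches the sender's local list and the destination matches its destination list, and the peer must hold the mirror image or the reply never comes back.  A subnet that sits behind a second NAT hop, like the SBS internal NIC in the question, appears in neither list on either side, which is exactly the symptom reported (the TZ170 LAN and the SBS external NIC answer, the internal subnet does not).  All addresses below are constructed, since the thread's own IPs were lost; NAT itself is not modelled.

```python
"""Site-to-site VPN planning-sheet checker (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    local: Tuple[IPv4Network, ...]        # subnets directly behind this gateway (its side of the policy)
    destination: Tuple[IPv4Network, ...]  # remote subnets it will send into the tunnel


def _covers(addr: IPv4Address, nets: Tuple[IPv4Network, ...]) -> bool:
    return any(addr in n for n in nets)


def tunnel_carries(src: str, dst: str, sender: Gateway, receiver: Gateway) -> Optional[str]:
    """None if src->dst AND its reply both traverse the tunnel; otherwise which selector is missing."""
    s, d = ip_address(src), ip_address(dst)
    if not _covers(s, sender.local):
        return f"{sender.name}: source {s} is not in its local networks (it is behind another router/NAT)"
    if not _covers(d, sender.destination):
        return f"{sender.name}: {d} is not in its destination networks, so it is routed to the WAN, not the tunnel"
    if not _covers(d, receiver.local):
        return f"{receiver.name}: {d} is not in its local networks (phase-2 selector mismatch)"
    if not _covers(s, receiver.destination):
        return f"{receiver.name}: no destination network covers {s}, so the reply cannot return through the tunnel"
    return None


def overlapping_subnets(a: Gateway, b: Gateway) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Sites must use distinct subnets; an overlapping LAN pair cannot be routed across the tunnel."""
    return [(x, y) for x in a.local for y in b.local if x.overlaps(y)]


def plan_report(hub: Gateway, spoke: Gateway, probes) -> List[Tuple[str, Optional[str]]]:
    """probes: (label, src, dst, sender, receiver).  Returns (label, problem-or-None) per check."""
    out = [(f"overlap {x} vs {y}", "sites share address space") for x, y in overlapping_subnets(hub, spoke)]
    out += [(label, tunnel_carries(src, dst, snd, rcv)) for label, src, dst, snd, rcv in probes]
    return out


N = ip_network
# Constructed layout mirroring the question: TZ170 LAN shared with the SBS external NIC,
# clients behind the SBS's own second NAT on a subnet the TZ170 policy never mentions.
SPOKE = Gateway("TZ150 remote", (N("192.168.1.0/24"),), (N("192.168.0.0/24"),))
HUB_DOUBLE_NAT = Gateway("TZ170 central", (N("192.168.0.0/24"),), (N("192.168.1.0/24"),))
SBS_INTERNAL = N("10.0.0.0/24")  # hypothetical SBS internal scope, unknown to both policies

PROBES_AS_ASKED = [
    ("SonicWall ping, TZ150 LAN IP -> TZ170 LAN IP", "192.168.1.1", "192.168.0.1", SPOKE, HUB_DOUBLE_NAT),
    ("TZ150 client -> SBS external NIC", "192.168.1.20", "192.168.0.2", SPOKE, HUB_DOUBLE_NAT),
    ("TZ150 client -> client behind SBS internal NIC", "192.168.1.20", "10.0.0.10", SPOKE, HUB_DOUBLE_NAT),
    ("client behind SBS -> TZ150 client", "10.0.0.10", "192.168.1.20", HUB_DOUBLE_NAT, SPOKE),
]

# One way to keep the two-NIC SBS: advertise the inner subnet on BOTH sides of the policy
# (the TZ170 then also needs a static route to 10.0.0.0/24 via the SBS external NIC, and the
# SBS must route, not NAT, traffic for 192.168.1.0/24 back to the TZ170 LAN IP).
HUB_FIXED = Gateway("TZ170 central", (N("192.168.0.0/24"), SBS_INTERNAL), (N("192.168.1.0/24"),))
SPOKE_FIXED = Gateway("TZ150 remote", (N("192.168.1.0/24"),), (N("192.168.0.0/24"), SBS_INTERNAL))
PROBES_FIXED = [(lbl, s, d, HUB_FIXED if snd is HUB_DOUBLE_NAT else SPOKE_FIXED,
                 HUB_FIXED if rcv is HUB_DOUBLE_NAT else SPOKE_FIXED)
                for lbl, s, d, snd, rcv in PROBES_AS_ASKED]

if __name__ == "__main__":
    for title, hub, spoke, probes in (("as asked", HUB_DOUBLE_NAT, SPOKE, PROBES_AS_ASKED),
                                      ("inner subnet added to both policies", HUB_FIXED, SPOKE_FIXED, PROBES_FIXED)):
        print(f"== {title} ==")
        for label, problem in plan_report(hub, spoke, probes):
            print(f"{'OK  ' if problem is None else 'FAIL'} {label}" + (f": {problem}" if problem else ""))
```

Run as a script it prints the first two probes as OK and the two that cross the SBS as FAIL, naming the missing list, which is why the SonicWall's own ping (sourced from the TZ170 LAN IP) works while a Windows ping from an inner client does not.  The simpler cure both answers recommend is to drop the second NIC so the SBS and its clients live on the TZ170 LAN subnet already covered by the policy.  Separately, the proposal values quoted above (3DES, SHA1, DH group 2) were the SonicOS defaults of that era; on any firmware that offers them, AES and a larger DH group are the settings to pick today.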
level3solutions (Author) commented:
You guys have both been great.  Hopefully will get to implement your suggestions tomorrow or over the weekend.  I think where we are getting royally-hosed is with the SonicWall 170 (central) Nat'ing once, and then the SBS Nat'ing again.  As I said, the SonicWall is set to have the WAN addy, then translate that to a, of which there are only two addresses, one for the SonicWall internal and one is the external on the SBS... the SBS then has two addresses as well, one is the to connect to the SW, the other is the internal DHCP scope of

My System Specialist is swearing that is where the issue is coming in, and he might be right (he would never let me hear the end of it).  We will check/configure as suggested above and see if that helps; if we still have issues the next step is to remove the second NATing on the SBS box I guess.  Anyway, I will let you guys know.  I really appreciate it.

-Level 3
tmoon commented:
Sounds good... and good luck... which is what I'll need with our SBS issues tomorrow morning :(
Jeff might slam me for saying this ;).. but I've always been a fan of using Cisco PIX / SonicWall etc... on the outside or to create a DMZ and only having one NIC on my SBS boxes... seems cleaner / easier like that... never been a fan of the ol' double NIC wanna-be-a-firewall type of SBS setup
just my 2 cents
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
I wouldn't slam you for saying that... if you look at my comment above, http:#20380087 I made the suggestion that a single NIC configuration would be best.  But not creating a DMZ, since that wouldn't provide any sort of protection.

FYI, the next version of SBS will only support a single NIC configuration.

tmoon commented:
That's interesting regarding the single NIC in the next SBS.  As for the DMZ... I meant in general instead of firewalling the SBS box... not for the above problem :)  Jeff, when you get a chance could you take a look at our SBS current problem.  I posted it early this morning.  I'm gonna add a better description after I type this.  Thx
level3solutions (Author) commented:
Thank you both, my apologies for taking so long to get back to this; we implemented a non-double-NAT solution the following day without issues.  I have just been too busy to reply, but thank you again.