VPN Issues between TZ190 and TZ170 with a Site to Site VPN

I am trying to set up a VPN between a remote office TZ170 and a main office TZ190.  Both have static IPs and are using an ADSL connection.  

Some of the logs are listed below.

IKE Initiator: Start Main Mode negotiation (Phase 1) (MAIN OFFICE IP), 500 (Remote Office), 500 VPN Policy: To remote Office  
2 01/29/2008 19:51:53.576 Info VPN IKE IKE negotiation aborted due to timeout (MAIN OFFICE IP), 500 75.58.246.246, 500 VPN Policy: To remote Office  
3 01/29/2008 19:51:18.576 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request.
12sierra12Asked:
Press2EscCommented:
You have 4 options, which all work well:
1) Bridge the Netopia and run the PPPoE on the Sonic...  this will work..  Note: configuring the Netopia in bridge mode is a multi-step (manual) process..
2) Config the Netopia to run as a gateway (NAT On) and config IP Maps to map (1 of 5) avail public MSIPs to the Sonic's STATIC assigned private IP (e.g., 192.168.1.200); This places the Sonic in the DMZ - no firewall pin hole to config.
3) Config the Netopia to run PPPoE w/a Routed Subnet (NAT Off); Note: Don't forget to config the Sonic with Public IP & 255.255.255.248 netmask.  This places the Sonic in the DMZ - no firewall pin hole to config.  
4) Forget the MSIP and order a single Static IP  (SIP). A SIP is by far the easiest to config...

P2E
0
 
from_expCommented:
hi there!
it seems, firewall is dropping your packets for vpn.
is any of your boxes located behind the firewall?
0
 
12sierra12Author Commented:
I have a dsl modem that may be blocking.  It is a Siemens 4100 DSL modem.  I have tried to configure it for pass through but it does not seem to be working correctly.  
0
 
from_expCommented:
it is possible to configure your sonicwalls with nat traversal setting. configure it.
nat traversal uses only udp port 500 for tunneling traffic, so most firewalls should allow it through
on your dsl router something like allow ipsec passthrough should be configurable
0
 
12sierra12Author Commented:
Do I set both Sonicwalls with NAT traversal?  or just the main office?   I have this enabled. I talked with ATT and they no longer use the Siemens 4100 DSL modem.  They can ship out a Motorola 2210 modem or a Netopia.  Not sure I need it though.  
0
 
from_expCommented:
both of them should be enabled with nat traversal, please look into sonicwall's manual for configuring nat traversal.
I suppose tunnel should come up
if not, please provide logs from both boxes
0
 
12sierra12Author Commented:
I confirmed that I have both Sonicwalls set with NAT Traversal.  I have it set to 240 seconds keep alive on the TZ 170.  I do not see this keep alive option for the TZ190.  I cannot check the dsl router now
0
 
12sierra12Author Commented:
I am getting the following in the TZ 170 Logs many times

01/30/2008 11:42:25.766 ICMP packet dropped 192.168.0.1, 8, WAN 55.55.55.55, 0, WAN ICMP Type: 8, Code: 0  


192.168.0.1 is the LAN IP of the DSL router
0
 
from_expCommented:
your tunnel is established now, isn't it?
keepalive should be set to 60 seconds, the value should be smaller than inactivity timeout
0
 
12sierra12Author Commented:
Nope my tunnel is still not up. I reset the keep alive to 60 seconds.

Some other log messages from the TZ170
01/30/2008 13:55:52.000 UDP packet dropped 192.168.0.1, 53, WAN 55.55.55.55, 34628, WAN UDP Port: 34628
0
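The log lines quoted in this thread (the IKE "Remote party timeout" / "aborted due to timeout" pair from the question, and the ICMP/UDP packets dropped on the WAN from the 192.168.0.1 modem address) can be triaged mechanically. The parser below is an added example, not code from the thread or from SonicWall; the sample log is constructed from the quoted lines, with 203.0.113.10 and 198.51.100.20 standing in for the two office WAN addresses.

```python
import ipaddress
import re

# Constructed sample, modelled on the SonicWall log lines quoted in this thread;
# 203.0.113.10 and 198.51.100.20 stand in for the two office WAN addresses.
SAMPLE_LOG = """\
01/29/2008 19:51:18.576 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request.
01/29/2008 19:51:53.576 Info VPN IKE IKE negotiation aborted due to timeout 203.0.113.10, 500 198.51.100.20, 500 VPN Policy: To remote Office
01/30/2008 11:42:25.766 ICMP packet dropped 192.168.0.1, 8, WAN 55.55.55.55, 0, WAN ICMP Type: 8, Code: 0
01/30/2008 13:55:52.000 UDP packet dropped 192.168.0.1, 53, WAN 55.55.55.55, 34628, WAN UDP Port: 34628
"""

IKE_ABORT = re.compile(r"IKE negotiation aborted due to timeout (\S+), (\d+) (\S+), (\d+)")
IKE_RETRY = re.compile(r"Remote party timeout - Retransmitting IKE request")
PKT_DROP = re.compile(r"(ICMP|UDP|TCP) packet dropped (\S+), (\d+), (\w+) (\S+), (\d+), (\w+)")


def triage(log_text):
    """Sort log lines into the two failure signatures seen in the thread.

    'ike': phase-1 negotiations that were retransmitted and then aborted (the peer
    never answered on UDP 500). 'nat_in_front': packets dropped on the WAN whose
    source is an RFC1918 address, i.e. a private-addressed router (the DSL modem)
    is the firewall's next hop instead of the ISP."""
    retries = 0
    ike, nat_in_front = [], []
    for line in log_text.splitlines():
        if IKE_RETRY.search(line):
            retries += 1
        elif m := IKE_ABORT.search(line):
            local, _, peer, dport = m.groups()
            ike.append({"local": local, "peer": peer, "port": int(dport),
                        "retries_before_abort": retries})
            retries = 0
        elif m := PKT_DROP.search(line):
            proto, src, _, _, dst, _, dst_if = m.groups()
            if dst_if == "WAN" and ipaddress.ip_address(src).is_private:
                nat_in_front.append({"proto": proto, "gateway": src, "wan_ip": dst})
    return {"ike": ike, "nat_in_front": nat_in_front}


def advice(findings):
    """Map each finding to the check the thread converged on."""
    notes = []
    for f in findings["ike"]:
        notes.append(f"Phase 1 to {f['peer']} udp/{f['port']} got no reply after "
                     f"{f['retries_before_abort']} retransmit(s): verify IKE (UDP 500/4500) "
                     "and ESP reach the firewall at both ends (IPsec passthrough / NAT traversal).")
    gateways = sorted({f["gateway"] for f in findings["nat_in_front"]})
    if gateways:
        notes.append(f"Private gateway {', '.join(gateways)} seen on the WAN side: the modem "
                     "is routing/NATing in front of the firewall; bridge it and run PPPoE on "
                     "the firewall, or give the firewall a public IP with NAT off on the modem.")
    return notes


if __name__ == "__main__":
    for note in advice(triage(SAMPLE_LOG)):
        print("-", note)
```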
 
budchawlaCommented:
Stepping back a bit from your immediate question, why does your DSL modem have a LAN IP at all? The way you have your network set up may affect VPN behaviour... unless you have a specific requirement, I would recommend doing all your NATing on the SonicWALLs themselves rather than NATing at the DSL router. If you can set your DSL modem to bridge mode, then I recommend doing that and handling the PPP on the SonicWALL - by putting in your broadband username and password there. There are other ways to do this as well, by simply putting the router into "No-NAT" mode (this requires that you have at least 2 public IPs) or some routers offer half-bridge or transparent modes to achieve this.

I'm not familiar with the particular model of modem you're using but in general I have found that things work a lot better when your modem is doing the minimum possible, with all address translation etc happening on the SNWLs themselves...

hth

bud
0
 
12sierra12Author Commented:
OK so the Modem has the following:

A very limited number of applications require that the public IP address assigned to the modem be used by the local LAN device.  Let LAN device share Internet address?   Yes, use public IP address.

The technicians readout is listed below:

Technician Readout
1 Manufacturer Siemens Subscriber Networks, Inc.
2 Vendor ID b500
3 Model Number 4100
4 Friendly Name SpeedStream 4100 ADSL Modem
5 Model Description Single Port Ethernet Modem
6 Model Name SpeedStream
7 Serial Number 2001xx
8 Hardware Version 1.0
9 Modem DSL Firmware Version a1.01.00.00
10 Modem Software Version 1.0.0.53
11 Hardware Options -  
12 Software Options -  
13 Modem Configured true
14 Time Since Last Boot 001 days 01:42:09
15 Current Time 2008/ 1/30 22:19:35 GMT
16 Time Servers 132.163.4.102
129.6.15.29 time-b.timefreq.bldrdoc.gov
time-b.nist.gov
17 Time First Use 2006/12/06 19:00:24 GMT
 
30 Modem Health Status ok
31 DSL Link Status up
32 Time Since Last Sync 001 days 01:41:54
33 Loss of Signal false
34 Loss of Framing false
35 ATM Cell Delineation true
36 Internet Status up
37 Ethernet Link Status up
38 PPP Connection Status connected
39 PPP Last Connection Error None
40 PPP Uptime 001 days 01:29:09
 
50 Test ADSL Line Sync pass
51 Test ATM Cell Delineation pass
52 Test ATM Signal pass
53 Test ATM OAM Segment Ping pass
54 Test ATM OAM End to End Ping pass
55 Test DSL Ethernet to ATM pass
56 Test LAN Ethernet Connection pass
57 Test Mac Bridge to LAN Ethernet pass
58 Test LAN USB Connection -
59 Test Mac Bridge to LAN USB -
60 Test PPPoE to Ethernet pass
61 Test PPP to PPPoE pass
62 Test PPPoE Server Connect pass
63 Test PPPoE Server Session pass
64 Test Authentication with PPP Server pass
65 Test IP to WAN pass
66 Test IP to LAN Ethernet pass
67 Test IP to LAN USB -
68 Test IP to PPP pass
69 Test Validate WAN IP Address pass
70 Test Gateway Ping pass
71 Test DNS Well Known Host Query pass
72 Test Primary DNS Ping pass
73 Test Secondary DNS Ping pass
74 Test Mail Srvr 1 Ping skipped
75 Test Mail Srvr 2 Ping skipped
76 Test News Srvr 1 Ping skipped
77 Test News Srvr 2 Ping skipped
78 Test Web Portal 1 Ping skipped
79 Test Web Portal 2 Ping skipped
80 Test PPPoE Connect to GateWay pass
 
90 Active VCs provisioned 1
91 DSLAM Vendor Id 414c4342 (ALCB)
92 DSL Line Mode ANSI
93 DSL Training Mode multimode
94 Conf VPI 0
95 Conf VCI 35
96 Conf PVC Search List 0/35, 8/35, 0/43, 0/51, 0/59, 8/43, 8/51, 8/59
97 VPI 0
98 VCI 35
99 VC Encapsulation LLC
100 DSL Line Type fast
101 DSL Line Interleaved Depth 0
 
110 Default Device Enabled true
111 Default Device Mac Address 00:00:00:00:00:00
112 Default Device IP Address 55.55.55.55
113 Default Device Address Type private
114 Service Provider Name  
115 Service Provider Phone  
116 Service Provider URL  
117 Service Provider Help URL  
118 Modem MAC Address 00:13:A3:xxxx
119 LAN DHCP Server Enabled true
120 DHCP Subnet Mask 255.255.0.0
121 DHCP Start IP Address 192.168.1.64
122 DHCP End IP Address 192.168.1.64
123 DHCP Default Gateway 192.168.0.1
124 DHCP Default Lease Time 000 days 01:10:00
125 Domain name  
126 DHCP Leases Allocated 0
127 DHCP Leases Available 1
 
270 Internet Connection Type PPPoE
271 Modem Configuration Single Device Router
272 NAPT Enabled true
273 Modem IP Address 192.168.0.1
274 Modem Net Mask 255.255.0.0
275 Modem Broadcast Address 192.168.255.255
 
290 PPP UserName xxxxxx
291 PPP Service Name  
292 PPP Access Concentrator xxx
293 PPP Connect Mode Smart keep alive
294 PPP Idle Timeout  
295 Conf PPP Authentication Protocol chap  pap
296 PPP Authentication Protocol pap
297 WAN IP Address 55.55.55.55
298 WAN Subnet Mask 255.255.255.255
299 WAN Default Gateway 192.0.2.100
300 Conf DNS Servers -
301 DNS Servers xx
302 PPP MRU 1492
303 Conf PPP MRU 1492
304 LCP Echo 30
305 LCP Echo Retry 6
 
320 LAN Device Table
     Name   Type      IP             Mac             Leased Time              IP Rx   IP Tx   PPPoE Rx  Last Seen  Status
320a PAUL7  Ethernet  192.168.0.111  00:0B:xx:27:8C  2008/01/29 20:37:27 GMT  283818  239337  0         -          inactive
320b -      Ethernet  55.55.55.55                    2008/01/29 20:40:15 GMT  283818  239337  0         -          active
 
321 IP Gateway Table
     Type  Metric  Timeout  Status
321a -     -       -        -
 
322 IP Route Cache Table
     Net Addr         NetMask          Type  GW           Metric  Timeout   Iface  Origin
322a 127.0.0.0        255.0.0.0        -     127.0.0.1    64      0         lo0    -
322b 192.168.0.0      255.255.0.0      -     192.168.0.1  180     92520800  LAN    -
322c Default Gateway  -                -     192.0.2.100  64      92529886  PPPoE  -
322d 55.55.55.55      255.255.255.255  -     44.44.44.44          92529891  LAN    -
 
323 Ethernet IP ARP Table
     IP           MAC                Flags
323a              x:31:21:52         0x01
323b 192.168.1.2  00:00:00:00:00:00  0x01
323c              01:00:5E:7F:FF:FA  0x01
 
0
 
12sierra12Author Commented:
Also about PPP Location
.............
WARNING
Changing these settings may interfere with your ability to connect to the Internet.

 I have the following paragraph selected ...........

PPP is on the modem. This is the normal mode for this modem when connected to a single computer. In this mode, the PPP session is initiated from the modem. Gateways and routers should work in this mode but their configuration may have to be changed to do so (e.g., you may need to have the gateway/router IP address changed to 192.168.1.1).
   
 These are the other two options for the router.  I have tried these and not been able to connect to the internet from the local machines afterward.

 PPP is on the computer. This mode is normally used if you need to run a PPPoE client on your PC. This mode can be used with a gateway or router which initiates a PPPoE session. To return to the DSL modem user interface you will need to directly connect your PC to the modem without any gateway or router between the modem and the PC.
 
 Bridged Mode (PPPoE is not used). This mode must be used if you are connecting to a non-PPPoE network. Selecting this mode will cause the modem to automatically restart.
0
 
from_expCommented:
pppoe mode mentioned above can be used along with what budchawla proposed.
so you configure modem to be transparent, without ip address, enabled with bridged mode. then on your sonicwall you can configure your wan interface as pppoe interface.
in this configuration you'll avoid nat function of your modem and your wan interface of sonicwall will have real ip address given out by your isp
0
 
12sierra12Author Commented:
Thanks I will try this today.  I have tried to change to the bridge mode before but have run into problems with the modem.    However it may have been that I did not switch the SW to PPPoE and input correct user and password credentials.    At least I hope this is it.  Will get back to you 2 this evening.
0
 
budchawlaCommented:
Hi, sorry for not getting back earlier... yup, as I said before, you need to enable PPPoE on the WAN interface (Network->Interfaces) on your snwl - getting an internet connection depends on configuring your modem and pppoe client (in this case the snwl) properly. If your ISP is handing out a dynamic IP then you will know when you have the correct settings if you get an IP assigned to the snwl.

There aren't that many settings to play with so you shouldn't find it complicated...
0
 
12sierra12Author Commented:
DSL Modem was changed to the newer version Netopia 3356n and I disabled NAT on it.  I then went to the SW and enabled PPPoE on the WAN.  Was not able to get internet.  More info:
PC set to DHCP
Before disabling NAT I was able to connect to the internet when I was directly connected to the Netopia Modem.  After NAT I was not - I assume this was because the PC was set to DHCP and was not getting a DHCP server from the modem anymore.
I have 8 static IPs available through this connection.
After getting home I was able to lookup some help from Netopia ( http://netopia.com/support/hardware/technotes/CQG_042.html )
This link shows how to set up PPPoE with a routed Subnet.  I believe this is what I need to do next.  I will be trying again Friday.
0
 
budchawlaCommented:
Quite a comprehensive set of options above, I would only clarify option 1.. 12sierra12, you said you disabled NAT on the Netopia and then enabled PPPoE on the SNWL... this won't work. If all you do is disable NAT on the Netopia then you need to just set a static IP on the SNWL - not PPPoE.

You would only use PPPoE on the SNWL if you had a DSL modem in bridge mode.

No-NAT on the router is also OK (although I prefer bridge mode), just configure it with a public IP from your range - remember you can't use the router IP because the Netopia will have that...
0
 
12sierra12Author Commented:
Thanks guys!!!
This was a great comment.  thanks budchawla "You would only use PPPoE on the SNWL if you had a DSL modem in bridge mode."

Thanks for the options I like that as it is at least a starting place.  Here's my plan...
3) Config the Netopia to run PPPoE w/a Routed Subnet (NAT Off); Note: Don't forget to config the Sonic with Public IP & 255.255.255.248 netmask.  This places the Sonic in the DMZ - no firewall pin hole to config.

Question:  Do I have to route anything through the Netopia?  even with NAT off?  Don't think so but seems to be too easy.

I will be at the clients on Monday and will let you know then.

0
 
Press2EscCommented:
How did it go yesterday?  I noticed earlier where you stated you were using a Siemens 4100 and later a Netopia.  My comments were Netopia specific - hopefully you were able to access the Netopia router.

P2E
0
 
Press2EscCommented:
Hmmm, looks like we lost the virtual connection to 12sierra12 - or either 12sierra12 lost his "client connection"...  ; )
0