Eric_Price
asked on
Is it possible to create a VPN tunnel between Linksys RV016 and Sonicwall XRS2?
I can't for the life of me connect a tunnel between these two routers.
Original Site is connected to the Internet via a Sonicwall XPRS2, connected to a managed Cisco 1841 router which connects to the Internet through a T1 from the phone company.
New Site connects to the internet via a Linksys RV016, connected to a broadband provider.
Both have static IP addresses.
Original Site (SONICWALL XPRS2 SIDE)
LAN address is 192.168.0.1
WAN address is xxx.xxx.85.162
IPSec Keying Mode: IKE using Preshared Secret
Name: OKC to Houston
Disable This SA: Unchecked
IPSec Gateway Name or Address: 75.148.152.141
Exchange: Aggressive Mode
Phase 1 DH Group: Group 2
SA Life Time (secs): 28800
Phase 1 Encryption/Authentication: 3DES & MD5
Phase 2 Encryption/Authentication: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
Shared Secret: same as the other side
Specify destination networks below:
Network 192.168.1.0 Subnet: 255.255.255.0
Advanced Settings
Enable Keep Alive: checked
Try to bring up all possible SAs: checked
Require authentication of local users: unchecked
Require authentication of remote users: unchecked
Enable Windows Networking (Netbios) broadcast: checked
Apply NAT and firewall rules: unchecked
Forward packets to remote VPNs: checked
Enable Perfect Forward Secrecy: checked
Phase 2 DH Group: Group 2
Default LAN Gateway: 0.0.0.0
VPN Terminated at: LAN (other options DMZ, LAN/DMZ)
New Site (Linksys RV016 SIDE)
Its LAN address is 192.168.1.1
Its WAN address is xxx.xxx.152.141
Local Group Setup
Tunnel Name: OKC to Houston
Interface: WAN1
Enable: checked
Local Security Gateway Type: IP Only
IP Address: XXX.XXX.152.141
Local Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
Remote Group Setup
Remote Security Gateway Type: IP Only
IP Address: xxx.xxx.85.162
Remote Security Group Type: Subnet
IP Address: 192.168.0.0
Subnet Mask: 255.255.255.0
IP Sec Setup
Keying Mode: IKE with preshared key
Phase 1 DH Group: Group 2
Phase 1 Encryption: 3DES
Phase 1 Authentication: MD5
Phase 1 SA Life Time: 28800 seconds
Perfect Forward Secrecy: Checked
Phase 2 DH Group: Group 1
Phase 2 Encryption: 3DES
Phase 2 Authentication: MD5
Phase 2 SA Life Time: 28000 seconds
Preshared key (same as the other side)
Advanced
Keep-Alive checked
Compress (Support IPComp) checked
Keep Alive checked
AH Hash Algorithm MD5 checked
NETBios broadcast checked
NAT Traversal checked
Dead Peer Detected (interval 10 sec) checked
Anyone see what I have wrong? There is virtually no logging on the Sonicwall to help diagnose the problem, nor is there a place for Phase 2 SA lifetime, nor are there discrete entries for Phase 2 DH groups, etc. (As you can see from the entry above, it has these vague entries with a laundry list of protocols after.)
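As an added example for this thread (not part of the question, the accepted answer, or either vendor's tooling), the script below transcribes the two posted configurations into dictionaries and checks the parameters IKE/IPsec peers must agree on, plus the Phase 2 traffic selectors, which is the comparison a reader would do by hand against the two lists above. The field names, the lists of what must match, and the values marked as assumptions in the comments (no Phase 2 lifetime or IPComp option on the SonicWALL, unknown exchange mode on the RV016, the SonicWALL local network taken as the /24 behind its LAN address) are mine. It works for any two peers described with the same field names, not only these two units.

```python
"""Check two site-to-site IPsec peers' settings for the mismatches that stop
IKE Phase 1 / Phase 2 from negotiating.  Added example for this thread; the
two dictionaries are hand-transcribed from the settings posted above, and the
field names and rules are my own, not SonicWALL or Linksys options."""
import ipaddress
from typing import Any, Dict, List, Tuple

# (severity, parameter, side-A value, side-B value)
Finding = Tuple[str, str, Any, Any]

# Proposal parameters both peers must offer identically for a proposal to be
# accepted.  Keepalive, DPD and NAT-T are local behaviours and are not listed.
MUST_MATCH = [
    "exchange_mode", "p1_dh_group", "p1_encryption", "p1_authentication",
    "p2_encryption", "p2_authentication", "pfs", "p2_dh_group", "ipcomp", "ah",
]
# IKEv1 peers tolerate differing lifetimes (the shorter one is used), so
# these only produce warnings.
SHOULD_MATCH = ["p1_lifetime", "p2_lifetime"]

# SonicWALL XPRS2 side as posted.  None = the device exposes no such setting.
SONICWALL: Dict[str, Any] = {
    "exchange_mode": "aggressive",
    "p1_dh_group": 2, "p1_encryption": "3des", "p1_authentication": "md5",
    "p1_lifetime": 28800,
    "p2_encryption": "3des", "p2_authentication": "md5",  # ESP 3DES HMAC MD5
    "pfs": True, "p2_dh_group": 2,
    "p2_lifetime": None,   # no Phase 2 lifetime field on this unit
    "ipcomp": False,       # assumption: no IPComp option on this unit
    "ah": False,           # ESP only, no AH
    "local_net": "192.168.0.0/255.255.255.0",   # assumption: /24 behind LAN 192.168.0.1
    "remote_net": "192.168.1.0/255.255.255.0",  # posted destination network
}
# Linksys RV016 side as posted.
RV016: Dict[str, Any] = {
    "exchange_mode": None,  # not shown in the posted RV016 settings
    "p1_dh_group": 2, "p1_encryption": "3des", "p1_authentication": "md5",
    "p1_lifetime": 28800,
    "p2_encryption": "3des", "p2_authentication": "md5",
    "pfs": True, "p2_dh_group": 1,
    "p2_lifetime": 28000,
    "ipcomp": True,         # "Compress (Support IPComp)" checked
    "ah": True,             # "AH Hash Algorithm MD5" checked
    "local_net": "192.168.1.0/255.255.255.0",
    "remote_net": "192.168.0.0/255.255.255.0",
}


def compare_peers(a: Dict[str, Any], b: Dict[str, Any]) -> List[Finding]:
    """Return every parameter that differs or cannot be checked between a and b."""
    findings: List[Finding] = []
    for severity, keys in (("mismatch", MUST_MATCH), ("warning", SHOULD_MATCH)):
        for key in keys:
            va, vb = a.get(key), b.get(key)
            if va is None or vb is None:
                findings.append(("unknown", key, va, vb))
            elif va != vb:
                findings.append((severity, key, va, vb))
    # Phase 2 traffic selectors: each side's local network must be exactly the
    # other side's remote network, otherwise quick mode fails even when the
    # proposals agree.  ip_network() normalises "a.b.c.d/mask" and CIDR forms.
    for mine, theirs in (("local_net", "remote_net"), ("remote_net", "local_net")):
        na = ipaddress.ip_network(a[mine], strict=False)
        nb = ipaddress.ip_network(b[theirs], strict=False)
        if na != nb:
            findings.append(("mismatch", f"{mine}<->{theirs}", str(na), str(nb)))
    return findings


def blocking(findings: List[Finding]) -> List[str]:
    """Names of the parameters that will prevent the tunnel from coming up."""
    return [param for severity, param, _, _ in findings if severity == "mismatch"]


if __name__ == "__main__":
    for severity, param, va, vb in compare_peers(SONICWALL, RV016):
        print(f"{severity:8} {param:28} SonicWALL={va!r:10} RV016={vb!r}")
```

Run against the posted settings, it reports the Phase 2 DH group (Group 2 on the SonicWALL, Group 1 on the RV016), IPComp and AH as enabled on the RV016 only, and the exchange mode and Phase 2 lifetime as unknown on the SonicWALL side; the traffic selectors are consistent. The 28000 vs 28800 Phase 2 lifetime would only be a warning, since IKEv1 peers accept differing lifetimes rather than rejecting the proposal.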
ASKER
I originally configured it without aggressive mode, and it didn't work, and I had someone tell me to try using aggressive, which is why it is where it is now. Other thoughts?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help. As it were, I didn't really have a policy mismatch, it was just a typo while I was writing my question. I never could make the old Sonicwall work, but given it was over 5 years old I had no grief on replacing it. New unit was up and running in just a few minutes. Thanks for your willingness to help anyway.
Or if you prefer to use aggressive mode (less secure since initial information exchange occurs in clear text), make sure to configure the same setting on the RV016.