Solved

How can I configure a Sonicwall behind a Router to serve as the VPN server for another SonicWall offsite?

Posted on 2009-04-08
Last Modified: 2013-11-16
I have a SonicWall sitting behind a Cisco router.  I am trying to configure the Sonicwall to have a routable IP so that it can communicate with another SonicWall offsite.  Could someone please show me the best possible setup?  Any help is appreciated.
Question by:cbarbre
7 Comments
LVL 9

Expert Comment

by:tl121000
ID: 24101493
First - is the Cisco Router your router or the ISP's router (known as Customer Premise Equipment - CPE)?
If CPE, you need to see if you have an available public outside global address.
  • Ask your ISP if you have available addresses to use.
    • Most likely if the Sonic wall is already in production you have a Public IP on its interface that is connecting to the CISCO device.
      • You would need to set up a site-to-site VPN with the other sonic wall (same rules apply to the peer sonic wall).
      • You will need to set up a pre-shared key to establish the tunnel, and the encryption and hashing algorithms will need to match.

 
LVL 7

Expert Comment

by:EmpKent
ID: 24106824
You also need to ensure that the router is allowing IP protocols 50 and 51 for ESP and AH respectively in and out of the Sonicwall, assuming you will be creating an IPSec tunnel.

Thanks,

Kent
Author Comment

by:cbarbre
ID: 24118402
The router is my router.  The ISP only set up their end...  I indeed do have available addresses to use, as I am already using a handful for other purposes.  Would the SonicWALL be assigned one of these public IPs as the WAN interface, along with the corresponding subnet, DNS, and gateway addresses?  Or will I be putting in some NAT statements to resolve the public back to the sonicwall on a private address?

Thanks,
LVL 16

Accepted Solution

by: ccomley (earned 500 total points)
ID: 24174999
If you have public IP addresses to spare, then set the Sonicwall WAN up on one of them, so no NAT is happening on the router (do NAT on the Sonicwall to your protected network). Then it's pretty straightforward. Each end of the link you set up the VPN ...

(If using Enhanced OS, first create a "network" range name on each firewall thus:
 On SiteA sonic, create a range called SiteBLanRange, set it to the LAN range of Site B
 On SiteB sonic, create a range called SiteALanRange, set it to the LAN range of Site A - Tricky stuff huh! :-)
If you don't have Enhanced OS, you will have to manually insert the LAN IP ranges in the VPN config when you reach that point.)

Main VPN page. Tick the Enable VPN box if it isn't on already. The default Firewall Identifier will be your Firewall's serial number - that's good enough, and you should certainly not change it if you are already using any VPN tunnels.

VPN Policies - Site A
Create a new Policy.
  Auth - IKE using PreShared Secret.
  Name = SiteB
  IPsec Primary Gateway - set this to the IP address of the WAN side of the SiteB sonicwall
  IPsec Secondary = IF the SiteB firewall has a dual WAN connection, set this to the IP of the second.
  Shared Secret = make up a password/phrase. Type it in twice. Remember it, you'll need it on SiteB setup.
  Local IKE ID - Type = IP Address - Leave Blank
  Peer IKE ID - Type = IP address - Leave Blank
Networks
  Choose local network from list - select "Firewalled Subnets"  (a default range).
  Choose dest network from list - select "SiteBLanRange" (created above).
Proposals  - Phase 1
  Exch = Aggressive mode
  DH Grp = Group 2
  Encrypt = DES
  Auth = MD5
  TTL = 28800
Proposals - Phase 2
  ESP
  DES
  MD5
  (do not enable PFS)
  TTL 28800
Advanced
  Enable KeepAlive

Save it

Remember to check the ENABLED box for the policy

Repeat the process at Site B but remember to use SiteALanRange, and the Site A WAN IP address(es).

Once you have both sides configured and enabled they should just hook up automatically - a green blob will show against the policy once it's active and logged on.

ONCE YOU HAVE IT WORKING then (not before) feel free to tinker with the settings, e.g. try 3DES instead of DES. But get it working first! :-)

LVL 16

Expert Comment

by:ccomley
ID: 24175006
Oh - you *do* have DIFFERENT IP ranges on each LAN, don't you? You *can* set it up where both LANs have the same range but you have to do a complex double-loopback-reNAT thing that makes my head spin. Avoid, don't, set the LAN ranges to be different.

If you HAVE to do this behind a NAT router, it should work but make sure the router isn't interfering with ANY of the packets. In particular, if the router is offering to be a VPN host, turn that OFF so the router doesn't suck in the incoming IKE packets. Really, if you can, do NAT on the Sonicwall NOT on the router.

If behind NAT, do NOT change the phase 2 proposal from ESP to AH - AH type proposals include the source IP address in the encoding so of course NAT screws it up.
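The accepted answer's mirrored Site A / Site B policy and the two follow-up caveats (distinct LAN ranges, ESP rather than AH behind NAT) are easy to get subtly wrong when typed into two GUIs. The following consistency checker is an added example, not code from the thread or from SonicWall; the two policies are constructed samples (RFC 5737 documentation addresses, made-up shared secret) shaped after the fields the answer walks through.

```python
import ipaddress

# Constructed sample policies (hypothetical addresses), mirroring the fields
# the accepted answer walks through. phase1 = (exchange, DH group, encryption,
# auth, lifetime); phase2 = (protocol, encryption, auth, PFS, lifetime).
SITE_A = {
    "wan_ip": "203.0.113.10", "lan": "192.168.10.0/24", "behind_nat": False,
    "peer_gateway": "198.51.100.20", "dest_lan": "192.168.20.0/24",
    "shared_secret": "correct horse battery", "enabled": True,
    "phase1": ("aggressive", "group2", "DES", "MD5", 28800),
    "phase2": ("ESP", "DES", "MD5", False, 28800),
}
SITE_B = {
    "wan_ip": "198.51.100.20", "lan": "192.168.20.0/24", "behind_nat": False,
    "peer_gateway": "203.0.113.10", "dest_lan": "192.168.10.0/24",
    "shared_secret": "correct horse battery", "enabled": True,
    "phase1": ("aggressive", "group2", "DES", "MD5", 28800),
    "phase2": ("ESP", "DES", "MD5", False, 28800),
}
WEAK = {"DES", "MD5"}  # legacy algorithms; the answer itself suggests 3DES once the tunnel is up

def legacy_algorithms(policy):
    """Weak algorithm names a policy still uses (advisory, not a mismatch)."""
    return (WEAK & set(policy["phase1"])) | (WEAK & set(policy["phase2"]))

def check_pair(a, b):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    for side, peer, name in ((a, b, "A"), (b, a, "B")):
        if not side["enabled"]:
            problems.append(f"Site {name}: policy is not enabled")
        if side["peer_gateway"] != peer["wan_ip"]:
            problems.append(f"Site {name}: primary gateway {side['peer_gateway']} "
                            f"is not the peer WAN IP {peer['wan_ip']}")
        if side["dest_lan"] != peer["lan"]:
            problems.append(f"Site {name}: destination network {side['dest_lan']} "
                            f"is not the peer LAN {peer['lan']}")
        # AH authenticates the outer IP header, so NAT rewriting breaks it; use ESP.
        if side["behind_nat"] and side["phase2"][0] == "AH":
            problems.append(f"Site {name}: AH behind NAT will fail; use ESP")
    if a["shared_secret"] != b["shared_secret"]:
        problems.append("Shared secrets differ")
    if a["phase1"] != b["phase1"]:
        problems.append("Phase 1 proposals differ")
    if a["phase2"] != b["phase2"]:
        problems.append("Phase 2 proposals differ")
    lan_a, lan_b = ipaddress.ip_network(a["lan"]), ipaddress.ip_network(b["lan"])
    if lan_a.overlaps(lan_b):  # identical/overlapping LANs need the double-NAT workaround
        problems.append(f"LAN ranges overlap: {lan_a} and {lan_b}")
    return problems
```

Run `check_pair(SITE_A, SITE_B)` after filling in both policies; anything it returns is a reason the green blob never appears, while `legacy_algorithms` just lists what to upgrade once the tunnel is up.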

Author Closing Comment

by:cbarbre
ID: 31568063
Thanks for the help....