parmor
Sonicwall NSA 2400 Device connecting users with a Windows 2000 AD. LDAP or Radius? This is for VPN users to connect in using NSA 2400
I have never used this appliance, nor have I used LDAP or RADIUS, and have no idea how to set up either one. What is the easier option, LDAP or RADIUS? This is so users can connect in using Sonicwall's VPN Client software.
Is there someone that can walk me through either one? I did set it to use LDAP and it worked but it was not secure and the NSA Appliance told me it was not recommended.
It seemed like with RADIUS I needed to set up password encryption, which required a password change for every user (I don't want to have to do that).
Anyone out there who can walk me through it?
Thanks
You can use the local SonicWALL database on the SonicWALL without RADIUS or LDAP. The SonicWALL recommends that you use a certificate for either authentication method. Their concern is the traffic between the SonicWALL and the server being in the clear. Someone could analyze that traffic and see usernames and passwords. However, this traffic is on your internal network, so the likelihood of this happening is fairly low.

In my opinion, RADIUS is easier to set up, but it requires more configuration on the Windows server side. You can leave the LDAP configuration despite the SonicWALL's concern about the missing certificate. Here are the KBs for setting up both along with Windows.

LDAP: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7806
RADIUS with 2008 server: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6591
RADIUS with 2003 server: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5125
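The "in the clear" concern in the reply above can be checked on the wire. The following is an added example, not code from this thread or from SonicWALL: it builds the two datagrams a firewall would send to verify a VPN user's password, an LDAP simple bind (RFC 4511) and a RADIUS Access-Request (RFC 2865), and shows that the simple bind carries the password verbatim unless the session is wrapped in TLS (the certificate the appliance asks about), while RADIUS only masks it with MD5 of the shared secret, so anyone who captures the firewall-to-server leg and holds or guesses the secret recovers the password. The bind DN, user name, password and shared secret are made-up values.

```python
import hashlib
import os
import struct

# Added example, not from the thread or from SonicWALL. Every name and value
# below (bind DN, user, password, shared secret) is constructed for illustration.


def _ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV encoder; short-form length only, enough for these sizes."""
    assert len(content) < 128, "short-form BER length only"
    return bytes([tag, len(content)]) + content


def ldap_simple_bind(message_id: int, bind_dn: bytes, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    RFC 4511 simple authentication is a context-tagged [0] OCTET STRING: the
    password goes on the wire as-is, so only TLS (LDAPS or StartTLS) protects it.
    """
    bind_request = _ber(
        0x60,                                 # [APPLICATION 0] BindRequest, constructed
        _ber(0x02, b"\x03")                   # version INTEGER 3
        + _ber(0x04, bind_dn)                 # name LDAPDN (OCTET STRING)
        + _ber(0x80, password),               # authentication: simple [0]
    )
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind_request)  # SEQUENCE


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: all a sniffer needs, given the shared
    secret (or an offline guess at it), to turn a capture back into the password."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def radius_access_request(identifier: int, username: bytes, password: bytes,
                          secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = (bytes([1, 2 + len(username)]) + username
             + bytes([2, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def password_visible(packet: bytes, password: bytes) -> bool:
    """True when the password bytes appear verbatim in the datagram, i.e. what
    anyone capturing the firewall-to-server leg reads straight off the wire."""
    return password in packet


if __name__ == "__main__":
    bind_dn, password = b"cn=vpnuser,dc=example,dc=com", b"S3cret!"   # constructed
    secret, authenticator = b"radius-shared-secret", os.urandom(16)   # constructed

    ldap = ldap_simple_bind(1, bind_dn, password)
    print("LDAP simple bind, password visible on the wire:", password_visible(ldap, password))

    radius = radius_access_request(7, b"vpnuser", password, secret, authenticator)
    print("RADIUS Access-Request, password visible on the wire:", password_visible(radius, password))

    hidden = radius_hide_password(password, secret, authenticator)
    print("Revealed with the shared secret:", radius_reveal_password(hidden, secret, authenticator))
    print("Revealed with a wrong secret:   ", radius_reveal_password(hidden, b"guess", authenticator))
```

The RADIUS masking is not encryption in any modern sense: it is a keystream derived from MD5 of a static secret, and a weak secret is recoverable offline from a single captured request/response pair. That is why the practical fix for either protocol is the same one the appliance hints at: put the leg between the firewall and the directory or RADIUS server on TLS (LDAPS) or on an isolated management segment, rather than relying on "it's internal".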
ASKER
Thanks digitap. I imagine the setup for 2003 is similar to 2000, but I can just as easily install the RADIUS component on any server, correct?
ASKER CERTIFIED SOLUTION
ASKER
Thanks digitap, we are getting somewhere. The settings have changed a little bit on the SonicWALL side, so they are not exactly as per the PDF.
I am able to connect using the SonicWALL VPN client, but it keeps rejecting my username and password. It did prompt for and accept my "shared secret".
The log file shows (I replaced the actual ip and domain with fake ones for this post):
2010/08/18 13:02:30:069 Information 10.10.10.1 Starting ISAKMP phase 1 negotiation.
2010/08/18 13:02:30:131 Information 10.10.10.1 Starting aggressive mode phase 1 exchange.
2010/08/18 13:02:30:131 Information 10.10.10.1 NAT Detected: Local host is behind a NAT device.
2010/08/18 13:02:30:131 Information 10.10.10.1 The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 13:02:30:131 Information 10.10.10.1 Phase 1 has completed.
2010/08/18 13:02:30:146 Information 10.10.10.1 Received XAuth request.
2010/08/18 13:02:30:146 Information 10.10.10.1 Sending XAuth reply.
2010/08/18 13:02:30:147 Information 10.10.10.1 Received initial contact notify.
2010/08/18 13:02:30:169 Information 10.10.10.1 Received XAuth status.
2010/08/18 13:02:30:169 Information 10.10.10.1 Sending XAuth acknowledgement.
2010/08/18 13:02:30:169 Warning 10.10.10.1 XAuth failed. (null)
2010/08/18 13:02:30:169 Warning 10.10.10.1 User authentication has failed.
2010/08/18 13:02:30:185 Information An incoming ISAKMP packet from 10.10.10.1 was ignored.
2010/08/18 13:02:34:495 Warning vpn.mydomain.com The username/password dialog box was cancelled by the user. The connection will be disabled.
You should not have been prompted for the shared secret within the GVC...that's what you are talking about, right? When you configure the GroupVPN settings on the SonicWALL, go to the last tab and click the checkbox called "Use Default Key for Simple Client Provisioning". Then, when you enable the connection with the GVC, you should ONLY get the username prompt. When you tested the RADIUS connection on the SonicWALL, did it pass successfully?
ASKER
Yes, that is correct, the shared secret on the GVC.
I did check that box to Use Default Key for Simple Client Provisioning after you recommended it.
Also, under Users->Settings->RADIUS->Configure I go to the Test tab and have tried 8 different usernames and passwords, and they all say successful, but the GVC client isn't working with the same usernames and passwords.
"Radius Client Authentication Succeeded"
ASKER
OK, for some reason I am getting further; now the log shows the following:
2010/08/18 14:03:19:002 Warning vpn.mydomain.com The downloaded policy configuration contains no destination networks.
2010/08/18 14:03:19:002 Error vpn.mydomain.com The policy downloaded from the firewall is invalid or incomplete. Contact your network administrator.
Check the group that was assigned access within the GroupVPN policy and see what networks have been assigned to that group. Go to Users > Local Group, click Edit, and go to the VPN Access tab. You'll want to add all the networks that you want GVC users to access.
ASKER
We are getting somewhere, but the log shows the following: user Andrew, but that is not the user I am logging in to GVC with, and I am not getting a "local" IP address.
2010/08/18 14:55:49:661 Information The connection "vpn.mydomain.com" has been enabled.
2010/08/18 14:55:50:168 Error Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 14:55:50:182 Information 10.10.10.1 Starting ISAKMP phase 1 negotiation.
2010/08/18 14:55:50:243 Information 10.10.10.1 Starting aggressive mode phase 1 exchange.
2010/08/18 14:55:50:244 Information 10.10.10.1 NAT Detected: Local host is behind a NAT device.
2010/08/18 14:55:50:244 Information 10.10.10.1 The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 14:55:50:244 Information 10.10.10.1 Phase 1 has completed.
2010/08/18 14:55:50:262 Information 10.10.10.1 Received XAuth request.
2010/08/18 14:55:50:262 Information 10.10.10.1 XAuth has requested a username but one has not yet been specified.
2010/08/18 14:55:50:262 Information 10.10.10.1 Sending phase 1 delete.
2010/08/18 14:55:50:263 Information 10.10.10.1 User authentication information is needed to complete the connection.
2010/08/18 14:55:50:287 Information An incoming ISAKMP packet from 10.10.10.1 was ignored.
2010/08/18 14:56:01:030 Error Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 14:56:01:039 Information 10.10.10.1 Starting ISAKMP phase 1 negotiation.
2010/08/18 14:56:01:098 Information 10.10.10.1 Starting aggressive mode phase 1 exchange.
2010/08/18 14:56:01:098 Information 10.10.10.1 NAT Detected: Local host is behind a NAT device.
2010/08/18 14:56:01:098 Information 10.10.10.1 The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 14:56:01:098 Information 10.10.10.1 Phase 1 has completed.
2010/08/18 14:56:01:111 Information 10.10.10.1 Received XAuth request.
2010/08/18 14:56:01:111 Information 10.10.10.1 Sending XAuth reply.
2010/08/18 14:56:01:112 Information 10.10.10.1 Received initial contact notify.
2010/08/18 14:56:01:131 Information 10.10.10.1 Received XAuth status.
2010/08/18 14:56:01:131 Information 10.10.10.1 Sending XAuth acknowledgement.
2010/08/18 14:56:01:131 Information 10.10.10.1 User authentication has succeeded.
2010/08/18 14:56:01:145 Information 10.10.10.1 Received request for policy version.
2010/08/18 14:56:01:145 Information 10.10.10.1 Sending policy version reply.
2010/08/18 14:56:01:157 Information 10.10.10.1 Received policy change is not required.
2010/08/18 14:56:01:157 Information 10.10.10.1 Sending policy acknowledgement.
2010/08/18 14:56:01:157 Information 10.10.10.1 The configuration for the connection is up to date.
2010/08/18 14:56:01:179 Information 10.10.10.1 Starting ISAKMP phase 2 negotiation with 192.168.3.1/255.255.255.255:Any:Any: N/A.
2010/08/18 14:56:01:179 Information 10.10.10.1 Starting quick mode phase 2 exchange.
2010/08/18 14:56:01:192 Information 10.10.10.1 The SA lifetime for phase 2 is 28800 seconds.
2010/08/18 14:56:01:192 Information 10.10.10.1 Phase 2 with 192.168.3.1/255.255.255.255:Any:Any: N/A has completed.
2010/08/18 14:56:01:223 Information vpn.mydomain.com NetWkstaUserGetInfo returned: user: Andrew, logon domain: ANDREW, logon server: ANDREW
2010/08/18 14:56:05:723 Information vpn.mydomain.com NetGetDCName failed: Could not find domain controller for this domain.
2010/08/18 14:56:05:723 Information vpn.mydomain.com calling NetUserGetInfo: Server: \, User: Andrew, level: 3
2010/08/18 14:56:05:724 Information vpn.mydomain.com NetUserGetInfo returned: home dir: , remote dir: , logon script:
I think you might be able to ignore the stuff about Andrew. Is Andrew the name of the local workstation where the GVC is installed? It appears to be connecting...can you get to hosts behind the SonicWALL once you get connected...I mean, do you get an IP address?
ASKER
Yes, you are correct that is my home computer where I am testing, d'oh!
I am not getting an IP Address from my work network and cannot access any resources on the other end.
OK...then we need to make sure you have DHCP setup correctly. Go to VPN > DHCP over VPN. With Central Gateway showing in the drop down, click Configure. What do you have configured for a DHCP server? My recommendation is to use a DHCP scope on the sonicwall. Most, however, utilize a Windows DHCP server for this. I don't like to do that as Windows will sometimes assign a GVC host with an IP that a host on the internal network already has. Obviously, that causes problems. I use the WLAN DHCP scope.
Then, what's 192.168.3.1? Is that the IP network of your home computer?
ASKER
192.168.0.1-192.168.3.255
subnet mask 255.255.252.0
internal network at work.
192.168.3.1 is the Sonicwall internal IP address
ASKER
Still cannot connect locally to anything inside the network
NetGetDCName failed: I think that could be part of the problem as well.
---
2010/08/18 15:25:15:807 Information 10.10.10.1 Phase 2 with 192.168.3.1/255.255.255.255:Any:Any: N/A has completed.
2010/08/18 15:25:15:836 Information vpn.mydomain.com NetWkstaUserGetInfo returned: user: Andrew, logon domain: ANDREW, logon server: ANDREW
2010/08/18 15:25:20:338 Information vpn.mydomain.com NetGetDCName failed: Could not find domain controller for this domain.
2010/08/18 15:25:20:338 Information vpn.mydomain.com calling NetUserGetInfo: Server: \, User: Andrew, level: 3
2010/08/18 15:25:20:339 Information vpn.mydomain.com NetUserGetInfo returned: home dir: , remote dir: , logon script:
SOLUTION
You should see in the log the IP address assigned to your GVC.
Also, go to Firewall > Access Rules and check VPN > LAN and LAN > VPN. Even if you are getting an IP, if the access rules aren't correct, you won't be able to connect to the network.
ASKER
dumb question:
"type the IP address of the WLAN interface in the Relay IP address box, click ok" Is that the external IP or internal IP? I tried both and neither made a difference.
The only IP I am seeing in the GVC is the 192.168.3.1 (internal IP of the NSA 2400) I am still not seeing any DHCP address from my network.
Re: the Firewall both were automatically ALLOW because they were generated by the appliance. I couldn't make any changes.
ASKER
Also, under VPN->SETTINGS
VPN Policies:
#1 WAN GroupVPN
#2 WLAN GroupVPN
I cannot check Enable next to WLAN GroupVPN (#2); I get "Error: No interface attached to this zone".
Is that something I need to be concerned with?
The only one I can enable is the #1 WAN GroupVPN
SOLUTION
ASKER
OK. I am still connecting, but it is still not giving me an internal IP nor access to anything behind the NSA 2400. FYI: 10.10.10.1 is actually 70.50.X.X, my external IP; I just modified it for posting.
192.168.3.1 is the Sonicwall NSA 2400.
I did a test and created a VPN server inside the network on a Win 2k3 Standard server and manually added a VPN connection using Windows 7; I have no problems connecting and logging in. It seems like something on the NSA 2400 is just not configured correctly, and I am unsure of what that is. The problem with that is I just purchased a 50-user license for SonicWALL Global VPN Clients, and once it is working it will be a much easier process to walk users through than manually creating instructions for 4-6 different OSes.
The results, either using DHCP on the SonicWALL (192.168.3.1) or my internal DHCP server (192.168.0.3), are exactly the same:
2010/08/18 22:08:47:322 Information The connection "vpn.mydomain.com" has been enabled.
2010/08/18 22:08:47:904 Error Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 22:08:47:918 Information 10.10.10.1 Starting ISAKMP phase 1 negotiation.
2010/08/18 22:08:47:981 Information 10.10.10.1 Starting aggressive mode phase 1 exchange.
2010/08/18 22:08:47:981 Information 10.10.10.1 NAT Detected: Local host is behind a NAT device.
2010/08/18 22:08:47:981 Information 10.10.10.1 The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 22:08:47:981 Information 10.10.10.1 Phase 1 has completed.
2010/08/18 22:08:47:996 Information 10.10.10.1 Received XAuth request.
2010/08/18 22:08:47:996 Information 10.10.10.1 XAuth has requested a username but one has not yet been specified.
2010/08/18 22:08:47:996 Information 10.10.10.1 Sending phase 1 delete.
2010/08/18 22:08:47:997 Information 10.10.10.1 User authentication information is needed to complete the connection.
2010/08/18 22:08:48:028 Information An incoming ISAKMP packet from 10.10.10.1 was ignored.
2010/08/18 22:08:54:215 Error Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 22:08:54:223 Information 10.10.10.1 Starting ISAKMP phase 1 negotiation.
2010/08/18 22:08:54:519 Information 10.10.10.1 Starting aggressive mode phase 1 exchange.
2010/08/18 22:08:54:519 Information 10.10.10.1 NAT Detected: Local host is behind a NAT device.
2010/08/18 22:08:54:519 Information 10.10.10.1 The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 22:08:54:519 Information 10.10.10.1 Phase 1 has completed.
2010/08/18 22:08:54:757 Information 10.10.10.1 Received XAuth request.
2010/08/18 22:08:54:757 Information 10.10.10.1 Sending XAuth reply.
2010/08/18 22:08:54:759 Information 10.10.10.1 Received initial contact notify.
2010/08/18 22:08:55:025 Information 10.10.10.1 Received XAuth status.
2010/08/18 22:08:55:025 Information 10.10.10.1 Sending XAuth acknowledgement.
2010/08/18 22:08:55:025 Information 10.10.10.1 User authentication has succeeded.
2010/08/18 22:08:55:271 Information 10.10.10.1 Received request for policy version.
2010/08/18 22:08:55:271 Information 10.10.10.1 Sending policy version reply.
2010/08/18 22:08:55:529 Information 10.10.10.1 Received policy change is not required.
2010/08/18 22:08:55:529 Information 10.10.10.1 Sending policy acknowledgement.
2010/08/18 22:08:55:529 Information 10.10.10.1 The configuration for the connection is up to date.
2010/08/18 22:08:55:551 Information 10.10.10.1 Starting ISAKMP phase 2 negotiation with 192.168.3.1/255.255.255.255:Any:Any: N/A.
2010/08/18 22:08:55:551 Information 10.10.10.1 Starting quick mode phase 2 exchange.
2010/08/18 22:08:55:831 Information 10.10.10.1 The SA lifetime for phase 2 is 28800 seconds.
2010/08/18 22:08:55:831 Information 10.10.10.1 Phase 2 with 192.168.3.1/255.255.255.255:Any:Any: N/A has completed.
2010/08/18 22:08:55:885 Information vpn.mydomain.com NetWkstaUserGetInfo returned: user: Andrew, logon domain: ANDREW, logon server: ANDREW
2010/08/18 22:09:00:385 Information vpn.mydomain.com NetGetDCName failed: Could not find domain controller for this domain.
2010/08/18 22:09:00:385 Information vpn.mydomain.com calling NetUserGetInfo: Server: \, User: Andrew, level: 3
2010/08/18 22:09:00:386 Information vpn.mydomain.com NetUserGetInfo returned: home dir: , remote dir: , logon script:
Here's my log after a successful connection from almost the moment that I launch the GVC to the end when my connection is made.
2010/08/19 00:25:06:937 Information <local host> SonicWALL Global VPN Client version 4.2.6.0305
2010/08/19 00:25:13:640 Information <local host> The connection "myconnection" has been enabled.
2010/08/19 00:25:14:968 Information xx.xx.xx.xx Starting ISAKMP phase 1 negotiation.
2010/08/19 00:25:15:546 Information xx.xx.xx.xx Starting aggressive mode phase 1 exchange.
2010/08/19 00:25:15:546 Information xx.xx.xx.xx NAT Detected: Local host is behind a NAT device.
2010/08/19 00:25:15:546 Information xx.xx.xx.xx The SA lifetime for phase 1 is 28800 seconds.
2010/08/19 00:25:15:546 Information xx.xx.xx.xx Phase 1 has completed.
2010/08/19 00:25:15:796 Information xx.xx.xx.xx Received XAuth request.
2010/08/19 00:25:15:796 Information xx.xx.xx.xx XAuth has requested a username but one has not yet been specified.
2010/08/19 00:25:15:796 Information xx.xx.xx.xx Sending phase 1 delete.
2010/08/19 00:25:15:796 Information xx.xx.xx.xx User authentication information is needed to complete the connection.
2010/08/19 00:25:15:906 Information <local host> An incoming ISAKMP packet from xx.xx.xx.xx was ignored.
2010/08/19 00:25:22:921 Information xx.xx.xx.xx Starting ISAKMP phase 1 negotiation.
2010/08/19 00:25:23:328 Information xx.xx.xx.xx Starting aggressive mode phase 1 exchange.
2010/08/19 00:25:23:328 Information xx.xx.xx.xx NAT Detected: Local host is behind a NAT device.
2010/08/19 00:25:23:328 Information xx.xx.xx.xx The SA lifetime for phase 1 is 28800 seconds.
2010/08/19 00:25:23:328 Information xx.xx.xx.xx Phase 1 has completed.
2010/08/19 00:25:23:593 Information xx.xx.xx.xx Received XAuth request.
2010/08/19 00:25:23:593 Information xx.xx.xx.xx Sending XAuth reply.
2010/08/19 00:25:23:593 Information xx.xx.xx.xx Received initial contact notify.
2010/08/19 00:25:23:906 Information xx.xx.xx.xx Received XAuth status.
2010/08/19 00:25:23:906 Information xx.xx.xx.xx Sending XAuth acknowledgement.
2010/08/19 00:25:23:906 Information xx.xx.xx.xx User authentication has succeeded.
2010/08/19 00:25:24:171 Information xx.xx.xx.xx Received request for policy version.
2010/08/19 00:25:24:187 Information xx.xx.xx.xx Sending policy version reply.
2010/08/19 00:25:24:234 Information xx.xx.xx.xx Received policy change is not required.
2010/08/19 00:25:24:234 Information xx.xx.xx.xx Sending policy acknowledgement.
2010/08/19 00:25:24:234 Information xx.xx.xx.xx The configuration for the connection is up to date.
2010/08/19 00:25:24:265 Information xx.xx.xx.xx Starting ISAKMP phase 2 negotiation with 192.168.3.0/255.255.255.0: BOOTPC:BOOTPS:UDP.
2010/08/19 00:25:24:265 Information xx.xx.xx.xx Starting quick mode phase 2 exchange.
2010/08/19 00:25:24:343 Information xx.xx.xx.xx The SA lifetime for phase 2 is 28800 seconds.
2010/08/19 00:25:24:343 Information xx.xx.xx.xx Phase 2 with 192.168.3.0/255.255.255.0: BOOTPC:BOOTPS:UDP has completed.
2010/08/19 00:25:24:359 Information <local host> Renewing IP address for the virtual interface (00-60-73-DA-71-AB).
2010/08/19 00:25:28:515 Information <local host> The IP address for the virtual interface has changed to 172.16.33.21.
2010/08/19 00:25:28:531 Information <local host> The system ARP cache has been flushed.
2010/08/19 00:25:28:593 Information vpn.domain.org NetWkstaUserGetInfo returned: user: tcarver, logon domain: local, logon server: server
2010/08/19 00:25:31:203 Information vpn.domain.org NetGetDCName failed: Could not find domain controller for this domain.
2010/08/19 00:25:31:203 Information vpn.domain.org calling NetUserGetInfo: Server: \, User: username, level: 3
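A small parser for the Global VPN Client log format posted above, added here as an example (it is not from the thread or from SonicWALL): it walks one connection attempt, records how phase 1, XAuth and phase 2 finished, pulls out the assigned virtual IP, and flags the two items worth a second look (aggressive-mode phase 1 and the NetGetDCName failure). The log lines inside it are a constructed sample in the same layout, not the poster's data.

```python
import re

# Constructed sample in the SonicWALL GVC log layout quoted in the thread; not real connection data.
SAMPLE_LOG = """\
2010/08/19 00:25:15:546 Information xx.xx.xx.xx Starting aggressive mode phase 1 exchange.
2010/08/19 00:25:15:546 Information xx.xx.xx.xx Phase 1 has completed.
2010/08/19 00:25:15:796 Information xx.xx.xx.xx Received XAuth request.
2010/08/19 00:25:23:906 Information xx.xx.xx.xx User authentication has succeeded.
2010/08/19 00:25:24:343 Information xx.xx.xx.xx Phase 2 with 192.168.3.0/255.255.255.0: BOOTPC:BOOTPS:UDP has completed.
2010/08/19 00:25:28:515 Information <local host> The IP address for the virtual interface has changed to 172.16.33.21.
2010/08/19 00:25:31:203 Information vpn.domain.org NetGetDCName failed: Could not find domain controller for this domain.
"""

# One GVC line: "YYYY/MM/DD HH:MM:SS:mmm Level Source Message"; Source is a
# host/IP token or the literal "<local host>".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) (\S+) "
                     r"(<local host>|\S+) (?P<msg>.*)$")

def summarize_gvc_log(text):
    """Walk one connection attempt and record what each IKE/XAuth stage reported."""
    s = {"aggressive_mode": False, "phase1_done": False, "xauth_ok": False,
         "phase2_done": False, "virtual_ip": None, "dc_lookup_failed": False}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GVC log line
        msg = m["msg"]
        if "aggressive mode phase 1" in msg:
            s["aggressive_mode"] = True
        elif msg == "Phase 1 has completed.":
            s["phase1_done"] = True
        elif msg == "User authentication has succeeded.":
            s["xauth_ok"] = True
        elif msg.startswith("Phase 2 with") and msg.endswith("has completed."):
            s["phase2_done"] = True
        elif "virtual interface has changed to" in msg:
            s["virtual_ip"] = msg.rstrip(".").rsplit(" ", 1)[1]  # last token is the IP
        elif msg.startswith("NetGetDCName failed"):
            s["dc_lookup_failed"] = True
    return s

def findings(summary):
    """Notes an admin reviewing the log would want beyond 'it connected'."""
    notes = []
    if summary["aggressive_mode"]:
        notes.append("aggressive mode: IKE identity and PSK hash are sent unencrypted; prefer a certificate-based phase 1")
    if summary["dc_lookup_failed"]:
        notes.append("NetGetDCName failed: client cannot locate a DC through the tunnel; check the DNS/WINS servers handed to VPN clients")
    return notes
```

Run `findings(summarize_gvc_log(open("gvc.log").read()))` against a saved GVC log to get the same two notes for a real session.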
ASKER
Finally! With all of your help my VPN is now up and running with NSA 2400 and the Windows 2000 RADIUS!!!
THANK YOU SO MUCH!
You're welcome! If I didn't love this stuff, I wouldn't be here, but the kudos are nice (so are the points...thanks for those!)!
ASKER
Digitap are you still around?
I thought everything was working perfectly but apparently it's not. I cannot use Remote Desktop to connect to any workstations.
I am getting an IP from the DHCP server, but when I try to connect to SERVER1 it times out, and if I try SERVER1.mydomain.com it also fails.
If I use the VPN that I created before, I connect and then enter the entire name of the PC/Server, i.e. SERVER1.mydomain.com, and it works without error.
Any ideas?
ASKER
Oh, and when connected with the Sonicwall VPN Client software I can use a command prompt and ping any PC/server and get a response, but for some reason Remote Desktop is not working.
If you are getting an IP address, then you should be golden. Login to the sonicwall and go to Firewall > Access Rules. Click the VPN > LAN matrix and tell me what you see there for rules. Also, check the reflexive rules for LAN > VPN.
ASKER
Is this what you are referring to?
see attached images
Firewall-rules-VPN-to-LAN.JPG
Firewall-rules-LAN-to-VPN.JPG
Yes...but then after I asked the question, it dawned on me that you could ping. What if you ping by IP address rather than FQDN or hostname? Does that work?
ASKER
Now I can ping SERVER1 and I get the IP address, but it times out; it also times out when I ping by IP address.
ASKER
2010/08/25 00:00:18:186 Information vpn.mydomain.com NetGetDCName failed: Could not find domain controller for this domain.
OK...check the user group on the sonicwall that you've used to configure Client Authentication within the WAN GroupVPN SA to confirm you've given that group the proper network access. Login to the sonicwall > Users > Local Groups. Edit the user group and go to the VPN Access tab. When I add networks, I usually add Firewalled Subnets. If you add something different, make sure it's the whole subnet and not just a primary IP address.
ASKER
Login to the sonicwall > Users > Local Groups. Edit the user group and go to the VPN Access tab.
----
All I have under Users > Local Groups. In VPN Access I have DMZ Subnets and LAN Subnets. I deleted LAN Subnets because I could not have both Firewall Subnets. Still nothing changed. Cannot ping IP or UNC.
take out everything and just put firewalled subnets. is the group you are viewing the group that's assigned within the groupvpn?
ASKER
everything is working now from my home network except one laptop.
I have one laptop (Dell) and a desktop (Asus mobo, built) and then a Toshiba (laptop).
Both the Dell and the Asus connect with the Sonicwall Global VPN Client (GVC), I get an IP, and I can ping all my PC names or IP addresses without error.
The Toshiba laptop can connect and I get an IP, but I cannot ping by PC name; I can only ping by IP address. Any idea why?
Both the Dell and the Toshiba are wireless, connecting to my router that the Asus is wired to.
Any ideas?
I use the same username on all three PCs and, like I said, it connects fine and I get a valid IP, but one of the three does not allow me to ping by PC name, i.e. PC100 (192.168.0.15). I can ping by IP only on the Toshiba.
Are you getting a DNS server assigned? Have you modified the others' hosts file or done something manually on them to give them name resolution that the Toshiba would not have?
ASKER
I do get two dns servers which are valid.
I didn't modify anything manually.
It's really strange. When I ping pc100 I get a reply from 192.168.0.15 on the two. The Toshiba replies, but it is from my Belkin router (cable modem IP, I assume).
hmmm, sounds as if the cable modem isn't allowing your IPSEC traffic to traverse back and forth from the Toshiba? Is the Toshiba laptop the only GVC device on the Belkin?
ASKER
No all three devices are connected to the belkin.
yes, that is strange. Update the drivers on the Toshiba? Review the belkin and confirm there isn't something there singling out the Toshiba...maybe restart the belkin to clear the arp tables, etc.
ASKER
No idea why it wasn't causing problems on the other two, but I changed my local Belkin router. There is an optional domain name in the settings and by default it says Belkin, so when pinging from the Toshiba it was actually pinging pc100.Belkin.com and giving me their IP address. I removed that from my router and it is working just fine now.
odd.
thanks again, I wish I could give you more points digitap!
no worries...glad it's working.
ASKER
Hi digitap, here is a chance where I can give you 500 more points :)
https://www.experts-exchange.com/questions/26483267/Sonicwall-TZ-210-Wireless-N-Clients-with-DCHP-work-fine-clients-with-Static-IP-address-do-not-have-internet-access.html
TZ 210 Issues now.
thanks
hehe...I'm looking at it now...
ASKER
digitap, here is another question for you:
thanks again,
https://www.experts-exchange.com/questions/26484145/Sonicwall-TZ-210-Wireless-N-Port-Adress-Translation-and-Forwarding.html