Solved

Sonicwall NSA 2400 Device connecting users with a Windows 2000 AD. LDAP or Radius? This is for VPN users to connect in using NSA 2400

Posted on 2010-08-17
Last Modified: 2013-12-24
I have never used this appliance, nor have I used LDAP or RADIUS, and I have no idea how to set up either one.  What is the easier option, LDAP or RADIUS?  This is so users can connect in using Sonicwall's VPN Client software.
Is there someone that can walk me through either one?  I did set it to use LDAP and it worked, but it was not secure and the NSA appliance told me it was not recommended.
It seemed like with RADIUS I needed to set up password encryption, which required a password change for every user (I don't want to have to do that).
Anyone out there who can walk me through it?
Thanks
Question by: parmor

Expert Comment by: digitap
You can use the local Sonicwall database on the Sonicwall without RADIUS or LDAP.  The Sonicwall recommends that you use a certificate for either authentication method.  Their concern is the traffic between the Sonicwall and the server being in the clear.  Someone could analyze that traffic and see usernames and passwords.  However, this traffic is on your internal network, so the likelihood of this happening is fairly low.

In my opinion, RADIUS is easier to set up, but it requires more configuration on the Windows server side.  You can leave the LDAP configuration despite the Sonicwall's concern about the missing certificate.  Here are the KBs for setting up both along with Windows.

LDAP: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7806
RADIUS with 2008 server: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6591
RADIUS with 2003 server: http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5125

Author Comment by: parmor
Thanks digitap. I imagine the setup for 2003 is similar to 2000, but I can just as easily install the RADIUS component on any server, correct?

Accepted Solution by: digitap (earned 500 total points)
I believe so.  I haven't been in 2000 server for some time.  Here are the steps for 2000 server.
http://www.sonicwall.com/downloads/FW65_VPN_RADIUS_and_Windows_2000_IAS_v2.pdf



Author Comment by: parmor
Thanks digitap: we are getting somewhere.  The settings have changed a little bit on the sonicwall side so they are not exact as per the pdf.

I am able to connect using the Sonicwall VPN client, but it keeps rejecting my username and password. It did prompt for and accept my "shared secret".
The log file shows (I replaced the actual IP and domain with fake ones for this post):

2010/08/18 13:02:30:069      Information      10.10.10.1      Starting ISAKMP phase 1 negotiation.
2010/08/18 13:02:30:131      Information      10.10.10.1      Starting aggressive mode phase 1 exchange.
2010/08/18 13:02:30:131      Information      10.10.10.1      NAT Detected: Local host is behind a NAT device.
2010/08/18 13:02:30:131      Information      10.10.10.1      The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 13:02:30:131      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 13:02:30:146      Information      10.10.10.1      Received XAuth request.
2010/08/18 13:02:30:146      Information      10.10.10.1      Sending XAuth reply.
2010/08/18 13:02:30:147      Information      10.10.10.1      Received initial contact notify.
2010/08/18 13:02:30:169      Information      10.10.10.1      Received XAuth status.
2010/08/18 13:02:30:169      Information      10.10.10.1      Sending XAuth acknowledgement.
2010/08/18 13:02:30:169      Warning          10.10.10.1      XAuth failed. (null)
2010/08/18 13:02:30:169      Warning          10.10.10.1      User authentication has failed.
2010/08/18 13:02:30:185      Information            An incoming ISAKMP packet from 10.10.10.1 was ignored.
2010/08/18 13:02:34:495      Warning          vpn.mydomain.com      The username/password dialog box was cancelled by the user. The connection will be disabled.

Expert Comment by: digitap
you should not have been prompted for the shared secret within the GVC...that's what you are talking about right?  When you configure the GroupVPN settings on the sonicwall, go to the last tab and click the checkbox called "Use Default Key for Simple Client Provisioning".  Then, when you enable the connection with the GVC, you should ONLY get the username prompt.  When you tested the RADIUS connection on the sonicwall, did it pass successfully?

Author Comment by: parmor
Yes, that is correct, the shared secret on the GVC.
I did check that box to Use Default Key for Simple Client Provisioning after you recommended it.

Also, under Users -> Settings -> RADIUS -> Configure I go to Test and have tried 8 different usernames and passwords; they all say successful, but the GVC client isn't working with the same usernames and passwords.

"Radius Client Authentication Succeeded"

Author Comment by: parmor
OK for some reason I am getting further, now the log shows the following:

2010/08/18 14:03:19:002      Warning          vpn.mydomain.com      The downloaded policy configuration contains no destination networks.
2010/08/18 14:03:19:002      Error            vpn.mydomain.com      The policy downloaded from the firewall is invalid or incomplete. Contact your network administrator.

Expert Comment by: digitap
Check the group that was assigned access within the GroupVPN policy and see what networks have been assigned to that group.  Users > Local Group click edit and go to the VPN Access tab.  You'll want to add all the networks that you want GVC users to access.

Author Comment by: parmor
We are getting somewhere, but the log shows the user Andrew, which is not the user I am logging in to GVC with, and I am not getting a "local" IP address:

2010/08/18 14:55:49:661      Information            The connection "vpn.mydomain.com" has been enabled.
2010/08/18 14:55:50:168      Error                  Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 14:55:50:182      Information      10.10.10.1      Starting ISAKMP phase 1 negotiation.
2010/08/18 14:55:50:243      Information      10.10.10.1      Starting aggressive mode phase 1 exchange.
2010/08/18 14:55:50:244      Information      10.10.10.1      NAT Detected: Local host is behind a NAT device.
2010/08/18 14:55:50:244      Information      10.10.10.1      The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 14:55:50:244      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 14:55:50:262      Information      10.10.10.1      Received XAuth request.
2010/08/18 14:55:50:262      Information      10.10.10.1      XAuth has requested a username but one has not yet been specified.
2010/08/18 14:55:50:262      Information      10.10.10.1      Sending phase 1 delete.
2010/08/18 14:55:50:263      Information      10.10.10.1      User authentication information is needed to complete the connection.
2010/08/18 14:55:50:287      Information            An incoming ISAKMP packet from 10.10.10.1 was ignored.
2010/08/18 14:56:01:030      Error                  Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 14:56:01:039      Information      10.10.10.1      Starting ISAKMP phase 1 negotiation.
2010/08/18 14:56:01:098      Information      10.10.10.1      Starting aggressive mode phase 1 exchange.
2010/08/18 14:56:01:098      Information      10.10.10.1      NAT Detected: Local host is behind a NAT device.
2010/08/18 14:56:01:098      Information      10.10.10.1      The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 14:56:01:098      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 14:56:01:111      Information      10.10.10.1      Received XAuth request.
2010/08/18 14:56:01:111      Information      10.10.10.1      Sending XAuth reply.
2010/08/18 14:56:01:112      Information      10.10.10.1      Received initial contact notify.
2010/08/18 14:56:01:131      Information      10.10.10.1      Received XAuth status.
2010/08/18 14:56:01:131      Information      10.10.10.1      Sending XAuth acknowledgement.
2010/08/18 14:56:01:131      Information      10.10.10.1      User authentication has succeeded.
2010/08/18 14:56:01:145      Information      10.10.10.1      Received request for policy version.
2010/08/18 14:56:01:145      Information      10.10.10.1      Sending policy version reply.
2010/08/18 14:56:01:157      Information      10.10.10.1      Received policy change is not required.
2010/08/18 14:56:01:157      Information      10.10.10.1      Sending policy acknowledgement.
2010/08/18 14:56:01:157      Information      10.10.10.1      The configuration for the connection is up to date.
2010/08/18 14:56:01:179      Information      10.10.10.1      Starting ISAKMP phase 2 negotiation with 192.168.3.1/255.255.255.255:Any:Any:N/A.
2010/08/18 14:56:01:179      Information      10.10.10.1      Starting quick mode phase 2 exchange.
2010/08/18 14:56:01:192      Information      10.10.10.1      The SA lifetime for phase 2 is 28800 seconds.
2010/08/18 14:56:01:192      Information      10.10.10.1      Phase 2 with 192.168.3.1/255.255.255.255:Any:Any:N/A has completed.
2010/08/18 14:56:01:223      Information      vpn.mydomain.com      NetWkstaUserGetInfo returned: user: Andrew, logon domain: ANDREW, logon server: ANDREW
2010/08/18 14:56:05:723      Information      vpn.mydomain.com      NetGetDCName failed: Could not find domain controller for this domain.
2010/08/18 14:56:05:723      Information      vpn.mydomain.com      calling NetUserGetInfo: Server: \, User: Andrew, level: 3
2010/08/18 14:56:05:724      Information      vpn.mydomain.com      NetUserGetInfo returned: home dir: , remote dir: , logon script:

Expert Comment by: digitap
I think you might be able to ignore the stuff about Andrew.  Is Andrew the name of the local workstation where the GVC is installed?  It appears to be connecting... can you get to hosts behind the sonicwall once you get connected? I mean, do you get an IP address?

Author Comment by: parmor
Yes, you are correct that is my home computer where I am testing, d'oh!
I am not getting an IP Address from my work network and cannot access any resources on the other end.

Expert Comment by: digitap
OK...then we need to make sure you have DHCP setup correctly.  Go to VPN > DHCP over VPN.  With Central Gateway showing in the drop down, click Configure.  What do you have configured for a DHCP server?  My recommendation is to use a DHCP scope on the sonicwall.  Most, however, utilize a Windows DHCP server for this.  I don't like to do that as Windows will sometimes assign a GVC host with an IP that a host on the internal network already has.  Obviously, that causes problems.  I use the WLAN DHCP scope.

Expert Comment by: digitap
Then, what's 192.168.3.1?  Is that the IP network of your home computer?

Author Comment by: parmor
192.168.0.1-192.168.3.255
subnet mask 255.255.252.0
internal network at work.
192.168.3.1 is the Sonicwall internal IP address

Author Comment by: parmor
Still cannot connect locally to anything inside the network.
NetGetDCName failed: I think that could be part of the problem as well.
---

2010/08/18 15:25:15:807      Information      10.10.10.1      Phase 2 with 192.168.3.1/255.255.255.255:Any:Any:N/A has completed.
2010/08/18 15:25:15:836      Information      vpn.mydomain.com      NetWkstaUserGetInfo returned: user: Andrew, logon domain: ANDREW, logon server: ANDREW
2010/08/18 15:25:20:338      Information      vpn.mydomain.com      NetGetDCName failed: Could not find domain controller for this domain.
2010/08/18 15:25:20:338      Information      vpn.mydomain.com      calling NetUserGetInfo: Server: \, User: Andrew, level: 3
2010/08/18 15:25:20:339      Information      vpn.mydomain.com      NetUserGetInfo returned: home dir: , remote dir: , logon script:

Assisted Solution by: digitap (earned 500 total points)
OK...are you using the WLAN zone on the sonicwall?  well, whether you are or not, the sonicwall configures it by default and creates a DHCP scope for it.  Configure DHCP over VPN like this:

Check Use Internal DHCP Server
Check For Global VPN Client
Type the IP address of the WLAN interface in the Relay IP address box.  Click OK.
Then, try your connection again.

Expert Comment by: digitap
You should see in the log the IP address assigned your GVC.

Expert Comment by: digitap
Also, go to Firewall > Access Rules and check VPN > LAN and LAN > VPN.  If you are getting an IP but the access rules aren't correct, you won't be able to connect to the network.

Author Comment by: parmor
Dumb question:
"Type the IP address of the WLAN interface in the Relay IP address box, click OK." Is that the external IP or internal IP?  I tried both and neither made a difference.

The only IP I am seeing in the GVC is the 192.168.3.1 (internal IP of the NSA 2400) I am still not seeing any DHCP address from my network.

Re: the Firewall both were automatically ALLOW because they were generated by the appliance. I couldn't make any changes.

Author Comment by: parmor
Also, under VPN -> Settings, VPN Policies:
#1 WAN GroupVPN
#2 WLAN GroupVPN
I cannot check Enable next to WLAN GroupVPN (#2); I get "Error: No interface attached to this zone".
Is that something I need to be concerned with?
The only one I can enable is #1 WAN GroupVPN.

Assisted Solution by: digitap (earned 500 total points)
OK, based off the error when you tried to enable the WLAN GroupVPN, you have not assigned the WLAN zone to an interface yet.  You won't enable the WLAN GroupVPN, but leave the WAN GroupVPN.  Sorry if I'm creating confusion.

If you want to use the Sonicwall DHCP server for GVC connections, then you'll want to go to Network > Interfaces.  Identify an available interface and assign the WLAN zone to it.  When you assign the WLAN zone you'll be given the opportunity to assign an IP address to it.  Pick something that doesn't match any other IP network used internally, like 10.10.1.0/24.  The interface would then be 10.10.1.1 with a Mask of 255.255.255.0.  When you do this, the Sonicwall will automatically create and enable a DHCP scope for this interface.  Go to Network > DHCP.  Edit the scope that matches the IP of the WLAN interface.  You can modify the scope it creates.  I usually change it to something like 10.10.1.50 - 10.10.1.100.  I give it a DNS IP address of an internal DNS server so they resolve names internally properly.  Also include the domain suffix for your active directory domain.

Then, go to VPN > DHCP over VPN.  Make sure Central Gateway is in the drop down and click the Configure button.  Configure the settings using the screen shot, Sonicwall As DHCP Server, I've attached below.  Then, click OK, try to connect and report your results.


- If you want to use the DHCP server of a Windows server:

Go to VPN > DHCP over VPN.  Make sure the Central Gateway is displayed in the drop down and click Configure.  Then, configure yours like the screen shot, Windows As DHCP Server, I've attached below.  Of course, you'll put in place of 192.168.3.21 the IP address of your internal DHCP server.  Then, click OK and try to connect with the GVC again.  Report your results.

Hope that helps.


greenshot-2010-08-18-22-40-56.jpg
greenshot-2010-08-18-22-26-31.jpg

Author Comment by: parmor
OK. I am still connecting, but it is still not giving me an internal IP nor access to anything behind the NSA 2400.  FYI: the 10.10.10.1 is actually 70.50.X.X, my external IP; I just modified it for posting.
192.168.3.1 is the Sonicwall NSA 2400.

I did a test and created a VPN server inside the network on a Win 2k3 Standard server and manually added a VPN connection using Windows 7; I have no problems connecting and logging in.  It seems like something on the NSA 2400 is just not configured correctly, and I am unsure of what that is. The problem with that is I just purchased a 50-user license for Sonicwall Global VPN Clients, and once it is working it will be a much easier process to walk users through than manually creating instructions for 4-6 different OSes.

The results, either using DHCP on the Sonicwall (192.168.3.1) or my internal DHCP server (192.168.0.3), are exactly the same:


2010/08/18 22:08:47:322      Information            The connection "vpn.mydomain.com" has been enabled.
2010/08/18 22:08:47:904      Error                  Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 22:08:47:918      Information      10.10.10.1      Starting ISAKMP phase 1 negotiation.
2010/08/18 22:08:47:981      Information      10.10.10.1      Starting aggressive mode phase 1 exchange.
2010/08/18 22:08:47:981      Information      10.10.10.1      NAT Detected: Local host is behind a NAT device.
2010/08/18 22:08:47:981      Information      10.10.10.1      The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 22:08:47:981      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 22:08:47:996      Information      10.10.10.1      Received XAuth request.
2010/08/18 22:08:47:996      Information      10.10.10.1      XAuth has requested a username but one has not yet been specified.
2010/08/18 22:08:47:996      Information      10.10.10.1      Sending phase 1 delete.
2010/08/18 22:08:47:997      Information      10.10.10.1      User authentication information is needed to complete the connection.
2010/08/18 22:08:48:028      Information            An incoming ISAKMP packet from 10.10.10.1 was ignored.
2010/08/18 22:08:54:215      Error                  Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.
2010/08/18 22:08:54:223      Information      10.10.10.1      Starting ISAKMP phase 1 negotiation.
2010/08/18 22:08:54:519      Information      10.10.10.1      Starting aggressive mode phase 1 exchange.
2010/08/18 22:08:54:519      Information      10.10.10.1      NAT Detected: Local host is behind a NAT device.
2010/08/18 22:08:54:519      Information      10.10.10.1      The SA lifetime for phase 1 is 28800 seconds.
2010/08/18 22:08:54:519      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 22:08:54:757      Information      10.10.10.1      Received XAuth request.
2010/08/18 22:08:54:757      Information      10.10.10.1      Sending XAuth reply.
2010/08/18 22:08:54:759      Information      10.10.10.1      Received initial contact notify.
2010/08/18 22:08:55:025      Information      10.10.10.1      Received XAuth status.
2010/08/18 22:08:55:025      Information      10.10.10.1      Sending XAuth acknowledgement.
2010/08/18 22:08:55:025      Information      10.10.10.1      User authentication has succeeded.
2010/08/18 22:08:55:271      Information      10.10.10.1      Received request for policy version.
2010/08/18 22:08:55:271      Information      10.10.10.1      Sending policy version reply.
2010/08/18 22:08:55:529      Information      10.10.10.1      Received policy change is not required.
2010/08/18 22:08:55:529      Information      10.10.10.1      Sending policy acknowledgement.
2010/08/18 22:08:55:529      Information      10.10.10.1      The configuration for the connection is up to date.
2010/08/18 22:08:55:551      Information      10.10.10.1      Starting ISAKMP phase 2 negotiation with 192.168.3.1/255.255.255.255:Any:Any:N/A.
2010/08/18 22:08:55:551      Information      10.10.10.1      Starting quick mode phase 2 exchange.
2010/08/18 22:08:55:831      Information      10.10.10.1      The SA lifetime for phase 2 is 28800 seconds.
2010/08/18 22:08:55:831      Information      10.10.10.1      Phase 2 with 192.168.3.1/255.255.255.255:Any:Any:N/A has completed.
2010/08/18 22:08:55:885      Information      vpn.mydomain.com      NetWkstaUserGetInfo returned: user: Andrew, logon domain: ANDREW, logon server: ANDREW
2010/08/18 22:09:00:385      Information      vpn.mydomain.com      NetGetDCName failed: Could not find domain controller for this domain.
2010/08/18 22:09:00:385      Information      vpn.mydomain.com      calling NetUserGetInfo: Server: \, User: Andrew, level: 3
2010/08/18 22:09:00:386      Information      vpn.mydomain.com      NetUserGetInfo returned: home dir: , remote dir: , logon script:

Expert Comment by: digitap
Here's my log after a successful connection from almost the moment that I launch the GVC to the end when my connection is made.

2010/08/19 00:25:06:937      Information      <local host>      SonicWALL Global VPN Client version 4.2.6.0305
2010/08/19 00:25:13:640      Information      <local host>      The connection "myconnection" has been enabled.
2010/08/19 00:25:14:968      Information      xx.xx.xx.xx      Starting ISAKMP phase 1 negotiation.
2010/08/19 00:25:15:546      Information      xx.xx.xx.xx      Starting aggressive mode phase 1 exchange.
2010/08/19 00:25:15:546      Information      xx.xx.xx.xx      NAT Detected: Local host is behind a NAT device.
2010/08/19 00:25:15:546      Information      xx.xx.xx.xx      The SA lifetime for phase 1 is 28800 seconds.
2010/08/19 00:25:15:546      Information      xx.xx.xx.xx      Phase 1 has completed.
2010/08/19 00:25:15:796      Information      xx.xx.xx.xx      Received XAuth request.
2010/08/19 00:25:15:796      Information      xx.xx.xx.xx      XAuth has requested a username but one has not yet been specified.
2010/08/19 00:25:15:796      Information      xx.xx.xx.xx      Sending phase 1 delete.
2010/08/19 00:25:15:796      Information      xx.xx.xx.xx      User authentication information is needed to complete the connection.
2010/08/19 00:25:15:906      Information      <local host>      An incoming ISAKMP packet from xx.xx.xx.xx was ignored.
2010/08/19 00:25:22:921      Information      xx.xx.xx.xx      Starting ISAKMP phase 1 negotiation.
2010/08/19 00:25:23:328      Information      xx.xx.xx.xx      Starting aggressive mode phase 1 exchange.
2010/08/19 00:25:23:328      Information      xx.xx.xx.xx      NAT Detected: Local host is behind a NAT device.
2010/08/19 00:25:23:328      Information      xx.xx.xx.xx      The SA lifetime for phase 1 is 28800 seconds.
2010/08/19 00:25:23:328      Information      xx.xx.xx.xx      Phase 1 has completed.
2010/08/19 00:25:23:593      Information      xx.xx.xx.xx      Received XAuth request.
2010/08/19 00:25:23:593      Information      xx.xx.xx.xx      Sending XAuth reply.
2010/08/19 00:25:23:593      Information      xx.xx.xx.xx      Received initial contact notify.
2010/08/19 00:25:23:906      Information      xx.xx.xx.xx      Received XAuth status.
2010/08/19 00:25:23:906      Information      xx.xx.xx.xx      Sending XAuth acknowledgement.
2010/08/19 00:25:23:906      Information      xx.xx.xx.xx      User authentication has succeeded.
2010/08/19 00:25:24:171      Information      xx.xx.xx.xx      Received request for policy version.
2010/08/19 00:25:24:187      Information      xx.xx.xx.xx      Sending policy version reply.
2010/08/19 00:25:24:234      Information      xx.xx.xx.xx      Received policy change is not required.
2010/08/19 00:25:24:234      Information      xx.xx.xx.xx      Sending policy acknowledgement.
2010/08/19 00:25:24:234      Information      xx.xx.xx.xx      The configuration for the connection is up to date.
2010/08/19 00:25:24:265      Information      xx.xx.xx.xx      Starting ISAKMP phase 2 negotiation with 192.168.3.0/255.255.255.0:BOOTPC:BOOTPS:UDP.
2010/08/19 00:25:24:265      Information      xx.xx.xx.xx      Starting quick mode phase 2 exchange.
2010/08/19 00:25:24:343      Information      xx.xx.xx.xx      The SA lifetime for phase 2 is 28800 seconds.
2010/08/19 00:25:24:343      Information      xx.xx.xx.xx      Phase 2 with 192.168.3.0/255.255.255.0:BOOTPC:BOOTPS:UDP has completed.
2010/08/19 00:25:24:359      Information      <local host>      Renewing IP address for the virtual interface (00-60-73-DA-71-AB).
2010/08/19 00:25:28:515      Information      <local host>      The IP address for the virtual interface has changed to 172.16.33.21.
2010/08/19 00:25:28:531      Information      <local host>      The system ARP cache has been flushed.
2010/08/19 00:25:28:593      Information      vpn.domain.org      NetWkstaUserGetInfo returned: user: tcarver, logon domain: local, logon server: server
2010/08/19 00:25:31:203      Information      vpn.domain.org      NetGetDCName failed: Could not find domain controller for this domain.
2010/08/19 00:25:31:203      Information      vpn.domain.org      calling NetUserGetInfo: Server: \, User: username, level: 3
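The working log above and the failing ones earlier in the thread diverge at the same point: the working client negotiates a phase 2 SA with a BOOTPC:BOOTPS:UDP selector and then reports an address for its virtual interface, while the failing client only builds a host SA to 192.168.3.1 and never gets a lease, and the NetGetDCName failure appears in both, so it is not the fault. The script below is an added example, not code from the thread: it splits GVC log excerpts into their columns and reports the furthest stage a connection reached, using stage names and classification rules that are assumptions drawn from the messages quoted in the posts, with constructed sample logs that reuse the posts' placeholder addresses.

```python
"""Stage-by-stage triage of SonicWALL Global VPN Client (GVC) log excerpts.
Added example, not part of the thread: the stage names and rules are assumptions
drawn from the messages quoted in the posts, and the sample logs are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PHASE2_RE = re.compile(r"^Phase 2 with (?P<sel>\S+) has completed\.$")
VIP_RE = re.compile(r"virtual interface has changed to (?P<ip>[\d.]+)\.$")


def parse_gvc_line(line: str) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Return (timestamp, level, peer, message), or None for text that is not a log line.
    Columns are separated by runs of two or more spaces; the peer column is blank for
    events the client logs about itself, so those lines split into three fields."""
    parts = re.split(r"\s{2,}", line.strip(), maxsplit=3)
    if len(parts) < 3 or not re.match(r"\d{4}/\d{2}/\d{2} \d", parts[0]):
        return None
    peer, msg = (None, parts[2]) if len(parts) == 3 else (parts[2], parts[3])
    return parts[0], parts[1], peer, msg


@dataclass
class Diagnosis:
    verdict: str = ""
    detail: str = ""
    phase1: bool = False
    xauth_ok: Optional[bool] = None
    phase2_selectors: List[str] = field(default_factory=list)
    virtual_ip: Optional[str] = None
    dc_lookup_failed: bool = False  # also present in the working log, so not a fault by itself


def diagnose(log_text: str) -> Diagnosis:
    """Walk the excerpt in order and report the furthest stage the tunnel reached."""
    d, policy_empty = Diagnosis(), False
    for line in log_text.splitlines():
        ev = parse_gvc_line(line)
        if ev is None:
            continue
        msg = ev[3]
        if msg == "Phase 1 has completed.":
            d.phase1 = True
        elif msg == "User authentication has succeeded.":
            d.xauth_ok = True
        elif msg.startswith("XAuth failed") or msg == "User authentication has failed.":
            d.xauth_ok = False
        elif "contains no destination networks" in msg:
            policy_empty = True
        elif (p2 := PHASE2_RE.match(msg)):
            d.phase2_selectors.append(p2.group("sel"))
        elif (vip := VIP_RE.search(msg)):
            d.virtual_ip = vip.group("ip")
        elif msg.startswith("NetGetDCName failed"):
            d.dc_lookup_failed = True
    # Rank the outcome by the first stage that did not complete.
    if not d.phase1:
        d.verdict, d.detail = "NO_PHASE1", "phase 1 never completed; check the gateway address and GroupVPN key settings"
    elif d.xauth_ok is False:
        d.verdict, d.detail = "AUTH_FAILED", "XAuth rejected the credentials; re-run the RADIUS test and check the user's group"
    elif policy_empty:
        d.verdict, d.detail = "NO_DESTINATION_NETWORKS", "the GroupVPN user group has no networks on its VPN Access tab"
    elif d.virtual_ip:
        d.verdict, d.detail = "CONNECTED", f"virtual interface received {d.virtual_ip}"
    elif any("BOOTPC:BOOTPS" in s for s in d.phase2_selectors):
        d.verdict, d.detail = "NO_LEASE", "a DHCP-over-VPN SA was built but no lease arrived; check the DHCP server or scope"
    elif d.phase2_selectors:
        d.verdict, d.detail = "NO_DHCP_SA", "phase 2 has no BOOTPC:BOOTPS selector; DHCP over VPN is not relaying a lease"
    else:
        d.verdict, d.detail = "INCOMPLETE", "authenticated but no phase 2 SA seen; the excerpt may be truncated"
    return d


# Constructed samples modelled on the thread's logs (placeholder addresses kept).
FAILING_LOG = """
2010/08/18 22:08:54:519      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 22:08:55:025      Information      10.10.10.1      User authentication has succeeded.
2010/08/18 22:08:55:831      Information      10.10.10.1      Phase 2 with 192.168.3.1/255.255.255.255:Any:Any:N/A has completed.
2010/08/18 22:09:00:385      Information      vpn.mydomain.com      NetGetDCName failed: Could not find domain controller for this domain.
"""
WORKING_LOG = """
2010/08/19 00:25:23:328      Information      xx.xx.xx.xx      Phase 1 has completed.
2010/08/19 00:25:23:906      Information      xx.xx.xx.xx      User authentication has succeeded.
2010/08/19 00:25:24:343      Information      xx.xx.xx.xx      Phase 2 with 192.168.3.0/255.255.255.0:BOOTPC:BOOTPS:UDP has completed.
2010/08/19 00:25:28:515      Information      <local host>      The IP address for the virtual interface has changed to 172.16.33.21.
2010/08/19 00:25:31:203      Information      vpn.domain.org      NetGetDCName failed: Could not find domain controller for this domain.
"""
AUTH_FAILED_LOG = """
2010/08/18 13:02:30:131      Information      10.10.10.1      Phase 1 has completed.
2010/08/18 13:02:30:169      Warning          10.10.10.1      XAuth failed. (null)
2010/08/18 13:02:30:169      Warning          10.10.10.1      User authentication has failed.
2010/08/18 13:02:30:185      Information            An incoming ISAKMP packet from 10.10.10.1 was ignored.
"""

if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("working", WORKING_LOG), ("auth", AUTH_FAILED_LOG)):
        r = diagnose(text)
        print(f"{name:8s} {r.verdict:24s} {r.detail}")
```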

Assisted Solution by: digitap (earned 500 total points)
Also, here are step by step instructions for configuring the GroupVPN for GVC.  I don't think the Sonicwall is configured quite right.  You're almost there, though.
UTM---GVC--How-to-Configure-WAN-.pdf

Author Closing Comment by: parmor
Finally!  With all of your help my VPN is now up and running with NSA 2400 and the Windows 2000 RADIUS!!!
THANK YOU SO MUCH!

Expert Comment by: digitap
You're welcome!  If I didn't love this stuff, I wouldn't be here, but the kudos are nice (so are the points...thanks for those!)!

Author Comment by: parmor
Digitap are you still around?

I thought everything was working perfectly, but apparently it's not.  I cannot use Remote Desktop to connect to any workstations.
I am getting an IP from the DHCP server, but when I try to connect to SERVER1 it times out, and if I try SERVER1.mydomain.com it also fails.

If I use the VPN that I created from before I connect and then enter the entire name of the PC/Server, ie SERVER1.mydomain.com and it works without error.
Any ideas?

Author Comment by: parmor
Oh, and when connected with the Sonicwall VPN Client software I can use a command prompt and ping any PC/server and get a response, but for some reason Remote Desktop is not working.

Expert Comment by: digitap
If you are getting an IP address, then you should be golden.  Login to the sonicwall and go to Firewall > Access Rules.  Click the VPN > LAN matrix and tell me what you see there for rules.  Also, check the reflexive rules for LAN > VPN.

Author Comment by: parmor
Is this what you are referring to?
see attached images
Firewall-rules-VPN-to-LAN.JPG
Firewall-rules-LAN-to-VPN.JPG

Expert Comment by: digitap
Yes...but then after I asked the question, it dawned on me that you could ping.  What if you ping by IP address rather than FQDN or hostname?  Does that work?

Author Comment by: parmor
Now I can ping SERVER1 and I get the IP address, but it times out; it also times out when I ping by IP address.

Author Comment by: parmor
2010/08/25 00:00:18:186      Information      vpn.mydomain.com      NetGetDCName failed: Could not find domain controller for this domain.

Expert Comment by: digitap
OK...check the user group on the sonicwall that you've used to configure Client Authentication within the WAN GroupVPN SA to confirm you've given that group the proper network access.  Login to the sonicwall > Users > Local Groups.  Edit the user group and go to the VPN Access tab.  When I add networks, I usually add Firewalled Subnets.  If you add something different, make sure it's the whole subnet and not just a primary IP address.

Author Comment by: parmor
Login to the sonicwall > Users > Local Groups.  Edit the user group and go to the VPN Access tab.
----
All I have under Users > Local Groups.  In VPN Access I have DMZ Subnets and LAN Subnets. I deleted LAN Subnets because I could not have both Firewall Subnets.  Still nothing changed. Cannot ping IP or UNC.

Expert Comment by: digitap
Take out everything and just put Firewalled Subnets.  Is the group you are viewing the group that's assigned within the GroupVPN?

Author Comment by: parmor
Everything is working now from my home network except one laptop.
I have one laptop (Dell), a desktop (Asus mobo build), and then a Toshiba (laptop).
Both the Dell and the Asus connect with the Sonicwall Global VPN Client (GVC); I get an IP and I can ping all my PC names or IP addresses without error.
The Toshiba laptop can connect and I get an IP, but I cannot ping by PC name; I can only ping by IP address. Any idea why?
Both the Dell and the Toshiba are wireless, connecting to my router that the Asus is wired to.
Any ideas?
I use the same username on all three PCs, and like I said it connects fine and I get a valid IP, but one of the three does not allow me to ping by PC name, i.e. PC100 (192.168.0.15); I can ping by IP only on the Toshiba.

Expert Comment by: digitap
Are you getting a DNS server assigned?  Have you modified the hosts file on the other machines, or done something manually on them to give them name resolution that the Toshiba would not have?

Author Comment by: parmor
I do get two dns servers which are valid.
I didn't modify anything manually.
It's really strange. When I ping pc100 I get a reply from 192.168.0.15 from the two. The Toshiba replies, but it is from my Belkin router (cable modem IP, I assume).

Expert Comment by: digitap
hmmm, sounds as if the cable modem isn't allowing your IPSEC traffic to traverse back and forth from the Toshiba?  Is the Toshiba laptop the only GVC device on the Belkin?

Author Comment by: parmor
No all three devices are connected to the belkin.

Expert Comment by: digitap
Yes, that is strange.  Update the drivers on the Toshiba?  Review the Belkin and confirm there isn't something there singling out the Toshiba... maybe restart the Belkin to clear the ARP tables, etc.

Author Comment by: parmor
No idea why it wasn't causing problems on the other two, but I changed my local Belkin router. There is an optional domain name in the settings, and by default it says Belkin, so when pinging from the Toshiba it was actually pinging pc100.Belkin.com and giving me their IP address.  I removed that from my router and it is working just fine now.
Odd.

thanks again, I wish I could give you more points digitap!

Expert Comment by: digitap
no worries...glad it's working.

Author Comment by: parmor
Hi digitap, here is  a chance where I can give you 500 more points :)

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_26483267.html

TZ 210 Issues now.
thanks

Expert Comment by: digitap
hehe...I'm looking at it now...

Author Comment by: parmor
digitap, here is another question for you:

thanks again,

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_26484145.html