Solved

VPN setup for 2 sonicwalls one using dynamic IP

Posted on 2010-09-11
807 Views
Last Modified: 2012-05-10
I have an Office that has a TZ200, and a remote home user with a TZ100.

The home user has FIOS and a dynamic IP.

I have it working to the current IP using IKE with shared secret, but if the FIOS IP changes it will break. How do I set it up to allow the home user to have a dynamic IP?
Question by:911bob
2 Comments
LVL 9

Expert Comment

by:dauman
ID: 33654655
Try the DynDNS service.
You have to either log in every 30 days or pay (approx.) $30.00 yearly for their premium service.

Then point the users to the DynDNS service name.
Works fine.
Also, you either have to set the router to populate the DynDNS service or set up their TSR program to update it.

http://www.dyndns.com/

Accepted Solution

by:
911bob earned 0 total points
ID: 33654747
Finally found the following at https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4834&catID2=388&catID1=143

I am currently testing. I would prefer not to use DynDNS (even though I currently do for a number of dynamic sites).

Configuring a Site to Site VPN on the Central Location (Static WAN IP address)
Device used on Central Site: SonicWALL PRO 4060 appliance with SonicOS Enhanced 4.0.0.2e firmware.

Central Location Network Configuration:

1.       LAN Subnet: 192.168.168.0
2.       Subnet Mask: 255.255.255.0
3.       WAN IP: 66.249.72.115
4.       Local IKE ID SonicWALL Identifier: chicago (This could be any string except it has to match the Remote Location VPN's Peer IKE ID SonicWALL Identifier)
 
Step 1: Creating Address Object for Remote Site:

 - Login to the Central Location SonicWALL appliance
 - Navigate to Network > Address Objects page.
 - Scroll down to the bottom of the page and click on Add button, enter the following settings.

Name – newyork vpn,
Zone – VPN,
Type – Network,
Network – 10.10.10.0,
Netmask – 255.255.255.0
 -  Click OK when finished.

Step 2: Configuring a VPN Policy:

a.       Click on VPN > Settings
b.       Check the box “Enable VPN” under Global VPN Settings.
c.       Click on the “Add” button under VPN Policies section. The VPN Policy window pops up.
 
Click the General tab

a.       Select the Authentication method as “IKE Using Preshared Secret”
b.       Name: New York Aggressive Mode VPN
c.       IPsec Primary Gateway Name or Address: 0.0.0.0
 
Note:  Since the WAN IP address changes frequently, it is recommended to use the 0.0.0.0 IP address as the Primary Gateway.

d.       IPsec Secondary Gateway Name or Address: 0.0.0.0
e.       Shared Secret: sonicwall (The Shared Secret would be the same at both SonicWALL’s)
f.         Local IKE ID: SonicWALL Identifier - chicago (This could be any string except it has to match the Remote Location VPN's Peer IKE ID SonicWALL Identifier)
g.       Peer IKE ID: SonicWALL Identifier - newyork (This could be any string except it has to match the Remote Location VPN's Local IKE ID SonicWALL Identifier)

 Click the Network tab

 - Local Networks

Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet)

 - Destination Networks

Select Choose destination network from list, and select the Address Object – newyork vpn

Click the Proposals tab

IKE (Phase 1) Proposal
Exchange:  Aggressive Mode
DH Group:  Group 2
Encryption: 3DES  
Authentication: SHA1
Life Time (seconds): 28800  
IPsec (Phase 2) Proposal
Protocol:  ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy (not checked)
DH Group:  Group 2
Life Time (seconds): 28800
  Click the Advanced tab
Ensure that the VPN Policy bound to: Zone WAN
  - Click OK when finished

Configuring a Site to Site VPN on the Remote Location (Dynamic WAN IP address)

Device used on Remote location: SonicWALL TZ 170 appliance with SonicOS Enhanced 3.2.3.0 firmware

Network Configuration:

1.       LAN Subnet: 10.10.10.0
2.       Subnet Mask: 255.255.255.0
3.       WAN IP: DHCP (As this is a Dynamic IP Address)
4.       Local IKE ID SonicWALL Identifier: newyork (This has to match the Central Location VPN's Peer IKE ID SonicWALL Identifier)

Step 1: Creating Address Object for Remote Site:

 - Login to the Central Location SonicWALL appliance
 - Navigate to Network > Address Objects page.
 - Scroll down to the bottom of the page and click on Add button, enter the following settings.

Name – chicago vpn
Zone – VPN
Type – Network
Network – 192.168.168.0
Netmask – 255.255.255.0

 - Click OK when finished

Step 2: Configuring a VPN Policy:

a.       Click on VPN > Settings
b.       Check the box “Enable VPN” under Global VPN Settings.
c.         Click on the “Add” button under the VPN Policies section. The VPN Policy window pops up.

Click the General tab

a.      Select the Authentication method as “IKE Using Preshared Secret”
b.      Name: Chicago Aggressive Mode VPN
c.      IPsec Primary Gateway Name or Address: 66.249.72.115
d.      IPsec Secondary Gateway Name or Address: 0.0.0.0
e.      Shared Secret: sonicwall
f.         Local IKE ID: SonicWALL Identifier - newyork (This has to match the Central Location VPN's Peer IKE ID SonicWALL Identifier)
g.       Peer IKE ID: SonicWALL Identifier – chicago (This has to match the Central Location VPN's Local IKE ID SonicWALL Identifier)
 
Click the Network tab

 - Local Networks

Select Choose local network from list, and select the Address Object – LAN Primary Subnet

 - Destination Networks

Select Choose destination network from list, and select the Address Object – chicago vpn

Click the Proposals tab

IKE (Phase 1) Proposal
Exchange:  Aggressive Mode
DH Group:  Group 2
Encryption: 3DES  
Authentication: SHA1
Life Time (seconds): 28800  
IPsec (Phase 2) Proposal
Protocol:  ESP
Encryption: 3DES  
Authentication: SHA1
Enable Perfect Forward Secrecy (not checked)
DH Group:  Group 2
Life Time (seconds): 28800
 
Click the Advanced tab

Enable Keep Alive box should be checked
VPN Policy bound to: Zone WAN

 - Click OK when finished
How to Test:

From the Remote Location try to ping an IP address on the Central Location.

Note: Before receiving successful replies, you might see a couple of “Request Timed Out” messages while the VPN tunnel is still establishing.
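The KB procedure above boils down to a handful of pairings that must hold between the two policies (each side's Local IKE ID is the other's Peer IKE ID, the networks are mirrored, the central gateway is 0.0.0.0 so the dynamic peer is never pinned, the remote gateway is the central static IP, both ends use the same exchange mode and proposals) plus one operational point (the remote end is the only side that can initiate, so Keep Alive belongs there). The script below is an added example, not code from this thread, from SonicWall or from the quoted KB article: it models the two policies as plain Python dicts with keys of its own (they are not SonicOS API fields), filled in from the KB values, and checks those pairings before you touch the appliances. It also flags the hygiene points a practitioner would want raised about this KB: IKEv1 Aggressive Mode with a preshared key sends the IKE ID in the clear and lets a passive observer brute-force the PSK offline, so the secret must be long and random, and 3DES/SHA1/DH Group 2 with PFS off are weak choices by current standards. The "weak" sets and the 20-character minimum are this example's assumptions, not SonicWall settings. One practical caveat: the remote-side address object and policy are created on the remote (dynamic-IP) appliance, even though the pasted KB text says "Central Location" in that step.

```python
"""Consistency and hygiene check for a SonicWall site-to-site VPN pair in which
the remote end has a dynamic WAN IP.

Added example: not code from the thread, from SonicWall or from the KB article.
Policies are plain dicts with this script's own key names (not SonicOS fields),
filled in from the values the KB procedure uses.
"""
import copy

# Assumptions of this example, not SonicOS settings.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"Group 1", "Group 2", "Group 5"}
MIN_PSK_LEN = 20
ANY_PEER = "0.0.0.0"

# Constructed from the KB values: central = chicago (static WAN IP),
# remote = newyork (DHCP WAN IP).
CENTRAL = {
    "primary_gateway": ANY_PEER,          # 0.0.0.0: accept IKE from any address
    "shared_secret": "sonicwall",
    "local_ike_id": "chicago",
    "peer_ike_id": "newyork",
    "local_net": "192.168.168.0/24",      # X0 Subnet
    "dest_net": "10.10.10.0/24",          # address object "newyork vpn"
    "exchange": "Aggressive Mode",
    "phase1": {"dh": "Group 2", "enc": "3DES", "auth": "SHA1", "life": 28800},
    "phase2": {"enc": "3DES", "auth": "SHA1", "pfs": False, "life": 28800},
    "keepalive": False,
}
REMOTE = {
    "primary_gateway": "66.249.72.115",   # central's static WAN IP
    "shared_secret": "sonicwall",
    "local_ike_id": "newyork",
    "peer_ike_id": "chicago",
    "local_net": "10.10.10.0/24",         # LAN Primary Subnet
    "dest_net": "192.168.168.0/24",       # address object "chicago vpn"
    "exchange": "Aggressive Mode",
    "phase1": {"dh": "Group 2", "enc": "3DES", "auth": "SHA1", "life": 28800},
    "phase2": {"enc": "3DES", "auth": "SHA1", "pfs": False, "life": 28800},
    "keepalive": True,
}


def check_pair(central, remote):
    """Return (errors, warnings). Errors keep the tunnel down or make it break
    when the remote IP changes; warnings are security hygiene."""
    errors, warnings = [], []
    # IKE identities must cross-match: Local IKE ID on one side is Peer IKE ID on the other.
    if central["local_ike_id"] != remote["peer_ike_id"]:
        errors.append("central Local IKE ID != remote Peer IKE ID")
    if central["peer_ike_id"] != remote["local_ike_id"]:
        errors.append("central Peer IKE ID != remote Local IKE ID")
    if central["shared_secret"] != remote["shared_secret"]:
        errors.append("shared secret differs between the two policies")
    # Traffic selectors must mirror each other or phase 2 will not agree.
    if central["local_net"] != remote["dest_net"] or central["dest_net"] != remote["local_net"]:
        errors.append("local/destination networks are not mirrored")
    # Central must not pin the dynamic peer's IP; remote must point at the static IP.
    if central["primary_gateway"] != ANY_PEER:
        errors.append("central gateway pinned to %s; breaks when the remote IP changes"
                      % central["primary_gateway"])
    if remote["primary_gateway"] == ANY_PEER:
        errors.append("remote gateway must be the central static WAN IP, not 0.0.0.0")
    # With a 0.0.0.0 gateway the peer is recognised by IKE ID, which is why the
    # KB procedure uses Aggressive Mode; both ends must use the same exchange.
    if central["exchange"] != remote["exchange"]:
        errors.append("exchange mode differs between the two policies")
    elif central["primary_gateway"] == ANY_PEER and central["exchange"] != "Aggressive Mode":
        errors.append("dynamic-peer policy needs Aggressive Mode so the IKE ID identifies the peer")
    if central["phase1"] != remote["phase1"] or central["phase2"] != remote["phase2"]:
        errors.append("phase 1 / phase 2 proposals differ")
    # Only the remote end can initiate; without Keep Alive the tunnel waits for LAN traffic.
    if not remote["keepalive"]:
        warnings.append("remote Keep Alive is off; the central site cannot initiate to a dynamic peer")
    # Aggressive Mode + PSK exposes the IKE ID and an offline-crackable hash.
    if central["exchange"] == "Aggressive Mode":
        warnings.append("Aggressive Mode + PSK: IKE ID sent in clear, PSK brute-forceable offline")
    if len(central["shared_secret"]) < MIN_PSK_LEN:
        warnings.append("shared secret shorter than %d characters" % MIN_PSK_LEN)
    p1, p2 = central["phase1"], central["phase2"]
    if p1["enc"] in WEAK_ENCRYPTION or p2["enc"] in WEAK_ENCRYPTION:
        warnings.append("weak encryption (DES/3DES); prefer AES")
    if p1["auth"] in WEAK_HASH or p2["auth"] in WEAK_HASH:
        warnings.append("weak integrity (MD5/SHA1); prefer SHA-256")
    if p1["dh"] in WEAK_DH_GROUPS:
        warnings.append("weak phase 1 DH group; prefer Group 14 or higher")
    if not p2["pfs"]:
        warnings.append("Perfect Forward Secrecy disabled on phase 2")
    return errors, warnings


def with_change(policy, **fields):
    """Copy a policy with some fields altered, for what-if checks."""
    changed = copy.deepcopy(policy)
    changed.update(fields)
    return changed


if __name__ == "__main__":
    errs, warns = check_pair(CENTRAL, REMOTE)
    print("errors:", errs)
    for w in warns:
        print("warning:", w)
    # What-if: the central gateway is "fixed" to the remote's current FIOS address.
    print("pinned gateway ->", check_pair(with_change(CENTRAL, primary_gateway="203.0.113.7"), REMOTE)[0])
```

Run as-is, the KB pair passes with no errors and six warnings; the what-if at the bottom reproduces the questioner's original situation (central gateway set to the remote's current address) and reports it as the error that will surface the next time the FIOS lease changes.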
