Making multiple outbound VPN connections from behind a SonicWall

NEMC
I have a client running a SonicWall TZ-170.  Not using the Enhanced OS.

Client has another company that uses their network services and needs to connect to their VPN in Europe.  I setup a rule permitting IKE UDP Port 500 access and redirected it the workstation in question.

That worked great.  Now they have two additional workstations and I'm not sure how to set them up.  The SonicWall redirects UDP 500 to the first workstation rule it finds in the list.

If I globally enable inbound and outbound access to UDP 500, nothing works without the explicit redirection to a single IP in place.  Is my only choice to get additional public IP addresses and reroute those?

I assume I'm missing something obvious.

Thanks.
Look for a FIXUP/Helper for high security protocols.  Not sure of the specific name within a Sonic Wall, but shouldn't be too hard to find.  This would allow for multiple users behind the SW to run a hi-sec protocol without having to do any rules.

Author

Commented:
So there should be some native component of the SonicWall appliance that deals with certain protocols, including IKE in a special fashion.

Great, I'll take a look.  Thanks for the prompt response!

Author

Commented:
Found an option:

Preserve IKE Port for pass through connections

Which appears to do what I'm hoping for, although it looks like it breaks the native SonicWall Global VPN clients.

I'll test.

Sounds like you've found the right spot.  In my past experiences with Cisco PIX firewalls, yes, there is contention when this is enabled, possibly breaking the ability to establish point to point vpn tunnels, maybe even some difficulties with allowing outside users to vpn connect to the sonicwall.
Did you try out the GroupVPN option present in Sonicwall?
Wanted to make sure if you have already enabled the NAT traversal, as this is required for things to work.
Also you might want to enable the 'allow pass-through connections' option under advanced settings.
Top Expert 2010
Commented:
You don't need to do anything with your SonicWall.  The Europe end needs to make sure their VPN clients are configured for NAT traversal.  This tells their VPN client that they'll be behind a firewall that performs NAT, and the VPN client will add some information to the packet header.  IPSEC doesn't like being NAT'd, and that extra information in the packet header will prevent their VPN appliance from throwing out the packets.  You'd have the same issue regardless of the SonicWall appliance, or firewall for that matter.

The settings above only affect SonicWall VPN clients connecting back to the SonicWall from the internet and have no effect on the Europe VPN clients.
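Added illustration of the NAT traversal mechanics digitap refers to; this is constructed example code, not from this thread, from SonicWall, or from the Europe-side VPN vendor. It assumes SHA-1 as the negotiated IKE hash for the RFC 3947 NAT-D payload, uses made-up cookies and documentation-range addresses, and models the firewall's NAT with a toy port-overloading table. It shows why a client with NAT-T on can be told apart from its neighbours (each inside host gets its own public UDP source port on 4500, and the peer detects the NAT from the NAT-D hash mismatch), which is what the single port-500 redirect in the question could not provide.

```python
"""Constructed walk-through of IPsec NAT-Traversal: RFC 3947 NAT detection
and RFC 3948 UDP encapsulation. Sample values are made up for illustration."""
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: IKE on UDP 4500 is prefixed with this


def nat_d_hash(cookie_i: bytes, cookie_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value (RFC 3947 s.4): HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the hash negotiated in IKE phase 1."""
    data = cookie_i + cookie_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cookie_i: bytes, cookie_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """The receiver hashes the address the packet actually came from and compares
    it with the hash the sender computed over its own (inside) address.
    A mismatch means a NAT rewrote the source address or port on the way."""
    sent = nat_d_hash(cookie_i, cookie_r, claimed_ip, claimed_port)
    observed = nat_d_hash(cookie_i, cookie_r, seen_ip, seen_port)
    return sent != observed


def encapsulate_ike(ike_msg: bytes) -> bytes:
    """IKE carried on UDP 4500 (RFC 3948 s.2.2) gets a 4-byte zero marker."""
    return NON_ESP_MARKER + ike_msg


def encapsulate_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """UDP-encapsulated ESP (RFC 3948 s.2.1): the ESP header sits directly in the
    UDP payload. SPI is never zero, so it can't be confused with the marker."""
    if spi == 0:
        raise ValueError("ESP SPI must be non-zero")
    return struct.pack("!II", spi, seq) + payload


def classify_udp4500(udp_payload: bytes) -> str:
    """How a receiver (or a firewall helper) tells IKE from ESP on port 4500."""
    if len(udp_payload) < 4:
        return "short"
    return "ike" if udp_payload[:4] == NON_ESP_MARKER else "esp"


class SimpleNat:
    """Toy port-overloading NAT. Every (inside ip, inside port) flow gets its own
    public source port, so several inside hosts can each hold a UDP 4500 flow to
    the same remote VPN gateway. Raw ESP has no ports to rewrite, which is why it
    needs a one-to-one redirect like the port-500 rule in the question."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (inside_ip, inside_port) -> public_port

    def outbound(self, inside_ip: str, inside_port: int):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

    def inbound(self, public_port: int):
        """Reverse lookup for replies from the remote gateway."""
        for (ip, port), pub in self.table.items():
            if pub == public_port:
                return ip, port
        return None


def demo():
    """Three workstations behind one public address, all running NAT-T.
    Returns {inside_ip: (public_port, nat_detected_by_peer)}."""
    nat = SimpleNat("203.0.113.10")  # constructed public address
    cky_i = bytes.fromhex("0011223344556677")  # constructed IKEv1 cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    results = {}
    for host in ("192.168.1.11", "192.168.1.12", "192.168.1.13"):
        pub_ip, pub_port = nat.outbound(host, 4500)
        results[host] = (pub_port, nat_detected(cky_i, cky_r, host, 4500, pub_ip, pub_port))
    return results


if __name__ == "__main__":
    for host, (port, natted) in demo().items():
        print(f"{host} -> public port {port}, NAT detected by peer: {natted}")
```

The reply path matters as much as the outbound one: because each workstation's flow has a distinct public port, `SimpleNat.inbound` can route the gateway's responses back to the right inside host without any per-host rule on the firewall, which is the behaviour the answer above says the client-side NAT-T setting provides.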

Author

Commented:
Digitap - Thanks for the info.  I will contact their IT staff and see if it resolves the issue.

Author

Commented:
My mistake in not closing the question and awarding points.

I would split the points between amold and bob.

Thanks!
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I do not agree. digitap's answer is correct, the other ones are not. You need NAT-T in the clients.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
