Solved

VPN Site to Site with Sonicwall Setup?

Posted on 2011-02-11
Last Modified: 2012-05-11
Hi I would like a few brief tips on a vpn setup that I am working on.

We have acquired a client that has 2 existing offices.... Both locations have sonicwall routers and are connected by VPN. We have now built a third office for this customer and have installed a sonicwall router as well. I have made sure that all 3 sites have different local subnets. I simply need to join office 3 to the others.

1. What is best practice?  Do I say connect to our primary office which in turn is already connected to office 2?
2. Perhaps a stupid question... but do I connect a VPN to both site 1 and 2? I am thinking this will cause problems.
3.  What is the procedure to connect the sonicwall vpn?  
Thanks!
Question by:j-teksolutions

23 Comments
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 333 total points
ID: 34871224
About 1. and 2.

Nothing stupid, the easiest thing to do is to create a full mesh (every site connected to every other). So from the two existing offices you create a new tunnel to the new office. No problems because you made sure the offices have different subnets.

3. Shouldn't be too difficult either:
http://www.markmmanning.com/blog/2008/05/setup-site-to-site-vpn-with-sonicwall.html
You just add a new tunnel to the existing config.
 

Author Comment

by:j-teksolutions
ID: 34871243
Thanks, great response - will each site have DHCP enabled locally, I assume, to provide IPs to the local LAN or subnet? I assume I need to ensure DHCP does not pass through the VPN tunnels?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34871267
Normally DHCP doesn't pass through VPN. It's a broadcast and those don't go through (unless you specifically set it up, but that's something you don't want to do ;)
 

Author Comment

by:j-teksolutions
ID: 34871275
great - I am going to attempt this in the afternoon will follow up
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34871289
I'll be waiting.... Well, depends on my local time ;)
 
LVL 33

Assisted Solution

by:digitap
digitap earned 167 total points
ID: 34871451
i agree with ernie's direction on your vpn setup and only want to clarify some things.  what model sonicwalls do you have?  also, what is the OS, standard or enhanced?  you can tell by logging onto the sonicwall and going to system > status.  all the information is on the right.

here's a step by step picture tutorial of setting up a site to site vpn.  it's of the newer OS, but the base principles are the same.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7902
 

Author Comment

by:j-teksolutions
ID: 34875561
Ok guys the TZ180 (main office) is the old os
The TZ100 (new third office) is the new os
The TZ180 (second office) also old os same as main site

Any tricks with the setup between the OLD and NEW?
 
LVL 33

Expert Comment

by:digitap
ID: 34876025
don't use any spaces in the vpn name.  if you need spaces, use underscores.  also, use aggressive mode as opposed to main mode.  i think that's it.

are these all enhanced OS?
 

Author Comment

by:j-teksolutions
ID: 34878604
digitap, please refer to the previous post from me regarding OS versions... this is the challenge: configuring the old OS to connect to the new and vice versa.
 

Author Comment

by:j-teksolutions
ID: 34878847
TZ100 (New OS): SonicOS Enhanced 5.5.1.0-5o

TZ180's (Old OS): SonicOS Standard OS 3.9.1.2-50s
 

Author Comment

by:j-teksolutions
ID: 34878877
An update - I really think I am close.
This is what I am seeing in the TZ 100 logs:

IKE Responder: Proposed IKE ID mismatch

Here's the thing - I have done a full comparison with both router VPN proposal pages side by side and they are identical!
 
LVL 33

Expert Comment

by:digitap
ID: 34879485
sorry, didn't realize "old" meant standard.  to me, tz180 IS old.

anywho, this message is most likely caused by the firewall names being mismatched.  Make sure that under VPN settings, the name is set to something unique and the VPN policy on each device has each other's appropriate name.
 

Author Comment

by:j-teksolutions
ID: 34879731
still no go....
Firewall names are correct... I wish the OSes were the same... they are so different it's hard to be sure that all settings on both sides are correct. I suppose running the VPN site to site wizard is useless?
 
LVL 33

Expert Comment

by:digitap
ID: 34879765
i don't know.  i usually create the vpns manually.  i don't think i've ever used the wizard on a vpn.  you might give that a try.  delete the vpn SAs on both ends and create from scratch manually.
 

Author Comment

by:j-teksolutions
ID: 34879859
The mode is set to MAIN on the working VPN between Site 1 and 2. Should I try "main mode" on site 3 instead of aggressive?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34879877
"I have done a full comparison with both router VPN proposal pages side by side and they are identical!"

Perhaps asking the obvious, but shouldn't they be identical but mirrored?

If I remember correctly:
Local IKE ID should match the Peer IKE ID on the initiator
Peer IKE ID should match the Local IKE ID on the initiator

Just brainstorming over here.
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 333 total points
ID: 34879885
If you have a static (public) address it could be better to use main mode (I think you have, because it's already on the other VPN).
 
LVL 33

Expert Comment

by:digitap
ID: 34879969
aggressive mode works just as well...it has less packet overhead too.  just make sure it's the same at both ends.
 
LVL 33

Expert Comment

by:digitap
ID: 34881279
to flesh this out some more, since you have three sites total, each sonicwall will have two vpn policies.  the phase 1 and phase 2 settings must match WITHIN each policy with the respective policy at the other end.
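The two points above (Ernie's "identical but mirrored" IKE IDs, and digitap's rule that each of the three firewalls carries two policies whose phase 1 and phase 2 settings must match the respective policy at the other end) lend themselves to a simple consistency check. The following Python script is an added example and is not part of this thread or of SonicWall's software; the site names, firewall identifiers, proposals and RFC 1918 subnets are constructed. It models each firewall's policies as records and reports every way a full mesh can be mis-mirrored: missing policies, IKE IDs that are not swapped between the two ends, differing exchange mode, differing phase 1 or phase 2 proposals, local/remote networks that are not mirrored, overlapping local subnets, and policy names containing spaces.

```python
"""Consistency check for a full mesh of IPsec site-to-site policies.

Constructed example (not the thread's real devices): three sites, each holding
one policy per peer. The mesh must satisfy the rules discussed in the thread:
IKE IDs mirrored between the two ends, exchange mode and phase 1 / phase 2
proposals matching within each policy pair, a policy from every site to every
other site, distinct local subnets, and no spaces in policy names.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class VpnPolicy:
    """One site-to-site policy as seen from the firewall that owns it."""
    name: str            # policy name; the thread advises underscores, not spaces
    local_ike_id: str    # identifier this firewall sends
    peer_ike_id: str     # identifier it expects from the other end
    exchange_mode: str   # "main" or "aggressive"; must match the peer
    phase1: tuple        # IKE proposal (dh_group, encryption, auth, lifetime_s)
    phase2: tuple        # IPsec proposal (protocol, encryption, auth, lifetime_s)
    local_subnet: str    # network this end advertises into the tunnel
    remote_subnet: str   # network reached through the tunnel


PHASE1 = ("group2", "aes256", "sha1", 28800)   # constructed, same on both ends
PHASE2 = ("esp", "aes256", "sha1", 28800)

SITES = {  # constructed: hypothetical firewall IDs and subnets per site
    "main":    ("main_fw",    "192.168.1.0/24"),
    "office2": ("office2_fw", "192.168.2.0/24"),
    "office3": ("office3_fw", "192.168.3.0/24"),
}


def policy(src, dst, mode="main"):
    """Build the policy that site src keeps toward site dst."""
    return VpnPolicy(name=f"{src}_to_{dst}",
                     local_ike_id=SITES[src][0], peer_ike_id=SITES[dst][0],
                     exchange_mode=mode, phase1=PHASE1, phase2=PHASE2,
                     local_subnet=SITES[src][1], remote_subnet=SITES[dst][1])


def build_mesh(fixed=True):
    """Full mesh of the three sites. With fixed=False the new office's policy
    toward main carries two mistakes of the kind the thread hit: a mistyped
    peer IKE ID and aggressive mode while the other end runs main mode."""
    mesh = {a: {b: policy(a, b) for b in SITES if b != a} for a in SITES}
    if not fixed:
        mesh["office3"]["main"] = replace(mesh["office3"]["main"],
                                          peer_ike_id="main-fw",
                                          exchange_mode="aggressive")
    return mesh


def check_mesh(mesh):
    """Return a list of findings; an empty list means the mesh is consistent."""
    findings = []
    names = sorted(mesh)
    for a in names:                       # every site needs a policy to every other
        for b in names:
            if a != b and b not in mesh[a]:
                findings.append(f"{a}: no policy toward {b}")
    for a, b in combinations(names, 2):   # each policy pair must mirror the other
        pa, pb = mesh[a].get(b), mesh[b].get(a)
        if pa is None or pb is None:
            continue
        for p in (pa, pb):
            if " " in p.name:
                findings.append(f"{p.name!r}: policy name contains a space")
        if pa.local_ike_id != pb.peer_ike_id:
            findings.append(f"{a}<->{b}: {a} sends IKE ID {pa.local_ike_id!r} "
                            f"but {b} expects {pb.peer_ike_id!r}")
        if pa.peer_ike_id != pb.local_ike_id:
            findings.append(f"{a}<->{b}: {b} sends IKE ID {pb.local_ike_id!r} "
                            f"but {a} expects {pa.peer_ike_id!r}")
        if pa.exchange_mode != pb.exchange_mode:
            findings.append(f"{a}<->{b}: exchange mode {pa.exchange_mode} "
                            f"vs {pb.exchange_mode}")
        if pa.phase1 != pb.phase1:
            findings.append(f"{a}<->{b}: phase 1 proposals differ")
        if pa.phase2 != pb.phase2:
            findings.append(f"{a}<->{b}: phase 2 proposals differ")
        if (ip_network(pa.local_subnet) != ip_network(pb.remote_subnet)
                or ip_network(pa.remote_subnet) != ip_network(pb.local_subnet)):
            findings.append(f"{a}<->{b}: local/remote networks are not mirrored")
    for a, b in combinations(names, 2):   # local subnets must not overlap
        nets_a = {ip_network(p.local_subnet) for p in mesh[a].values()}
        nets_b = {ip_network(p.local_subnet) for p in mesh[b].values()}
        if any(x.overlaps(y) for x in nets_a for y in nets_b):
            findings.append(f"{a} and {b} use overlapping local subnets")
    return findings


if __name__ == "__main__":
    for line in check_mesh(build_mesh(fixed=False)):
        print(line)
```

Run as a script it prints the two findings for the deliberately broken mesh (the IKE ID that the new office expects from main does not match what main sends, and the two ends disagree on exchange mode); the fixed mesh produces no findings. The same record layout can be filled in by hand from each firewall's VPN policy page when two firmware generations present the fields under different names.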
 

Author Closing Comment

by:j-teksolutions
ID: 34889069
Main mode did it!  thanks everyone for your help!
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34889093
Always glad if we can help someone :)
 
LVL 33

Expert Comment

by:digitap
ID: 34889256
thanks for the points!