• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 874

VPN Site to Site with Sonicwall Setup?

Hi, I would like a few brief tips on a VPN setup that I am working on.

We have acquired a client that has 2 existing offices. Both locations have SonicWall routers and are connected by VPN. We have now built a third office for this customer and have installed a SonicWall router as well. I have made sure that all 3 sites have different local subnets. I simply need to join office 3 to the others.

1. What is best practice? Do I just connect to our primary office, which in turn is already connected to office 2?
2. Perhaps a stupid question, but do I connect a VPN to both site 1 and site 2? I am thinking this will cause problems.
3. What is the procedure to connect the SonicWall VPN?
Thanks!
0
Asked: j-teksolutions
3 Solutions
 
Ernie Beek (Expert) commented:
About 1. and 2.

Nothing stupid, the easiest thing to do is to create a full mesh (every site connected to any other). So from the two existing offices you create a new tunnel to the new office. No problems because you made sure the offices have different subnets.

3. Shouldn't be too difficult as well:
http://www.markmmanning.com/blog/2008/05/setup-site-to-site-vpn-with-sonicwall.html
You just add a new tunnel to the existing config.
0
 
j-teksolutions (Author) commented:
Thanks, great response. Will each site have DHCP enabled locally, I assume, to provide IPs to the local LAN or subnet? I assume I need to ensure DHCP does not pass through the VPN tunnels?
0
 
Ernie Beek (Expert) commented:
Normally DHCP doesn't pass through VPN. It's a broadcast and those don't go through (unless you specifically set it up, but that's something you don't want to do ;)
0
 
j-teksolutions (Author) commented:
Great. I am going to attempt this in the afternoon and will follow up.
0
 
Ernie Beek (Expert) commented:
I'll be waiting.... Well, depends on my local time ;)
0
 
digitap commented:
I agree with Ernie's direction on your VPN setup and only want to clarify some things. What model SonicWalls do you have? Also, what is the OS, Standard or Enhanced? You can tell by logging onto the SonicWall and going to System > Status. All the information is on the right.

Here's a step-by-step picture tutorial of setting up a site-to-site VPN. It's for the newer OS, but the basic principles are the same.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7902
0
 
j-teksolutions (Author) commented:
OK guys, the TZ180 (main office) is the old OS.
The TZ100 (new third office) is the new OS.
The TZ180 (second office) is also the old OS, same as the main site.

Any tricks with the setup between the OLD and NEW?
0
 
digitap commented:
Don't use any spaces in the VPN name. If you need spaces, use underscores. Also, use aggressive mode as opposed to main mode. I think that's it.

Are these all Enhanced OS?
0
 
j-teksolutions (Author) commented:
digitap, please refer to my previous post regarding OS versions. This is the challenge: configuring the old OS to connect to the new, and vice versa.
0
 
j-teksolutions (Author) commented:
TZ100 (new OS): SonicOS Enhanced 5.5.1.0-5o

TZ180s (old OS): SonicOS Standard 3.9.1.2-50s
0
 
j-teksolutions (Author) commented:
An update: I really think I am close.
This is what I am seeing in the TZ100 logs:

IKE Responder: Proposed IKE ID mismatch

Here's the thing: I have done a full comparison with both routers' VPN proposal pages side by side and they are identical!
0
 
digitap commented:
Sorry, I didn't realize "old" meant Standard. To me, the TZ180 IS old.

Anyhow, this message is most likely caused by the firewall names being mismatched. Make sure that under VPN settings, the name is set to something unique, and that the VPN policy on each device has the other's appropriate name.
0
 
j-teksolutions (Author) commented:
Still no go.
Firewall names are correct. I wish the OSes were the same; they are so different it's hard to be sure that all settings on both sides are correct. I suppose running the site-to-site VPN wizard is useless?
0
 
digitap commented:
I don't know. I usually create the VPNs manually; I don't think I've ever used the wizard on a VPN. You might give that a try. Delete the VPN SAs on both ends and create them from scratch manually.
0
 
j-teksolutions (Author) commented:
The mode is set to Main on the working VPN between site 1 and site 2. Should I try main mode on site 3 instead of aggressive?
0
 
Ernie Beek (Expert) commented:
"I have done a full comparison with both router VPN proposal pages side by side and they are identical!"

Perhaps asking the obvious, but shouldn't they be identical but mirrored?

If I remember correctly:
Local IKE ID should match the Peer IKE ID on the initiator.
Peer IKE ID should match the Local IKE ID on the initiator.

Just brainstorming over here.
0
 
Ernie Beek (Expert) commented:
If you have a static (public) address it could be better to use main mode (I think you have one, because it's already used on the other VPN).
0
 
digitap commented:
Aggressive mode works just as well, and it has less packet overhead too. Just make sure it's the same at both ends.
0
 
digitap commented:
To flesh this out some more: since you have three sites total, each SonicWall will have two VPN policies. The phase 1 and phase 2 settings must match WITHIN each policy with the respective policy at the other end.
0
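The two points made above (IKE IDs are mirrored between the ends of a tunnel, not copied identically, and phase 1/phase 2 settings must agree within each policy pair of the full mesh) can be checked mechanically before touching the firewalls. The following is an added example, not code from the thread or from SonicWall: it models each firewall's VPN policies as plain Python dicts with constructed site names, IKE IDs, subnets and proposal strings, builds the three-site full mesh, and reports the mismatches that produce a "Proposed IKE ID mismatch" or a mode disagreement. The field names and sample values are assumptions chosen for illustration.

```python
"""Consistency check for a full-mesh set of site-to-site IPsec VPN policies.

Added example (not from the thread): verifies, for every pair of sites, that
  * a policy exists on BOTH firewalls (full mesh, two policies per box),
  * the local IKE ID on one end equals the peer IKE ID on the other end,
    and vice versa (mirrored, not identical),
  * exchange mode and phase 1 / phase 2 proposals match within the pair,
  * each policy points at the other site's subnet and has no spaces in its name,
  * the three local subnets do not overlap.
All site names, IDs, subnets and proposals below are constructed sample data.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample sites (placeholders, not real addresses or identifiers).
SITES = {
    "main":   {"ike_id": "fw-main",   "subnet": "192.168.1.0/24"},
    "second": {"ike_id": "fw-second", "subnet": "192.168.2.0/24"},
    "third":  {"ike_id": "fw-third",  "subnet": "192.168.3.0/24"},
}

# Settings that must be identical at both ends of one tunnel.
PHASE_KEYS = ("mode", "p1_proposal", "p2_proposal")


def make_policy(local, peer, mode="main",
                p1="AES-256/SHA1/DH2", p2="ESP-AES-256/SHA1"):
    """One VPN policy as configured on `local`, pointing at `peer`."""
    return {
        "name": f"{local}_to_{peer}",          # underscores, never spaces
        "local_ike_id": SITES[local]["ike_id"],
        "peer_ike_id": SITES[peer]["ike_id"],
        "remote_subnet": SITES[peer]["subnet"],
        "mode": mode, "p1_proposal": p1, "p2_proposal": p2,
    }


def full_mesh(sites):
    """policies[site][peer]: every site gets one policy to each other site."""
    return {s: {p: make_policy(s, p) for p in sites if p != s} for s in sites}


def check_subnets(sites):
    """Each site needs its own non-overlapping LAN, or routing is ambiguous."""
    problems = []
    for a, b in combinations(sites, 2):
        na, nb = ip_network(sites[a]["subnet"]), ip_network(sites[b]["subnet"])
        if na.overlaps(nb):
            problems.append(f"subnet overlap: {a} {na} / {b} {nb}")
    return problems


def check_policies(policies, sites):
    """Return mismatch descriptions for every site pair; [] means consistent."""
    problems = []
    for a, b in combinations(sites, 2):
        pa = policies.get(a, {}).get(b)
        pb = policies.get(b, {}).get(a)
        if pa is None or pb is None:
            problems.append(f"missing policy between {a} and {b}")
            continue
        # Mirrored IKE IDs: my local ID must be the other end's peer ID.
        if (pa["local_ike_id"] != pb["peer_ike_id"]
                or pb["local_ike_id"] != pa["peer_ike_id"]):
            problems.append(f"IKE ID mismatch between {a} and {b}")
        for key in PHASE_KEYS:
            if pa[key] != pb[key]:
                problems.append(f"{key} differs between {a} and {b}: "
                                f"{pa[key]} vs {pb[key]}")
        if (pa["remote_subnet"] != sites[b]["subnet"]
                or pb["remote_subnet"] != sites[a]["subnet"]):
            problems.append(f"remote subnet wrong between {a} and {b}")
        if " " in pa["name"] or " " in pb["name"]:
            problems.append(f"policy name contains spaces between {a} and {b}")
    return problems


def check_all(policies, sites):
    return check_subnets(sites) + check_policies(policies, sites)


def misconfigured_mesh():
    """Reproduce two mistakes discussed in the thread, both on the third site."""
    policies = full_mesh(SITES)
    # The other end's page was copied verbatim instead of mirrored.
    policies["third"]["main"]["local_ike_id"] = policies["main"]["third"]["local_ike_id"]
    # Exchange mode set to aggressive on one end only.
    policies["third"]["second"]["mode"] = "aggressive"
    return policies


if __name__ == "__main__":
    print("correct mesh:", check_all(full_mesh(SITES), SITES) or "OK")
    for line in check_all(misconfigured_mesh(), SITES):
        print("misconfigured mesh:", line)
```

Running the script prints nothing but "OK" for the correctly mirrored mesh and two findings for the deliberately broken one: an IKE ID mismatch on the main/third tunnel (the symptom logged in the thread) and a mode disagreement on the second/third tunnel, which is the kind of one-sided setting the final fix ("Main mode did it") corrected.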
 
j-teksolutions (Author) commented:
Main mode did it!  thanks everyone for your help!
0
 
Ernie Beek (Expert) commented:
Always glad if we can help someone :)
0
 
digitap commented:
Thanks for the points!
0
