Solved
Help Setting up a VPN Site-to-Site from Sonicwall TZ-100 to ISA 2004

Posted on 2011-02-18
1,293 Views
Last Modified: 2012-08-13
Hello:

I'm trying to establish a site-to-site VPN connection from a remote site using a SonicWall TZ-100 and the main site using an ISA Server 2004.

Here's the sites' network information:

Main Office Site:
External IP : 65.97.184.160
Gateway internal IP (ISA): 192.168.168.254
Subnet: 255.255.255.0

Remote Site:
External IP: 24.233.186.52
Gateway Internal IP: (sonicwall): 192.168.100.254
Subnet: 255.255.255.0

I created the following VPN site-to-site on ISA:
Name: REMOTE VPN

Address Range: 192.168.100.1~254

On the Connection TAB:
Remote Tunnel endpoint: 24.233.186.52
Local VPN Gateway IP address: 65.97.184.160

IPSec Setting:
Phase I Values:  
3DES
SHA1
Group2
Phase II Values
3DES
SHA1
Generate key every 3600 sec
PFS unchecked

Authentication TAB:
Use Preshared-key for authentication: 123456 (Not the real one)

On the ISA I Created a Network rule:

Sourcenetwork: Local Network
Destination Network: REMOTE VPN
Relation: Route

On the ISA Firewall policy created an access rule that allows all outbound traffic between the Local Host, the internal network and the REMOTE VPN networks.

On the Remote (SonicWall TZ-100):

I created an Address Object:

Name: Main Office LAN
Zone Assignment: VPN
Type: Range
Starting IP: 192.168.168.1
Ending IP: 192.168.168.254

And Finally Created a VPN Policy:

General TAB
Name: Main Office VPN
Type: Site-to-site
IPsec Primary Gateway Name or Address: 65.97.184.160
IPsec Secondary Gateway Name or Address: 0.0.0.0
Shared Secret: 123456 (Not the real one)
Local IKE ID: IP Address (Blank)
Peer IKE ID: IP Address (Blank)
Network TAB:
Local Network: Lan Primary SUBNET
Remote Network: Main Office LAN (object Created Before)

Proposal TAB:

IKE (Phase 1) Proposal
Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication: SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal
Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1
Enable Perfect Forward Secrecy: unchecked
Life Time (seconds): 28800

Advanced TAB

The Only thing checked is:

Enable Keep Alive: Checked
VPN Policy bound to: ZONE WAN

THE PROBLEM:

The site-to-site VPN never gets created. I try pinging the main site from the remote site and all I get is a timeout.

Am I missing something?

The log in the SonicWall shows:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Question by: segp
3 Comments
Accepted Solution by: digitap (LVL 33), earned 2000 total points
ID: 34934834
first, make sure your life time for both phase 1 and phase 2 at both ends is the same.

second, sonicwall does not recommend using an address object that specifies a range.  you want to specify a host or an entire network.

give those a shot and report the results.  you might also analyze the logs on the sonicwall.  it should report where your vpn is failing...i.e., phase 1 and/or phase 2.  i think right now, with the two points i made above, you're going to fail in phase 1 before you ever get to phase 2.
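Added example, not part of the thread and not SonicWall or ISA tooling: a small Python script that transcribes the two ends of the tunnel from the question above and checks them for the two problems the accepted solution points at, unequal lifetimes and traffic selectors defined as address ranges rather than whole networks. It also checks that each side's local selector mirrors the peer's remote selector, which the thread implies but does not spell out. The ISA Phase 1 lifetime is not stated in the question, so it is entered as None and reported as unverified; the ISA "Local Network" selector is assumed to be the whole 192.168.168.0/24 implied by the stated subnet mask. All values are constructed from the post, and the function names are the example's own.

```python
"""Compare both ends of an IKE/IPsec site-to-site policy for mismatches."""
import ipaddress
from typing import Optional

# Constructed from the question (not read from either device).
# None means the post does not state the value.
ISA_SIDE = {
    "phase1": {"encryption": "3DES", "auth": "SHA1", "dh_group": 2, "lifetime": None},
    "phase2": {"encryption": "3DES", "auth": "SHA1", "pfs": False, "lifetime": 3600},
    # "Local Network" assumed to be the full /24 implied by the 255.255.255.0 mask
    "local_selector": ("192.168.168.0", "192.168.168.255"),
    # "Address Range: 192.168.100.1~254"
    "remote_selector": ("192.168.100.1", "192.168.100.254"),
}
SONICWALL_SIDE = {
    "phase1": {"encryption": "3DES", "auth": "SHA1", "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "3DES", "auth": "SHA1", "pfs": False, "lifetime": 28800},
    # "LAN Primary Subnet"
    "local_selector": ("192.168.100.0", "192.168.100.255"),
    # Address object of type Range, 192.168.168.1 - 192.168.168.254
    "remote_selector": ("192.168.168.1", "192.168.168.254"),
}


def compare_phase(name: str, a: dict, b: dict) -> list:
    """Return one finding per parameter that differs (or is unknown) between the peers."""
    findings = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va is None or vb is None:
            findings.append(f"{name}.{key}: not recorded on one side, verify manually")
        elif va != vb:
            findings.append(f"{name}.{key}: {va} != {vb}")
    return findings


def range_as_network(start: str, end: str) -> Optional[ipaddress.IPv4Network]:
    """Return the CIDR network if start..end is exactly one network, else None.

    A range like .1-.254 summarizes into many small prefixes, which is why a
    Range address object does not behave like a Network object in a selector.
    """
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets[0] if len(nets) == 1 else None


def selector_findings(label_a: str, a: dict, label_b: str, b: dict) -> list:
    """Check that selectors are whole networks and that the two ends mirror each other."""
    findings = []
    for label, side in ((label_a, a), (label_b, b)):
        for which in ("local_selector", "remote_selector"):
            start, end = side[which]
            if range_as_network(start, end) is None:
                findings.append(
                    f"{label} {which} {start}-{end} is not a single CIDR network; "
                    "use a network/subnet object")
    # Each side's local selector must be exactly the peer's remote selector.
    for which_a, which_b in (("local_selector", "remote_selector"),
                             ("remote_selector", "local_selector")):
        if a[which_a] != b[which_b]:
            findings.append(
                f"{label_a} {which_a} {a[which_a]} does not match "
                f"{label_b} {which_b} {b[which_b]}")
    return findings


def audit(side_a: dict, side_b: dict, label_a: str = "ISA", label_b: str = "SonicWall") -> list:
    """Run all checks and return the combined list of findings (empty when consistent)."""
    findings = compare_phase("phase1", side_a["phase1"], side_b["phase1"])
    findings += compare_phase("phase2", side_a["phase2"], side_b["phase2"])
    findings += selector_findings(label_a, side_a, label_b, side_b)
    return findings


if __name__ == "__main__":
    for finding in audit(ISA_SIDE, SONICWALL_SIDE):
        print("MISMATCH:", finding)
```

Run as-is it reports the Phase 2 lifetime (3600 vs 28800), the unrecorded ISA Phase 1 lifetime, both range-based remote selectors, and the resulting selector mismatches; once both remote objects are whole /24 networks and the lifetimes agree, `audit()` returns an empty list. Reading the SonicWall log for where negotiation stops (Phase 1 or Phase 2), as digitap suggests, is still the faster first step on a live device.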
Author Comment by: segp (LVL 1)
ID: 34943061
Digitap:

Thank you for your answer, you were right; as soon as I changed the address object to an entire network, the VPN started working right away.
Expert Comment by: digitap (LVL 33)
ID: 34943279
great...glad it's working and thanks for the points!