  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1296

Help Setting up a VPN Site-to-Site from Sonicwall TZ-100 to ISA 2004

Hello:

I'm trying to establish a site-to-site VPN connection from a remote site using a SonicWall TZ-100 to the main site using an ISA Server 2004.

Here's the sites' network information:

Main Office Site:
External IP : 65.97.184.160
Gateway internal IP (ISA): 192.168.168.254
Subnet: 255.255.255.0

Remote Site:
External IP: 24.233.186.52
Gateway Internal IP (SonicWall): 192.168.100.254
Subnet: 255.255.255.0

I created the following VPN site-to-site on ISA:
Name: REMOTE VPN

Address Range: 192.168.100.1~254

On the Connection TAB:
Remote Tunnel endpoint: 24.233.186.52
Local VPN Gateway IP address: 65.97.184.160

IPSec Setting:
Phase I Values:  
3DES
SHA1
Group2
Phase II Values
3DES
SHA1
Generate key every 3600 sec
PFS unchecked

Authentication TAB:
Use Preshared-key for authentication: 123456 (Not the real one)

On the ISA I Created a Network rule:

Sourcenetwork: Local Network
Destination Network: REMOTE VPN
Relation: Route

On the ISA firewall policy, I created an access rule that allows all outbound traffic between the Local Host, the Internal network and the REMOTE VPN networks.

On the remote side (SonicWall TZ-100):

I created an Address Object:

Name: Main Office LAN
Zone Assignment: VPN
Type: Range
Starting IP: 192.168.168.1
Ending IP: 192.168.168.254

And finally I created a VPN Policy:

General TAB
Name: Main Office VPN
Type: Site-to-site
IPsec Primary Gateway Name or Address: 65.97.184.160
IPsec Secondary Gateway Name or Address: 0.0.0.0
Shared Secret: 123456 (Not the real one)
Local IKE ID: IP Address (Blank)
Peer IKE ID: IP Address (Blank)
Network TAB:
Local Network: Lan Primary SUBNET
Remote Network: Main Office LAN (object Created Before)

Proposal TAB:

IKE (Phase 1) Proposal
Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication: SHA1
Life Time (seconds): 28800

Ipsec (Phase 2) Proposal
Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1
Enable Perfect Forward Secrecy: unchecked
Life Time (seconds): 28800

Advanced TAB

The Only thing checked is:

Enable Keep Alive: Checked
VPN Policy bound to: Zone WAN

THE PROBLEM:

The site-to-site VPN never gets created. I try pinging the main site from the remote site and all I get is timeouts.

Am I missing something?

The log in the SonicWall shows:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Asked by: segp
1 Solution
digitap Commented:
First, make sure your life time for both phase 1 and phase 2 at both ends is the same.

Second, SonicWall does not recommend using an address object that specifies a range. You want to specify a host or an entire network.

Give those a shot and report the results. You might also analyze the logs on the SonicWall. It should report where your VPN is failing, i.e., phase 1 and/or phase 2. I think right now, with the two points I made above, you're going to fail in phase 1 before you ever get to phase 2.
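A consistency check of the two configurations posted in the question, written here as an added example (it is not code from the thread or from either vendor): it compares each phase's proposal field by field and shows why a .1-.254 host range is not a single subnet. ISA's Phase 1 lifetime is not stated in the post and is assumed equal to the SonicWall's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import List, Optional

@dataclass(frozen=True)
class Proposal:
    """One IKE (Phase 1) or IPsec (Phase 2) proposal as entered on a gateway."""
    encryption: str
    auth: str
    dh_group: Optional[str]   # Phase 2: None means PFS disabled
    lifetime: int             # seconds

def compare_phase(name: str, local: Proposal, peer: Proposal) -> List[str]:
    """Describe every parameter on which the two ends of one phase disagree."""
    issues = []
    for field in ("encryption", "auth", "dh_group", "lifetime"):
        a, b = getattr(local, field), getattr(peer, field)
        if a != b:
            issues.append(f"{name} {field} mismatch: {a} (local) vs {b} (peer)")
    return issues

def enclosing_network(first_ip: str, last_ip: str):
    """Smallest single prefix covering a host range (what a network object should be)."""
    first, last = ip_address(first_ip), ip_address(last_ip)
    for prefix in range(first.max_prefixlen, -1, -1):
        net = ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net

def check_selector(first_ip: str, last_ip: str) -> List[str]:
    """Flag a range object that does not map onto exactly one subnet."""
    pieces = list(summarize_address_range(ip_address(first_ip), ip_address(last_ip)))
    if len(pieces) == 1:
        return []
    return [f"range {first_ip}-{last_ip} is {len(pieces)} prefixes, not one subnet; "
            f"use network {enclosing_network(first_ip, last_ip)} instead"]

# Values from the post. ISA's Phase 1 lifetime is not stated there; assumed 28800.
SONICWALL_P1 = Proposal("3DES", "SHA1", "Group 2", 28800)
SONICWALL_P2 = Proposal("3DES", "SHA1", None, 28800)      # PFS unchecked
ISA_P1 = Proposal("3DES", "SHA1", "Group 2", 28800)       # assumed lifetime
ISA_P2 = Proposal("3DES", "SHA1", None, 3600)             # "Generate key every 3600 sec"

def audit() -> List[str]:
    """Run both phase comparisons plus the remote-network selector check."""
    return (compare_phase("Phase 1", SONICWALL_P1, ISA_P1)
            + compare_phase("Phase 2", SONICWALL_P2, ISA_P2)
            + check_selector("192.168.168.1", "192.168.168.254"))

if __name__ == "__main__":
    for line in audit() or ["no mismatches found"]:
        print(line)
```

Running it reports the Phase 2 lifetime mismatch (28800 vs 3600) and that the 192.168.168.1-254 range breaks into many prefixes, which is what the accepted answer asks to be corrected.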
segp (Author) Commented:
Digitap:

Thank you for your answer, you were right. As soon as I changed the address object to an entire network, the VPN started working right away.
digitap Commented:
great...glad it's working and thanks for the points!