Solved

Help Setting up a VPN Site-to-Site from Sonicwall TZ-100 to ISA 2004

Posted on 2011-02-18
Last Modified: 2012-08-13
Hello:

I'm trying to establish a site-to-site VPN connection from a remote site using a SonicWall TZ-100 and the main site using an ISA Server 2004.

Here's the sites network information:

Main Office Site:
External IP : 65.97.184.160
Gateway internal IP (ISA): 192.168.168.254
Subnet: 255.255.255.0

Remote Site:
External IP: 24.233.186.52
Gateway Internal IP: (sonicwall): 192.168.100.254
Subnet: 255.255.255.0

I created the following VPN site-to-site on ISA:
Name: REMOTE VPN

Address Range: 192.168.100.1~254

On the Connection TAB:
Remote Tunnel endpoint: 24.233.186.52
Local VPN Gateway IP address: 65.97.184.160

IPSec Setting:
Phase I Values:  
3DES
SHA1
Group2
Phase II Values
3DES
SHA1
Generate key every 3600 sec
PFS unchecked

Authentication TAB:
Use Preshared-key for authentication: 123456 (Not the real one)

On the ISA I Created a Network rule:

Sourcenetwork: Local Network
Destination Network: REMOTE VPN
Relation: Route

On the ISA Firewall policy created an access rule that allows all outbound traffic between the Local Host, the internal network and the REMOTE VPN networks.

On the Remote (SonicWall TZ-100):

I created an Address Object:

Name: Main Office LAN
Zone Assignment: VPN
Type: Range
Starting IP: 192.168.168.1
Ending IP: 192.168.168.254

And Finally Created a VPN Policy:

General TAB
Name: Main Office VPN
Type: Site-to-site
IPsec Primary Gateway Name or Address: 65.97.184.160
IPsec Secondary Gateway Name or Address: 0.0.0.0
Shared Secret:123456 (Not the real one)
Local IKE ID: IP Address (Blank)
Peer IKE ID: IP Address (Blank)
Network TAB:
Local Network: Lan Primary SUBNET
Remote Network: Main Office LAN (object Created Before)

Proposal TAB:

IKE (Phase 1) Proposal
Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication: SHA1
Life Time (seconds): 28800

Ipsec (Phase 2) Proposal
Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1
Enable Perfect Forward Secrecy: unchecked
Life Time (seconds): 28800

Advanced TAB

The Only thing checked is:

Enable Keep Alive  : Checked
VPN Policy bound to:  ZONE WAN

THE PROBLEM:

The site-to-site VPN never gets created. I try pinging the main site from the remote site and all I get is a timeout.

Am I missing something?

The log in the SonicWall shows:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Question by:segp
3 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34934834
first, make sure your life time for both phase 1 and phase 2 at both ends is the same.

second, sonicwall does not recommend using an address object that specifies a range.  you want to specify a host or an entire network.

give those a shot and report the results.  you might also analyze the logs on the sonicwall.  it should report where your vpn is failing...i.e., phase 1 and/or phase 2.  i think right now, with the two points i made above, you're going to fail in phase 1 before you ever get to phase 2.
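The two checks in the accepted answer (matching lifetimes in both phases, and no range-type address object) can be applied mechanically to the proposals the poster listed. The following is an added example, not code from the thread or from SonicWall/Microsoft; the values are copied from the question, and the ISA Phase 1 lifetime, which the post does not state, is left as None so the checker reports it as unverifiable rather than guessing.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Proposal:
    encryption: str
    auth: str
    lifetime: Optional[int]          # seconds; None = not stated in the post
    dh_group: Optional[str] = None   # Phase 2 carries one only when PFS is on
    pfs: Optional[bool] = None       # Phase 2 only

@dataclass
class Peer:
    name: str
    phase1: Proposal
    phase2: Proposal
    remote_object_type: Optional[str] = None  # "host", "network" or "range"

def _norm(v):
    # "Group2" (ISA wording) and "Group 2" (SonicWall wording) are the same value
    return v.lower().replace(" ", "") if isinstance(v, str) else v

def check_peers(a: Peer, b: Peer) -> List[str]:
    """Return findings to fix before the tunnel can negotiate; [] means the proposals agree."""
    findings = []
    fields = {"Phase 1": ["encryption", "auth", "dh_group", "lifetime"],
              "Phase 2": ["encryption", "auth", "lifetime", "pfs"]}
    if a.phase2.pfs or b.phase2.pfs:
        fields["Phase 2"].append("dh_group")   # with PFS on, the group must match too
    for phase, names in fields.items():
        pa, pb = (a.phase1, b.phase1) if phase == "Phase 1" else (a.phase2, b.phase2)
        for f in names:
            va, vb = getattr(pa, f), getattr(pb, f)
            if va is None or vb is None:
                who = a.name if va is None else b.name
                findings.append(f"{phase} {f}: not stated for {who}, cannot verify")
            elif _norm(va) != _norm(vb):
                findings.append(f"{phase} {f} mismatch: {a.name}={va} vs {b.name}={vb}")
    for p in (a, b):
        if p.remote_object_type == "range":   # digitap's second point
            findings.append(f"{p.name}: remote network is an address range; "
                            "use a host or whole-network object")
    return findings

# Constructed from the values in the question; not a captured configuration.
ISA = Peer("ISA 2004", Proposal("3DES", "SHA1", None, "Group2"),
           Proposal("3DES", "SHA1", 3600, pfs=False))
SONICWALL = Peer("SonicWall TZ-100", Proposal("3DES", "SHA1", 28800, "Group 2"),
                 Proposal("3DES", "SHA1", 28800, pfs=False), remote_object_type="range")

if __name__ == "__main__":
    for line in check_peers(ISA, SONICWALL):
        print(line)
```

Run against the posted settings it reports the Phase 2 lifetime mismatch (3600 vs 28800) and the range-type object, which are the two items the answer told the poster to change.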
 
LVL 1

Author Comment

by:segp
ID: 34943061
Digitap:

Thank you for your answer, you were right; as soon as I changed the address object to an entire network, the VPN started working right away.
 
LVL 33

Expert Comment

by:digitap
ID: 34943279
great...glad it's working and thanks for the points!
