Help Setting up a VPN Site-to-Site from Sonicwall TZ-100 to ISA 2004

Posted on 2011-02-18
Last Modified: 2012-08-13
Hello:

I'm trying to establish a site-to-site VPN connection from a remote site using a SonicWall TZ-100 to the main site using an ISA Server 2004.

Here's the sites' network information:

Main Office Site:
External IP : 65.97.184.160
Gateway internal IP (ISA): 192.168.168.254
Subnet: 255.255.255.0

Remote Site:
External IP: 24.233.186.52
Gateway internal IP (SonicWall): 192.168.100.254
Subnet: 255.255.255.0

I created the following VPN site-to-site on ISA:
Name: REMOTE VPN

Address Range: 192.168.100.1~254

On the Connection TAB:
Remote Tunnel endpoint: 24.233.186.52
Local VPN Gateway IP address: 65.97.184.160

IPSec Setting:
Phase I Values:  
3DES
SHA1
Group2
Phase II Values
3DES
SHA1
Generate key every 3600 sec
PFS unchecked

Authentication TAB:
Use pre-shared key for authentication: 123456 (Not the real one)

On the ISA I Created a Network rule:

Sourcenetwork: Local Network
Destination Network: REMOTE VPN
Relation: Route

On the ISA firewall policy I created an access rule that allows all outbound traffic between the Local Host, Internal and REMOTE VPN networks.

On the remote site (SonicWall TZ-100):

I created an address object:

Name: Main Office LAN
Zone Assignment: VPN
Type: Range
Starting IP: 192.168.168.1
Ending IP: 192.168.168.254

And finally created a VPN policy:

General TAB
Name: Main Office VPN
Type: Site-to-site
IPsec Primary Gateway Name or Address: 65.97.184.160
IPsec Secondary Gateway Name or Address: 0.0.0.0
Shared Secret:123456 (Not the real one)
Local IKE ID: IP Address (Blank)
Peer IKE ID: IP Address (Blank)
Network TAB:
Local Network: LAN Primary Subnet
Remote Network: Main Office LAN (the object created above)

Proposal TAB:

IKE (Phase 1) Proposal
Exchange:  Main Mode
DH Group:  Group 2
Encryption:  3DES
Authentication: SHA1
Life Time (seconds): 28800

Ipsec (Phase 2) Proposal
Protocol:  ESP
Encryption:  3DES
Authentication:  SHA1
Enable Perfect Forward Secrecy: unchecked
Life Time (seconds): 28800

Advanced TAB

The Only thing checked is:

Enable Keep Alive  : Checked
VPN Policy bound to:  ZONE WAN

THE PROBLEM:

The site-to-site VPN never gets created; I try pinging the main site from the remote site and all I get is timeouts.

Am I missing something?

The log in the SonicWall shows:
NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal
Question by: segp

Accepted Solution by: digitap
First, make sure your lifetime for both phase 1 and phase 2 at both ends is the same.

Second, SonicWall does not recommend using an address object that specifies a range. You want to specify a host or an entire network.

Give those a shot and report the results. You might also analyze the logs on the SonicWall; it should report where your VPN is failing, i.e., phase 1 and/or phase 2. I think right now, with the two points I made above, you're going to fail in phase 1 before you ever get to phase 2.
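The two checks in the accepted answer, written out as a small offline script so they can be re-run against any pair of configs. This is an added example, not code from the post, from SonicWall or from Microsoft. The proposal values are transcribed from the question; the ISA phase 1 lifetime is not stated in the post, so it is recorded as None rather than guessed. The reason the range object matters is that IKEv1 gateways normally send phase 2 identities (traffic selectors) as a single host or a single subnet, and 192.168.168.1-254 is not a subnet: the script shows how many CIDR prefixes it actually takes to express that range.

```python
"""Sanity check for an IKEv1 site-to-site pair (constructed example).

1. Phase 1 and phase 2 proposals, including lifetimes, must match on both ends.
2. The remote-network object should be a whole subnet or a host, not a range.
Values below are transcribed from the post; anything the post does not state
(the ISA phase 1 lifetime) is recorded as None, not guessed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str
    auth: str
    lifetime: Optional[int]          # seconds; None = not stated in the post
    dh_group: Optional[int] = None   # phase 1 DH group, or phase 2 PFS group
    pfs: bool = False                # phase 2 only


@dataclass(frozen=True)
class Gateway:
    name: str
    phase1: Proposal
    phase2: Proposal


def _norm(value: str) -> str:
    # "SHA1" / "sha-1" / "3DES" / "3des" all name the same algorithm.
    return value.strip().lower().replace("-", "")


def compare_phase(label: str, a: Proposal, b: Proposal) -> List[str]:
    """Return human-readable mismatches between one phase's proposals."""
    issues = []
    for field in ("encryption", "auth"):
        va, vb = getattr(a, field), getattr(b, field)
        if _norm(va) != _norm(vb):
            issues.append(f"{label}: {field} mismatch ({va} vs {vb})")
    if a.dh_group != b.dh_group:
        issues.append(f"{label}: DH/PFS group mismatch ({a.dh_group} vs {b.dh_group})")
    if a.pfs != b.pfs:
        issues.append(f"{label}: PFS enabled on one side only")
    if a.lifetime is None or b.lifetime is None:
        issues.append(f"{label}: lifetime not verifiable (one side not recorded)")
    elif a.lifetime != b.lifetime:
        issues.append(f"{label}: lifetime mismatch ({a.lifetime}s vs {b.lifetime}s)")
    return issues


def compare_gateways(a: Gateway, b: Gateway) -> List[str]:
    """Phase 1 issues first, then phase 2, in the order IKE would hit them."""
    return (compare_phase("phase 1", a.phase1, b.phase1)
            + compare_phase("phase 2", a.phase2, b.phase2))


def range_to_subnets(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR prefixes that exactly covers first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def selector_issue(first: str, last: str) -> Optional[str]:
    """A range that is not itself one subnet cannot be sent as a single
    host/subnet phase 2 identity; report that, or None if it is fine."""
    nets = range_to_subnets(first, last)
    if len(nets) == 1:
        return None
    return (f"range {first}-{last} is not a single subnet; it splits into "
            f"{len(nets)} prefixes ({nets[0]} ... {nets[-1]}); use the whole "
            f"network instead")


# Values transcribed from the post (the ISA phase 1 lifetime is not shown there).
ISA = Gateway("ISA 2004",
              Proposal("3DES", "SHA1", lifetime=None, dh_group=2),
              Proposal("3DES", "SHA1", lifetime=3600))
SONICWALL = Gateway("SonicWall TZ-100",
                    Proposal("3DES", "SHA1", lifetime=28800, dh_group=2),
                    Proposal("3DES", "SHA1", lifetime=28800))

if __name__ == "__main__":
    for issue in compare_gateways(ISA, SONICWALL):
        print("PROPOSAL:", issue)
    for first, last in [("192.168.168.1", "192.168.168.254"),
                        ("192.168.168.0", "192.168.168.255")]:
        print("SELECTOR:", selector_issue(first, last) or f"{first}-{last} is one subnet")
```

Run as-is it reports the phase 2 lifetime mismatch (ISA rekeys every 3600 s, the SonicWall proposes 28800 s), notes that the ISA phase 1 lifetime cannot be checked from what the post shows, and shows that the .1-.254 range object needs 14 separate prefixes while 192.168.168.0/24 is a single selector, which is exactly the change that made the tunnel come up.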
Author Comment by: segp
Digitap:

Thank you for your answer. You were right: as soon as I changed the address object to an entire network, the VPN started working right away.
Expert Comment by: digitap
Great, glad it's working, and thanks for the points!