Solved

Site-to-Site VPN w/ two Sonicwall TZ 100 devices - need beginner help

Posted on 2011-03-08
11
2,173 Views
Last Modified: 2012-05-11
I have been doing networking for a while, but am fairly new to VPN setup/config.  I've been asked to help a friend set up what I believe is a simple site-to-site VPN between their north & south side offices.

I'm using two Sonicwall TZ 100 devices and I cannot make this work properly.  Both ends are behind DSL modems and are double NATed - I cannot get around this limitation.  I have forwarded the external IPs to the WAN port on the TZ 100s.

From what I've read, I need to set up my VPN on each device to point to the other, using different subnets.  I've done that such that:

North Office: 192.168.10.0/24
South Office: 192.168.20.0/24

I've set up DynDNS accounts for each, and in my VPN setup my IPsec primary gateway for each end is the other's DynDNS domain.

I'm not 100% sure how I should be setting up the "Network" tab.  Right now it's set to "firewalled subnets" for local and a group I created with the opposite end's IP range for remote.

I see failed IKE connection attempts in the logs, but the VPN itself never comes up.

I don't know if I'm making this more difficult than it needs to be, but I cannot figure it out.  Does anyone have any good advice or a walkthrough on setting up a point-to-point VPN using the TZ100s?

Here's a snippet of the log from the south office:

15      03/08/2011 21:22:32.736      Warning      VPN IKE      IKE Responder: Proposed IKE ID mismatch      x.x.x.x, 500      y.y.y.y, 500      VPN Policy: ticketsnorth; Local ID: 99.61.213.116;Remote ID: 192.168.1.2
16      03/08/2011 21:22:32.464      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
17      03/08/2011 21:22:26.192      Info      VPN IKE      IKE negotiation aborted due to timeout      y.y.y.y, 500      x.x.x.x, 500      VPN Policy: ticketsnorth              
18      03/08/2011 21:22:15.448      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
19      03/08/2011 21:22:06.464      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
20      03/08/2011 21:22:01.560      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      x.x.x.x, 500      y.y.y.y, 500                     
21      03/08/2011 21:21:52.192      Info      VPN IKE      IKE Initiator: Remote party timeout - Retransmitting IKE request.      y.y.y.y, 500      x.x.x.x, 500      VPN Policy: ticketsnorth
Question by:jcazzell
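As an added example, not part of the thread or of SonicWall's own tooling: a small Python triage script that parses IKE log lines like the ones quoted above and flags the pattern they show, a "Proposed IKE ID mismatch" in which the remote peer's ID is a private (RFC 1918) address, i.e. the NAT'd side identifying itself by its post-NAT address, together with the phase 1 timeouts. The sample lines are constructed from the quoted log, and splitting columns on tabs or runs of spaces is an assumption about the export format.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the log quoted in the question; tab-separated columns are an assumption.
SAMPLE_LOG = """\
15\t03/08/2011 21:22:32.736\tWarning\tVPN IKE\tIKE Responder: Proposed IKE ID mismatch\tx.x.x.x, 500\ty.y.y.y, 500\tVPN Policy: ticketsnorth; Local ID: 99.61.213.116;Remote ID: 192.168.1.2
16\t03/08/2011 21:22:32.464\tInfo\tVPN IKE\tIKE Responder: Received Main Mode request (Phase 1)\tx.x.x.x, 500\ty.y.y.y, 500
17\t03/08/2011 21:22:26.192\tInfo\tVPN IKE\tIKE negotiation aborted due to timeout\ty.y.y.y, 500\tx.x.x.x, 500\tVPN Policy: ticketsnorth
"""

ID_RE = re.compile(r"Local ID:\s*([^;]+?)\s*;\s*Remote ID:\s*(\S+)")
POLICY_RE = re.compile(r"VPN Policy:\s*([^;]+)")

def parse_line(line: str) -> Optional[dict]:
    """Split one log line on tabs or runs of spaces; None if it has too few columns."""
    cols = [c.strip() for c in re.split(r"\t|\s{2,}", line.strip()) if c.strip()]
    if len(cols) < 7:
        return None
    return {"message": cols[4], "notes": cols[7] if len(cols) > 7 else ""}

def is_private(identifier: str) -> bool:
    """True only for a private IP address; FQDN or KeyID style identifiers give False."""
    try:
        return ipaddress.ip_address(identifier).is_private
    except ValueError:
        return False

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (policy, kind, detail) findings for failed IKE phase 1 attempts."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pm = POLICY_RE.search(rec["notes"])
        policy = pm.group(1).strip() if pm else "?"
        if "Proposed IKE ID mismatch" in rec["message"]:
            m = ID_RE.search(rec["notes"])
            if m and is_private(m.group(2)):
                # The peer behind NAT presents its private address as its IKE ID, which
                # cannot match the public gateway address this policy expects.
                detail = (f"remote ID {m.group(2)} is a private address: peer is behind "
                          "NAT, so the ID sent does not match the configured peer gateway")
            else:
                detail = rec["notes"]
            findings.append((policy, "id_mismatch", detail))
        elif "timeout" in rec["message"].lower():
            findings.append((policy, "timeout", rec["message"]))
    return findings
```

Run `triage(SAMPLE_LOG)` against an export from each end; a mismatch finding with a private remote ID on the responder side is the signature of the double-NAT problem discussed in this thread.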
11 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 35078968
go to the sonicwall on both ends and review VPN > Advanced. is NAT Traversal enabled? do you have the SA configured in aggressive mode or main mode? edit the VPN policies and review the third tab. it will be the first option.
 

Author Comment

by:jcazzell
ID: 35084124
I've got NAT traversal turned on for both devices.  It seems to make no difference either way.

I've tried both aggressive & main mode.  Right now on both ends IKE phase 1 is set to:

Aggressive mode / Group 2 / 3DES / SHA-1 / 28800

IPsec phase 2 is set to:

ESP / 3DES / SHA-1 / 28800

How should I have the "networks" tab on the VPN policies screen set?  At the moment it's "LAN subnets" for local and "north" or "south" for remote (depending on the device).  These are defined as the internal IP subnet for the respective network (e.g. 192.168.10.0/24 or 192.168.20.0/24).

Are there any default firewall settings that need to be enabled/disabled?  I just can't quite wrap my head around what's wrong here.
 
LVL 8

Accepted Solution

by:
dosdet2 earned 250 total points
ID: 35084135
Your DSL Modems should be set to bridge mode so that the public IP sits on the Sonicwall's WAN port.  

You might be able to get it working without this, but it's going to be so much easier and more stable if the Sonicwalls host the public IPs.  

Most modems have this capability.  What make and model are your modems?
 

Author Comment

by:jcazzell
ID: 35084289
I can bridge the modem at the south location - it's a Speedstream that I know supports that.  At the north location it's a very (very) old Motorola Surfboard DSL modem/router on which I can find no identifying model numbers, just the FCC ID (GZ53347).

I've been around and around its config options and do not see a way to bridge it.  I think I have access to another DSL modem which will bridge - I can test it to see if that corrects the issue or moves me further along to correcting the issue.
 
LVL 33

Assisted Solution

by:digitap
digitap earned 250 total points
ID: 35084611
dosdet2 hit on where i was going...eventually. IPSec doesn't like NAT. it's the primary reason this is failing. you have to bridge one side, which may not work either. bridge the side you know you can bridge. configure it in aggressive mode, with 0.0.0.0 as the primary IP within the SA. then, on the non-bridged side, you configure it to initiate the VPN. what you hope is for it to be similar to a remote client connecting to your sonicwall when they are behind a NAT'ing router.
 
LVL 33

Expert Comment

by:digitap
ID: 35084622
and, if this configuration doesn't work, then you have to replace the old DSL modem with something that will bridge. putting the WAN interface of the sonicwall directly on the internet will guarantee your vpn will connect.
 
LVL 33

Expert Comment

by:digitap
ID: 35090884
B? take a look at this: http://www.experts-exchange.com/help.jsp#hs=29&hi=403

our answers were EXACTLY what you did per your explanation here, http:#a35090589.
 
LVL 33

Expert Comment

by:digitap
ID: 35116647
thanks!
 

Author Comment

by:jcazzell
ID: 35119401
Sorry for the screw-up on my part all.  I asked a mod to re-grade this.  I did not read the guidelines for grading ahead of this and for that I sincerely apologize.

 
LVL 33

Expert Comment

by:digitap
ID: 35119434
no worries. hope i wasn't too harsh...working on that and not perfected yet.