troubleshooting Question
Site-to-Site VPN w/ two Sonicwall TZ 100 devices - need beginner help
I have been doing networking for a while, but am fairly new to VPN setup/config. I've been asked to help a friend setup what I believe is a simple site-to-site VPN between their north & south side offices.
I'm using two Sonicwall TZ 100 devices and I cannot make this work properly. Both ends are behind DSL modems and are double NATed - I cannot get around this limitation. I have forwarded the external IPs to the WAN port on the TZ 100s.
From what I've read, I need to setup my VPN on each device to point to the other, using different subnets. I've done that such that:
North Office: 192.168.10.0/24
South Office: 192.168.20.0/24
I've setup DynDNS accounts for each and in my VPN setup my IPsec primary gateway for each end is the other's dyndns domain.
I'm not 100% sure how I should be setting up the "Network" tab. Right now it's set to "firewalled subnets" for local and a group I created with the opposite ends IP range for remote.
I see failed IKE connection attempts in the logs, but the VPN itself never comes up.
I don't know if I'm making this more difficult than it needs to be, but I cannot figure it out. Does anyone have any good advice or a walk through on setting up a point-to-point VPN using the TZ100s?
Here's a snipping of the log from the south office:
15 03/08/2011 21:22:32.736 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch x.x.x.x, 500 y.y.y.y, 500 VPN Policy: ticketsnorth; Local ID:
99.61.213.116;Remote ID: 192.168.1.2
00
16 03/08/2011 21:22:32.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
17 03/08/2011 21:22:26.192 Info VPN IKE IKE negotiation aborted due to timeout y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
18 03/08/2011 21:22:15.448 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
19 03/08/2011 21:22:06.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
20 03/08/2011 21:22:01.560 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
21 03/08/2011 21:21:52.192 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
I'm using two Sonicwall TZ 100 devices and I cannot make this work properly. Both ends are behind DSL modems and are double NATed - I cannot get around this limitation. I have forwarded the external IPs to the WAN port on the TZ 100s.
From what I've read, I need to setup my VPN on each device to point to the other, using different subnets. I've done that such that:
North Office: 192.168.10.0/24
South Office: 192.168.20.0/24
I've setup DynDNS accounts for each and in my VPN setup my IPsec primary gateway for each end is the other's dyndns domain.
I'm not 100% sure how I should be setting up the "Network" tab. Right now it's set to "firewalled subnets" for local and a group I created with the opposite ends IP range for remote.
I see failed IKE connection attempts in the logs, but the VPN itself never comes up.
I don't know if I'm making this more difficult than it needs to be, but I cannot figure it out. Does anyone have any good advice or a walk through on setting up a point-to-point VPN using the TZ100s?
Here's a snipping of the log from the south office:
15 03/08/2011 21:22:32.736 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch x.x.x.x, 500 y.y.y.y, 500 VPN Policy: ticketsnorth; Local ID:
99.61.213.116;Remote ID: 192.168.1.2
00
16 03/08/2011 21:22:32.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
17 03/08/2011 21:22:26.192 Info VPN IKE IKE negotiation aborted due to timeout y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
18 03/08/2011 21:22:15.448 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
19 03/08/2011 21:22:06.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
20 03/08/2011 21:22:01.560 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
21 03/08/2011 21:21:52.192 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 10 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.