asked on
Site-to-Site VPN w/ two Sonicwall TZ 100 devices - need beginner help
I have been doing networking for a while, but am fairly new to VPN setup/config. I've been asked to help a friend setup what I believe is a simple site-to-site VPN between their north & south side offices.
I'm using two Sonicwall TZ 100 devices and I cannot make this work properly. Both ends are behind DSL modems and are double NATed - I cannot get around this limitation. I have forwarded the external IPs to the WAN port on the TZ 100s.
From what I've read, I need to setup my VPN on each device to point to the other, using different subnets. I've done that such that:
North Office: 192.168.10.0/24
South Office: 192.168.20.0/24
I've setup DynDNS accounts for each and in my VPN setup my IPsec primary gateway for each end is the other's dyndns domain.
I'm not 100% sure how I should be setting up the "Network" tab. Right now it's set to "firewalled subnets" for local and a group I created with the opposite ends IP range for remote.
I see failed IKE connection attempts in the logs, but the VPN itself never comes up.
I don't know if I'm making this more difficult than it needs to be, but I cannot figure it out. Does anyone have any good advice or a walk through on setting up a point-to-point VPN using the TZ100s?
Here's a snipping of the log from the south office:
15 03/08/2011 21:22:32.736 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch x.x.x.x, 500 y.y.y.y, 500 VPN Policy: ticketsnorth; Local ID:
99.61.213.116;Remote ID: 192.168.1.2
00
16 03/08/2011 21:22:32.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
17 03/08/2011 21:22:26.192 Info VPN IKE IKE negotiation aborted due to timeout y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
18 03/08/2011 21:22:15.448 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
19 03/08/2011 21:22:06.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
20 03/08/2011 21:22:01.560 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
21 03/08/2011 21:21:52.192 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
I'm using two Sonicwall TZ 100 devices and I cannot make this work properly. Both ends are behind DSL modems and are double NATed - I cannot get around this limitation. I have forwarded the external IPs to the WAN port on the TZ 100s.
From what I've read, I need to setup my VPN on each device to point to the other, using different subnets. I've done that such that:
North Office: 192.168.10.0/24
South Office: 192.168.20.0/24
I've setup DynDNS accounts for each and in my VPN setup my IPsec primary gateway for each end is the other's dyndns domain.
I'm not 100% sure how I should be setting up the "Network" tab. Right now it's set to "firewalled subnets" for local and a group I created with the opposite ends IP range for remote.
I see failed IKE connection attempts in the logs, but the VPN itself never comes up.
I don't know if I'm making this more difficult than it needs to be, but I cannot figure it out. Does anyone have any good advice or a walk through on setting up a point-to-point VPN using the TZ100s?
Here's a snipping of the log from the south office:
15 03/08/2011 21:22:32.736 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch x.x.x.x, 500 y.y.y.y, 500 VPN Policy: ticketsnorth; Local ID:
99.61.213.116;Remote ID: 192.168.1.2
00
16 03/08/2011 21:22:32.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
17 03/08/2011 21:22:26.192 Info VPN IKE IKE negotiation aborted due to timeout y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
18 03/08/2011 21:22:15.448 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
19 03/08/2011 21:22:06.464 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
20 03/08/2011 21:22:01.560 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) x.x.x.x, 500 y.y.y.y, 500
21 03/08/2011 21:21:52.192 Info VPN IKE IKE Initiator: Remote party timeout - Retransmitting IKE request. y.y.y.y, 500 x.x.x.x, 500 VPN Policy: ticketsnorth
VPN
Last Comment
digitap
go to the sonicwall on both ends and review VPN > Advanced. is NAT Traversal enabled? do tyou have the SA configured in aggressive mode or main mode? edit the VPN policies and review the third tab. it will be the first option.
ASKER
I've got NAT traversal turned on for both devices. It seems to make no difference either way.
I've tried both aggressive & main mode. Right now on both ends IKE phase 1 is set to:
Aggressive mode / Group 2 / 3DES / SHA-1 / 28800
IPsec phase 2 is set to:
ESP / 3DES / SHA-1 / 28800
How should I have the "networks" tab on the VPN policies screen set? At the moment it's "LAN subnets" for local and "north" or "south" for remote (depending on the device). These are defined as the internal IP subnet for the respective network (e.g. 192.168.10.0/24 or 192.168.20.0/24).
Are there any default firewall settings that need to be enabled/disabled? I just can't quite wrap my head around what's wrong here.
I've tried both aggressive & main mode. Right now on both ends IKE phase 1 is set to:
Aggressive mode / Group 2 / 3DES / SHA-1 / 28800
IPsec phase 2 is set to:
ESP / 3DES / SHA-1 / 28800
How should I have the "networks" tab on the VPN policies screen set? At the moment it's "LAN subnets" for local and "north" or "south" for remote (depending on the device). These are defined as the internal IP subnet for the respective network (e.g. 192.168.10.0/24 or 192.168.20.0/24).
Are there any default firewall settings that need to be enabled/disabled? I just can't quite wrap my head around what's wrong here.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I can bridge the modem at the south location - it's a Speedstream that I know supports that. At the north location it's a very (very) old Motorola surfboard DSL modem/router on which I can find no identifying model numbers, just the FCC ID (GZ53347)
I've been around and around it's config options and do not see a way to bridge it. I think I have access to another DSL modem which will bridge - I cat test it to see if that corrects the issue or moves me further along to correcting the issue.
I've been around and around it's config options and do not see a way to bridge it. I think I have access to another DSL modem which will bridge - I cat test it to see if that corrects the issue or moves me further along to correcting the issue.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
and, if this configuration doesn't work, then you have to replace the old DSL modem with something that will bridge. putting the WAN interface of the sonicwall directly on the internet will guarantee your vpn will connect.
B? take a look at this: https://www.experts-exchange.com/help.jsp#hs=29&hi=403
our answers were EXACTLY what you did per your explanation here, http:#a35090589.
our answers were EXACTLY what you did per your explanation here, http:#a35090589.
thanks!
ASKER
Sorry for the screw-up on my part all. I asked a mod to re-grade this. I did not read the guidelines for grading ahead of this and for that I sincerely apologize.
no worries. hope i wasn't too harsh...working on that and not perfected yet.