How to set up an IPSEC tunnel between a Windows 2008 R2 server and a Sonicwall NSA 240
Posted on 2011-03-19
Three attempts have been made to do this. Sonicwall in a FAQ said that it is possible and to contact a Windows consultant to set it up due to the complexity.
The Sonicwall Global client requires an account to stay logged in to the server all the time. This isn't acceptable.
Using an L2TP connection and RRAS Dial on Demand will not work. An L2TP connection created from the Network and Sharing Center WILL work, but only one way. The server is able to ping nodes on the LAN behind the Sonicwall but not vice versa. A packet capture shows that the Sonicwall is dropping the packets. What is interesting is that given a long enough time the pings will actually start to work. After opening a case with Sonicwall, they said that an L2TP tunnel is only good for one-way communication.
If you use Windows Firewall "Secure Connection" policies, you can create a connection but with the same problem. The server can ping the LAN behind the Sonicwall but not vice versa. However, the Sonicwall does not drop these packets. The packets make it to the server and Microsoft's monitor shows the IKE packets being received. The server doesn't respond to them.
If you use the IP Security Policy, so far the Sonicwall just reports "NO_PROPOSAL_CHOOSEN". So I have yet to find the magic setting to make this establish a tunnel.
For Phase one I use:
Group2, 3DES, SHA1, Pre-shared Key
I have 4 different ways that ALMOST work. It is hard to believe they are so close but still don't work.
This project is to enable us to connect to hosted Virtual Machines we rent from a vendor.
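The NO_PROPOSAL_CHOSEN response mentioned above is the responder's answer when none of the initiator's Phase 1 transforms matches every attribute of its own policy. The following is an added model of that selection step, not code from the original post or from either vendor; the policies and the Windows transform list are constructed to mirror the Phase 1 settings given above (DH group 2, 3DES, SHA1, pre-shared key), and real implementations also compare lifetime, which is deliberately left out here.

```python
"""Model of IKEv1 Phase 1 (Main Mode) proposal selection.

The responder walks the initiator's transforms in order and picks the
first one whose every attribute it is configured to accept. If none
matches, it answers NO_PROPOSAL_CHOSEN. The reasons list mimics what a
troubleshooting log should say about each rejected transform.
"""
from typing import Dict, List, Optional, Set, Tuple

# Attributes compared here. Lifetime handling differs between vendors
# (some accept a shorter responder lifetime), so it is not modelled.
ATTRS = ("enc", "hash", "dh_group", "auth")


def select_proposal(
    initiator: List[Dict[str, str]], responder: Dict[str, Set[str]]
) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Return (chosen_transform, reasons); chosen is None on no match."""
    reasons: List[str] = []
    for i, t in enumerate(initiator, start=1):
        bad = [a for a in ATTRS if t.get(a) not in responder[a]]
        if not bad:
            return t, reasons  # first full match wins
        detail = ", ".join(
            f"{a}={t.get(a)!r} not in {sorted(responder[a])}" for a in bad
        )
        reasons.append(f"transform {i} rejected: {detail}")
    reasons.append("NO_PROPOSAL_CHOSEN")
    return None, reasons


# Constructed: the Phase 1 transform the Windows side offers.
WINDOWS_PHASE1 = [
    {"enc": "3DES", "hash": "SHA1", "dh_group": "2", "auth": "PSK"},
]
# Constructed: a responder policy left at a different DH group.
SONICWALL_MISMATCH = {
    "enc": {"3DES"}, "hash": {"SHA1"}, "dh_group": {"5"}, "auth": {"PSK"},
}
# Constructed: the same policy after aligning DH group 2 on both ends.
SONICWALL_ALIGNED = {
    "enc": {"3DES"}, "hash": {"SHA1"}, "dh_group": {"2"}, "auth": {"PSK"},
}

if __name__ == "__main__":
    for name, pol in (("mismatch", SONICWALL_MISMATCH),
                      ("aligned", SONICWALL_ALIGNED)):
        chosen, why = select_proposal(WINDOWS_PHASE1, pol)
        print(name, "->", chosen if chosen else "; ".join(why))
```

The rejection reasons name the first attribute that disagrees, which is the value to compare on both devices before changing anything else.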