SonicWall VPN behind Motorola Clear Modem

I've got an interesting situation with a client. While they are waiting for a more permanent location for a small office, they are trying to create a site-to-site VPN between a SonicWall TZ 180 and a SonicWall 1260. The catch is that the Clear 4G modem cannot go into a transparent or bridged mode, so the WAN port on the 180 must take a LAN IP from the Motorola modem.

I'm looking for the best way to get a site-to-site VPN between this device and a 1260 that is sitting with a public IP. I can get SonicWall GVC to connect from behind the 180, but can't get the 180 and 1260 to connect.

Errors include, from the TZ 180:
IKE Responder: Proposed IKE ID mismatch
Received unencrypted packet while crypto active
NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device

From the 1260:
IKE Responder: Proposed IKE ID mismatch

I've tried putting the 180 in the Motorola's DMZ, and I've tried port forwarding UDP 500 and IP 50 from the Motorola to the 180, with similar results. I might not have done either function correctly.

Any and all direction and guidance is appreciated.

Dylan
dpedersen13 Asked:

BWaring Commented:
I'm pretty sure that this cannot be done. If you cannot get a public IP to the WAN side of the SW, it is not going to work. As you mentioned, without transparent mode on the Motorola, the NAT is going to get in the way. I have tried this in the past, with support from SW, and it was not able to work. We eventually brought in a separate cable Internet connection to get that office up on the VPN....
0
dpedersen13 (Author) Commented:
That's sort of where I think I'm headed. NAT traversal with the IPsec wrapped in UDP is supposed to work, I'm just having a hard time making it happen.
0
dpedersen13 (Author) Commented:
Fixed it!

Here is what I did to get the SonicWall site-to-site VPN with one SonicWall behind NAT to work.
After setting all settings the way I would without NAT, I had to make the following modifications:
1. In Phase 1 proposals, set both to aggressive mode.
2. Change the name of the VPN connection to match the unique firewall identifier on the OTHER SonicWall, on both SonicWalls.
3. On my enhanced OS, I had to make the PEER IKE ID equal the internal IP of the SonicWall behind the NAT.

Fired right up.

I used SonicWall's guide "Troubleshooting Guide IKE VPN initialization"
http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_22908592.html
and a night's sleep to get it to work.
0
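
An added illustration, not code from the thread or from SonicWall, of why the logged errors appear and why step 3 clears them: RFC 3947 NAT-D hashes expose the NAT, and an IKE ID taken from the hidden unit's own WAN address no longer matches the address the public peer sees. The addresses, cookies, SHA-1 as the negotiated hash, and the premise that the unit behind NAT proposes its WAN address as its IKE ID are all assumptions made for the example.

```python
import hashlib
import socket
import struct

# Constructed sample values (documentation address ranges, not from the thread).
CKY_I, CKY_R = bytes(range(8)), bytes(range(8, 16))   # initiator/responder cookies
BRANCH_WAN = ("192.168.15.2", 500)     # private address handed out by the modem
MODEM_PUBLIC = ("198.51.100.7", 500)   # public side of the NAT device
HQ_PUBLIC = ("203.0.113.10", 500)      # gateway that holds a public IP

def natd_hash(ip, port):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    data = CKY_I + CKY_R + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()  # assumption: SHA-1 is the negotiated hash

def check_received(natd_dst, natd_src, seen_src, local):
    """Compare the sender's NAT-D hashes with what the receiver observes."""
    return {
        "local_behind_nat": natd_dst != natd_hash(*local),
        "peer_behind_nat": natd_src != natd_hash(*seen_src),
    }

def branch_view():
    # HQ addressed the modem's public IP; the branch unit received it on its
    # private WAN address, so the destination hash does not match.
    return check_received(natd_dst=natd_hash(*MODEM_PUBLIC),
                          natd_src=natd_hash(*HQ_PUBLIC),
                          seen_src=HQ_PUBLIC, local=BRANCH_WAN)

def hq_view():
    # The branch hashed its private source address; HQ sees the modem's
    # public address on the wire, so the source hash does not match.
    return check_received(natd_dst=natd_hash(*HQ_PUBLIC),
                          natd_src=natd_hash(*BRANCH_WAN),
                          seen_src=MODEM_PUBLIC, local=HQ_PUBLIC)

def ike_id_matches(proposed_id, configured_peer_id):
    """A responder accepts only the IKE ID it has configured for the peer."""
    return proposed_id == configured_peer_id

if __name__ == "__main__":
    print("branch:", branch_view())
    print("hq:    ", hq_view())
    # Peer IKE ID left at the address HQ sees on the wire: mismatch.
    print("id ok (public):  ", ike_id_matches(BRANCH_WAN[0], MODEM_PUBLIC[0]))
    # Peer IKE ID set to the branch unit's internal WAN address: match.
    print("id ok (internal):", ike_id_matches(BRANCH_WAN[0], BRANCH_WAN[0]))
```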


BWaring Commented:
That's great! Better than SonicWall could do themselves (at least the two guys I spoke with there).... now you've given me something to do... I've got to try to replicate this.... thanks
0
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
BBQPM Commented:
I run into the same situation.

1.) You can indeed put the Clear modem into routed bridge mode so the SW will be able to obtain a public IP address, and the VPN will work that way. However, the problem I have is that SIP UDP port 5060 is somehow filtered.
0