  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 291

SonicWall VPN connection

I have a lab with 2 SonicWalls. I want to be able to set up a VPN tunnel between the 2 devices. They are connected together via the WAN port and I am able to ping each other's interface, 1.1.1.1/24 and 1.1.1.2/24. I configured the VPN tunnel on both devices but it never activates; I don't see anything in the log either. Any ideas?
Asked by: zingab
1 Solution
 
itmaximum commented:
Try this out... your issue isn't really just the interfaces....


Here is an example of an IPsec VPN:

untrust SW1 - 1.1.1.1/30    <-> untrust Sw2 1.1.1.2/30

SW1  
default route 0.0.0.0 -> untrust gateway -> 1.1.1.2

SW2
default route 0.0.0.0 -> untrust gateway -> 1.1.1.1

now
the networks behind each firewall should be different
SW1  local trust  1.10.1.1/24  
SW2  local trust  1.20.1.1/24

policies:   should show  

SW1 trust to untrust (bi directional) so traffic is in and out
1.10.1.0/24  <->  1.20.1.0/24

SW2
1.20.1.0/24  <->  1.10.1.0/24

----------------

Your phase 1 policy should have NAT traversal enabled if your boxes are set up with NAT.

Make sure phase 1 and phase 2 policies are using the same protocols.

It's just basic, but it should work for any IPsec nailed-up VPN.
0
 
itmaximum commented:
The 1st set of IPs with the /30 are the interfaces, to be clear.
0
 
itmaximum commented:
And finally, going over your description once more, the VPN isn't really seen from "inside" the boxes.
The interfaces are considered "outside" the VPN.

The VPN is a tunnel with the interfaces as an end point for each side, so what has to happen is that the nodes within the LAN behind each firewall are what use the VPN.
One way to make the SA come up is to source a ping from the trusted interface to the other Sonic firewall's trusted interface (these are the interfaces on the LAN side).

0
digitap commented:
To confirm the proper steps, here is an article to set up with the wizard:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4102

Here is an article for manually setting up the VPN:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5857

Is the LAN subnet different on the two SonicWall appliances? They don't share a common switch, do they?
0
 
digitap commented:
To clarify, the LAN of each isn't sharing a common switch? I'm certain the WAN is since they have the same IP or are on the same subnet.
0
 
zingab (Author) commented:
The LAN subnets on each side are different; only the WANs are on the same subnet. I have set up lots of these VPN tunnels in the past, so I am confident the configuration is correct. This is in a lab with both WAN interfaces plugged into a switch. I can ping each WAN interface from each SonicWall.
0
 
digitap commented:
OK, then let's look at the log. Can you post errors here indicating where the VPN is failing, Phase 1 or Phase 2? Additionally, what are the errors indicating specifically?

Another dumb question: is the LAN subnet of each SonicWall different than the WAN subnets?
0
 
zingab (Author) commented:
Yes, both LANs are different than the WAN... I don't see anything in the logs; I go into logs and filter via VPN and nothing comes up.
0
 
itmaximum commented:
So you have verified what we have talked about?

Because pinging from interface to interface just means your interfaces see each other and that's it;
basically just step 1.

All the rest is what we are asking about... you have basically given no information in that regard.

0
 
digitap commented:
Let's make sure we're getting all the logging information we can. Go to Log > Categories and check the boxes at the top of each column, selecting all the subsequent rows. Then make sure the settings are saved and go back to Log.

If you aren't seeing any entries, then it's not even trying to route to your subnet on the other side. Doing so would cause the VPN to initialize. This says routing problem to me. What are the LAN subnets you have configured? What do you have selected for Local Networks and Destination Networks within the SA policies of each SonicWall?
0
 
itmaximum commented:
Can you describe the physical setup, ergo:

LAN1
 |
Switch1
 |
Sonicwall-1
|
Sonicwall-2
 |
switch2
 |
lan2

That's your topology, correct? That's at least what I am assuming it is.
0
 
digitap commented:
Oh, one other thing. To see if it is a routing problem and not a simple VPN config problem, you could enable Keep Alive on one of the policies and have it initiate the VPN itself. This should spawn something in the logs.
0
 
zingab (Author) commented:
Will try, but I don't think it's a routing issue since I can ping each other's interface and each WAN gateway is the other SonicWall's WAN interface.
0
 
digitap commented:
If the VPN doesn't initialize and you don't see it at least try within the log, then something's not configured properly somewhere on the SonicWall within the SA, LAN, WAN... something.

We can't see what you see right now and, at this point, you've not shared any of the configuration settings of the SonicWall except the WAN interface, which has obviously been changed to protect the innocent. We provide suggestions but you shoot them down. We could do this all day, but we'll get to it faster if you help us by giving us more config information as we've asked.
0
 
zingab (Author) commented:
LAN 1 10.0.0.0/24, WAN 1 1.1.1.1
LAN 2 10.0.0.5/24, WAN 2 1.1.1.2

VPN 1: Gateway 1.1.1.2
VPN 2: Gateway 1.1.1.1

0
 
digitap commented:
Your LAN subnets are the same, zingab. 10.0.0.x/24 is the subnet, and 10.0.0.0 and 10.0.0.5 are in the same subnet. When you try to ping a host on the other side, it's routing it locally and not sending it over the VPN. Unless you've got a typo.
0
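The checks itmaximum lists in the accepted answer (distinct LAN subnets behind each firewall, peer gateway pointing at the other side's WAN address, NAT traversal when a side is behind NAT, matching phase 1 and phase 2 proposals) and digitap's diagnosis just above (two LANs that collapse into the same /24 never trigger the tunnel) can be scripted as a pre-flight check on a tunnel definition. The following is an added example, not code from this thread or from SonicWall; the `Endpoint` structure, its field names, the proposal strings and the lab values are all constructed for illustration, and it also covers the identifier mismatch that the asker later reports as the root cause.

```python
"""Pre-flight check for a pair of site-to-site IPsec tunnel endpoints.

Added example, not code from this thread or from SonicWall. The Endpoint
structure, field names and all sample values are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Endpoint:
    name: str
    wan: str                 # WAN interface address with prefix, e.g. "1.1.1.1/24"
    lan: str                 # LAN subnet behind this firewall
    peer_gateway: str        # remote WAN address the VPN policy points at
    local_id: str            # identifier this side presents in IKE phase 1
    expected_peer_id: str    # identifier this side expects from the peer
    phase1: Tuple[str, ...]  # IKE proposal (encryption, hash, DH group), constructed
    phase2: Tuple[str, ...]  # IPsec proposal (encryption, authentication), constructed
    behind_nat: bool = False
    nat_traversal: bool = False


def check_pair(a: Endpoint, b: Endpoint) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    a_wan = ipaddress.ip_interface(a.wan)
    b_wan = ipaddress.ip_interface(b.wan)
    # strict=False turns a host-style entry such as 10.0.0.5/24 into its network, 10.0.0.0/24
    a_lan = ipaddress.ip_network(a.lan, strict=False)
    b_lan = ipaddress.ip_network(b.lan, strict=False)

    # Overlapping LAN subnets: hosts treat the far side as local, so the firewall
    # never sees traffic destined for the tunnel and the SA is never brought up.
    if a_lan.overlaps(b_lan):
        findings.append(f"LAN subnets overlap: {a_lan} and {b_lan}")

    for ep, lan, wan, other_wan in ((a, a_lan, a_wan, b_wan), (b, b_lan, b_wan, a_wan)):
        # A LAN that overlaps the WAN subnet breaks routing towards the peer gateway.
        if lan.overlaps(wan.network):
            findings.append(f"{ep.name}: LAN {lan} overlaps WAN subnet {wan.network}")
        # The policy's gateway must be the peer's WAN address and sit on the local WAN subnet.
        gw = ipaddress.ip_address(ep.peer_gateway)
        if gw != other_wan.ip:
            findings.append(f"{ep.name}: peer gateway {gw} is not the remote WAN address {other_wan.ip}")
        if gw not in wan.network:
            findings.append(f"{ep.name}: peer gateway {gw} is not on the local WAN subnet {wan.network}")
        # NAT traversal must be enabled when this side sits behind NAT.
        if ep.behind_nat and not ep.nat_traversal:
            findings.append(f"{ep.name}: behind NAT but NAT traversal is disabled")

    # Both sides must use identical phase 1 and phase 2 proposals.
    if a.phase1 != b.phase1:
        findings.append(f"phase 1 proposal mismatch: {a.phase1} vs {b.phase1}")
    if a.phase2 != b.phase2:
        findings.append(f"phase 2 proposal mismatch: {a.phase2} vs {b.phase2}")

    # Identifier mismatch: phase 1 authentication fails before any SA exists.
    if a.local_id != b.expected_peer_id:
        findings.append(f"identifier mismatch: {a.name} sends '{a.local_id}', {b.name} expects '{b.expected_peer_id}'")
    if b.local_id != a.expected_peer_id:
        findings.append(f"identifier mismatch: {b.name} sends '{b.local_id}', {a.name} expects '{a.expected_peer_id}'")
    return findings


def lab_config(lan2: str = "10.0.5.0/24", sw1_local_id: str = "1.1.1.1") -> Tuple[Endpoint, Endpoint]:
    """Constructed two-firewall lab modelled on the thread: WANs 1.1.1.1/24 and 1.1.1.2/24
    back to back, LAN 1 = 10.0.0.0/24; LAN 2 and SW1's identifier are the variables."""
    proposal1 = ("aes256", "sha1", "group2")  # constructed sample proposal
    proposal2 = ("aes256", "sha1")
    sw1 = Endpoint("SW1", "1.1.1.1/24", "10.0.0.0/24", "1.1.1.2",
                   sw1_local_id, "1.1.1.2", proposal1, proposal2)
    sw2 = Endpoint("SW2", "1.1.1.2/24", lan2, "1.1.1.1",
                   "1.1.1.2", "1.1.1.1", proposal1, proposal2)
    return sw1, sw2


if __name__ == "__main__":
    # The mistyped lab (LAN 2 entered as 10.0.0.5/24) collapses both LANs into 10.0.0.0/24.
    for f in check_pair(*lab_config(lan2="10.0.0.5/24")):
        print("typo config:", f)
    # Distinct LANs, but SW1 presents a hostname identifier the peer does not expect.
    for f in check_pair(*lab_config(sw1_local_id="sonicwall-1")):
        print("identifier config:", f)
    print("corrected config findings:", check_pair(*lab_config()))
```

Run against the mistyped lab the only finding is the LAN overlap, which matches digitap's reading that traffic is routed locally and the log stays empty; with the corrected 10.0.5.0/24 and matching identifiers the list is empty. The identifier check is deliberately a plain string comparison: whichever identifier type is chosen (hostname or IP), what one side sends must be exactly what the other side is configured to expect, which is the condition the asker eventually satisfied by switching both sides to IP.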
 
zingab (Author) commented:
I'm sorry, I have a typo: 10.0.0.0/24 and 10.0.5.0/24.
0
 
zingab (Author) commented:
I resolved it on my own. For some reason the SonicWall identifier was not working; I changed it to IP and it connected right up.
0
 
digitap commented:
The logs would have revealed this.
0
 
zingab (Author) commented:
I can give you credit, I just didn't see it... please let me know if you would like your assistance awarded points.

thanks for your help
0
 
digitap commented:
Not necessary. If you didn't see it, then it must not have been there. Please proceed to close the question accepting your solution, http:#a35695023. It's hard to say what the right answer is here. Without proof, you're merely giving points based on effort, and EE protocol dictates awarding points based on correct solutions, not effort.

If you had to choose the IP for the identifier, then it could possibly have been a firmware issue where a newer version would have fixed it. I never asked what model of appliances you were using or if they were Enhanced/Standard OS.

At any rate, glad you got it! That's the whole point, right?!? >GRIN<
0
 
zingab (Author) commented:
Thanks again!
0
 
Qlemo (C++ Developer) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
