zingab
asked on
sonicwall vpn connection
I have a lab with 2 SonicWalls. I want to be able to set up a VPN tunnel between the 2 devices; they are connected together via the WAN port and I am able to ping each other's interface, 1.1.1.1/24 and 1.1.1.2/24. I configure the VPN tunnel on both devices but it never activates, and I don't see anything in the log either. Any ideas?
The 1st set of IPs with the /30 are the interfaces, to be clear.
And finally, going over your description once more: the VPN isn't really seen from "inside" the boxes.
The interfaces are considered "outside" the VPN.
The VPN is a tunnel with the interfaces as an endpoint for each side, so what has to happen is that the nodes within the LAN behind each firewall are what use the VPN.
One way to make the SA come up is to source a ping from the trusted interface to the other SonicWall's trusted interface (these are the interfaces on the LAN side).
To confirm the proper steps, here is an article on setting it up with the wizard:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=4102,
here is an article for manually setting up the vpn:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5857.
Is the LAN subnet different on the two sonicwall appliances? They don't share a common switch do they?
To clarify, the LAN of each isn't sharing a common switch? I'm certain the WAN is since they have the same IP or are on the same subnet.
ASKER
The LAN subnets on each side are different; only the WANs are on the same subnet. I have set up lots of these VPN tunnels in the past, so I am confident the configuration is correct. This is in a lab with both WAN interfaces plugged into a switch. I can ping each WAN interface from each SonicWall.
OK, then let's look at the log. Can you post errors here indicating where the VPN is failing, Phase 1 or Phase 2. Additionally, what the errors are indicating specifically.
Another dumb question, is the LAN subnet of each sonicwall different than the WAN subnets?
ASKER
Yes, both LANs are different than the WAN. I don't see anything in the logs; I go into Logs and filter by VPN and nothing comes up.
So you have verified what we have talked about?
Because pinging from interface to interface just means your interfaces see each other, and that's it.
That's basically just step 1.
All the rest is what we are asking about; you have basically given no information in that regard.
Let's make sure we're getting all the logging information we can. Go to Log > Categories and check the boxes at the top of each column selecting all the subsequent rows. Then, make sure the settings are saved and go back to Log.
If you aren't seeing any entries, then it's not even trying to route to your subnet on the other side. Doing so would cause the VPN to initialize. This says routing problem to me. What are the LAN subnets you have configured? What do you have selected for Local Networks and Destination Networks in the SA policies of each SonicWall?
Can you describe the physical setup, e.g.
LAN1
|
Switch1
|
Sonicwall-1
|
Sonicwall-2
|
switch2
|
lan2
That's your topology, correct? That's at least what I am assuming it is.
Oh, one other thing. To see if it is a routing problem and not a simple VPN config problem, you could enable Keep Alive on one of the policies and have it initiate the VPN itself. This should spawn something on the logs.
ASKER
Will try, but I don't think it's a routing issue since I can ping each other's interface and each WAN gateway is the other SonicWall's WAN interface.
If the VPN doesn't initialize and you don't see it at least try within the log, then something's not configured properly somewhere on the sonicwall within the SA, LAN, WAN...something.
We can't see what you see right now and, at this point, you've not shared any of the configuration settings of the sonicwall except the WAN interface which have obviously been changed to protect the innocent. We provide suggestions but you shoot them down. We could do this all day, but we'll get to it faster if you help us by giving us more config information as we've asked.
ASKER
LAN 1 10.0.0.0/24, WAN 1 1.1.1.1
LAN 2 10.0.0.5/24, WAN 2 1.1.1.2
VPN 1 gateway 1.1.1.2
VPN 2 gateway 1.1.1.1
Your LAN subnets are the same, zingab. 10.0.0.x/24 is the subnet, and 10.0.0.0 and 10.0.0.5 are in the same subnet. When you try to ping a host on the other side, it's routing it locally and not sending it over the VPN. Unless you've got a typo.
ASKER
I'm sorry, I have a typo: 10.0.0.0/24 and 10.0.5.0/24.
ASKER CERTIFIED SOLUTION
The logs would have revealed this.
ASKER
I can give you credit, I just didn't see it. Please let me know if you would like your assistance awarded points.
thanks for your help
Not necessary. If you didn't see it, then it must not have been there. Please proceed to close the question accepting your solution, http:#a35695023. It's hard to say what the right answer is here. Without proof, you're merely giving points based on effort and EE protocol dictates awarding points based on correct solutions not effort.
If you had to choose the IP for the identifier, then it could possibly have been a firmware issue where a newer version would have fixed it. I never asked what model of appliances you were using or whether they were on the Enhanced or Standard OS.
At any rate, glad you got it! That's the whole point, right?!? >GRIN<
ASKER
Thanks again!
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Here is an example of an IPsec VPN:
untrust SW1 1.1.1.1/30 <-> untrust SW2 1.1.1.2/30
SW1
default route 0.0.0.0 -> untrust gateway -> 1.1.1.2
SW2
default route 0.0.0.0 -> untrust gateway -> 1.1.1.1
Now, the networks behind each firewall should be different:
SW1 local trust 1.10.1.1/24
SW2 local trust 1.20.1.1/24
Policies should show:
SW1 trust to untrust (bidirectional, so traffic is in and out)
1.10.1.0/24 <-> 1.20.1.0/24
SW2
1.20.1.0/24 <-> 1.10.1.0/24
----------------
Your Phase 1 policy should have NAT traversal enabled if your boxes are set up with NAT.
Make sure the Phase 1 and Phase 2 policies are using the same protocols.
It's just basic, but it should work for any nailed-up IPsec VPN.
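Two points in this thread are worth turning into a check you can run against your own policy definitions: the diagnosis that 10.0.0.0/24 and 10.0.0.5/24 are one subnet (so a ping to the "other side" is answered locally and never becomes the interesting traffic that brings the SA up, which is why the VPN log stayed empty), and the checklist in the example above (default routes pointing at the peer's WAN, mirrored local/destination networks, matching Phase 1 and Phase 2 proposals). The script below is an added example, not code from the thread or from SonicWall; the VpnSide fields and the proposal tuples are this example's own modelling, and the sample values are constructed from the addresses posted above.

```python
"""Sanity-check both ends of a site-to-site IPsec policy.

Added example (not from the original thread). It models two things the
replies hinge on: the SA only negotiates when a packet matches the policy's
local/destination networks, and the two ends must mirror each other.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VpnSide:
    """One end of a tunnel. Field names are this example's own, not SonicWall's."""
    name: str
    wan_ip: str        # this firewall's untrust/WAN address
    lan: str           # local (trust) network, e.g. "10.0.0.0/24"
    gateway: str       # peer WAN address configured in the SA
    remote_lan: str    # destination network configured in the SA
    phase1: tuple      # (dh_group, encryption, hash) as configured
    phase2: tuple      # (encryption, hash, pfs_group) as configured


def classify_traffic(side: VpnSide, src: str, dst: str) -> str:
    """Where a packet from src to dst goes when it leaves this side's LAN.

    'local'  -> dst is inside the local subnet: the host ARPs for it and the
                firewall never routes it, so the SA is never triggered and
                nothing shows up in the VPN log.
    'vpn'    -> src/dst match the policy's local/destination networks; this is
                the interesting traffic that starts Phase 1 and Phase 2.
    'routed' -> anything else follows the default route, unencrypted.
    """
    lan = ip_network(side.lan, strict=False)
    remote = ip_network(side.remote_lan, strict=False)
    s, d = ip_address(src), ip_address(dst)
    if d in lan:
        return "local"
    if s in lan and d in remote:
        return "vpn"
    return "routed"


def check_pair(a: VpnSide, b: VpnSide) -> list[str]:
    """Consistency findings for the two ends of one tunnel; empty means OK."""
    findings = []
    a_lan = ip_network(a.lan, strict=False)   # strict=False: "10.0.0.5/24" -> 10.0.0.0/24
    b_lan = ip_network(b.lan, strict=False)
    if a_lan.overlaps(b_lan):
        findings.append(f"LAN subnets overlap: {a.name} {a_lan} vs {b.name} {b_lan}")
    for side, peer in ((a, b), (b, a)):
        if ip_address(side.gateway) != ip_address(peer.wan_ip):
            findings.append(f"{side.name}: gateway {side.gateway} is not "
                            f"{peer.name}'s WAN {peer.wan_ip}")
        if ip_network(side.remote_lan, strict=False) != ip_network(peer.lan, strict=False):
            findings.append(f"{side.name}: destination network {side.remote_lan} "
                            f"does not mirror {peer.name}'s LAN {peer.lan}")
    if a.phase1 != b.phase1:
        findings.append(f"Phase 1 proposals differ: {a.phase1} vs {b.phase1}")
    if a.phase2 != b.phase2:
        findings.append(f"Phase 2 proposals differ: {a.phase2} vs {b.phase2}")
    return findings


# Constructed sample proposals; the thread never states the real ones.
P1 = ("group2", "3des", "sha1")
P2 = ("3des", "sha1", "group2")

# The asker's configuration as first posted (10.0.0.0/24 and 10.0.0.5/24).
TYPO_A = VpnSide("SW1", "1.1.1.1", "10.0.0.0/24", "1.1.1.2", "10.0.0.5/24", P1, P2)
TYPO_B = VpnSide("SW2", "1.1.1.2", "10.0.0.5/24", "1.1.1.1", "10.0.0.0/24", P1, P2)

# The same pair after the typo was corrected to 10.0.5.0/24.
FIXED_A = VpnSide("SW1", "1.1.1.1", "10.0.0.0/24", "1.1.1.2", "10.0.5.0/24", P1, P2)
FIXED_B = VpnSide("SW2", "1.1.1.2", "10.0.5.0/24", "1.1.1.1", "10.0.0.0/24", P1, P2)

# The /30 example posted above (1.10.1.0/24 <-> 1.20.1.0/24).
EX_SW1 = VpnSide("SW1", "1.1.1.1", "1.10.1.1/24", "1.1.1.2", "1.20.1.0/24", P1, P2)
EX_SW2 = VpnSide("SW2", "1.1.1.2", "1.20.1.1/24", "1.1.1.1", "1.10.1.0/24", P1, P2)

if __name__ == "__main__":
    for label, pair in (("as posted", (TYPO_A, TYPO_B)),
                        ("corrected", (FIXED_A, FIXED_B)),
                        ("/30 example", (EX_SW1, EX_SW2))):
        print(f"{label}: {check_pair(*pair) or 'consistent'}")
    print(classify_traffic(TYPO_A, "10.0.0.10", "10.0.0.20"))   # local: SA never triggered
    print(classify_traffic(FIXED_A, "10.0.0.10", "10.0.5.20"))  # vpn
```

Run it as-is to see the overlap reported for the configuration as first posted and "consistent" for the corrected pair and for the /30 example; then substitute your own addresses. The `classify_traffic` call is the quick way to confirm that the ping you are using to test the tunnel actually matches the policy rather than being answered on the local segment.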