Vpn two offices together

If I have two Sonicwall TZ-210 firewall devices, can I create a VPN tunnel that would always be open between two offices?

say I have one of the devices in office A, along with our domain server, and I have another device in office B across town, can I link the two offices together so that the people in office B can log into the domain and share files, etc....?

Thanks
redekopmfgAsked:
Who is Participating?
 
lewisgCommented:
1. When you set up your Address Objects did you use the correct network notation?
BE SURE the Network: fields end in a ZERO!
Shop Local     192.168.2.0/255.255.255.0  Network  LAN
Remote Remote  192.168.3.0/255.255.255.0  Network  VPN

Remote Local   192.168.3.0/255.255.255.0  Network  LAN
Shop Remote    192.168.2.0/255.255.255.0  Network  VPN

Open in new window


2. Do both locations have static WAN IP addresses?

3. Are you using IKE like in the video? Did you enter the same secret on both routers?

4. Other than names, IP addresses and IKE secret did you follow the video tutorial exactly?

5. Does the Ping Diagnostic on the SonicWall return a alive?

6. Does the SonicWall indicate that the tunnel is active?


Please answer all questions to proceed. It will be helpful to follow along with the video tutorial as you check these items to respond to the questions.
0
 
kmt333Commented:
Yes you can create a site-to-site VPN on the TZ-210.  you can share files, etc this way.  However, if what you're trying to do is have machines joined to the domain in Office B and logon and authenticate on a domain controller in Office A, I would not recommend that.  Depending on the office size, I would recommend a local domain controller that replicates with Office A's if you have many employees or (if you have just a few) having employees log onto their local machines and then put in their domain credentials when accessing files.

kmt
0
 
redekopmfgAuthor Commented:
Hi kmt,

why would you not recommend this?  what are the limitations?

This is going to be a temporary location with only a few users and not high use users either. so we do not want to spend bunch of money on servers and replication if we don't need to.

Thanks

Denten
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
lewisgCommented:
For temporary use by a few users you might get by with using the domain controller on the main office LAN. The issue is VPN speeds are almost always a fraction of what you are used to on a LAN. Add to that the probability that the VPN will go down. A domain controller at the remote location does a LOT to mitigate those problems.

So the simple, BE SURE you use a different network for the remote office. For example:

Main office:
192.168.1.0
255.255.255.0

Remote office:
192.168.2.0
255.255.255.0

I don't know how many times this simple problem has tripped up a newcomer to VPN configuration. It is also VERY helpful (if not required) that at least one end of the VPN have a static public IP.
0
 
kmt333Commented:
With just a few users there's no need for a local DC.  Lewis stated the issues I would have stated regarding authenticating with an offsite DC.  I would add that even with cached credentials, I've seen instances where users cannot log onto their workstations if the domain is not available, which is way more likely to occur when you're authenticating across a VPN and it is down.  For a just few users, I typically have them log onto their machines locally and then establish a PPTP VPN with the main office--you can use a variety of utilities to make this seamlessly initiate at log on.  That way if the VPN is down, they can still access their machines, the internet, etc.  You can set up Outlook to use RPC via HTTPS, so that can be used with your Exchange servers (if you have one) either with the VPN or without.  That's my two cents.  It's pretty much six of one, half dozen of another.  

kmt
0
 
shukalo83Commented:
Just get for Lan2Lan vpn. You'll learn in the process and get more confident. Make your login trust on DC last longer than, say, 24 hrs, so that users can login if your tunnel is down. (They will not be able to share files but for the most part they will be able to work. I've checked on SonicWall site. TZ200 can do it. So just make sure that you have Static IP on at least one end and go for their Site-to-Site wizard. Use IPsec if in doubt. I've seen that they have SSL and IPSec.

Post a comment here if you don't get something right.
0
 
lewisgCommented:
I'm not very familiar with SonicWall products but as shukalo83 seems to indicate their site to site VPN requires at least one static public IP. In general I tend to prefer site to site VPNs even for just a few users since other network resources such as printers work SO much better than with a client to endpoint VPN like PPTP. Support is easier also since all the remote resources are easily available from the main site.

Local logins for the remote office users is a good idea as a backup plan if the VPN has connectivity issues. Simply configuring a local user name and password that are the same as the domain credentials for that machine's user should allow the user to log on either way.

In my experience the biggest problem with domain logins over VPN is the size of the user's profile. Keeping this as small as possible is very helpful. Be sure they don't store a bunch of stuff in their "My Documents" area and keep their temp files flushed and you should be good.

I'd avoid the extra configuration issues of PPTP if possible and stick to a site to site VPN using routers you are familiar with. If you use DHCP for clients then PC configuration could be very easy.

What other network devices besides PCs and the router will be at the remote office? Printers, Credit card terminals, scanners...
0
 
redekopmfgAuthor Commented:
sorry for the delay.........many iron's in the fire!

I just got my second TZ-210 last week, and have been trying to set this up.  but I must be doing something wrong.  I have run the wizard on both devices, and both have static IP addresses, however no tunnel gets initiated.  Is there something i have to do to have this tunnel open, or should it just do it?

Thanks
0
 
lewisgCommented:
Have you looked at video tutorial V-61 Configuring Site-to-Site VPN at http://www.sonicwall.com/us/support/3653.html ?
0
 
redekopmfgAuthor Commented:
Thanks Lewisq,

that helped, quite a bit, and I now have the the tunnel open between the two sites.  

However, I still cannot get to any of the resources on our network from the remote office.

what am I missing?

Thanks
0
 
lewisgCommented:

For the purposes of this discussion we will assume you have a machine named server1 with an IP address of 192.168.22.10 on your main network that you want to access from the remote site. Be sure to use your actual names and IP addresses in the following...

The first thing to do is verify basic connectivity. Ping the IP addresses of the servers on the main network from the remote site. (start, run, type cmd, press enter, type ping 192.168.22.10, press return, you should get responses.)

Browsing over a VPN is not very usable. Try entering  \\192.168.22.10 in a Windows Explorer address box. If you are able to get to your files via IP address you can add the IP and hostname of your resources to the \windows\system32\drivers\etc\hosts file. The line you would add to hosts would look like this:

192.168.22.10       server1

Type the IP then press tab then type the server name. Save the file. It takes effect instantly, no reboot required.

Hopefully that is what you are missing...

0
 
redekopmfgAuthor Commented:
the tunnel between the two buildings is active, but i am not getting response from my pinging?

what could I be missing here?
0
 
lewisgCommented:
Possibly firewalls on the machines. Turn them off and try again.

It would be helpful to know the IP address ranges, netmasks and default gateways for both the main and remote networks.
0
 
redekopmfgAuthor Commented:
firewalls are turned off, so that is not a problem.

I am running two different IP ranges, could that be part of the problem?

192.168.2.100 - 200 at main shop
192.168.3.100 - 200 at remote office
0
 
lewisgCommented:
It's been a while!

As long as your netmasks are 255.255.255.0 then the IP ranges you posted should be fine.

Can you ping across the VPN?
0
 
redekopmfgAuthor Commented:
Ya IT HAS been awhile!!  wish I could just focus on these problems, but don't have that luxury! :(

no I cannot ping across the network?
0
 
lewisgCommented:
I'm taking your last line as a statement, a PC at the main shop cannot ping a PC at the remote office by IP address,  rather than a question.

I'm also assuming that you realize that the 192.168.0.0 network is usually a private class C network commonly divided into smaller networks with a 24 bit netmask.

So when you say:
192.168.2.100 - 200 at main shop
192.168.3.100 - 200 at remote office

I'm assuming that you really mean:
192.168.2.1 - 254 at main shop
192.168.3.1 - 254 at remote office
and both networks have a netmask of:
255.255.255.0
hopefully the routers are at:
192.168.2.1 main shop
192.168.3.1 remote office

That would be the most common setup unless you have a REAL GOOD REASON to do otherwise.
0
 
redekopmfgAuthor Commented:
Sorry for the delay....Again! :P

Yes, all your assumptions are correct above.  

The only change is that my the Addresses of the Sonicwall Firewall Routers are 2.3 and 3.3
0
 
redekopmfgAuthor Commented:
The answer to all 6 questions is Yes.
0
 
lewisgCommented:
Then you most likely have a problem with the client machines and/or servers. Check the firewalls to be sure both 192.168.2.0/255.255.255.0 and 192.168.3.0/255.255.255.0 are treated as local networks.
0
 
redekopmfgAuthor Commented:
Hi Lewsig,

Sorry for my slow response on accepting this solution.  I found the problem sometime ago, but i got tied up putting out some other fires!!

as it turns out, the problem was that I had one set of numbers reversed from question #1 above.  All is working well now.  Thanks for all your help!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.