Solved

VPN site to site Sonicwall to Draytek

Posted on 2013-01-31
4
2,306 Views
Last Modified: 2013-02-05
Have a SonicWall NSA240 at our head office and a Draytek 2830 at a branch office.


Please offer a simple guide to configuring a site-to-site VPN between these two routers.

Our branch office does not have a static public IP; however, it does have a dyndns address.

Thanks for any help you can offer
Question by: antonioking

4 Comments
 
LVL 36

Accepted Solution

by: ArneLovius earned 500 total points
 
LVL 25

Expert Comment

by: Fred Marshall
The SonicWall:
http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=530

First thing I would do is to determine if the SonicWall will accept a URL instead of an IP address for the remote end in the VPN setup.  I don't know that I've seen a VPN setup that *would*, but the manual in the link above says you can enter the "host name" OR IP address on page 891.  I'm not sure what they mean by "host name", but at least it's encouraging.
If it won't take a URL to hit your dyndns then you likely need a static IP at the remote end.

Setting up a VPN (particularly the first time) requires a great degree of patience and persistence.  So just be prepared for that.

You will want to have access to both the SonicWall and the Draytek at the same time.  If you were doing this from scratch you could have them in the same room with a couple of computers (one each) and work until you have a VPN that connects.

Just as convenient is to have a workstation at each site that can access their respective VPN devices.  Then you remote into both of them at once and work on the VPN setup until it's working.  

(Doing a VPN without access to both ends at the same time would be too horrible for me to imagine.  So don't even think about it.)

You must have different subnet address ranges at each end.  Do you?  If not then you will want to change one of them.

You must have routing such that packets going from one subnet to the other won't be dropped by your gateway.  In this case the SonicWall and Draytek are probably your internet gateways anyway, right?  In that case you probably don't need to worry about this.

If either the SonicWall or the Draytek isn't the site's internet gateway then you need to do 2 things:
1) have a route in the gateway that routes remote-site packets to the local LAN IP address of the VPN device.
2) turn off SYN packet checking at the gateway so return packets going back to the remote site aren't dropped (some routers do this and others don't).  This arises because packets coming IN from the remote site don't go through the gateway at all; they just go out onto the wire.  Then the return packets hit the gateway, it doesn't have a context for them, and they are dropped.

Well, these are perhaps "step 2" kinds of things but you can save a lot of headaches if you know about them up front.

I would start by setting up the simplest possible VPN using a very simple pass key (to avoid typos that will drive ya nuts).   You will need to have the SAME settings at both ends and with two different brands of device it will be more challenging.  Peruse the settings on both boxes. Write down the settings you will use that will match - depending on what those boxes offer.  They are probably pretty much similar if not the same - but this is a place to be very methodical.

I see on the SonicWall you have to use IPsec if the manufacturer of the remote box is not SonicWall.  Little things like that...

If you figure that 10 tries before success is likely then you won't get too frustrated I hope.
 

Author Comment

by: antonioking
I've followed guides on the Draytek site and not had any success.
Site1 is the head office, the network ip is 192.168.58.0/24
Site2 is the branch office, the network ip is 192.168.56.0/24

DRAYTEK SETTINGS:
1. Common Settings
Profile name: Site1
Enable this profile: ticked
Call direction: Dial out

2. Dial out settings
Type of Server I am calling: IPSEC tunnel
IKE Authentication Method: Pre-Shared Key: sharedsecret
IPsec Security Method: High(ESP)
IKE phase 1 mode: Main mode
IKE phase 1 proposal: Auto
IKE phase 2 proposal: DES_SHA1
IKE phase 1 key lifetime: 28800
IKE phase 2 key lifetime: 3600
Perfect Forward Secret: Disable
Local ID: Site2

5. TCP/IP Network Settings
Remote Network IP: 192.168.58.0
Remote Network Mask: 255.255.255.0
Local Network IP: 192.168.56.0
Local Network Mask: 255.255.255.0

SONICWALL SETTINGS
Authentication Method: IKE using preshared secret
Name: Site2
IPsec Primary Gateway Name or Address: Site2's IP
Shared Secret: sharedsecret
Local IKE ID: IP address
Peer IKE ID: IP address

Choose local network from list: "LAN Subnets"
Choose destination network from list: "Site2 Local LAN"

IKE (Phase 1) Proposal
Exchange: Main Mode
DH Group: Group 1
Encryption: DES
Authentication: SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal
Protocol: ESP
Encryption: DES
Authentication: SHA1
Enable Perfect Forward Secrecy: unticked
Life Time (seconds): 3600

Any suggestions on what's wrong here?
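Fred Marshall's advice above (non-overlapping subnets, identical settings at both ends) and the two configurations posted by the author are the kind of thing that is easier to check mechanically than by eye, especially across two vendors' UIs. The script below is an added example, not code from the thread, from DrayTek or from SonicWall. It transcribes the posted settings into two records and runs four checks over them: the subnets are distinct and each side's "remote" is the other's LAN; the phase 1 and phase 2 parameters can actually be agreed; nothing weak is being agreed (DES is a 56-bit cipher and DH group 1 is the 768-bit MODP group); and the IKE identities are consistent with one end having a dynamic address. Two values are assumptions because the post does not state them: DrayTek's phase 1 "Auto" is modelled as accepting whatever the peer offers, and the DrayTek's expected remote ID type is set to IP. The findings are candidates to look at with the devices' IKE logs, not a diagnosis; the author's own closing comment names the missing Dial-in settings as the actual cause.

```python
"""Consistency and strength checks for a two-vendor IKEv1 tunnel (added example; assumptions marked inline)."""
import ipaddress
from dataclasses import dataclass

ANY = frozenset({"ANY"})  # assumption: DrayTek phase 1 "Auto" accepts whatever the peer offers
WEAK_ENC, WEAK_DH = {"DES"}, {1}  # DES: 56-bit key; DH group 1: 768-bit MODP

@dataclass(frozen=True)
class Proposal:
    enc: frozenset   # encryption algorithms offered/accepted
    auth: frozenset  # integrity algorithms offered/accepted
    lifetime: int    # SA lifetime, seconds

@dataclass(frozen=True)
class Peer:
    name: str
    local_net: str       # this site's LAN
    remote_net: str      # what this side believes the other LAN is
    static_ip: bool
    mode: str            # IKE phase 1 exchange: "main" or "aggressive"
    local_id_type: str   # identity this side sends: "ip" or "name"
    peer_id_type: str    # identity this side expects from the other
    dh_group: frozenset  # phase 1 DH groups
    phase1: Proposal
    phase2: Proposal
    pfs: bool

def _compatible(a, b):  # both sides can agree on at least one value
    return "ANY" in a or "ANY" in b or bool(a & b)

def check_networks(a, b):
    """Each side's 'remote' must be the other's LAN, and the LANs must not overlap."""
    out, a_lan, b_lan = [], ipaddress.ip_network(a.local_net), ipaddress.ip_network(b.local_net)
    if a_lan.overlaps(b_lan):
        out.append(f"LAN subnets overlap ({a_lan} / {b_lan}); renumber one site")
    for side, other, other_lan in ((a, b, b_lan), (b, a, a_lan)):
        if ipaddress.ip_network(side.remote_net) != other_lan:
            out.append(f"{side.name}: remote network {side.remote_net} is not {other.name}'s LAN {other_lan}")
    return out

def check_proposals(a, b):
    """Phase 1/2 algorithms must overlap; mode, lifetimes and PFS must match exactly."""
    out = []
    if a.mode != b.mode:
        out.append(f"IKE mode differs: {a.name}={a.mode}, {b.name}={b.mode}")
    if not _compatible(a.dh_group, b.dh_group):
        out.append("phase 1 DH group mismatch")
    for phase, pa, pb in (("phase 1", a.phase1, b.phase1), ("phase 2", a.phase2, b.phase2)):
        for attr in ("enc", "auth"):
            if not _compatible(getattr(pa, attr), getattr(pb, attr)):
                out.append(f"{phase} {attr} mismatch: {sorted(getattr(pa, attr))} vs {sorted(getattr(pb, attr))}")
        if pa.lifetime != pb.lifetime:
            out.append(f"{phase} lifetime differs: {pa.lifetime}s vs {pb.lifetime}s")
    if a.pfs != b.pfs:
        out.append("PFS is enabled on one side only")
    return out

def check_strength(p):
    """Flag settings that two matching configurations would accept but should not."""
    out = []
    for phase, prop in (("phase 1", p.phase1), ("phase 2", p.phase2)):
        out += [f"{p.name}: {phase} encryption {x} is weak; use AES" for x in sorted(prop.enc & WEAK_ENC)]
    out += [f"{p.name}: DH group {g} is weak; use group 14 or higher" for g in sorted(p.dh_group & WEAK_DH)]
    if not p.pfs:
        out.append(f"{p.name}: PFS disabled, so every phase 2 key derives from the phase 1 secret alone")
    return out

def check_identities(a, b):
    """ID types must agree, and a dynamic-address peer cannot be identified by its IP."""
    out = []
    for sender, receiver in ((a, b), (b, a)):
        if sender.local_id_type != receiver.peer_id_type:
            out.append(f"{receiver.name} expects peer ID type '{receiver.peer_id_type}' but "
                       f"{sender.name} sends '{sender.local_id_type}'")
        if not sender.static_ip and receiver.peer_id_type == "ip":
            out.append(f"{sender.name} has a dynamic address; {receiver.name} must identify it by name, not IP")
        if not sender.static_ip and sender.mode == "main":
            out.append(f"{sender.name} initiates main mode from a dynamic address; with a pre-shared key the responder "
                       "picks the key by source IP before IDs are exchanged, so aggressive mode or a catch-all peer is needed")
    return out

def run_checks(a, b):
    return check_networks(a, b) + check_proposals(a, b) + check_strength(a) + check_strength(b) + check_identities(a, b)

DRAYTEK = Peer(  # transcribed from the settings in the post above
    name="Site2 (DrayTek 2830)", local_net="192.168.56.0/24", remote_net="192.168.58.0/24",
    static_ip=False, mode="main", local_id_type="name",
    peer_id_type="ip",  # assumption: the post does not show the DrayTek's remote ID setting
    dh_group=ANY, phase1=Proposal(enc=ANY, auth=ANY, lifetime=28800),  # phase 1 proposal "Auto"
    phase2=Proposal(enc=frozenset({"DES"}), auth=frozenset({"SHA1"}), lifetime=3600), pfs=False)
SONICWALL = Peer(  # transcribed from the settings in the post above
    name="Site1 (SonicWall NSA240)", local_net="192.168.58.0/24", remote_net="192.168.56.0/24",
    static_ip=True, mode="main", local_id_type="ip", peer_id_type="ip", dh_group=frozenset({1}),
    phase1=Proposal(enc=frozenset({"DES"}), auth=frozenset({"SHA1"}), lifetime=28800),
    phase2=Proposal(enc=frozenset({"DES"}), auth=frozenset({"SHA1"}), lifetime=3600), pfs=False)
if __name__ == "__main__":
    print(*run_checks(DRAYTEK, SONICWALL), sep="\n")
```

Run as-is it reports nothing for the subnets or the proposals (the two posted configurations do agree on DES/SHA1 and on the lifetimes), but it flags DES and DH group 1 on both phases, PFS being off at both ends, and three identity findings: the SonicWall expects an IP-type peer ID while the DrayTek sends the name "Site2", the DrayTek's address is dynamic so matching it by IP cannot be stable, and main mode from a dynamic initiator with a pre-shared key is something most IKEv1 responders cannot serve without a catch-all entry. Once the tunnel is up, the same script with the `WEAK_*` sets extended is a cheap way to make sure a rebuilt policy does not quietly fall back to the weak settings.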
 

Author Closing Comment

by: antonioking
That guide was useful; however, it omitted the fact that the Dial-in settings need to be filled in too.
