
VPN site to site Sonicwall to Draytek

We have a SonicWall NSA240 at our head office and a Draytek 2830 at a branch office.

Could you offer a simple guide to configuring a site-to-site VPN between these two routers?

Our branch office does not have a static public IP; however, it does have a DynDNS address.

Thanks for any help you can offer
1 Solution
Fred Marshall (Principal) commented:
The SonicWall:

First thing I would do is to determine if the SonicWall will accept a URL instead of an IP address for the remote end in the VPN setup. I don't know that I've seen a VPN setup that *would*, but the manual in the link above says you can enter the "host name" OR IP address on page 891. I'm not sure what they mean by "host name", but at least it's encouraging.
If it won't take a URL to hit your DynDNS name, then you likely need a static IP at the remote end.

Setting up a VPN (particularly the first time) requires a great degree of patience and persistence.  So just be prepared for that.

You will want to have access to both the SonicWall and the Draytek at the same time.  If you were doing this from scratch you could have them in the same room with a couple of computers (one each) and work until you have a VPN that connects.

Just as convenient is to have a workstation at each site that can access their respective VPN devices.  Then you remote into both of them at once and work on the VPN setup until it's working.  

(Doing a VPN without access to both ends at the same time would be too horrible for me to imagine.  So don't even think about it.)

You must have different subnet address ranges at each end.  Do you?  If not then you will want to change one of them.

You must have routing such that packets going from one subnet to the other won't be dropped by your gateway.  In this case the SonicWall and Draytek are probably your internet gateways anyway, right?  In that case you probably don't need to worry about this.

If either the SonicWall or the Draytek isn't the site's internet gateway then you need to do 2 things:
1) have a route in the gateway that routes remote-site packets to the local LAN IP address of the VPN device.
2) turn off SYN packet checking at the gateway so return packets going back to the remote site aren't dropped (some routers do this and others don't). This arises because packets coming IN from the remote site don't go through the gateway at all, just out onto the wire. Then the return packets hit the gateway, it doesn't have a context for them, and they are dropped.

Well, these are perhaps "step 2" kinds of things but you can save a lot of headaches if you know about them up front.

I would start by setting up the simplest possible VPN using a very simple pass key (to avoid typos that will drive ya nuts).   You will need to have the SAME settings at both ends and with two different brands of device it will be more challenging.  Peruse the settings on both boxes. Write down the settings you will use that will match - depending on what those boxes offer.  They are probably pretty much similar if not the same - but this is a place to be very methodical.

I see on the SonicWall you have to use IPSEC if the manufacturer of the remote box is not SonicWall. Little things like that...

If you figure that 10 tries before success is likely then you won't get too frustrated I hope.
antonioking (Author) commented:
I've followed guides on the draytek site and not had any success.
Site1 is the head office, the network ip is
Site2 is the branch office, the network ip is

Draytek (branch office):

1. Common Settings
Profile name: Site1
Enable this profile: ticked
Call direction: Dial out

2. Dial out settings
Type of Server I am calling: IPSEC tunnel
IKE Authentication Method: Pre-Shared Key: sharedsecret
IPsec Security Method: High(ESP)
IKE phase 1 mode:  Main mode
IKE phase 1 proposal: Auto
IKE phase 2 proposal: DES_SHA1
IKE phase 1 key lifetime: 28800
IKE phase 2 key lifetime: 3600
Perfect Forward Secret: Disable
Local ID: Site2

5. TCP/IP Network Settings
Remote Network IP:
Remote Network Mask:
Local Network IP:
Local Network Mask:

SonicWall (head office):

Authentication Method: IKE using preshared secret
Name: Site2
IPsec Primary Gateway Name or Address: Site2's IP
Shared Secret: sharedsecret
Local IKE ID: IP address
Peer IKE ID: IP address

Choose local network from list: "LAN Subnets"
Choose destination network from list: "Site2 Local LAN"

IKE (Phase 1) Proposal
Main Mode
DH Group: Group 1
Encryption: DES
Authentication: SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal
Encryption: DES
Authentication: SHA1
Enable Perfect Forward Secrecy: unticked
Life Time (seconds): 3600

Any suggestions on what's wrong here?
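The side-by-side settings above are exactly the checklist Fred's answer recommends writing down before dialling. As an added example that is not part of the original thread, the following Python script encodes both ends from the values posted above (the subnets and the tunnel name strings are hypothetical placeholders, since the post leaves the network addresses blank; the pre-shared key is the one posted), normalises each vendor's spelling of the same parameter ("Group 1" vs "1", "unticked" vs "Disable", the Draytek's "Auto" wildcard), reports any phase 1 or phase 2 mismatch, checks that each end's local subnet is the other's remote subnet and that the two do not overlap, and separately flags choices that still negotiate fine but are weak by current standards (DES, SHA1, DH group 1, PFS off):

```python
"""Offline consistency check of the two ends of a site-to-site IPsec tunnel.
Added example, not from the original thread: the endpoint records are built
from the Draytek and SonicWall values posted above; subnets are placeholders."""
import hmac
import ipaddress

# Parameters that must agree on both ends for IKE phase 1 and IPsec phase 2.
PHASE1_KEYS = ("mode", "dh_group", "encryption", "authentication", "lifetime")
PHASE2_KEYS = ("encryption", "authentication", "pfs", "lifetime")

# Choices these boxes still offer that are weak by current standards.
WEAK = {
    "encryption": {"des": "56-bit key", "3des": "64-bit block (Sweet32)"},
    "authentication": {"md5": "collision attacks", "sha1": "deprecated; prefer SHA-256"},
    "dh_group": {"1": "768-bit MODP", "2": "1024-bit MODP"},
}


def normalize(key, value):
    """Map vendor spellings onto one vocabulary; None means 'Auto' (accept peer's offer)."""
    v = str(value).strip().lower()
    if v == "auto":
        return None
    if key == "dh_group":
        return v.replace("group", "").replace("dh", "").strip()
    if key == "mode":
        return v.replace(" mode", "")
    if key == "pfs":
        return v in ("enable", "enabled", "ticked", "on", "yes", "true")
    if key == "lifetime":
        return int(v)
    return v


def compare_phase(a, b, keys):
    """Return (key, a_value, b_value) for every parameter the two ends disagree on."""
    mismatches = []
    for key in keys:
        va, vb = normalize(key, a[key]), normalize(key, b[key])
        if va is not None and vb is not None and va != vb:  # 'Auto' never mismatches
            mismatches.append((key, a[key], b[key]))
    return mismatches


def weak_settings(end):
    """List (phase, key, value, reason) for weak choices on one end, even if they match."""
    findings = []
    for phase in ("phase1", "phase2"):
        for key, value in end[phase].items():
            v = normalize(key, value)
            if key in WEAK and v is not None and v in WEAK[key]:
                findings.append((phase, key, value, WEAK[key][v]))
            elif key == "pfs" and v is False:
                findings.append((phase, key, value, "phase 2 keys not independent of phase 1"))
    return findings


def check_networks(a, b):
    """Each end's local subnet must be the other's remote subnet, and they must not overlap."""
    la, ra = ipaddress.ip_network(a["local_net"]), ipaddress.ip_network(a["remote_net"])
    lb, rb = ipaddress.ip_network(b["local_net"]), ipaddress.ip_network(b["remote_net"])
    problems = []
    if la != rb:
        problems.append(f"{a['name']} local {la} is not {b['name']} remote {rb}")
    if lb != ra:
        problems.append(f"{b['name']} local {lb} is not {a['name']} remote {ra}")
    if la.overlaps(lb):
        problems.append(f"local subnets {la} and {lb} overlap; renumber one site")
    return problems


def check_tunnel(a, b):
    """Report mismatches per phase, network problems, PSK agreement and weak choices."""
    report = {
        "phase1": compare_phase(a["phase1"], b["phase1"], PHASE1_KEYS),
        "phase2": compare_phase(a["phase2"], b["phase2"], PHASE2_KEYS),
        "networks": check_networks(a, b),
        "psk_match": hmac.compare_digest(a["psk"].encode(), b["psk"].encode()),
        "weak": weak_settings(a) + weak_settings(b),
    }
    report["negotiable"] = (report["psk_match"] and not report["phase1"]
                            and not report["phase2"] and not report["networks"])
    return report


# Constructed from the posted settings; subnets are hypothetical placeholders.
DRAYTEK = {
    "name": "Draytek 2830 (branch, Site2)", "psk": "sharedsecret",
    "local_net": "192.168.2.0/24", "remote_net": "192.168.1.0/24",
    "phase1": {"mode": "Main mode", "dh_group": "Auto", "encryption": "Auto",
               "authentication": "Auto", "lifetime": 28800},
    "phase2": {"encryption": "DES", "authentication": "SHA1", "pfs": "Disable", "lifetime": 3600},
}
SONICWALL = {
    "name": "SonicWall NSA240 (head office, Site1)", "psk": "sharedsecret",
    "local_net": "192.168.1.0/24", "remote_net": "192.168.2.0/24",
    "phase1": {"mode": "Main Mode", "dh_group": "Group 1", "encryption": "DES",
               "authentication": "SHA1", "lifetime": 28800},
    "phase2": {"encryption": "DES", "authentication": "SHA1", "pfs": "unticked", "lifetime": 3600},
}

if __name__ == "__main__":
    for section, items in check_tunnel(DRAYTEK, SONICWALL).items():
        print(section, items)
```

Run as-is, the posted parameters come out as negotiable (no phase or network mismatch, PSK identical), while the weak-settings list shows that every algorithm both boxes agreed on is one a current deployment should replace; the check is purely offline and says nothing about whether the SonicWall will accept the branch's DynDNS hostname, which is the separate question Fred raises.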
antonioking (Author) commented:
That guide was useful; however, it omitted the fact that the Dial-in settings need to be filled in too.