VPN site to site Sonicwall to Draytek

Posted on 2013-01-31
Medium Priority
Last Modified: 2013-02-05
Have a SonicWall NSA240 at our Head office and a Draytek 2830 at a branch office

Please offer a simple guide to configure a site to site vpn between these two routers?

Our branch office does not have a static public IP, however it does have a dyndns address.

Thanks for any help you can offer
Question by:antonioking

Accepted Solution

ArneLovius earned 2000 total points
ID: 38843054

Expert Comment

by:Fred Marshall
ID: 38844013
The SonicWall:

First thing I would do is to determine if the SonicWall will accept a URL instead of an IP address for the remote end in the VPN setup.  I don't know that I've seen a VPN setup that *would* but the manual in the link above says you can enter the "host name" OR IP address on page 891.  I'm not sure what they mean by "host name" but at least it's encouraging.
If it won't take a URL to hit your dyndns then you likely need a static IP at the remote end.

Setting up a VPN (particularly the first time) requires a great degree of patience and persistence.  So just be prepared for that.

You will want to have access to both the SonicWall and the Draytek at the same time.  If you were doing this from scratch you could have them in the same room with a couple of computers (one each) and work until you have a VPN that connects.

Just as convenient is to have a workstation at each site that can access their respective VPN devices.  Then you remote into both of them at once and work on the VPN setup until it's working.  

(Doing a VPN without access to both ends at the same time would be too horrible for me to imagine.  So don't even think about it.)

You must have different subnet address ranges at each end.  Do you?  If not then you will want to change one of them.

You must have routing such that packets going from one subnet to the other won't be dropped by your gateway.  In this case the SonicWall and Draytek are probably your internet gateways anyway, right?  In that case you probably don't need to worry about this.

If either the SonicWall or the Draytek isn't the site's internet gateway then you need to do 2 things:
1) have a route in the gateway that routes remote-site packets to the local LAN IP address of the VPN device.
2) turn off SYN packet checking at the gateway so return packets going back to the remote site aren't dropped (some routers do this and others don't).  This arises because packets coming IN from the remote site don't go through the gateway at all... just out onto the wire.  Then, the return packets hit the gateway and it doesn't have a context for them and they are dropped.

Well, these are perhaps "step 2" kinds of things but you can save a lot of headaches if you know about them up front.

I would start by setting up the simplest possible VPN using a very simple pass key (to avoid typos that will drive ya nuts).   You will need to have the SAME settings at both ends and with two different brands of device it will be more challenging.  Peruse the settings on both boxes. Write down the settings you will use that will match - depending on what those boxes offer.  They are probably pretty much similar if not the same - but this is a place to be very methodical.

I see on the SonicWall you have to use IPSEC if the manufacturer of the remote box is not SonicWall.  Little things like that.........

If you figure that 10 tries before success is likely then you won't get too frustrated I hope.

Author Comment

ID: 38846623
I've followed guides on the draytek site and not had any success.
Site1 is the head office, the network ip is
Site2 is the branch office, the network ip is

1. Common Settings
Profile name: Site1
Enable this profile: ticked
Call direction: Dial out

2. Dial out settings
Type of Server I am calling:
IPSEC tunnel
IKE Authentication Method: Pre-Shared Key: sharedsecret
IPsec Security Method: High(ESP)
IKE phase 1 mode:  Main mode
IKE phase 1 proposal: Auto
IKE phase 2 proposal: DES_SHA1
IKE phase 1 key lifetime: 28800
IKE phase 2 key lifetime: 3600
Perfect Forward Secret: Disable
Local ID: Site2

5. TCP/IP Network Settings
Remote Network IP:
Remote Network Mask:
Local Network IP:
Local Network Mask:

Authentication Method:
IKE using preshared secret
Name: Site2
IPsec Primary Gateway Name or Address: Site2's IP
Shared Secret: sharedsecret
Local IKE ID: IP address
Peer IKE ID: IP address

Choose local network from list: "LAN Subnets"
Choose destination network from list: "Site2 Local LAN"

IKE (Phase 1) Proposal
 Main Mode
DH Group:  Group 1
Encryption:  DES
Authentication: SHA1
Life Time (seconds): 28800

Ipsec (Phase 2) Proposal
Encryption: DES
Authentication: SHA1
Enable Perfect Forward Secrecy: unticked
Life Time (seconds): 3600

Any suggestions on what's wrong here?
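
An added example, not part of the thread: it transcribes the two policies the author posted into one normalised form and checks them against each other, which is the "write down the settings that will match" step Fred Marshall describes. The transcription is assumed from the post above; Draytek's "Auto" phase 1 proposal is treated as a wildcard, and the checker also flags algorithms (DES, SHA1, DH Group 1) that are no longer acceptable on a new tunnel.

```python
# Added example (not from the original thread): a mismatch checker for the
# two IPsec policies posted above. Each side is a normalised dict; Draytek's
# combined names like "DES_SHA1" are split, and "Auto" becomes a wildcard
# because the Draytek offers several proposals and accepts the peer's pick.

WEAK = {"DES", "SHA1", "group1"}  # deprecated choices for IKE/IPsec today


def parse_draytek_proposal(value):
    """'DES_SHA1' -> ('DES', 'SHA1'); 'Auto' -> (None, None) wildcard."""
    if value.strip().lower() == "auto":
        return (None, None)
    enc, auth = value.split("_", 1)
    return (enc.upper(), auth.upper())


# Constructed from the author's post: Draytek 2830 LAN-to-LAN dial-out profile
DRAYTEK = {
    "p1_mode": "main",
    "p1": parse_draytek_proposal("Auto"),
    "p2": parse_draytek_proposal("DES_SHA1"),
    "p1_life": 28800, "p2_life": 3600,
    "pfs": False, "auth": "psk",
}
# Constructed from the author's post: SonicWall NSA240 VPN policy
SONICWALL = {
    "p1_mode": "main",
    "p1_dh": "group1",
    "p1": ("DES", "SHA1"),
    "p2": ("DES", "SHA1"),
    "p1_life": 28800, "p2_life": 3600,
    "pfs": False, "auth": "psk",
}


def compare_policies(a, b):
    """Return human-readable mismatches for settings both sides expose."""
    problems = []
    for key in sorted(set(a) & set(b)):  # a key only one UI has is skipped
        va, vb = a[key], b[key]
        if isinstance(va, tuple):  # (encryption, authentication) pair
            # None in a slot is the Draytek "Auto" wildcard and matches anything
            if any(x is not None and y is not None and x != y
                   for x, y in zip(va, vb)):
                problems.append(f"{key}: {va} vs {vb}")
        elif va != vb:
            problems.append(f"{key}: {va} vs {vb}")
    return problems


def weak_settings(policy):
    """List algorithm choices in a policy that a defender should replace."""
    found = set()
    for v in policy.values():
        for item in (v if isinstance(v, tuple) else (v,)):
            if isinstance(item, str) and item in WEAK:
                found.add(item)
    return sorted(found)
```

For the two policies as posted the checker reports no mismatch, which is consistent with the closing comment that the real gap was elsewhere (the Draytek Dial-In settings), while both sides are flagged for DES/SHA1 and the SonicWall additionally for DH Group 1.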

Author Closing Comment

ID: 38855123
That guide was useful, however it omitted the fact that Dial-in settings need to be filled in too.
