Solved

VPN site to site Sonicwall to Draytek

Posted on 2013-01-31
Last Modified: 2013-02-05
Have a SonicWall NSA240 at our Head office and a Draytek 2830 at a branch office


Please offer a simple guide to configure a site to site vpn between these two routers?

Our branch office does not have a static public IP, however it does have a dyndns address.

Thanks for any help you can offer
Question by:antonioking
4 Comments
 
LVL 37

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38843054
LVL 26

Expert Comment

by:Fred Marshall
ID: 38844013
The SonicWall:
http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=530

First thing I would do is to determine if the SonicWall will accept a URL instead of an IP address for the remote end in the VPN setup.  I don't know that I've seen a VPN setup that *would* but the manual in the link above says you can enter the "host name" OR IP address on page 891.  I'm not sure what they mean by "host name" but at least it's encouraging.
If it won't take a URL to hit your dyndns then you likely need a static IP at the remote end.

Setting up a VPN (particularly the first time) requires a great degree of patience and persistence.  So just be prepared for that.

You will want to have access to both the SonicWall and the Draytek at the same time.  If you were doing this from scratch you could have them in the same room with a couple of computers (one each) and work until you have a VPN that connects.

Just as convenient is to have a workstation at each site that can access their respective VPN devices.  Then you remote into both of them at once and work on the VPN setup until it's working.  

(Doing a VPN without access to both ends at the same time would be too horrible for me to imagine.  So don't even think about it.)

You must have different subnet address ranges at each end.  Do you?  If not then you will want to change one of them.

You must have routing such that packets going from one subnet to the other won't be dropped by your gateway.  In this case the SonicWall and Draytek are probably your internet gateways anyway, right?  In that case you probably don't need to worry about this.

If either the SonicWall or the Draytek isn't the site's internet gateway then you need to do 2 things:
1) have a route in the gateway that routes remote-site packets to the local LAN IP address of the VPN device.
2) turn off SYN packet checking at the gateway so return packets going back to the remote site aren't dropped (some routers do this and others don't).  This arises because packets coming IN from the remote site don't go through the gateway at all .. just out onto the wire.  Then, the return packets hit the gateway and it doesn't have a context for them and they are dropped.

Well, these are perhaps "step 2" kinds of things but you can save a lot of headaches if you know about them up front.

I would start by setting up the simplest possible VPN using a very simple pass key (to avoid typos that will drive ya nuts).   You will need to have the SAME settings at both ends and with two different brands of device it will be more challenging.  Peruse the settings on both boxes. Write down the settings you will use that will match - depending on what those boxes offer.  They are probably pretty much similar if not the same - but this is a place to be very methodical.

I see on the SonicWall you have to use IPSEC if the manufacturer of the remote box is not SonicWall.  Little things like that.........

If you figure that 10 tries before success is likely then you won't get too frustrated I hope.
Author Comment

by:antonioking
ID: 38846623
I've followed guides on the draytek site and not had any success.
Site1 is the head office, the network ip is 192.168.58.0/24
Site2 is the branch office, the network ip is 192.168.56.0/24

DRAYTEK SETTINGS:
1. Common Settings
Profile name: Site1
Enable this profile: ticked
Call direction: Dial out

2. Dial out settings
Type of Server I am calling: IPSEC tunnel
IKE Authentication Method: Pre-Shared Key: sharedsecret
IPsec Security Method: High(ESP)
IKE phase 1 mode: Main mode
IKE phase 1 proposal: Auto
IKE phase 2 proposal: DES_SHA1
IKE phase 1 key lifetime: 28800
IKE phase 2 key lifetime: 3600
Perfect Forward Secret: Disable
Local ID: Site2

5. TCP/IP Network Settings
Remote Network IP: 192.168.58.0
Remote Network Mask: 255.255.255.0
Local Network IP: 192.168.56.0
Local Network Mask: 255.255.255.0

SONICWALL SETTINGS
Authentication Method: IKE using preshared secret
Name: Site2
IPsec Primary Gateway Name or Address: Site2's IP
Shared Secret: sharedsecret
Local IKE ID: IP address
Peer IKE ID: IP address

Choose local network from list: "LAN Subnets"
Choose destination network from list: "Site2 Local LAN"

IKE (Phase 1) Proposal
Exchange: Main Mode
DH Group: Group 1
Encryption: DES
Authentication: SHA1
Life Time (seconds): 28800

IPsec (Phase 2) Proposal
Protocol: ESP
Encryption: DES
Authentication: SHA1
Enable Perfect Forward Secrecy: unticked
Life Time (seconds): 3600

Any suggestions on what's wrong here?
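Since the two configuration dumps in the comment above have to agree field by field, here is a small checker, added here and not part of the thread or of either vendor's tooling, that holds the posted settings as hand-normalised dictionaries (the key names are mine) and reports what would keep the tunnel from coming up; the `peer_has_static_ip` flag comes from the question's dyndns remark and `dial_in_filled` from the fix reported in the closing comment.

```python
# Added example: a checker for the two configuration dumps posted in the thread.
# Values are antonioking's settings, normalised into dictionaries by hand.
# "auto" marks a field the Draytek negotiates rather than fixes.
DRAYTEK = {  # Draytek 2830 "Dial out" profile as posted
    "p1_mode": "main", "auth": "psk", "p1_enc": "auto", "p1_hash": "auto",
    "p1_dh": "auto", "p1_life": 28800, "p2_proto": "esp", "p2_enc": "des",
    "p2_hash": "sha1", "p2_life": 3600, "pfs": False, "local_id": "Site2",
    "peer_has_static_ip": False,  # branch office is on dyndns, per the question
    "dial_in_filled": False,      # the closing comment says this was the actual fix
}
SONICWALL = {  # SonicWall NSA240 policy as posted
    "p1_mode": "main", "auth": "psk", "p1_enc": "des", "p1_hash": "sha1",
    "p1_dh": "group1", "p1_life": 28800, "p2_proto": "esp", "p2_enc": "des",
    "p2_hash": "sha1", "p2_life": 3600, "pfs": False, "peer_id_type": "ip",
}

NEGOTIATED = ("p1_mode", "auth", "p1_enc", "p1_hash", "p1_dh", "p1_life",
              "p2_proto", "p2_enc", "p2_hash", "p2_life", "pfs")


def check_tunnel(initiator, responder):
    """Return a list of problems; an empty list means the proposals line up."""
    problems = []
    # Every phase 1 / phase 2 parameter must agree unless one side negotiates it.
    for key in NEGOTIATED:
        a, b = initiator[key], responder[key]
        if "auto" not in (a, b) and a != b:
            problems.append(f"{key}: initiator={a!r} responder={b!r}")
    # Main mode with a pre-shared key selects the key by the peer's IP address,
    # so a responder expecting an IP-type peer ID cannot match a dial-out peer
    # on a dynamic address that identifies itself by name.
    if (initiator["p1_mode"] == "main" and initiator["auth"] == "psk"
            and not initiator["peer_has_static_ip"]
            and responder.get("peer_id_type") == "ip"):
        problems.append("peer ID: responder expects an IP ID, but the dial-out side "
                        f"has a dynamic address and identifies as {initiator['local_id']!r}")
    # Per the thread's closing comment, the Draytek's Dial-in settings must be filled in too.
    if not initiator.get("dial_in_filled", True):
        problems.append("Draytek Dial-in settings not filled in")
    # Single DES is long broken; flag it on either side even when both agree on it.
    for side, cfg in (("initiator", initiator), ("responder", responder)):
        if "des" in (cfg["p1_enc"], cfg["p2_enc"]):
            problems.append(f"{side}: single DES selected; use AES")
    return problems


if __name__ == "__main__":
    for p in check_tunnel(DRAYTEK, SONICWALL):
        print("-", p)
```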
Author Closing Comment

by:antonioking
ID: 38855123
That guide was useful, however it omitted the fact that Dial-in settings need to be filled in too.