Solved

How do I configure a Site to Site VPN between SonicWALL devices?

Posted on 2014-02-24
16
2,284 Views
Last Modified: 2014-02-27
Hello all,

I have never set up a site-to-site VPN before and some of the network requirements are unclear to me.

We currently pay for TLS connections through our ISP to connect 6 remote sites to our central site where all servers reside, and a single internet POP is shared. The TLS connections are slow and expensive. The goal is to instead have an internet POP at each site and utilize site-to-site VPNs for the LAN. Each remote site has IP phones and several workstations that need to access servers at the central site.

I have a SonicWALL NSA 2400 at the primary site with a static public IP.

I plan to put SonicWALL TZ215s at each remote site. Each site will have its own internet POP (DSL) with a static IP. The DSL router will allow me to configure DMZ host, port forwarding etc. I want DHCP to be handled by the TZ215s at each remote site.

How should I configure the VPN Policies for this to function as planned?
0
16 Comments
 
LVL 20

Expert Comment

by:carlmd
ID: 39885301
The easiest way to do this is to use the Wizard. Log in to the SonicWALL and look in the upper right-hand corner. You will see an item labeled Wizards. Click that and select VPN Wizard and follow the instructions.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886202
I followed the Wizard, and have been following along with some online tutorials. The VPN is active and shows a green dot, but I am unable to ping devices across the VPN or access any network resources.
0
 
LVL 76

Expert Comment

by:arnold
ID: 39886238
Can you post your data, excluding public IPs and the secret/preshared key?

One thing to make sure is that the locations you are linking do not use the same or overlapping IPs.

Location HQ    10.0.0.0/22
Location A     10.0.0.1/24

would be one such example.
The difficulty is that you have an existing setup with which you do not want to interfere.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39886243
If you log in to the local SonicWALL and go to VPN -> Settings, then under VPN Policies first verify that the Enable box is checked. Then click the Configure button for the tunnel, and go to the Network tab. In Local Networks you should have (Choose Local Network from List) an Address Object that includes all the local nets that will be able to go over the tunnel to the remote. Then in Remote Networks you should have an Address Object that includes all the remote LANs that are to be accessed over the tunnel.

After you do/verify that, you must do the same for the SonicWALL on the other end of the tunnel. Log into the remote SonicWALL and do the same thing: indicate the remote LANs that can access the main site over the tunnel, and what they can access.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886725
Can you excluding public IPs and secret/preshared key post your data.


[Attached screenshots: Central Site NSA 2400 (two), Remote Site TZ215 (two)]
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39886822
The issue I see is that you are mixing LOCAL NETWORKS on the two ends of the VPN.

10.10.110.0/24 should pick the local network to allow passage versus ANY.
10.10.110.0/24 has the remote defined as 10.10.120.0/24.

On the other side:

10.10.120.0/24 should also only have its local networks chosen versus all.
10.10.120.0/24 points for the local network (as the network for this tunnel) to 192.168.0.0/24. It should point to 10.10.110.0/24.

The tunnel might establish, but the traffic from the 10.10.120.0/24, even as a response, will never enter the tunnel.

Is 10.10.120.0/24 the HUB (HQ)?

You should first test/set up individual tunnels between point A and point B.
If you want a hub and spoke, HQ to each branch, or a mix: HQ to each branch and some branches will have inter-branch VPNs. And then you want to allow traffic via the VPNs such that, should one VPN drop, there are other paths to the same location via a different VPN.

Start small. Once you get this set up and functioning, the rest is a repetition.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886884
I should add that on the remote side, the DSL router LAN IP is 192.168.1.1/24 and the SonicWALL TZ215 WAN IP is 192.168.1.2/24. The DSL router is directing ports 500 and 4500 to 192.168.1.2.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886933
arnold, I am trying to implement the network paths as you suggested; I will report back soon.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39886992
The IPs in the local/remote should be mirrored between any two locations.

LAN       Site A           Site B
Local     10.10.110.0/24   10.10.120.0/24
Remote    10.10.120.0/24   10.10.110.0/24

The VPN rules are how the router determines which packets go through which mechanism: out the internet, out via the VPN, out via another connection you may have (i.e. point-to-point, etc.).

The WAN components are configured as the VPN gateway, i.e. to establish a VPN, what IP should the router initiate a connection to.

If you only have one location with a static IP, it usually will wait for an incoming connection rather than initiating an outgoing connection.

HQ: static IP
Location A: (while the IP might not have changed in the past, the provider can change it at will, i.e. if they need to move IPs, they will change the IP that is allocated)

In this case, the most consistent VPN will be initiated from location A to HQ.
Your HQ VPN should not restrict this VPN based on the current IP of Location A, since the VPN will be rejected should the location A WAN IP ever change.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39887043
That seemed to help, arnold. I can now ping between the SonicWALLs, but still no traffic between hosts or access to servers at HQ. The servers are on a different LAN at HQ: 192.168.0.0/24

sonicwall at HQ can ping sonicwall at A
sonicwall at A can ping sonicwall at HQ
Host at A can ping sonicwall at HQ
Host at HQ cannot ping sonicwall at A
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39887641
The difficulty you may have deals with the existing routing table on the SonicWALL.
The TLS solution you have might include a routing rule on the SonicWALLs if that is where the connections terminate.

You may have an ACL on the SonicWALL not to respond to pings from outside the LAN or WAN block.

I.e. a ping from 192.168.x.x or 10.10.110.0/24 will be returned on the local SonicWALL, but the remote location has an IP of 10.10.120.0/24 to which the SonicWALL either does not respond, or responds and that packet goes out the other path.

Back to VPNs: if you need access to multiple IP segments via the tunnel, you would need to replace the remote VPN IP segment with a group of IP segments, i.e.
HQ_group
192.168.1.0/24
10.10.110.0/24
10.10.130.0/24

So you would, as part of the local/remote groups, use custom rules where each has the IP segments that you need accessed.

A more advanced solution that does not require these static changes is to configure routing over the VPN.

The interface seems older, but the information may clear up/illustrate what I am trying to put forward.

http://www.sonicwall.com/downloads/SonicWALL_Failover_Network_Designs.pdf
0
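A small consistency check for the three points arnold raises in this thread (IDs 39886238, 39886992 and 39887641): no two sites may own overlapping address space, each site's policy must list its own LAN object as local and the peer's LAN object as remote (never ANY), and where several HQ segments must be reachable they go into one group that the branch names as its remote. This is an added example written for this page, not SonicWALL's or any poster's code; the dictionary layout, the function names and the two sample plans are this example's own assumptions, with site names and prefixes taken from the thread.

```python
import ipaddress
from itertools import combinations


def _nets(cidrs):
    """Parse CIDR strings into a set of networks; strict=False tolerates host bits such as 10.0.0.1/24."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def _fmt(nets):
    return ", ".join(sorted(str(n) for n in nets))


def audit_vpn_policies(sites):
    """Check a set of site-to-site policies for the mistakes discussed in the thread.

    sites maps a site name to:
      "local":    the CIDRs that live behind that site's firewall
      "policies": {peer: {"local": [CIDRs] or "any", "remote": [CIDRs]}}
    Returns a list of human-readable findings; an empty list means the plan is consistent.
    """
    findings = []

    # 1. Address plan: two sites joined by VPN must never own the same or overlapping space.
    for (a, sa), (b, sb) in combinations(sites.items(), 2):
        for na in _nets(sa["local"]):
            for nb in _nets(sb["local"]):
                if na.overlaps(nb):
                    findings.append(f"overlap: {a} {na} overlaps {b} {nb}")

    # 2. Mirroring: my policy's local = my LAN group, my policy's remote = the peer's LAN group,
    #    and the peer must carry the reverse policy.
    for name, site in sites.items():
        own = _nets(site["local"])
        for peer, pol in site["policies"].items():
            if pol["local"] == "any":
                findings.append(f"{name}->{peer}: local network is ANY; select {name}'s own LAN object instead")
            elif _nets(pol["local"]) != own:
                findings.append(f"{name}->{peer}: local [{_fmt(_nets(pol['local']))}] does not match "
                                f"{name}'s LAN [{_fmt(own)}]")
            if peer not in sites:
                findings.append(f"{name}->{peer}: peer {peer} is not defined")
                continue
            peer_lan = _nets(sites[peer]["local"])
            if _nets(pol["remote"]) != peer_lan:
                findings.append(f"{name}->{peer}: remote [{_fmt(_nets(pol['remote']))}] does not match "
                                f"{peer}'s LAN [{_fmt(peer_lan)}]")
            if name not in sites[peer]["policies"]:
                findings.append(f"{peer} has no policy back to {name}")
    return findings


# Constructed plan modelled on the thread's first attempt: HQ's policy uses ANY as local and
# omits the server VLAN, and the branch policy names HQ's server segment as its own local network.
BROKEN = {
    "HQ": {"local": ["10.10.110.0/24"],
           "policies": {"A": {"local": "any", "remote": ["10.10.120.0/24"]}}},
    "A":  {"local": ["10.10.120.0/24"],
           "policies": {"HQ": {"local": ["192.168.0.0/24"], "remote": ["10.10.110.0/24"]}}},
}

# Constructed mirrored plan: each side's remote list is the other side's local list, and HQ's
# local object is a group holding both the host VLAN and the server VLAN.
FIXED = {
    "HQ": {"local": ["10.10.110.0/24", "192.168.0.0/24"],
           "policies": {"A": {"local": ["10.10.110.0/24", "192.168.0.0/24"],
                              "remote": ["10.10.120.0/24"]}}},
    "A":  {"local": ["10.10.120.0/24"],
           "policies": {"HQ": {"local": ["10.10.120.0/24"],
                               "remote": ["10.10.110.0/24", "192.168.0.0/24"]}}},
}

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{label}: {audit_vpn_policies(plan) or ['OK']}")
```

Run against BROKEN it reports the ANY local on the HQ side and the wrong local object on the branch side, which is exactly why a tunnel can show green while return traffic never enters it; against FIXED it reports nothing. Adding a seventh site to the dictionary is enough to re-check the whole hub-and-spoke plan before touching the firewalls.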
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39890845
Still no luck. The VPN is active, and I can ping between SonicWALLs but not much else. Hosts at A cannot access servers at HQ. There's something I am missing, maybe some routing statements?
Servers at HQ are on 192.168.0.0/24, VLAN 1
Hosts at HQ are on 10.10.110.0/24, VLAN 110
The hosts at A I want to be on 10.10.120.0/24, VLAN 120
Is it to do with the VLANs?
0
 
LVL 76

Accepted Solution

by:arnold
arnold earned 500 total points
ID: 39890860
Since you are using VLANs, do you have ACLs that define/restrict access?
Possibly.

I.e. you have an access rule that deals with which IP segments can access VLAN 120 on one side and VLAN 110 on the other. I.e. you need an allow rule for 10.10.110.0/24 to access 10.10.120.0/24 and the same in reverse on the other side.

You could debug requests on the SonicWALL for traffic from 10.10.110.0/24 on the 10.10.120.0/24 side after the tunnel.
This will confirm traffic is making it through the tunnel. Then you can see whether the packet is dropped at the VLAN border.

You can then use Microsoft Network Monitor or Wireshark on one of the 10.10.120.0/24 systems, looking for packets from 10.10.110.0/24.
This way you can see whether a packet makes its way. You can look at the packet to see what IP is reflected as the source of this packet, which should be 10.10.110.x. You can then look at whether the system you are on responded.

This way you have to drill in one layer at a time.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 39891213
You can leave Local IKE ID fields blank on both Sonicwalls. Also, could you show us the advanced tabs on each Sonicwall? Do you want users behind the remote Sonicwall to obtain IP addresses from the main Sonicwall? If so, you need to tweak DHCP over VPN settings.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39892413
Since you are using VLANs, do you have ACLs that define/restrict access?

Yes. I looked at the ACL switch and noticed routing statements for the 10.10.120.0/24 network pointing to an old test switch that is offline, so I changed the gateway to the LAN IP of the SonicWALL at A and that solved a lot of issues!

I then had to specify DNS servers in the DHCP scope on the SonicWALL at A so hosts at A could resolve host names at HQ.

I can now access servers at HQ as I had hoped. Next I will test IP phones at A communicating with the PBX controller at HQ over the VPN. Thank you for your help all, especially arnold!
0
 
LVL 76

Expert Comment

by:arnold
ID: 39892459
I do not believe you need to point the 10.10.120.0/24 to a gateway. That route should be added by the SonicWALL when the VPN is established.

A static route will cause issues if you interconnect the various locations. You should look into QoS setup on your VPN: prioritization of SIP/VoIP data over other traffic.

http://www.experts-exchange.com/Networking/Telecommunications/IP_Telephony/VoIP/Q_28044049.html

While it does not provide an example, it indicates that you should look under the firewall configuration.

http://www.sonicwall.com/downloads/Configuring_VoIP_for_SonicOS_Enhanced.pdf
0
