Status: Solved
How do I configure a Site to Site VPN between SonicWALL devices?

Hello all,

I have never setup a site to site VPN before and some of the network requirements are unclear to me.

We currently pay for TLS connections through our ISP to connect 6 remote sites to our central site where all servers reside, and a single internet POP is shared. The TLS connections are slow and expensive. The goal is to instead have an internet POP at each site and utilize Site to Site VPNs for the LAN. Each remote site has IP phones and several workstations that need to access servers at the central site.


I have a SonicWALL NSA 2400 at the primary site with a static public IP.

I plan to put SonicWALL TZ215's at each remote site. Each site will have its own internet POP (DSL) with a static IP. The DSL router will allow me to configure DMZ host, port forwarding etc. I want DHCP to be handled by the TZ215's at each remote site.

How should I configure the VPN Policies for this to function as planned?
Asked by CoSmismgr

carlmdCommented:
The easiest way to do this is to use the Wizard. Login to the Sonicwall and look in the upper right hand corner. You will see an item labeled Wizards. Click that and select VPN Wizard and follow the instructions.
 
CoSmismgrAuthor Commented:
I followed the Wizard, and have been following along with some online tutorials. The VPN is active and shows a green dot, but I am unable to ping devices across the VPN or access any network resources.
 
arnoldCommented:
Can you post your data, excluding public IPs and the secret/preshared key?

One thing to make sure is that the locations you are linking do not use the same or overlapping IPs.

Location HQ    10.0.0.0/22
Location A     10.0.0.1/24

Will be one such example.
The difficulty is that you have an existing setup with which you do not want to interfere.
 
carlmdCommented:
If you log in to the local Sonicwall and go to VPN -> Settings, then under VPN Policies first verify that the Enable box is checked. Then click the Configure button for the tunnel and go to the Network tab. In Local Networks you should have (Choose Local Network from List) an Address Object that includes all the local nets that will be able to go over the tunnel to the remote. Then in Remote Networks you should have an Address Object that includes all the remote LANs that are to be accessed over the tunnel.

After you do/verify that, you must do the same for the Sonicwall on the other end of the tunnel. Log in to the remote Sonicwall and do the same thing: indicate the remote LANs that can access the main site over the tunnel, and what they can access.
 
CoSmismgrAuthor Commented:
Can you excluding public IPs and secret/preshared key post your data.


[Attached screenshots: Central Site NSA 2400 (2), Remote Site TZ215 (2)]
 
arnoldCommented:
The issue I see is that you are mixing LOCAL NETWORKS on the two ends of the VPN.

10.10.110.0/24 Should pick the local network to allow passage versus ANY.
10.10.110.0/24 has the remote defined as 10.10.120.0/24

on the other side

10.10.120.0/24 should also only have its local networks chosen versus all.
10.10.120.0/24 has the local network (as the network for this tunnel) pointing at 192.168.0.0/24.  It should point to 10.10.110.0/24

The tunnel might establish, but the traffic from the 10.10.120.0/24 even as a response will never enter the tunnel.
 
Is 10.10.120.0/24 the HUB (HQ)?

You should first test/setup individual Tunnels between point A and point B.
Decide whether you want hub and spoke (HQ to each branch), or a mix (HQ to each branch and some branches with inter-branch VPNs),
and then whether you want to allow traffic via the VPNs such that, should one VPN drop, there are other paths to the same location via a different VPN.

Start small, Once you get this setup and functioning, the rest is a repetition.
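The per-side selection arnold describes above (a reply from 10.10.120.0/24 never entering the tunnel when that side's local selector names a different network) can be reproduced with a small simulation. This is an added example, not SonicWall code or a configuration from the thread: a policy is reduced to its two traffic selectors, and a packet enters the tunnel only when its source matches a local selector and its destination matches a remote selector on the firewall sending it. The subnets are the ones posted in the thread; the policy names, host addresses and the address-group variant at the end are assumptions.

```python
"""Simulation of how a policy-based IPsec VPN picks packets for a tunnel.

Added example, not SonicWall code.  Only the selector match on the sending
side is modelled; IKE negotiation of the selectors is out of scope.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Policy(NamedTuple):
    name: str
    local: tuple    # networks behind this firewall allowed into the tunnel
    remote: tuple   # networks behind the peer reachable through the tunnel


def net_list(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


def selects(policy, src, dst):
    """True when the (src, dst) pair falls inside the policy's selectors."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in policy.local) and any(d in n for n in policy.remote)


def egress(policies, src, dst):
    """Name of the first matching policy, or 'default-route' when the packet
    leaves via the ordinary WAN route and never enters any tunnel."""
    for p in policies:
        if selects(p, src, dst):
            return p.name
    return "default-route"


def round_trip(hq_policies, site_a_policies, hq_host, a_host):
    """Follow a request HQ -> A and its reply A -> HQ through each side's policy."""
    return {
        "request": egress(hq_policies, hq_host, a_host),
        "reply": egress(site_a_policies, a_host, hq_host),
    }


# Hub side (NSA 2400): user VLAN 110 talking to the remote VLAN 120.
HQ = [Policy("to-siteA", net_list("10.10.110.0/24"), net_list("10.10.120.0/24"))]

# Remote side as posted in the thread: the LOCAL selector names HQ's server
# VLAN instead of the site's own 10.10.120.0/24.
SITE_A_WRONG = [Policy("to-hq", net_list("192.168.0.0/24"), net_list("10.10.110.0/24"))]

# Remote side with selectors mirrored against HQ's policy.
SITE_A_FIXED = [Policy("to-hq", net_list("10.10.120.0/24"), net_list("10.10.110.0/24"))]

# Assumed variant: the remote selector is an address group so that HQ's server
# VLAN (192.168.0.0/24) is reachable too; HQ would need the matching group as
# its local selector.
SITE_A_GROUP = [Policy("to-hq", net_list("10.10.120.0/24"),
                       net_list("10.10.110.0/24", "192.168.0.0/24"))]

if __name__ == "__main__":
    print("wrong:", round_trip(HQ, SITE_A_WRONG, "10.10.110.20", "10.10.120.5"))
    print("fixed:", round_trip(HQ, SITE_A_FIXED, "10.10.110.20", "10.10.120.5"))
    print("server VLAN, fixed:", egress(SITE_A_FIXED, "10.10.120.5", "192.168.0.10"))
    print("server VLAN, group:", egress(SITE_A_GROUP, "10.10.120.5", "192.168.0.10"))
```

With the posted selectors the request from HQ is encrypted but the reply from 10.10.120.5 matches no policy and goes out the DSL line in the clear (and is then dropped or NATed away); the mirrored policy fixes that, and the last two calls show why the HQ server VLAN stays unreachable until it is added to the selector as well.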
 
CoSmismgrAuthor Commented:
I should add on the remote side, the DSL router LAN IP is 192.168.1.1 /24 and the SonicWALL TZ215 WAN IP is 192.168.1.2 /24. The DSL router is directing Ports 500 and 4500 to 192.168.1.2
 
CoSmismgrAuthor Commented:
arnold I am trying to implement the network paths as you suggested, will report back soon
 
arnoldCommented:
The IPs in the local/remote should be mirrored between any two locations.


LAN       Site A            Site B
Local     10.10.110.0/24    10.10.120.0/24
Remote    10.10.120.0/24    10.10.110.0/24

The VPN rules are how the router determines which packets go through which mechanism: out to the internet, out via the VPN, out via another connection you may have (i.e. point-to-point, etc.).

The WAN components are configured as the VPN gateway i.e. to establish a VPN what IP should the router initiate a connection to.


If you only have one Location with a static IP, it usually will wait for incoming connection rather than initiating an outgoing connection.

HQ static IP
location A (while the IP might not have changed in the past, the provider can change it at will, i.e. if they need to move IPs, they will change the IP that is allocated)

In this case, the most consistent VPN will be initiated from location A to HQ.
Your HQ VPN should not restrict this VPN based on the current IP of Location A, since the VPN will be rejected should the location A WAN IP ever change.
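The mirrored local/remote table above, the overlapping-range warning in arnold's earlier comment, and the address-group approach he describes further down are all static properties of the policy set, so they can be checked before a tunnel is ever brought up. The validator below is an added example and not SonicWall code; it reads a hand-written description of each site's LANs and policies (the format is an assumption, as is the hypothetical site "B" used for the overlap case) and reports the three mistakes discussed in this thread.

```python
"""Static checks for a set of site-to-site VPN policies.

Added example, not SonicWall code.  Reports: LAN ranges that overlap between
sites, local/remote selectors that are not mirrored between the two ends of a
tunnel, a local selector that does not belong to the site it is configured on,
and a selector of ANY.  The site layout is taken from the thread; site "B"
and the input format are assumptions.
"""
from ipaddress import ip_network


def nets(cidrs):
    return [ip_network(c) for c in cidrs]


def overlapping_lans(sites):
    """Report every pair of sites whose LAN ranges overlap."""
    problems = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in nets(sites[a]["lans"]):
                for nb in nets(sites[b]["lans"]):
                    if na.overlaps(nb):
                        problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def selector_problems(sites):
    """Report selectors that are ANY, not local to their site, unanswered by
    the peer, or not mirrored (A.local == B.remote and A.remote == B.local)."""
    problems = []
    for a, site in sites.items():
        own = nets(site["lans"])
        for peer, pol in site["policies"].items():
            local, remote = nets(pol["local"]), nets(pol["remote"])
            for n in local + remote:
                if n.prefixlen == 0:
                    problems.append(f"{a}->{peer}: selector ANY ({n}) instead of a specific network")
            for n in local:
                if n.prefixlen and not any(n.subnet_of(o) for o in own):
                    problems.append(f"{a}->{peer}: local selector {n} is not a LAN of {a}")
            back = sites.get(peer, {}).get("policies", {}).get(a)
            if back is None:
                problems.append(f"{a}->{peer}: {peer} has no policy back to {a}")
            elif a < peer and (set(local) != set(nets(back["remote"]))
                               or set(remote) != set(nets(back["local"]))):
                problems.append(f"{a}<->{peer}: local/remote selectors are not mirrored")
    return problems


def check(sites):
    return overlapping_lans(sites) + selector_problems(sites)


# Constructed input: HQ has a user VLAN and a server VLAN; site A's policy
# wrongly lists HQ's server VLAN as its own LOCAL network (as in the thread).
BROKEN = {
    "HQ": {"lans": ["10.10.110.0/24", "192.168.0.0/24"],
           "policies": {"A": {"local": ["10.10.110.0/24"], "remote": ["10.10.120.0/24"]}}},
    "A":  {"lans": ["10.10.120.0/24"],
           "policies": {"HQ": {"local": ["192.168.0.0/24"], "remote": ["10.10.110.0/24"]}}},
}

# Corrected: selectors mirrored, and HQ's two VLANs carried as an address group.
FIXED = {
    "HQ": {"lans": ["10.10.110.0/24", "192.168.0.0/24"],
           "policies": {"A": {"local": ["10.10.110.0/24", "192.168.0.0/24"],
                              "remote": ["10.10.120.0/24"]}}},
    "A":  {"lans": ["10.10.120.0/24"],
           "policies": {"HQ": {"local": ["10.10.120.0/24"],
                               "remote": ["10.10.110.0/24", "192.168.0.0/24"]}}},
}

# The overlap case from the thread (HQ /22 contains a branch /24); hypothetical site B.
OVERLAP = {
    "HQ": {"lans": ["10.0.0.0/22"], "policies": {}},
    "B":  {"lans": ["10.0.0.0/24"], "policies": {}},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("overlap", OVERLAP)):
        print(label, check(cfg) or "OK")
```

Run it on the description of all six branches before cutting over; an empty report does not prove the tunnels will pass traffic, but every non-empty line is a policy that cannot work as written.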
 
CoSmismgrAuthor Commented:
That seemed to help arnold, I can now ping between the SonicWALLs, but still no traffic between hosts or access to servers at HQ. The servers are on a different LAN at HQ - 192.168.0.0/24

sonicwall at HQ can ping sonicwall at A
sonicwall at A can ping sonicwall at HQ
Host at A can ping sonicwall at HQ
Host at HQ cannot ping sonicwall at A
 
arnoldCommented:
The difficulty you may have deals with the existing routing table on the sonicwall.
the TLS solution you have might include a routing rule on the sonicwalls if that is where the connections terminate.

You may have an ACL on the sonicwall not to respond to pings from outside the LAN or WAN block.

i.e. a ping from 192.168.x.x or 10.10.110.0/24 will be returned on the local sonicwall, but the remote location has an IP of 10.10.120.0/24 to which the sonicwall either does not respond, or responds and that packets goes out the other path.

Back to VPNs, if you need access to multiple IP segments via the tunnel, you would need to replace the remote VPN IP segment with a group of IP segments i.e.
HQ_group
192.168.1.0/24
10.10.110.0/24
10.10.130.0/24

So you would as part of the local/remote groups use custom rules where each has the IP segments that you need accessed.

A more advanced solution that does not require these static changes is to configure routing over the VPN.



The interface seems older, but the information may clear up/illustrate what I am trying to put forward.

http://www.sonicwall.com/downloads/SonicWALL_Failover_Network_Designs.pdf
 
CoSmismgrAuthor Commented:
Still no luck. The VPN is active, and I can ping between sonicwalls but not much else. Hosts at A cannot access servers at HQ. There's something I am missing, maybe some routing statements?
Servers at HQ are on 192.168.0.0 /24 VLAN 1
Hosts at HQ are on 10.10.110.0 /24 VLAN 110
The Hosts at A I want to be on 10.10.120.0 /24 VLAN 120
Is it to do with the VLAN's?
 
arnoldCommented:
Since you are using VLANs, do you have ACLs that define/restrict access?
Possibly.

I.e. You have an access rule deals with which IP segments can access VLAN 120 on one side and VLAN 110 on the other.  I.e. You need an allow rule for 10.10.110.0/24 to access 10.10.120.0/24 and the same in reverse on the other side.

You could debug requests on the SonicWall for traffic from 10.10.110.0/24 on the 10.10.120.0/24 side after the tunnel.
This will confirm traffic is making it through the tunnel.  Then you can see whether the packet is dropped at the VLAN border.

You can then use Microsoft Network Monitor or Wireshark on one of the 10.10.120.0/24 systems looking for packets from 10.10.110.0/24.
This way you can see whether a packet makes its way.  You can look at the packet to see what IP is reflected as the source of this packet which should be 10.10.110.x.  You can then look at whether the system you are on responded.  

This way you drill in one layer at a time.
 
masnrockCommented:
You can leave Local IKE ID fields blank on both Sonicwalls. Also, could you show us the advanced tabs on each Sonicwall? Do you want users behind the remote Sonicwall to obtain IP addresses from the main Sonicwall? If so, you need to tweak DHCP over VPN settings.
 
CoSmismgrAuthor Commented:
Since you are using VLAns, do you have ACLs that define/restrict access?

Yes. I looked at the ACL switch and noticed routing statements for the 10.10.120.0 /24 network pointing to an old test switch that is offline so I changed the gateway to the LAN IP of the sonicWALL at A and that solved a lot of issues!

I then had to specify DNS servers in the DHCP scope on the sonicwall at A so hosts at A could resolve host names at HQ.

I can now access servers at HQ as I had hoped. Next I will test IP phones at A communicating with PBX controller at HQ over the VPN. Thank you for your help all, especially arnold!
 
arnoldCommented:
I do not believe you need to point the 10.10.120.0/24 to a gateway.  That route should be added by the sonicwall when the VPN is established.

A static route will cause issues if you interconnect the various locations.  You should look into QoS setup on your VPN for prioritization of SIP/VoIP data over other traffic.

http://www.experts-exchange.com/Networking/Telecommunications/IP_Telephony/VoIP/Q_28044049.html

While it does not provide an example, it indicates that you should look under the firewall configuration.....

http://www.sonicwall.com/downloads/Configuring_VoIP_for_SonicOS_Enhanced.pdf