Solved

How do I configure a Site to Site VPN between SonicWALL devices?

Posted on 2014-02-24
Last Modified: 2014-02-27
Hello all,

I have never setup a site to site VPN before and some of the network requirements are unclear to me.

We currently pay for TLS connections through our ISP to connect 6 remote sites to our central site where all servers reside, and a single internet POP is shared. The TLS connections are slow and expensive. The goal is to instead have an internet POP at each site and utilize Site to Site VPN's for the LAN. Each remote site has IP phones and several workstations that need to access servers at the central site.


I have a SonicWALL NSA 2400 at the primary site with a static public IP.

I plan to put SonicWALL TZ215's at each remote site. Each site will have its own internet POP (DSL) with a static IP. The DSL router will allow me to configure DMZ host, port forwarding etc. I want DHCP to be handled by the TZ215's at each remote site.

How should I configure the VPN Policies for this to function as planned?
0
Question by:CoSmismgr
16 Comments
 
LVL 20

Expert Comment

by:carlmd
ID: 39885301
The easiest way to do this is to use the Wizard. Login to the Sonicwall and look in the upper right hand corner. You will see an item labeled Wizards. Click that and select VPN Wizard and follow the instructions.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886202
I followed the Wizard, and have been following along with some online tutorials. The VPN is active and shows a green dot, but I am unable to ping devices across the VPN or access any network resources.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39886238
Can you, excluding public IPs and secret/preshared key, post your data?

One thing to make sure of is that the locations you are linking do not use the same or overlapping IPs.

Location HQ    10.0.0.0/22
Location A     10.0.0.1/24

That will be one such example.
The difficulty is that you have an existing setup with which you do not want to interfere.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39886243
If you login to the local Sonicwall and go to VPN -> Settings, then under VPN Policies first verify that the Enable box is checked. Then click the Configure button for the tunnel, and go to the Network tab. In Local Networks you should have (Choose Local Network from List) an Address Object that includes all the local nets that will be able to go over the tunnel to the remote. Then in Remote Networks you should have an Address Object that includes all the remote LANs that are to be accessed over the tunnel.

After you do/verify that, you must do the same for the Sonicwall on the other end of the tunnel. Log into the remote Sonicwall and do the same thing: indicate the remote LANs that can access the main site over the tunnel, and what they can access.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886725
Can you, excluding public IPs and secret/preshared key, post your data?

Attached screenshots: Central Site NSA 2400, Remote Site TZ215
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39886822
The issue I see is that you are mixing LOCAL NETWORKS on the two ends of the VPN.

10.10.110.0/24 should pick the local network to allow passage versus ANY.
10.10.110.0/24 has the remote defined as 10.10.120.0/24

on the other side

10.10.120.0/24 should also only have its local networks chosen versus all.
10.10.120.0/24 points, for the local network (as the network for this tunnel), to 192.168.0.0/24. It should point to 10.10.110.0/24.

The tunnel might establish, but the traffic from 10.10.120.0/24, even as a response, will never enter the tunnel.
 
Is 10.10.120.0/24 the HUB (HQ)?

You should first test/setup individual tunnels between point A and point B.
Then decide if you want hub and spoke (HQ to each branch), or a mix (HQ to each branch and some branches with inter-branch VPNs),
and then whether you want to allow traffic via the VPNs such that, should one VPN drop, there are other paths to the same location via a different VPN.

Start small. Once you get this set up and functioning, the rest is repetition.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886884
I should add on the remote side, the DSL router LAN IP is 192.168.1.1 /24 and the SonicWALL TZ215 WAN IP is 192.168.1.2 /24. The DSL router is directing Ports 500 and 4500 to 192.168.1.2
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39886933
arnold I am trying to implement the network paths as you suggested, will report back soon
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39886992
The IPs in the local/remote should be mirrored between any two locations.

LAN       Site A            Site B
Local     10.10.110.0/24    10.10.120.0/24
Remote    10.10.120.0/24    10.10.110.0/24

The VPN rules are how the router determines which packets go through which mechanism: out to the internet, out via the VPN, out via another connection you may have (i.e. point-to-point, etc.).

The WAN components are configured as the VPN gateway i.e. to establish a VPN what IP should the router initiate a connection to.


If you only have one location with a static IP, it usually will wait for an incoming connection rather than initiating an outgoing connection.

HQ: static IP
Location A: (while the IP might not have changed in the past, the provider can change it at will, i.e. if they need to move IPs, they will change the IP that is allocated)

In this case, the most consistent VPN will be initiated from location A to HQ.
Your HQ VPN should not restrict this VPN based on the current IP of Location A, since the VPN will be rejected should the location A WAN IP ever change.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39887043
That seemed to help arnold, I can now ping between the SonicWALL's, but still no traffic between hosts or access to servers at HQ. The servers are on a different LAN at HQ - 192.168.0.0/24

sonicwall at HQ can ping sonicwall at A
sonicwall at A can ping sonicwall at HQ
Host at A can ping sonicwall at HQ
Host at HQ cannot ping sonicwall at A
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39887641
The difficulty you may have deals with the existing routing table on the sonicwall.
the TLS solution you have might include a routing rule on the sonicwalls if that is where the connections terminate.

You may have an ACL on the sonicwall not to respond to pings from outside the LAN or WAN block.

i.e. a ping from 192.168.x.x or 10.10.110.0/24 will be returned on the local sonicwall, but the remote location has an IP of 10.10.120.0/24 to which the sonicwall either does not respond, or responds and that packets goes out the other path.

Back to VPNs, if you need access to multiple IP segments via the tunnel, you would need to replace the remote VPN IP segment with a group of IP segments i.e.
HQ_group
192.168.1.0/24
10.10.110.0/24
10.10.130.0/24

So you would as part of the local/remote groups use custom rules where each has the IP segments that you need accessed.

A more advanced solution that does not require these static changes is to configure routing over the VPN.



The interface seems older, but the information may clear up/illustrate what I am trying to put forward.

http://www.sonicwall.com/downloads/SonicWALL_Failover_Network_Designs.pdf
0
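The two rules arnold gives above (the Local/Remote networks of a tunnel's two ends must mirror each other, with neither side set to ANY, and no two sites may use overlapping subnets, as in his 10.0.0.0/22 vs 10.0.0.1/24 example) can be checked mechanically before touching the firewalls. The following is an added example, not code from this thread or from SonicWALL; the policy dict layout, the site names and the subnets are constructed from the thread, and each side may hold an address group (several subnets) as in the HQ_group example.

```python
"""Sanity checks for a pair of site-to-site VPN policies and for subnet overlap.

Added example (not from the thread or from SonicWALL). A "policy" models one
firewall's VPN Network tab: the local subnets it offers over the tunnel and the
remote subnets it expects on the far side. Subnet lists stand in for address
groups. Site names and addresses below are constructed from the thread.
"""
from ipaddress import IPv4Network, ip_network
from itertools import combinations
from typing import Dict, List, Set, Tuple

Policy = Dict[str, List[str]]  # {"local": [cidr, ...], "remote": [cidr, ...]}


def _nets(cidrs: List[str]) -> List[IPv4Network]:
    # strict=False so "10.0.0.1/24" is read as 10.0.0.0/24, as a firewall would
    return [ip_network(c, strict=False) for c in cidrs]


def _fmt(nets: Set[IPv4Network]) -> str:
    return ", ".join(sorted(str(n) for n in nets))


def check_mirrored(name_a: str, pol_a: Policy, name_b: str, pol_b: Policy) -> List[str]:
    """Return a list of problems; an empty list means the two ends mirror each other."""
    problems: List[str] = []
    # ANY (0.0.0.0/0) on either side is the mistake arnold called out first
    for name, pol in ((name_a, pol_a), (name_b, pol_b)):
        for side in ("local", "remote"):
            if any(n.prefixlen == 0 for n in _nets(pol[side])):
                problems.append(f"{name}: {side} networks set to ANY; pick the real subnet(s)")
    a_local, a_remote = set(_nets(pol_a["local"])), set(_nets(pol_a["remote"]))
    b_local, b_remote = set(_nets(pol_b["local"])), set(_nets(pol_b["remote"]))
    # Site A local must equal Site B remote, and vice versa
    if a_local != b_remote:
        problems.append(f"{name_a} local [{_fmt(a_local)}] != {name_b} remote [{_fmt(b_remote)}]")
    if b_local != a_remote:
        problems.append(f"{name_b} local [{_fmt(b_local)}] != {name_a} remote [{_fmt(a_remote)}]")
    return problems


def check_overlap(sites: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (site1, subnet1, site2, subnet2) for every overlapping pair across sites."""
    hits: List[Tuple[str, str, str, str]] = []
    for (s1, c1), (s2, c2) in combinations(sites.items(), 2):
        for n1 in _nets(c1):
            for n2 in _nets(c2):
                if n1.overlaps(n2):
                    hits.append((s1, str(n1), s2, str(n2)))
    return hits


# Constructed from the thread: the first attempt (site A's remote pointed at the
# HQ server VLAN, HQ's local was ANY), then the mirrored version with HQ carrying
# a group of both its subnets.
BROKEN_A: Policy = {"local": ["10.10.120.0/24"], "remote": ["192.168.0.0/24"]}
BROKEN_HQ: Policy = {"local": ["0.0.0.0/0"], "remote": ["10.10.120.0/24"]}
FIXED_A: Policy = {"local": ["10.10.120.0/24"], "remote": ["10.10.110.0/24", "192.168.0.0/24"]}
FIXED_HQ: Policy = {"local": ["10.10.110.0/24", "192.168.0.0/24"], "remote": ["10.10.120.0/24"]}

if __name__ == "__main__":
    for label, a, hq in (("broken", BROKEN_A, BROKEN_HQ), ("fixed", FIXED_A, FIXED_HQ)):
        print(label, check_mirrored("A", a, "HQ", hq) or "OK")
    print("overlap:", check_overlap({"HQ": ["10.0.0.0/22"], "A": ["10.0.0.1/24"]}))
    print("overlap:", check_overlap({"HQ": FIXED_HQ["local"], "A": FIXED_A["local"]}))
```

Run it once per tunnel pair; the overlap check takes every site's local subnets at once, which is what matters before adding inter-branch tunnels.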
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39890845
Still no luck. The VPN is active, and I can ping between sonicwalls but not much else. Hosts at A cannot access servers at HQ. There's something I am missing, maybe some routing statements?
Servers at HQ are on 192.168.0.0 /24 VLAN 1
Hosts at HQ are on 10.10.110.0 /24 VLAN 110
The Hosts at A I want to be on 10.10.120.0 /24 VLAN 120
Is it to do with the VLAN's?
0
 
LVL 77

Accepted Solution

by:arnold
arnold earned 500 total points
ID: 39890860
Since you are using VLANs, do you have ACLs that define/restrict access?
Possibly.

I.e. you have an access rule that deals with which IP segments can access VLAN 120 on one side and VLAN 110 on the other. I.e. you need an allow rule for 10.10.110.0/24 to access 10.10.120.0/24 and the same in reverse on the other side.

You could debug requests on the SonicWALL for traffic from 10.10.110.0/24 on the 10.10.120.0/24 side after the tunnel.
This will confirm traffic is making it through the tunnel. Then you can see whether the packet is dropped at the VLAN border.

You can then use Microsoft Network Monitor or Wireshark on one of the 10.10.120.0/24 systems, looking for packets from 10.10.110.0/24.
This way you can see whether a packet makes its way. You can look at the packet to see what IP is reflected as the source of this packet, which should be 10.10.110.x. You can then look at whether the system you are on responded.

This way you have to drill in one layer at a time.
0
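The host-side check arnold describes (capture on a 10.10.120.0/24 system, look for packets sourced from 10.10.110.x, then see whether the host answered) comes down to pairing ICMP echo requests with replies. The following is an added example, not code from the thread: it parses tcpdump -n style text, which is what a capture on the remote host produces, and the capture lines are constructed here to show the three outcomes. The net ranges and the function names are assumptions.

```python
"""Pair ICMP echo requests with replies in a tcpdump -n text capture.

Added example, not from the thread. Distinguishes "nothing from the far side
arrived" (tunnel selector or VLAN ACL problem) from "it arrived but this host
never answered" (host firewall or routing problem). The sample capture below
is constructed, not a real trace.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

# tcpdump -n line shape for ICMP echo, e.g.
# 12:00:00.100000 IP 10.10.110.5 > 10.10.120.20: ICMP echo request, id 1234, seq 1, length 64
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

Key = Tuple[str, str, int, int]  # (requester, target, icmp id, seq)


def parse_icmp(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only ICMP echo lines; ARP, TCP and other noise are skipped."""
    packets: List[Dict[str, object]] = []
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            packets.append({"src": m["src"], "dst": m["dst"], "kind": m["kind"],
                            "id": int(m["id"]), "seq": int(m["seq"])})
    return packets


def match_pings(lines: Iterable[str], from_net: str, to_net: str) -> Dict[str, object]:
    """Count requests from from_net to to_net and the replies that answered them."""
    src_net, dst_net = ip_network(from_net), ip_network(to_net)
    requests: Set[Key] = set()
    replies: Set[Key] = set()
    for p in parse_icmp(lines):
        src, dst = ip_address(str(p["src"])), ip_address(str(p["dst"]))
        if p["kind"] == "request" and src in src_net and dst in dst_net:
            requests.add((str(p["src"]), str(p["dst"]), int(p["id"]), int(p["seq"])))  # type: ignore[arg-type]
        elif p["kind"] == "reply" and dst in src_net and src in dst_net:
            # a reply flows back the other way; key it by the original requester/target
            replies.add((str(p["dst"]), str(p["src"]), int(p["id"]), int(p["seq"])))  # type: ignore[arg-type]
    return {"requests": len(requests), "replies": len(replies & requests),
            "unanswered": sorted(requests - replies)}


def diagnose(lines: Iterable[str], from_net: str, to_net: str) -> str:
    """One of: no-requests-seen, all-answered, unanswered (the drill-down layer)."""
    r = match_pings(lines, from_net, to_net)
    if r["requests"] == 0:
        return "no-requests-seen"      # nothing crossed the tunnel / VLAN border
    if r["unanswered"]:
        return "unanswered"            # it arrived, but this host did not reply
    return "all-answered"


# Constructed capture: three pings from an HQ host, the third unanswered, plus
# an ARP line and a ping from the DSL router that must not be counted.
SAMPLE_CAPTURE = """\
12:00:00.000001 ARP, Request who-has 10.10.120.1 tell 10.10.120.20, length 28
12:00:00.100000 IP 10.10.110.5 > 10.10.120.20: ICMP echo request, id 1234, seq 1, length 64
12:00:00.100200 IP 10.10.120.20 > 10.10.110.5: ICMP echo reply, id 1234, seq 1, length 64
12:00:01.100000 IP 10.10.110.5 > 10.10.120.20: ICMP echo request, id 1234, seq 2, length 64
12:00:01.100200 IP 10.10.120.20 > 10.10.110.5: ICMP echo reply, id 1234, seq 2, length 64
12:00:02.100000 IP 10.10.110.5 > 10.10.120.20: ICMP echo request, id 1234, seq 3, length 64
12:00:03.000000 IP 192.168.1.1 > 10.10.120.20: ICMP echo request, id 77, seq 1, length 64
12:00:03.000200 IP 10.10.120.20 > 192.168.1.1: ICMP echo reply, id 77, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    print(match_pings(SAMPLE_CAPTURE, "10.10.110.0/24", "10.10.120.0/24"))
    print(diagnose(SAMPLE_CAPTURE, "10.10.110.0/24", "10.10.120.0/24"))
```

On the real host, feed it the output of `tcpdump -n -l icmp` saved to a file while pinging from an HQ workstation.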
 
LVL 25

Expert Comment

by:masnrock
ID: 39891213
You can leave Local IKE ID fields blank on both Sonicwalls. Also, could you show us the advanced tabs on each Sonicwall? Do you want users behind the remote Sonicwall to obtain IP addresses from the main Sonicwall? If so, you need to tweak DHCP over VPN settings.
0
 
LVL 5

Author Comment

by:CoSmismgr
ID: 39892413
Since you are using VLAns, do you have ACLs that define/restrict access?

Yes. I looked at the ACL switch and noticed routing statements for the 10.10.120.0 /24 network pointing to an old test switch that is offline, so I changed the gateway to the LAN IP of the SonicWALL at A and that solved a lot of issues!

I then had to specify DNS servers in the DHCP scope on the sonicwall at A so hosts at A could resolve host names at HQ.

I can now access servers at HQ as I had hoped. Next I will test IP phones at A communicating with PBX controller at HQ over the VPN. Thank you for your help all, especially arnold!
0
 
LVL 77

Expert Comment

by:arnold
ID: 39892459
I do not believe you need to point the 10.10.120.0/24 to a gateway.  That route should be added by the SonicWALL when the VPN tunnel is established.

A static route will cause issues if you interconnect the various locations.  You should look into QoS setup on your VPN prioritization of SIP/VOIP data over other.

http://www.experts-exchange.com/Networking/Telecommunications/IP_Telephony/VoIP/Q_28044049.html

While it does not provide an example, it indicates that you should look under the firewall configuration.....

http://www.sonicwall.com/downloads/Configuring_VoIP_for_SonicOS_Enhanced.pdf
0
