Solved

How do I configure a Site to Site VPN between SonicWALL devices?

Posted on 2014-02-24
Last Modified: 2014-02-27
Hello all,

I have never setup a site to site VPN before and some of the network requirements are unclear to me.

We currently pay for TLS connections through our ISP to connect 6 remote sites to our central site, where all servers reside and a single internet POP is shared. The TLS connections are slow and expensive. The goal is to instead have an internet POP at each site and utilize Site to Site VPNs for the LAN. Each remote site has IP phones and several workstations that need to access servers at the central site.


I have a SonicWALL NSA 2400 at the primary site with a static public IP.

I plan to put SonicWALL TZ215's at each remote site. Each site will have its own internet POP (DSL) with a static IP. The DSL router will allow me to configure DMZ host, port forwarding etc. I want DHCP to be handled by the TZ215's at each remote site.

How should I configure the VPN Policies for this to function as planned?
Question by:CoSmismgr
16 Comments
LVL 20

Expert Comment

by:carlmd
ID: 39885301
The easiest way to do this is to use the Wizard. Login to the Sonicwall and look in the upper right hand corner. You will see an item labeled Wizards. Click that and select VPN Wizard and follow the instructions.
LVL 5

Author Comment

by:CoSmismgr
ID: 39886202
I followed the Wizard, and have been following along with some online tutorials. The VPN is active and shows a green dot, but I am unable to ping devices across the VPN or access any network resources.
LVL 79

Expert Comment

by:arnold
ID: 39886238
Can you, excluding public IPs and the secret/preshared key, post your data?

One thing to make sure is that the locations you are linking do not use the same or overlapping IPs.

Location HQ    10.0.0.0/22
Location A     10.0.0.1/24

would be one such example.
The difficulty is that you have an existing setup with which you do not want to interfere.
LVL 20

Expert Comment

by:carlmd
ID: 39886243
If you login to the local Sonicwall and go to VPN -> Settings. Then under VPN Policies first verify that the Enable box is checked. Then click the Configure button for the tunnel, and go to the Network tab. In Local Networks you should have (Choose Local Network from List) an Address Object that includes all the local nets that will be able to go over the tunnel to the remote. Then in Remote Networks you should have an Address Object that includes all the remote LANs that are to be accessed over the tunnel.

After you do/verify that, you must do the same for the Sonicwall on the other end of the tunnel. Log into the remote Sonicwall and do the same thing: indicate the remote LANs that can access the main site over the tunnel, and what they can access.
LVL 5

Author Comment

by:CoSmismgr
ID: 39886725
Can you, excluding public IPs and the secret/preshared key, post your data?

[Screenshots: Central Site NSA 2400; Remote Site TZ215]
LVL 79

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 39886822
The issue I see is that you are mixing LOCAL NETWORKS on the two ends of the VPN.

10.10.110.0/24 should pick the local network to allow passage versus ANY.
10.10.110.0/24 has the remote defined as 10.10.120.0/24.

on the other side

10.10.120.0/24 should also only have its local networks chosen versus all.
10.10.120.0/24 points the local network (as the network for this tunnel) at 192.168.0.0/24. It should point to 10.10.110.0/24.

The tunnel might establish, but the traffic from the 10.10.120.0/24, even as a response, will never enter the tunnel.

Is 10.10.120.0/24 the HUB (HQ)?

You should first test/setup individual tunnels between point A and point B.
If you want hub and spoke (HQ to each branch), or a mix (HQ to each branch, and some branches will have inter-branch VPNs), and then want to allow traffic via the VPNs such that, should one VPN drop, there are other paths to the same location via a different VPN.

Start small. Once you get this set up and functioning, the rest is a repetition.
LVL 5

Author Comment

by:CoSmismgr
ID: 39886884
I should add on the remote side, the DSL router LAN IP is 192.168.1.1/24 and the SonicWALL TZ215 WAN IP is 192.168.1.2/24. The DSL router is directing ports 500 and 4500 to 192.168.1.2.
LVL 5

Author Comment

by:CoSmismgr
ID: 39886933
arnold, I am trying to implement the network paths as you suggested, will report back soon.
LVL 79

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 39886992
The IPs in the local/remote should be mirrored between any two locations.

LAN       Site A            Site B
Local     10.10.110.0/24    10.10.120.0/24
Remote    10.10.120.0/24    10.10.110.0/24

The VPN rules are how the router determines which packets go through which mechanism: out the internet, out via the VPN, out via another connection you may have (i.e. point-to-point, etc.).

The WAN components are configured as the VPN gateway, i.e. to establish a VPN, what IP should the router initiate a connection to.


If you only have one location with a static IP, it usually will wait for an incoming connection rather than initiating an outgoing connection.

HQ: static IP
Location A: while the IP might not have changed in the past, the provider can change it at will, i.e. if they need to move IPs, they will change the IP that is allocated.

In this case, the most consistent VPN will be initiated from location A to HQ.
Your HQ VPN should not restrict this VPN based on the current IP of location A, since the VPN will be rejected should the location A WAN IP ever change.
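The two checks arnold describes, the mirrored Local/Remote table above and the earlier warning about overlapping address ranges between locations, as a small Python script. This is an added example, not code from the thread or from SonicWALL; the site names and policy dictionaries are constructed from the prefixes the thread uses.

```python
"""Checks for SonicWALL-style site-to-site VPN policy pairs (added example,
not code from the thread or from SonicWALL). Each tunnel end is modelled as
{"local": [...], "remote": [...]} and checked for the two rules the thread
turns on: the two ends must mirror each other (and not use "Any" as the
local network), and no two sites may use overlapping LAN ranges.
"""
from ipaddress import ip_network
from itertools import combinations

ANY = "0.0.0.0/0"  # what a local network of "Any" amounts to


def _nets(prefixes):
    # strict=False so a host-style entry such as 10.0.0.1/24 (as typed in
    # the thread) is read as its network, 10.0.0.0/24, instead of raising.
    return {ip_network(p, strict=False) for p in prefixes}


def overlapping_lans(site_lans):
    """Return (site1, site2, net1, net2) for every pair of LANs that overlap."""
    clashes = []
    for (s1, nets1), (s2, nets2) in combinations(site_lans.items(), 2):
        for n1 in sorted(_nets(nets1)):
            for n2 in sorted(_nets(nets2)):
                if n1.overlaps(n2):
                    clashes.append((s1, s2, str(n1), str(n2)))
    return clashes


def mirror_errors(end_a, end_b):
    """Return the problems with a tunnel's two policy ends, [] if none."""
    errors = []
    for name, end in (("A", end_a), ("B", end_b)):
        if ip_network(ANY) in _nets(end["local"]):
            errors.append(f"end {name}: local network is Any, choose the real LAN")
    if _nets(end_a["local"]) != _nets(end_b["remote"]):
        errors.append("A.local must equal B.remote")
    if _nets(end_a["remote"]) != _nets(end_b["local"]):
        errors.append("A.remote must equal B.local")
    return errors


# Constructed from the thread's prefixes: the first, non-working pair ...
BROKEN_A = {"local": [ANY], "remote": ["10.10.120.0/24"]}
BROKEN_B = {"local": ["10.10.120.0/24"], "remote": ["192.168.0.0/24"]}
# ... and the corrected pair, with HQ's two segments grouped (the HQ_group
# idea) so the servers on 192.168.0.0/24 are reachable over the tunnel too.
FIXED_HQ = {"local": ["192.168.0.0/24", "10.10.110.0/24"], "remote": ["10.10.120.0/24"]}
FIXED_A = {"local": ["10.10.120.0/24"], "remote": ["192.168.0.0/24", "10.10.110.0/24"]}
```

Running `mirror_errors(BROKEN_A, BROKEN_B)` flags both the "Any" local network and the non-mirrored remote, while the corrected pair returns an empty list.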
LVL 5

Author Comment

by:CoSmismgr
ID: 39887043
That seemed to help arnold, I can now ping between the SonicWALLs, but still no traffic between hosts or access to servers at HQ. The servers are on a different LAN at HQ - 192.168.0.0/24

sonicwall at HQ can ping sonicwall at A
sonicwall at A can ping sonicwall at HQ
Host at A can ping sonicwall at HQ
Host at HQ cannot ping sonicwall at A
LVL 79

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 39887641
The difficulty you may have deals with the existing routing table on the sonicwall.
The TLS solution you have might include a routing rule on the sonicwalls if that is where the connections terminate.

You may have an ACL on the sonicwall not to respond to pings from outside the LAN or WAN block.

i.e. a ping from 192.168.x.x or 10.10.110.0/24 will be returned on the local sonicwall, but the remote location has an IP in 10.10.120.0/24 to which the sonicwall either does not respond, or responds and that packet goes out the other path.

Back to VPNs, if you need access to multiple IP segments via the tunnel, you would need to replace the remote VPN IP segment with a group of IP segments i.e.
HQ_group
192.168.1.0/24
10.10.110.0/24
10.10.130.0/24

So you would as part of the local/remote groups use custom rules where each has the IP segments that you need accessed.

A more advanced solution that does not require these static changes is to configure routing over the VPN.



The interface seems older, but the information may clear up/illustrate what I am trying to put forward.

http://www.sonicwall.com/downloads/SonicWALL_Failover_Network_Designs.pdf
LVL 5

Author Comment

by:CoSmismgr
ID: 39890845
Still no luck. The VPN is active, and I can ping between sonicwalls but not much else. Hosts at A cannot access servers at HQ. There's something I am missing, maybe some routing statements?
Servers at HQ are on 192.168.0.0 /24 VLAN 1
Hosts at HQ are on 10.10.110.0 /24 VLAN 110
The Hosts at A I want to be on 10.10.120.0 /24 VLAN 120
Is it to do with the VLANs?
LVL 79

Accepted Solution

by:arnold
arnold earned 2000 total points
ID: 39890860
Since you are using VLANs, do you have ACLs that define/restrict access?
Possibly.

I.e. you have an access rule that deals with which IP segments can access VLAN 120 on one side and VLAN 110 on the other. I.e. you need an allow rule for 10.10.110.0/24 to access 10.10.120.0/24 and the same in reverse on the other side.

You could debug requests on the sonicwall for traffic from 10.10.110.0/24 on the 10.10.120.0/24 side after the tunnel.
This will confirm traffic is making it through the tunnel. Then you can see whether the packet is dropped at the VLAN border.

You can then use Microsoft Network Monitor or Wireshark on one of the 10.10.120.0/24 systems, looking for packets from 10.10.110.0/24.
This way you can see whether a packet makes its way. You can look at the packet to see what IP is reflected as the source of this packet, which should be 10.10.110.x. You can then look at whether the system you are on responded.

This way you have to drill in one layer at a time.
LVL 31

Expert Comment

by:masnrock
ID: 39891213
You can leave Local IKE ID fields blank on both Sonicwalls. Also, could you show us the advanced tabs on each Sonicwall? Do you want users behind the remote Sonicwall to obtain IP addresses from the main Sonicwall? If so, you need to tweak DHCP over VPN settings.
LVL 5

Author Comment

by:CoSmismgr
ID: 39892413
Since you are using VLANs, do you have ACLs that define/restrict access?

Yes. I looked at the ACL switch and noticed routing statements for the 10.10.120.0/24 network pointing to an old test switch that is offline, so I changed the gateway to the LAN IP of the SonicWALL at A and that solved a lot of issues!

I then had to specify DNS servers in the DHCP scope on the sonicwall at A so hosts at A could resolve host names at HQ.

I can now access servers at HQ as I had hoped. Next I will test IP phones at A communicating with PBX controller at HQ over the VPN. Thank you for your help all, especially arnold!
LVL 79

Expert Comment

by:arnold
ID: 39892459
I do not believe you need to point the 10.10.120.0/24 to a gateway. That route should be added by the sonicwall when the VPN is established.

A static route will cause issues if you interconnect the various locations. You should look into QoS setup on your VPN: prioritization of SIP/VoIP data over other traffic.

http://www.experts-exchange.com/Networking/Telecommunications/IP_Telephony/VoIP/Q_28044049.html

While it does not provide an example, it indicates that you should look under the firewall configuration.

http://www.sonicwall.com/downloads/Configuring_VoIP_for_SonicOS_Enhanced.pdf