Site to Site VPN

Kevin Vaughn
We have two sites each with a SonicWall on the perimeter.

I have written out the site settings for each location.  In the document I have prepared they are referred to as Main Site and Remote Site.
Every now and then the VPN will stop working.  We go in and check it, change nothing, then check the other end, check and change nothing, then at some point it will start working again.
We could be down for as long as 30 minutes.  We are getting frustrated with SonicWall support as they cannot tell us what is causing this problem.

Would anyone be able to review our settings if I attach them to this question?
Is there an alternative to VPN?

HELP!

Kevin
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I assume SonicWall Support has verified your settings for proper operation.

Check in Advanced Settings that Keep Alive is ON. If not, the line can drop as is happening.

When the line drops, are the external connections to/from the ISP still working?  That is, is the drop because of (a) the SonicWall or (b) the ISP connection?
J Spoor, TME / Network Security Evangelist

Commented:
do you have the keepalive setting enabled?
if so, on one side or both? you're supposed to enable it on one side only.

I actually never use keepalive myself

Author

Commented:
Yes, SW has verified; I could attach them if you want to be sure.
Yes, KEEP ALIVE is enabled on one side only.

Yes when the VPN stops, everything else is up, we can remote into the server(s) and workstation(s).
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Try updating the firmware on both routers.

Author

Commented:
HERE is the file
Site-to-Site-VPN.docx
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
This is site to site.  "Aggressive" mode should be "Main" mode.

Also look at NAT Traversal. You probably do not need this for plain ISP Internet.
J Spoor, TME / Network Security Evangelist

Commented:
it's most likely the case that, due to lifetime expiry, one side breaks down the tunnel while the other side thinks it is still up.

Like I said, try disabling keepalive completely
Blue Street Tech, Last Knight
Distinguished Expert 2018
Commented:
Hi Kevin,

Configure your MTUs at both ends. I have written an article on how to do this & the reasons for doing so: https://www.experts-exchange.com/articles/12615/Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.html

Why are you using Aggressive Mode...do you have a dynamic IP at one of the locations?

Aggressive Mode is used when one site has a Permanent/Static Public IP & the other site has a Dynamic/Temporary Public IP address, whereas Main Mode is used where both sites' Public IPs are Permanent/Static. Use the one that applies to your scenario.

If Aggressive Mode is correct for you then the Local IKE IDs should be any string...you have IP addresses, which will work but could be confusing for others managing this since they have no bearing on the IPs themselves.

Enable Keep Alive should be checked (enabled) on the Static Public IP side. In fact if you realize you have static IPs on both ends and move to a Main Mode configuration you should enable Keep Alive on both ends of the tunnel. Keep Alive uses heartbeat messages between peers on the VPN tunnel. If one end of the tunnel fails, using Keep Alives will allow for the automatic renegotiation of the tunnel once both sides become available again without having to wait for the proposed Life Time to expire.

On a security note after you get the S2S VPN stable, I'd highly recommend modifying the tunnel's policy as such:
  1. Increase the DH Group to the highest allowed for the policy.
  2. Increase the security from 3DES to AES-256 for both Proposals.
  3. Increase the authentication from SHA1 to SHA512 for both Proposals (if possible).
  4. Enable Perfect Forward Secrecy for both Proposals.
  5. Remove management from the SA so that no one can manage the SonicWALLs from the VPN & if you have a solid use case for it then remove HTTP access. You should only be managing the SonicWALLs via HTTPS with an SSL Cert installed.

Let me know if you have any questions!
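The checks in the comment above (exchange mode chosen by static vs. dynamic public IPs, Keep Alive placement, DH group, 3DES/SHA1 in the proposals, PFS, and management over the SA or over HTTP) can be turned into a small policy linter. The script below is an added example, not from the original post and not SonicWall's API: the `VpnPolicy` dataclass, the field names, the `MIN_DH_GROUP` floor of 14 and the three sample policies are all constructed for illustration. The first sample mirrors the weak settings discussed in this thread; the other two are what a hardened static/static and static/dynamic tunnel would look like under the same rules.

```python
"""Audit an IPsec site-to-site VPN policy against a hardening checklist.

Constructed example: the policy model below is a simplification, not a
vendor configuration format. Adapt the field mapping to your firewall.
"""
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    name: str
    local_ip_static: bool     # this end has a static public IP
    peer_ip_static: bool      # remote end has a static public IP
    exchange_mode: str        # "main" or "aggressive"
    keepalive_local: bool     # Keep Alive enabled on this end
    keepalive_peer: bool      # Keep Alive enabled on the remote end
    dh_group: int             # IKE Diffie-Hellman group number
    proposals: tuple          # ((encryption, auth), ...) for Phase 1 and Phase 2
    pfs_enabled: bool         # Perfect Forward Secrecy
    management_over_vpn: bool  # management permitted on the SA
    http_management: bool     # plain HTTP management enabled


# Assumed thresholds for this example; raise them if your policy allows.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
MIN_DH_GROUP = 14  # 2048-bit MODP as a minimum floor (assumption)


def audit(p: VpnPolicy) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    both_static = p.local_ip_static and p.peer_ip_static

    # Exchange mode follows the public IP addressing, not the fact that it is S2S.
    if both_static and p.exchange_mode != "main":
        findings.append("mode: both public IPs are static, so Main mode should be used")
    if not both_static and p.exchange_mode != "aggressive":
        findings.append("mode: a dynamic public IP is present, so Aggressive mode is required")

    # Keep Alive: both ends for Main mode, the static side for Aggressive mode.
    if both_static and not (p.keepalive_local and p.keepalive_peer):
        findings.append("keepalive: enable Keep Alive on both ends of a Main mode tunnel")
    if not both_static:
        static_side = p.keepalive_local if p.local_ip_static else p.keepalive_peer
        if not static_side:
            findings.append("keepalive: enable Keep Alive on the static public IP side")

    if p.dh_group < MIN_DH_GROUP:
        findings.append(f"dh: group {p.dh_group} is below {MIN_DH_GROUP}; "
                        "raise it to the highest the policy allows")

    for i, (enc, auth) in enumerate(p.proposals, start=1):
        if enc.lower() in WEAK_CIPHERS:
            findings.append(f"proposal {i}: {enc} is weak; use AES-256")
        if auth.lower() in WEAK_HASHES:
            findings.append(f"proposal {i}: {auth} is weak; use SHA512 if available")

    if not p.pfs_enabled:
        findings.append("pfs: enable Perfect Forward Secrecy for both proposals")
    if p.management_over_vpn:
        findings.append("management: remove management from the SA")
    if p.http_management:
        findings.append("management: disable HTTP management; use HTTPS with a certificate")
    return findings


# Constructed sample policies (not taken from the author's document).
THREAD_LIKE = VpnPolicy("Main Site to Remote Site", True, True, "aggressive",
                        True, False, 2, (("3DES", "SHA1"), ("3DES", "SHA1")),
                        False, True, True)

HARDENED_STATIC = VpnPolicy("Main Site to Remote Site", True, True, "main",
                            True, True, 14, (("AES-256", "SHA512"), ("AES-256", "SHA512")),
                            True, False, False)

HARDENED_DYNAMIC_PEER = VpnPolicy("Main Site to Dynamic Remote", True, False, "aggressive",
                                  True, False, 14, (("AES-256", "SHA512"), ("AES-256", "SHA512")),
                                  True, False, False)

if __name__ == "__main__":
    for policy in (THREAD_LIKE, HARDENED_STATIC, HARDENED_DYNAMIC_PEER):
        print(f"== {policy.name} ==")
        for line in audit(policy) or ["no findings"]:
            print("  ", line)
```

Running it prints ten findings for the thread-like policy and none for the two hardened ones; the static/dynamic sample passes in Aggressive mode with Keep Alive only on the static side, which is the distinction the comment draws.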
Blue Street Tech, Last Knight
Distinguished Expert 2018

Commented:
Any update on this?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
The author was using Aggressive mode and should be using Main mode as I suggested in http:#a42247976 so I think points should be split.
Blue Street Tech, Last Knight
Distinguished Expert 2018

Commented:
Hi John,

I'm fine with a split, but for accuracy a S2S VPN doesn't dictate Aggressive or Main mode; rather, the public IP address on each end being static or dynamic does. If one is dynamic then Aggressive mode should be used; otherwise, if both are static, Main mode should be used. That is primarily why I didn't split points...it is inaccurate to say that all S2S VPNs should be Main or Aggressive.

Thoughts?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I suggest Best:  http:#a42248348  and Assisted:  http:#a42247976 based on Author's site-to-site document supplied.
Blue Street Tech, Last Knight
Distinguished Expert 2018

Commented:
There is no way for anyone here to determine if the IP addresses on either end of the VPN are static or dynamic since the OP has not provided this information, and without it no one can recommend a specific configuration set. For the record, a dynamic public IP address = Aggressive Mode and a static public IP address = Main Mode. There are no two ways about it!

So, for the integrity of info on EE so that future users are not misguided, I vote Best:  https:#a42248348.
