Help with Site to Site VPN

gosh1976 Member Posts: 441
I am trying to set up a site-to-site VPN connection and my knowledge is a bit limited. On one side there is a SonicWALL NSA 240. The DSL modem on this side is in bridged mode with the SonicWALL doing NAT & DHCP.

On the other side there is a ZyWALL 2 Plus. I don't even know if this will work the way that the network is set up on this side. The DSL modem is not in bridged mode and is doing NAT & DHCP with a 10.0.0.0/24 network. The DSL modem is doing port forwarding for ports 500, 4500 and 443. Then the ZyWALL is doing DHCP as well with a 172.16.17.0/24 subnet.

The keys match on both sides and phase 1 is set up with Main mode, 3DES encryption, SHA1 authentication, 28800 SA lifetime, DH1 key group. Phase 2 is using tunnel encapsulation mode, ESP active protocol, 3DES encryption, SHA1 authentication, 28800 lifetime; PFS is not enabled. NAT traversal is currently selected on both sides and I'm not sure if that is right; heck, I'm not even sure if it will work at all with the network set up like that.

Any tips will be greatly appreciated.

Comments

  • ajmatson Member Posts: 289
    If the SonicWALL is set up as the edge device (which it sounds like it is) then you just need to make sure the shared secret, proposals and networks match on both sides and the tunnel should come up.

    The SonicWALL only uses 500 and 4500 for VPN negotiation so those are the ports you need to forward. The SonicWALL logs are pretty good for troubleshooting so check them and see what errors they give under "VPN IKE" to see what they say.
    Working on currently:
    Masters Degree Information Security and Assurance (WGU) / Estimated 06/01/2016
    Next Up: CCNP Routing Exam | Certified Ethical Hacker Exam
    Cisco Lab: ASA 5506-X, GNS3, 1x 2801 Router, 1x 2650XM, 1x 3750-48TS-E switch, 2x 3550 EMI Switches and 1x 2950T switch.
    Juniper Lab: 1x SRX100H2, 1x J2320 (1GB Flash/1GB RAM, JunOS 11.4R7.5), and 4 JunOS Firefly vSRX Routers in VMWare ESXi 5.1
  • gosh1976 Member Posts: 441
    The SonicWALL logs show an IKE ID mismatch (local ID type: IP address; remote ID type: FQDN), but they are both set to IP for local and remote on both sides.
  • jibbajabba Member Posts: 4,317
    Make sure you have the correct proposals, zone and type configured.
    My own knowledge base made public: http://open902.com :p
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Sorry about the thread jack, but I have literally the same issue. Do any of you know what the unique identifier needs to be (one side of the tunnel is a Cisco router, the other is a SonicWALL NSA 3500)?
  • ajmatson Member Posts: 289
    The local and remote identifier can be anything you want as long as they match on both ends. By default on a SonicWALL they are the serial number.
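A small checker for what ajmatson describes in both answers (proposals and networks identical on both ends, local/remote identifiers cross-matching in type and value, and NAT traversal where a peer sits behind NAT), written as an added example that is not from this thread and not SonicWALL or ZyXEL code; the field names, peer settings and addresses below are constructed to mirror the setup in the original post and the "IKE ID mismatch" log line.

```python
from typing import Dict, List

# Constructed sample settings mirroring the thread: main mode, 3DES/SHA1,
# DH group 1, 28800 s lifetimes, NAT traversal on, ZyWALL behind a NATing
# modem, and the SonicWALL log line "local id type: IP address; remote id
# type: FQDN". Addresses are RFC 5737 documentation ranges (placeholders).
PHASE1 = {"mode": "main", "enc": "3des", "auth": "sha1", "dh": 1, "life": 28800}
PHASE2 = {"proto": "esp", "encap": "tunnel", "enc": "3des", "auth": "sha1",
          "life": 28800, "pfs": None}
SONICWALL = {
    "phase1": dict(PHASE1), "phase2": dict(PHASE2),
    "local_id": ("ip", "203.0.113.10"),       # what this peer sends as its ID
    "remote_id": ("fqdn", "zywall.example"),  # mismatch: expects FQDN, gets IP
    "local_net": "192.168.1.0/24", "remote_net": "172.16.17.0/24",
    "behind_nat": False, "nat_t": True,
}
ZYWALL = {
    "phase1": dict(PHASE1), "phase2": dict(PHASE2),
    "local_id": ("ip", "198.51.100.20"),
    "remote_id": ("ip", "203.0.113.10"),
    "local_net": "172.16.17.0/24", "remote_net": "192.168.1.0/24",
    "behind_nat": True, "nat_t": True,
}

def compare_peers(a: Dict, b: Dict) -> List[str]:
    """Return human-readable mismatches between two peers; [] means they agree."""
    problems: List[str] = []
    # Proposals must be identical on both ends, attribute by attribute.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase}.{key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    # Identifiers and networks are cross-checked: what one side calls itself
    # (type AND value) must be exactly what the other side expects from it.
    for mine, theirs, label in ((a, b, "A->B"), (b, a, "B->A")):
        if mine["local_id"] != theirs["remote_id"]:
            problems.append(f"IKE ID mismatch {label}: sends {mine['local_id']}, "
                            f"peer expects {theirs['remote_id']}")
        if mine["local_net"] != theirs["remote_net"]:
            problems.append(f"network mismatch {label}: {mine['local_net']} vs "
                            f"{theirs['remote_net']}")
    # A peer behind NAT needs NAT-T (UDP 4500) enabled on both ends.
    if (a["behind_nat"] or b["behind_nat"]) and not (a["nat_t"] and b["nat_t"]):
        problems.append("NAT traversal required but not enabled on both peers")
    return problems

def fixed_sonicwall() -> Dict:
    """SonicWALL config with the remote ID corrected to what the ZyWALL sends."""
    return {**SONICWALL, "remote_id": ZYWALL["local_id"]}
```

Running `compare_peers(SONICWALL, ZYWALL)` reports only the identifier mismatch, and the corrected SonicWALL config yields an empty list.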
  • gosh1976 Member Posts: 441
    Well, I'm not sure if it should have worked, but the double NAT was messing it up. As soon as I switched things up, took the ZyWALL out of it and set up the edge device to handle the VPN, everything worked a charm. This is the headache of networks inherited from other companies. I never would have set it up like that in the first place.