Setting up a Site-to-Site VPN is pretty simple in Sonicwall. Whether you have a dynamic IP connecting to a static IP, or two static IPs, it’s pretty simple to set up and you can have it up and running in no time. It’s as reliable as your internet connection and allows for quick failover to a backup IP address if one should go down. Here’s a quick write-up that will show you how to do it whether you have two static addresses or one static and one dynamic address. Two dynamic IPs might require you to use Dynamic DNS or some other tool that automatically updates your IP address with a DNS server to make it appear static. For this write-up, I am connecting a TZ100 router to an NSA240 router.

Quick Note: For a dynamic IP to static IP site-to-site configuration, use 0.0.0.0 as the “IPSec Primary Gateway Name or Address” on the static side, because obviously the dynamic address will change.

1. To start, on both Sonicwalls: log in to the Sonicwall, go to the VPN Settings page and write down the Unique Firewall ID of each one. Let’s call the routers Sonicwall1 and Sonicwall2 to keep things simple. For this write-up I’ve also kept it simple and used the Unique IDs 000000000001 and 000000000002, and IP addresses of 1.1.1.1 for Sonicwall1 and 2.2.2.2 for Sonicwall2, so that we know which one we’re talking about here. We will need the IDs in a little bit. By default I believe this is the MAC address of your Sonicwall. You might want to change this to something more secure. If not, then leave it as the MAC address.

2. Now on Sonicwall1 >> click VPN Settings again >> and click Add under VPN Policies.

3. Now we enter our information on the General tab.

a. For Authentication Method use “IKE using Preshared Secret”. For the name put whatever you want; I put ConnectionToSonicwall2.

b. Set the IPSec Primary Gateway Name or Address to that of Sonicwall2. If your Sonicwall2 has a dynamic address instead of a static address, then enter 0.0.0.0 as the IP address.

c. The IPSec Secondary Gateway is the backup route to your Sonicwall2. This would be used if you had two WAN connections on Sonicwall2. If one of them went down, it would automatically switch to the other line until the Primary becomes available again.

d. Enter your shared secret and then confirm it. This should be a pretty random set of numbers, letters, special characters, etc. Write it down for now, since you will need it when configuring Sonicwall2.

e. For the Local IKE ID: in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall1 (the one you’re currently on).

f. For the Peer IKE ID: in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall2. Here’s a screenshot:

4. On the Network tab:

a. Under Local Networks, choose local network from the list and select “LAN Subnets” if you would like the remote Sonicwall to access whatever is on your local network.

b. Under Destination Networks, click “Choose destination network from list” and add the Sonicwall2 network (2.2.2.0) by clicking “Create New Address Object” and entering the appropriate info. Here’s a screenshot of what I put for network 2:

5. On the Proposals tab, change the Exchange to “Aggressive Mode”, which is what lets the peer be identified by its Sonicwall Identifier rather than by its IP address (necessary for a dynamic-IP peer). Keep in mind that Aggressive Mode sends the IKE identities unencrypted and lets anyone who captures the exchange try to guess the preshared secret offline, which is why the secret in step 3d needs to be long and random. I changed the encryption to AES-256, although you can leave it at its default of 3DES. Everything else I left at the default. Here’s what it looks like:

6. On the “Advanced” tab I checked “Enable Keep Alive” and “Enable Windows Networking (NetBIOS) Broadcast” and left everything else at the default. Click OK when you’re done.

7. Now we go to Sonicwall2 and basically enter the same settings reversed. So log in to Sonicwall2, go to the VPN Settings page and click Add under VPN Policies.

8. Now we enter our information on the General tab.

a. For Authentication Method use “IKE using Preshared Secret”. For the name put whatever you want; I put ConnectionToSonicwall1.

b. Set the IPSec Primary Gateway Name or Address to that of Sonicwall1. If your Sonicwall1 has a dynamic address instead of a static address, then enter 0.0.0.0 as the IP address. My Sonicwall1 has a static address of 1.1.1.1, so I enter that here.

c. The IPSec Secondary Gateway is the backup route to your Sonicwall1. This would be used if you had two WAN connections on Sonicwall1. If one of them went down, it would automatically switch to the other line until the Primary becomes available again. So if I had a failover address on Sonicwall1 of 3.3.3.3, then I would enter it here.

d. Enter the shared secret that you entered when configuring Sonicwall1.

e. For the Local IKE ID: in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall2 (the one you’re currently on).

f. For the Peer IKE ID: in the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall1 that you copied earlier. Here’s a screenshot:

9. On the Network tab:

a. Under Local Networks, choose local network from the list and select “LAN Subnets” if you would like the remote Sonicwall to access whatever is on your local network.

b. Under Destination Networks, click “Choose destination network from list” and add the Sonicwall2 network (2.2.2.0) by clicking “Create New Address Object” and entering the appropriate info. Here’s a screenshot of what I put for network 2:

10. On the Proposals tab, change the Exchange to “Aggressive Mode”, and I changed the encryption to AES-256, although you can leave it at its default of 3DES. These must match what you set on Sonicwall1. Everything else I left at the default. Here’s what it looks like:

11. On the “Advanced” tab I checked “Enable Keep Alive” and “Enable Windows Networking (NetBIOS) Broadcast” and left everything else at the default. Click OK when you’re done.

That should be it. To see if it connected correctly, go back to the VPN Settings page and check the status. There will be a “green light” to the right of Gateway under VPN Policies. If it does not connect, then you may want to go to the Logs menu and, under the filter category, select VPN IKE to show only your VPN traffic. On both routers it will give you the reason it is not connecting, which can be cryptic. However, there is plenty of information on the errors you may receive if you Google them. Before pulling your hair out, go back and double-check your settings to make sure that they match in areas like IP address, preshared secrets, Sonicwall Identifiers, and the Proposals tab. Also make sure that “Enable VPN” is checked on the VPN Settings page, and make sure that “Enable” is checked on the VPN Settings page next to your VPN policy, or else it will not try to connect.
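As an added example (not from the original post, and not a SonicOS API), here is a small check that models the two mirrored policies from steps 3 through 11 and reports the mismatches the troubleshooting paragraph tells you to look for: a disabled policy, a gateway that is not the peer’s WAN address (or not 0.0.0.0 for a dynamic peer), swapped or wrong IKE IDs, differing secrets or proposals, and a destination network that is not the peer’s LAN. The field names are my own model of the tab settings, and the LAN subnets (1.1.1.0/24 and 2.2.2.0/24) are constructed placeholders following the write-up’s addressing scheme.

```python
# Added example, not part of the original post: consistency check for the
# two mirrored SonicWall site-to-site policies. Field names are a hypothetical
# model of the General/Network/Proposals tab settings, not a SonicOS API.
from dataclasses import dataclass


@dataclass
class VpnPolicy:
    name: str
    enabled: bool               # the "Enable" checkbox next to the policy
    wan_ip: str                 # this firewall's WAN address, or "dynamic"
    unique_id: str              # Unique Firewall ID, used as the Local IKE ID
    primary_gateway: str        # IPSec Primary Gateway Name or Address
    shared_secret: str
    peer_ike_id: str            # Peer IKE ID (peer's Unique Firewall ID)
    local_network: str          # Local Networks (LAN Subnets)
    destination_network: str    # Destination Networks
    exchange: str = "Aggressive Mode"
    encryption: str = "AES-256"


def expected_gateway(peer: VpnPolicy) -> str:
    """A static peer is addressed directly; a dynamic peer must be 0.0.0.0."""
    return "0.0.0.0" if peer.wan_ip == "dynamic" else peer.wan_ip


def check_pair(a: VpnPolicy, b: VpnPolicy) -> list[str]:
    """Return the mismatches that would keep the tunnel from coming up."""
    issues = []
    for side, peer in ((a, b), (b, a)):
        if not side.enabled:
            issues.append(f"{side.name}: policy not enabled")
        if side.primary_gateway != expected_gateway(peer):
            issues.append(f"{side.name}: primary gateway should be {expected_gateway(peer)}")
        if side.peer_ike_id != peer.unique_id:
            issues.append(f"{side.name}: peer IKE ID is not {peer.name}'s Unique Firewall ID")
        if side.destination_network != peer.local_network:
            issues.append(f"{side.name}: destination network is not {peer.name}'s LAN")
    if a.shared_secret != b.shared_secret:
        issues.append("shared secrets differ")
    if (a.exchange, a.encryption) != (b.exchange, b.encryption):
        issues.append("proposals differ")
    return issues


# Constructed sample values following the write-up (1.1.1.1 / 2.2.2.2, IDs ...01 / ...02).
SONICWALL1 = VpnPolicy("ConnectionToSonicwall2", True, "1.1.1.1", "000000000001",
                       "2.2.2.2", "Xk9#pL2v!qR7mZ4w", "000000000002", "1.1.1.0/24", "2.2.2.0/24")
SONICWALL2 = VpnPolicy("ConnectionToSonicwall1", True, "2.2.2.2", "000000000002",
                       "1.1.1.1", "Xk9#pL2v!qR7mZ4w", "000000000001", "2.2.2.0/24", "1.1.1.0/24")

if __name__ == "__main__":
    print(check_pair(SONICWALL1, SONICWALL2) or "policies match")
```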
