Sonicwall Site-To-Site VPN Setup


Setting up a Site-to-Site VPN is pretty simple in Sonicwall. Whether you have a dynamic IP connecting to a static IP, or two static IPs, it is pretty simple to set up and you can have it up and running in no time. It’s as reliable as your internet connection and allows for quick failover to a backup IP address if one should go down. Here’s a quick write-up that will show you how to do it whether you have two static addresses or one static and one dynamic address. Two dynamic IPs might require you to use Dynamic DNS or some other tool that automatically updates your IP address with a DNS server to make it appear static. For this write-up, I am connecting a TZ100 router to an NSA240 router.

Quick Note: For a dynamic IP to static IP site-to-site configuration, use 0.0.0.0 as the “IPSec Primary Gateway Name or Address” on the static side, because obviously the dynamic address will change.

1. To start on both Sonicwalls: Log in to the Sonicwall, go to the VPN Settings page and write down both of your Unique Firewall IDs. Let’s call the routers Sonicwall1 and Sonicwall2 to keep things simple. For this write-up I’ve also kept it simple and used Unique IDs of 000000000001 and 000000000002, and IP addresses of 1.1.1.1 for Sonicwall1 and 2.2.2.2 for Sonicwall2, so that we know which one we’re talking about. We will need the IDs in a little bit. By default I believe this is the MAC address of your Sonicwall. You might want to change this to something more secure; if not, leave it as the MAC address.

2. Now on Sonicwall1 >> Click VPN Settings again >> and click Add under VPN Policies.

3. Now enter the information on the General tab.

a. For auth. method use IKE using Preshared Secret. For the name put whatever you want, I put ConnectionToSonicwall2.

b. Set the IPSec Primary Gateway Name or Address to that of Sonicwall2. If your Sonicwall2 has a dynamic address instead of a static address, enter 0.0.0.0 as the IP address.

c. The IPSec Secondary Gateway is the backup route to your Sonicwall2. This applies if you have two WAN connections on Sonicwall2: if one of them goes down, the policy automatically switches to the other line until the primary becomes available again.

d. Enter your shared secret and then confirm it. This should be a pretty random set of numbers, letters, special characters, etc. Write it down for now, since you will need it when configuring Sonicwall2.

e. For the Local IKE ID: In the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall1 (the one you’re currently on).

f. For the Peer IKE ID: In the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall2. Here’s a screenshot:

4. On the Network tab:

a. Under Local Networks, select “Choose local network from list” and pick “LAN Subnets” if you would like the remote Sonicwall to reach whatever is on your local network.

b. Under Destination Networks, select “Choose destination network from list” and add the Sonicwall2 network (2.2.2.0) by clicking “Create New Address Object” and entering the appropriate info. Here’s a screenshot of what I put for network 2:

5. On the Proposals tab, change the Exchange to “Aggressive Mode”. I changed the encryption to AES-256, although you can leave it at its default of 3DES. Everything else I left at the default. Here’s what it looks like:

6. On the “Advanced” tab I checked “Enable Keep Alive” and “Enable Windows Networking (NetBIOS) Broadcast” and left everything else at the default. Click OK when you’re done.

7. Now we go to Sonicwall2 and basically enter the same settings reversed. Log in to Sonicwall2, go to the VPN Settings page and click Add under VPN Policies.

8. Now enter the information on the General tab.

a. For auth. method use IKE using Preshared Secret. For the name put whatever you want, I put ConnectionToSonicwall1.

b. Set the IPSec Primary Gateway Name or Address to that of Sonicwall1. If your Sonicwall1 has a dynamic address instead of a static address, enter 0.0.0.0 as the IP address. My Sonicwall1 has a static address of 1.1.1.1, so I enter that here.

c. The IPSec Secondary Gateway is the backup route to your Sonicwall1. This applies if you have two WAN connections on Sonicwall1: if one of them goes down, the policy automatically switches to the other line until the primary becomes available again. So if I had a failover address on Sonicwall1 of 3.3.3.3, I would enter it here.

d. Enter the shared secret that you entered when configuring Sonicwall1.

e. For the Local IKE ID: In the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall2 (the one you’re currently on).

f. For the Peer IKE ID: In the dropdown select “Sonicwall Identifier” and enter the Unique Firewall ID of Sonicwall1 that you copied earlier. Here’s a screenshot:

9. On the Network tab:

a. Under Local Networks, select “Choose local network from list” and pick “LAN Subnets” if you would like the remote Sonicwall to reach whatever is on your local network.

b. Under Destination Networks, select “Choose destination network from list” and add the Sonicwall1 network (the reverse of step 4b) by clicking “Create New Address Object” and entering the appropriate info. Here’s a screenshot of what I put for network 1:

10. On the Proposals tab, change the Exchange to “Aggressive Mode”. I changed the encryption to AES-256, although you can leave it at its default of 3DES. Everything else I left at the default. Here’s what it looks like:

11. On the “Advanced” tab I checked “Enable Keep Alive” and “Enable Windows Networking (NetBIOS) Broadcast” and left everything else at the default. Click OK when you’re done.

That should be it. To see if it connected correctly, go back to the VPN Settings page: there will be a green light to the right of Gateway under VPN Policies. If it does not connect, go to the Log menu and, under the filter category, select VPN IKE to show only your VPN traffic. Both routers will log the reason they are not connecting, which can be cryptic; however, there is plenty of information on the errors you may receive if you Google them. Before pulling your hair out, go back and double-check that the settings match on both sides: IP addresses, preshared secrets, Sonicwall Identifiers, and the Proposals tab. Also make sure that “Enable VPN” is checked on the VPN Settings page and that “Enable” is checked next to your VPN policy, or else it will not try to connect.
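The double-check above is mechanical, so here is an added example (not part of the original post) that encodes the mirroring rules from steps 3 through 10 and the Quick Note as a checker: each side’s Local IKE ID must be its own Unique Firewall ID, its Peer IKE ID the other side’s, its Primary Gateway the peer’s WAN address (0.0.0.0 when the peer is dynamic), its Destination Networks the peer’s Local Networks, and secrets and proposals identical. The LAN subnets, the shared secret and the `VpnPolicy` field names are constructed for the example; the addresses and IDs are the article’s placeholders.

```python
from dataclasses import dataclass, replace

@dataclass
class VpnPolicy:
    """One site-to-site policy as entered on the General, Network and Proposals tabs."""
    wan_ip: str             # this unit's own WAN address; "0.0.0.0" means dynamic
    unique_id: str          # this unit's Unique Firewall ID from the VPN Settings page
    primary_gateway: str    # IPSec Primary Gateway Name or Address
    shared_secret: str
    local_ike_id: str
    peer_ike_id: str
    local_networks: frozenset
    destination_networks: frozenset
    proposals: tuple        # (exchange mode, phase 1 encryption, phase 2 encryption)
    enabled: bool = True    # global "Enable VPN" box AND the policy's own Enable box

def check_mirror(a: VpnPolicy, b: VpnPolicy) -> list:
    """Return the mismatches between two policies that should mirror each other."""
    issues = []
    for name, me, peer in (("Sonicwall1", a, b), ("Sonicwall2", b, a)):
        if not me.enabled:
            issues.append(f"{name}: Enable VPN or the policy's Enable box is unchecked")
        if me.local_ike_id != me.unique_id:
            issues.append(f"{name}: Local IKE ID must be its own Unique Firewall ID")
        if me.peer_ike_id != peer.unique_id:
            issues.append(f"{name}: Peer IKE ID {me.peer_ike_id} is not the peer's ID {peer.unique_id}")
        # A dynamic peer cannot be named by address, so the static side must use 0.0.0.0.
        if me.primary_gateway != peer.wan_ip:
            issues.append(f"{name}: Primary Gateway {me.primary_gateway} should be {peer.wan_ip}")
        if me.destination_networks != peer.local_networks:
            issues.append(f"{name}: Destination Networks must equal the peer's Local Networks")
    if a.shared_secret != b.shared_secret:
        issues.append("Shared secrets differ")
    if a.proposals != b.proposals:
        issues.append("Proposals tabs differ (exchange mode or encryption)")
    if a.wan_ip == b.wan_ip == "0.0.0.0":
        issues.append("Both sides dynamic: neither can initiate; use Dynamic DNS on one side")
    return issues

# Constructed sample using the article's placeholder addresses and Unique Firewall IDs.
PROPOSALS = ("Aggressive Mode", "AES-256", "AES-256")
SW1 = VpnPolicy("1.1.1.1", "000000000001", "2.2.2.2", "Xk9#pL2$vQ7!", "000000000001",
                "000000000002", frozenset({"1.1.1.0/24"}), frozenset({"2.2.2.0/24"}), PROPOSALS)
SW2 = VpnPolicy("2.2.2.2", "000000000002", "1.1.1.1", "Xk9#pL2$vQ7!", "000000000002",
                "000000000001", frozenset({"2.2.2.0/24"}), frozenset({"1.1.1.0/24"}), PROPOSALS)
SW2_DYN = replace(SW2, wan_ip="0.0.0.0")               # Sonicwall2 moves to a dynamic address
SW1_FOR_DYN = replace(SW1, primary_gateway="0.0.0.0")  # the fix the Quick Note describes
SW2_BAD_ID = replace(SW2, peer_ike_id="000000000002")  # common slip: own ID entered as Peer IKE ID
```

`check_mirror(SW1, SW2)` returns an empty list, while `check_mirror(SW1, SW2_DYN)` reports that Sonicwall1 still points at 2.2.2.2 instead of 0.0.0.0.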


Android to Sonicwall VPN


I was having trouble setting up my Motorola Droid with my Sonicwall VPN. The reason I couldn’t connect is that Android (for some reason unbeknownst to me) uses DES instead of 3DES for Phase 2 of the IPSec negotiation. DES is far less secure than 3DES, but for the purposes of getting the Droid connected we’ll just ignore that fact. My setup is a Motorola Droid running Android 2.2.1 (FRG83D) and I am connecting to a Sonicwall NSA240 with firmware SonicOS Enhanced 5.1.1.1-18o. Here are some step-by-step instructions:

UPDATE 12/30/11: I have this working on my Sonicwall TZ100 Wireless-N router, with SonicOS Enhanced 5.6.0.11-61o and my Droid Bionic With Android 2.3.4. I’ve also added some additional instructions regarding setting up an L2TP Server that are necessary to get this to work.

1. On the Sonicwall, go to the VPN Settings page (make sure “Enable VPN” is checked) and then click on the Edit button for the WAN GroupVPN policy.

2. On the General tab, choose “IKE using Preshared Secret” and then enter your preshared secret.

3. On the Proposals tab make sure all your settings look like so:

4. On the advanced tab make sure your settings look like the following:

5. On the Client Tab make sure it looks like this:

6. Now, also under VPN, go to the L2TP Server page. Make sure that “Enable L2TP Server” is checked.

7. Click the “Configure” button and put in your DNS servers and the IP address range that you would like to use. UPDATE: Please see the update below (step 11) for additional info on this.

8. Next go to the “Users” menu, click on “Local Users” and click on “Add User”. On the User Settings tab, enter the username/password combination you want to use.

9. On the Group tab make sure you have the following. I think you can leave off Sonicwall Administrators and Limited Administrators, but I’m not sure, so for testing just leave them in; remove them later and see if you can still connect and browse the network.

10. On the VPN Access tab make sure you have “LAN Subnets” in the “Access List”, then click OK to finish.

UPDATE: 12/30/2011

11. Now that we have that done, we also need to set up L2TP. To do this, perform the following:

a. On the Sonicwall go to the VPN menu, then click on L2TP Server.

b. Click “Enable L2TP Server” and then click “Configure”.

c. The fields should look like this:

1. Keep Alive: 60

2. DNS Server 1 and 2: 208.67.222.222 (this is OpenDNS, but you can enter anything here)

3. WINS Server 1 and 2: not necessary unless you use them. Mine say 0.0.0.0

4. Click “Use the Local L2TP IP Pool”

5. For the Start IP and End IP, you need to enter a subnet other than the subnet that the Sonicwall is currently on. I actually put in a subnet that does not exist on my network. For instance, my network is 192.168.4.0, but I entered 192.168.5.101 as the start address and 192.168.5.110 as the end address. This has to do with L2TP needing to route traffic; I guess that’s why it cannot be on the same network.

6. User Group for L2TP users should be set to “Trusted Users” or whatever group you would like.
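The rule in step 5 (the pool must lie outside the subnet the Sonicwall is on) is easy to get wrong when typing addresses, so here is an added example, not from the original post, that validates a Start IP/End IP pair against every network the firewall already routes. It goes slightly beyond the post by also rejecting pools that overlap a site-to-site destination network and by reporting how many concurrent L2TP clients the pool can serve; the function name and return shape are my own, and the sample values are the article’s 192.168.4.0 LAN and 192.168.5.101-110 pool.

```python
import ipaddress

def check_l2tp_pool(start: str, end: str, routed_networks) -> dict:
    """Validate a Local L2TP IP Pool (Start IP .. End IP) against the networks the
    SonicWall already routes: its LAN subnets plus any site-to-site destinations.
    Returns {"ok": bool, "clients": int, "issues": [str, ...]}."""
    issues = []
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        return {"ok": False, "clients": 0, "issues": ["End IP is lower than Start IP"]}
    if not (first.is_private and last.is_private):
        issues.append("pool addresses should be private (RFC 1918)")
    # Break the inclusive range into CIDR blocks so overlap checks are exact.
    pool_blocks = list(ipaddress.summarize_address_range(first, last))
    for net in (ipaddress.ip_network(n, strict=False) for n in routed_networks):
        if any(net.overlaps(block) for block in pool_blocks):
            issues.append(f"pool overlaps already-routed network {net}")
    clients = int(last) - int(first) + 1   # one pool address per connected client
    return {"ok": not issues, "clients": clients, "issues": issues}

# Constructed from the article: the LAN is 192.168.4.0/24 and the pool is
# 192.168.5.101 .. 192.168.5.110, which is deliberately not a subnet that exists.
ARTICLE_LAN = ["192.168.4.0/24"]
```

`check_l2tp_pool("192.168.5.101", "192.168.5.110", ARTICLE_LAN)` reports a usable pool of 10 clients, whereas a pool carved out of 192.168.4.0/24 is flagged as overlapping the LAN.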

UPDATE: 12/30/2011

Now for the Droid Bionic setup:

1. Go to Settings, then Wireless & Networks, then VPN Setup.

2. Click “Basic VPN”, then click “Add VPN”.

3. Choose “Add L2TP/IPSec PSK VPN”.

4. Set all your parameters: VPN Name, Server and Pre-shared key. Do not check “Enable L2TP Secret”, and I did not put in any DNS Search Domains.

5. Click on the VPN name that you just created, and it should ask you for your credentials. That should be it.

Now for the OG Droid setup. I don’t have screenshots for this because you need to be rooted in order to take them:

1. Go to your applications menu, click on “Settings”, then click on “Wireless & Network Settings”, then “VPN Settings”.

2. Click “Add VPN”.

3. Choose “Add L2TP/IPSec PSK VPN”.

4. Click “VPN Name” and enter a name.

5. Click VPN and enter the URL that points to your Sonicwall device, or enter the IP address of your Sonicwall device. If you don’t know your IP address and are behind the Sonicwall, go to the settings tab and look at the WAN address. If you have a dynamic address, consider using a tool like Dynamic DNS, which will update your changing IP address by using a tool installed on a computer on the same subnet as your Sonicwall.

6. Click “Set IPSec pre-shared key” and enter the key that you entered in step 2 of the Sonicwall setup.

7. Leave the rest of the fields empty and save the VPN.

8. Now click on the VPN that you just set up, enter the password you entered in step 8 of the Sonicwall setup, and it should connect. If it doesn’t, look at the logs and see if they say anything. If you don’t see anything in the logs, double-check that you entered the correct IP address/URL in step 5 of the Droid setup. You can get back to edit the settings by long-pressing the VPN name.

What can you do now? To test whether it’s working, download a ping tool from the Android Market; I downloaded one called DNS and Ping. Then try to ping something on your network, like a printer or a computer without a firewall. Another thing I use this for is Remote Desktop and VNC. A really good client that I use is called Xtralogic Remote Desktop Client. It costs $18 or something like that, but the UX is great: it lets you use your finger as the mouse and your keyboard like a regular keyboard, and it has options for function keys and such. It is invaluable when you’re an admin and you get an emergency call with no computer. Here’s some more information on it: http://www.xtralogic.com/rdpclient.shtml

UPDATE 12/30/11: Obviously, now that I am on the Bionic I don’t have a keyboard. I will give some feedback on the Xtralogic program in the future when I install it.

There’s also a free VNC client out there that works pretty well, and there might be a few other free RDP clients or trials that you can use; I just haven’t looked at the Market in a while.

Another one, called PocketCloud, allows you to use a Google account and install a client on your computer to connect. This is OK for your home computer; I’m not sure how safe it is to use with servers. Enjoy.