Dell SonicWALL Site to Site VPN Tips and Tricks and Troubleshooting

  • Published 19 Oct 2024

COMMENTS • 124

  • @scottkolp5725 11 years ago

    Andrew, I have just started working for Dell SonicWALL as a level one engineer and I want you to know your videos have helped me out a lot!!!

  • @neodonkey 9 years ago +1

    This was very useful. I don't have any SonicWalls but in my new role I'm likely to come across customers who use them, so I've been playing around with various combinations of Cisco to X. This video has helped me understand the Sonicwall side so that if I'm troubleshooting a connection and they have Sonicwall I have a better idea what they're looking at and what they can try. Very clearly demonstrated and easy to follow, thanks.

  • @gaylenrussell9368 11 years ago

    I am new to all this and find your video outstanding. If I am not sure what you are saying I watch again..... until I get it. You are giving away great information, thank you. If I can't get a concept then I ask questions.

  • @fubarsnafu4994 10 years ago +1

    Thank you Andrew, these videos are priceless and have been a huge help getting me started with sonicwall. Can't begin to thank you enough, Awesome foundation to work from.

  • @AndrewCrouthamel 11 years ago

    Yeah a lot of people get confused on the IKE IDs. I'm glad I was able to help!

  • @eacintron 11 years ago

    We figured it out. My boss was unaware that you could not use a .0 network. I made the mistake of assuming that he knew that was common knowledge, until I got tired of pounding my head against the wall. Once I felt the pressure was too much, I simply started from the beginning, and within 2 minutes, found the error. Thanks!!!!

  • @AndrewCrouthamel 11 years ago

    Oh, that will work on either WAN, even if you are using it as "active/passive". It depends on what IP/WAN the remote side connects to. You could set a remote side to use the backup WAN as the primary IPsec gateway, and that will work fine. Both WANs are fully operable no matter what and can do port forwarding, etc. The LB/failover settings are basically just for outbound internet purposes.

  • @AndrewCrouthamel 11 years ago

    If you check the "Packet Trace" feature, it will allow you to capture/export a pcap for Wireshark. It also displays what interfaces traffic is being routed to, but doesn't really help when you have a site-to-site VPN. If you can create a tunnel interface/route-based VPN, then it would show properly in the trace and help with troubleshooting.

  • @AndrewCrouthamel 11 years ago

    Both sides static IP? Are you using IKEv1 (Main Mode/Aggressive) or IKEv2? The latter solves many headaches. Also make sure Dead Peer Detection is enabled, and possibly Keep Alive.

  • @lazsmith410 9 years ago +1

    Andrew - glad I found your channel, I've learned a lot.
    I have a main office with 2 WAN connections - 1 is a T1, the other is Comcast (static 5 IP).
    I need the T1 for VOIP.
    Right now Comcast is set up as a failover. Can I steer the site-site VPN connections through Comcast to avoid burning my limited T1 bandwidth? I've got 15 site-site connections going on here. When I try to point to the 2nd WAN IP, I get IKE remote party timeout errors.

    • @AndrewCrouthamel 9 years ago +1

      You certainly can, but the remote sites will also need to be modified to initiate to the Comcast IP of your choice. Otherwise, yeah you'll get negotiation errors.

  • @pramodkumarpada3302 11 years ago

    Andrew,
    I have watched most of your videos. They are very knowledge sharing. You are very good at explaining too. Earlier you have replied to a few of my problems.
    Now I have a serious problem again. In my TZ 200 sonic wall I have to "Renegotiate" my Site-to-Site connections every time it drops. It started a few weeks ago. Not sure why it's playing up. Once I restart it I can connect to all remote machine using RDP or to DB. Now please help me, People are always complaining.
    Pramod

  • @AndrewCrouthamel 11 years ago

    I would check the VPN config and re-test on the Juniper/other device. Additionally, run packet captures on both sides and have both sides try to access the other. That may give you a hint what side is misconfigured. It is quite possible the other side does not have return routes setup correctly or something like that.

  • @AndrewCrouthamel 11 years ago

    I'm not sure what you are referring to, but changes to the VPN will only affect the VPN.

  • @MikeShen11 11 years ago

    Good one, especially on the main mode / aggressive mode. That explained why I have to use peer ike ip like a rfc1918 address

  • @felixyoutuber 10 years ago +1

    Nice tutorial - I have gained new knowledge today! Thanks for this video. Do you have a tutorial for multi-sites as well? I now have 2 remote sites and 1 HQ but the remote sites could not talk to each other.

    • @AndrewCrouthamel 10 years ago +2

      Ahh, I should make one for that.
      What you want to do is on the Remote Site 1, make an Address Group that includes Network Address Objects (VPN) for both HQ and Remote Site 2. Then make that your remote network in the VPN config on Remote Site 1.
      Then for Remote Site 2, make an Address Group that includes Network Address Objects (VPN) for both HQ and Remote Site 1. Then make that your remote network in the VPN config on Remote Site 2.
      Finally at HQ, make two Address Groups. One for Remote Site 1 that includes Network Address Objects (VPN) for both HQ and Remote Site 2. And one for Remote Site 2, that includes Network Address Objects (VPN) for both HQ and Remote Site 1. Then apply the Remote Site 1 Address Group as the local network in the VPN config for Remote Site 1 and the Remote Site 2 Address Group as the local network in the VPN config for Remote Site 2.
      Basically what you are doing is allowing the other Remote Site subnet over the VPN tunnel. That will then allow for VPN hair pinning like you are asking for.

    • @felixyoutuber 10 years ago +1

      That works! You're the man I owe you big time ;) Thanks man!!

  • @AndrewCrouthamel 11 years ago

    Since you already have a tunnel, the easiest way is to add both subnets into an address object group, and set the group as the Local network in the VPN config. That will then present both subnets to them.

  • @AndrewCrouthamel 11 years ago

    You're making the change on both sides before checking if the tunnel is up? If it refuses to work even after disabling/re-enabling the tunnel.. try Main Mode with IKE IDs that are IP Addresses.

  • @AndrewCrouthamel 11 years ago

    Can you share with me the configs you have set for this VPN tunnel? Are you doing split-tunnel or tunnel all? A "route print" output from a client may help as well.

  • @georgejolliffe6333 11 years ago

    Thanks Andrew. I was referring to the local site. If I have 2 WANs can the sonicwall maintain a connection on both WANs simultaneously (GRE over ipsec?) or will it only be able to move the tunnel to another WAN in the event of WAN failure? Hope that makes sense.

  • @georgejolliffe6333 11 years ago

    Good to know. This is a Rackspace environment so I don't have direct control over the remote firewalls. I'm assuming their capability to allow our multiple WAN IPs to connect at this time but wanted to be sure of the sonicwall capabilities beforehand. I've seen the Draytek Vigor 3900 'VPN Trunking' which looks pretty handy (essentially Active/Active VPN) but this doesn't seem to be supported by many devices at this time.

  • @georgejolliffe6333 11 years ago

    Hey Andrew, another great video. Is there a guide for configuring VPN with load balancing and failover using multiple WANs?

  • @OscarCanizales 10 years ago +2

    Hello Andrew, I have a question here. I need to a one vpn but the remote location LAN, conflicts with another VPN remote LAN. I have tried to do a NAT on the advanced tab in the VPN policy but it is not working. I'm sure I'm doing something wrong.
    Advice on how to solve this??
    Where do I set their remote LAN in the NAT tab or in the network proposal? I'm kinda lost.

    • @AndrewCrouthamel 10 years ago +2

      That only works if it's a one way VPN with say one server to NAT. If you need more or less full availability both ways, you'll need to change subnets on one side.

  • @mistarecoil6926 9 years ago +1

    Hello, I'm wondering if I could toss out a lifeline, Andrew. Do you know anything about configuring Site-to-Site VPN between Windows Server 2008 R2 and Sonicwall? I know this is an old video but your videos have been a great help to me and I'm looking for a little guidance.

    • @AndrewCrouthamel 9 years ago +1

      Mista Recoil No sorry, I pretty much stick to hardware for VPN. I'm not sure Windows has the option to do a site-to-site IKE tunnel, I thought it was only remote access L2TP/PPTP.

  • @AndrewCrouthamel 11 years ago

    Thank you, I'm glad they are helpful. Let me know if you need any help.

  • @DKDK-ow2hk 7 years ago

    Hey Andrew, great video!
    Is there any way to setup email alerts in case VPN tunnel drops?
    TIA

  • @AndrewCrouthamel 11 years ago

    You can! Just make sure the IKE ID is set to "Firewall Identifier" on both sides and choose a name for each firewall to use, otherwise using IP as the IKE ID will just frustrate you during diagnostics.

  • @AndrewCrouthamel 11 years ago

    See KB article 7486 on the SonicWALL Fuzeqna support site. Step 3 at the bottom goes over the steps for object groups.

  • @AndrewCrouthamel 11 years ago

    Great to hear! I'm glad they help!

  • @AndrewCrouthamel 11 years ago

    I would connect the VPN/WAN to X1 and the Metrolan to X2, or your favorite interfaces... and use probing on the routes to remove them from your table when they go down. With that method though, you will want to make a Tunnel Interface/route-based VPN which I don't think I've made a video for yet.

  • @danielschindler707 5 years ago

    One question if you don't mind Andrew. When setting up the tunnel we are using the IP address in the proposal so local address of firewall 1 and remote address of firewall 2 then obviously we have firewall 2 swapping round so its local will be remote of firewall 1. I get the principle but if we're using non-routable addresses, does this mean the ISP will be responsible for setting some sort of connection so the firewalls have line of sight of each other?? Apologies for the waffle, hope that makes sense.
    Regards
    Daniel

  • @AndrewCrouthamel 11 years ago

    On the remote side, you just need to add the two IPs of your WANs as the IPsec Primary/Secondary Gateways in the VPN config.

  • @srdricks468 4 years ago

    Not sure if you are still responding but can I use aggressive mode with a DHCP relay over a site to site VPN? I can’t bridge mode my modem and have a private ip on my sonicwall. And as I understand it, I have to use IKE-1 with DHCP relay over s2s VPN.

  • @AndrewCrouthamel 11 years ago

    I only worded it that way since your comment also started off on the wrong foot with the "Assumptions galore..." part.

  • @AndrewCrouthamel 11 years ago

    Yes, a group can contain any two or more objects of any kind.

  • @AndrewCrouthamel 11 years ago

    I explain everything as I go along and have received a lot of feedback stating so... could you be more specific as to what I skipped?

  • @pramodkumarpada3302 11 years ago

    Thanks Andrew for replying.
    So do you mean to use IKEv2 and not IKEv1?
    I didn't quite get you. Also I couldn't find Dead Peer Detection Option in the VPN Settings.
    Thanks for replying..

  • @AndrewCrouthamel 11 years ago

    I'm glad it was helpful!

  • @marksilka4381 9 years ago +1

    We have a Site to Site VPN setup between a Sonicwall TZ205 and a Cisco ASA.
    Is it possible to setup a Network Monitor to probe the network inside of the VPN tunnel?
    I have seen examples but they are using a Tunnel Interface method and not Site to Site.
    Thank you

    • @AndrewCrouthamel 9 years ago +1

      Mark Silka I think you can but you'll need to do Tunnel Interface like you saw.

  • @pramodkumarpada3302 11 years ago

    Yes they are both ends Static IPs.
    I found Dead Peer Detection & enabled for Idle VPN sessions with an Interval 600 seconds.
    Also If I choose IKEv2 Exchange mode do I need to change any other settings for connectivity.
    Thanks
    Vinod

  • @atherakhlaq1656 10 years ago +1

    Hello Andrew, we would like to install Sonicwall at 4 locations in our organization. We would like to establish VPN among all 4 devices, but would like to route the packets through the Head Office. How will I configure the same. Please help me out. We have decided purchased NSA3500 for Head office and for other locations NSA2400.

    • @AndrewCrouthamel 10 years ago +2

      I've had several questions about this recently, I'm going to make a video. What you are looking for is "VPN hairpinning". What you want to do, is create an Address Group at the Head Office which contains Network Objects (VPN zone) of each remote office. Make that your source network for each tunnel to the remote offices. Then on the remote offices, make their destination network an Address Group that contains Address Objects (VPN zone) of each other remote office plus the Head Office. So each remote office will have a slightly different Address Group, as they will have all the other networks, minus their own.

    • @atherakhlaq1656 10 years ago +1

      ***** Thanks for your prompt reply. Waiting for the video please.
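
The address-group layout from the two hairpinning replies above (the two-remote-site case and the four-location case), worked through as an added example that is not part of the original comments or any SonicWALL tooling. It follows the per-tunnel layout of the earlier reply; the site names, subnets and function names are constructed assumptions, and the model works on site names only rather than on firewall configuration.

```python
"""Address-group plan for hub-and-spoke VPN hairpinning (added example)."""
from ipaddress import ip_network
from itertools import combinations

# Constructed addressing plan; names and subnets are assumptions, not from the page.
SITES = {
    "HQ": "10.0.0.0/24",
    "Remote1": "10.0.1.0/24",
    "Remote2": "10.0.2.0/24",
    "Remote3": "10.0.3.0/24",
}
HUB = "HQ"


def find_overlaps(sites):
    """Return sorted pairs of site names whose subnets overlap."""
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def plan_tunnels(sites, hub, hairpin=True):
    """Return {spoke: {"spoke_policy": ..., "hub_policy": ...}}.

    hairpin=True:  spoke remote / hub local = hub plus every other spoke.
    hairpin=False: ordinary site-to-site, only the hub LAN on the far side.
    """
    if hub not in sites:
        raise ValueError(f"unknown hub {hub!r}")
    overlaps = find_overlaps(sites)
    if overlaps:
        # Overlapping LANs cannot both be presented over the tunnels.
        raise ValueError(f"overlapping subnets, renumber one side: {overlaps}")
    plan = {}
    for spoke in sorted(sites):
        if spoke == hub:
            continue
        far_side = sorted(n for n in sites if n != spoke) if hairpin else [hub]
        plan[spoke] = {
            # Each side's local network is the other side's remote network.
            "spoke_policy": {"local": [spoke], "remote": far_side},
            "hub_policy": {"local": far_side, "remote": [spoke]},
        }
    return plan


def can_reach(plan, hub, src, dst):
    """True if src -> dst traffic matches the policy of every tunnel it crosses."""
    legs = []
    if src != hub:  # first leg: out of the source spoke towards the hub
        policy = plan[src]["spoke_policy"]
        legs.append(src in policy["local"] and dst in policy["remote"])
    if dst != hub:  # second leg: from the hub into the destination spoke
        policy = plan[dst]["hub_policy"]
        legs.append(src in policy["local"] and dst in policy["remote"])
    return all(legs)


if __name__ == "__main__":
    for label, hairpin in (("plain site-to-site", False), ("hairpin", True)):
        plan = plan_tunnels(SITES, HUB, hairpin=hairpin)
        print(f"== {label} ==")
        for spoke, tunnel in plan.items():
            remote = ", ".join(f"{n} ({SITES[n]})"
                               for n in tunnel["spoke_policy"]["remote"])
            print(f"{spoke}: remote network group = {remote}")
        print("Remote1 -> Remote2 reachable:",
              can_reach(plan, HUB, "Remote1", "Remote2"))
```

The address groups only decide which traffic enters each tunnel; the access rules on each firewall still decide which hosts and services the other sites can actually reach.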

  • @uwezink 6 years ago

    Thanks, good to know info ...

  • @chasemcintyre8594 11 years ago

    Andrew, how would you recommend a setup for a Metrolan connection to a sonicwall and a back up VPN path?

  • @arisonmercado7183 10 years ago +1

    Is there any possible way you can explain how to do VPN Loopback known as a "Hairpin connection"? Basically what I would like to do is have someone on my Public WiFi (completely separate from our network) and allow them to VPN into the network and only to gain access to our network. The reason for this is because we do not have WiFi in our internal network and he will need to run some tests all around the building and he needs WiFi for mobility.

    • @AndrewCrouthamel 10 years ago +1

      Sounds like you want something different actually. You can turn on SSLVPN on the WLAN (or other zone) and allow people to VPN into the LAN like that.

  • @RABWA333 7 years ago

    In the office I have a local server connected to the internet using a router, everything plugged into a switch.
    I have plugged the SOHO sonicwall into the switch. Things went messy.
    Do I have to change my local network address to 192.168.168.x? (it's the default of SOHO)
    From home I want to connect to SOHO in the office and from SOHO I want to connect to a remote server in another site, do you have any documentation for this scenario?

  • @AndrewCrouthamel 11 years ago

    No, you can switch to IKEv2 without changing anything else, it's just the phase 1 that changes due to that. I would certainly get off Aggressive Mode.

  • @jcspark1 11 years ago

    We are not using VPN config in sonicwall. We are NATing internal IP to public NAT IP and then routing it to the VPN device.
    The NAT is set up and we can ping the VPN gateway but traffic isn't being routed to the VPN device so it's something in sonicwall I think. Is there a way to trace traffic between LAN to VPN device on the network?

  • @pramodkumarpada3302 11 years ago

    Hello Andrew
    The Site-Site VPN Disconnections seem to be working alright now.
    Thanks always for your prompt replies.
    Each time I used to click on the ">" (Play Symbol) under VPN Policies Section as well as Current Active VPN Tunnels.
    And then there is a drop the VPN connections fail so I had to "re-negotiate" each time.
    I think by Default the "ll" Pause symbol should be selected.
    Now the connections fine.
    Thanks

  • @markharrisse8190 8 years ago

    I'm finding it forces ALL traffic through the site-to-site tunnel and a rule that says "send only 80/443 through VPN" is lower in priority than the send ANY rule. Or I could also use a way to NOT send a particular service through the tunnel, in other words, "send all except port X"

  • @jcspark1 11 years ago

    Andrew,
    We have a preconfigured juniper device with our public IP address connected to our network. With it, we've established site to site VPN tunnel. However, we are not able to ping any of the servers behind the customer's main gateway. After monitoring the packet, we've determined, the traffic is not going through the VPN device. We've set up the route policy to route any traffic to IP range (servers behind customer firewall) to be routed to the VPN device but it isn't being routed. Help?

  • @marcburling5824 10 years ago +1

    Hi Andrew we have a Sonic wall 3060 and I am trying to create a VPN to a newer Sonicwall that is running newer advanced software that has the ability to use IKE authentication using firewall identifier which my version does not have. I get IKE Responder does not match and also "peers local network does not match VPN policy" we have several already running but this connection just will to work. Is it due to our (host) older software version. I wanted to try Aggressive per your video but my end does not have the ability to use firewall identifier thanks for any suggestions

    • @AndrewCrouthamel 10 years ago +1

      Honestly it sounds like a config problem like it says. I would need screenshots and network info to really help diagnose, but the local/remote address objects you are using for the VPN policy apparently are not matching up.

    • @marcburling5824 10 years ago +1

      I was able to get it up by having the remote user change their subnet mask from 255.255.255.255 to 255.255.255.0. Now I need to point 192.168.100.86 to 192.168.1.33 on the remote end. Can I do this using NAT?? For some reason we can not get 192.168.1.33 to initiate a successful VPN connection so we are using the .100.86 and want to point it to .1.33 thanks

    • @AndrewCrouthamel 10 years ago +1

      Marc Burling Again, I'm going to need a lot more information on how the network and VPN policy is setup on both sides to be able to help.

  • @smartinvestor9348 9 years ago +1

    Hi Andrew, how many site to site VPNs can you create? I have 2 sites for a client. He wants to add of his home sites. So we are talking about site to site for 4 sites. Is it possible?

    • @AndrewCrouthamel 9 years ago +1

      +Smart Investor It depends on the model you have and the licensing you have. Can you check under System > Licenses?

    • @smartinvestor9348 9 years ago +1

      ***** thanks Andrew. We are planning to get Sonicwall TZ 400. I believe it should be able to handle it.

  • @chrisalister2297 8 years ago

    So if there are variances in the exchanges and how that works with Local & Peer IKE IDs.... why is it not controlled in the user interface as being a possible mis-configuration?

  • @JordanFilbrun 9 years ago

    I have a site to site VPN where the tunnel is up but traffic does not pass. It used to work and now I cannot figure out why it doesn't. Both sites have static WANs and are on main mode. I have tried IKEv2 and aggressive and multiple other ways and it won't pass traffic. No firewalls are blocking traffic.

  • @brunodavik 4 years ago

    I'm trying to connect to my work through a Sonic Wall VPN desktop client and I'm not even passing through phase 1. I got the error "the peer is not responding to phase 1 isakmp requests". What can I do? Any suggestions?

  • @AndrewCrouthamel 11 years ago

    Yeah agreed, sorry for the bickering. If you would still like to check up on my channel in the future, I will be continuing SonicWALL related videos. If you have any requests, please let me know and I'll do my best to help.

  • @utahtn9623 11 years ago

    Hey Andrew, do you or any of your friends know how to configure a sv8100 Nec VoIP phone system over a SonicWall VPN using Enhanced OS?

  • @markpartridge9046 10 years ago +1

    Hi Andrew great vids but was wondering if you had any advice for this problem I am experiencing with an Azure site-to-site vpn to a Sonicfirewall TZ 210.
    I have created the VPN (Route based policy, IKEv2) on the TZ 210 and it connects and works. The only problem is after a period of time the VPN disconnects. I have timed this and it seems like it is every 7hrs or around 420min but does vary from time to time.. I then under the VPN Policy have to uncheck the "enable" check box and then check it again and the VPN comes up again. I have also noticed that when I first connect the VPN there is only one connection under "Currently Active VPN Tunnels" but when the VPN disconnects there are two of the same connections under "Currently Active VPN Tunnels". The firmware is up to date. SonicOS Enhanced 5.8.1.14-68o. Any suggestions would be greatly appreciated.

    • @AndrewCrouthamel 10 years ago +1

      I've seen that ghost active tunnel before when a tunnel times out. I'm not familiar with the Azure connection, but is it using PFS? Can you change the re-key time period? I've seen this kind of thing happen with Cisco VPNs where there is a data re-key limit as well.

    • @markpartridge9046 10 years ago +1

      Hi thanks for the reply according to some information it does use pfs. What is the re-key time period?

    • @AndrewCrouthamel 10 years ago +1

      Mark Partridge It may be PFS then getting goofy. The re-key will be the Life Time number of seconds you see in the config. Such as 86400 or so.

    • @markpartridge9046 10 years ago +1

      I will check the logs for any pfs info and will revert back thanks once again.

  • @AndrewCrouthamel 11 years ago

    Yup

  • @pramodkumarpada3302 11 years ago

    I have a Sonic Wall in India Office & ASA in US. This connection was stable since 1 1/2 yrs, suddenly not sure why the connection is disconnecting & no change has taken place recently. Each time I will have to click on re-negotiate from VPN section in the web interface of Sonic wall TZ 200. Then it starts working fine for about 8 hours and again drops. But at times it continuously works 2 days without any disconnections.
    Can you suggest me any settings where I can check and avoid the issue

  • @sephirothfemto 9 years ago +1

    I have a question and I can't find the answer anywhere.
    Sonicwall firewall, 2 ISP connections (Failover configured), need to have redundant Site 2 Site connection to other office. How do I do that?
    If I try to configure this, I always get the error "network overlaps". Network which overlaps is destination network. Can't find the way to do this? Is it even possible?

    • @AndrewCrouthamel 9 years ago +1

      sephirothfemto You want to add the second WAN IP to the original VPN config. "IPsec Secondary Gateway Name or Address:"

  • @kengcrook 8 years ago +1

    What is the trick to allow a GlobalVPN client on the Lan, to connect to the WAN side to test the client configuration before sending user home. The LAN>WAN any doesn't allow the connection.

    • @AndrewCrouthamel 8 years ago +1

      +Ken Crook You can't unfortunately, as it creates a crypto overlap. You can connect to the internal/LAN IP of the SonicWALL to make sure the authentication works, but that's it.

  • @pramodkumarpada3302 11 years ago

    Hello Andrew,
    Can you please help me with site-to-site vpn frequent drops. Not sure why it is causing an issue.
    regards
    Pramod

  • @gkpawar786 7 years ago

    thanks sir

  • @jorgebestard61 8 years ago

    help plz when trying to connect to my xfinity Internet to my ps4 it says ssl error 0x00000000 failure when receiving data from peer?

  • @mikedaniels755 9 years ago +1

    Hey Andrew, can I contact you via PM. I have an issue. I followed all your instructions for site to site. I got it up and running. Then I got multiple IPs at one location and things are starting to fail. However I am not sure about NAT policies and firewall rules to use. Please if you can assist it would be very appreciated.

    • @AndrewCrouthamel 9 years ago +1

      You can certainly message me through UA-cam here, or Google+, or LinkedIn, whatever works for you. Screenshots always help when you do.

  • @eacintron 11 years ago

    I have a tunnel established, but I do not have internet. I am using Aggressive mode as I have with my other offices, and I can see on my end that I have the VPN established, but the site is not getting internet.

  • @naseemabbas9302 7 years ago

    HI.. I HAVE A SONICWALL TC215 WITH ME. I CONFIGURED THE SONICWALL FOR GLOBAL VPN.. BUT IT IS NOT CONNECTING & IT IS SAYING IN LOGS "THE PEER is not responding to phase 1 isakmp".. TRIED MANY SUGGESTIONS.. BUT NOT YET SUCCEEDED.. SOMEONE HELP ME PLZ

  • @RoBbYXFactor 9 years ago +1

    I have a site to site VPN created for VoIP (X2 interface) and I also need one for the LAN (X0 Interface) to communicate but when I try to create it says peer gateway already in use it will overwrite policy. Is there a way to create two site to site VPNs for separate interfaces?

    • @AndrewCrouthamel 9 years ago +1

      ***** No sorry, you'll need to do that with routing/firewall rules inside the SonicWALL.

    • @RoBbYXFactor 9 years ago +1

      Actually I found that creating an address object group containing the subnet for each interface, one for the local interfaces and one for the remote interfaces, and applying them to the site to site VPN, I could create the VPN for my VoIP and LAN interface without a problem. But thanks for your quick response and your easy to understand and informative videos. I am now a subscriber.

    • @RoBbYXFactor 9 years ago +1

      Also I found out that if you're dealing with a wireless sonicwall and you have the WLAN interface bridged to the LAN interface and you create a site to site VPN, even though your wireless network and your LAN are sharing the same subnet you will not be able to communicate with devices at the other site wirelessly without first creating any any access rules for the WLAN to VPN on both sides, because by default sonicwall blocks all traffic from the WLAN to the VPN. Just a heads up but I'm sure you knew that but for you watchers out there I hope this prevents a headache.

    • @KK14all 9 years ago +1

      ***** Thank you for the heads up. I just finished configuring A Sonic Wall TZ 205W for a client and I noticed that even though I had the wireless bridged to the LAN and an access rule from the WLAN to LAN auto added because of the bridge, users were having difficulty accessing remote VPN destinations. I had to create 2 access rules one for VPN access to WLAN and the other for WLAN to VPN. Your comment actually gave me the idea so once again thank you.

    • @RoBbYXFactor 9 years ago

      Kolawole Oladapo Hey man no problem at all, I know how it is trust me. Us SonicWALL guys need to stick together. If you have any questions don't hesitate to ask.

  • @AndrewCrouthamel 11 years ago

    I'm sorry, but you are mistaken and are watching the wrong video if you want a basic configuration video. This video is titled "Tips and Tricks and Troubleshooting", so I do not go into all the details of a basic VPN setup in this video. Please see my other videos that *do* go into details about the basics of configuration, such as "Dell SonicWALL Basic VPN Configuration" at watch?v=bBoAZugL4kA. I also have one about locking down the VPN at watch?v=9EjE482HhQs.

  • @owaisbehlim4084 7 years ago

    Plz help I'm facing problem in site to site vpn everything is fine from branch office I can access head office but from head office I can access branch office and I can ping branch office SonicWALL device but I can't access or ping branch office LAN from head office lan and from to head office SonicWALL device as well please guide me

  • @agad7792 6 years ago

    I would like you to help to configure Site to site VPN using sonic firewall

  • @neodavidshepherd 11 years ago

    One on site to site for ABSOLUTE NOOBS would be cool someday. It's shocking how much info is in a mouse click. I configured both sides best I knew how according to your 'basic' version, but either missed something, or don't know how to activate other than enable... it's always some dumb little thing that 'if it can be mucked up, a noob WILL MANAGE IT' (smile). I 'think' you'll be surprised how many of us there are. Most are afraid to talk for sounding stupid. I'm happy to, need to, to get info!

  • @AndrewCrouthamel 11 years ago

    Ignore my last part about tunnel interfaces and such. The packet trace feature should do what you want and at least tell you if it is routing to the correct interface.

  • @michaelperugini4199 4 years ago

    does not work with two identical tz350 site to site , in a lab - on same network switch.

  • @michaelperugini4199 4 years ago

    OK, but now how to get a PC that is connected to LAN X0 to get out to the internet on X1 once you DHCP X1 WAN interface????? but HOW?? How do you get the IP from the ISP modem to the firewall? I have a NSA 4600 at the main office, trying to build a site to site connection but first I cannot even get remote users PC on internet, I have a user in a different state, who has a TZ350, PC connected to TZ, TZ is connected to ATT modem, with public IP of 75.7.x.x (firewall on modem turned off) modem pools out DHCP of 192.168.1.82 to X1 on firewall but I cannot get internet from her PC if plugged into X0.
    X1 is WAN as DHCP from MODEM as 192.168.1.82, X0 is configured with static ip 172.23.x.10, PC connected to X0 gets a DHCP IP as 172.23.x.23. Firewall access rule LAN > WAN (any any any allow). PC cannot ping or access internet, however if I move PC directly to ATT modem, gets internet just fine, so it's SONICWALL not allowing me to get out from LAN to WAN nor can I get the site to site VPN connected.

  • @pramodkumarpada3302 11 years ago

    I have tried IKEv2 but the VPN connections (GREEN colored button) disappear.
    They are working fine in Aggressive mode.

  • @AndrewCrouthamel 11 years ago

    If you'd like, you can submit a question on Experts Exchange with screenshots of your configs, and I'd be glad to look them over to help.

  • @pramodkumarpada3302 11 years ago

    Currently I am using Aggressive Mode.

  • @neodavidshepherd 11 years ago

    Assumptions galore, my friend... if you can't see that, then you can't help newbs is all. The first part of the video you put in 8.8.8.8, which is like google's DNS, and don't simply explain 'okay, this could be your public static IP on this side of the VPN' (which I assume, but don't know, because I'm a sonicwall vpn newb). It's fine, but useless to me, who needs a step by step explanation rather than "I'll fill in a bunch of stuff here", and then type away. I'll just find another video, np man

  • @agad7792 6 years ago

    hi

  • @AndrewCrouthamel 11 years ago

    Check my other comment to you, let me know.

  • @neodavidshepherd 11 years ago

    You fill in a lot of stuff without explanations dude... For those new to sonicwall it's not all that obvious. Just a little talking would help!

  • @neodavidshepherd 11 years ago

    Hmm... well, if IT'S NOT FOR NEWBS THEN THERE ARE. (grin). Gee whiz guy... whatever, it's all fine, but text sucks and you have to assume the best. I meant ZERO harm, except to give feedback. I'm a FREAKING NEWB here.. do you get that now? (ha ha ha...) Man, just be nice. You want feedback, you gotta be nice. 8.8.8.8 was confusing. It's a known DNS, I wasn't wrong. nya nya... (ha ha ha... laugh with me man). Let's drop it, we have work to do!

  • @neodavidshepherd 11 years ago

    If you wanted to be nice and a bro, you could say "Oh, right, yeah, this video isn't for newbs, go to this other one friend". Otherwise, you come off as kinda jerky with the whole 'you are mistaken' attitude. I'll avoid you man, sorry to bother you.