Site to Site VPN via two Sonicwall firewalls – With DHCP over VPN

Configuring the router

The Beagle - Technology for SMB's
Is it for the license expiry or any other reason? And when would you use one over the other? So I had to go on the FortiGate and create separate phase 2 SAs for each additional subnet. I will go ahead and check my settings again. We tried to add the Azure network as a local destination on the Azure VPN on the main site; that does not work.

Specifying authorized VPN users

How Do I... Configure SonicWALL VPN Connections?

From the master site I can ping the gateway of the remote site. This sounds like a misconfiguration on the Sacramento side. NAS could also be the same thing. The tunnels themselves are fine, so it is a routing issue, the gateway thing, or a local firewall issue. I factory reset the Sacramento side and walked through it again.

Works now without a problem. I must have missed something originally. Great to hear it all works! Thanks for touching base, appreciated! I am new to SonicWall, and I followed this procedure exactly on both devices. I do have a question though. We are moving to a location where there is no viable data center space so I am moving my servers to a colocation data center.

My plan is to use site to site vpn between the office and the data center. I have a Sonicwall Pro that will go on the data center side and a Sonicwall Pro that will go on the office side. If all your nets are on the same IF you can clearly define what segments lie behind one gateway say the then you might be able to get away with the simple config methodology.

You might have to do some testing and tuning. Thank you for the reply. I guess I should have said that the current subnet is I can easily change the scope to a different subnet, say We have two separate internet connections so I tested the site to site tunnel and got it to work using your instructions.

I used a laptop with a static IP of I did have one question on the setup though. Does this make sense? OK, if you got the tunnel up AND each side of the tunnel knows about the networks on the other side of the tunnel then you are over the first hurdle.

And, if you can reach servers or devices over the tunnel via IP address then you know your routing is working. So, it looks like it is a question of tuning some settings. Also, when you tested with the laptop, where was it pointing for its DNS?

Did you point at a server on the main side? Finally, in answer to your last question, yes, objects on firewall A that refer to something on the remote side of a VPN tunnel on firewall B should always be VPN objects. That ensures the object is attached to the correct zone and has proper security wrapped around it. You are a genius! I changed the DNS settings and voila!

My logon script runs, I get my mapped drives and printers and can browse the network. There is one more nagging little issue though. Is the laptop getting DNS correctly? In other words, if you do an nslookup from the laptop for an external site, does the DNS server give the IP address? Finally, make sure the network settings on the X1 port on the remote Sonicwall are correct and the laptop has the correct gateway IP configured.

Then the default routing config on the remote Sonicwall should then handle the access from the laptop to the Internet. Yes, it appears the laptop is getting DNS correctly. I checked the gateway on the laptop and it is pointing to the remote Sonicwall.

I checked the gateway on the Sonicwall and it is pointing to the correct IP. This seems correct, no? So it seems that everything is set correctly, yet I am still unable to browse the internet. Any other gotchas you can think of? What do diags on the firewall give you? Can it ping its gateway and its DNS sites? And, stupid question: is the firewall showing as being properly licensed? If it is not licensed there may be an impact on traffic. Finally, have you restarted the remote side's modem and then the firewall?

Sometimes that seems to sort everything out. Once you KNOW things are working you can start to cut in the security services. Anyway, all looks fine. So I plugged the wireless router back in and set the laptop up to connect to that and the internet works fine like it always did.

Once it was set up, the tunnel came right up, and voila! The internet works too! I then log off of the laptop and log back on to make sure the logon script runs and I get my mapped drives and printers. However, there is no policy type option. I get to this step very early in the process, because there is no policy type drop down. The first option I can interact with is Authentication Method. Hi there — I followed your guide, very well written and easy to follow.

I tried getting this going on my own, and have had some success. I have 3 offices (well, actually 8, but focusing on 3 for now). I originally followed your guide and linked two of the offices together, and today I was tackling adding a third to the mix.

I added the first office to the third office successfully, I got the green light right away and was able to see network items across the tunnel.

Figuring I did it wrong, I deleted the address objects and vpn tunnel and started fresh, same thing. The only thing I can think is that these are on the same subnet, too similar and not passing traffic.

All three devices are Sonicwall NSA Do you have any thoughts? Any advice or direction would be super greatly appreciated. The other two branch offices with exact same settings are fine. I realize there could be many causes but does anything come to mind that I could try? Maybe I should make Master be the initiator.

Best bet, if you can, is factory restore, relicense the mysonicwall thing, apply firmware updates if any, then apply your saved settings back to the box. You do have settings saved from before the failure, yes???

Any updates on how to force all traffic from the remote site across the VPN? I tried what you said to someone else in the comments, but changing any settings just brings down the tunnels. I also tried a route based tunnel with no luck. Yes, you can have DHCP traverse the tunnel. Ignore all the bits prior to Step 3. So, you need to set the name in your DNS servers.

Great work and ty for making my IT life that little more stressless. I was given the task of creating a site to site; after searching and reading forums and articles, I found yours to be the best and easiest one around. I know you have answered a few questions like this, but is there a configuration where I have to let the traffic flow? Go back and check your settings on each side of the tunnel. What you are doing with these two settings is defining the routing that will be baked into the VPN policy. This is what sets you up to be able to access devices on the far side of the tunnel: you are behind Firewall A and can ping a device on the subnet behind Firewall B.

I would recheck the settings for both Local and Remote Networks and verify you have covered your bases. Also, verify settings on your devices on the target subnets and ensure your gateway settings are correct. Your local devices have to go to the correct gateway in order to access the VPN. Thanks for the reply.

I will go ahead and check my settings again. What I did was added the range of the addresses that the WiFi Router could give out as subnets. Hopefully this is not confusing. If you can see my email, can you shoot me a message, so that I can show you pics of my configuration?

We can ping between the subnets. So please suggest me for the same?? Is it for the license expiry or any other reason?

Robert Dick, itgroove Alumni.

On the master unit perform the following steps. Fill in your entries as follows. Make note of what you enter, as you will need to enter the same key on the other Sonicwall.

Click on the Network tab. You should then have something like the following.
Click on the Proposals tab and set like the following.
Click on the Advanced tab and set like the following.
Click the OK button to save the settings.

Now, switch yourself over to the other Sonicwall and repeat the same steps with the following differences. The Proposals should match the other side. Click the OK button to save the policy.

An example of how multiple networks display under a VPN policy follows. As you can see, this tunnel knows about 3 separate networks at the other end.

Select SonicWall. Select Advanced and enter the following. Add a firewall policy: add the source and destination addresses, and add an internal to external policy that includes these source and destination addresses to permit the traffic flow.

Enter the FortiGate IP address and subnet. Enter the SonicWall IP address and subnet. Select Create New and set the following: WAN1 or External Schedule: Internal Destination Address Name: Select Add and enter the following: FortiGate IP address Netmask: FortiGate netmask Select OK.
