How Do I... Configure SonicWALL VPN Connections?

Specifying authorized VPN users

The Beagle - Technology for SMB's
Log into the remote Sonicwall and do the same thing: indicate the remote LANs that can access the main site over the tunnel, and what they can access. We set this up on the Networks portion of each policy and bound the policies to the LAN subnets at each end.


Site to Site VPN via two Sonicwall firewalls – With DHCP over VPN

Hundreds of thousands of organizations turn to SonicWALL hardware to fulfill their firewall and network switching needs.

SonicWALL firewalls also power effective VPN connections, providing secure remote access for everyone from mobile employees to executive staff. Essentially, there are three steps to the process. Follow these steps to configure the end user client:


Click on the VPN button. Specify whether you wish to use a default key or use a preshared key. There is a way to make it work but it may take some real dancing to do so. A is the subnet at our main office. It is working properly over the VPN.

However, subnet B is not. Is this set up correctly? Thanks for the compliment, much appreciated! As for your issue, it sounds like you have created the configuration correctly. That is the first test, as that would indicate the Sonicwall has set up both tunnels. This would also indicate that the Sonicwall knows to route traffic to those subnets across the VPN.

The ASA might not know the route to the Sonicwall from the If both ping correctly then the tunnel is working as it should and it is just route tweaking that you have to mess with. If not then there is more digging required. Excellent blog post and great site! Thanks for taking the time to share with the rest of the world. I do have some firewall experience but never had to work with a SonicWall before!

So I followed your post to create a site-to-site with a FortiGate and that worked out well: if the remote subnet is a single subnet, counters increase and I can ping. So in the last part you said to create the additional firewall subnets, to put them in the VPN zone and add them to the firewall object group as needed. Unfortunately, once I do that, and while I do get 3 green bullets next to each subnet under the VPN page on the SonicWall, I can no longer ping any remote subnets, even the one that was previously working.

How do I do that with the SonicWall, or perhaps you have any tips on what could be wrong? If I remove the 2 subnets from the remote site in the VPN configuration, thus leaving only one subnet in the group, and do the same on the other firewall, communication is restored. This methodology allows for much more complex settings (network, routes, and so on) but also requires a lot more configuration. Let me know if you want me to PM you and we can take the discussion offline.

I was able to figure it out after all. So I had to go on the FortiGate and create separate phase 2 SAs for each additional subnet. Thank you, this saved me a lot of time. The mistake I was making was in trying to use the site with the dynamic IP as the master.

Do you think you could help with this? I can send whatever information you need about the setup here. Please ignore my previous log. I managed to hack my way around and figured out what the problem was. All I had to do was add the appropriate groups to the VPN user setup. Check the network definitions for the VPN on both sides. Also, my post was Sonicwall specific for setting up VPN between Sonicwalls; the process may not work according to plan with non-Sonicwall devices.

Just wanted to say a huge thank you for such a great article! Made setting up our site to site a breeze. I did initially struggle getting any traffic to traverse the VPN but after much gnashing of teeth I figured it out.

Our set up is this: Static IPs at HQ on The VPN worked straight off the bat but I could get no traffic over it. That DHCP lease was on the So for me, the key point from all of this is: if you have trouble, check all your possibilities and look at every bit of networking involved, as the setup detailed above is rock solid and just works. Great work Robert, thank you. Glad my scribbles helped you out. Thanks for your comment and thanks for reading my blog! Thanks for creating this post.

I was able to configure my site-to-site VPN with very little trouble but now I am having a name resolution problem. Currently I have a TZw on the master side (on the production side currently) and a NSA on the slave side (recently purchased and currently configuring); in the end I am going to reverse roles but for testing this is how I have it set up. However, if I do not use the mapped drive and type in the IP address for the file server, I can connect to it with no problem and everything functions as I would expect.

How can I get my slave to resolve the remote domain names in order to get my mapped drives to work without resorting to IP addresses? Generally, when you have a condition such as you describe, you have not set up DNS correctly on the remote site as you have proven that traffic flows correctly across the VPN. So I am trying to get a remote site to connect to azure. My main site is connected to azure via static VPN and it works fine.

I can get traffic from the remote site to travel to Azure without issue, but sending traffic from Azure to the remote site is not working. The main site SonicWall is dropping the packets. I can see this happening in the log. To enable the remote traffic to get to Azure we just had to add the Azure network as a remote destination on the VPN setup. We tried to add the Azure network as a local destination on the Azure VPN on the main site; that does not work. Not sure what I am missing but any ideas would be appreciated.

Are you doing the site to site VPN as per my post, where everything including networks is encapsulated in the one policy? If so you may need to switch to a route-based VPN, which means the VPN policy simply handles the tunnel and then you have explicit routing rules that handle the various routing scenarios. Thanks for the help. That was exactly it. Unfortunately not all is fixed. I am feeling like the fish today.

Thinking it was the phone I tried multiple times to reconfigure account on phone with no success. When I got home I was able to connect to the Exchange server with no problem. The next day I had the same problem so I asked a co-worker to try with his Samsung and he was having the same problem through the SonicPoint.

When I unbridge the interfaces with or without the site-to-site enabled or disable the site-to-site with a bridged interface or unbridged interface I can connect mobile devices to my exchange server.

It is a SonicPoint ACe by the way. After doing a reset on my testing process, I figured out why the bridged interface was not working. I suspect a misconfiguration on the Cisco side. Make sure that the rules on the Sonicwall for the inbound traffic clearly identify the remote side LAN (this is probably in place as Sonicwall users can get to the Cisco LAN, but check it anyway) and make sure the rules on the Cisco clearly identify the Sonicwall side of things.

It sounds like the tunnel is in place, so now it is just routing that probably has to be fixed up. I was hoping you could expand upon allowing additional subnets in the tunnel. Address Objects (Type: Network) for the additional subnets have been created. You have to clearly define all the subnets that you want seen on each end of the tunnel, so this usually means you have to create an address group object and then include the subnets in that object.

If you are doing Sonicwall to Sonicwall using the quick method you will see that there is a tunnel created for each subnet pairing.

So this means you have to ensure that the Local Network includes all the subnets on the local side and the Remote Network includes all of the subnets on the remote side that you want to include in the VPN, and this needs to be mirrored on the other device. So if you have The info in brackets above would be the Address Group Objects.

And each Sonicwall would show 2 tunnels up; there is a tunnel created for each subnet, like the last illustration in the post. I followed the instructions on this page https: Follow my post on setting up the easy way and make the MX the unit that the TZw initiates the connection to, as the has the static address. It will work for you as this is the recommended way to set up when one end is dynamic. Follow this post as it is exactly the config you need to work in your situation.

Set it up this way and I guarantee your VPN will work. The only thing I suggest is that you ensure the firmware on both units is at the same level, or as close as possible. Having very different firmware levels can cause problems. Robert, good morning, we continue step by step, and it still does not work; firmware is at the same level of SonicOS Enhanced upgrade 5. Can you give me a little more detail? Great write up and it worked like a charm. Master in Hayward hosts The remote site can see everything on the master site.

From the master site I can ping the gateway of the remote site. This sounds like a misconfiguration on the Sacramento side. NAS could also be the same thing. The tunnels themselves are fine, so it is a routing issue (the gateway thing) or a local firewall issue. I factory reset the Sacramento side and walked through it again. Works now without a problem.

I must have missed something originally. Great to hear it all works! Thanks for touching base, appreciated! I am new to SonicWall, and I followed this procedure exactly on both devices. I do have a question though. We are moving to a location where there is no viable data center space so I am moving my servers to a colocation data center.

My plan is to use site to site VPN between the office and the data center. I have a Sonicwall Pro that will go on the data center side and a Sonicwall Pro that will go on the office side. If all your nets are on the same IF you can clearly define what segments lie behind one gateway say the then you might be able to get away with the simple config methodology.

You might have to do some testing and tuning. Thank you for the reply. I guess I should have said that the current subnet is I can easily change the scope to a different subnet, say We have two separate internet connections so I tested the site to site tunnel and got it to work using your instructions.

I used a laptop with a static IP of I did have one question on the setup though. Does this make sense? OK, if you got the tunnel up AND each side of the tunnel knows about the networks on the other side of the tunnel, then you are over the first hurdle. And, if you can reach servers or devices over the tunnel via IP address, then you know your routing is working. So, it looks like it is a question of tuning some settings.

Also, when you tested with the laptop, where was it pointing for its DNS? Did you point at a server on the main side? Finally, in answer to your last question, yes, objects on firewall A that refer to something on the remote side of a VPN tunnel on firewall B should always be VPN objects.

That ensures the object is attached to the correct zone and has proper security wrapped around it. You are a genius! I changed the DNS settings and voilà! My logon script runs, I get my mapped drives and printers and can browse the network. There is one more nagging little issue though. Is the laptop getting DNS correctly? In other words, if you do an nslookup from the laptop for an external site, does the DNS server give the IP address?

Finally, make sure the network settings on the X1 port on the remote Sonicwall are correct and the laptop has the correct gateway IP configured. Then the default routing config on the remote Sonicwall should handle the access from the laptop to the Internet. Yes, it appears the laptop is getting DNS correctly. I checked the gateway on the laptop and it is pointing to the remote Sonicwall.

I checked the gateway on the Sonicwall and it is pointing to the correct IP. This seems correct, no? So it seems that everything is set correctly yet I am still unable to browse the internet. Any other gotchas you can think of? What do diags on the firewall give you? Can it ping its gateway and its DNS sites?

And, stupid question: is the firewall showing as being properly licensed? If it is not licensed there may be an impact on traffic. Finally, have you restarted the remote side's modem and then the firewall? Sometimes that seems to sort everything out. Once you KNOW things are working you can start to cut in the security services.

Anyway, all looks fine. So I plugged the wireless router back in and set the laptop up to connect to that, and the internet works fine like it always did. Once it was set up, the tunnel came right up, and voilà! The internet works too! I then log off of the laptop and log back on to make sure the logon script runs and I get my mapped drives and printers.

However, there is no policy type option. I get to this step very early in the process, because there is no policy type drop-down. The first option I can interact with is Authentication Method. Hi there — I followed your guide, very well written and easy to follow. I tried getting this going on my own, and have had some success.

I have 3 offices (well, actually 8, but focusing on 3 for now). I originally followed your guide and linked two of the offices together, and today I was tackling adding a third to the mix. I added the first office to the third office successfully; I got the green light right away and was able to see network items across the tunnel. Figuring I did it wrong, I deleted the address objects and VPN tunnel and started fresh, same thing. The only thing I can think is that these are on the same subnet, too similar and not passing traffic.

All three devices are Sonicwall NSA. Do you have any thoughts? Any advice or direction would be super greatly appreciated. The other two branch offices with the exact same settings are fine. I realize there could be many causes but does anything come to mind that I could try? Maybe I should make Master be the initiator. Best bet, if you can, is factory restore, relicense (the mysonicwall thing), apply firmware updates if any, then apply your saved settings back to the box (you do have settings saved from before the failure, yes?).

Any updates on how to force all traffic from the remote site across the VPN? I tried what you said to someone else in the comments but changing any settings just brings down the tunnels. I also tried a route-based tunnel with no luck. Yes, you can have DHCP traverse the tunnel. Ignore all the bits prior to Step 3. So, you need to set the name in your DNS servers.

Great work and ty for making my IT life that little more stressless. I was given the task of creating a site to site; after searching and reading forums and articles, I found yours to be the best and easiest one around. I know you have answered a few questions like this, but is there a configuration where I have to let the traffic flow?

Go back and check your settings on each side of the tunnel. What you are doing with these two settings is defining the routing that will be baked into the VPN policy. This is what sets it up for you to be able to access devices on the far side of the tunnel (you are behind Firewall A and can ping a device on the subnet behind Firewall B). I would recheck the settings for both Local and Remote Networks and verify you have covered your bases. Also, verify settings on your devices on the target subnets and ensure your gateway settings are correct.

Your local devices have to go to the correct gateway in order to access the VPN. Thanks for the reply. I will go ahead and check my settings again. What I did was add the range of the addresses that the WiFi router could give out as subnets.

Hopefully this is not confusing. If you can see my email, can you shoot me a message, so that I can show you pics of my configuration? We can ping between the subnets. So please suggest me for the same?? Is it for the license expiry or any other reason? Robert Dick, itgroove Alumni. On the master unit perform the following steps: Fill in your entries as follows: Make note of what you enter, as you will need to enter the same key on the other Sonicwall.

Click on the Network tab:

Configuring the router
