Site to Site VPN via two Sonicwall firewalls – With DHCP over VPN

1. Create a virtual network

Create a Site-to-Site connection in the Azure portal
The ASA might not know the route to the Sonicwall from the Click the Advanced tab and select any of the following optional settings you want to apply to your VPN policy: On the Create local network gateway page, specify the values for your local network gateway. Adjust the auto-filled Address range values to match your configuration requirements.


The Beagle - Technology for SMB's

Type a Name for the Security Association in the Name field. You must have imported local certificates before selecting this option. If the certificate contains a Subject Alternative Name, that value must be used. This is because site-to-site VPNs are expected to connect to a single peer, as opposed to Group VPNs, which expect to connect to multiple peers.

Wildcard characters are not supported. The actual Subject Distinguished Name field in an X. The fields are separated by the forward slash character, for example: Click on the Network tab. Group 1, Group 2, Group 5, or Group Select the desired authentication method from the Authentication menu. Enter a value in the Life Time seconds field. The default setting of forces the tunnel to renegotiate and exchange keys every 8 hours.

In the IPsec Phase 2 Proposal section, select the following settings: Select the desired protocol from the Protocol menu. Select Enable Perfect Forward Secrecy if you want an additional Diffie-Hellman key exchange as an added layer of security.

Select Group 2 from the DH Group menu. Click the Advanced tab. Select any optional configuration options you want to apply to your VPN policy: Select an interface or zone from the VPN Policy bound to menu. Optionally, you can configure a static route to be used as a secondary route in case the VPN tunnel goes down. By default, static routes have a metric of one and take precedence over VPN traffic. This results in the following behavior:

When a VPN tunnel is active: All traffic is routed over the VPN tunnel to the destination address object. When a VPN tunnel goes down: All traffic to the destination address object is routed over the static routes. To configure a static route as a VPN failover, complete the following steps: Scroll to the bottom of the page and click on the Add button. The Add Route Policy window is displayed. Ensure Metric is 1. Enable the Allow VPN path to take precedence checkbox.

From the Policy Type drop-down menu on the General tab, select the type of policy that you want to create: Under Destination Networks, select one of these: This sounds like a misconfiguration on the Sacramento side. NAS could also be the same thing. The tunnels themselves are fine so it is a routing issue the gateway thing or local firewall issue. I factory reset the Sacramento side and walked through it again. Works now without a problem. I must have missed something originally.

Great to hear it all works! Thanks for touching base, appreciated! I am new to SonicWall, and I followed this procedure exactly on both devices. I do have a question though. We are moving to a location where there is no viable data center space so I am moving my servers to a colocation data center. My plan is to use site to site vpn between the office and the data center.

I have a Sonicwall Pro that will go on the data center side and a Sonicwall Pro that will go on the office side. If all your nets are on the same IF you can clearly define what segments lie behind one gateway say the then you might be able to get away with the simple config methodology. You might have to do some testing and tuning. Thank you for the reply. I guess I should have said that the current subnet is I can easily change the scope to a different subnet, say We have two separate internet connections so I tested the site to site tunnel and got it to work using your instructions.

I used a laptop with a static IP of I did have one question on the setup though. Does this make sense? OK, if you got the tunnel up AND each side of the tunnel knows about the networks on the other side of the tunnel then you are over the first hurdle. And, if you can reach servers or devices over the tunnel via IP address then you know your routing is working. So, it looks like it is a question of tuning some settings. Also, when you tested with the laptop, where was it pointing for its DNS?

Did you point at a server on the main side? Finally, in answer to your last question, yes, objects on firewall A that refer to something on the remote side of a VPN tunnel on firewall B should always be VPN objects. That ensures the object is attached to the correct zone and has proper security wrapped around it. You are a genius! I changed the DNS settings and voila! My logon script runs, I get my mapped drives and printers and can browse the network.

There is one more nagging little issue though. Laptop getting DNS correctly? In other words, if you do an nslookup from the laptop for an external site, does the DNS server give the IP address? Finally, make sure the network settings on the X1 port on the remote Sonicwall are correct and the laptop has the correct gateway IP configured.

Then the default routing config on the remote Sonicwall should then handle the access from the laptop to the Internet. Yes, it appears the laptop is getting DNS correctly.

I checked the gateway on the laptop and it is pointing to the remote Sonicwall. I checked the gateway on the Sonicwall and it is pointing to the correct IP. This seems correct, no? So it seems that everything is set correctly yet I am still unable to browse the internet. Any other gotchas you can think of? What do diags on the firewall give you? Can it ping its gateway and its DNS sites? And, stupid question is the firewall showing as being properly licensed?

If it is not licensed there may be an impact on traffic. Finally, have you restarted the remote side's modem and then the firewall? Sometimes that seems to sort everything out. Once you KNOW things are working you can start to cut in the security services. Anyway, all looks fine.

So I plugged the wireless router back in and set the laptop up to connect to that and the internet works fine like it always did.

Once it was set up, the tunnel came right up, and voila! The internet works too! I then log off of the laptop and log back on to make sure the logon script runs and I get my mapped drives and printers. However, there is no policy type option. I get to this step very early in the process: Because there is no policy type drop down. The first option I can interact with is Authentication Method.

Hi there — I followed your guide, very well written and easy to follow. I tried getting this going on my own, and have had some success.

I have 3 offices well, actually 8 but focusing on 3 for now. I originally followed your guide and linked two of the offices together, and today I was tackling adding a third to the mix. I added the first office to the third office successfully, I got the green light right away and was able to see network items across the tunnel.

Figuring I did it wrong, I deleted the address objects and vpn tunnel and started fresh, same thing. The only thing I can think is that these are on the same subnet, too similar and not passing traffic. All three devices are Sonicwall NSA Do you have any thoughts? Any advice or direction would be super greatly appreciated. The other two branch offices with exact same settings are fine.

I realize there could be many causes but does anything come to mind that I could try? Maybe I should make Master be the initiator. Best bet, if you can, is factory restore, relicense the mysonicwall thing, apply firmware updates if any, then apply your saved settings back to the box. You do have settings saved from before the failure, yes???

Any updates on how to force all traffic from the remote site across the VPN. I tried what you said to someone else in the comments but changing any settings just brings down the tunnels. I also tried a route based tunnel with no luck. Yes, you can have DHCP traverse the tunnel. Ignore all the bits prior to Step 3.

So, you need to set the name in your DNS servers. Great work and ty for making my IT life that little more stressless. I was given the task of creating a site to site, after searching and reading forums and articles. I found yours to be the best and easiest one around. I know you have answered a few questions like this, but is there a configuration where I have to let the traffic flow?

Go back and check your settings on each side of the tunnel. What you are doing with these two settings is defining the routing that will be baked into the VPN policy. This is what sets up for you to be able to access devices on the far side of the tunnel: you are behind Firewall A and can ping a device on the subnet behind Firewall B.

I would recheck the settings for both Local and Remote Networks and verify you have covered your bases. Also, verify settings on your devices on the target subnets and ensure your gateway settings are correct. Your local devices have to go to the correct gateway in order to access the VPN. Thanks for the reply. I will go ahead and check my settings again. What I did was added the range of the addresses that the WiFi Router could give out as subnets. Hopefully this is not confusing.

If you can see my email, can you shoot me a message, so that I can show you pics of my configuration? We can ping between the subnets. So please suggest me for the same?? Is it for the license expiry or any other reason?

Robert Dick, itgroove Alumni. On the master unit perform the following steps: Fill in your entries as follows: Make note of what you enter as you will need to enter the same key on the other SonicWall.

Click on the Network tab: You should then have something like the following: Click on the Proposals tab and set like the following: Click on the Advanced tab and set like the following: Click the OK button to save the settings. Now, switch yourself over to the other Sonicwall and repeat the same steps with the following differences: The Proposals should match the other side: Click the OK button to save the policy.

An example of how multiple networks display under a VPN policy follows: As you can see, this tunnel knows about 3 separate networks at the other end. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

In the search box, type Local network gateway, then press Enter to search. This will return a list of results. Click Local network gateway, then click the Create button to open the Create local network gateway page. On the Create local network gateway page, specify the values for your local network gateway. When you have finished specifying the values, click the Create button at the bottom of the page to create the local network gateway.

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following: For more information, see Download VPN device configuration scripts. The device configuration links are provided on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration information. The list shows the versions we have tested. If your OS is not on that list, it is still possible that the version is compatible.

For information about editing device configuration samples, see Editing samples. Click OK to create your connection. You'll see Creating Connection flash on the screen.

The following steps show one way to navigate to your connection and verify. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell. Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed. You don't need to modify this example before using it. If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

Before you begin

VIDEO: Informational videos with Site-to-Site VPN configuration examples are available online. This encryption key is used to configure the remote SonicWALL encryption key; therefore, write it down to use when configuring the firewall. This article details how to configure a Site-to-Site VPN using Main Mode, which requires the SonicWall and the Remote VPN Concentrator to both have static, public IP addresses. Step 3: Configuring a VPN policy on Site B SonicWall. This article covers how to configure a site to site VPN tunnel between a SonicWall and Linksys VPN router in aggressive mode. Resolution. Procedure: SonicWall Configuration. First, on the SonicWall, you must create an address object.