[FireWall] SonicWall VPN setup

[2009/08/25 22:18 | Category: 隨手查隨手記 | by hero ]
Overview:
• set a unique name on each device
• configure subnet, DHCP, etc.
• create a VPN policy on each device pointing at the other
NOTE: I'm not talking about setting passwords or security here - it's assumed that you've already setup the environment.

Set the Unique Name on each device:
1. Log into the first device's web interface
2. Click on VPN on the left side
3. Under "Unique Firewall Identifier" enter a logical name like "USNY1"
4. Log into the second device's web interface
5. Click on VPN
6. Under "Unique Firewall Identifier" enter another name like "USNY2"
Configure Subnets for DHCP:
1. Log into the first device's web interface
2. Click Network > LAN
3. Set the SonicWall LAN IP to something like 10.0.1.1
4. Set the subnet mask to whatever is appropriate for your network, like 255.255.255.0
5. Repeat the same steps for device 2, except make the IP and subnet different, like 10.0.2.1 and 10.0.2.0/255.255.255.0
Setup VPN Policy:
Assuming you have the following configuration we can create the VPN policy:

Site 1
Device Name: USNY1
Subnet: 10.0.1.0/24

Site 2
Device Name: USNY2
Subnet: 10.0.2.0/24
Setup Device 1
1. On device 1 click on VPN > Settings
2. Click Add under VPN Policies
3. Fill out the information as shown below:
IPSec Keying Mode: IKE using Shared Secret
Name: USNY2 [name of your device 2]
IPSec Primary Gateway Name or Address: the public IP address of device 2
IPSec Secondary Gateway Name or Address: left blank in most cases
Shared Secret: Since you will only be typing it in twice and this is the basis of the tunnel's security, you should set it to be very strong. [https://www.grc.com/passwords.htm] Write it down!
4. Click "Specify destination networks below" and click Add
5. Type in the subnet that device 2 is controlling - in this example 10.0.2.0/24
6. Click OK
Setup Device 2 [Almost same as above]
1. On device 2 click on VPN > Settings
2. Click Add under VPN Policies
3. Fill out the information as shown below:
IPSec Keying Mode: IKE using Shared Secret
Name: USNY1 [name of your device 1]
IPSec Primary Gateway Name or Address: the public IP address of device 1
IPSec Secondary Gateway Name or Address: left blank in most cases
Shared Secret: same as the password you generated above
4. Click "Specify destination networks below" and click Add
5. Type in the subnet that device 1 is controlling - in this example 10.0.1.0/24
6. Click OK


Check the logs:
If you've configured everything correctly, you should be able to watch the VPN tunnel negotiation process in the event logs.
1. Click on Log > Categories
2. Check "Log all categories" - this will record VPN functions
3. Under Log click "View"
4. Review the logs for the following events:
SENDING>>>> ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)


Troubleshooting:
Phase 2 or algorithms don't match
If you see a log message of this kind, it is most likely caused by different encryption settings under Phase 2. Go back and make sure they match exactly on both devices.

IKE Initiator: Proposed IKE ID mismatch
This message is most likely caused by the firewall names being mismatched. Make sure that under VPN settings the name is set to something unique, and that the VPN policy on each device carries the other device's name.

Dynamic IPs
If you're connecting two sites with dynamic IP addresses, I've read that you need to check the "Aggressive Mode" type of VPN, but maybe someone can confirm that.
1. Click VPN and click Configure on the tunnel you created
2. Under Proposals change "Exchange" to Aggressive Mode
3. Click the Advanced tab
4. Check "Enable Keep Alive" and "Try to bring up all possible Tunnels"
5. Click OK
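To make the log check and the troubleshooting section above repeatable, here is an added example (not from the original post or from SonicWall) that parses the ISAKMP lines quoted under "Check the logs", confirms DPD traffic flows in both directions for one InitCookie, and maps the two failure messages from the troubleshooting section to their suggested fixes. The failure lines in the sample are constructed to match the post's wording; they are assumed, not verbatim SonicOS output.

```python
import re
from typing import Optional

# Matches the ISAKMP negotiation lines the guide says to look for under Log > View.
ISAKMP_RE = re.compile(
    r"^(?P<dir>SENDING|RECEIVED)[<>]+\s+ISAKMP\s+(?P<exch>OAK \w+)\s+"
    r"\(InitCookie (?P<cookie>0x[0-9a-fA-F]+),\s*MsgID:\s*(?P<msgid>0x[0-9a-fA-F]+)\)"
    r"\s*\*\((?P<payloads>[^)]*)\)"
)

# Log-text substrings from the troubleshooting section, mapped to the guide's fix.
HINTS = {
    "Proposed IKE ID mismatch": "Firewall names mismatched: policy Name must equal the peer's Unique Firewall Identifier.",
    "Phase 2": "Phase 2 settings differ: make the encryption match exactly on both devices.",
}

def parse_isakmp(line: str) -> Optional[dict]:
    """Split one SonicWall ISAKMP log line into its fields, or None if it is not one."""
    m = ISAKMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["payloads"] = [p.strip() for p in rec["payloads"].split(",")]
    return rec

def diagnose(lines):
    """Return (tunnel_alive, hints): alive when DPD notifies for one cookie flow both ways."""
    dpd_dirs = {}  # InitCookie -> set of directions carrying a DPD notify
    hints = []
    for line in lines:
        rec = parse_isakmp(line)
        if rec:
            if any(p.startswith("NOTIFY:DPD_") for p in rec["payloads"]):
                dpd_dirs.setdefault(rec["cookie"], set()).add(rec["dir"])
            continue
        for needle, hint in HINTS.items():
            if needle.lower() in line.lower() and hint not in hints:
                hints.append(hint)
    alive = any(d == {"SENDING", "RECEIVED"} for d in dpd_dirs.values())
    return alive, hints

# Constructed sample: the two lines quoted in the guide, then two failure lines (assumed wording).
SAMPLE_OK = [
    "SENDING>>>> ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)",
    "RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)",
]
SAMPLE_BAD = [
    "IKE Initiator: Proposed IKE ID mismatch",
    "IKE Responder: Phase 2 algorithms don't match",
]
```

Feed it the lines pasted from Log > View; a `True` with no hints means the tunnel is up and exchanging dead-peer-detection traffic.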