Netgate Discussion Forum

    IPsec VPN to Sonicwall NSA 2400

    IPsec

KForce

Give me a few minutes; I am doing a complete step-by-step picture guide.


KForce

        Sonicwall first.

        Click VPN

        Name can be anything.

        Network tab same window.

You will need to create a new network object; mine is called SLSC.Net. Make it a network object and put in your pfSense local subnet, i.e. 10.10.10.0 255.255.255.0.

Proposals tab, same VPN window. Make everything exactly as you see here. Be sure to check Perfect Forward Secrecy and use GP2.

Advanced tab, same VPN window. Click OK when done with this step.


pfSense setup side.

Create a new VPN.

        Phase 1 PF. Make sure you add the 28800 also.

        Phase 2 PF. Be sure to uncheck everything not checked in the picture.

Click Pre-Shared Keys and add a new one. YOURKEY is the same as the tunnel's pre-shared key. IP is the IP of the pfSense box you are currently on, the same as the WAN address; i.e. if 24.111.111.111 is the public IP of the pfSense box, then put that in there. This identifies it to the SonicWall.

Lastly, add firewall rules in pfSense to allow traffic via IPsec.

Any questions, post them. This works for sure; I have 8 SonicWalls connected to my main pfSense box, including an NSA 2400.

        Kyle


dmitche

Well, I have followed your directions to a T. There are some subtle differences in the SonicWall setup, namely the General tab of the VPN policy. I have an extra drop-down box that allows me to select Site to Site or Tunnel. I used both, but Tunnel Interface doesn't give me the 'Network' tab. So Site-to-Site it is. I am running SonicOS Enhanced 5.5.1.0-5o.

Using Aggressive Mode the tunnel never becomes active. However, as soon as I switch to Main Mode it comes up. Still no traffic though. One thing I thought was strange was that the Address Object created in the SonicWall for the remote location has a Zone assignment of LAN rather than VPN. I tried it with both, with no success.

Here is the IPsec log from the pfSense box:
          Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP X.X.X.X[0]->X.X.X.X[0] spi=3462423859(0xce606533)
          Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP X.X.X.X[0]->X.X.X.X[0] spi=137167584(0x82d02e0)
          Apr 29 03:03:44 racoon: [First Church]: INFO: respond new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]

Here is the VPN IKE log from the SonicWall:
          16:03:43.896 Info VPN IKE  IKE negotiation complete. Adding IPSec SA. (Phase 2) X.X.X.X, 500  X.X.X.X, 500  VPN Policy: TBOL; ESP:3DES; HMAC_SHA1; Group 2; Lifetime=28800 secs; inSPI:0xce606533; outSPI:0x82d02e0
          16:03:43.896 Info VPN IKE  IKE Initiator: Accepting IPSec proposal (Phase 2) X.X.X.X, 500  X.X.X.X, 500  VPN Policy: TBOL; Local network 192.168.99.0 / 255.255.255.0; Remote network 10.10.11.0/255.255.255.0
          16:03:43.816 Info VPN IKE  IKE Initiator: Start Quick Mode (Phase 2). X.X.X.X, 500  X.X.X.X, 500  VPN Policy: TBOL

          It appears to me as though the tunnel is up. So I must have something configured incorrectly in the firewall rules. Am I correct in thinking I should be able to ping a local device on the remote subnet (10.10.11.10, for instance) from a LAN subnet on the SonicWall (192.168.99.X)?

          Thanks


KForce

Switch back to aggressive. Then from the SW LAN (192.x) ping the pf LAN IP (10.x). Give it a packet or two and it will make the tunnel come up. Try that. Let me know.


KForce

Also, my network address object is in zone LAN.

Firewall rules are auto-added on the SW.


KForce

Well, did you get it working?


dmitche

The tunnel is up with aggressive mode and I have set the Address Object to LAN. However, no traffic is being passed yet. I continue to get this message in the SW:
Notice VPN IPSec IPSec (ESP) packet dropped xxx.xxx.xxx.xxx (remote public ip), 0, X1 xxx.xxx.xxx.xxx (local Public IP) Inbound: SeqNum=65578, SPI=0x8004D31

                  Here are some screen shots to show the tunnel is active and the firewall rule that I was able to find.


dcaves

Did you guys end up finding a solution to this? I am having the exact same problem. My tunnel appears to be active, but no traffic is passing through, and I am seeing "IPSec (ESP) packet dropped" on the SonicWall in the logs.


dmitche

No, no luck even after all this time. I have successfully used VPN IPsec over two pfGuards though. Setup was nearly identical to this. I believe there is some strange SonicWall rule blocking things.
Their technical support simply tells me to upgrade to the latest firmware, as the existing firmware has 'VPN issues'. I have done this on two different occasions, but it didn't change anything.


dcaves

Wow, well that's terrible news. Thanks a lot for the quick response. I'm going to try upgrading my firmware (if there is an upgrade available) and see what happens. I'll let you know if I have any success.


dmitche

Still no luck. I am running 5.6.0.5-46o on the SW. The tunnel is active; however, no traffic is passed. Still getting dropped packets on the SW.

                          12/16/2010 11:55:15.256 Notice VPN IPSec IPSec (ESP) packet dropped xxx.xxx.xxx.xxx, 0, X1 xxx.xxx.xxx.xxx Inbound: SeqNum=1446931972, SPI=0x4D32000

When I hover over the log record I get 'Message id: 533 Legacy Category: Network Access'.

                          Any luck on your end?

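A check worth running on the two log excerpts posted in this thread is whether the SPI in the SonicWall's "ESP packet dropped" entries belongs to an SA that both peers actually report as established: a match points at a policy, zone or selector problem on the receiving side, while an unknown SPI means ESP is arriving for an SA the SonicWall no longer holds (for example a stale SA after a rekey). The script below is an added example, not code from the thread or from Netgate; the log lines are constructed to mirror the racoon and SonicOS formats quoted above, with the public IPs replaced by RFC 5737 documentation addresses, and it normalises the SPIs because racoon prints them in lowercase hex and SonicOS in uppercase.

```python
import re

# Constructed sample lines modelled on the entries quoted in the thread.
RACOON_LOG = """\
Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP 203.0.113.1[0]->198.51.100.1[0] spi=3462423859(0xce606533)
Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP 198.51.100.1[0]->203.0.113.1[0] spi=137167584(0x82d02e0)
"""

SONICWALL_LOG = """\
16:03:43.896 Info VPN IKE IKE negotiation complete. Adding IPSec SA. (Phase 2) VPN Policy: TBOL; inSPI:0xce606533; outSPI:0x82d02e0
16:04:10.120 Notice VPN IPSec IPSec (ESP) packet dropped 203.0.113.1, 0, X1 198.51.100.1 Inbound: SeqNum=65578, SPI=0x8004D31
16:04:11.300 Notice VPN IPSec IPSec (ESP) packet dropped 203.0.113.1, 0, X1 198.51.100.1 Inbound: SeqNum=65579, SPI=0x82D02E0
"""

RACOON_SA = re.compile(r"IPsec-SA established: ESP .*?spi=\d+\((0x[0-9a-fA-F]+)\)")
SW_SA = re.compile(r"inSPI:(0x[0-9a-fA-F]+); outSPI:(0x[0-9a-fA-F]+)")
SW_DROP = re.compile(r"IPSec \(ESP\) packet dropped .*?SPI=(0x[0-9a-fA-F]+)")


def negotiated_spis(racoon_log, sonicwall_log):
    """Collect every SPI either peer reports as an established IPsec SA.

    SPIs are stored as integers so that case and leading-zero differences
    between the two vendors' log formats do not cause false mismatches.
    """
    spis = set()
    for line in racoon_log.splitlines():
        m = RACOON_SA.search(line)
        if m:
            spis.add(int(m.group(1), 16))
    for line in sonicwall_log.splitlines():
        m = SW_SA.search(line)
        if m:
            spis.update(int(s, 16) for s in m.groups())
    return spis


def classify_drops(racoon_log, sonicwall_log):
    """Label each SonicWall ESP drop by whether its SPI is a negotiated SA."""
    known = negotiated_spis(racoon_log, sonicwall_log)
    results = []
    for line in sonicwall_log.splitlines():
        m = SW_DROP.search(line)
        if not m:
            continue
        verdict = "known SA" if int(m.group(1), 16) in known else "unknown SA"
        results.append((m.group(1), verdict))
    return results


if __name__ == "__main__":
    for spi, verdict in classify_drops(RACOON_LOG, SONICWALL_LOG):
        print(f"dropped ESP with SPI {spi}: {verdict}")
```

A "known SA" drop means the packet decrypted against a live SA and was then refused by policy, so the zone, address object or access rules are where to look; an "unknown SA" drop means the peers disagree about which SAs exist and the tunnel should be torn down and renegotiated on both ends before looking at rules.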
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.