
Site to Site VPN -- any difference using SOHO250 over TZ170?

We’ve had a VPN tunnel between two TZ100 firewalls for several years. We’re replacing one of them with a SOHO250 and matched all of the network and VPN settings, but cannot get the tunnel to connect. 

At one point we gave the SOHO250 the MAC address of the replaced TZ100, and the tunnel connected. We don’t know whether that was a necessary configuration or if the tunnel coming up then was just coincidental. However the tunnel no longer connects, whether the SOHO250 has its own MAC address or the one from the old TZ100. 

The old TZ100 can still connect fine to the TZ100 at the other end. 

Are there any known issues or easily missed configurations when connecting a VPN between a TZ100 and a SOHO250?

Category: Entry Level Firewalls

Best Answer

  • Noel Newbie ✭
    Accepted Answer

    Apparently the problem might have been that we didn't enable 'Keep Alive' when we used Aggressive mode.

    We came across a minor bug:  In the QUICK CONFIGURATION's VPN Guide, on the Security Settings, pick any DH Group. Go to the Summary, and it shows that it actually picked the DH Group that's next up in the list. For instance, pick Group 1, and actually it's undefined. Pick Group 2, and it actually picks Group 1. If Group 5, then it picks Group 2, and so on.
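Added example, not code from the thread or from SonicWall: a small checker that compares the IKE phase 1 settings of the two ends of a tunnel and reports the kinds of mismatch discussed in this thread (disagreeing proposals, crossed identifiers, a DH group the wizard silently shifted, and Keep Alive left off on the peer whose WAN address the other side cannot reach). The policy fields, the sample values, the order of the DH groups in the wizard list and the rule that a peer with a dynamic or private WAN address must initiate (and therefore needs Keep Alive) are assumptions for illustration, not SonicWall's configuration format or documented behaviour. The DH-group model is constructed purely from the off-by-one the accepted answer describes.

```python
# Added example (not from the thread or SonicWall). Field names, sample values
# and the Keep Alive rule are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional

# Phase 1 settings that both peers must agree on before the tunnel can come up.
PHASE1_FIELDS = ("exchange", "dh_group", "encryption", "authentication", "lifetime")

# Order of the DH groups as the accepted answer describes the wizard listing
# them (constructed from that description only; not a verified product list).
WIZARD_DH_LIST = [1, 2, 5, 14]


@dataclass
class VpnPolicy:
    name: str
    exchange: str          # "main" or "aggressive"
    dh_group: Optional[int]
    encryption: str
    authentication: str
    lifetime: int          # seconds
    local_id: str          # the IKE identifier this peer sends
    peer_id: str           # the identifier it expects from the remote side
    keepalive: bool        # SonicWall "Enable Keep Alive"
    wan_ip_static: bool    # False when the WAN address is private/dynamic


def wizard_effective_dh(selected: int) -> Optional[int]:
    """Model the off-by-one the accepted answer reports: the summary shows the
    group *before* the one picked, and the first entry becomes undefined."""
    idx = WIZARD_DH_LIST.index(selected)
    return WIZARD_DH_LIST[idx - 1] if idx > 0 else None


def check_pair(a: VpnPolicy, b: VpnPolicy) -> List[str]:
    """Return human-readable mismatches between the two ends of one tunnel."""
    issues: List[str] = []
    for field in PHASE1_FIELDS:
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            issues.append(f"{field}: {a.name}={va!r} vs {b.name}={vb!r}")
    # Identifiers cross over: what one side sends must be what the other expects.
    for me, other in ((a, b), (b, a)):
        if me.local_id != other.peer_id:
            issues.append(f"identifier: {me.name} sends {me.local_id!r} "
                          f"but {other.name} expects {other.peer_id!r}")
    for p in (a, b):
        if p.dh_group is None:
            issues.append(f"dh_group: {p.name} has no DH group (check the wizard summary)")
        # Assumed rule: a peer the other side cannot reach at a fixed address
        # must initiate, and Keep Alive is what makes it initiate and stay up.
        if not p.wan_ip_static and not p.keepalive:
            issues.append(f"keepalive: {p.name} has a dynamic WAN address "
                          f"but Keep Alive is off")
    return issues


def example() -> List[str]:
    """Constructed pair mirroring the thread: a TZ100 with a static address and a
    SOHO250 behind the ISP device, Keep Alive off, DH group set via the wizard."""
    tz100 = VpnPolicy("TZ100", "aggressive", 2, "AES-256", "SHA1", 28800,
                      local_id="tz100.example", peer_id="soho250.example",
                      keepalive=True, wan_ip_static=True)
    # The admin picked Group 2 to match the TZ100; the wizard actually stored Group 1.
    soho250 = VpnPolicy("SOHO250", "aggressive", wizard_effective_dh(2), "AES-256",
                        "SHA1", 28800, local_id="soho250.example",
                        peer_id="tz100.example", keepalive=False, wan_ip_static=False)
    return check_pair(tz100, soho250)


if __name__ == "__main__":
    for line in example():
        print(line)
```

Run as-is it reports two findings for the constructed pair: the DH group mismatch introduced by the wizard, and Keep Alive being off on the SOHO250 side. The point of the checker is that it works from the values the firewall will actually propose (here, the wizard summary), not from what was selected in the form.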

Answers

  • shiprasahu93 Moderator

    Hello @Noel,

    Kindly look at the GUI logs to see why the VPN connection is failing with the SOHO250. That should give us a clue wrt the configuration change required.

    MAC address change is not necessary for the VPN setup, it usually helps with the immediate devices connected like the ISP modem or the LAN switch.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • TKWITS Cybersecurity Overlord ✭✭✭

    My guess is you are missing the correct firewall identifier in the IPSec config. That is why 'changing the MAC address' allowed it to work. You'll need to update the older firewall tunnel config with the new firewall identifier (MAC address).

    In my experience it's rare that tunnels are configured based on the firewall identifier but I've seen it before.

  • Noel Newbie ✭
    edited June 5

    Thanks, SHIPRASAHU93 and TKWITS. We took your suggestions but are still having problems.

    To recap, at one end there's a TZ100, which will remain in service. At the other end we're replacing a TZ100 with a SOHO250. Both are configured with Main Mode for the VPN.

    The TZ100 log shows it's sending out packets to establish a VPN, but it's timing out on waiting for a reply. At the new SOHO250, the log shows no VPN activity at all -- neither sending nor receiving any packets for the VPN. Its VPN is configured and enabled, but nothing is happening with it.

    We expected to see failed communications coming from the SOHO250, but are surprised to see no VPN communications at all. There are mainly just a lot of IPv6 packets (mostly dropped ICMPv6 packets). The tunnels are configured on IPv4.

    We've used the same WAN settings on the SOHO250 as on the TZ100 that it's replacing. Its WAN address is a local IP address given out by the ISP onsite device.

    Any ideas on why the SOHO250's enabled VPN wouldn't be sending or receiving any VPN packets at all?

    Thanks.

  • shiprasahu93 Moderator
    edited June 9

    @Noel,

    Glad that it is working correctly now. Thanks for sharing the solution here.

    Shipra Sahu

    Technical Support Advisor, Premier Services
