Site to Site IPSec VPN from TZ470 to Grandstream GWN7062 firewall
KMBIT
Newbie ✭
I am attempting to determine how to create a site to site from my office to my client's office where we have a TZ470 Firewall in our office and they have a Grandstream GWN7062 Firewall at their office. It does support IPSec but there is enough of a difference in the field names from what I am used to that I do not understand how to translate from SonicWALL to Grandstream. I went looking for documentation but was not able to find anything that directly applied.
Do we have documentation on how this needs to be configured?
Thanks for any guidance you can provide!
Kevin
Category: Entry Level Firewalls
Answers
Post the field names from the Grandstream and we can help you translate.
TKWiTS,
Thank you, here is an image of the Grandstream Phase one and Phase two settings:
That looks a lot like the OpnSense GUI, presumably this Grandstream is using the same IPsec implementation.
Given that you have given us a screenshot of 30+ different fields, I think you should at least list all the ones you don't understand as nobody is going to reply to this post explaining all of them. And probably screenshot your settings Sonicwall-side as well.
If I had to guess, "Destination: All" is probably wrong unless you want to tunnel all traffic through the Sonicwall. Check the tooltip though because remote subnet was already specified as was "remote server address", so who knows what this "destination" really is?
"Local source IP" is probably wrong, you want your source WAN IP in there. Very unlikely that your source WAN IP would be in the LAN subnet that you're trying to connect.
I think you want to set "Number of Reconnect" to 0, this means it will try forever [don't ask me what the point of giving up after 'n' tries would be].
"Status"....if this really is a status thing, it shouldn't look like an on/off switch, that makes no sense. If it's actually a disable/enable switch, then enable it.
To add to what ARKWRIGHT said, always mask your public IPs when posting screenshots or descriptions!
UPDATE: just to provide an update here - it would seem that there is a BUG in one or the other of the products in play here, but with the aid of SonicWall engineering we were able to find a configuration that worked. But not an explanation of why the other methods did not.
On the SonicWall side of the equation they have a bit more granularity with regards to the configuration of the IPSec VPN site to site setup. For the Peer and Local IKE ID they allow for the following:
I have always used the Firewall Identifier Mode (MAC ADDRESS) and SonicWall to SonicWall it works.
On the GrandStream side - there is not that level of granularity - only the Local and Remote ID.
So I was trying the MAC address on both sides, we tried the IP address (even though the GS side is dynamic) and also simple strings. Finally we tried a domain name, flipping the granular field to “Domain Name” on the SonicWall and just putting the domain names in the GS fields. And that worked… no explanation as to why none of the other versions worked - but domain name did - SonicWall Engineering has taken this as a potential Bug on their end as it seems most likely that is where the issue is.
Thank you - for your assistance and now we have a way to make it work if anyone else runs into the same situation.