How to create a VPN site to site

I need to create a site to site VPN between two sonicwalls

TZ 270 (site A) and NS2600 (site B)

Looking at SonicWall’s build guide, it’s not clear to me all the steps to follow.

The guide starts with the step of creating two address objects, one per firewall, so in my case I create:

for Site A:

Name: TZ 270 VPN Network

Zones: VPNs

Network: What do I put? The IP from the SonicWall guide, or the address we use internally within the company?

Netmask: 255.255.255.0?

There is a wizard that will walk you through setting up the VPN tunnel. It exists on both firewalls.

Creating a site-to-site VPN tunnel in the Sonicwall OS

Need: external IP and internal IP range of both ends. Note that the external IP range of any tunnel must be different than any of the other tunnels already defined on that firewall.

If you are setting a firewall up behind an ISP router that is NOT in bridge mode (i.e. double-NATing), you must set up an IP reservation for the Sonicwall so that it always gets the same IP address. For the Sonicwall’s WAN interface, define it as Static, and input this address. Use the IP of the ISP router as the gateway. You must forward port 443 to the Sonicwall for the VPN tunnel to work. Note also that you must forward port 4886 (or whatever your management port is) to be able to manage the Sonicwall over the internet, and port 4433 (or whatever your SSLVPN port is) for SSLVPN to connect to the firewall.

In this example, we’re using LOCAL as the local and REMOTE as the remote.

  1. Create address objects on each firewall for the other end’s LAN, e.g. LOCALLan and REMOTELan

    - On the LOCAL firewall, create address object

      - Name: REMOTELan
      - Zone: VPN
      - Type: Network
      - Network: e.g. 10.0.0.0 (Remote location’s internal LAN range, using 0 in the last octet)
      - Netmask: 255.255.255.0

    - On the REMOTE firewall, create address object

      - Name: LOCALLan
      - Zone: VPN
      - Type: Network
      - Network: e.g. 172.15.1.0 (Local location’s internal LAN range, using 0 in the last octet)
      - Netmask: 255.255.255.0

  2. In the VPN base settings of each firewall, change the Firewall Identifier to be descriptive (note: minimum of 4 characters)

    - Local Identifier = LOCALFirewall
    - Remote Identifier = REMOTEFirewall

  3. Add a new VPN Policy in each firewall, name it the same as the identifier at the other end

    - On LOCAL Firewall General Tab

      - Type = Site-to-site
      - Name = Firewall ID from the other end (must match exactly)
      - IKE using preshared secret
      - Primary Gateway = Remote site’s external IP
      - Secondary Gateway = 0.0.0.0 (unless you are setting up an alternate path using a 3rd firewall)
      - Shared Secret = you make this up, but write it down!
      - Local IKE ID = Choose Firewall ID from the drop-down list, set value to the ID from step 2 (LOCALFirewall)
      - Peer IKE ID = Choose Firewall ID from the drop-down list, set value to the ID from step 2 (REMOTEFirewall)

    - On LOCAL Firewall Network Tab

      - Choose local identifier from the list that represents the IP range of the local network = usually ‘LAN Primary Subnet’. If LAN Primary Subnet is not available, try using the LAN interface, usually "X0" or similar. Check through the settings to make sure this refers to the same range as in step 1 - IMPORTANT
      - Choose destination identifier from the list – choose the address object you created in step 1 (REMOTELan)

    - On LOCAL Firewall Proposals Tab

      - Exchange = IKE v2 mode if available on both firewalls, otherwise use “Main Mode” if you have static IP addresses on both ends, or “Aggressive Mode” if you have a dynamic IP on either end.
      - Other fields on this tab = use the defaults

    - On the LOCAL Firewall Advanced Tab

      - Check “Keep Alive” (note: If BOTH firewalls are on the 6.0+ firmware, then BOTH need Keep Alive enabled. Otherwise only the LOCAL firewall should have Keep Alive enabled)
      - Other fields on this tab = use the defaults

    - On REMOTE Firewall General Tab

      - Type = Site-to-site
      - IKE using preshared secret
      - Name the policy the same as the Firewall ID on the other end (must match exactly)
      - Primary Gateway = LOCAL location’s external IP
      - Secondary Gateway = 0.0.0.0 (unless you are setting up an alternate path using a 3rd firewall)
      - Shared Secret = same as the shared secret you used on the other firewall
      - Local IKE ID = Firewall ID from step 2 (REMOTEFirewall)
      - Peer IKE ID = Firewall ID from step 2 (LOCALFirewall)

    - On REMOTE Firewall Network Tab

      - Choose local identifier from the list that represents the IP range of the local network = usually ‘LAN Primary Subnet’. If LAN Primary Subnet is not available, try using the LAN interface, usually "X0". Check through the settings to make sure this refers to the same range as in step 1
      - Choose destination identifier from the list – choose the address object you created in step 1 (LOCALLan)

    - On REMOTE Firewall Proposals Tab

      - Exchange = Use the same parameters you selected on the other firewall
      - Other fields on this tab = use the defaults

    - On the REMOTE Firewall Advanced Tab

      - Check “Keep Alive” if the firewall is on the 6.0+ firmware (note: If BOTH firewalls are on the 6.0+ firmware, then BOTH need Keep Alive enabled. Otherwise only the LOCAL firewall should have Keep Alive enabled)
      - Other fields on this tab = use the defaults

  4. Once you click OK on the 2nd firewall, you should see the tunnel come up (green dot on the VPN tunnel listing)

  5. Test the tunnel by pinging a computer on the remote LAN from the local LAN.
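Most tunnels that fail to come up do so because the two policies do not mirror each other. As an added cross-check (not part of the guide above and not a SonicWall tool), this script encodes the matching rules from steps 1 to 3 and the Keep Alive rule, and also flags overlapping LAN ranges, which the guide does not mention. The firewall IDs and LAN ranges are the guide's examples; the WAN addresses and shared secret are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VpnEnd:
    firewall_id: str        # Firewall Identifier (step 2), also used as the Local IKE ID
    external_ip: str        # this firewall's public WAN address
    lan: str                # address object for this site's own LAN, e.g. "10.0.0.0/24"
    policy_name: str        # must equal the other end's Firewall ID (step 3)
    primary_gateway: str    # must be the other end's external IP
    peer_ike_id: str        # must be the other end's Firewall ID
    shared_secret: str
    exchange: str           # "IKEv2", "Main Mode" or "Aggressive Mode" (Proposals tab)
    keep_alive: bool
    firmware_6plus: bool

def check_pair(local: VpnEnd, remote: VpnEnd) -> list[str]:
    """List every way the two ends fail to mirror each other; empty means consistent."""
    problems = []
    for side, end, other in (("LOCAL", local, remote), ("REMOTE", remote, local)):
        if len(end.firewall_id) < 4:
            problems.append(f"{side}: Firewall Identifier needs at least 4 characters")
        if end.lan.split("/")[0] != str(ipaddress.ip_network(end.lan, strict=False).network_address):
            problems.append(f"{side}: LAN object {end.lan} must use the network address (0 in the last octet)")
        if end.policy_name != other.firewall_id:
            problems.append(f"{side}: policy name must equal the other end's Firewall ID {other.firewall_id}")
        if end.primary_gateway != other.external_ip:
            problems.append(f"{side}: Primary Gateway must be the other end's external IP {other.external_ip}")
        if end.peer_ike_id != other.firewall_id:
            problems.append(f"{side}: Peer IKE ID must be the other end's Firewall ID {other.firewall_id}")
    if local.shared_secret != remote.shared_secret:
        problems.append("Shared Secret differs between the two firewalls")
    if local.exchange != remote.exchange:
        problems.append("Exchange mode in Proposals differs between the two firewalls")
    if ipaddress.ip_network(local.lan, strict=False).overlaps(ipaddress.ip_network(remote.lan, strict=False)):
        problems.append("the two LAN ranges overlap, so traffic cannot be routed across the tunnel")
    both_6plus = local.firmware_6plus and remote.firmware_6plus
    if both_6plus and not (local.keep_alive and remote.keep_alive):
        problems.append("both firewalls run 6.0+ firmware, so both need Keep Alive")
    if not both_6plus and (remote.keep_alive or not local.keep_alive):
        problems.append("with older firmware only the LOCAL firewall should have Keep Alive")
    return problems

def sample_sites() -> tuple[VpnEnd, VpnEnd]:
    # Constructed example: LAN ranges from the guide, WAN addresses from documentation ranges.
    secret = "s3cret-write-it-down"   # constructed placeholder, not a real secret
    local = VpnEnd("LOCALFirewall", "203.0.113.10", "172.15.1.0/24", "REMOTEFirewall",
                   "198.51.100.20", "REMOTEFirewall", secret, "IKEv2", True, True)
    remote = VpnEnd("REMOTEFirewall", "198.51.100.20", "10.0.0.0/24", "LOCALFirewall",
                    "203.0.113.10", "LOCALFirewall", secret, "IKEv2", True, True)
    return local, remote
```

Run `check_pair(*sample_sites())` on your own planned values before typing them into the two firewalls; an empty list means the two ends agree.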

Well it works, thanks a lot guys. Now ping works from both sides. How can I now get the network disks from site A to be mapped as if I were on site B?

You would put the network of the remote side you want to be able to access in the VPN. The IPs and networks in the article are just examples…

Do both sites have static IPs? I hope so, then it’s Main mode. Else it’s Aggressive and more than below.

There is a setup wizard. All you need to know is the site IPs and the internal network ranges of both sites. Match the secrets and proposals and you’re done.

https://youtu.be/Yo5Nyb7XUis. Check out this video demonstration.

That’s exactly what I did, but I don’t understand if I have to put the IPs used by us on the two sites in the Network field, or the ones you suggest.