How to configure Tunnel Interface VPN (Route-Based VPN)

  • Published 27 Oct 2024

Comments • 58

  • @runningcolt 2 years ago +4

    That was an outstanding video. It answered many questions I've been carrying; oh, the burden is light now. In the end you mentioned a video on using dynamic routing; looking forward to it :) I would really appreciate the BGP one, especially if you could kind of explain the methodology behind it.

    • @runningcolt 2 years ago

      Please? The BGP VPN video for SonicWall? 😇

  • @randylane1568 2 years ago +2

    Outstanding! You rock JP!

  • @chrisjewell6817 2 months ago

    Great video. Never done it before. Connected our barge through Starlink to our main camera server on another ISP, etc.

  • @ramirojaureguihernandez2168 4 months ago

    Excellent video, thanks for sharing.

  • @umarfarooq-yc6dn 2 years ago +2

    Thanks

  • @herozero2007 5 months ago

    I am aware of using policy type Site-to-Site. Can you explain why we should use Tunnel Interface instead of Site-To-Site for IPSec VPN Policy Type?

  • @sohosterable 7 months ago

    Thank you for the video! It was very good. So what's the difference between site-to-site VPN and Tunnel Interface VPN?

  • @jamescampolo7824 2 years ago +1

    JP, I have a client that wants a P to P VPN setup. The HQ device has a public IP. The remote device is behind a router doing PAT. Can this be configured? Do you have a video on this? I suggested that both the HQ and Remote have public IP addresses but this may take a while to get provisioned.

    • @JeanPierTalbot 2 years ago +1

      As long as the HQ has a fixed IP, you will be good. Follow this: www.sonicwall.com/support/knowledge-base/configuring-aggressive-mode-site-to-site-vpn-when-a-site-has-dynamic-wan-public-ip-address/170505565649605/

  • @chiodos48 2 years ago

    Hello! Great video. I'm learning the SonicWall platform and this was easy to follow on how they create these tunnels. Is there an easy way to create a full tunnel for VPN traffic through the interfaces that you created? Following SonicWall instructions only shows how to with the site-to-site configuration and not a Tunnel Interface. Awesome content again, thanks a bunch! Looking forward to watching some SMA material.

    • @JeanPierTalbot 2 years ago

      Yes, create a route for network 0.0.0.0. That will do a tunnel all.

    • @alexcastillo5319 2 years ago

      @@JeanPierTalbot It was actually the other VPN policy I had in place. You cannot enable a VPN interface if you have a policy based VPN tunnel enabled. Disabling it doesn't work either, it must be deleted.

  • @undi9224 a year ago

    Hi! Shouldn't there be an access rule to allow the incoming traffic on each firewall? I.e., from VPN to LAN.
    I see that the outbound rule was created automatically (from LAN to VPN), but I didn't understand why the inbound rules weren't added, yet it still worked.

  • @BigRic68 a year ago

    Jean-Pier, what's the purpose of building the Interface under Networks? You can reference a tunnel-interface VPN directly from the route next-hop pulldown, which is how I usually do it. However, this does not create an interface for use with DNS Proxy to a remote site for split-DNS. I've been told that I need to create the Network Interface, but I don't really understand what relevance it has, as you never refer to the next-hop gateway address in any of your examples (you point at the tunnel interface, but I never saw you add a pointer to the remote side IP; why is it even necessary?)

    • @JeanPierTalbot a year ago

      What I did here is called a numbered tunnel interface (with a virtual interface).
      There is also the unnumbered tunnel interface (without an interface), which is probably what you are referring to.
      I'll need to dig into the last one and probably do a video on it :)

    • @BigRic68 a year ago

      @@JeanPierTalbot thanks for the quick reply. It would seem that with numbered interfaces, you'd still need to point your routes at the opposing gateway, no? Also, any idea why when setting up split DNS in DNS proxy, you can't pick an unnumbered interface as the path for the proxy redirection but you can (reportedly, haven't tried it yet), use a numbered tunnel interface...

    • @shad0wguy a year ago

      I had this same question as I am trying to set up OSPF on my VPNs and am unsure if I need to set up the tunnel interfaces for it to work.

  • @RobertoBoggian 5 months ago

    Hello Jean-Pier,
    I have a tunnel that is active but has an error message: "IKEv2 unable to find IKE SA".
    The problem is that the IP address of the firewall identifier has changed, but apparently the old IP address is still being tried.
    How can I reset the IP number? Thank you, Roberto

    • @JeanPierTalbot 5 months ago

      Watch this video to see how to do a VPN when one firewall has a dynamic WAN IP:
      th-cam.com/video/Yo5Nyb7XUis/w-d-xo.htmlsi=4zIEzLkUA7IvG9aa

  • @BMLafhameyer 2 years ago

    When would you use a Tunnel Interface over a Site-to-Site VPN? I've built a "spoke and wheel" WAN for a company in the past using Site-to-Site with Sonicwall, so I'm unsure of the circumstance of this usage.

    • @JeanPierTalbot 2 years ago +1

      I think it's a preference. Both work. I personally see the standard site-to-site for a simple VPN setup (one subnet on each side) or for a VPN with a non-SonicWall firewall.
      I would vote for tunnel interface VPN when there is more than one subnet on each side and/or multiple VPNs. Also when you want the VPN to be a backup of a leased line.

  • @alexcastillo5319 2 years ago

    @jean-pier, I am not seeing any VPN policies when I select the dropdown when creating the VPN tunnel interface. I have already created my VPN policy in tunnel mode, yet still nothing appears in the dropdown. Is this a limitation of the models I am using? TZ300 & SOHO250

    • @JeanPierTalbot 2 years ago

      Most likely. Just create the policy manually: from LAN to VPN and from VPN to LAN.

  • @netmanphoto 2 years ago +2

    Thanks for sharing it.

  • @szkl2jl97 2 years ago

    Hi JP, I did successfully create the VPN between a FortiGate and SonicWall OS 7.0.
    I would like to enhance the VPN by implementing proxy IDs on the FortiGate, but I cannot find such a proxy on the SonicWall. Do you have any hints that something equivalent to the proxy subnet exists on the SonicWall?
    I found that other brands such as Juniper and Palo Alto also have such a proxy setting.

  • @maikoblong7247 2 years ago

    Hello Jean-Pier, can you explain in your example how the SonicOS determines the gateway IP addresses of the two tunnel interfaces?

    • @brianbutts575 a year ago

      I'm not entirely sure what is meant by Gateway IP Address as this could mean two different things so I'll answer this two ways:
      For a route-based VPN, gateway IP addresses are not required in the static routes that are added to utilize the tunnel. Instead, a logical pathway is utilized via the VTI (Virtual Tunnel Interface). When traffic is forwarded through this VTI via the static route, it is encapsulated by the sending VPN peer, and then there is only one other peer on the remote side that is also a member of the VPN that is also able to decrypt it. After the peer decrypts each VPN packet, it will utilize its own routing table to send the traffic on its way.
      If by gateway IP address you imply the specific gateway IP address defined at each peer member to point the tunnel to the opposite member, these tunnels can be bound to a specific interface on the local FW, pointing to a specific peer address at the remote side. This allows you to create dual tunnels between the same two FW appliances for a redundant tunnel configuration where you can configure ECMP routing between each FW appliance.

  • @whoishomer 9 months ago

    What is the point of creating the virtual interface and giving it an IP? It seems to work fine without doing that step?

    • @JeanPierTalbot 9 months ago

      Yes, that's called an « unnumbered tunnel interface ».
      On the to-do list to dig into that :-)

  • @marcmoineau8223 a year ago

    @Jean-Pier Talbot I created each step but I don't know why it didn't create the access rules automatically even if the checkmark was on, and I can't ping. The green light is there but that's it, I can't do anything else. :( I don't know why.

    • @JeanPierTalbot a year ago

      You will need to create the access rule.
      You need:
      VPN
      Interface
      Route
      Access rule
      If you can't get it to work, call SonicWall tech support. They are there to help, and the hold time, if any, is a single-digit-minute wait :-)
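The following is an added example, not code from the video, from SonicWall or from anyone in this thread. It models in Python what Brian's reply above describes (a static route that names the tunnel interface rather than a gateway IP, with encapsulation handled by the VPN peer) and JP's checklist (VPN, interface, route, access rule), including the "route for 0.0.0.0" tunnel-all trick from earlier in the thread and a VPN-to-LAN rule narrowed to one host and one port. All addresses, interface names, zone names and metrics are hypothetical; SonicOS metrics and default rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # physical interface or the tunnel interface (VTI)
    zone: str        # zone the egress interface belongs to
    metric: int = 1
    # No next-hop gateway field on purpose: a route over a VTI names the
    # interface, and the VPN policy bound to it takes care of encapsulating
    # to the peer's public IP. The peer decrypts and routes with its own table.


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match first, lowest metric as tie-break."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def match_rule(rules: List[AccessRule], from_zone: str, to_zone: str,
               dst: str, port: int) -> Optional[AccessRule]:
    """First rule whose zone pair, destination and port match."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.from_zone, rule.to_zone) == (from_zone, to_zone) \
                and ip in rule.dst and rule.dst_port in (None, port):
            return rule
    return None


def forward(routes: List[Route], rules: List[AccessRule],
            in_zone: str, dst: str, port: int) -> Tuple[str, str]:
    """Route first, then check the zone-to-zone access rule.
    Returns ('forward', egress_interface) or ('drop', reason)."""
    route = lookup(routes, dst)
    if route is None:
        return ("drop", "no route")
    rule = match_rule(rules, in_zone, route.zone, dst, port)
    if rule is None or rule.action != "allow":
        # Inter-zone traffic with no allow rule is dropped, which is why a
        # tunnel can be green and still not pass VPN->LAN traffic.
        return ("drop", f"no {in_zone}->{route.zone} allow rule")
    return ("forward", route.interface)


N = ipaddress.ip_network
# Constructed branch-side routing table (hypothetical values).
BRANCH_ROUTES = [
    Route(N("192.168.10.0/24"), "X0", "LAN"),          # local LAN
    Route(N("0.0.0.0/0"), "X1", "WAN", metric=20),     # ISP default route
    Route(N("192.168.20.0/24"), "vpn-hq", "VPN"),      # HQ LAN via the tunnel interface
]
# "Tunnel all": a second 0.0.0.0/0 route over the VTI with a better metric
# than the WAN default; more-specific local routes still win.
TUNNEL_ALL_ROUTES = BRANCH_ROUTES + [Route(N("0.0.0.0/0"), "vpn-hq", "VPN", metric=1)]

# Constructed access rules (hypothetical).
RULES = [
    AccessRule("LAN", "LAN", N("0.0.0.0/0"), None, "allow"),         # intra-zone
    AccessRule("LAN", "WAN", N("0.0.0.0/0"), None, "allow"),         # normal internet egress
    AccessRule("LAN", "VPN", N("0.0.0.0/0"), None, "allow"),         # outbound into the tunnel
    AccessRule("VPN", "LAN", N("192.168.10.50/32"), 443, "allow"),   # inbound: one host, one port
]
```

With the split-tunnel table, LAN hosts reach HQ over `vpn-hq` and the internet over `X1`; with the tunnel-all table, internet-bound traffic is pulled into `vpn-hq` while `192.168.10.0/24` still goes out `X0`. From the VPN side only 192.168.10.50:443 is forwarded; any other host or port is dropped because no VPN-to-LAN rule matches, which is the symptom several commenters describe when the tunnel is up but nothing is reachable.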

  • @codogne 2 years ago

    Hello, and thank you for your videos. We are using TI VPN without adding the Interface (11:35). We are only using the routing policy. It is working without issues. Is our configuration supported, or is it better to add a VPN Interface? And if yes, why?

    • @JeanPierTalbot 2 years ago +1

      Good one. I would expect an interface would be needed, as it's called a « tunnel interface ».
      The SonicWall KB shows the creation of the interface. So I would expect the interface to be needed in order to be supported.

    • @mitchellgarrett2912 2 years ago

      We also use route-based VPN without a tunnel interface; the existing one works, but I can't create a new working one without a tunnel interface. Let me know how this works without a tunnel interface being added.

  • @rommeljjimenez 2 years ago +1

    Hello Jean-Pier, your videos are outstanding. Here is a request for you: I would like to see an SMA video configuring an SSL certificate with Let's Encrypt. Thank you in advance, #KeepItUp

    • @JeanPierTalbot 2 years ago +2

      Thanks for your good feedback. Much appreciated!
      Sigh… yeah, honestly certificates are my weakness. But fair request. :-)

    • @rommeljjimenez 2 years ago +1

      @@JeanPierTalbot Brother, in my opinion, what put you on the map was your SMA videos. Your videos have good content; you have very good SonicWall content, which is hard to find. #KeepItUp

  • @syedashraf7209 a year ago

    Hello sir,
    I need a solution for my scenario. I have two different sites, one is HO and the other is remote, and they have two different ISPs. One ISP has provided a public IP which I can use for the tunnel VPN,
    but the other side's ISP can't provide a public IP. Is it possible to create a tunnel VPN between them? Please give me the needful solution.

    • @JeanPierTalbot a year ago

      Sure thing!
      The site that has a public IP would need to be a fixed IP. Then configure the VPN just as if one side has a dynamic IP (like I showed in my video on how to do a site-to-site VPN).

  • @pipi_delina a year ago

    Is there a way to limit communication to a single IP and port through an access policy?

    • @JeanPierTalbot a year ago

      Of course!
      In this video I create an "Any" access rule. Just create the access rules you want instead :-)

    • @pipi_delina a year ago

      @@JeanPierTalbot Nice, I saw it. I'm going to implement one, but the other side is not using SonicWall, and I wanted to limit traffic to the host concerned and the protocol.

    • @JeanPierTalbot a year ago

      You don't need to have the same access rules on both firewalls. One can be set to allow everything in and out, and the other firewall can be very specific in what's allowed.

    • @pipi_delina a year ago

      Thanks

    • @pipi_delina a year ago

      The tunnel is up but I am unable to reach any services. I tried applying an access rule from VPN to my zone targeting my desired IP, still no luck, although you can see traffic on the access rule as "last hit".

  • @keefey569 2 years ago

    Will this work if the other router is not a SonicWall router?

    • @JeanPierTalbot 2 years ago

      Hi Pilon,
      good one, I don't know. I would suggest you ping your local SonicWall SE; he will be able to review that with you and maybe find different solutions if it's not supported.

  • @SoporteCcc-w9k a year ago

    How do I solve this error message on a VPN tunnel between two SonicWall firewalls: "IKE Initiator: Remote party Timeout - Retransmitting IKE Request"?

    • @JeanPierTalbot a year ago +1

      Generally speaking, it's because the other firewall didn't answer the initial request to build a VPN.
      It could be a misconfiguration of the IP, or some ISPs will block VPN when you don't have a business internet line (I have seen it in Canada).

  • @szkl2jl97 2 years ago

    Thanks for the video.
    How can I create a site-to-site VPN, NAT out with a virtual IP, and contact the other site's IP?

    • @JeanPierTalbot 2 years ago +1

      NATing traffic in a tunnel is uncommon, but it can be done. Go into the NAT policies and create a NAT policy from your LAN to the VPN subnet. Depending on your setup, you will probably want to create the corresponding reverse NAT policy. Not something I can go into in detail here. Best would be to contact a SonicWall reseller that offers professional services.

    • @szkl2jl97 2 years ago

      @@JeanPierTalbot Thanks for answering.
      Yes. For the NAT policies, is there any easy way to create both-way policies?

  • @FosterMandy-t1i a month ago

    Price Vista

  • @rudymontero8201 a year ago

    Hello Jean-Pier, I have been a loyal fan of SonicWall since the TZ170 days. I enjoy and have learned a lot from your videos... Thanks... I do have a question. I have a total of 14 locations with a mix of SOHO250 and TZ370, all interconnected using route-based VPN. In most locations I have two ISPs using failover. I would like your advice and best practice in creating a full failover for the site-to-site VPN.
    E.g.
    Current tunnels
    Site-1 X1 to Site-2 X1
    Site-1 X2 to Site-2 X2
    I would like to configure it as follow
    Site-1 X1 to Site-2 X1
    Site-1 X2 to Site-2 X2
    Site-1 X1 to Site-2 X2
    Site-1 X2 to Site-2 X1
    The idea is to ensure a tunnel will always be up as long as one of the ISPs is working at any site.
    thanks
    Rudy

    • @JeanPierTalbot a year ago

      Send me an email; I'll put you in touch with the local SE in your territory.

    • @user-xz9dh9mq3g 6 months ago

      I was wondering if you ever did accomplish this, as I am thinking of doing the same but with SonicWall's SD-WAN.