Example VPN Setup
Vigor2200/2600 Series to Sonicwall™ Device
Please note : This document is provided as a courtesy only, without warranty or support and does not imply compatibility or endorsement with any 3rd party vendor. For support on a specific product, you should contact your vendor of that product directly.
Preamble / Pre-requisites
A successful and reliable connection between these two devices is not hard to achieve and makes for a good satellite office solution. If you have gone through these instructions and are still having problems, check your network connections to ensure that there isn't some other factor preventing successful operation.
You will need a DrayTek router (any Vigor2200 or 2600 series with VPN facility) and a SonicWall VPN device. Both routers must be correctly configured with outside IP addresses and separate Internal LANs (i.e. the private LAN addresses at each site must be within different subnets).
To prepare make sure you complete the following :
- Install the latest formal release firmware for the Vigor and SonicWall
- Ensure you have and know your Static Public IP address for both Devices (Must allow UDP port 500 (IPSec) and protocol 50 (ESP) and 51 (AH) through). Unless you are going via some other network, or your ISP is being dastardly, these protocols/ports will not be blocked on a typical Internet connection.
- The LAN clients behind Both devices (Vigor and Sonicwall) should be able to access the Internet for regular surfing successfully.
Collate your Information
You will need the following information :
- Public (WAN) IP address of the Vigor WAN interface
- Private (LAN) subnet of the Vigor LAN interface & netmask
- Public (WAN) IP address of the SonicWall WAN interface
- Private (LAN) subnet of the SonicWall LAN interface & netmask
- A previously agreed on pre-shared Key
For the purposes of our example, for the above we will assume as follows :
- Vigor WAN IP address: X.X.X.X
- Vigor LAN subnet: D.D.D.D & mask 255.255.255.0
- SonicWall WAN IP address: Y.Y.Y.Y
- LAN subnet: S.S.S.S & netmask 255.255.255.0
- Pre-shared key : helloworld
Configure the SonicWall
- Log in to the SonicWall as admin and go to the VPN section
- Select the Configure tab
- Select the [GroupVPN] SA in the Security Association drop down box
- Disable the [GroupVPN] SA by checking the disabled box (see Note 1)
- Select "Add SA" in the Security Association drop down box
- In the "IPSec Keying Mode" drop down box select [IKE using Preshared Key]
- In the "Name" text box enter a name for your SA (This can be any name you like. In this configuration it does not matter)
- In the "IPSec Gateway Address" enter the Public IP address of the Vigor WAN interface
- In the "Phase 1 DH Group" dropdown box select [Group 1]
- In the "SA Life time (secs)" text box leave as [28800]
- In the "Phase 1 Encryption/Authentication" drop down box leave as [DES MD5]
- In the "Phase 2 Encryption/Authentication" drop down box leave as [Encrypt and Authenticate (ESP DES HMAC MD5)]
- In the "Shared Secret" text box enter 'helloworld' (without the quotes)
- In the "Destination Networks" section select the option to specify "Network Destinations Below"
- Click on the "Add Network" button and enter in the Private subnet of the Vigor LAN interface [D.D.D.D] and [255.255.255.0]
- Leave all the settings as default in the "Advanced" section (see Note 2)
- Click on the "Update" button

Configure the Vigor
- Log into the Vigor's web admin interface and go to the VPN setup section.
- Select the "VPN IKE/IPSec Setup"
- In the "Dial-In Set up" section:
- In the "Pre-Shared Key" text box enter 'helloworld' (without the quotes)
- In the "Re-type Pre-Shared Key" text box enter 'helloworld' again
- Check the "Medium (AH)" check box (see Note 3)
- Check the "High (ESP)" check box
- In the "High (ESP)" drop down box select [both]
- In the "Dial-Out Set up" section:
- In the "Pre-Shared Key" text box enter the preshared secret previously agreed on
- In the "Re-type Pre-Shared Key" text box enter the preshared secret previously agreed on
- Click on the OK button
- Select "Lan-to-Lan Dialler Profiles"
- Select an empty Profile
- In the "Profile Name" text box enter a name for your profile (This can be any name you like; it is for reference only, but we recommend you use the name of the remote site.)
- Check the "Enable this profile" check box
- Select "Both" for "Call Direction"
- In the "Idle Timeout" text box enter [300] (see Note 4)
- In the "Dial-Out settings" section:
- In the "Username" text box enter any string of characters (see Note 5)
- Leave the "Password" text box empty (see Note 5)
- In the "Dial Number..." field enter the Public IP address of the SonicWall WAN interface
- Select "IPSec Tunnel"
- Select "High (ESP)"
- In the "High (ESP)" drop down box select [DES with Authentication]
- Leave all other settings as default
- In the "Dial-In settings" section :
- In the "Username" text box enter any string of characters (see Note 5)
- Leave the "Password" text box empty (see Note 5)
- Leave the "Enable CLID Authentication" check box unchecked
- Leave the "Peer ISDN Number or Peer VPN Server IP" text box empty
- In the "Allowed Dial-In Type" section:
- Uncheck the "ISDN" checkbox
- Uncheck the "PPTP" checkbox
- Check the "IPSec" checkbox
- Uncheck the "L2TP" checkbox
- Leave all other settings as default
- In the "TCP/IP Network Settings" section:
- In "My WAN IP" text box enter [0.0.0.0]
- In "Remote Gateway IP" text box enter [0.0.0.0]
- In "Remote Network IP" text box enter the Private subnet of the SonicWall LAN interface [S.S.S.S]
- In "Remote Network Mask" text box enter the SonicWall LAN interface subnet mask [255.255.255.0]
- In the "RIP Direction" drop down box select [Disable] (see Note 6)
- In the "For NAT operation, treat remote sub-net as" drop down box select [Private IP]
- Leave all other settings as default
- Test the VPN with a ping from the Vigor LAN to the SonicWall LAN. The first couple of pings will always fail (timeout) while the tunnel is still being established ('dialled') if the connection wasn't already up.
- Check to see if the Vigor has registered a current IPSec connection from the 'VPN Management' screen in the web configurator
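
A consistency check of the values entered above, added here as an illustration (it is not part of the original document or of either vendor's tooling): it verifies that the two LAN subnets differ, that neither WAN address is an RFC 1918 private address, that both ends agree on key and proposal, and it flags the settings used here that are weak by current standards. The addresses are constructed placeholders; the dict field names and the 20-character key threshold are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Settings chosen in this document that are weak by current standards.
WEAK = {"encryption": {"DES"}, "integrity": {"MD5"}, "dh_group": {1}}

def check_plan(a, b, min_psk_len=20):
    """Return findings for two site dicts that describe the ends of one tunnel."""
    out = []
    lan_a = ipaddress.ip_network(f"{a['lan']}/{a['mask']}", strict=False)
    lan_b = ipaddress.ip_network(f"{b['lan']}/{b['mask']}", strict=False)
    if lan_a.overlaps(lan_b):  # the private LANs must be in different subnets
        out.append(f"ERROR: LAN subnets overlap ({lan_a} and {lan_b})")
    for s in (a, b):
        wan = ipaddress.ip_address(s["wan"])
        if any(wan in net for net in RFC1918):
            out.append(f"ERROR: {s['name']} WAN {wan} is private, not a public address")
    if a["psk"] != b["psk"]:
        out.append("ERROR: pre-shared keys differ")
    elif len(a["psk"]) < min_psk_len:  # threshold is an assumption, not a vendor rule
        out.append(f"WARN: pre-shared key is only {len(a['psk'])} characters")
    for field, weak in WEAK.items():
        va, vb = a.get(field), b.get(field)
        if va is not None and vb is not None and va != vb:
            out.append(f"ERROR: {field} mismatch ({va} vs {vb})")
        for v in {va, vb} - {None}:  # a value one side does not expose is skipped
            if v in weak:
                out.append(f"WARN: {field}={v} is weak by current standards")
    return out

# Constructed sample values standing in for X.X.X.X, D.D.D.D, Y.Y.Y.Y and S.S.S.S.
VIGOR = {"name": "Vigor", "wan": "192.0.2.10", "lan": "192.168.1.0",
         "mask": "255.255.255.0", "psk": "helloworld",
         "encryption": "DES", "integrity": "MD5"}
SONICWALL = {"name": "SonicWall", "wan": "198.51.100.20", "lan": "192.168.2.0",
             "mask": "255.255.255.0", "psk": "helloworld",
             "encryption": "DES", "integrity": "MD5", "dh_group": 1}

if __name__ == "__main__":
    for line in check_plan(VIGOR, SONICWALL):
        print(line)
```

With the example values from this document the check reports no errors and four warnings: the short pre-shared key, DES, MD5 and DH Group 1.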

Notes :
1. The GroupVPN SA can snatch connections in some circumstances. To simplify this process leave this SA disabled until you have a successful IPSec connection.
2. The settings in the advanced area on the SonicWall can be left as default. Although in some circumstances some of these settings might be useful, some can make your tunnel inoperable. For the purposes of this document leave all advanced settings at default.
3. The SonicWall requests High (ESP) with MD5 so that is all you need to configure, but for the sake of simplicity we leave it on the default settings.
4. If you are experiencing failures such as traffic ceasing to pass through the tunnel due to line/ISP interruption but the Vigor indicates that the tunnel is still up (because the key has not yet expired), then lowering the VPN timeout value can reduce this effect.
5. IPSec does not use usernames and passwords in the Preshared Key configuration. This is required in order that the Vigor enables pre-shared keys, but it is ignored when setting up the connection. This is no longer necessary in Vigor firmware versions later than 2.2.1
This document was produced with assistance from Bridge Partners. Bridge Partners specialise in VPNs and particularly IPSec tunnels. They are available for contract work within or outside the scope of this document. They can be contacted at draytek@bridgepartners.co.uk or www.bridgepartners.co.uk.
© SEG Communications. All trademarks are recognised as belonging to their respective owners. All rights reserved. Information and products subject to change at any time without notice.