Sonicwall VPN over wireless

pj

Distinguished
Apr 12, 2004
205
0
18,680
Archived from groups: comp.dcom.vpn

Our relative equipment:

- Sonicwall XPRS2 Firewall w/VPN upgrade
- SafeNet SoftRemote Secure VPN Client (latest build available)
- Integrated Intel Centrino 802.11b/g wireless card

(Windows XP Pro on the laptops)

Our VPN has worked fairly well over ethernet. It's not the newest
global VPN client that Sonicwall offers now, but our hardware doesn't
support that client.

We've been unsuccessful establishing a VPN tunnel/connection when
using wifi. I've tried from a couple locations where we can
successfully connect onto the wireless network and hit the net just
fine, but no VPN. At these locations, I have no trouble establishing
a tunnel and working successfully when I switch to ethernet. Excerpt
from log:

-----------------------
14:16:27.142 Interface added: 137.48.241.28/255.255.252.0 on LAN
"Intel(R) PRO/Wireless 2200BG Network Connection".
14:21:18.341
14:21:18.371 My Connections\GroupVPN 10.0.0.0 - Initiating IKE Phase 1
(IP ADDR=[sonicwall pub addy])
14:21:18.411 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK
AG (SA, KE, NON, ID, VID, VID, VID, VID)
14:21:42.305
14:22:18.557 My Connections\GroupVPN 10.0.0.0 - message not received!
Retransmitting!
14:22:18.557 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK
AG (Retransmission)
------------------------

It loops Phase 1 as such.

I have read a few posts concerning conflicts between IPSec and NAT.
It seems the option to allow NAT Traversal on our Sonicwall is
designed to address this, but we have the same issue whether or not
the option is enabled.

I've tried dinking around with a few other settings on the Sonicwall
and on the client software to no avail. I still have to do some
playing around to see if I can get things to work on my home network
where I have control over the WAP settings, but my concern is with the
posts I read, the fixes were generally concentrated on the router/WAP
settings for the wireless network the client was connecting to
(generally using VPN from home). We're looking to use our laptops as
an "on the road" solution, so we do not have such options. Is there
anything we can do within our power to solve this problem?

Thanks for any ideas,
PJ
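An added example, not code from the original post, that parses SafeNet SoftRemote log lines like the excerpt above and flags the Phase 1 loop it shows: an aggressive-mode packet sent, never answered, and retransmitted. The sample log is constructed from the excerpt (the gateway address is a placeholder, and the wording of a RECEIVED<<< line is an assumption).

```python
import re
from datetime import datetime

# Constructed sample modelled on the SoftRemote excerpt in the post above:
# timestamps and the connection name are copied from it, the gateway address
# is a placeholder, and the last two lines extend the loop the poster describes.
SAMPLE_LOG = r"""14:16:27.142 Interface added: 137.48.241.28/255.255.252.0 on LAN "Intel(R) PRO/Wireless 2200BG Network Connection".
14:21:18.341
14:21:18.371 My Connections\GroupVPN 10.0.0.0 - Initiating IKE Phase 1 (IP ADDR=198.51.100.1)
14:21:18.411 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
14:22:18.557 My Connections\GroupVPN 10.0.0.0 - message not received! Retransmitting!
14:22:18.557 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK AG (Retransmission)
14:23:18.600 My Connections\GroupVPN 10.0.0.0 - message not received! Retransmitting!
14:23:18.600 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK AG (Retransmission)
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.+?) - (.*)$")
NO_REPLY, ANSWERED, NOT_STARTED = "phase1_no_reply", "phase1_answered", "phase1_not_started"

def analyze(log_text):
    """Group SoftRemote log lines by connection and count IKE Phase 1 events."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # interface lines and bare timestamps carry no IKE event
            continue
        ts, conn, event = m.groups()
        when = datetime.strptime(ts, "%H:%M:%S.%f")
        c = conns.setdefault(conn, {"initiated": 0, "sent": 0, "retransmissions": 0,
                                    "responses": 0, "first": when, "last": when})
        c["last"] = when
        if event.startswith("Initiating IKE Phase 1"):
            c["initiated"] += 1
        elif event.startswith("SENDING>>>>"):
            c["sent"] += 1
            c["retransmissions"] += int("(Retransmission)" in event)
        elif event.startswith("RECEIVED<<<"):  # assumed wording of an answered exchange
            c["responses"] += 1
    for c in conns.values():
        c["elapsed_s"] = (c["last"] - c["first"]).total_seconds()
        if not c["initiated"]:
            c["verdict"] = NOT_STARTED
        elif c["responses"] == 0 and c["retransmissions"] > 0:
            c["verdict"] = NO_REPLY  # gateway never answered the aggressive-mode packet
        else:
            c["verdict"] = ANSWERED
    return conns
```

A `phase1_no_reply` verdict with a working internet connection points at the path between the hotspot and the gateway (UDP/500 filtered or translated), not at the client's IKE proposal, since the first packet is never answered at all.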
 
Guest

PJ wrote:

> Our relative equipment:
>
> - Sonicwall XPRS2 Firewall w/VPN upgrade
> - SafeNet SoftRemote Secure VPN Client (latest build available)
> - Integrated Intel Centrino 802.11b/g wireless card
>
> (Windows XP Pro on the laptops)
>
> Our VPN has worked fairly well over ethernet. It's not the newest
> global VPN client that Sonicwall offers now, but our hardware doesn't
> support that client.
>
> We've been unsuccessful establishing a VPN tunnel/connection when
> using wifi. I've tried from a couple locations where we can
> successfully connect onto the wireless network and hit the net just
> fine, but no VPN. At these locations, I have no trouble establishing
> a tunnel and working successfully when I switch to ethernet. Excerpt
> from log:
>
> -----------------------
> 14:16:27.142 Interface added: 137.48.241.28/255.255.252.0 on LAN
> "Intel(R) PRO/Wireless 2200BG Network Connection".
> 14:21:18.341
> 14:21:18.371 My Connections\GroupVPN 10.0.0.0 - Initiating IKE Phase 1
> (IP ADDR=[sonicwall pub addy])
> 14:21:18.411 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK
> AG (SA, KE, NON, ID, VID, VID, VID, VID)
> 14:21:42.305
> 14:22:18.557 My Connections\GroupVPN 10.0.0.0 - message not received!
> Retransmitting!
> 14:22:18.557 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK
> AG (Retransmission)
> ------------------------
>
> It loops Phase 1 as such.
>
> I have read a few posts concerning conflicts between IPSec and NAT.
> It seems the option to allow NAT Traversal on our Sonicwall is
> designed to address this, but we have the same issue whether or not
> the option is enabled.
>

That is for VPN clients inside that sonicwall (i.e. users at the corp
office trying to VPN out to someone else)

Are the wireless locations you are trying from behind NAT firewalls? If
so, I'm afraid you are outta luck - you won't be able to do it.
 
Guest

Right. Unfortunately, you must be on a separate subnet to use VPN.

"T. Sean Weintz" <sweintz@hanh-ct.org> wrote in message
news:10fg4ciqq44h50e@news.supernews.com...
> PJ wrote:
>
> > Our relative equipment:
> >
> > - Sonicwall XPRS2 Firewall w/VPN upgrade
> > - SafeNet SoftRemote Secure VPN Client (latest build available)
> > - Integrated Intel Centrino 802.11b/g wireless card
> >
> > (Windows XP Pro on the laptops)
> >
> > Our VPN has worked fairly well over ethernet. It's not the newest
> > global VPN client that Sonicwall offers now, but our hardware doesn't
> > support that client.
> >
> > We've been unsuccessful establishing a VPN tunnel/connection when
> > using wifi. I've tried from a couple locations where we can
> > successfully connect onto the wireless network and hit the net just
> > fine, but no VPN. At these locations, I have no trouble establishing
> > a tunnel and working successfully when I switch to ethernet. Excerpt
> > from log:
> >
> > -----------------------
> > 14:16:27.142 Interface added: 137.48.241.28/255.255.252.0 on LAN
> > "Intel(R) PRO/Wireless 2200BG Network Connection".
> > 14:21:18.341
> > 14:21:18.371 My Connections\GroupVPN 10.0.0.0 - Initiating IKE Phase 1
> > (IP ADDR=[sonicwall pub addy])
> > 14:21:18.411 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK
> > AG (SA, KE, NON, ID, VID, VID, VID, VID)
> > 14:21:42.305
> > 14:22:18.557 My Connections\GroupVPN 10.0.0.0 - message not received!
> > Retransmitting!
> > 14:22:18.557 My Connections\GroupVPN 10.0.0.0 - SENDING>>>> ISAKMP OAK
> > AG (Retransmission)
> > ------------------------
> >
> > It loops Phase 1 as such.
> >
> > I have read a few posts concerning conflicts between IPSec and NAT.
> > It seems the option to allow NAT Traversal on our Sonicwall is
> > designed to address this, but we have the same issue whether or not
> > the option is enabled.
> >
>
> That is for VPN clients inside that sonicwall (i.e. users at the corp
> office trying to VPN out to someone else)
>
> Are the wireless locations you are trying from behind NAT firewalls? If
> so, I'm afraid you are outta luck - you won't be able to do it.
>
 

pj

"J. McGoggin" <johnmcgoggin@hotmail.com> wrote in message news:<u0ZJc.5539$Qu5.2237@newsread2.news.pas.earthlink.net>...
> Right. Unfortunately, you must be on a separate subnet to use VPN.
>


> >
> > Are the wireless locations you are trying from behind NAT firewalls? If
> > so, I'm afraid you are outta luck - you won't be able to do it.
> >


It is pretty common for a remote wifi network to be using NAT, no? It
seems I've never been able to get the VPN to work on a few different
wireless networks, and I'm guessing this is why.

The way I understand this is, it's quite a brick wall. I'm curious as
to how other companies resolve such problems though. I'm sure we're
not the only company with end-users that see an Intel centrino
commercial and expect to have the world at their fingertips from any
park bench in the world without any problems, including secure access
into the corp network. Do a lot of companies just run terminal
server/citrix/PC Anywhere/etc type remote connectivity straight with
no VPN tunnel for wireless clients?

Muchos thanks and thanks to any more ideas,

PJ
 
Guest

PJ wrote:

> It is pretty common for a remote wifi network to be using NAT, no? It
> seems I've never been able to get the VPN to work on a few different
> wireless networks, and I'm guessing this is why.
>
> The way I understand this is, it's quite a brick wall. I'm curious as
> to how other companies resolve such problems though. I'm sure we're
> not the only company with end-users that see an Intel centrino
> commercial and expect to have the world at their fingertips from any
> park bench in the world without any problems, including secure access
> into the corp network. Do a lot of companies just run terminal
> server/citrix/PC Anywhere/etc type remote connectivity straight with
> no VPN tunnel for wireless clients?
>
> Muchos thanks and thanks to any more ideas,
>
> PJ

Some NAT boxes do support NAT traversal - but it seems to be very
non-standardized as to how it works. Most of the time you won't be able
to do it.

The way we get around it is exactly what you guessed - Citrix.

-T. Sean Weintz
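How the NAT Traversal option discussed in this thread decides whether a NAT sits between the peers, as an added example that is not code from either poster: RFC 3947 NAT-D payloads carry HASH(CKY-I | CKY-R | IP | Port), and the receiver recomputes the hash over the source address and port it actually saw. The cookies and the gateway address below are constructed placeholders; 137.48.241.28 is the interface address from the log earlier in the thread.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """One NAT-D payload body as defined in RFC 3947 section 3.2:
    HASH(CKY-I | CKY-R | IP | Port) using the Phase 1 negotiated hash."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, cky_i + cky_r + packed).digest()

def build_nat_d(cky_i, cky_r, remote, local_addrs, algo="sha1"):
    """Sender side: the first payload hashes the peer's address, the rest hash
    every local (ip, port) the sender could be using."""
    first = nat_d_hash(cky_i, cky_r, *remote, algo=algo)
    return [first] + [nat_d_hash(cky_i, cky_r, ip, port, algo=algo) for ip, port in local_addrs]

def classify_nat(cky_i, cky_r, payloads, my_addr, seen_src, algo="sha1"):
    """Receiver side. Returns (receiver_behind_nat, sender_behind_nat):
    - the first payload must match the receiver's own address/port, else the
      receiver's address was rewritten on the way in;
    - one of the remaining payloads must match the packet's observed source,
      else the sender's address/port was rewritten (the hotspot-NAT case)."""
    me = nat_d_hash(cky_i, cky_r, *my_addr, algo=algo)
    src = nat_d_hash(cky_i, cky_r, *seen_src, algo=algo)
    return (payloads[0] != me, src not in payloads[1:])

# Constructed cookies and addresses; 137.48.241.28 is the interface address in the log above.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
GATEWAY = ("198.51.100.1", 500)  # placeholder for the SonicWALL public address

def demo(client_addr, src_as_seen_by_gateway):
    """Client builds its NAT-D payloads; gateway classifies them against what it saw."""
    payloads = build_nat_d(CKY_I, CKY_R, GATEWAY, [client_addr])
    return classify_nat(CKY_I, CKY_R, payloads, GATEWAY, src_as_seen_by_gateway)

if __name__ == "__main__":
    # Wired case: gateway sees the same address the client hashed -> no NAT either way.
    print(demo(("137.48.241.28", 500), ("137.48.241.28", 500)))  # (False, False)
    # Hotspot case: client hashed its private address, gateway sees the hotspot's
    # public address and a translated port -> the sender is behind NAT.
    print(demo(("192.168.1.10", 500), ("203.0.113.7", 4123)))  # (False, True)
```

A mismatch only tells both ends to move IKE to UDP/4500 and UDP-encapsulate ESP; the detection runs inside the first exchange, so it cannot help when, as in the log above, the gateway never answers at all.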
 
Guest

"T. Sean Weintz" <sweintz@hanh-ct.org> wrote:
>PJ wrote:
>
>> It is pretty common for a remote wifi network to be using NAT, no? It
>> seems I've never been able to get the VPN to work on a few different
>> wireless networks, and I'm guessing this is why.
>>
>> The way I understand this is, it's quite a brick wall. I'm curious as
>> to how other companies resolve such problems though. I'm sure we're
>> not the only company with end-users that see an Intel centrino
>> commercial and expect to have the world at their fingertips from any
>> park bench in the world without any problems, including secure access
>> into the corp network. Do a lot of companies just run terminal
>> server/citrix/PC Anywhere/etc type remote connectivity straight with
>> no VPN tunnel for wireless clients?
>>
>> Muchos thanks and thanks to any more ideas,
>>
>> PJ
>
>Some NAT boxes do support NAT traversal - but it seems to be very
>non-standardized as to how it works. Most of the time you won't be able
>to do it.
>
>The way we get around it is exactly what you guessed - Citrix.
>
>-T. Sean Weintz

Implementing NAT traversal is not only non-standards conforming but also
might get some gorillas on their backs.

The only proven VPN implementation is based on IPsec, the real solid
standard. See http://vpnc.org for standards details.

We implement a mix of IPsec and ssh (openssh, to be exact)
interoperations to, we believe, really fortify VPN over NAT. We secure
both authorization into the wireless network and the traffic.

As you said, if you really just need to remotely connect with some
security, there are lots of Windoze tools.

------------------------------------------------
The leader in Green VPN solutions
http://strongsolutions.addr.com/
------------------------------------------------
 
