
Home to Office VPN Problem


ThunderForest (IS-IT--Management), Mar 3, 2003
Home (Client):
Typical Comcast broadband modem
Win 98 PC
Sonicwall VPN Global Client

Office LAN:
Efficient 5851 DSL Router NAT Enabled, 1 static IP
w/IKE IPSec keys
Firewall: Sonicwall TZ-170 w/VPN enabled

Sonicwall knowledgebase mentions I need to open UDP port 500 for IKE and IP Protocol 50 for IPSec on the 5851 router. I think that means something like:

eth ip filter append input accept -p udp -sp 500 -dp 500 1
eth ip filter append input accept -p 50 1
eth ip filter append output accept -p udp -sp 500 -dp 500 1
eth ip filter append output accept -p 50 1

When I attempt to connect from home with the Sonicwall client, the log says:
The peer is not responding to phase 1 ISAKMP requests

The DSL router also shows no activity, let alone the TZ-170. I'm hoping I don't need to entirely configure the 5851 for VPN, and instead just pass through it. Do I need to port forward on the 5851 to the TZ-170? If so, what port(s)? Also, considering the 5851 config, can only one client at a time access the LAN? I appreciate any input. Thanks.

Getting answers before I'm asked
is why I go to Tek-Tips.
 
Try to ping the public IP address of the VPN server from home.
 
Thanks for the reply. So much has happened and it has been a nightmare thus far. Learning quite a bit, though. Forget the eth ip commands above. All I needed to do was port forward UDP 500. I finally appeared to complete phase 2 when at home, but the firewall log told me the payload could not complete. Sonicwall told me the DSL router needed the bridge enabled so the TZ-170 could be the WAN IP and do NAT. That was done, and then the TZ-170 could not process inbound or outbound. No e-mail, no internet. Since the bridge was enabled on the router, I could no longer telnet to it or use the management interface. Had to use HyperTerminal, but I didn't have the DB9 to RJ45 cable. Turned out to be a hard to find item. Panic mode. Internet was down for nearly 24 hours. This morning at work I found the cable in an old router box, connected to the router, and disabled the bridge. All is back to normal. Efficient told me to check with Covad (ISP) to see if the circuit is compatible for a bridge. That's where I'm at. Square one, that is. I will say that, despite all, both SonicWall and Efficient tech support have been quite good.

 
You are behind a firewall performing NAT. You may need to enable NAT Traversal on the SonicWall firewall.

Computer/Network Technician
CCNA
 
I did have that enabled on the SonicWall. With Sonicwall tech support I tried, I believe, nearly every combination, NAT w/DHCP, w/PPPoE. As far as the 5851 DSL router goes, other than getting the IKE and IPSec keys, I haven't set any VPN configurations on it. SonicWall documentation didn't mention anything about that, but I wonder if that's what the problem is. I really would like to avoid bridging the router.

 
Hello,
I have the same setup as you do. Here are the firewall rules that worked for me. I hope they help.
#VPN
eth ip filter append input accept -c 0 -p udp -tcp syn -tcp ack -dp 500 0
eth ip filter append input accept -c 0 -p udp -tcp ack -dp 500 0
eth ip filter append input accept -c 0 -p udp -tcp syn -tcp ack -dp 50 0
eth ip filter append input accept -c 0 -p udp -tcp ack -dp 50 0

#VPN
remote ipfilter append input accept -c 0 -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -c 0 -p udp -sp 50 -dp 50 internet
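A small checker for rule sets like the two posted in this thread, added here as an example; it is not code from the thread, Efficient or SonicWall. How it reads the 5851 rule syntax is an assumption based only on the lines posted above, and UDP 4500 for NAT Traversal is the standard port, which the thread itself never states.

```python
import re
from collections import namedtuple

# Traffic an IPsec client behind NAT needs the DSL router to pass to the TZ-170.
# ESP is IP protocol 50, which is not the same thing as UDP or TCP port 50.
NEEDED = {
    "IKE":   ("udp", 500),   # ISAKMP, as the thread states
    "ESP":   ("50", None),   # IP protocol 50, as the thread states
    "NAT-T": ("udp", 4500),  # NAT Traversal; standard port, assumed, not stated in the thread
}
RULE_RE = re.compile(r"(?:eth ip filter|remote ipfilter) append (\w+) (accept|deny)\s+(.*)")
Rule = namedtuple("Rule", "direction action proto dport raw")

def parse_rule(line):
    """Extract direction, action, -p and -dp from one rule (syntax assumed from the
    posted lines); -c, -sp, -tcp flags and the trailing interface/number are ignored."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    direction, action, opts = m.groups()
    toks, proto, dport = opts.split(), None, None
    for i, tok in enumerate(toks[:-1]):
        if tok == "-p":
            proto = toks[i + 1].lower()
        elif tok == "-dp":
            dport = int(toks[i + 1])
    return Rule(direction, action, proto, dport, line.strip())

def allows(rules, direction, proto, port):
    """True if an accept rule in `direction` matches proto and (when given) port."""
    return any(r.direction == direction and r.action == "accept" and r.proto == proto
               and (port is None or r.dport is None or r.dport == port) for r in rules)

def audit(lines):
    """Findings for a rule set; an empty list means IKE, ESP and NAT-T all get in."""
    rules = [r for r in map(parse_rule, lines) if r is not None]
    findings = [f"inbound {name} not accepted" for name, (proto, port) in NEEDED.items()
                if not allows(rules, "input", proto, port)]
    findings += [f"ESP written as UDP port 50 instead of IP protocol 50: {r.raw}"
                 for r in rules if r.proto == "udp" and r.dport == 50]
    return findings

# Constructed samples copied from the two rule sets posted in this thread.
ORIGINAL_POST = ["eth ip filter append input accept -p udp -sp 500 -dp 500 1",
                 "eth ip filter append input accept -p 50 1"]
LAST_REPLY = ["eth ip filter append input accept -c 0 -p udp -tcp syn -tcp ack -dp 500 0",
              "eth ip filter append input accept -c 0 -p udp -tcp ack -dp 50 0"]
```

Run `audit(ORIGINAL_POST)` and `audit(LAST_REPLY)` to compare: the first set only lacks NAT-T, while the second never admits ESP at all because protocol 50 was written as a UDP port.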
 