Question

  • Creator
    Topic
  • #2264467

    How to setup SonicWall Tele3 SP to use Windows XP VPN?

    Locked

    by fwang ·

    We need use XP VPN to connect to Windows 2003 server, the server is after a SonicWall Tele3 SP, when connect with XP VPN, got following error:

    800

    The connection to the VPN server could not be established using either PPTP or L2TP. One or more of the following circumstances might have caused this error:

    Anyone knows how to setup the Sonicwall to make XP VPN work?

    Thanks!

All Answers

  • Author
    Replies
    • #2485929

      Clarifications

      by fwang ·

      In reply to How to setup SonicWall Tele3 SP to use Windows XP VPN?

      Clarifications

    • #2507042

      Also trying VPN connection to TELE3 SP

      by gazza73 ·

      In reply to How to setup SonicWall Tele3 SP to use Windows XP VPN?

      Just wanting to contact anybody doing this too. We have a TELE3 Sp unit, which works fine, but has NOT got the licence yet for Global VPN client. We are right now trying to buy the licence add-on and are having trouble getting somebody in Sonicwall to advise if they will give us one, because the product (hardware) is end-of-life. I’m hoping they will just sell us the latest licence, PROVIDED thay can confirm that such a licence will allow us to turn on the feature (tick box) that permits us to run VPN from a remote dumb WIndows XP workstation. I’m quite prepared to advise you how we go with VPN connections. My immediate concern (apart from whether they’ll sell me the licence, and whether they have a CD or whatever is needed to turn it on)(, is whether the TEL3 will allow access from a really dumb VPN session over the ADSL (DSL) link from a remote internet connected user, just running Windows VPn Adapter dial-up session? Is that what you are trying to do? If it is, then my guess is that the TELE3 unit, with its complexity and desire for full encryption, requires such a dumb VPN session to be setup from the remote end with DATA encryption turned on for both the login and the data transfer aspects. I do a lot of VPN work with Windows and UNIX and yep… these settings can be tricky. Would appreciate discussing your experiences, and also ask if you had the licence for Global VPN for a long time, or updated it after end-o-life like I’m trying to do. Gary Pope (Australia) gaz@alchester.com.au

      • #2507017

        We will never buy any Sonic product!

        by fwang ·

        In reply to Also trying VPN connection to TELE3 SP

        Called Sonic and was told that they will not provide us any solution before we renew our service contract. We did pay for the hardware and they don’t even give you a single clue!

        Why both with their Global VPN when Win2K/XP already have it built-in?

        Just go to Access=>Add Service
        add PPTP service with port 1723, map to your VPN server, set the Rules to allow WAN to Server connection. The client setup is easy, just put server IP and domain then you all set.

        • #2506981

          clarifying the VPN for Sonic TELE3

          by gazza73 ·

          In reply to We will never buy any Sonic product!

          Saw your reply whilst I was at the customer site. Sorry, but I am not absolutely sure of what you are saying in the 24/1/07 post. Are you saying we only need to add a service to the existing old TELE3 unit? WE don’t have a global VPN client licence for our TEL3, and I am assuming we need one, and have to turn something ON before the TEL3 will listen to any incoming remote requests to make a connection to it (such as me, as a support person trying to VPN over to the TELE3 at my customer’s office. Please confirm what you mean by Access–> add service.

          By the way – thanks so much for responding this morning. (Thurs 2PM Australia time, and I am at the customer’s site now).

          Gary

        • #2508131

          VPN settings for TELE3

          by fwang ·

          In reply to clarifying the VPN for Sonic TELE3

          Gary,

          Once you clicked on “Access” on the left, you should be able to see 6 tabs on the right window, click the second tab “Add Service”, then select PPTP from the “Add a know service” list, I’m using 1723-1723 for the “Port Range”, “Protocol” is TCP(6). Then click “Add”.

          Now click the third tab (Rules), “Add New Rule…”, select Allow in “Action”, PPTP for “Service”, *, * for “Source”, LAN, your VPN server IP for “Destination”, I used All for “Users Allowed”, other options I keeped the default values.

          That’s all settings I did on the firewall.

          But before you make those changes. I will suggest you to create a VPN connection on your LAN (without go through the firewall), just to make sure the VPN server can be connected from client machine.

          BTW, for Win2K client, you may need to set the “Type of VPN” to PPTP VPN (Properties=>Networking), the default “Automatic” seems only works for XP boxes in our office.

          Good luck!

        • #2508014

          Sonic client VPN versus Windows VPN

          by gazza73 ·

          In reply to VPN settings for TELE3

          We got a good email reply from SONIC last night. They’ve told me I can purchase 01-SSC-5316 ? 5 concurrent user license for the end-of-life TELE3P. From their email explanation, I have only now realised that Sonicwall provide a piece of client software that you have to install on any of the potential remote XP boxes that want to initiate a VPN session. And of course, the above part number installs a licence onto the Sonicwall TELE3 unit which then permits up to 5 concurrent VPN sessions to actaully occur. At the moment we have no such licences, and therefore (I guess) that is why the TELE3 administration menus don’t have the ‘access’ button that you describe at all. Can you confirm for me, that you are already licenced for the Global VPN client softwrae, and that without such software, you would lacka menu option called ‘access’?

          Your explanation of 25/1 talks about running a VPN on the LAN itself – I don’t understand what you are trying to do in that step. If you are sitting in the same building as the TELE3 unit (on the local LAN), then you are already local – you can’t run a VPN inhouse can you?

          Anyway just to see if we are talking the right language on this with you, I am familiar with dumb WIndows VPN arrangements where you have some sort of VPN enabled router (or UNix server mainly with me), and to run a VPN from a remote site, you create a VPN dial-up session that speicfies the visible domain/hostname of the target server, and all you need is a login/password and run Microsoft encryption (or not).

          But with Sonicwall, I beleive you have to be running the Sonicwall CLIENT software on the remote XP box, and that client software is more complex/capable of interacting witht he corresponding software for VPN loaded/licenced on the TELE3. So that is a totally different ballgame.

          Can you spell out the basics of what you are doing again, and clarify whether you are running ANY Sonic VPN licenced software at all at either end, when you are describing your port 1723 mechanism?

          Sorry to labour the points on all this, but I thing I’ve missed a vital underlying step here, and therefore I can’t see how you are achieving the results that you have.

          Gary

        • #2507774

          Our Sonicwall info

          by fwang ·

          In reply to Sonic client VPN versus Windows VPN

          Our sonicwall is purchased long time ago before I came to this company. Here is the license info from General=>Security Services:
          Security Service Status Count Expiration Date
          Nodes/Users Licensed 25
          Complete AV
          Network Anti-Virus Not Licensed
          Server Anti-Virus Not Licensed
          Content Filter Not Licensed
          Premium Content Filtering Service Not Licensed
          E-Mail Filtering Service Not Licensed
          VPN Licensed
          Global VPN Client Not Licensed
          Global VPN Client Enterprise Not Licensed
          Global Security Client Not Licensed
          ViewPoint Not Licensed

          as you can see, we only have 25 Nodes/Users license and VPN license, we do not have any Global VPN license. That’s why I didn’t use any Sonic software. All the VPN connections are using Win2K/XP’s built-in VPN connection function. The Win2K/XP VPN connection number are only limited by the ports opened on VPN server which can be easily configured.

          Once you enter the Sonicwall management webpage, you should be able to see the menu on the left-hand side, ours are:
          General
          Log
          Filter
          Tools
          Access
          Advanced
          DHCP
          VPN
          Anti-Virus
          E-mail Filter
          High Availability
          Modem

          If you have the same model (Sonicwall TELE3 SP) and same license (or more) as ours, you should have the same menu.

          Access menu is used to setup port forwarding, not only for VPN, also for HTTP, FTP, SMTP and others. I can’t image how can you make it work without this menu item.

        • #2507606

          Tele3 ACCESS menu

          by gazza73 ·

          In reply to Our Sonicwall info

          You’re right – I took another look at the site today – it has the accedss button you refer to.

          So I’ll give your idea a go by opening the VPN ports and seeing if we can remotely VPN. In Australia, 26th Jan (Friday) is a holiday. I may ge back to the site on Monday 29th, and try your idea, and let you know how it goes, and then we can compare notes on your original POST error that started this dialogue. Thanks for your timely replies – much appreciated.

          Gary

    • #2506567

      Windows VPN access thru TELE3 – another experience

      by gazza73 ·

      In reply to How to setup SonicWall Tele3 SP to use Windows XP VPN?

      Just getting back to you to tell you we’ve managed to experience the same 800 error. In our case, we have three NT4 Servers and one Server2003. None of them are configured for VPN Server, and in the case ofthe NT4 units, we don’t want to modify those. IN the case of the Server2003, it is a protected database machine – and that presents us with a dilemma about considering it as a VPN server. Ideally, for security, we would not want to have a VPN server (software) running on the inside of a firewall in the first place. But all that aside, we went to the trouble of simulating your situation. Opening the ports according to your instructions ultimately made sence to us. The part that threw us for a while was your instruction about ‘…I used All for “users allows”.. ‘. We nominated a static IP of a remote site as the only permissible user for security.

      The VPN Server IP you mentioned, would need to be the IP of a Windows Server on the LAN side of your network. Of course we don’t have one. So I was trying to use the TELE3 unit as the VPN server (even though we have no Global VPN Client licence installed).

      Anyway it made us think about the issue more for you. My guess is the 800 error is due to the fact that either there is NO VPN server available at all (or is incorrectly configured) – OR there is no permissible route thru the TELE3 to in fact reach/see your VPN Server running on the Windows Server behind the TELE3.

      One suggestion, to see if it is the last point, is to UNTICK the deny items for a breif moment, to make sure there is no mixup of permissions on the TELE3 preventing your remote windows VPN client from breaking thru the TEL3 to go in search of the Windows Server based VPN Server service laying behind the TELE3.

      I beleive we were getting the 800 error simply because we had no valid VPN server software/service running at all.

      Does that throw any light on your problem?

      Given our NT4 issues and concerns about VPN on LAN, we’re opting to buy the Global VPN client licence and going the proprietary method.

      Keep in touch.

      Gary
      gaz@alchester.com.au

      • #2504058

        I believe you still need a VPN server

        by fwang ·

        In reply to Windows VPN access thru TELE3 – another experience

        Here is the SonicWALL SSL VPN Handshake Procedure steps I copied from their administrator guide:
        Step 1 When a user attempts to connect to the SonicWALL SSL-VPN appliance, the user?s web browser sends
        the appliance encryption information, such as the types of encryption the browser supports.
        Step 2 The appliance sends the user its own encryption information, including an SSL certificate with a public
        encryption key.
        Step 3 The web browser validates the SSL certificate with the Certificate Authority identified by the SSL
        certificate.
        Step 4 The web browser then generates a pre-master encryption key, encrypts the pre-master key using the
        public key included with the SSL certificate and sends the encrypted pre-master key to the SSL-VPN
        gateway.
        Step 5 The SSL-VPN gateway uses the pre-master key to create a master key and sends the new master key to
        the user?s web browser.
        Step 6 The browser and the SSL-VPN gateway use the master key and the agreed upon encryption algorithm to
        establish an SSL connection. From this point on, the user and the SSL-VPN gateway will encrypt and
        decrypt data using the same encryption key. This is called symmetric encryption.
        Step 7 Once the SSL connection is established, the SSL-VPN gateway will encrypt and send the web browser
        the SSL-VPN gateway Login page.
        Step 8 The user submits his user name, password, and domain name.
        Step 9 If the user?s domain name requires authentication through a RADIUS, LDAP, NT Domain, or Active
        Directory Server, the SSL-VPN gateway forwards the user?s information to the appropriate server for
        authentication.
        Step 10 Once authenticated, the user can access the SSL-VPN portal.

        Note step 9, VPN forwards user’s information to the appropriate server. In fact, VPN just builds a tunnel between your client PC and server, without a domain server, it’s hard to image how to share your network resources.

        We are using a Windows 2003 server as VPN server, all clients PC are using VPN connection built-in Win2K or XP.

        Talking about limited IP access, you can simply set it up in the Access=>Rules. Our users will connect VPN from different locations, that why we are using * as source. If you only have one ip to connect to the Sonicwall VPN, you can set that ip as source. This way, no other ip will be able to connect to your VPN server.

        • #2493865

          Where to now? we’re on Global VPN OK. Are you still getting error 800?

          by gazza73 ·

          In reply to I believe you still need a VPN server

          By the way, I don’t know your name, I’m Gary.

          Anyway, from your 10th post, I’m not sure if you still have your error 800? My 31/1 post was to outline some thoughts on error 800 – anything new to report?

          Meantime on 3rd and 4th Feb, we got Sonicwall Global VPN client v3.10 running from remote sites to the server OK, and using static IP limitations OK. We did have some funny results from trying to ‘stick’ a username/password into the TELE3 unit for those persons we expect to do remote VPN logins. There are two buttons on the Users/access page – one to update the new user settings that you enter, and the other, to just update the whole page. I’m not convinced whether new user names can be added to the TEL when you are not local – but even stating that in this email sounds strange. But we had many many goes at trying to insert a new user into that section, and it wasn’t till I drove to the site to enter it, did it stay there and be usable via Global VPN remotely (later).

          Anyway, we’re up and running with v3.10.

          Can we help you further with your original ewrror 800? I can only think the error is because the TELE box can’t locate any VPN servers on the other side (ie: your Server 2003 box).

          One other point. We had to open port 500 for UDP in both directions between the internal LAN address of the TELE, and with external static IP of the remote workstation seeking VPN connection. (That was to get phase 1 negotiation of the Global VPN software to work).

          Any worth opening that port in case traffic needs to pass ‘thru’ the TELE, even for your Windows VPN Server sitting behind.

          Keep in touch.

          GARY
          gaz@alchester.com.au Australia.

        • #2494834

          800 problem has been solved on the second post

          by fwang ·

          In reply to Where to now? we’re on Global VPN OK. Are you still getting error 800?

          Hi, Gary, my name is Frank.

          Glad to hear your VPN is up and running.

          I figured it out by myself on the second day I posted this thread. All I did is to open port 1723 and forward PPTP service to my Windows 2003 VPN server. Everything works fine since. I didn’t open port 500. Guess that’s for the Global VPN only.

          With Window’s VPN client, I don’t have to setup any user account. All connection will be required to login with user’s domain account and password which are already setup on server. Once user logged in, they just like on LAN (with slower speed of cause), easy and clean. But with the Global VPN, could be a total different story, don’t want to deal with it and don’t want to bother with it.

        • #2496881

          Good news all round. Catch you again

          by gazza73 ·

          In reply to 800 problem has been solved on the second post

          Frank. So we’re both in business with VPN in different ways (Sonic versus Microsoft). So all done. Thanks for the continuous feedback, in amongst exploring yours and my scenarios, we both seemed to have uncovered some of the mysteries and settings – all good!
          Thanks.

          Gary

Viewing 2 reply threads