Site-to-Site VPN, UTM to SonicWall, Connection made but no traffic

Welcome to my nightmare.


On-site UTM, remote office SonicWall. Before turning on VPN for the entire remote network, I tried to set up just a single host on the same LAN, which navigates IPsec phase 1 & 2 successfully. The connection is up, but no traffic is being exchanged.

UTM local host is 10.242.3.222
SonicWall local host is 192.168.168.222


And on the SonicWall:


However, I have had it configured at one point to be sending through this gateway, where the packets and bytes out increment, though there is no receive traffic back.


EDIT to show NAT configuration:


NAT translation is enabled for both hosts. I have tried manually setting up every NAT and routing configuration I can think of, but no doubt there's something I'm missing, since it's connected but can't communicate.


I will keep messing about with the NAT and routing configurations, but does it appear I've at least set up the LAN networks correctly for an individual host? I have to have, because it wouldn't connect otherwise, right?



  • I have a few SonicWall connections. I have never had to set up a NAT rule. Some differences I notice between our configs in the UTM:

    Remote Gateway - I don't have MTU discovery or ECN enabled.  

    Connections - I have strict routing enabled.

  • Thanks for the reply. I've made those changes but still no traffic. For good measure I tried removing all custom NAT rules I implemented, in case they were mucking up the traffic, but that doesn't seem to have made any change either.

  • What zone do you have the remote host in on the SonicWall? I usually use VPN.

    If you can, set up the VPN for the entire subnet on both sides temporarily. Then at least you can try pinging between the 2 routers.

  • Mine is VPN as well. I've tried a range of 192.168.168.222-192.168.168.222 as well as a host definition of 192.168.168.222/32, which to me is functionally identical, but I didn't know if the SonicWall would consider it differently.

    I will try to set up an entire /24 subnet. As far as you know, is it possible to run a /32 individual host site-to-site VPN?

  • I'm not sure why you are using NAT. Are 192.168.168.222 and 10.242.3.222 also the actual IP addresses on their respective local networks? If so, then no NAT should be needed. If you have different "real" local addresses, then you might need NAT.

    In UTM did you tick the box to "bind tunnel to local interface" or didn't you? If you did, then there will be no route to the remote host/network. If the VPN is the only connection between the two hosts, then make sure to just turn this option off...


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yes, the machine on the remote network is 192.168.168.222. The DHCP server is configured to hand out addresses from 0-167, GW .168, so I figured picking .222 would avoid any IP conflicts. This setting works fine for ingress/egress communication from this remote host to the internet. Clients within the DHCP scope can communicate with it as well.

    I want to connect this single host to my local network at 10.242.3.222 (which is otherwise an unused IP) via S2S VPN. This falls within the default L2TP subnet (10.242.3.0/24), unused in my configuration, but I'm not sure if that is kludging things up, so I mentioned it.


    I have again tried disabling all NAT traversal, but the traffic will still not get routed through the gateway, which is why I thought I needed either a NAT or routing rule in the first place.

    I searched all over but didn't find the 'bind tunnel to local interface' tickbox so I'm going to assume that's disabled if it's the default setting.

  • I now see in your own picture above that this option is unchecked (which is good).

    Can you give us a screenshot of

    Support -> Advanced -> Route table

    (You can hide details not related to the remote subnet, but check whether there are multiple entries using the same subnet(s).)

    I don't know Sonicwall, but if possible can you also list a route table from that?

    This way it's possible to determine if the routes to the other network from both firewalls are correctly in the route table.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Bind tunnel to local interface doesn't show if strict routing is enabled. I always had issues if strict routing isn't enabled. I am connecting to 3 different SonicWalls and have strict routing enabled on all of them. Make sure the hosts are pingable, run a ping from each side and check the firewall logs to make sure it's not an issue there. SW always adds the rule automatically, as will the UTM if auto firewall rule is selected.

  • On the SonicWall, routes are shown in Network > Routing, but VPN routes are not shown. There are route-based VPNs, but they are not needed for this setup.

    He can go under System > Diagnostics and use Find Network Path, though.

  • Thanks for clearing up RE: strict routing & bind tunnel.


    OK, here is my UTM route table. It does not seem to have the 10.242.3.222/32 subnet in it that I'm using for the local subnet. The remote subnet that I'm creating the link to (192.168.168.222/32) is first in the list.

    10.242.2.0/24 is my SSL VPN subnet (default) that is successfully working through both the OpenVPN client and the Sophos-branded OpenVPN client.


    SonicWall route table in its current state, though I have to preface that I have tried creating routes direct from my 192.168.168.222, which in the remote site's context is a local address, and I feel I've iterated many settings... no doubt I'm missing something though.

    For every setting I've tried, I've given it a metric of 1.


    Even with the apparently wrong route configuration in SonicWall, the VPN tunnel is still up. My traffic on the remote machine (192.168.168.222) is still traversing through the LAN to, say, ping Google successfully. No ability to contact interfaces in my tunnel's LAN, though I can ping the public IP's gateway from 192.168.168.222.

    Obviously some communication is working, as I can manage my SonicWall remotely (HTTP/S), and can even manage my ESXi box remotely... though this is a temporary rule because it's no doubt bad practice.


    Let me know if I can provide more information. Your recommendation of what the SonicWall's route should look like for my 192.168.168.222 machine would no doubt help a lot.