Site-to-Site VPN, UTM to SonicWall, Connection made but no traffic

Welcome to my nightmare.


On-site UTM, remote office SonicWall.  Before turning on VPN for the entire remote network, I tried to set up just a single host on the same LAN which navigates IPSec phase 1&2 successfully.  The connection is up, but no traffic is being exchanged.

UTM local host is 10.242.3.222
SonicWall local host is 192.168.168.222


And on the SonicWall:


However I have had it configured at one point to be sending through this gateway where the packets and bytes out increment, though there is no receive traffic back.


EDIT to show NAT configuration:


NAT translation is enabled for both hosts.  I have tried manually setting up every NAT and routing configuration I can think of, but no doubt there's something I'm missing since it's connected but can't communicate.


I will keep messing about with the NAT and routing configurations, but does it appear I've at least set up the LAN networks correctly for an individual host?  I have to have, because it wouldn't connect otherwise, right?



  • I'm not sure why you are using NAT. Are 192.168.168.222 and 10.242.3.222 also the actual IP addresses at their respective local networks? If so, then no NAT should be needed. If you have different "real" local addresses, then you might need NAT.

    In UTM did you tick the box to "bind tunnel to local interface" or didn't you? If you did, then there will be no route to the remote host/network. If the VPN is the only connection between the two hosts, then make sure to just turn this option off...


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yes the machine on the remote network is 192.168.168.222. The DHCP server is configured to hand out addresses from 0-167, GW .168, so I figured picking .222 would avoid any IP conflicts.  This setting works fine for ingress/egress communication from this remote host to the internet.  Clients within the DHCP scope can communicate with it as well.


    I want to connect this single host to my local network at 10.242.3.222 (which is otherwise an unused IP) via S2S VPN.   This falls within the default L2TP subnet (10.242.3.0/24), unused in my configuration, but I'm not sure if that is kludging things up so I mentioned it.


    I have again tried disabling all NAT traversal but the traffic will still not get routed through the gateway, which is why I thought I needed either a NAT or routing rule in the first place.  

    I searched all over but didn't find the 'bind tunnel to local interface' tickbox so I'm going to assume that's disabled if it's the default setting.

  • I now see in your own picture above that this option is unchecked (which is good).

    Can you give us a screenshot of

    Support -> Advanced -> Route table

    (You can hide details not related to the remote subnet, but check whether there are multiple entries using the same subnet(s).)

    I don't know Sonicwall, but if possible can you also list a route table from that?

    This way it's possible to determine if the routes to the other network from both firewalls are correctly in the route table.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
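To make the two checks in this thread concrete (whether the route table carries duplicate entries for the same destination, and whether the chosen VPN host address 10.242.3.222 collides with the default L2TP pool 10.242.3.0/24), here is an added Python example. It is not code from the thread or from Sophos or SonicWall; the route lines are a constructed sample in Linux `ip route` style, and the interface names and the 203.0.113.1 gateway are invented for the sample. Only 10.242.3.222, 192.168.168.222 and 10.242.3.0/24 come from the discussion above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a Linux-style route table, roughly what a UTM shows
# under Support -> Advanced -> Route table. The device names, the default
# gateway and the duplicated host route are invented for this example; the
# duplicate deliberately reproduces the "multiple entries using the same
# subnet" condition the reply asks the poster to look for.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth1
10.242.3.0/24 dev eth0 proto kernel scope link src 10.242.3.1
192.168.168.222 dev eth1 scope link
192.168.168.222 dev eth0 scope link
"""


def parse_routes(text):
    """Parse 'ip route'-style lines into (network, dev, via) tuples.

    A bare host such as 192.168.168.222 becomes a /32; 'default' becomes
    0.0.0.0/0 so it takes part in longest-prefix matching like any route.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((net, dev, via))
    return routes


def duplicate_destinations(routes):
    """Map each destination that appears more than once to its (dev, via) entries."""
    seen = defaultdict(list)
    for net, dev, via in routes:
        seen[net].append((dev, via))
    return {str(net): entries for net, entries in seen.items() if len(entries) > 1}


def best_route(routes, host):
    """Longest-prefix match: the entry that would actually carry traffic to host.

    Returns None when nothing matches (no default route present). On a tie
    between equal-length prefixes the first listed entry wins, which is
    exactly the ambiguity a duplicate host route creates.
    """
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def overlaps_pool(host, pool):
    """True if host lies inside a configured address pool such as the L2TP subnet.

    A VPN endpoint address inside a pool the firewall also serves means two
    features compete for the same address, even if the pool is unused today.
    """
    return ipaddress.ip_address(host) in ipaddress.ip_network(pool, strict=False)


def route_report(text, remote_host, local_host, pool):
    """Run all three checks and return the findings as a dict."""
    routes = parse_routes(text)
    chosen = best_route(routes, remote_host)
    return {
        "duplicates": duplicate_destinations(routes),
        "remote_via": (chosen[1], chosen[2]) if chosen else None,
        "local_host_in_pool": overlaps_pool(local_host, pool),
    }


if __name__ == "__main__":
    report = route_report(SAMPLE_ROUTES, "192.168.168.222", "10.242.3.222", "10.242.3.0/24")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the real table pasted from the UTM (and, if the SonicWall can export one, its table too) and compare `remote_via` on each side: the remote host should be reached over the tunnel interface or the IPsec policy, not over the ordinary LAN or WAN device, and `duplicates` should be empty.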

  • Bind tunnel to local interface doesn't show if strict routing is enabled.  I always had issues if strict routing isn't enabled.  I am connecting to 3 different Sonicwalls and have strict routing enabled on all of them.  Make sure the hosts are pingable, run a ping from each side and check the firewall logs to make sure it's not an issue there.  SW always adds the rule automatically as will the UTM if auto firewall rule is selected.
