
Site-to-Site VPN, UTM to SonicWall, Connection made but no traffic

Welcome to my nightmare.


On-site UTM, remote office SonicWall.  Before turning on VPN for the entire remote network, I tried to set up just a single host on the same LAN which navigates IPSec phase 1&2 successfully.  The connection is up, but no traffic is being exchanged.

UTM local host is 10.242.3.222
SonicWall local host is 192.168.168.222


And on the SonicWall:


However I have had it configured at one point to be sending through this gateway where the packets and bytes out increment, though there is no receive traffic back.


EDIT to show NAT configuration:


NAT translation is enabled for both hosts.  I have tried manually setting up every NAT and routing configuration I can think of, but no doubt there's something I'm missing since it's connected but can't communicate.


I will keep messing about with the NAT and routing configurations, but does it appear I've at least set up the LAN networks correctly for an individual host?  I have to have, because it wouldn't connect otherwise, right?
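An added illustration (not from this thread and not SonicWall or Sophos code) of why a tunnel can show as "up" while nothing crosses it: a phase 2 SA only carries packets that match the traffic selectors (local network / remote network) configured on the sending gateway, and the receiving gateway only accepts them if it holds the mirror-image selector. The two /32 hosts are the ones named in the post; the 192.168.0.0/20 LAN is quoted later in the thread, and 192.168.0.10 is a constructed address standing in for a domain controller.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """One phase 2 traffic selector as a gateway sees it: local net <-> remote net."""
    local: str
    remote: str

    def covers(self, src, dst):
        return ip_address(src) in ip_network(self.local) and ip_address(dst) in ip_network(self.remote)


def classify(sender_sels, receiver_sels, src, dst):
    """Fate of a packet src->dst that reaches the sending gateway.

    'tunnelled'       : sender encrypts it and a mirrored selector on the receiver accepts it
    'dropped-by-peer' : sender encrypts it, but no receiver selector covers it on arrival
    'not-tunnelled'   : no sender selector matches; the packet follows the ordinary
                        routing table instead (typically NATed out to the internet or dropped)
    """
    for s in sender_sels:
        if s.covers(src, dst):
            # On the receiving end the roles swap: src must sit in its remote net, dst in its local net.
            if any(Selector(r.remote, r.local).covers(src, dst) for r in receiver_sels):
                return "tunnelled"
            return "dropped-by-peer"
    return "not-tunnelled"


# Host-to-host selectors from the post: a single /32 on each side.
utm_host = [Selector("10.242.3.222/32", "192.168.168.222/32")]
sonicwall_host = [Selector("192.168.168.222/32", "10.242.3.222/32")]

# The SonicWall host told to send everything through the tunnel (remote = 0.0.0.0/0),
# first with the UTM unchanged, then with the UTM side widened to cover its LAN.
sonicwall_default = [Selector("192.168.168.222/32", "0.0.0.0/0")]
utm_lan = [Selector("192.168.0.0/20", "192.168.168.222/32"),
           Selector("10.242.3.222/32", "192.168.168.222/32")]

if __name__ == "__main__":
    cases = [("host/32 pair", sonicwall_host, utm_host),
             ("default route, UTM unchanged", sonicwall_default, utm_host),
             ("default route, UTM covers LAN", sonicwall_default, utm_lan)]
    for name, snd, rcv in cases:
        for dst in ("10.242.3.222", "192.168.0.10"):  # the peer host, then a constructed DC address
            print(f"{name:30} 192.168.168.222 -> {dst:14} {classify(snd, rcv, '192.168.168.222', dst)}")
```

Real gateways may refuse to negotiate a mismatched phase 2 at all rather than drop packets on arrival; either way the check is the same: both ends must list the same networks in mirror image, and a /32-to-/32 pair will never carry traffic for the rest of either LAN.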



  • Route from UTM to Sonicwall seems okay and routes over IPSEC

    Like Robert Yount said above, apparently routes for VPN are not shown in Sonicwall, but he also said:

    He can go under System>Diagnostics and use find network path though.

    What does that give you?

    Also, maybe the default L2TP VPN pool is what's causing all of this. Do you have L2TP over IPsec disabled under Remote access -> L2TP over IPsec?

    If so, can you (just to be sure) change the default VPN Pool (L2TP) to something different and see if that changes something?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • New developments.  I still suspect I'm facing a NAT issue.  L2TP VPN via remote access is and has been disabled.

    I set the checkbox in SonicWall to use the VPN as the default route for only my DC-Roots remote host (overlooked before), which is now configured thus:

    In my head that routes absolutely all traffic through the VPN for my one host.  From the remote context, I still cannot ping Google's 8.8.8.8, but that's probably a firewall issue.  I cannot ping my large local network 192.168.0.0/20 either, HOWEVER I can ping my local wireless network within 10.5.0.0/24.

    That tells me either side is getting confused when trying to route packets from the remote 192.168.168.0/24 (192.168.168.222/32?) to the local 192.168.0.0/20 and vice versa.

    I could still be wrong though, because the wireless network is managed via DHCP through the UTM, and the local network of 192.168.0.0/20 is managed via a DC's DHCP/DNS server.  An extra hop or three.

    Regarding the "Find network path," forgive me if I haven't provided what you're looking for.  I tried a few, starting with a DC:

  • I'm sorry, but I get a bit lost in all the different subnets and start losing the overview of what is located where. But since you are mentioning other DHCP servers involved: do these other DHCP servers hand out a default gateway that is either the Sophos UTM (on that side of the connection) or the Sonicwall (on the other side of the connection), or are more routers involved in between your hosts (other than the UTM and the Sonicwall)?

    If more routers are involved, all of them should know how and where to route packets to other networks....

    Maybe adding a network diagram where you list all the subnets on both sides of UTM and Sonicwall could enlighten a bit.


  • Yes, sorry for the confusion.  If it's frustrating to someone who knows the network, I can't imagine your frustration coming in cold.  Thanks again btw.

    I seem to have gotten it figured, if only by bashing my keyboard in random sequence.  As mentioned in my last post, I told my SonicWall to forward literally all traffic through the VPN for the 192.168.168.222 remote host.  That, along with masquerading and DNAT rules on the UTM side, allows me to ping the UTM remotely, as well as browse the internet through the VPN tunnel.

    The rest of the problems I have, such as failing to ping DCs let alone use them for credential authentication (no logon servers available) are likely due to another misconfiguration I should be able to sort out.


    Thanks 1000x for your time.  I will post back if I run into more tunneling problems, which I probably will.


    EDIT: I have remedied the remaining communication issues by following your original recommendation of disabling NAT traversal options on both appliances.  Though as I said the above NAT rules are in place manually.


    And I hope I haven't used "suggest as an answer" incorrectly.  The above configuration options seem to have resolved my issues.