Problems setting up a site-to-site IPsec VPN with SonicWall on an XG

I have been able to establish various IPsec VPNs with different settings and policies. The VPN actually establishes and I can ping the SonicWALL, but the SonicWALL network cannot ping the XG.

I have set up firewall rules and everything is set up correctly, but I am unable to get past this hurdle.

Does anyone have any pointers on what to check, or is there a known issue with setting up IPsec VPNs with SonicWALL devices? The SonicWALL device already has multiple VPNs set up with other devices and does not seem to have any issues.



  • Kevin,

    Use method 2 from the following KB article:

    Use a network instead of a single IP.

    Regards

  • Thanks for the help, but I'm still in the same bind.

    It seems like the routing is in place but the firewall is just not letting it through.

    I ran the following commands on the Sophos, per the article:

    system ipsec_route add net 192.168.3.0/255.255.255.0 tunnelname hst2

    set advanced-firewall sys-traffic-nat add destination 192.168.3.0 netmask 255.255.255.0 snatip 192.168.100.1

    The Sophos IP is 192.168.100.1 and the remote network is 192.168.3.0/24.

    Logs and settings:


    console> show advanced-firewall
    Strict Policy : on
    FtpBounce Prevention : control
    Tcp Conn. Establishment Idle Timeout : 10800
    Fragmented Traffic Policy : allow
    Midstream Connection Pickup : off
    TCP Seq Checking : on
    TCP Window Scaling : on
    TCP Appropriate Byte Count : on
    TCP Selective Acknowledgements : on
    TCP Forward RTO-Recovery[F-RTO] : off
    TCP TIMESTAMPS : off
    Strict ICMP Tracking : on


    Bypass Stateful Firewall
    ------------------------
    Source Genmask Destination Genmask


    NAT policy for system originated traffic
    ---------------------
    Destination Network Destination Netmask Interface SNAT IP
    192.168.3.0 255.255.255.0 192.168.3.1

    console>

    console> system ipsec_route show
    tunnelname host/network netmask
    HST2 192.168.3.0 255.255.255.0

    console>

    Drop Packet Capture

    2016-12-05 10:13:05 0103021 IP 192.168.3.22. > 192.168.100.1. :proto ICMP: echo request seq 5914
    0x0000: 4500 003c 4cbe 0000 7f01 069b c0a8 0316 E..<L...........
    0x0010: c0a8 6401 0800 3641 0001 171a 6162 6364 ..d...6A....abcd
    0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
    0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
    Date=2016-12-05 Time=10:13:05 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=ipsec0 out_dev= inzone_id=5 outzone_id=4 source_mac=44:94:fc:1c:a0:54 dest_mac=00:1a:8c:47:b6:c1 l3_protocol=IP source_ip=192.168.3.22 dest_ip=192.168.100.1 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=512 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=2040308128 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Thanks again for the help!

  • After going through the logs again I found that the ACL was set up to not allow ping and DNS. Rookie mistake.

    For any others that run into this issue: to fix it, set the ACLs in System > Administration > Device Access.
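The drop record posted above already names the cause: log_component=Local_ACLs, log_subtype=Denied and fw_rule_id=0 mean that no user firewall rule was consulted at all; the packet was addressed to the XG itself (192.168.100.1) and was dropped by the Device Access ACL for the zone behind ipsec0. Below is an added triage script (not Sophos code and not from this thread) that parses XG firewall records in the key=value form shown above and separates Local ACL denials from ordinary rule-based drops. The first sample record is the one posted in the thread; the other two are constructed, with invented values, and the service-name mapping (ICMP echo to "Ping", port 53 to "DNS") is an assumption that covers only the two services the thread mentions.

```python
"""Triage Sophos XG 'Firewall' log records to tell Local ACL (Device Access)
denials apart from ordinary firewall-rule drops.  Added example, not Sophos
code; field semantics follow the record posted in the thread above."""
from typing import Dict, List

# Sample records.  The first is the Local_ACLs denial from the thread; the
# other two are constructed, hypothetical lines (values invented) so that the
# classifier has an allowed record and a second Local ACL drop to compare.
SAMPLE_LOGS: List[str] = [
    "Date=2016-12-05 Time=10:13:05 log_id=0103021 log_type=Firewall "
    "log_component=Local_ACLs log_subtype=Denied log_priority=Alert "
    "in_dev=ipsec0 out_dev= inzone_id=5 outzone_id=4 l3_protocol=IP "
    "source_ip=192.168.3.22 dest_ip=192.168.100.1 l4_protocol=ICMP "
    "icmp_type=8 icmp_code=0 fw_rule_id=0",
    # constructed: same tunnel, SMB to a LAN host allowed by firewall rule 7
    "Date=2016-12-05 Time=10:14:00 log_id=0101011 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Allowed log_priority=Information "
    "in_dev=ipsec0 out_dev=Port1 inzone_id=5 outzone_id=1 l3_protocol=IP "
    "source_ip=192.168.3.22 dest_ip=192.168.100.50 l4_protocol=TCP "
    "src_port=51234 dst_port=445 fw_rule_id=7",
    # constructed: DNS query to the XG itself, dropped by the Local ACL
    "Date=2016-12-05 Time=10:14:05 log_id=0103021 log_type=Firewall "
    "log_component=Local_ACLs log_subtype=Denied log_priority=Alert "
    "in_dev=ipsec0 out_dev= inzone_id=5 outzone_id=4 l3_protocol=IP "
    "source_ip=192.168.3.22 dest_ip=192.168.100.1 l4_protocol=UDP "
    "src_port=40000 dst_port=53 fw_rule_id=0",
]


def parse_record(line: str) -> Dict[str, str]:
    """Split a space-separated key=value record into a dict.
    Empty values such as 'out_dev=' are kept as ''; bare tokens are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def local_service(fields: Dict[str, str]) -> str:
    """Name the Device Access service a Local ACL drop refers to.
    Assumed mapping covering only the two services named in the thread."""
    proto = fields.get("l4_protocol", "")
    if proto == "ICMP" and fields.get("icmp_type") == "8":
        return "Ping"
    if proto in ("UDP", "TCP") and fields.get("dst_port") == "53":
        return "DNS"
    return "other"


def diagnose(fields: Dict[str, str]) -> Dict[str, str]:
    """Classify one parsed record.

    Local_ACLs + Denied + fw_rule_id=0 means no user firewall rule matched:
    the packet was destined for the XG itself and the Device Access ACL for
    the ingress zone (inzone_id) dropped it.  Any other Denied record is an
    ordinary rule-based drop and the rule id is the thing to inspect."""
    if fields.get("log_subtype") != "Denied":
        return {"diagnosis": "allowed", "service": "", "hint": ""}
    if (fields.get("log_component") == "Local_ACLs"
            and fields.get("fw_rule_id") == "0"):
        svc = local_service(fields)
        return {
            "diagnosis": "local_acl",
            "service": svc,
            "hint": (f"enable {svc} for zone id {fields.get('inzone_id')} "
                     f"(ingress {fields.get('in_dev')}) under "
                     "System > Administration > Device Access"),
        }
    return {"diagnosis": "firewall_rule", "service": "",
            "hint": f"check firewall rule {fields.get('fw_rule_id')}"}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and diagnose every record, keeping src/dst for the report."""
    report: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_record(line)
        result = diagnose(fields)
        result["src"] = fields.get("source_ip", "")
        result["dst"] = fields.get("dest_ip", "")
        report.append(result)
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(f"{r['src']} -> {r['dst']}: {r['diagnosis']} "
              f"{r['service']} {r['hint']}".rstrip())
```

Run it against a file of exported Firewall log lines (one record per line) instead of SAMPLE_LOGS to spot Device Access drops on a tunnel before going through rules and routes; a Local ACL drop cannot be fixed by any firewall rule, which is why the ipsec_route and sys-traffic-nat changes in the earlier reply made no difference to the ping.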
