GVPN client fails to connect with PPPoE + fixed IP
Hi all,
I'm a real newbie with SonicWall so please be gentle :-)
So I have a TZ670 running the latest firmware 7.0.1-R1456.
The Internet connection is BT Infinity FTTC and I have multiple fixed IP addresses assigned by BT.
The Internet connection is allocated a dynamic IP at the time the TZ670 connects, with the fixed IP addresses routed over that connection.
I have set up the X2 interface to successfully connect to the Internet and, following SonicWall documentation, have put one of my fixed IP addresses in the 'Specify IP Address' field of the X2 interface.
After working through the Sonicwall documentation regarding setting up both Group VPN and the GVPN client I have a successful VPN tunnel between my client and the TZ670.
However, this only works if I use the dynamic IP allocated to the X2 interface in the peer list of the GVPN client.
If I use the fixed IP address that I have specified in the X2 interface in the peer list of the GVPN client, the connection fails with "The peer is not responding to phase 1 ISAKMP requests".
If I look at the packet monitor I can see packets coming in from my client for port 500 that are being dropped.
I assume that I need to do some more setup, perhaps in Objects and/or Policies, to allow the packets.
If my assumption is correct exactly how and what do I need to configure to allow the GVPN connection to work to the fixed IP?
My apologies for the long-winded post, but I wanted to be clear exactly how things were set up and what was / was not working so I'm not wasting people's valuable time.
Many thanks.
Ian.
Best Answer
TKWITS
That makes some sense with IPv6, but still seems a bit silly to me. The OP did not mention which IP version they are working with...
All this doesn't help the actual issue which SHIPRASAHU93 addressed. Either way you'd need another piece of hardware to hand off the 'routed subnet' to the Sonicwall. Your ISP might provide a managed device to do that for you.
Answers
Hello @IanJ,
Welcome to the SonicWall Community.
Unfortunately, the site-to-site VPN, GVPN, and SSLVPN can only be made to IP addresses configured physically on the WAN interface on the firewall. There are default access rules in place that point to WAN Interface IP and creating custom rules will not help.
This is by design and I think that is the reason you are seeing the dropped packets. You can utilize the Dynamic DNS feature if you would like to bind the dynamic address to a domain name and then use that for making VPN connections. Otherwise, the static IP needs to be configured on the X2 interface directly to make this work.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
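One way to confirm what Shipra describes from the packet-monitor side, as an added example that is not part of the original thread or of any SonicWall tooling: export the packet-monitor capture and summarise IKE traffic (UDP 500 and NAT-T on UDP 4500) per destination address. An address that only ever shows IKE packets as dropped is one the firewall's VPN listener is not bound to, while the interface address shows them consumed. The column layout below is a constructed approximation of a CSV export (time, ingress, src_ip, src_port, dst_ip, dst_port, proto, status); adjust the field names to match a real export. All addresses are documentation ranges, not real ones.

```python
"""Added example (not from the SonicWall thread): summarise IKE/NAT-T packets
per destination address from exported packet-monitor lines, so you can see
which firewall address actually answers phase 1 and which one silently drops.
The CSV layout is an assumed approximation of a packet-monitor export."""
import csv
import io
from collections import defaultdict

# ISAKMP (UDP 500) and NAT-Traversal (UDP 4500) are the two ports a GVPN
# client needs the firewall to answer on.
IKE_PORTS = {500, 4500}

# Constructed sample capture. The client 203.0.113.10 tries the dynamic
# PPPoE address (198.51.100.7), which the firewall consumes, and a fixed
# address from the routed block (192.0.2.34), which it drops. The TCP row
# is there to show that non-IKE traffic is ignored by the summary.
SAMPLE = """\
time,ingress,src_ip,src_port,dst_ip,dst_port,proto,status
10:00:01,X2,203.0.113.10,500,198.51.100.7,500,UDP,Consumed
10:00:01,X2,203.0.113.10,4500,198.51.100.7,4500,UDP,Consumed
10:00:05,X2,203.0.113.10,500,192.0.2.34,500,UDP,Dropped
10:00:07,X2,203.0.113.10,500,192.0.2.34,500,UDP,Dropped
10:00:09,X2,203.0.113.10,4500,192.0.2.34,4500,UDP,Dropped
10:00:10,X2,203.0.113.10,51234,192.0.2.34,443,TCP,Forwarded
"""


def summarize_ike(export_text):
    """Return {dst_ip: {status: count}} for UDP packets to IKE ports only."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["proto"] != "UDP":
            continue
        if int(row["dst_port"]) not in IKE_PORTS:
            continue
        counts[row["dst_ip"]][row["status"]] += 1
    return {ip: dict(statuses) for ip, statuses in counts.items()}


def unresponsive_peers(summary):
    """Destination addresses where every IKE packet was dropped, i.e. the
    addresses a GVPN client will report as 'not responding to phase 1'."""
    return sorted(ip for ip, statuses in summary.items()
                  if set(statuses) == {"Dropped"})


if __name__ == "__main__":
    summary = summarize_ike(SAMPLE)
    for ip, statuses in sorted(summary.items()):
        print(f"{ip}: {statuses}")
    print("IKE never answered on:", unresponsive_peers(summary))
```

If the fixed address shows up in the "never answered" list while the dynamic interface address shows consumed packets, the capture matches the by-design behaviour described above rather than a missing access rule, and adding custom rules is not the fix.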
Thank you for your rapid response.
That is more than a little disappointing TBH.
My old Draytek 3900 at a cost of £500 could do this out of the box, but the SonicWall that cost us £2.5k can't and I have to resort to DDNS to 'work around' the issue.
So is there really no other way I can make this work?
Ian.
I have never seen an ISP provide what you are describing: fixed IPs routed to a dynamic one. I don't know why anyone would do this, but that's beside the point.
Can you provide more description of your physical connection to the ISP? Are you connecting only X2 to their equipment? Why not X1? You stated that you assigned a static address to X2 but then stated it's using the dynamic address, which is it?
Hi TKWITS
For clarity, we have BT Infinity FTTC Broadband with a range of 8 fixed IP addresses, 5 of which are usable. The connection is provisioned as PPPoE and at connection time a dynamic IP address is allocated. The 8 statics are then routed to that dynamic address.
Yes, I'm only connecting X2 to the ISP's equipment.
I've reserved X1 for use when the TZ670 goes into production.
So, as stated, upon connection to the ISP I am allocated a dynamic IP address. Within the X2 interface setup there is a field "Specify IP Address"; this is where I have put a static IP address from the (usable) range allocated by the ISP.
HTH
Ian
This is not that uncommon a scenario, especially with IPv6 where you get a link-local address allocated with IPv6CP, and the provider routes your global network(s) to that.
If the issue is that the SonicWall is not listening on an IP in the routed subnet, you could try something hacky like adding a VLAN subinterface to X2, putting it in Zone WAN and assigning it an IP from the routed subnet. I am not sure what you would set the default gateway to in order for this to work, however. It's possible that it won't work even if you got every setting correct because it's not designed to work like that. Worth a shot though.
Alternatively, put your Draytek back in to handle the PPP login and put the routed subnet on the LAN side of the Draytek. Not ideal, obviously, but it will fix the immediate issue.