
Site to Site VPN Multiple Destination Subnets

I have a Site to Site VPN that works great with a single /24 destination subnet. All traffic passes. But when I add another Destination Subnet to the Address Group, traffic will no longer pass correctly. The VPN shows UP, but traffic is dropped. One destination is /24 and the other destination is /29 , both objects are in the VPN Zone, and are in same Address Group. Is there an issue with /24 and /29 destination subnets on the same Site to Site VPN?

Category: Mid Range Firewalls
Answers

  • TKWITS Community Legend ✭✭✭✭✭

    Not sure why they took down the KB but here is a cached version of it, have you seen it?

    There should be no reason a /29 would be a problem as long as it's in the IANA-designated private subnets.

  • Dubbya Newbie ✭

    Adding the subnet works fine and is already done correctly. The issue is existing working traffic flow is blocked once the /29 is added as second destination subnet.

  • TKWITS Community Legend ✭✭✭✭✭

    Are the subnets overlapping? Have you double checked the access rules?

  • It's hard to say where the issue is without your IP structure, but here is my setup, if it can help.

    You can pass packets from one subnet to many subnets; I'm doing it with Site to Site and VTI.

    Something like:

    10.100.0.0/16 <----> 10.10.0.0/16, 10.20.0.0/16, 10.30.0.0/16, etc.


    In Site to Site, I have an object for each network. You can use a summary network (in my case 10.0.0.0/8), but if I remember, only one router (firewall) was able to build the tunnel.

    VTI is more convenient for me because I have a lot of subnets and I can pass all my traffic (internet included) through my VPN with "one" rule.

  • I battled with about the same problem for a week in a customer network before Xmas, as

    (Phony IPs to keep security)

    I have a site to site VPN that has been OK for 4-5 years; I had to get a second LAN to respond on both sides for some reason.

    Main is 1.1.1.1, secondary is 2.2.2.2, VPN up.

    On the same public IPs I put a new 3.3.3.3 on main to get to 4.4.4.4 on secondary.

    Config was easy, VPN was up everywhere, but I lost ping on my previous and on my new VPN, until I checked "Enable NetBIOS broadcast" on both SonicWalls (VPN / Base Settings / VPN Policies / Advanced), and added a route on main to direct traffic from the 1.1.1.1 subnet to 2.2.2.2 and from the 3.3.3.3 subnet to 4.4.4.4 (Network / Routing / Route Policies).

    It created an address group named IphDestPolicyAuto_0 on both, containing the remote LAN group IP, and now I get my ping and links OK everywhere.

    Hope it helps.
