TZ270 VPN Tunnel Traffic Issues
I have two tz270 units that I am setting up to provide a VPN tunnel between sites.
Using 1 wan port and grouped interfaces to X0 for the LAN.
For testing they are both connected to a switch. Site A has a WAN of 10.10.10.4; the LAN is 192.168.72.4.
Site B has a WAN of 10.10.1.05 and the LAN is 192.168.73.4.
I have a VPN tunnel established between the units but no traffic is flowing between the units. The tunnel was created using a tunnel interface policy.
There is an address object created on each unit that is a zone VPN network type and refers to the network of the remote LAN address. I also have a routing rule whose source is any and whose destination is the address object created, referring to the remote LAN. The next hop is a standard route and the interface is set to the VPN tunnel interface.
Please advise of the next steps or if more information is needed to help me resolve this.
Best Answer
ThK Cybersecurity Overlord ✭✭✭
Your SSLVPN group / user must have rights to target the networks.
--Thomas
Answers
@tedsch what is your subnet mask? Looks like the Networks are same on both ends.
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-nat-over-vpn-in-a-site-to-site-vpn/170515155805172/
--Thomas
I have put a subnet mask of 255.255.0.0 on the LAN devices that I am testing with.
And the winner is ... @ThK 🏆️ ... 255.255.0.0 overlaps both locations, you should go with 255.255.255.0. You cannot reach the remote network because it's treated as part of the local subnet.
--Michael@BWC
Let me hook things up and give it a shot.
The subnet being opened up was the trick.
Thanks for the nudge in the right direction.
Now I would like to be able to connect to one site and manage both from the same NetExtender connection. I can connect to one or the other site and manage that site, but not both. When I try to connect to the web management interface of site B from site A I get a "site cannot be reached" message. But I can ping the interface of site B from site A.
I have the Management VIA This SA HTTPS enabled for both sites under the VPN policy.
Every dog has his day :-)
Don't forget to add the remote subnet to the SSLVPN client routes [or use tunnel all].
And a route back to your SSLVPN client subnet.
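The two fixes in this thread (a LAN mask of 255.255.0.0 that makes the remote LAN look on-link, and SSL VPN client routes plus a return route to the client pool) can both be checked before touching the firewalls. The following is an added example, not code from the thread or from SonicWall; the site LAN hosts are the ones posted above, while the SSL VPN client pool (10.20.30.0/24) and the route lists are constructed assumptions.

```python
from ipaddress import ip_interface, ip_network

# Constructed from the thread: the two LAN test hosts, with the mask the
# poster used first (/16, i.e. 255.255.0.0) and the corrected one (/24).
SITE_A_HOST_BAD = "192.168.72.4/16"
SITE_B_HOST_BAD = "192.168.73.4/16"
SITE_A_HOST_OK = "192.168.72.4/24"
SITE_B_HOST_OK = "192.168.73.4/24"

# Assumption: the NetExtender client address pool handed out by site A.
SSLVPN_CLIENT_POOL = "10.20.30.0/24"


def remote_is_onlink(local_host: str, remote_host: str) -> bool:
    """True when the remote host sits inside the local host's own subnet.

    A host ARPs for on-link destinations instead of sending them to its
    default gateway, so the firewall and the VPN tunnel never see the packets.
    """
    return ip_interface(remote_host).ip in ip_interface(local_host).network


def lan_subnets_overlap(local_host: str, remote_host: str) -> bool:
    """True when the two LAN subnets overlap (would need NAT over VPN)."""
    local = ip_interface(local_host).network
    remote = ip_interface(remote_host).network
    return local.overlaps(remote)


def sslvpn_routes_cover(client_routes: list[str], lan: str) -> bool:
    """True when some client route (or tunnel-all, 0.0.0.0/0) covers the LAN."""
    target = ip_network(lan)
    return any(target.subnet_of(ip_network(route)) for route in client_routes)


def has_return_route(site_routes: list[str], client_pool: str) -> bool:
    """True when the remote site knows how to reach the SSL VPN client pool."""
    pool = ip_network(client_pool)
    return any(pool.subnet_of(ip_network(route)) for route in site_routes)


def check_sites(local_host: str, remote_host: str, client_routes: list[str],
                remote_site_routes: list[str], client_pool: str) -> list[str]:
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    if lan_subnets_overlap(local_host, remote_host):
        problems.append("LAN subnets overlap; shrink the mask or use NAT over VPN")
    if remote_is_onlink(local_host, remote_host):
        problems.append("remote LAN is on-link for local hosts; traffic bypasses the tunnel")
    remote_lan = str(ip_interface(remote_host).network)
    if not sslvpn_routes_cover(client_routes, remote_lan):
        problems.append(f"SSL VPN client routes do not include {remote_lan}")
    if not has_return_route(remote_site_routes, client_pool):
        problems.append(f"remote site has no route back to client pool {client_pool}")
    return problems


if __name__ == "__main__":
    # Original setup: /16 masks, client routes only for the local LAN,
    # remote site without a route to the client pool.
    for problem in check_sites(SITE_A_HOST_BAD, SITE_B_HOST_BAD,
                               ["192.168.72.0/24"], ["192.168.72.0/24"],
                               SSLVPN_CLIENT_POOL):
        print("PROBLEM:", problem)
    # Corrected setup: /24 masks, both LANs pushed to the client, return route present.
    print(check_sites(SITE_A_HOST_OK, SITE_B_HOST_OK,
                      ["192.168.72.0/24", "192.168.73.0/24"],
                      ["192.168.72.0/24", SSLVPN_CLIENT_POOL],
                      SSLVPN_CLIENT_POOL))
```

Run it as-is to see the four findings the thread worked through one by one; swap in the real client pool and route lists from the SSL VPN client settings and the site B route table to check a live deployment.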
Thanks for the pointers folks!!
Way more helpful than trying to get a support contract added to one of the devices so I can ask support a question. Ugh, that is a frustrating experience....