Adding Routes Between Site to Site VPN?
MikeV
Newbie ✭
I recently had two sites connected via VPN. Site A and Site B. The company added a site (Site C) with a Site-to-Site VPN to Site 2. Site A has not been able to talk to Site B.
Site_C <-> Site_B <-> Site_A
Hardware at the sites is:
Site A: TZ500
Site B: TZ400
Site C: NSA2650
How can I solve this?
Category: Entry Level Firewalls
Answers
In the VPN policy, you will need to create a group that includes both remote networks and enter that into the "Remote Networks" section in the Network tab of the VPN policy. Perform this action at both spokes and make sure to update your HUB as well. The linked video has further information, as well as the articles below.
https://www.sonicwall.com/support/knowledge-base/how-to-configure-a-site-to-site-vpn-policy-using-main-mode/170504380887908/
https://www.sonicwall.com/support/knowledge-base/types-of-site-to-site-vpn-scenarios-and-configurations/170505702411896/
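One way to see why both spokes and the hub need the wider address group is to model the Phase 2 selectors of each policy and trace a packet through them. The script below is an added example, not code from the thread or from SonicWall: it uses constructed placeholder subnets for Sites A, B (hub) and C, and it simplifies a real firewall (no NAT, no access rules, a policy-based tunnel accepts or drops purely on its local/remote selectors). The `update_hub` switch reproduces the common mistake of widening the spokes' "Remote Networks" but leaving the hub's per-spoke policies at the hub LAN only.

```python
"""Model of policy-based Site-to-Site selectors for a hub-and-spoke layout.

Added example for the thread; the addressing below is constructed and not
taken from the poster's environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample subnets (the thread gives none).
SITES = {
    "A": ip_network("10.1.0.0/24"),   # spoke, TZ500
    "B": ip_network("10.2.0.0/24"),   # hub, TZ400
    "C": ip_network("10.3.0.0/24"),   # spoke, NSA2650
}
HUB = "B"


@dataclass
class VpnPolicy:
    """One Site-to-Site policy on a firewall: peer site plus Local/Remote Networks."""
    peer: str
    local: list   # "Local Networks" address group (Phase 2 local selector)
    remote: list  # "Remote Networks" address group (Phase 2 remote selector)

    def selects(self, src, dst):
        """Outbound: would this policy encrypt a packet src -> dst?"""
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)

    def accepts(self, src, dst):
        """Inbound: would the decrypted packet src -> dst pass this tunnel's selectors?"""
        return any(src in n for n in self.remote) and any(dst in n for n in self.local)


def build_policies(sites, hub, update_hub=True):
    """Return {site: [VpnPolicy, ...]} for a hub-and-spoke design.

    Each spoke's Remote Networks = hub LAN + every other spoke LAN.
    Each hub policy's Local Networks = hub LAN + every other spoke LAN,
    unless update_hub is False (the hub was left at its own LAN only).
    """
    pols = {s: [] for s in sites}
    spokes = [s for s in sites if s != hub]
    for s in spokes:
        others = [sites[o] for o in spokes if o != s]
        pols[s].append(VpnPolicy(hub, [sites[s]], [sites[hub]] + others))
        hub_local = [sites[hub]] + (others if update_hub else [])
        pols[hub].append(VpnPolicy(s, hub_local, [sites[s]]))
    return pols


def site_of(sites, ip):
    for name, net in sites.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not in any site subnet")


def forward_path(sites, pols, src, dst):
    """Trace src -> dst across the tunnels; return the site list or None if dropped."""
    src, dst = ip_address(src), ip_address(dst)
    cur, end = site_of(sites, src), site_of(sites, dst)
    hops = [cur]
    while cur != end:
        out = next((p for p in pols[cur] if p.selects(src, dst)), None)
        if out is None:
            return None                      # no policy claims this traffic
        nxt = out.peer
        # The receiving peer checks the decrypted packet against its own
        # selectors for this tunnel; a mismatch is dropped, not routed on.
        inbound = next((p for p in pols[nxt] if p.peer == cur), None)
        if inbound is None or not inbound.accepts(src, dst) or nxt in hops:
            return None
        hops.append(nxt)
        cur = nxt
    return hops


def reachable(sites, pols, a, b):
    """Both directions must pass: IPsec is stateless about the reverse flow."""
    return forward_path(sites, pols, a, b) is not None and \
        forward_path(sites, pols, b, a) is not None


if __name__ == "__main__":
    good = build_policies(SITES, HUB)
    bad = build_policies(SITES, HUB, update_hub=False)
    print("A->C, hub updated:    ", forward_path(SITES, good, "10.1.0.10", "10.3.0.10"))
    print("A->C, hub not updated:", forward_path(SITES, bad, "10.1.0.10", "10.3.0.10"))
    print("A<->B still fine:     ", reachable(SITES, bad, "10.1.0.10", "10.2.0.10"))
```

The "hub not updated" case shows the symptom from the question: each spoke still talks to B, but a packet from A to C is dropped on arrival at B because B's policy toward A only lists B's own LAN as local, so the selectors of the two SAs never overlap on the transit subnet.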
Hi Mike,
In a SonicWall-only scenario I would definitely go with VPN Tunnel Interfaces instead of Site-2-Site. The configuration is straightforward, and having routes makes it easy to understand. You just create the necessary routing and decide which subnets are routed through which interface.
You can go fully meshed (Tunnel interfaces between A+B, A+C, B+C) or star (B+C, A+C) depending on your connection quality etc.
Just my €.02 :)
--Michael@BWC
Hi Mike,
Depending on the desired and WAN reliability at Site B (let's call this HQ), you can do the traditional Hub and Spoke with B being the Hub and Site A and Site C being the spokes. That is the usual/traditional Hub and Spoke config, using the usual Policy VPN SAs from Site B towards both Site A and Site C. The con for that is you depend on the hub (Site B) WAN connection to always be up, and in case that's down, A to C and vice versa will also lose connectivity. Likewise, you usually depend on the CIR at the HUB, and especially on the upload rate, which is usually a fraction of the download and will affect/bottleneck the throughput to the other spoke.
If that is a concern, you can choose a TI to each of the sites, which means you will have destinations reachable via two potential paths. In that case you can either use floating routes, with the TI disabled when this interface is down, or use dynamic routing over the TI, such as OSPF, to protect yourself from potential asymmetric traffic flow to VPN destinations.
Hope that helps.
Kind regards, Stan.
Solutions Architect at SonicWall. Feel free to @Stan if you have any questions on any product.