VPN tunnel not working over secondary WAN IP
Hi,
I have a site to site VPN in place between site A and site B (both with Sonicwall NSA 3700) and that's working fine. Due to reasons, at site B I need to connect the Sonicwall directly to a 3rd party (Fortigate…) at the same site to access a particular server/subnet of theirs. Traffic between the 3rd party firewall and the local Site B is working fine but I cannot get any traffic from site A to talk to the 3rd party.
After speaking to a network consultant and Sonicwall support, both suggested using a VPN tunnel. As there is already a Site to Site VPN in place you cannot use the same WAN IP. So as we have spare public IPs, I have assigned the spare public IPs for Sites A and B and created a VPN tunnel, but it shows as down. Sonicwall support said they are not 'listening' and I should fix that, which is not helpful. The public IPs are definitely ours as they have been used previously for other services (yes, the old access policies and NAT rules were removed).
Has anyone else had any experience using a VPN tunnel over a 'secondary' WAN IP or had a similar issue? I just don't see any traffic in the packet monitor, the green icon that shows the VPN being online is not there, and the route policies are greyed out (which means the tunnel is down).
Thanks
Best Answer
stevmorr Newbie ✭
I resolved this by…buying another Sonicwall and creating the tunnel from there 🤣 problem solved. Seems like it is just not possible doing what I was trying to do.
Answers
IME you cannot get the firewall to listen for IPsec on anything other than its own interface IPs. Surely the extent of Sonicwall support's advice was not just "should fix that"? I know they're pretty bad, but not that bad…
Why wouldn't you just use a single VPN tunnel, with the appropriate ACLs in place to control what goes where? A second tunnel for different networks seems unnecessarily complicated to me.
If using policy based VPN, why don't you add the third-party subnet into the encryption domain of both sites A and B?
I'm assuming that the site B firewall already has a route to the third-party subnet.
Thanks for your response. They said I need to find a fix for the public IPs not listening, but I cannot find a solution.
For reasons I cannot explain, I cannot get traffic to pass from Site A via Site B to the 3rd party firewall over the existing Site to Site VPN. If for instance I run a ping from Site A to the 3rd party firewall it doesn't even show on the packet trace. If it did I could at least troubleshoot but not getting anything. The only other solution would be a site to site VPN between site A and the 3rd party directly but the 3rd party are refusing to allow internet access for security so that is not an option.
I have and it just doesn't work. If I run a ping or tracert from site A to the 3rd party subnet it doesn't leave site A. I have tried all manner of NAT rules, policies and routes and cannot get it to work.
Multiple subnets in VPN policies with different levels of access control is bread-and-butter stuff for SonicOS.
I am guessing here, so I think a diagram might help, but did you ask the third party to create a static route so their replies go the right way?