Site to Site VPN using TZ 570s
I want to pick everyone's brain a bit before getting with support, but here is my situation. Currently I have two properties that are connected via dark fiber configured as trunk ports going into a Cisco 4507R at each end. This link might be going away soon, and I have been tasked to get a VPN running between the sites. I have been able to create the VPN and test it in a lab scenario using the documentation from the KBs for SonicOS 7 to create the IPsec Site to Site VPN, and have IP traffic passing over the two ISPs that will be used (I have them tagged here at my main site). I have moved the 2nd TZ 570 to the other site. The tunnel came right up. I have created multiple sub-interfaces for the VLANs I need to be passed over this link on both units. However, I am unsuccessful at bringing this up. I also have a Sophos Next Gen firewall that handles the VLAN routing, and I have checked it and modified it to where I think it should take care of things, but it does not. I guess my main thing is, is there anything special I need to do to make sure VLAN traffic is passing over the VPN? If I can get some kind of verification there, it will allow me to focus on other areas like routing. Thanks in advance!
Answers
Hello @Charper,
Welcome to the SonicWall community.
I would like to know what networks are included in the local network and remote network fields in the Site to Site VPN configured.
If you have used an address group like LAN Subnets, that only includes the physically connected networks and not the routed networks. So, I would suggest creating a group, making sure all the networks that need to pass through the VPN are added to it, and selecting it under the policy.
The access rules then get auto-added as per the networks mentioned in the policy.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hey Shipra Sahu -
Thanks for the response, and I believe I understand what you are getting at. You are correct, I do have it set as LAN Subnets. But I want to clarify one thing. After looking at the existing LAN Subnets Address Group, it lists all the VLAN sub-interfaces I created and sets their type to network. With that in mind, would that not serve the same purpose? I am going to run a test today (going to take the system down for a brief window today vs. 11pm tonight) using a new Address Group as you suggested. Will update this based on my findings.
Thanks again!
@CHARPER
Site to site VPNs are like routers; they do not see VLANs.
What you can do: set up a site to site VPN and use a subnet for each VLAN connection.
We use the Mikrotik EoIP behind the SonicWall to pass VLANs over the site-to-site VPN.
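To make the two points above concrete (the policy's Local/Remote Network selection must list every subnet that should cross the tunnel, and the tunnel carries routed IP subnets rather than VLAN tags), here is an added example, written for this thread and not taken from SonicWall documentation or any product. It models a policy-based IPsec tunnel as two lists of CIDR selectors (the "Local Network" and "Remote Network" address objects, an assumption about how the configuration is shaped) and checks which VLAN-to-VLAN flows would never be encrypted because one side is missing from the selectors. All VLAN names and subnets are constructed sample data.

```python
"""Check whether every VLAN subnet is covered by a site-to-site IPsec
policy's traffic selectors.

Added example for this thread; not SonicWall code. The policy is modelled
as plain CIDR lists (assumption); VLAN names and subnets are constructed.
"""
import ipaddress

# Constructed sample data: one VLAN per subnet at each site.
SITE_A_VLANS = {
    "VLAN10": "10.10.10.0/24",
    "VLAN20": "10.10.20.0/24",
    "VLAN30": "10.10.30.0/24",  # routed behind another firewall, not on the TZ
}
SITE_B_VLANS = {
    "VLAN10": "10.20.10.0/24",
    "VLAN20": "10.20.20.0/24",
    "VLAN30": "10.20.30.0/24",
}

# Policy built from a "LAN Subnets"-style group that only carries the
# directly connected interface networks, so VLAN30 is missing at both ends.
POLICY = {
    "local": ["10.10.10.0/24", "10.10.20.0/24"],
    "remote": ["10.20.10.0/24", "10.20.20.0/24"],
}


def subnet_covered(subnet, selectors):
    """True if `subnet` lies entirely inside at least one selector."""
    net = ipaddress.ip_network(subnet, strict=False)
    return any(
        net.subnet_of(ipaddress.ip_network(sel, strict=False)) for sel in selectors
    )


def uncovered_pairs(policy, local_vlans, remote_vlans):
    """Return sorted (local_vlan, remote_vlan) pairs whose traffic does not
    match the policy selectors and so is routed or dropped, not encrypted."""
    missing = []
    for lname, lnet in local_vlans.items():
        for rname, rnet in remote_vlans.items():
            if not (subnet_covered(lnet, policy["local"])
                    and subnet_covered(rnet, policy["remote"])):
                missing.append((lname, rname))
    return sorted(missing)


def selects_packet(policy, src_ip, dst_ip):
    """Would a packet src -> dst be matched by the local->remote selectors?
    This is the check to run before blaming the Cisco or Sophos side."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    in_local = any(src in ipaddress.ip_network(s) for s in policy["local"])
    in_remote = any(dst in ipaddress.ip_network(s) for s in policy["remote"])
    return in_local and in_remote


def fixed_policy(local_vlans, remote_vlans):
    """Build the policy the first answer recommends: one selector per VLAN
    subnet on each side, including routed (non-interface) networks."""
    return {
        "local": list(local_vlans.values()),
        "remote": list(remote_vlans.values()),
    }


if __name__ == "__main__":
    for pair in uncovered_pairs(POLICY, SITE_A_VLANS, SITE_B_VLANS):
        print("not covered by tunnel:", pair)
    good = fixed_policy(SITE_A_VLANS, SITE_B_VLANS)
    print("after fix, uncovered:", uncovered_pairs(good, SITE_A_VLANS, SITE_B_VLANS))
    print("10.10.30.5 -> 10.20.10.5 enters tunnel:",
          selects_packet(good, "10.10.30.5", "10.20.10.5"))
```

Running it lists every flow involving VLAN30 as uncovered under the original policy and none under the rebuilt one. Note that the check is purely about the IP selectors: the 802.1Q tag is removed at the sub-interface, so a subnet that never appears in the selectors cannot be rescued by VLAN configuration on the switches.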
@Charper,
You are right. If you see all the VLAN networks as well in the address group, then we should be good.
I would suggest sending some ping traffic across the VPN and monitoring using the packet monitor tool to see what could be the problem.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Sorry it's been a bit since replying. I had a personal emergency to deal with. What I discovered on my end, which I will update you on later once I make some changes, is that our Cisco 4507R is not playing nice with the SonicWall. My initial testing was on a Cisco 500X and everything looked promising. However, after working on it Wednesday I discovered I could remote access from the public side (a temp measure till it's resolved) but not internally. Then I realized I had no traffic reaching the devices. I am in the middle of placing a 500X at each location to be the 'middle man' for testing my theory out. I'll keep you posted, and thanks for your advice!