JamesonJendreas

asked on
Sonicwall Site-to-Site VPN - Packet Manipulation

Got an interesting one here.  I have a remote office that is connected to my LAN via a site-to-site VPN, run through two Sonicwall firewalls (using the Enhanced OS).  The tunnel is up and running.

We have one problem, regarding communication between specific types of hardware and specific packets.  The hardware itself I know is operating properly.

So I did a packet capture on both Sonicwalls, filtering for two problematic devices.  We noticed that the original packet is actually a different size than when it hits the other side of the tunnel.  I know that any type of packet manipulation will break the communication of these devices.

That said, I want the Sonicwall to NOT inspect packets on the VPN.  We have DPI turned off across the system (using SPI).  My thought is to change the "VPN Policy Bound to" from "Zone WAN" to "X0" (LAN interface).

I'm wondering if this will work, and if there is anything that might break.
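The two-sided capture comparison described above, written out as an added example that is not code from this thread or from SonicWall; the packet summaries are constructed, and pairing packets by 5-tuple plus IP ID is an assumption about how the captures were exported:

```python
from collections import namedtuple

# Constructed packet summaries (not from the thread): the fields a firewall
# capture typically exports per packet. 'length' is the IP total length in bytes.
Packet = namedtuple("Packet", "ip_id src dst proto sport dport length df")

# Capture taken on the LAN-side firewall, before the traffic enters the tunnel.
LAN_SIDE = [
    Packet(0x1A2B, "10.0.1.20", "10.0.2.20", "udp", 5060, 5060, 1420, True),
    Packet(0x1A2C, "10.0.1.20", "10.0.2.20", "udp", 20000, 20000, 214, False),
    Packet(0x1A2D, "10.0.1.20", "10.0.2.20", "udp", 5060, 5060, 1480, True),
]

# Capture taken on the remote firewall, after the traffic leaves the tunnel.
REMOTE_SIDE = [
    Packet(0x1A2B, "10.0.1.20", "10.0.2.20", "udp", 5060, 5060, 1388, True),   # size changed
    Packet(0x1A2C, "10.0.1.20", "10.0.2.20", "udp", 20000, 20000, 214, False), # unchanged
    # 0x1A2D never shows up on the far side
]

def pair_key(p):
    """Assumed pairing key: 5-tuple plus IP ID identifies the same packet on both ends."""
    return (p.src, p.dst, p.proto, p.sport, p.dport, p.ip_id)

def compare_captures(before, after):
    """Pair packets by key and classify each as unchanged, modified (length differs,
    both lengths reported so the delta is visible) or missing on the far side."""
    after_by_key = {pair_key(p): p for p in after}
    result = {"unchanged": [], "modified": [], "missing": []}
    for p in before:
        key = pair_key(p)
        far = after_by_key.get(key)
        if far is None:
            result["missing"].append(key)
        elif far.length != p.length:
            result["modified"].append((key, p.length, far.length))
        else:
            result["unchanged"].append(key)
    return result

def large_df_packets(packets, threshold):
    """Packets with DF set at or above a size threshold: the ones a tunnel whose
    effective MTU is below the LAN MTU cannot carry without fragmenting or dropping."""
    return [pair_key(p) for p in packets if p.df and p.length >= threshold]

if __name__ == "__main__":
    report = compare_captures(LAN_SIDE, REMOTE_SIDE)
    print(report["modified"], report["missing"], large_df_packets(LAN_SIDE, 1400))
```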
Syed Muhammad Usman

Dear,

"My thought is to change the "VPN Policy Bound to" from "Zone WAN" to "X0" (LAN interface)" This will not work if the VPN is working on a public IP.

Log on to the SNA and make sure:

1) Network > Zones (no service enabled for VPN)
2) Network > WAN > Advanced (make sure Bandwidth Management is not enabled)
JamesonJendreas (ASKER)
OK - that's what I thought.  
I can confirm that no gateway services are enabled for VPN, and bandwidth management is not enabled on the WAN interface.

One note, is that I do have 2 WAN interfaces in a LB group.  They both link up to the same actual outbound circuit (single router with two WICs).  This is mainly due to us having two disjoint ranges of static IPs.
Ohhhhhh...
Are you saying "both WAN of SNA connected with same router"? If yes, this could be the issue...
So 2 WAN ports on the SNA (X1 and X2).  They each patch into a separate serial interface/WIC that has a defined public IP address, but it's a single router (and single bonded circuit).

The VPN is in main mode, and is using the IP address on the X1 interface.  One issue I can have is that if packets go out one interface and back in another, it will break the hardware I am using (it's a voice product).

To attempt to get around that, I am thinking of creating a new Zone and applying that to the X1 interface.  Then I would bind the VPN policy to that interface, as I do not want the VPN to load balance across the two WAN interfaces.
ASKER CERTIFIED SOLUTION
Syed Muhammad Usman
Ended up using a single interface for the VPN.