Solved

Sonicwall Site-to-Site VPN - Packet Manipulation

Posted on 2012-09-13
Last Modified: 2012-10-25
Got an interesting one here.  I have a remote office that is connected to my LAN via a site-to-site VPN, run through two SonicWall firewalls (using the Enhanced OS).  The tunnel is up and running.

We have one problem, regarding communication between specific types of hardware and specific packets.  The hardware itself I know is operating properly.

So I did a packet capture on both SonicWalls, filtering for two problematic devices.  We noticed that the original packet is actually a different size than when it hits the other side of the tunnel.  I know that any type of packet manipulation will break the communication of these devices.

That said, I want the SonicWall to NOT inspect packets on the VPN.  We have DPI turned off across the system (using SPI).  My thought is to change the "VPN Policy Bound to" from "Zone WAN" to "X0" (LAN interface).

I'm wondering if this will work, and if there is anything that might break.
Question by:JamesonJendreas
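The question turns on whether the firewalls are altering datagrams in transit, which is exactly what a capture on each SonicWall can settle if the two captures are compared packet by packet rather than eyeballed. The following is an added example, not code from this thread or from SonicWall: it parses two classic pcap files (Ethernet link type) with the standard library only, pairs each IPv4 datagram across the near and far captures by source, destination, protocol and IP identification, and reports datagrams whose total length, DF bit, fragment offset, TOS or ports changed, datagrams that never reached the far side, and far-side datagrams with no near-side counterpart. TTL is expected to drop by one per routing hop, so it is flagged only if it rises. The addresses, ports, payloads and capture contents in the demo are constructed for illustration; the `hosts` filter plays the role of the capture filter on the two problematic devices.

```python
"""Added example (not from the thread or SonicWall): diff two pcap captures taken on
either side of a VPN tunnel and report IPv4 datagrams that changed in transit.
Standard library only; sample addresses, ports and payloads are constructed."""
import struct

PCAP_MAGICS = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}   # magic as read little-endian -> byte order
ETHERTYPE_IPV4 = 0x0800
# Fields a router should leave alone. TTL is checked separately: each hop decrements it.
COMPARE_FIELDS = ('total_len', 'tos', 'df', 'frag_off', 'sport', 'dport')


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, dst, ip_id, ttl, payload, df=True, sport=5060, dport=5060):
    """Ethernet + IPv4 + UDP frame (UDP checksum zero, which IPv4 allows)."""
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), ip_id, 0x4000 if df else 0,
                     ttl, 17, 0, bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    ip = ip[:10] + struct.pack('!H', ip_checksum(ip)) + ip[12:]
    return bytes.fromhex('001122334455 66778899aabb') + struct.pack('!H', ETHERTYPE_IPV4) + ip + udp


def build_pcap(frames, start_ts=1347500000):
    """Little-endian classic pcap, link type 1 (Ethernet), one frame per second."""
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack('<IIII', start_ts + i, 0, len(frame), len(frame)) + frame)
    return b''.join(out)


def read_pcap(data):
    """Yield raw frames from a classic pcap byte string of either byte order."""
    endian = PCAP_MAGICS.get(struct.unpack_from('<I', data, 0)[0])
    if endian is None or struct.unpack_from(endian + 'I', data, 20)[0] != 1:
        raise ValueError('expected a classic pcap file with Ethernet link type')
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + 'IIII', data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_ipv4(frame):
    """IPv4 header fields used for the comparison, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from('!H', frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    vihl, tos, total_len, ip_id, flags_frag, ttl, proto = struct.unpack_from('!BBHHHBB', ip)
    info = {'src': '.'.join(map(str, ip[12:16])), 'dst': '.'.join(map(str, ip[16:20])),
            'id': ip_id, 'proto': proto, 'tos': tos, 'ttl': ttl, 'total_len': total_len,
            'df': bool(flags_frag & 0x4000), 'frag_off': flags_frag & 0x1FFF}
    ihl = (vihl & 0x0F) * 4
    if proto in (6, 17) and len(ip) >= ihl + 4:            # TCP/UDP: ports follow the header
        info['sport'], info['dport'] = struct.unpack_from('!HH', ip, ihl)
    return info


def datagram_key(info):
    """(src, dst, proto, IP ID) identifies the same datagram at both capture points."""
    return (info['src'], info['dst'], info['proto'], info['id'])


def compare_captures(near_pcap, far_pcap, hosts=()):
    """Match datagrams across the two captures; `hosts` narrows the comparison to
    frames to or from the devices of interest, like a capture filter."""
    def wanted(info):
        return info is not None and (not hosts or info['src'] in hosts or info['dst'] in hosts)

    near = {}
    for frame in read_pcap(near_pcap):
        info = parse_ipv4(frame)
        if wanted(info):
            near.setdefault(datagram_key(info), info)      # first sighting wins
    report = {'matched': 0, 'modified': [], 'missing_far': [], 'unmatched_far': []}
    seen = set()
    for frame in read_pcap(far_pcap):
        info = parse_ipv4(frame)
        if not wanted(info):
            continue
        k = datagram_key(info)
        if k not in near:
            report['unmatched_far'].append(k)
            continue
        seen.add(k)
        report['matched'] += 1
        before = near[k]
        diffs = {f: (before.get(f), info.get(f)) for f in COMPARE_FIELDS if before.get(f) != info.get(f)}
        if info['ttl'] > before['ttl']:                     # TTL may fall per hop, never rise
            diffs['ttl'] = (before['ttl'], info['ttl'])
        if diffs:
            report['modified'].append((k, diffs))
    report['missing_far'] = [k for k in near if k not in seen]
    return report


def demo_report():
    """Constructed captures: three datagrams leave the near LAN; at the far end one is
    intact (TTL down by two hops), one is padded with DF cleared, one never arrives,
    and an unrelated datagram shows up."""
    a, b = '10.1.1.50', '10.2.2.50'
    near = build_pcap([build_frame(a, b, 1001, 64, b'A' * 100),
                       build_frame(a, b, 1002, 64, b'B' * 100),
                       build_frame(a, b, 1003, 64, b'C' * 100)])
    far = build_pcap([build_frame(a, b, 1001, 62, b'A' * 100),
                      build_frame(a, b, 1002, 62, b'B' * 100 + b'\x00' * 60, df=False),
                      build_frame('10.9.9.9', b, 9, 62, b'hello')])
    return compare_captures(near, far, hosts={a, b})


if __name__ == '__main__':
    for section, items in demo_report().items():
        print(section, items)
```

To use it on real captures, export both SonicWall captures in pcap format, read each file's bytes and pass them to `compare_captures` with the two device addresses in `hosts`. A `modified` entry showing `total_len` changing with the same IP ID is direct evidence of rewriting or padding on the path; a large `missing_far` list with a matching `unmatched_far` list (same flows, different IP IDs) points instead at packets taking a different path or being re-originated, which is the asymmetric-routing symptom discussed later in the thread. IP ID matching assumes the sending host populates the identification field, which most do for UDP but some stacks zero for DF-set packets; match on ports and payload hash if that is the case.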
6 Comments
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38402673
Dear,

"My thought is to change the "VPN Policy Bound to" from "Zone WAN" to "X0" (LAN interface)" - this will not work if the VPN is working on a public IP.

Log on to the SNA and make sure:

1) Network > Zones (no service enabled for VPN)
2) Network > WAN > Advanced (make sure Bandwidth Management is not enabled)
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 38405918
OK - that's what I thought.
I can confirm that no gateway services are enabled for VPN, and that bandwidth management is not enabled on the WAN interface.

One note, is that I do have 2 WAN interfaces in a LB group.  They both link up to the same actual outbound circuit (single router with two WICs).  This is mainly due to us having two disjoint ranges of static IPs.
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38406403
Ohhhhhh...
Are you saying both WANs of the SNA are connected to the same router? If yes, this could be the issue...
 
LVL 1

Author Comment

by:JamesonJendreas
ID: 38406496
So 2 WAN ports on the SNA (X1 and X2).  They each patch into a separate serial interface/WIC that has a defined public IP address, but it's a single router (and single bonded circuit).

The VPN is in main mode, and is using the IP address on the X1 interface.  One issue I can have is that if packets go out one interface and back in another, it will break the hardware I am using (it's a voice product).

To attempt to get around that, I am thinking of creating a new Zone, and applying that to the X1 interface.  Then I would bind the VPN policy to that interface, as I do not want the VPN to load balance across the two WAN interfaces.
 
LVL 16

Accepted Solution

by:
Syed_M_Usman earned 2000 total points
ID: 38408241
Dear,

"One issue I can have is that if packets go out one interface and back in another, it will break the hardware I am using (it's a voice product)" - I doubt this will work.

"To attempt to get around that, I am thinking of creating a new Zone, and applying that to the X1 interface." - if you have more bandwidth on X1, you can use X1 as the VPN gateway.
 
LVL 1

Author Closing Comment

by:JamesonJendreas
ID: 38535276
Ended up using a single interface for the VPN.