SonicWall TZ 205 L2TP VPN cannot access any hosts

I have a SonicWall TZ205. When I connect using the GlobalVPN Connector on a Windows PC everything is fine and I can access the internal network hosts and web sites.

But when I connect on my Mac using L2TP I can connect to the VPN but cannot browse any of the network servers or intranet pages etc. I just get a not found error.
BrianFord asked:

bbao (IT Consultant) commented:
L2TP needs other configurations, not for GlobalVPN clients. see the instruction below.

Configuring the L2TP Server in SonicOS
http://www.sonicwall.com/downloads/Configuring_the_L2TP_Server_in_SonicOS.pdf
BrianFord (Author) commented:
Thanks

Your link isn't working for me.

I have followed the setup instructions located here: https://support.software.dell.com/kb/sw11409

but it still doesn't work.
bbao (IT Consultant) commented:
it's a bit strange that the given PDF link works well here. the PDF gives the instructions on how to configure L2TP on the SonicWALL as well as how to configure your Windows computer to access the L2TP server.

would you like to post your configuration in screenshots? you may mark the sensitive info such as IPs and credentials, if any.

BrianFord (Author) commented:
Unfortunately when I try your link it just re-directs to http://www.sonicwall.com/us/en/

Would you be able to attach the PDF here?

Actually my problem is not with the Windows PCs, they work fine with the Global Client.

The problem is with Macs as there is no Global client from SonicWall for the Mac.

L2TP screenshots attached, I'm no expert on this so I've probably not shown you what you need :)
Screen-Shot-1.png
Screen-Shot-2.png
Screen-Shot-3.png
bbao (IT Consultant) commented:
it seems EE does not allow members to upload any files except images, hence i can't share it with you. anyway, try this one:

http://www.sonicwall.com/downloads/SonicWALL_SonicOS_Standard_3.1_Administrators_Guide.pdf

your screenshots against L2TP settings look fine to me but some more important settings are not posted such as L2TP Users, firewall rules and NAT policies against L2TP clients.

> But when I connect on my MAC using L2TP I can connect to the VPN

once connected, are you able to green status under VPN status? if so, both L2TP connection and users settings should be okay.

> but cannot browse any of the network servers or intranet pages etc

it seems you haven't allowed L2TP users to access intranet and the Internet at NAT Policy and Firewall sections. you should explicitly allow L2TP clients to access LAN and the Internet at the matrix of firewall rules.
BrianFord (Author) commented:
Yes I get the green 'connected' status light.
Screen-Shot-5.png
bbao (IT Consultant) commented:
>> are you able to green status under VPN status?
> Yes I get the green 'connected' status light.

sorry i missed typing "see" but you did understand. :-)) no idea why i always miss typing something while answering from a mobile phone.

regarding your screenshot, what section is it from? can you also capture the column name as i can't determine the rule. FYI i don't have a SonicWALL device with me at the moment.
BrianFord (Author) commented:
Sorry, I meant to add the col names, this is from the Firewall - Access Rules - Matrix and the col names in order are: Source, Destination, Service, Action, Users.

I also just uploaded a screenshot of the active L2TP connection (screen shot 6)
Screen-Shot-6.png
bbao (IT Consultant) commented:
which section of the firewall rules is it? e.g. LAN to WAN, VPN to WAN, or VPN to LAN...?

the L2TP connection screen looks good. does the given user belong to the groups who are eligible to access LAN and the Internet?

anyway, per the described symptom, it should be an issue in firewall rules or access permissions.

BrianFord (Author) commented:
This was the VPN to LAN section, the user is a 'Local User' and has access to 'LAN Subnets'. The VPN setup has 'Split Tunnel' which I believe gives access to LAN and the outside world, correct?

I'm sure you are correct in where the issue lies but it's a little out of my expertise at this point, there are so many rules in there and I don't know which one I should be checking or how to simply create one with the correct parameters.

Thanks again for trying to help
BrianFord (Author) commented:
I FOUND IT :)

The issue lay with the order of authentication in the client setup of the VPN, I needed to move PAP to the top of the list. I found this section in the help documentation:

Configuring L2TP to use LDAP for MacOS and iOS Connections

Some care must be taken when configuring devices running MacOS or Apple iOS (iPad/iPhone/iPod touch) for L2TP connections using either LDAP or RADIUS. This is because iOS devices accept the first supported authentication protocol that is proposed by the server. In SonicOS, the default authentication protocol order was changed in SonicOS beginning in releases 5.8.0.8 and 5.8.1.1. Here are the default authentication protocol orders:

• Prior to 5.8.0.8 and 5.8.1.1: CHAP, PAP, MS-CHAP, MS-CHAPv2.

• 5.8.0.8 and 5.8.1.1 and above: MS-CHAPv2, CHAP, MS-CHAP, PAP.

Note: Upgrades from previous firmware versions will retain the original ordering. The new ordering is set on new installations only.

This change in default authentication protocol order, combined with the iOS behavior of accepting the first supported authentication protocol will default to SonicOS and iOS devices using RADIUS authentication (because Active Directory does not support CHAP, MS-CHAP, or MS-CHAPv2).

To force L2TP connections from iOS devices to use LDAP instead of RADIUS, follow the steps outlined below.

1. Navigate to the VPN > L2TP Server page.

2. Click Configure.

3. Click on the PPP tab.

4. Ensure that PAP is moved to the top of the list.

5. Click OK
VPNSETUP.png
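
The ordering effect described in the quoted help text, modelled as an added example (not part of the original thread and not SonicWall code): the server offers its PPP authentication protocols in list order and the client acks the first one it supports. The function names, the client's supported set and the order of the entries after PAP in `PAP_FIRST` are assumptions made for the illustration; the option encodings are the standard LCP values.

```python
import struct

# LCP Authentication-Protocol option (type 3): PPP protocol number plus,
# for CHAP variants, a one-byte algorithm (RFC 1661, RFC 1994).
AUTH = {
    "PAP":       (0xC023, None),
    "CHAP":      (0xC223, 0x05),  # MD5 challenge
    "MS-CHAP":   (0xC223, 0x80),
    "MS-CHAPv2": (0xC223, 0x81),
}
DEFAULT_NEW = ["MS-CHAPv2", "CHAP", "MS-CHAP", "PAP"]  # order quoted in the help text
PAP_FIRST = ["PAP", "MS-CHAPv2", "CHAP", "MS-CHAP"]    # assumed order after the fix

def encode_option(name):
    """Build the option bytes the server puts in its LCP Configure-Request."""
    proto, algo = AUTH[name]
    body = struct.pack("!H", proto) + (bytes([algo]) if algo is not None else b"")
    return bytes([3, 2 + len(body)]) + body

def decode_option(data):
    """Parse an Authentication-Protocol option back to a protocol name."""
    if len(data) < 4 or data[0] != 3 or data[1] != len(data):
        raise ValueError("not a well-formed Authentication-Protocol option")
    proto = struct.unpack("!H", data[2:4])[0]
    algo = data[4] if len(data) > 4 else None
    for name, value in AUTH.items():
        if value == (proto, algo):
            return name
    raise ValueError("unknown authentication protocol")

def negotiate(server_order, client_supports):
    """Server proposes in list order; the client acks the first one it supports."""
    for name in server_order:
        offered = decode_option(encode_option(name))
        if offered in client_supports:
            return offered
    return None  # no common protocol: the link is torn down

def backend_for(protocol):
    """PAP hands the server the password itself, so an LDAP bind can check it;
    the challenge-response variants go to RADIUS, as the help text describes."""
    if protocol is None:
        return None
    return "LDAP" if protocol == "PAP" else "RADIUS"

if __name__ == "__main__":
    client = {"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2"}  # constructed: accepts all four
    for label, order in (("new default", DEFAULT_NEW), ("PAP first", PAP_FIRST)):
        chosen = negotiate(order, client)
        print(f"{label}: {chosen} -> {backend_for(chosen)}")
```

With PAP at the top the password crosses the PPP link unhashed, so its confidentiality rests on the encryption underneath the L2TP session.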
BrianFord (Author) commented:
Pointed me in the right direction, thank you
bbao (IT Consultant) commented:
good on you and thanks for the points. :)
BrianFord (Author) commented:
You are welcome