VPN SITE TO SITE

Hi

I had created a site-to-site VPN between a PFSENSE and a SonicWall TZ400. The VPN is up, no problem. The only thing is that I cannot open resources like folders, RDP or ping from one side to the other. Does anybody know where I should look to fix this issue?

Thanks
jpmoreau Asked:

Blue Street Tech Commented:
Hi jpmoreau,

What is the make/model of both firewalls?

I take it traffic is not passing at all?
0
jpmoreau (Author) Commented:
I have PFSENSE 2.4 on one site and a SonicWall TZ400 on the other side. Correct, the traffic is not passing.
0
Blue Street Tech Commented:
1. In the SonicWALL, check the log monitor and see if there are any error/prevention/block/failed entries related to the traffic, e.g. IP spoof dropped alerts in the log. Then try to find out why the ICMP packets are dropped as IP spoofs. If this is the case, let me know and we can diagnose it further; I provided IP spoofing as an example of how to drill down into troubleshooting this.

2. Capture the packets (Dashboard or System > Packet Monitor) on the firewall's WAN interfaces and verify packets can be sent out from the WAN interface correctly. In this case, while pinging from the LAN side of the SonicWALL to the remote gateway, the SonicWALL is generating an ICMP Redirect packet. So it looks like a routing issue rather than a S2S (Site-to-Site) VPN one.

3. Then navigate to Network > Routing, and check the Route Policies. In the Route Policy entry, look for the PFSENSE Address Object under the Destination column and verify the subnet mask is correct. For example, if it has a 31-bit subnet mask, no traffic will pass, since a 31-bit subnet mask is not supported by SonicOS unless your SonicOS version is 6.2.7.1 or greater. In this case, the SonicWALL does not recognize the traffic from the PFSENSE network.

4. Dial in your MTU on both firewalls; here's how: https://www.experts-exchange.com/articles/12615/Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.html

Reduce the VPN proposals to the lowest security settings in order to establish a baseline: DH Group 1, 3DES, SHA1, No Perfect Secrecy, etc. Make sure the local & remote networks are set up correctly. Verify the Address Objects are correct for the respective networks.

Let me know what you find and if you have any questions!
0
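The steps above boil down to confirming that the two peers describe the same pair of networks (step 3's Address Object / subnet-mask check, and the "local & remote networks are set up correctly" check at the end). The following script is an added example, not code from the thread or from either vendor: it compares the phase-2 selectors as each firewall has them configured, flags a one-way mismatch (which is exactly what produces "ping works from A to B but not B to A"), flags overlapping LANs, and flags a /31 mask on the SonicWALL side when the SonicOS version is below 6.2.7.1, the threshold the answer gives. The version threshold, the address format and the sample networks are assumptions I constructed for illustration.

```python
# Added example: phase-2 (traffic selector) sanity check for a pfSense <-> SonicWALL
# site-to-site VPN. Not part of the thread or either product; all addresses below are
# constructed sample values, not the asker's real networks.
import ipaddress

# Assumption taken from the answer above: /31 masks need SonicOS 6.2.7.1 or greater.
SONICOS_31BIT_MIN = (6, 2, 7, 1)


def parse_version(text):
    """'6.2.7.1' -> (6, 2, 7, 1); shorter strings are zero-padded so they compare."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def check_phase2(pfsense, sonicwall, sonicos_version):
    """Compare both peers' phase-2 settings.

    pfsense / sonicwall: dicts with 'local' and 'remote' CIDR strings, entered
    exactly as each firewall has them configured. Returns a list of problem
    strings; an empty list means the selectors are consistent.
    """
    problems = []
    pf_local = ipaddress.ip_network(pfsense["local"], strict=False)
    pf_remote = ipaddress.ip_network(pfsense["remote"], strict=False)
    sw_local = ipaddress.ip_network(sonicwall["local"], strict=False)
    sw_remote = ipaddress.ip_network(sonicwall["remote"], strict=False)

    # 1. Each side's "remote" must be exactly the other side's "local". A mismatch
    #    in only one of the two pairs gives a tunnel that is "up" but passes
    #    traffic in one direction only.
    if pf_remote != sw_local:
        problems.append(f"pfSense remote {pf_remote} != SonicWALL local {sw_local}")
    if sw_remote != pf_local:
        problems.append(f"SonicWALL remote {sw_remote} != pfSense local {pf_local}")

    # 2. The two LANs must not overlap; otherwise neither firewall can decide
    #    whether a destination is local or belongs on the far side of the tunnel.
    if pf_local.overlaps(sw_local):
        problems.append(f"local subnets overlap: {pf_local} and {sw_local}")

    # 3. A /31 mask in the SonicWALL's objects is rejected by SonicOS below 6.2.7.1
    #    (the route-policy step in the answer), so no traffic matches the route.
    if parse_version(sonicos_version) < SONICOS_31BIT_MIN:
        for label, net in (("SonicWALL local", sw_local), ("SonicWALL remote", sw_remote)):
            if net.version == 4 and net.prefixlen == 31:
                problems.append(
                    f"{label} {net} uses a /31 mask, unsupported on SonicOS {sonicos_version}"
                )
    return problems


if __name__ == "__main__":
    # Constructed sample: the SonicWALL has the pfSense LAN entered with a /31 mask.
    pf = {"local": "192.168.10.0/24", "remote": "192.168.20.0/24"}
    sw = {"local": "192.168.20.0/24", "remote": "192.168.10.0/31"}
    for problem in check_phase2(pf, sw, "6.2.5.0"):
        print("PROBLEM:", problem)
```

Run it with each firewall's configured networks and fix whichever line it reports; if it reports nothing, the selectors are consistent and the remaining suspects are the log entries, the packet capture and the MTU from steps 1, 2 and 4.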


jpmoreau (Author) Commented:
I erased all my VPNs on both sides and rebuilt them. Now I can ping from PFSENSE to SonicWall but not from SonicWall to PFSENSE. The same goes for opening directories and everything else.
0
Fred Marshall Commented:
Not all VPNs are created equal. The subnets are different, right?

The Windows firewall can affect File and Printer Sharing between subnets. If that's the issue, then adding Scope to the File and Printer Sharing rules may fix it.
You would have "local subnet" and then you would add the other subnet to Inbound Rules / Remote Address in addition.
0
Blue Street Tech Commented:
Again, JP, what are you seeing in the logs?

What has the packet capture shown? Have you set one up for the VPN?

These are the starting points for troubleshooting this. I laid out everything in my previous comment above.

If you need help in performing any of these...simply ask!
0
jpmoreau (Author) Commented:
I don't need this VPN anymore.
0