VPN SITE TO SITE

jpmoreau
Hi

I had created a SITE to SITE VPN between a PFSENSE and a SonicWall TZ400. The VPN is up, no problem. The only thing is that I cannot open resources like folders, RDP or ping from one side to the other. Does anybody know where I should look to fix this issue?

Thanks
Last Knight (Blue Street Tech)
Distinguished Expert 2018

Commented:
Hi jpmoreau,

What is the make/model of both firewalls?

I take it traffic is not passing at all?

Author

Commented:
I have PFSENSE 2.4 on one site and a SonicWall TZ400 on the other side. Correct, the traffic is not passing.
Last Knight
Distinguished Expert 2018
Commented:
1. In the SonicWALL, check the log monitor and see if there are any error/prevention/block/failed entries related to the traffic, e.g. IP spoof dropped alerts in the log. Then try to find out why the ICMP packets are dropped as IP Spoofs. If this is the case let me know and we can further diagnose this, but I provided the IP Spoofing as an example of how to drill down into troubleshooting this.

2. Capture the packets (Dashboard or System > Packet Monitor) on the firewall's WAN interfaces and verify packets can be sent out from the WAN interface correctly. In this case, while pinging from LAN side of SonicWALL to the remote gateway, the SonicWALL is generating an ICMP Redirect packet. So it looks like a routing issue rather than a S2S (Site-to-Site) VPN one.

3. Then navigate to Network > Routing, and check the Route Policies. From the Route Policy entry, look for the PFSENSE Address Object under the Destination column and verify the subnet mask is correct. For example, if it has a 31-Bit subnet mask this will cause no traffic to pass, since a 31-Bit subnet mask is not supported by SonicOS unless your SonicOS version is 6.2.7.1 or greater. In this case, the SonicWALL does not recognize the traffic from the PFSENSE network.

4. Dial in your MTU on both firewalls, here's how: https://www.experts-exchange.com/articles/12615/Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.html

Reduce the VPN proposals to the lowest security settings in order to establish a baseline: DH Group 1, 3DES, SHA1, No Perfect Secrecy, etc. Make sure the local & remote networks are set up correctly. Verify the Address Objects are correct for the respective networks.

Let me know what you find and if you have any questions!

Author

Commented:
I erased all my VPNs on both sides and rebuilt them. Now I can ping from PFSENSE to SonicWall but not from SonicWall to PFSENSE. The same for opening directories and everything.

Not all VPNs are created equal. The subnets are different, right?

The Windows firewall can affect File and Printer sharing between subnets. If that's the issue, then adding Scope to the File and Printer sharing rules may fix it.
You would have "local subnet" and then you would add the other subnet to Incoming Rules / Remote Address in addition.
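The two configuration checks raised in this thread, the local and remote subnets being distinct (the question just above) and the address-object masks being valid for the SonicWALL (the 31-bit mask restriction from Last Knight's step 3), as an added Python example that is not part of this thread or of either vendor's tooling. The subnets and SonicOS version strings are constructed samples, and the version comparison assumes a plain dotted numeric version string.

```python
import ipaddress
from typing import List, Tuple

# Constructed example, not from the thread. SonicOS 6.2.7.1 is the version
# the thread names as the first release that accepts a 31-bit mask.
SONICOS_MIN_FOR_SLASH31: Tuple[int, ...] = (6, 2, 7, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '6.5.4.4' into a comparable tuple.

    Assumes a plain dotted numeric string (a simplification for this example).
    """
    return tuple(int(part) for part in version.split("."))


def supports_slash31(sonicos_version: str) -> bool:
    """True when the SonicOS version is 6.2.7.1 or later."""
    return parse_version(sonicos_version) >= SONICOS_MIN_FOR_SLASH31


def _normalise(name: str, cidr: str, findings: List[str]):
    """Parse an address object; report when host bits are set in the network part."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        # Something like 192.168.10.5/24 was entered where 192.168.10.0/24 was meant.
        net = ipaddress.ip_network(cidr, strict=False)
        findings.append(
            f"{name} address object {cidr} has host bits set; "
            f"the network it falls in is {net}"
        )
        return net


def check_s2s_networks(local_cidr: str, remote_cidr: str, sonicos_version: str) -> List[str]:
    """Return findings for the local/remote address objects of a site-to-site tunnel.

    An empty list means nothing obviously wrong with the two network objects.
    """
    findings: List[str] = []
    local = _normalise("local", local_cidr, findings)
    remote = _normalise("remote", remote_cidr, findings)

    # Traffic can only be routed into the tunnel when the two sides are distinct.
    if local.overlaps(remote):
        findings.append(
            f"local {local} and remote {remote} overlap; the two sites need different subnets"
        )

    # A 31-bit mask is only accepted by SonicOS 6.2.7.1 or later.
    for name, net in (("local", local), ("remote", remote)):
        if net.prefixlen == 31 and not supports_slash31(sonicos_version):
            findings.append(
                f"{name} {net} uses a 31-bit mask, which SonicOS {sonicos_version} does not support"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample objects: a sane pair, an overlapping pair and a /31 on old firmware.
    for args in (
        ("192.168.10.0/24", "192.168.20.0/24", "6.5.4.4"),
        ("192.168.10.0/24", "192.168.10.128/25", "6.5.4.4"),
        ("10.0.0.0/31", "192.168.20.0/24", "6.2.5.0"),
    ):
        print(args, "->", check_s2s_networks(*args) or ["ok"])
```

Run it against the address objects from both firewalls before touching the proposals; if it reports anything, the tunnel can come up and still pass no traffic, which matches the symptom in the question.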
Last Knight (Blue Street Tech)
Distinguished Expert 2018

Commented:
Again, JP, what are you seeing in the logs?

What has the packet capture shown? Have you set one up for the VPN?

These are the starting points to troubleshooting this. I laid out everything in my previous comment above.

If you need help in performing any of these, simply ask!

Author

Commented:
I don't need this VPN anymore.
