Topic: Sonicwall Global VPN Client only ping pass
« on: December 01, 2013, 13:14:12 »
mr.sarge *
Posts: 13

Hi,

I can establish a VPN connection successfully (GVC 4.8.6 to NSA 2400), but only ping to the hosts passes (no RDP, telnet etc. possible).
In the firewall log I see entries like this (telnet):

X 13:03:56.789608    LAN    192.168.1.130, port 50775    10.0.10.13, port 25    TCP

Tried the option "bypass firewall rules on same subnet", static routes and different firewall rules (without success).

Any ideas what can be the problem?

thanks!
« Reply #1 on: December 02, 2013, 00:13:44 »
Lee Sharp *****
Posts: 517

We really need a LOT more information to even begin troubleshooting this.
« Reply #2 on: December 02, 2013, 15:37:41 »
mr.sarge *
Posts: 13

Hi,

the configuration looks like this.

Main office:
Sonicwall NSA 2400 - SonicOS Enhanced 5.8.1.4-43o
Network: 10.0.0.0/16

WAN GroupVPN:
IKE Phase 1
DH Group 2, 3DES, SHA1, 28800

IPsec Phase 2
ESP, 3DES, SHA1, 28800

Client Authentication:
Allow Unauthenticated VPN Client Access: Firewalled Subnets


Home office:

Fritzbox 7270, Monowall 1.32
Network 192.168.1.0/24

LAN IP Monowall: 192.168.1.254
WAN IP Monowall: 192.168.2.1
GW Monowall: 192.168.2.254

LAN IP Fritzbox: 192.168.2.254
WAN IP Fritzbox: ISP

LAN IP PC: 192.168.1.130


best regards,

Sarge
« Reply #3 on: December 03, 2013, 02:48:34 »
Lee Sharp *****
Posts: 517

You are dual NATting and the remote site may not be able to get back to the m0n0wall.  Does it have a path?  (Also, on the WAN config make sure you are not filtering private IPs.)

Also, upgrade your firmware.  1.34 has a few bug fixes over 1.32...
« Reply #4 on: December 03, 2013, 21:20:27 »
mr.sarge *
Posts: 13

Hello Lee, thanks for your information.

Upgraded to 1.34, private IPs are not filtered.

When I open the VPN tunnel, Phase 2 completes successfully and I can ping ANY host (10.0.x.x), but nothing else (see also the Sonicwall GVC log):

2013/12/03 21:08:45:056   Information   217.199.26.57   Starting ISAKMP phase 2 negotiation with 10.0.0.0/255.255.0.0:Any:Any:N/A.
2013/12/03 21:08:45:056   Information   217.199.26.57   Starting quick mode phase 2 exchange.
2013/12/03 21:08:45:118   Information   217.199.26.57   The SA lifetime for phase 2 is 28800 seconds.
2013/12/03 21:08:45:118   Information   217.199.26.57   Phase 2 with 10.0.0.0/255.255.0.0:Any:Any:N/A has completed.

When I telnet to 10.0.10.13 25, the traffic is blocked, as you can see in the firewall log.
I have no idea where I have to insert a rule, because I already allowed from LAN to any!?

X 21:37:50.344858    LAN    192.168.1.130, port 49879    10.0.10.13, port 25    TCP

What do you mean with "does it have a path"?

best regards,

Sarge


« Last Edit: December 03, 2013, 21:42:53 by mr.sarge »
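As an added illustration (not code from the thread or from m0n0wall), a small script that parses block entries in the format quoted above and flags those whose destination falls inside the Phase 2 selector 10.0.0.0/255.255.0.0 reported by the GVC log. Such a hit means the local firewall dropped a packet that should have entered the tunnel, so the IKE negotiation is not the problem. The "X" marker is taken from the quoted lines; the "P" pass marker and the third log line are constructed for contrast.

```python
import ipaddress
import re

# Constructed sample: the two block entries quoted in the thread plus one
# constructed pass entry (marker "P" is an assumption, used only for contrast).
FIREWALL_LOG = """\
X 13:03:56.789608    LAN    192.168.1.130, port 50775    10.0.10.13, port 25    TCP
X 21:37:50.344858    LAN    192.168.1.130, port 49879    10.0.10.13, port 25    TCP
P 21:38:01.000000    LAN    192.168.1.130, port 49880    203.0.113.10, port 53    UDP
"""

# Phase 2 traffic selector as reported by the GVC log: 10.0.0.0/255.255.0.0
PHASE2_SELECTOR = ipaddress.ip_network("10.0.0.0/255.255.0.0")

# One log entry: marker, timestamp, interface, "src, port N", "dst, port N", proto
LINE_RE = re.compile(
    r"^(?P<action>[XP])\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+), port (?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+), port (?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def parse_line(line):
    """Parse one firewall log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_tunnel_flows(log_text, selector=PHASE2_SELECTOR):
    """Return (iface, src, dst, dport, proto) for every block entry whose
    destination lies inside the IPsec Phase 2 selector."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "X":
            continue
        if ipaddress.ip_address(rec["dst"]) in selector:
            hits.append((rec["iface"], rec["src"], rec["dst"], rec["dport"], rec["proto"]))
    return hits


if __name__ == "__main__":
    for hit in blocked_tunnel_flows(FIREWALL_LOG):
        print("blocked inside tunnel selector:", hit)
```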
« Reply #5 on: December 04, 2013, 18:08:12 »
Lee Sharp *****
Posts: 517

Check the option to allow fragmented ipsec packets.
« Reply #6 on: December 06, 2013, 15:43:24 »
mr.sarge *
Posts: 13

Hi,

Fragmented IPsec packets are allowed. At the weekend I'll try the ShrewSoft VPN Client; maybe with this client I don't have problems.

best regards,

Sarge
« Reply #7 on: December 09, 2013, 07:55:47 »
mr.sarge *
Posts: 13

Figured it out: I had to configure and use DHCP over VPN and local users on the Sonicwall. Otherwise it doesn't work with the Sonicwall GVC. Before, I used the Greenbow VPN Client without any problems.

best regards,

Sarge