Topic: Sonicwall Global VPN Client only ping pass
Sonicwall Global VPN Client only ping pass
« on: December 01, 2013, 13:14:12 »
mr.sarge
Posts: 13
Hi,
I can establish a VPN connection successfully (GVC 4.8.6 to NSA 2400), but only pings to the hosts pass (no RDP, telnet etc. possible).
In the firewall-Log I see entries like this (telnet):
X 13:03:56.789608 LAN 192.168.1.130, port 50775 10.0.10.13, port 25 TCP
I tried the option "bypass firewall rules on same subnet", static routes and different firewall rules, without success.
Any ideas what can be the problem?
thanks!
Re: Sonicwall Global VPN Client only ping pass
« Reply #1 on: December 02, 2013, 00:13:44 »
Lee Sharp
Posts: 517
We really need a LOT more information to even begin troubleshooting this.
Re: Sonicwall Global VPN Client only ping pass
« Reply #2 on: December 02, 2013, 15:37:41 »
mr.sarge
Posts: 13
Hi,
the configuration looks like this.
Main office:
Sonicwall NSA 2400 - SonicOS Enhanced 5.8.1.4-43o
Network: 10.0.0.0/16
WAN GroupVPN:
IKE Phase1
DH Group 2, 3DES, SHA1, 28800
Ipsec Phase2
ESP, 3DES, SHA1, 28800
Client Authentication:
Allow Unauthenticated VPN Client Access: Firewalled Subnets
Home office:
Fritzbox 7270, Monowall 1.32
Network 192.168.1.0/24
LAN IP Monowall: 192.168.1.254
WAN IP Monowall: 192.168.2.1
GW Monowall: 192.168.2.254
LAN IP Fritzbox: 192.168.2.254
WAN IP Fritzbox: ISP
LAN IP PC: 192.168.1.130
best regards,
Sarge
Re: Sonicwall Global VPN Client only ping pass
« Reply #3 on: December 03, 2013, 02:48:34 »
Lee Sharp
Posts: 517
You are dual NATting and the remote site may not be able to get back to the m0n0wall. Does it have a path? (Also, on the WAN config make sure you are not filtering private IPs.)
Also, upgrade your firmware. 1.34 has a few bug fixes over 1.32...
Re: Sonicwall Global VPN Client only ping pass
« Reply #4 on: December 03, 2013, 21:20:27 »
mr.sarge
Posts: 13
Hello Lee, thanks for your information.
Upgraded to 1.34; private IPs are not filtered.
When I open the VPN tunnel, Phase 2 completes successfully and I can ping ANY host (10.0.x.x), but nothing else works (see also the Sonicwall GVC log):
2013/12/03 21:08:45:056 Information 217.199.26.57 Starting ISAKMP phase 2 negotiation with 10.0.0.0/255.255.0.0:Any:Any:N/A.
2013/12/03 21:08:45:056 Information 217.199.26.57 Starting quick mode phase 2 exchange.
2013/12/03 21:08:45:118 Information 217.199.26.57 The SA lifetime for phase 2 is 28800 seconds.
2013/12/03 21:08:45:118 Information 217.199.26.57 Phase 2 with 10.0.0.0/255.255.0.0:Any:Any:N/A has completed.
When I telnet to 10.0.10.13 25, the traffic is blocked, as you can see in the firewall log:
X 21:37:50.344858 LAN 192.168.1.130, port 49879 10.0.10.13, port 25 TCP
I have no idea where I have to insert a rule, because I already allowed LAN to any!?
What do you mean with "does it have a path"?
best regards,
Sarge
Attachment: GVCLog.txt (12.15 KB)
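One way to read the two logs in the post above together, as an added example that is not part of the thread: the m0n0wall filter log shows what is actually on the wire between the PC and the gateway, and the GVC log shows which destinations the Phase 2 SA covers. If the gateway sees a plain TCP packet for a destination inside the negotiated selector, the client put that packet on the LAN unencapsulated, so the VPN client never claimed it; if instead the gateway drops UDP 500/4500 or ESP to the IKE peer, the filter is breaking the tunnel transport itself. The script below parses both formats exactly as quoted in the thread and classifies each blocked line. Assumptions, not stated on the page: the leading "X" in the pasted m0n0wall lines is the block marker of the GUI log view, and the third m0n0wall sample line (UDP 4500 to the peer) is constructed here to show the second failure mode. The code is mine, not m0n0wall's or SonicWall's.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. The first two m0n0wall lines and both GVC lines
# copy the format of the lines quoted in the thread; the third m0n0wall line
# (UDP 4500 to the IKE peer) is invented here to show the other failure mode.
MONOWALL_LOG = """\
X 13:03:56.789608 LAN 192.168.1.130, port 50775 10.0.10.13, port 25 TCP
X 21:37:50.344858 LAN 192.168.1.130, port 49879 10.0.10.13, port 25 TCP
X 21:38:01.000000 LAN 192.168.1.130, port 4500 217.199.26.57, port 4500 UDP
"""
GVC_LOG = """\
2013/12/03 21:08:45:056 Information 217.199.26.57 Starting ISAKMP phase 2 negotiation with 10.0.0.0/255.255.0.0:Any:Any:N/A.
2013/12/03 21:08:45:118 Information 217.199.26.57 Phase 2 with 10.0.0.0/255.255.0.0:Any:Any:N/A has completed.
"""

# m0n0wall filter log as pasted: marker, time, interface, "src, port N", "dst, port N", proto.
# Assumption: the leading "X" is the block marker of the web GUI log view.
MONOWALL_RE = re.compile(
    r"^(?P<act>\S+)\s+(?P<ts>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+), port (?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+), port (?P<dport>\d+)\s+(?P<proto>\S+)$"
)
# GVC log: date, time, level, peer address, message. Only the
# "Phase 2 with ... has completed" message carries the negotiated selector.
GVC_P2_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<peer>[\d.]+) Phase 2 with (?P<net>[\d.]+)/(?P<mask>[\d.]+):\S+ has completed\."
)
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T; a client behind NAT ends up on 4500


@dataclass(frozen=True)
class Flow:
    action: str
    iface: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


@dataclass(frozen=True)
class Tunnel:
    peer: ipaddress.IPv4Address
    selectors: Tuple[ipaddress.IPv4Network, ...]


def parse_monowall(log: str) -> List[Flow]:
    """Parse pasted m0n0wall filter log lines; lines in another format are skipped."""
    flows = []
    for line in log.splitlines():
        m = MONOWALL_RE.match(line.strip())
        if m:
            flows.append(Flow(m["act"], m["iface"],
                              ipaddress.IPv4Address(m["src"]), int(m["sport"]),
                              ipaddress.IPv4Address(m["dst"]), int(m["dport"]),
                              m["proto"].upper()))
    return flows


def parse_gvc(log: str) -> Optional[Tunnel]:
    """Collect the IKE peer and every completed Phase 2 traffic selector."""
    peer, nets = None, []
    for line in log.splitlines():
        m = GVC_P2_RE.match(line.strip())
        if m:
            peer = ipaddress.IPv4Address(m["peer"])
            nets.append(ipaddress.IPv4Network(f"{m['net']}/{m['mask']}"))
    return Tunnel(peer, tuple(nets)) if peer else None


def diagnose(flow: Flow, tunnel: Tunnel) -> str:
    """Classify one packet the gateway logged on the LAN side."""
    if flow.action != "X":
        return "passed"
    # The tunnel transport itself (ESP or IKE/NAT-T to the peer) was dropped:
    # that really is a gateway rule problem.
    if flow.dst == tunnel.peer and (flow.proto == "ESP" or
                                   (flow.proto == "UDP" and flow.dport in IKE_PORTS)):
        return "tunnel-transport-blocked"
    # A plain packet for a subnet the SA covers reached the gateway, so the
    # client sent it unencapsulated: the VPN client never routed it into the
    # tunnel. Fix the client's routing/policy, not the gateway rule set.
    if any(flow.dst in net for net in tunnel.selectors):
        return "cleartext-to-protected-subnet"
    return "unrelated"


def diagnose_logs(monowall_log: str, gvc_log: str) -> List[Tuple[Flow, str]]:
    tunnel = parse_gvc(gvc_log)
    if tunnel is None:
        raise ValueError("no completed Phase 2 in GVC log")
    return [(f, diagnose(f, tunnel)) for f in parse_monowall(monowall_log)]


if __name__ == "__main__":
    for flow, verdict in diagnose_logs(MONOWALL_LOG, GVC_LOG):
        print(f"{flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"on {flow.iface}: {verdict}")
```

On the lines quoted in the thread the verdict is "cleartext-to-protected-subnet": the gateway is seeing the SMTP SYNs in the clear even though 10.0.10.13 lies inside the 10.0.0.0/16 selector, which points at the client side rather than at m0n0wall's LAN rules.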
Re: Sonicwall Global VPN Client only ping pass
« Reply #5 on: December 04, 2013, 18:08:12 »
Lee Sharp
Posts: 517
Check the option to allow fragmented ipsec packets.
Re: Sonicwall Global VPN Client only ping pass
« Reply #6 on: December 06, 2013, 15:43:24 »
mr.sarge
Posts: 13
Hi,
Fragmented IPsec packets are allowed. At the weekend I'll try the ShrewSoft VPN client; maybe with this client I won't have problems.
best regards,
Sarge
Re: Sonicwall Global VPN Client only ping pass
« Reply #7 on: December 09, 2013, 07:55:47 »
mr.sarge
Posts: 13
Figured it out: I had to configure and use DHCP over VPN and local users on the SonicWall. Otherwise it doesn't work with the SonicWall GVC. Before that I used the Greenbow VPN client without any problems.
best regards,
Sarge