site to site VPN with 2 lan subnets

December 31, 2008 at 08:32:47
Specs: sonicwall, enhanced os 4.
I would appreciate your technical expertise on this issue that we have encountered. The customer has a SonicWall Pro 2040 with Enhanced OS version 4.0.10.15e. Our office has a Fortigate 100A. We managed to bring up the site-to-site VPN between the two firewalls. All of the SonicWall's local LAN subnets are able to reach our private LAN network behind the Fortigate without any problem. From our private network (Fortigate) we can reach the LAN interface and the same subnet of the SonicWall without any authentication process.

However, we are not able to reach any subnet other than the LAN interface subnet of the SonicWall. An authentication process is needed before we are allowed to reach the other subnets, located at 20 remote locations island-wide (all having different subnets). The authentication only allows 2 hours, after which a re-login is required again. Being a site-to-site VPN connection, we cannot afford this. The authentication is company policy for internal users, who must authenticate before they are allowed to access the remote locations and the Internet. This has affected the site-to-site VPN as well. We cannot find any setting to bypass this restriction or an exemption filter. We need your advice on this.

(FYI)

SonicWall

10.100.x.x (directly connected to the SonicWall firewall)

10.101.x.x (connected to the remote locations) (there is routing from the firewall to the router and vice versa)

Fortigate

172.17.x.x

When I access 10.101.x.x (SonicWall) from my private LAN network behind the Fortigate, the picture below (policy login redirect) appears.

When I access 10.100.x.x, there is no problem.

#1
December 31, 2008 at 08:54:18
Your description of your topology isn't clear.

You say lan segments beyond the sonicwall.

But then you mention authentication, which is done on a client VPN basis. After all, the site-to-site VPN is already set up with passkeys.

I have a site-to-site VPN which allows the remote office to network with sites beyond the SonicWall that are also behind routers. No authentication is required for the remote office to access any of our WAN resources.

We also use the same SonicWall for client VPN access.

It is unclear if your authentication issue is on the LAN side of the SonicWall, or if you are expecting the SonicWall to host the site-to-site VPN and then bounce it out to the remote site connections that are under the authentication restriction.

'tis the season to be of good cheer. Wishing one and all happy times with family and friends.

#2
December 31, 2008 at 10:04:27
OK, I will briefly explain again.

SonicWall site:
There are an HQ and outlets.
Outlets: 20 outlets are connected with an IPVPN (MPLS) that is supported by the ISP. The outlets' LAN network is 10.101.x.x.
There is one CE router in HQ.
One of the router's subnets is 10.100.x.x (for the HQ LAN) and the other subnet is 10.101.x.x (for the outlets).

HQ: The HQ local network is 10.100.x.x, which is directly connected to the SonicWall firewall.
There is routing from the SonicWall FW to the IPVPN CE router and vice versa. So the whole HQ LAN network is pingable from all outlets and vice versa.
What I described above is their internal network.

When the outlet users or HQ users need to access the Internet, they must pass through the SonicWall firewall. If a user needs to access the Internet, the user must log in (authentication) to the SonicWall firewall (the local user database is stored in the SonicWall).
The login policy lifetime is set to 2 hours only.


Fortigate site:
The local network address is 172.17.x.x.

From the Fortigate LAN network I want to ping both SonicWall LAN subnets.
So I created a VPN tunnel. After the VPN tunnel is established, I can access 10.100.x.x, which is directly connected to the firewall.
I can't access 10.101.x.x, which is the outlets network. But after I log in (user authentication) to the SonicWall, I can access 10.101.x.x (outlets network).

(Both the 10.100.x.x and 10.101.x.x subnets can ping the 172.17.x.x network.)

I want to access 10.101.x.x (outlets network) without a user authentication login to the SonicWall firewall.

So where is the problem and how do I solve it? Please advise me.
I'm not familiar with the SonicWall Enhanced OS firewall.


#3
December 31, 2008 at 11:06:40
"But after I log in (user authentication) to the SonicWall, I can access 10.101.x.x (outlets network)."

That is NOT a site-to-site VPN. That is client VPN access, which is what you have set up for users accessing the Internet. You want device-to-device VPN, not client-to-device VPN. Site-to-site VPN does not require user authentication. It is transparent to the user.

This is where the problem resides. I suspect the problem is the Fortigate.

Looking here:
http://www.thaibizhost.com/fortinet...

I see no mention of site-to-site VPN support. You may need to replace it with another SonicWall.

If you can make a site-to-site VPN, then on the SonicWall side you need to set up the routes/rules to the other subnets per the site-to-site link.

PS. With a current SonicWall maintenance subscription you get free tech support.

'tis the season to be of good cheer. Wishing one and all happy times with family and friends.


#4
December 31, 2008 at 22:21:11
The SonicWall firewall's maintenance subscription has expired. Also, I am a third party doing the SonicWall firewall configuration.

My site is the Fortigate firewall. I have created a site-to-site VPN (SonicWall 10.100.x.x to Fortigate 172.17.x.x).
As I said before, after the VPN is established I can access 10.100.x.x. But when I access the 10.101.x.x network from a browser, e.g. (http://10.101.x.x), the page is redirected to (http://10.100.x.x/polLoginRedirect.html). Without a user authentication login to the SonicWall firewall, I can't get any access such as ping or browsing.

PS. I also created a site-to-site VPN (phase 2) from 10.101.x.x (SonicWall) to 172.17.x.x (Fortigate). The VPN tunnel is established, but I still can't ping or get other access without an authentication login to the SonicWall.
Do you have any idea? Thanks for your post.
Sorry for my poor English.


#5
January 4, 2009 at 12:13:42
Once you create the site-to-site VPN, you need to establish rules at each end that allow that VPN traffic full access to the LANs on either side. This is what appears to be stopping your LAN access after your site-to-site VPN is established.

Look at the rules for the VPN clients' access and duplicate those rules for LAN access.

'tis the season to be of good cheer. Wishing one and all happy times with family and friends.

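Added illustration, not from the thread and not SonicWall's or Fortinet's own code: a simplified first-match, zone-based access-rule evaluator in Python that shows why the tunnel reaches 10.100.x.x freely while 10.101.x.x lands on a login redirect, and how an explicit VPN-to-LAN rule for the outlet subnet with no user restriction, as the answer above suggests, changes the outcome. The zone table, the rule sets and the addresses are constructed for the example and are not the customer's real configuration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src: str        # source network (CIDR)
    dst: str        # destination network (CIDR)
    users: str      # "all", or a user group that must log in first

# Constructed zone table (not the customer's real config): the outlet
# subnet is reached through a router on the LAN side, so it belongs to
# the LAN zone rather than to an interface of its own.
ZONES = {
    "VPN": ["172.17.0.0/16"],                   # Fortigate side of the tunnel
    "LAN": ["10.100.0.0/16", "10.101.0.0/16"],  # HQ LAN plus routed outlets
}

def zone_of(ip):
    for zone, nets in ZONES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return zone
    return "WAN"

def evaluate(src_ip, dst_ip, rules):
    """First-match lookup: returns 'allow', 'login-redirect' or 'deny'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    zones = (zone_of(src), zone_of(dst))
    for r in rules:
        if (r.src_zone, r.dst_zone) != zones:
            continue
        if src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst):
            # A rule limited to a user group does not pass unauthenticated
            # traffic; it sends the client to the login page instead.
            return "allow" if r.users == "all" else "login-redirect"
    return "deny"

# Before: only the directly connected HQ subnet is opened to the tunnel,
# so traffic for the outlets falls through to a rule that demands a login.
BEFORE = [
    Rule("VPN", "LAN", "172.17.0.0/16", "10.100.0.0/16", "all"),
    Rule("VPN", "LAN", "0.0.0.0/0", "0.0.0.0/0", "trusted-users"),
]
# After: an explicit VPN->LAN rule for the outlet subnet, with no user
# restriction, is placed ahead of the catch-all.
AFTER = [Rule("VPN", "LAN", "172.17.0.0/16", "10.101.0.0/16", "all")] + BEFORE
```

Rule order matters in this model exactly as it does on a real firewall: the same outlet rule appended after the user-restricted catch-all would never be reached.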