6

So, I have an established IPSec Site to Site tunnel.

Site A has a SonicWall, Site B has a EdgeRouter.

The first tunnel consists of Site A's NATed ips to Site B's NATed ips.

Everything works as expected.

Next, I have a public IP range that Site B needs to access, but, requests need to look like they have come from Site A. When I set up this tunnel, I can just see traffic drop at the gateway.

I can't access any of these ips. Due to the fact that it works fine in the same config for lan to lan, I believe it could be a NAT issue - but I am not certain, nor know how to diagnose further.

This could be a red herring as I wasn't very confident... I have tried putting in "allow all" rules on VPN>WAN/WAN>VPN, then filter to an individual IP, then ping it from site B... I see dropped packets.

Can anyone offer any advice here?

William Hilsum
  • 3,536
  • 6
  • 29
  • 39

3 Answers3

2

If I understand your question, you are trying to do this:

Server A - Router A - VPN - Router B - Site B

You need Site B to be able to access Server A (which is a public IP) over the VPN, but you need the source address to look like it is coming from Site A?

You'll need to specify traffic going to Server A to go over the VPN on Router B. On Router A, you'll need to specify the return traffic to go over the VPN. Next, on Router A, you'll need to configure the NAT rule, to change the SRC IP of the traffic coming from Site B and going to Server A to an IP address that Server A will accept.

emynd
  • 226
  • 1
  • 3
  • Just to make sure we are on the same page... the public ip range is not actually located at Site A, What I need is similar to putting a vpn tunnel for the ip of "whatismyip.com", then going to that website from site b and it showing the address of site A, I believed it was a NAT rule, my problem is I have been trying all day to configure it and not having much luck... I really need a step-by-step guide for SonicWall as I believe I have tried pretty much everything (including what you said) without much luck. – William Hilsum Jun 03 '13 at 02:46
  • if you just modify the `SRC IP` from `site B hosts`, to `Site A IP`, the return traffic from the `Public IP Range` will go to `Site A` and be dropped. As `Site A` won't be expecting traffic from the Website. I don't know Sonicwall very much, but the idea I said in my reply will still stand. You'll need to send `Site B` traffic destined for `Public IP Range` over the `VPN` and `NAT` the `SRC IP` on `Router A`. When the return traffic comes back, it will be `UNNAT'd`, sent over the VPN, and then sent to its dst. – emynd Jun 03 '13 at 12:23
2

So, you just need to route requests to a certain range on the Internet via the tunnel? Can you add a static route for that range?

As a workaround, set up a proxy server at Site A and have machines at Site B use that for the certain sites.

Think simpler!

MikeyB
  • 39,291
  • 10
  • 105
  • 189
  • I have already thought about that :( I have tried setting a static route in Site B for the entire range and stuck the gateway of Site A as the next hop... However, I think there is still the issue of NAT when the requests have to leave Site A to the network... I don't think it is being applied by the SonicWall, so, the packets get dropped :( – William Hilsum Jun 03 '13 at 05:03
  • Proxy server! Do eeeeet! – MikeyB Jun 04 '13 at 01:19
1

To come back to an old question I posted:

The answer is... Get a new router!

I wasted far too much time on this... It turns out that MANY off the shelf routers, just can't cope. Sonicwall and Juniper are just a few that failed.

The problem is, you have to define your WAN and LAN, and IPSEC/VPN interfaces are attached to WAN, then, if there is a bit of crossover or you need a setup out of the ordinary, it just fails and can't route properly.

In the end, I found Vyatta and EdgeOS (fork from Vyatta) handle this setup brilliantly, you simply state which subnets to forward, which interface the tunnel should be on - and it just works as expected.

William Hilsum
  • 3,536
  • 6
  • 29
  • 39