bbrown21

Routing internet traffic through a VPN, Adtran -> SonicWALL


Ok, so I'm trying to set up a NetVanta 1335 with Enhanced firmware to route all traffic through a VPN.  I was able to get the Adtran -> SonicWALL VPN up.  I can see on my SonicWALL that the SA is up, and the 1335 also confirms that with show crypto ipsec sa.  However, there's no traffic routing through the VPN tunnel, and I'm unable to reach any subnets on the other side of that tunnel.  For most other sites that I have set up, we build GRE over IPsec tunnels that are Adtran -> Adtran, so that I can route via OSPF.  I'm not sure how I would use the ip route command to tell traffic that it needs to go over the VPN.  Any suggestions?

Anonymous

Re: Routing internet traffic through a VPN, Adtran -> SonicWALL


Thank you for asking this question in the support community.  Typically, in this scenario, the problem is either because a route statement is incorrect (i.e. there is not a route to the remote subnet that instructs this traffic to go over the VPN; this is usually done by the default route), or because of NAT Traversal (NAT-T) settings.  Please, review the following post about connecting a VPN to a SonicWall with NAT-T:  https://supportforums.adtran.com/message/2152#2152

If you would like to reply to this post with a copy of the ADTRAN's configuration (please, remember to remove any information that is sensitive to the organization), I will be happy to review it for you.

Levi

Re: Routing internet traffic through a VPN, Adtran -> SonicWALL


Thanks for getting back to me. I had seen that post about setting up NAT-T for the SonicWALL. After talking about it yesterday, what I need to do is policy-based routing to a Cymphonix across the VPN tunnel. So the VPN tunnel is now looking for HTTP/HTTPS traffic going specifically to that host. There is a default route to the Comcast public IP with a track so that it will fail to the OSPF default route in the event that Comcast goes out. I seem to be getting close to what I need, but the ping to 4.2.2.3 is not currently working over the Comcast route. Any advice would be appreciated! My current config is:

!
probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.X.X.X
  period 5
  tolerance consecutive fail 4 pass 2
  no shutdown
!
track "ifComcastUp"
  snmp trap state-change
  test if probe isComcastUp
  no shutdown
!
ip crypto
!
crypto ike policy 16
  initiate main
  respond anymode
  local-id address 75.X.X.X
  nat-traversal v1 disable
  nat-traversal v2 force
  peer 67.X.X.X
  attribute 16
    encryption aes-128-cbc
    authentication pre-share
    group 2
    lifetime 86400
!
crypto ike remote-id address 67.X.X.X preshared-key SUPER_SECURE_PW ike-policy 16 crypto map vpn-set 16 nat-t v1 disable nat-t v2 force
!
crypto ipsec transform-set TS-16 esp-aes-128-cbc esp-sha-hmac
  mode tunnel
!
crypto map vpn-set 16 ipsec-ike
  match address VPN-Selector16
  set peer 67.X.X.X
  set transform-set TS-16
  set pfs group2
!
interface switchport 0/24
  no shutdown
  switchport access vlan 75
!
interface vlan 1
  ip address  172.X.X.X  255.255.255.0
  ip ffe
  ip access-policy Private
  ip route-cache express
  no shutdown
!
interface vlan 75
  ip address  75.X.X.X  255.255.255.248
  ip ffe
  ip mtu 1500
  ip access-policy Public
  crypto map vpn-set
  no rtp quality-monitoring
  no awcp
  no ip route-cache express
  no shutdown
!
router ospf
  network 172.X.X.X 0.0.0.255 area 0
!
ip access-list extended nat-acl
  remark NAT Outbound
  permit ip any  any
!
ip access-list extended private-acl
  permit ip any  any
!
ip access-list extended protect-wan-acl
  remark Allow ICMP and Admin Access
  permit icmp any  host 75.X.X.X
  permit tcp 67.X.X.X 0.0.0.31  host 75.X.X.X eq ssh
  permit tcp 67.X.X.X 0.0.0.31  host 75.X.X.X eq https
!
ip access-list extended self
  permit ip any  any     log
!
ip access-list extended VPN-Selector16
  remark Encrypt Web traffic to Colo NSA-240
  permit tcp any  host 172.X.X.X eq www
  permit tcp any  host 172.X.X.X eq https
  deny   tcp any  any eq www
  deny   tcp any  any eq https
!
ip policy-class Private
  allow list self self
  allow list private-acl policy Private stateless
  allow list tunnel-acl policy Tunnel stateless
  allow list VPN-Selector16 stateless
  nat source list nat-acl interface vlan 75 overload
!
no ip policy-class Public rpf-check
!
ip policy-class Public
  allow list protect-wan-acl
  allow list VPN-Selector16
  allow reverse list VPN-Selector16
!
ip route 0.0.0.0 0.0.0.0 75.X.X.X 15 track ifComcastUp
ip route 4.2.2.3 255.255.255.255 75.X.X.X 10

Anonymous

Re: Routing internet traffic through a VPN, Adtran -> SonicWALL


Thank you for replying with the configuration. I believe the reason the probe is failing is that the "source-address" is a private address and not routable over the public Internet.

probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.X.X.X
  period 5
  tolerance consecutive fail 4 pass 2
  no shutdown

Please, let me know what other questions you have.

Levi

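A consistency check for the two kinds of mistake this thread turns on, as an added example (Python, not ADTRAN tooling and not any poster's code): it parses an AOS-style config into sections, flags an icmp-echo probe whose source-address is private while its destination is public, and reports dangling references (track to probe, ip route to track, policy-class to ACL). The config excerpt is constructed with RFC 1918 and TEST-NET-3 addresses; the tunnel-acl reference mirrors the one that is used but not defined in the excerpt posted above.

```python
import ipaddress
import re
# Constructed AOS-style excerpt modelled on the thread; RFC 1918 / TEST-NET-3 addresses, not the poster's.
SAMPLE_CONFIG = """\
probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.16.1.1
track "ifComcastUp"
  test if probe isComcastUp
ip access-list extended VPN-Selector16
  permit tcp any host 172.16.2.10 eq www
ip policy-class Private
  allow list VPN-Selector16 stateless
  allow list tunnel-acl policy Tunnel stateless
ip route 0.0.0.0 0.0.0.0 203.0.113.1 15 track ifComcastUp
"""

# Top-level lines that define a named object, and lines that reference one: (kind, pattern, message).
DEFS = {"acl": r"^ip access-list \S+ (\S+)", "probe": r"^probe (\S+)", "track": r'^track "?([^"\s]+)'}
REFS = [("probe", r"^test if probe (\S+)", "track tests undefined probe"),
        ("track", r"^ip route .* track (\S+)$", "route tracks undefined track"),
        ("acl", r"^allow (?:reverse )?list (\S+)", "policy-class allows undefined ACL")]

def parse_blocks(text):
    """Split config text into (header, [child lines]); '!' separators and blank lines are ignored."""
    blocks = []
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if line.startswith(" "):
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint(text):
    """Return findings: dangling name references and ICMP probes sourced from a private address."""
    blocks = parse_blocks(text)
    defined = {k: {m[1] for h, _ in blocks if (m := re.match(p, h))} for k, p in DEFS.items()}
    findings = []
    for head, body in blocks:
        for kind, pat, msg in REFS:
            for m in filter(None, (re.match(pat, l) for l in [head] + body)):
                if m[1] not in defined[kind]:
                    findings.append(f"{head}: {msg} '{m[1]}'")
        if head.startswith("probe ") and head.endswith("icmp-echo"):
            kv = dict(l.split(None, 1) for l in body if " " in l)
            src, dst = kv.get("source-address"), kv.get("destination")
            if src and dst and ipaddress.ip_address(src).is_private and not ipaddress.ip_address(dst).is_private:
                findings.append(f"{head}: source-address {src} is private, so echo replies from {dst} cannot return")
    return findings
```

Run `lint(open("running-config").read())` against a saved `show running-config` to get the same two findings a reviewer would raise on the posted config.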

Re: Routing internet traffic through a VPN, Adtran -> SonicWALL


Don't know how I missed that.  Thank you again!  In my haste, I was copying/modifying in notepad and then uploading to the router.

I have nothing to add for the moment, since currently I'm waiting to hear back from Cymphonix on how to use their box as a web proxy.  I've been told it can be done, but I see no options on the web manager to enable it.

Since I have nothing else to do, and feel fairly confident that the policy based routing for the VPN should be all that I need to get going for this, I'm going to mark your answer as correct.  Thanks again for the help!