4 Replies Latest reply on Aug 27, 2013 12:16 PM by bbrown21

    Routing internet traffic through a VPN, Adtran -> SonicWALL

    bbrown21 New Member

      Ok, so I'm trying to set up a NetVanta 1335 with Enhanced firmware to route all traffic through a VPN.  I was able to get the Adtran -> SonicWALL VPN up.  I can see on my SonicWALL that the SA is up, and the 1335 also confirms that with show crypto ipsec sa.  However, there's no traffic routing through the VPN tunnel, and I'm unable to reach any subnets on the other side of that tunnel.  For most other sites that I have set up, we build GRE over IPsec tunnels that are Adtran -> Adtran, so that I can route via OSPF.  I'm not sure how I would use the ip route command to tell traffic that it needs to go over the VPN.  Any suggestions?

        • Re: Routing internet traffic through a VPN, Adtran -> SonicWALL
          levi Employee

          bbrown21:

          Thank you for asking this question in the support community.  Typically, in this scenario, the problem is either because a route statement is incorrect (i.e. there is not a route to the remote subnet that instructs this traffic to go over the VPN; this is usually done by the default route), or because of NAT Traversal (NAT-T) settings.  Please review the following post about connecting a VPN to a SonicWall with NAT-T:  https://supportforums.adtran.com/message/2152#2152

          If you would like to reply to this post with a copy of the ADTRAN's configuration (please remember to remove any information that is sensitive to the organization), I will be happy to review it for you.

          Levi

            • Re: Routing internet traffic through a VPN, Adtran -> SonicWALL
              bbrown21 New Member

              Thanks for getting back to me.  I had seen that post about setting up NAT-T for the SonicWALL.  After talking about it yesterday, what I need to do is policy-based routing to a Cymphonix across the VPN tunnel.  So the VPN tunnel is now looking for HTTP/HTTPS traffic going specifically to that host.  There is a default route to the Comcast public IP with a track so that it will fail over to the OSPF default route in the event that Comcast goes out.  I seem to be getting close to what I need, but the ping to 4.2.2.3 is not currently working over the Comcast route.  Any advice would be appreciated!  My current config is:

              !
              probe isComcastUp icmp-echo
                destination 4.2.2.3
                source-address 172.X.X.X
                period 5
                tolerance consecutive fail 4 pass 2
                no shutdown
              !
              track "ifComcastUp"
                snmp trap state-change
                test if probe isComcastUp
                no shutdown
              !
              ip crypto
              !
              crypto ike policy 16
                initiate main
                respond anymode
                local-id address 75.X.X.X
                nat-traversal v1 disable
                nat-traversal v2 force
                peer 67.X.X.X
                attribute 16
                  encryption aes-128-cbc
                  authentication pre-share
                  group 2
                  lifetime 86400
              !
              crypto ike remote-id address 67.X.X.X preshared-key SUPER_SECURE_PW ike-policy 16 crypto map vpn-set 16 nat-t v1 disable nat-t v2 force
              !
              crypto ipsec transform-set TS-16 esp-aes-128-cbc esp-sha-hmac
                mode tunnel
              !
              crypto map vpn-set 16 ipsec-ike
                match address VPN-Selector16
                set peer 67.X.X.X
                set transform-set TS-16
                set pfs group2
              !
              interface switchport 0/24
                no shutdown
                switchport access vlan 75
              !
              interface vlan 1
                ip address  172.X.X.X  255.255.255.0
                ip ffe
                ip access-policy Private
                ip route-cache express
                no shutdown
              !
              interface vlan 75
                ip address  75.X.X.X  255.255.255.248
                ip ffe
                ip mtu 1500
                ip access-policy Public
                crypto map vpn-set
                no rtp quality-monitoring
                no awcp
                no ip route-cache express
                no shutdown
              !
              router ospf
                network 172.X.X.X 0.0.0.255 area 0
              !
              ip access-list extended nat-acl
                remark NAT Outbound
                permit ip any  any
              !
              ip access-list extended private-acl
                permit ip any  any
              !
              ip access-list extended protect-wan-acl
                remark Allow ICMP and Admin Access
                permit icmp any  host 75.X.X.X
                permit tcp 67.X.X.X 0.0.0.31  host 75.X.X.X eq ssh
                permit tcp 67.X.X.X 0.0.0.31  host 75.X.X.X eq https
              !
              ip access-list extended self
                permit ip any  any     log
              !
              ip access-list extended VPN-Selector16
                remark Encrypt Web traffic to Colo NSA-240
                permit tcp any  host 172.X.X.X eq www
                permit tcp any  host 172.X.X.X eq https
                deny   tcp any  any eq www
                deny   tcp any  any eq https
              !
              ip policy-class Private
                allow list self self
                allow list private-acl policy Private stateless
                allow list tunnel-acl policy Tunnel stateless
                allow list VPN-Selector16 stateless
                nat source list nat-acl interface vlan 75 overload
              !
              no ip policy-class Public rpf-check
              !
              ip policy-class Public
                allow list protect-wan-acl
                allow list VPN-Selector16
                allow reverse list VPN-Selector16
              !
              ip route 0.0.0.0 0.0.0.0 75.X.X.X 15 track ifComcastUp
              ip route 4.2.2.3 255.255.255.255 75.X.X.X 10

                • Re: Routing internet traffic through a VPN, Adtran -> SonicWALL
                  levi Employee

                  bbrown21:

                  Thank you for replying with the configuration.  I believe the reason the probe is failing is that the "source-address" is a private address and not routeable over the public Internet.

                  probe isComcastUp icmp-echo
                    destination 4.2.2.3
                    source-address 172.X.X.X
                    period 5
                    tolerance consecutive fail 4 pass 2
                    no shutdown

                  Please let me know what other questions you have.

                  Levi
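A small config check for the failure mode Levi identifies above, added here as an example and not part of the thread or of ADTRAN's tooling: it parses AOS-style `probe` and `track` blocks, flags any ICMP probe that sources from RFC 1918 space toward a public host (the echo reply has no route back, so the probe and the tracked default route stay down), and lists the track objects that depend on it. The sample config and every address in it are constructed; the thread's masked 172.X.X.X and 75.X.X.X hosts are replaced with RFC 1918 and RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed sample in the thread's layout. The masked 172.X.X.X / 75.X.X.X
# hosts are stand-ins from RFC 1918 and RFC 5737 (documentation) space.
SAMPLE_CONFIG = """\
probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.16.1.1
  no shutdown
!
probe isComcastUpFixed icmp-echo
  destination 4.2.2.3
  source-address 198.51.100.2
  no shutdown
!
track "ifComcastUp"
  test if probe isComcastUp
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1 15 track ifComcastUp
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def blocks(config, kind):
    """Yield (name, body_lines) for each top-level '<kind> <name> ...' block
    and its indented children in AOS-style config text."""
    for m in re.finditer(rf"^{kind} (\S+).*\n((?:[ ]+.*\n)*)", config, re.M):
        yield m.group(1).strip('"'), [l.strip() for l in m.group(2).splitlines()]

def unroutable_probes(config):
    """Map probe -> (source, destination) for probes sourced from RFC 1918
    space toward a public host: the echo reply has no route back to them."""
    bad = {}
    for name, body in blocks(config, "probe"):
        fields = dict(l.split(" ", 1) for l in body if " " in l)
        if "source-address" not in fields or "destination" not in fields:
            continue
        src = ipaddress.ip_address(fields["source-address"])
        dst = ipaddress.ip_address(fields["destination"])
        if any(src in n for n in RFC1918) and dst.is_global:
            bad[name] = (str(src), str(dst))
    return bad

def dependent_tracks(config, probe):
    """Tracks (and so every 'ip route ... track <name>') fed by the given probe."""
    return [name for name, body in blocks(config, "track")
            if f"test if probe {probe}" in body]
```

Running `unroutable_probes(SAMPLE_CONFIG)` flags only `isComcastUp`, and `dependent_tracks` shows that `ifComcastUp`, and therefore the tracked default route, hangs off it.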

                    • Re: Routing internet traffic through a VPN, Adtran -> SonicWALL
                      bbrown21 New Member

                      Don't know how I missed that.  Thank you again!  In my haste, I was copying/modifying in notepad and then uploading to the router.

                      I have nothing to add for the moment, since currently I'm waiting to hear back from Cymphonix on how to use their box as a web proxy.  I've been told it can be done, but I see no options on the web manager to enable it.

                      Since I have nothing else to do, and feel fairly confident that the policy based routing for the VPN should be all that I need to get going for this, I'm going to mark your answer as correct.  Thanks again for the help!