SonicWALL GVC clients cannot traverse site-to-site link

on 04.01.2007 17:07:51 by snoconegod

Hey folks,

I've got two VPNs set up right now: 1) a site-to-site tunnel between my
main office (Chicago) and a branch (Toronto), and 2) the GVC allowing
on-the-road or at-home access for employees to login to Chicago.
There's a SonicWALL TZ-170 here in Chicago and a Netscreen N25 in
Toronto.

The global clients can access resources in Chicago just fine. And the
computers that are in the Chicago office can access Toronto resources
across the site-to-site VPN just fine, too (and vice-versa). The GVC
clients are leasing DHCP addresses directly from my DHCP server, NOT
from the SonicWALL.

Unfortunately, the global clients cannot "pass through" this
site-to-site tunnel. By this, I mean that my on-the-road users can't
see any Toronto stuff whatsoever. I tried implementing a few firewall
rules to allow traffic from the VPN DHCP lease subnet to the Toronto
destination subnet, but those didn't work. I probably did them wrong
though...am I on the right track with that, or is something else going
on?

I was under the impression that since the GVC clients have virtual
addresses in the LAN subnets scope (due to their receiving IPs from the
DHCP server on the LAN subnet) that they would be "in" the firewall
already and I wouldn't have to set any new rules up to allow this
traversal between VPN links. Am I way off, here?

I've done a fair amount of searching through the forums here but
haven't seen a question like mine quite yet. Then again, I'm rather
terrible at searches, so please forgive me if I overlooked one (or
many!).

Thanks very much for your support!!

John

Re: SonicWALL GVC clients cannot traverse site-to-site link

on 04.01.2007 17:32:26 by Mak

snoconegod@gmail.com wrote:
> Hey folks,
>
> I've got two VPNs set up right now: 1) a site-to-site tunnel between my
> main office (Chicago) and a branch (Toronto), and 2) the GVC allowing
> on-the-road or at-home access for employees to login to Chicago.
> There's a SonicWALL TZ-170 here in Chicago and a Netscreen N25 in
> Toronto.
>
> The global clients can access resources in Chicago just fine. And the
> computers that are in the Chicago office can access Toronto resources
> across the site-to-site VPN just fine, too (and vice-versa). The GVC
> clients are leasing DHCP addresses directly from my DHCP server, NOT
> from the SonicWALL.
>
> Unfortunately, the global clients cannot "pass through" this
> site-to-site tunnel. By this, I mean that my on-the-road users can't
> see any Toronto stuff whatsoever. I tried implementing a few firewall
> rules to allow traffic from the VPN DHCP lease subnet to the Toronto
> destination subnet, but those didn't work. I probably did them wrong
> though...am I on the right track with that, or is something else going
> on?
>
> I was under the impression that since the GVC clients have virtual
> addresses in the LAN subnets scope (due to their receiving IPs from the
> DHCP server on the LAN subnet) that they would be "in" the firewall
> already and I wouldn't have to set any new rules up to allow this
> traversal between VPN links. Am I way off, here?
>
> I've done a fair amount of searching through the forums here but
> haven't seen a question like mine quite yet. Then again, I'm rather
> terrible at searches, so please forgive me if I overlooked one (or
> many!).
>
> Thanks very much for your support!!
>
> John
>

Hi,
I am not sure if you can "tunnel through a tunnel" with the 170.

Do you see any errors in either the TZ170 or the GVC log?
Why don't you add a second profile to the GVC clients with Toronto being the endpoint?

M

Re: SonicWALL GVC clients cannot traverse site-to-site link

on 08.01.2007 17:02:07 by snoconegod

Heya, Mak...

Turns out you can do this w/o creating a separate VPN profile. The
folks at SonicWALL's forum told me to query "gvc hub and spoke SonicOS
Enhanced" in the Knowledgebase. All I had to do was add the Toronto
subnet to the list of allowed resources in my VPN users group. Thanks
anyway!

John
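The thread's resolution is that remote-access (GVC) traffic at the hub is policed by the VPN user group's allowed-networks list, not by the LAN zone the client's DHCP lease happens to fall in, so a spoke subnet must be added to that list before hub-and-spoke traversal works. The following Python model is an added illustration written for this page; it is not SonicOS code and does not reproduce the TZ-170's real policy engine. All subnets, tunnel names and group names are constructed sample values, and the two-step check (is the destination routable through a tunnel the hub holds, and is it on the group's allow-list) is a simplified assumption about how such a hub evaluates remote-access traffic.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample ranges, not the poster's real addressing.
CHICAGO_LAN = ipaddress.ip_network("10.10.0.0/24")  # hub LAN; GVC leases come from its DHCP scope
TORONTO_LAN = ipaddress.ip_network("10.20.0.0/24")  # spoke LAN behind the site-to-site tunnel


@dataclass
class SiteToSiteTunnel:
    """A site-to-site tunnel the hub terminates, with the networks reachable through it."""
    name: str
    remote_networks: list


@dataclass
class VpnUserGroup:
    """Remote-access user group; allowed_networks is the allow-list the hub enforces."""
    name: str
    allowed_networks: list = field(default_factory=list)


def gvc_client_can_reach(client_ip, dest_ip, group, tunnels):
    """Return (allowed, reason) for a packet from a GVC client to dest_ip.

    Step 1: the hub must have a path to the destination (its own LAN or a spoke
    reachable through one of its site-to-site tunnels).
    Step 2: remote-access traffic is then filtered by the user group's
    allowed networks. The client's lease being inside CHICAGO_LAN does not
    bypass this check, which is the misconception in the original post.
    """
    src = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dest_ip)

    routed_via = None
    if dst in CHICAGO_LAN:
        routed_via = "hub LAN"
    else:
        for t in tunnels:
            if any(dst in n for n in t.remote_networks):
                routed_via = f"tunnel '{t.name}'"
                break
    if routed_via is None:
        return False, f"no route: {dst} is not behind the hub or any spoke tunnel"

    if not any(dst in n for n in group.allowed_networks):
        return False, (f"denied: {dst} is not in the allowed networks of group "
                       f"'{group.name}' (client {src} leased from hub LAN does not matter)")

    return True, f"forwarded via {routed_via}"


def build_scenario(include_spoke_in_group):
    """Hub with one spoke tunnel; the group allow-list optionally includes the spoke."""
    tunnels = [SiteToSiteTunnel("chicago-toronto", [TORONTO_LAN])]
    allowed = [CHICAGO_LAN] + ([TORONTO_LAN] if include_spoke_in_group else [])
    group = VpnUserGroup("Remote Users", allowed)
    return group, tunnels


def evaluate(include_spoke_in_group, dest_ip, client_ip="10.10.0.150"):
    group, tunnels = build_scenario(include_spoke_in_group)
    return gvc_client_can_reach(client_ip, dest_ip, group, tunnels)


if __name__ == "__main__":
    for label, spoke in (("before fix", False), ("after fix", True)):
        for dest in ("10.10.0.20", "10.20.0.5", "192.168.99.1"):
            allowed, reason = evaluate(spoke, dest)
            print(f"[{label}] -> {dest}: {'ALLOW' if allowed else 'DROP'} ({reason})")
```

The "before fix" run shows Chicago hosts reachable and Toronto hosts dropped even though the client holds a Chicago LAN address, matching the symptom in the first post; adding the spoke network to the group's allow-list is the only change between the two runs. Keeping the allow-list explicit per group is also the least-privilege lever here: only groups that need the spoke get it.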