Ok, so I'm trying to set up a NetVanta 1335 with Enhanced firmware to route all traffic through a VPN. I was able to get the Adtran -> SonicWALL VPN up. I can see on my SonicWALL that the SA is up, and the 1335 also confirms that with show crypto ipsec sa. However, there's no traffic routing through the VPN tunnel, and I'm unable to reach any subnets on the other side of that tunnel. For most other sites that I have set up, we build GRE over IPsec tunnels that are Adtran -> Adtran, so that I can route via OSPF. I'm not sure how I would use the ip route command to tell traffic that it needs to go over the VPN. Any suggestions?
Thank you for asking this question in the support community. Typically, in this scenario, the problem is either because a route statement is incorrect (i.e. there is not a route to the remote subnet that instructs this traffic to go over the VPN; this is usually done by the default route), or because of NAT Traversal (NAT-T) settings. Please review the following post about connecting a VPN to a SonicWall with NAT-T: https://supportforums.adtran.com/message/2152#2152
If you would like to reply to this post with a copy of the ADTRAN's configuration (please remember to remove any information that is sensitive to the organization), I will be happy to review it for you.
Levi
Thanks for getting back to me. I had seen that post about setting up NAT-T for the SonicWALL. After talking about it yesterday, what I need to do is policy-based routing to a Cymphonix across the VPN tunnel. So the VPN tunnel is now looking for HTTP/HTTPS traffic going specifically to that host. There is a default route to the Comcast public IP with a track so that it will fail to the OSPF default route in the event that Comcast goes out. I seem to be getting close to what I need, but the ping to 4.2.2.3 is not currently working over the Comcast route. Any advice would be appreciated! My current config is:
!
probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.X.X.X
  period 5
  tolerance consecutive fail 4 pass 2
  no shutdown
!
track "ifComcastUp"
  snmp trap state-change
  test if probe isComcastUp
  no shutdown
!
!
!
ip crypto
!
crypto ike policy 16
  initiate main
  respond anymode
  local-id address 75.X.X.X
  nat-traversal v1 disable
  nat-traversal v2 force
  peer 67.X.X.X
  attribute 16
    encryption aes-128-cbc
    authentication pre-share
    group 2
    lifetime 86400
!
crypto ike remote-id address 67.X.X.X preshared-key SUPER_SECURE_PW ike-policy 16 crypto map vpn-set 16 nat-t v1 disable nat-t v2 force
!
crypto ipsec transform-set TS-16 esp-aes-128-cbc esp-sha-hmac
  mode tunnel
!
crypto map vpn-set 16 ipsec-ike
  match address VPN-Selector16
  set peer 67.X.X.X
  set transform-set TS-16
  set pfs group2
!
!
!
interface switchport 0/24
  no shutdown
  switchport access vlan 75
!
!
interface vlan 1
  ip address 172.X.X.X 255.255.255.0
  ip ffe
  ip access-policy Private
  ip route-cache express
  no shutdown
!
interface vlan 75
  ip address 75.X.X.X 255.255.255.248
  ip ffe
  ip mtu 1500
  ip access-policy Public
  crypto map vpn-set
  no rtp quality-monitoring
  no awcp
  no ip route-cache express
  no shutdown
!
!
!
router ospf
  network 172.X.X.X 0.0.0.255 area 0
!
!
!
ip access-list extended nat-acl
  remark NAT Outbound
  permit ip any any
!
ip access-list extended private-acl
  permit ip any any
!
ip access-list extended protect-wan-acl
  remark Allow ICMP and Admin Access
  permit icmp any host 75.X.X.X
  permit tcp 67.X.X.X 0.0.0.31 host 75.X.X.X eq ssh
  permit tcp 67.X.X.X 0.0.0.31 host 75.X.X.X eq https
!
ip access-list extended self
  permit ip any any log
!
ip access-list extended VPN-Selector16
  remark Encrypt Web traffic to Colo NSA-240
  permit tcp any host 172.X.X.X eq www
  permit tcp any host 172.X.X.X eq https
  deny tcp any any eq www
  deny tcp any any eq https
!
!
!
ip policy-class Private
  allow list self self
  allow list private-acl policy Private stateless
  allow list tunnel-acl policy Tunnel stateless
  allow list VPN-Selector16 stateless
  nat source list nat-acl interface vlan 75 overload
!
no ip policy-class Public rpf-check
!
ip policy-class Public
  allow list protect-wan-acl
  allow list VPN-Selector16
  allow reverse list VPN-Selector16
!
!
ip route 0.0.0.0 0.0.0.0 75.X.X.X 15 track ifComcastUp
ip route 4.2.2.3 255.255.255.255 75.X.X.X 10
Thank you for replying with the configuration. I believe the reason the probe is failing is because the "source-address" is a private address and not routable over the public Internet.
probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.X.X.X
  period 5
  tolerance consecutive fail 4 pass 2
  no shutdown
Please let me know what other questions you have.
Levi
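A small check for the problem Levi points out, added here as an example that is not part of the thread and not an ADTRAN tool: it parses AOS-style probe and static-route lines and flags a probe whose source-address is RFC 1918, or whose destination has no host route pinning it to the monitored next hop (the job the 4.2.2.3 /32 does in the posted config, so the probe does not follow the fallback default and flap). The sample config is constructed, with RFC 5737 documentation addresses in place of the masked 75.X.X.X and 172.X.X.X values.

```python
import ipaddress
import re
# Constructed sample modelled on the thread's config; RFC 5737 documentation
# addresses stand in for the masked 75.X.X.X (WAN) and 172.X.X.X (LAN) values.
SAMPLE_CONFIG = """\
probe isComcastUp icmp-echo
  destination 4.2.2.3
  source-address 172.16.1.1
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 15 track ifComcastUp
ip route 4.2.2.3 255.255.255.255 203.0.113.1 10
"""
# Checked explicitly because ipaddress.is_private also treats documentation ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_probes(config):
    """Return {name: {"destination": ip, "source": ip or None}} per icmp-echo probe block."""
    probes, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^probe (\S+) icmp-echo", line)
        if m:
            current = m.group(1)
            probes[current] = {"destination": None, "source": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ("!", next block) ends the probe
            continue
        words = line.split() or [""]  # tolerate a whitespace-only line
        if words[0] == "destination":
            probes[current]["destination"] = words[1]
        elif words[0] == "source-address":
            probes[current]["source"] = words[1]
    return probes

def parse_host_routes(config):
    """Return {destination: next_hop} for /32 static routes."""
    pattern = r"^ip route (\S+) 255\.255\.255\.255 (\S+)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, config, re.M)}

def lint_probes(config):
    """Return one finding per probe problem; an empty list means the probe can work."""
    findings, host_routes = [], parse_host_routes(config)
    for name, p in parse_probes(config).items():
        src = p["source"]
        if src and any(ipaddress.ip_address(src) in net for net in RFC1918):
            findings.append(f"{name}: source-address {src} is RFC 1918; echo replies cannot return over the Internet")
        if p["destination"] not in host_routes:
            findings.append(f"{name}: no host route pins {p['destination']} to the monitored next hop; probe may follow the fallback default and flap")
    return findings
```

Run it against a saved show running-config to get the findings list; on the sample it reports only the private source-address, and reports nothing once that is replaced with the WAN address.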
Don't know how I missed that. Thank you again! In my haste, I was copying/modifying in notepad and then uploading to the router.
I have nothing to add for the moment, since currently I'm waiting to hear back from Cymphonix on how to use their box as a web proxy. I've been told it can be done, but I see no options on the web manager to enable it.
Since I have nothing else to do, and feel fairly confident that the policy-based routing for the VPN should be all that I need to get going for this, I'm going to mark your answer as correct. Thanks again for the help!