Wednesday, September 12, 2018

Need Sonicwall L2TP VPN Setup Assistance

I inherited the management of a Sonicwall NSA 4600 that is running SonicOS 6.2.7 and I'm having some issues getting the L2TP VPN to work properly when using it from a MacBook. The Windows clients are using GlobalVPN so I haven't had any issues with those clients.

To give some information on the setup, the following interfaces are set up:

Name  Zone  IP Address  Mask
X0    LAN   10.0.0.1    255.255.255.0
X1    WAN   x.x.x.x     x.x.x.x
X3    LAN   10.0.1.1    255.255.255.0

X0 is configured and enabled but no cable is connected to the interface. X3 however is the primary LAN subnet and the subnet that end users need to access resources on.

I have tried to set up L2TP IP Pools on both the X0 and the X3 subnet. When I do that, I'm able to access resources that are on the X3 subnet, except when end users connect from a remote LAN that is also in the 10.0.0.0/8 range. When end users connect to the VPN from a remote LAN that is inside 10.0.0.0/8, they are unable to access resources on the 10.0.1.0/24 subnet.

I did some investigating trying to figure out what was happening and found the following on a test MacBook.

I'll use the following information in my example:

MacBook Remote IP: 10.10.10.10/24
MacBook Remote Gateway: 10.10.10.1
MacBook VPN IP: 10.0.1.50/24

The MacBook's routing table shows:

Destination   Gateway      netif
default       10.10.10.1   en0
default       link#14      ppp0
10            en0          en0
10.0.0.1      10.0.1.50    pp0

If I look at the output of 'ifconfig' then I see that the 'ppp0' interface has the following output:

inet 10.0.1.50 --> 10.0.0.1 

From what I can tell, the issue is that the L2TP VPN keeps attaching to X0 instead of X3. Since the VPN is attaching to X0 instead of X3, the MacBook's routing table only creates a route for the 10.0.0.0/24 subnet, and all other 10.0.0.0/8 traffic goes to the default route of the remote LAN. The MacBook's routing table never creates a route for 10.0.1.0/24. I have tried to disable split tunnelling, but the summarized 10.0.0.0/8 route still remains.
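To make the routing argument above concrete, here is an added example (not from the original post) that reproduces the client's route lookup with a longest-prefix match. The route table is constructed from the values in the post: the remote LAN's default and summarized 10/8 routes on en0, and only X0's 10.0.0.0/24 plus the tunnel peer host route on ppp0; the added 10.0.1.0/24 entry is an assumed route for X3's subnet, not something the post reports seeing.

```python
import ipaddress

# Route table as described in the post (constructed; prefix, gateway, interface).
# The L2TP server only pushes X0's /24, so the rest of 10/8 follows the
# remote LAN's summarized route on en0 rather than the tunnel.
ROUTES_AS_SEEN = [
    ("0.0.0.0/0",   "10.10.10.1", "en0"),   # remote LAN default gateway
    ("10.0.0.0/8",  None,         "en0"),   # summarized 10/8 on the remote LAN
    ("10.0.0.0/24", None,         "ppp0"),  # X0's subnet, pushed by the VPN
    ("10.0.0.1/32", "10.0.1.50",  "ppp0"),  # tunnel peer host route
]

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it; returns (prefix, gw, netif)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return (str(best[0]), best[1], best[2]) if best else None

def egress_interface(routes, dst):
    """Interface a packet to dst leaves on, or None if no route matches."""
    match = lookup(routes, dst)
    return match[2] if match else None

def with_x3_route(routes):
    """Assumed fix: the same table once a route for X3's subnet points at the tunnel."""
    return routes + [("10.0.1.0/24", None, "ppp0")]

if __name__ == "__main__":
    for dst in ("10.0.0.20", "10.0.1.20", "10.10.10.5", "8.8.8.8"):
        seen = lookup(ROUTES_AS_SEEN, dst)
        fixed = lookup(with_x3_route(ROUTES_AS_SEEN), dst)
        print(f"{dst:12} as seen: {seen[0]:12} via {seen[2]:5} "
              f"with X3 route: {fixed[0]:12} via {fixed[2]}")
```

Hosts on X3 (10.0.1.x) match the /8 on en0 in the table as seen, which is exactly the symptom described; they only reach ppp0 once a more specific 10.0.1.0/24 route exists.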

I've tried contacting Sonicwall support but they have been slow to respond. Any help would be appreciated. Thanks.
