Difficult Routing Scenario - Point to Point to VPN Tunnel

New Around Here
Here's my situation. Please help.

3 Offices
Office A
Office B
Office C

Office A and B are connected via Point To Point, using Cisco routers.
Office B and C are connected via Sonicwall VPN tunnel.

A to B connection works perfectly
B to C connection works perfectly

I can't seem to set up a route to allow Office A to reach Office C (which clearly must pass through B).

Office A
Cisco 1741 (cisco A)
Point to point tunnel

Office B
Cisco 1741 (cisco B)
Point to point tunnel

Sonicwall TZ170 (sonicwall B)
VPN to Office C

Office C
Sonicwall TZ170 (sonicwall C)
VPN to Office B

From Office A, traffic goes through Cisco A and Cisco B and reaches SonicWall B;
then SonicWall B routes it to the internet rather than across the VPN tunnel to SonicWall C.

Looking at the routing table in the SonicWalls, it does not show anything related to the VPN tunnel. The VPN tunnel works as expected, but the routing that it performs is not mentioned in the routing table. Adding a static route to the routing table on the SonicWall only seems to break the VPN connection. Perhaps I am doing it wrong.

My first advice is of course what you've tried: having a look at the routing tables to see where everything's wanting to go. I've worked with TZ-170s a fair bit, and I've never had issues routing across a VPN. Perhaps try completely deleting the VPN connection and re-establishing it. Office B should have a routing entry in the SonicWall pointing Office C 192 traffic through the tunnel. It seems like the routers know where to forward packets appropriately except for the SonicWall at B.

But SonicWalls can be a little funky when doing advanced routing and VPNs, so it doesn't surprise me that a static route is breaking the VPN tunnel.
The Answer

No one in the whole wide world had the answer, so I figured it out myself. :D

Hub and spoke vpn - Office B is the Hub, A and C are Spokes

Making the Connections:
The security associations can be created to enable the hub and spoke VPN. Each spoke will need only one VPN policy pointing to the hub. The hub will require two VPN policies, one to each spoke. Each policy is created on the VPN > Settings page in the usual manner for any site-to-site tunnel, with the exception of the Network and Advanced tabs as shown below.

Spoke A VPN Policy
On the Network tab for this VPN policy, specify the networks and with a subnet mask of as the destination networks.

Site summary:
  Site                      LAN            WAN
  Branch Office A           LAN A Subnet   WAN A IP Address
  Corporate Office (hub) B  LAN B Subnet   WAN B IP Address
  Branch Office C           LAN C Subnet   WAN C IP Address

Hub B VPN Policy
There should be two policies defined on the hub SonicWALL, one pointing to Spoke A and the other to Spoke C. Specify the destination networks on the Network tab for each policy as follows:
• Spoke A policy
  Destination Network:
  Subnet mask:
• Spoke C policy
  Destination Network:
  Subnet mask:

For each policy defined on the hub, select the Advanced tab and tick the "Forward Packets to Remote VPNs" check box.

Spoke C VPN Policy
On the Network tab for this VPN policy, specify the and networks with a subnet mask of as the destination network.
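To make the two requirements of the answer concrete (each spoke's policy must list the other spoke's subnet as a destination, and each hub policy must have "Forward Packets to Remote VPNs" ticked), here is a small Python model of the hub-and-spoke forwarding decision. This is an added example, not code from the thread or from SonicWall: the gateway names, the 192.168.x.0/24 subnets and the rule that the hub relays between two tunnels only when both policies have the box ticked are assumptions made for illustration.

```python
# Added example (not from the thread or SonicWall): a model of hub-and-spoke
# VPN forwarding. Subnets, gateway names and the relay rule are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnPolicy:
    peer: str                                   # gateway at the far end of the tunnel
    destinations: List[ipaddress.IPv4Network]   # networks reached through this tunnel
    forward_to_remote_vpns: bool = False        # the hub's "Forward Packets to Remote VPNs" box


@dataclass
class Gateway:
    name: str
    lan: ipaddress.IPv4Network
    policies: List[VpnPolicy] = field(default_factory=list)

    def tunnel_for(self, dst: ipaddress.IPv4Address) -> Optional[VpnPolicy]:
        """First policy whose destination networks cover dst; None means default route."""
        for policy in self.policies:
            if any(dst in net for net in policy.destinations):
                return policy
        return None

    def policy_to(self, peer: str) -> Optional[VpnPolicy]:
        """The policy on this gateway that terminates the tunnel from `peer`."""
        return next((p for p in self.policies if p.peer == peer), None)


def trace(gateways: Dict[str, Gateway], src: str, dst_ip: str,
          max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow a packet from the LAN behind `src` toward dst_ip, one gateway at a time.
    Returns the gateways visited and a verdict: delivered, internet, dropped or loop."""
    dst = ipaddress.IPv4Address(dst_ip)
    gw = gateways[src]
    path = [gw.name]
    inbound: Optional[VpnPolicy] = None   # policy the packet arrived on; None = from the LAN
    for _ in range(max_hops):
        if dst in gw.lan:
            return path, "delivered"
        out = gw.tunnel_for(dst)
        if out is None:
            # No VPN policy claims dst, so the default route sends it to the Internet:
            # the symptom reported in the original post.
            return path, "internet"
        if inbound is not None and not (inbound.forward_to_remote_vpns
                                        and out.forward_to_remote_vpns):
            # Assumed rule: relaying between two tunnels needs the box ticked on both.
            return path, "dropped"
        gw = gateways[out.peer]
        inbound = gw.policy_to(path[-1])
        path.append(gw.name)
        if inbound is None:
            return path, "dropped"   # peer has no policy back to us: tunnel never comes up
    return path, "loop"


# Constructed sample subnets, not values from the thread.
NETS = {
    "A": ipaddress.IPv4Network("192.168.1.0/24"),
    "B": ipaddress.IPv4Network("192.168.2.0/24"),
    "C": ipaddress.IPv4Network("192.168.3.0/24"),
}


def build(spokes_list_each_other: bool, hub_forwards: bool) -> Dict[str, Gateway]:
    """Hub B with spokes A and C, as in the answer. The two flags reproduce the
    working configuration and the two ways it is commonly left incomplete."""
    a_dests = [NETS["B"]] + ([NETS["C"]] if spokes_list_each_other else [])
    c_dests = [NETS["B"]] + ([NETS["A"]] if spokes_list_each_other else [])
    return {
        "A": Gateway("A", NETS["A"], [VpnPolicy("B", a_dests)]),
        "B": Gateway("B", NETS["B"], [
            VpnPolicy("A", [NETS["A"]], hub_forwards),
            VpnPolicy("C", [NETS["C"]], hub_forwards),
        ]),
        "C": Gateway("C", NETS["C"], [VpnPolicy("B", c_dests)]),
    }


if __name__ == "__main__":
    cases = [
        ("working hub and spoke", build(True, True)),
        ("spokes only list the hub's LAN", build(False, True)),
        ("hub does not forward between tunnels", build(True, False)),
    ]
    for label, topo in cases:
        print(f"{label:38s} A -> C: {trace(topo, 'A', '192.168.3.10')}")
```

Running the script shows the three outcomes side by side: with both settings in place A's traffic reaches C via B; when spoke A's policy lists only the hub's LAN, the packet never enters the tunnel and follows the default route to the Internet, which is exactly what the original post observed at SonicWall B; and when the hub's policies lack the forwarding option, the packet reaches B but is not relayed into the second tunnel.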
