Difficult Routing Scenario - Point to Point to VPN Tunnel

mrsassy

New Around Here
Here's my situation. Please help.

3 Offices
Office A
Office B
Office C

Office A and B are connected via point-to-point, using Cisco routers.
Office B and C are connected via a SonicWall VPN tunnel.

A to B connection works perfectly
B to C connection works perfectly

Problem:
I can't seem to set up a route to allow Office A to reach Office C (which clearly must pass through B)

Details:
Office A
Cisco 1741 (cisco A)
LAN 192.168.6.254
Point to point tunnel 172.16.1.1

Office B
Cisco 1741 (cisco B)
LAN 10.7.7.254
Point to point tunnel 172.16.1.2

Sonicwall TZ170 (sonicwall B)
LAN 10.7.7.1
VPN to Office C

Office C
Sonicwall TZ170 (sonicwall C)
LAN 192.168.5.1
VPN to Office B

Tests:
From Office A
tracert 192.168.5.1
goes through Cisco A and Cisco B and reaches Sonicwall B
then SonicWall B routes it to the internet rather than across the VPN tunnel to SonicWall C

Looking at the routing table in the SonicWalls, it does not show anything related to the VPN tunnel. The VPN tunnel works as expected, but the routing that it performs is not mentioned in the routing table. Adding a static route to the routing table on the SonicWall only seems to break the VPN connection. Perhaps I am doing it wrong.
 
My first advice is of course what you've tried, having a look at the routing tables to see where everything's wanting to go. I've worked with TZ-170s a fair bit, and I've never had issues routing across a VPN. Perhaps try completely deleting the VPN connection and re-establishing it. Office B should have a routing entry in the SonicWall pointing Office C 192 traffic through the tunnel. It seems like the routers know where to forward packets appropriately except for the SonicWall at B.

But SonicWalls can be a little funky when doing advanced routing and VPNs, so it doesn't surprise me that a static route is breaking the VPN tunnel.
 
The Answer

No one in the whole wide world had the answer, so I figured it out myself. :D

Hub and spoke VPN - Office B is the Hub, A and C are Spokes

Branch Office A
LAN A Subnet 192.168.6.0/24
WAN A IP Address 192.168.1.1/24

Corporate Office (hub) B
LAN B Subnet 10.7.7.0/24
WAN B IP Address 192.168.2.1/24

Branch Office C
LAN C Subnet 192.168.5.0/24
WAN C IP Address 192.168.3.1/24

Making the Connections:
The security associations can be created to enable the hub and spoke VPN. Each spoke will need only one VPN policy pointing to the hub. The hub will require two VPN policies, one to each spoke. Each policy is created on the VPN > Settings page in the usual manner for any site-to-site tunnel, with the exception of the Network and Advanced tabs as shown below.

Spoke A VPN Policy
On the Network tab for this VPN policy, specify the networks 10.7.7.0 and 192.168.5.0 with a subnet mask of 255.255.255.0 as the destination networks.

Hub B VPN Policy
There should be two policies defined on the hub SonicWALL, one pointing to Spoke A and the other to Spoke C. Specify the destination networks on the Network tab for each policy as follows:
• Spoke A policy
Destination Network: 192.168.6.0
Subnet mask 255.255.255.0
• Spoke C policy
Destination Network: 192.168.5.0
Subnet mask 255.255.255.0

For each policy defined on the hub, select the Advanced tab and tick the “Forward Packets to Remote VPNs” check box.

Spoke C VPN Policy
On the Network tab for this VPN policy, specify the 192.168.6.0 and 10.7.7.0 networks with a subnet mask of 255.255.255.0 as the destination networks.
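A walk-through of the hub-and-spoke policies above, as an added example that is not part of the original post and not SonicWall code. It is a simplified model of policy-based VPN selection: each device picks a tunnel by matching the packet's destination against a policy's destination networks, and a destination that no policy covers takes the default route to the internet, the symptom in the original post, which for a policy-based VPN also means the packet leaves unencrypted. The policy names, the build() helper and the rule that the checkbox on the hub's inbound policy governs tunnel-to-tunnel forwarding are assumptions of this model.

```python
"""Hub-and-spoke VPN policy walk-through (constructed example, not SonicWall code).

Spoke A (192.168.6.0/24) and spoke C (192.168.5.0/24) each hold one policy to
hub B (10.7.7.0/24); the hub holds one policy per spoke with "Forward Packets
to Remote VPNs" ticked. Policy names and the rule that the hub's inbound policy
governs tunnel-to-tunnel forwarding are assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnPolicy:
    name: str
    peer: str                                # device at the far end of the tunnel
    destination_networks: List[IPv4Network]  # the Network tab of the policy
    forward_to_remote_vpns: bool = False     # the Advanced-tab checkbox (hub only)


@dataclass
class Device:
    name: str
    lan: IPv4Network
    policies: List[VpnPolicy]


def select_policy(device: Device, dst: IPv4Address) -> Optional[VpnPolicy]:
    """Policy-based VPN: a tunnel is chosen by its selector, not by a static route."""
    for policy in device.policies:
        if any(dst in net for net in policy.destination_networks):
            return policy
    return None


def next_hop(device: Device, dst: IPv4Address,
             arrived_via: Optional[VpnPolicy]) -> Tuple[str, str]:
    """Decide what one device does with a packet for dst."""
    if dst in device.lan:
        return ("deliver", device.name)
    policy = select_policy(device, dst)
    if policy is None:
        # No selector covers dst: default route, cleartext, never reaches the far LAN.
        return ("internet", device.name)
    if arrived_via is not None and not arrived_via.forward_to_remote_vpns:
        # Came in on one tunnel, wants out on another: the hub must allow the hairpin.
        return ("drop", f"{device.name}: forwarding off on {arrived_via.name}")
    return ("tunnel", policy.name)


def trace(devices: Dict[str, Device], start: str, dst_ip: str) -> Tuple[str, List[str]]:
    """Walk a packet from `start` toward dst_ip; returns (outcome, hops)."""
    dst = ip_address(dst_ip)
    device = devices[start]
    arrived_via: Optional[VpnPolicy] = None
    hops: List[str] = []
    for _ in range(len(devices) + 1):        # hub-and-spoke has no loops; bound anyway
        action, detail = next_hop(device, dst, arrived_via)
        if action != "tunnel":
            return (action, hops + [detail])
        policy = next(p for p in device.policies if p.name == detail)
        hops.append(f"{device.name} -> {policy.peer} ({policy.name})")
        prev, device = device.name, devices[policy.peer]
        # The far end must hold a policy back to the sender or no SA exists at all.
        arrived_via = next((p for p in device.policies if p.peer == prev), None)
        if arrived_via is None:
            return ("drop", hops + [f"{device.name}: no policy back to {prev}"])
    return ("drop", hops + ["hop limit exceeded"])


def build(a_dest: List[str], hub_forward: bool, c_dest: List[str]) -> Dict[str, Device]:
    """Assemble the three devices; the spoke lists are their Network-tab destinations."""
    n = ip_network
    return {
        "A": Device("A", n("192.168.6.0/24"),
                    [VpnPolicy("A-to-hub", "B", [n(x) for x in a_dest])]),
        "B": Device("B", n("10.7.7.0/24"), [
            VpnPolicy("hub-to-spoke-A", "A", [n("192.168.6.0/24")], hub_forward),
            VpnPolicy("hub-to-spoke-C", "C", [n("192.168.5.0/24")], hub_forward)]),
        "C": Device("C", n("192.168.5.0/24"),
                    [VpnPolicy("C-to-hub", "B", [n(x) for x in c_dest])]),
    }


# The configuration from the answer, and three ways it commonly goes wrong.
BOTH_SPOKES = ["10.7.7.0/24", "192.168.5.0/24"], ["192.168.6.0/24", "10.7.7.0/24"]
WORKING = build(BOTH_SPOKES[0], True, BOTH_SPOKES[1])
NO_FORWARD = build(BOTH_SPOKES[0], False, BOTH_SPOKES[1])
SPOKE_A_ONLY_HUB = build(["10.7.7.0/24"], True, BOTH_SPOKES[1])
SPOKE_C_ONLY_HUB = build(BOTH_SPOKES[0], True, ["10.7.7.0/24"])

if __name__ == "__main__":
    for label, cfg in [("working", WORKING), ("hub checkbox off", NO_FORWARD),
                       ("spoke A lacks C", SPOKE_A_ONLY_HUB), ("spoke C lacks A", SPOKE_C_ONLY_HUB)]:
        print(label, "A->C:", trace(cfg, "A", "192.168.5.1"), "C->A:", trace(cfg, "C", "192.168.6.1"))
```

Running it shows the working configuration carrying A-to-C traffic through the hub in both directions, the same configuration with the hub checkbox cleared dropping the hairpin at B, a spoke A policy that lists only the hub's LAN sending C-bound packets out the default route, and a spoke C policy that lists only the hub's LAN delivering A-to-C but leaking the replies: the destination lists on the two spokes have to be symmetric, and the hub must be told to forward between its tunnels.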
 
