Located in Boston MA 02216.
+1-855-55-RDAIT

pfSense and SonicWall VPN problem with multiple subnets

I was setting up some VPN's the other day, and I came across a strange problem. Whenever I had more than 1 subnet going across a VPN across a SonicWall NSA device, it would not bring up both phase 2 entries/subnets. It would only reliably bring up one at a time! It did not matter how I set it up, it just wouldn't work. I was using a Netgate pfSense virtual appliance and I couldn't understand why this was, clearly the settings were correct because it would bring up one of the tunnels.

Some background

I had heard of this problem before, using Cisco ASA and ASA-X devices going to SonicWall firewalls. At the time I was able to work around the problem by superscoping the VPN tunnel. What I mean is that instead of a VPN going to 10.0.0.0/24 and 10.0.200.0/24 I instead made a single tunnel to 10.0.0.0/16. Clearly this is not always possible to do, but at the time I was able to use such a large scope. As it turns out, this is a known SonicWall bug as well as a known Cisco bug. The issue is that the Cisco ASA and SonicWall devices are not able to handle multiple IKEv2 subnets in single phase2 tunnel.

The problem

I had 2 different subnets that I was not able to simply superscope as I had done before. I had to figure out a way to get both phase2 entries to work. Trying to create a 2nd phase1 entry with its own phase2 entry does not work, SonicWall warns you that it overwrites the previous phase1 entry when there are multiple to the same destination IP.

How to fix

The phase2 tunnel must be split! Luckily, pfSense has an option to do this under the phase1 definition there is now a "Split Connections" and says "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per child SA.". This is exactly what I want to do! This now works properly with older devices that don't support multiple phase2 entries correctly. Yay for Netgate pfSense!

For more information

For more information on how RDAIT can help your business with your firewall, contact us today! We can help with many different brands, whether it is Netgate, SonicWall, Cisco, Palo Alto, etc.

No Comments Yet.

Leave a comment

You must be Logged in to post a comment.