• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

[SOLVED] Solution to SonicWall VPN Client Behind pfsense [Now Up To $200]

Scheduled Pinned Locked Moved Completed Bounties
26 Posts 5 Posters 84.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • E
    Eugene
    last edited by Aug 13, 2009, 10:35 PM

    Yes I did.
    The issue is 'packet from LAN does not go out of WAN'. I can't believe -\\

    http://ru.doc.pfsense.org

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Aug 13, 2009, 10:39 PM

      I was looking back over the thread, and I didn't see where you said what version of pfSense you were running now.

      A lot has changed since the 1.0 days, unfortunately, and a lot has even changed between pfSense 1.2.2 and 1.2.3-RC2.

      Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • E
        Eugene
        last edited by Aug 13, 2009, 10:44 PM

        I tried this antient 1.0.1 only because it still alive in my server room and I clearly remember that at those days SonicWall worked through this box. And indeed it works.

        http://ru.doc.pfsense.org

        1 Reply Last reply Reply Quote 0
        • M
          mayesjc
          last edited by Aug 13, 2009, 10:45 PM

          I have tried both the automatic and forced NAT-T setting on the client.  While I do not have access to the VPN server, I believe that NAT-T is set on that side as well, because my colleague in Germany (where the server is located) is the one who originally advised me to adjust the NAT-T setting.  As to the version of pfsense, I am running 1.2.3-RC1.

          1 Reply Last reply Reply Quote 0
          • E
            Eugene
            last edited by Aug 14, 2009, 12:03 AM

            I disabled 'scrub' on 1.2-RELEASE and… fragmented packet started to go from LAN to WAN but not natted!
            19:59:42.253327 IP 192.168.7.189.500 > x.x.x.144.500: isakmp: phase 1 I agg
            19:59:42.253745 IP 192.168.7.189 > x.x.x.144: udp
            Normal icmp is natted normally
            20:00:52.032185 IP x.x.x.144 > x.x.x.251: ICMP echo reply, id 26258, seq 30208, length 40
            20:00:52.988798 IP x.x.x.251 > x.x.x.144: ICMP echo request, id 26258, seq 30464, length 40

            http://ru.doc.pfsense.org

            1 Reply Last reply Reply Quote 0
            • E
              Eugene
              last edited by Aug 14, 2009, 1:28 AM

              I managed to fix my SonicWall client by doing the following.
              On my XP PC (where SonicWall client is installed) I went to Registry [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
              Interfaces[Adapter ID]] found the virtual adapter installed by SW installation, changed MTU from 1300 to 1500. Then you have to run SW install again, it "repairs" its own installation and only after this "repaie" segmentation disappears as disappears the problem. On pfSense you have to allow only UDP:500, leave 'scrub' off.

              Resume: although the problem at pfSense exists you can avoid it by adjusting MTU on client (as jimp fairly mentioned).

              http://ru.doc.pfsense.org

              1 Reply Last reply Reply Quote 0
              • M
                mayesjc
                last edited by Aug 14, 2009, 2:39 AM

                Done!  Thank you to everyone for their patient help.  I just paid my $200 (Confirmation No. 3HS208994B4607915), and it was well worth it.

                What I did was to ensure that scrub was disabled (it was).  I also chose Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), setting up rules for ports 50, 500, and 4500, which I understand from other sources are used by the SonicWall client.  Of course, I still have the inbound and outbound firewall rules allowing traffic to and from the VPN server's ip address.  Even at that point, the client would not connect.  The final step, which allowed the connection, was to enter 1500 in the MTU field on the WAN interface. (It is a bit fuzzy, but I first set the MTU to 1300.  The software firewall on the XP client then asked me to approve the outbound connection of the SonicWall Client.  That had never happened before.  I clicked OK to allow the connection, but still had no connection.  It was not until I entered 1500 into the MTU that the connection succeeded.)

                I made no changes on the XP client, although NAT Traversal is Forced On.

                Thanks again.

                1 Reply Last reply Reply Quote 0
                • E
                  eri--
                  last edited by Aug 14, 2009, 11:44 AM

                  I didn't get any part of the money :P

                  1 Reply Last reply Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate
                    last edited by Aug 14, 2009, 11:59 AM

                    @ermal:

                    I didn't get any part of the money :P

                    He must have just made a project donation, and not a payment to any one person.

                    Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • M
                      mayesjc
                      last edited by Aug 14, 2009, 1:17 PM

                      I paid the bounty as a project donation, which is what I though I was supposed to do.  Indeed, I was told specifically to do that on another bounty.  I am very sorry for the misunderstanding and will be sure to clarify that point next time.  It is a great project, and I was happy to help financially.

                      As a practical matter, how else would it get paid when so many people contributed to the eventual solution?

                      1 Reply Last reply Reply Quote 0
                      • J
                        jimp Rebel Alliance Developer Netgate
                        last edited by Aug 14, 2009, 1:33 PM

                        @mayesjc:

                        I paid the bounty as a project donation, which is what I though I was supposed to do.  Indeed, I was told specifically to do that on another bounty.  I am very sorry for the misunderstanding and will be sure to clarify that point next time.  It is a great project, and I was happy to help financially.

                        As a practical matter, how else would it get paid when so many people contributed to the eventual solution?

                        That is, as I understand it, how things have been done lately as an "escrow" sort of deal and then cmb or someone else with access to that can distribute it.

                        As to who gets what, that is up to you, depending on however you see fit to allocate. :-)

                        Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        25 out of 26
                        • First post
                          25/26
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                          This community forum collects and processes your personal information.
                          consent.not_received