Cannot pass traffic to LAN devices through a VPN tunnel

Article:TECH80833  |  Created: 2003-01-23  |  Updated: 2009-01-26  |  Article URL http://www.symantec.com/docs/TECH80833
Article Type
Technical Solution


Issue



You configured the VPN connections to a Symantec Firewall/VPN (SFVPN) appliance or Symantec Enterprise Firewall product (Symantec Enterprise Firewall, Symantec VelociRaptor, or Symantec Gateway Security appliance). You confirmed that you can pass traffic (by pinging) to the internal IP address of the Symantec VPN server through the tunnel. However, traffic to other addresses on the remote network does not appear to pass through the tunnel.


Solution



This problem may be the result of an internal default gateway configuration on the internal network.

If the devices you are trying to access through the VPN tunnel do not use the internal IP address of the Symantec VPN server as their default gateway (either directly or indirectly), then traffic to those devices fails.

Because computers connecting through a VPN tunnel maintain their original IP address through the tunnel, responses to traffic coming out of the tunnel must be able to return to the SFVPN for routing through the tunnel. If the internal computers use another gateway or firewall address (or an internal router configured as such) as their default gateway, then the traffic returning from those hosts may not exit through the SFVPN causing the connection to fail.

Example:
A VPN client with an IP address of 200.1.1.1 connects a tunnel to an SFVPN appliance with a tunnel of 192.168.0.0/24. As a result, all traffic from the client to the 192.168.0.0/24 network goes through the VPN connection.

If the VPN client pings a server behind the SFVPN appliance that has an IP address of 192.168.0.2, the ping has a source address of 200.1.1.1 and a destination of 192.168.0.2.

The computer at 192.168.0.2 receives the packet and responds to 200.1.1.1. If the computer at 192.168.0.2 has a default gateway of the SFVPN's internal interface (192.168.0.1, by default), then the packet returns to the SFVPN appliance, it is encrypted, and then routed through the tunnel to the VPN client.
However, if 192.168.0.2 has a different default gateway (either another router or firewall/gateway, such as 192.168.0.99 in the example below), the packet is forwarded to the other gateway's IP address and dropped at the device or routed elsewhere (and does not return through the VPN tunnel).



Resolution:
Symantec Enterprise Firewall products allow you to incorporate network address translation (NAT) for VPN traffic to alleviate this problem. When NAT is used on the VPN tunnel, the traffic entering the internal network appears to original from an address on that network and, therefore, does not go out through the default gateway.

SFVPN appliances are not capable of performing NAT for VPN tunnel connections. All VPN tunnel connections maintain the original address as a source for inbound traffic through the tunnel. Internal computers not configured to route traffic back to the SFVPN through default gateways fail to respond properly to requests through the VPN tunnel.

If NAT is a required situation for your network based on the routing criteria or limitations stated above, you should use a Symantec Enterprise Firewall product (Symantec Enterprise Firewall/VPN, Symantec VelociRaptor, or Symantec Gateway Security appliance) for VPN connections instead.






Legacy ID



2003012311400354


Article URL http://www.symantec.com/docs/TECH80833


Terms of use for this information are found in Legal Notices