How can I configure Numbered Tunnel Interface VPN (Route-Based VPN) in SonicOS?
10/14/2021
Description
In SonicOS, a routing protocol can use a numbered tunnel interface to establish a routing session. To support this, the SonicOS administrator adds an interface in the VPN zone and assigns it an IP address from a private subnet. This numbered tunnel interface can then be used for the routing protocol session.
After a numbered tunnel interface is added to the interface list, a static route policy can use it as the interface in a static route policy configuration for a static route based VPN. Routing protocols (OSPF, RIP, and BGP) can use it for dynamic route based VPN.
To configure a Numbered VPN Tunnel Interface, follow the steps below:
Numbered VPN Tunnel Interfaces are supported on SonicOS 5.9 and on SonicOS 6.2.5.1 and up.
The Numbered VPN Tunnel Interface has been available as a beta feature since SonicOS 6.2.4.0 and was officially released in SonicOS 6.2.5.1.
- Configuring the VPN Policy
- Configuring the Tunnel Interface
- Configuring the Route Policy
- Configuring the Access Rules
SonicOS GEN5 and GEN6 also support Unnumbered Tunnel Interfaces.
- For an example of an Unnumbered Tunnel Interface VPN with Advance Routing, see KB 170505993844965.
- For an example of an Unnumbered Tunnel Interface VPN with Static Routing (Static Route Based VPN), see KB 170505633799556.
IP Addresses used in this article
| | Site A (NSA 3600) | Site B (TZ400w) |
|---|---|---|
| WAN IP | X1: 10.103.20.94 | X1: 10.103.20.200 |
| Tunnel IP | 1.1.1.1 | 1.1.1.2 |
| Local Network | 192.168.136.0/24 | 192.168.41.0/24 |
| Peer Network (VPN) | 192.168.41.0/24 | 192.168.136.0/24 |
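A pre-deployment check of this addressing plan, as an added example that is not part of the original article or SonicWall's tooling. It verifies that the tunnel IPs share a subnet, that each side's peer network mirrors the other side's local network, that nothing overlaps, and that the tunnel IPs come from a private range as the description requires (the sample values 1.1.1.1 and 1.1.1.2 do not). The /30 tunnel mask and the `tunnel-to-peer` interface name are assumptions.

```python
import ipaddress as ip

# Addressing plan copied from the table above. The /30 tunnel mask is an
# assumption; the article does not state one.
SITES = {
    "A": {"tunnel": "1.1.1.1/30", "local": "192.168.136.0/24", "peer": "192.168.41.0/24"},
    "B": {"tunnel": "1.1.1.2/30", "local": "192.168.41.0/24", "peer": "192.168.136.0/24"},
}

def check_plan(sites):
    """Return a list of findings for a two-site numbered tunnel plan."""
    findings = []
    (na, a), (nb, b) = sites.items()
    ta, tb = ip.ip_interface(a["tunnel"]), ip.ip_interface(b["tunnel"])
    # Both tunnel endpoints must be distinct hosts in one subnet, otherwise a
    # routing protocol session across the tunnel cannot form.
    if ta.network != tb.network:
        findings.append("tunnel IPs are in different subnets")
    if ta.ip == tb.ip:
        findings.append("tunnel IPs are identical")
    # The description calls for a private subnet on the tunnel interface.
    for name, t in ((na, ta), (nb, tb)):
        if not t.ip.is_private:
            findings.append(f"site {name} tunnel IP {t.ip} is not in a private range")
    # Each side's peer network must be the other side's local network.
    for (n1, s1), (n2, s2) in (((na, a), (nb, b)), ((nb, b), (na, a))):
        if ip.ip_network(s1["peer"]) != ip.ip_network(s2["local"]):
            findings.append(f"site {n1} peer network does not match site {n2} local network")
    # Overlapping networks make the route policy ambiguous.
    nets = [ip.ip_network(a["local"]), ip.ip_network(b["local"]), ta.network]
    for i, x in enumerate(nets):
        for y in nets[i + 1:]:
            if x.overlaps(y):
                findings.append(f"{x} overlaps {y}")
    return findings

def route_policies(sites, interface="tunnel-to-peer"):
    """Static route policy per site: local subnet to peer subnet via the tunnel.
    The interface name is a placeholder for the VPN Tunnel Interface you create."""
    return {n: {"source": s["local"], "destination": s["peer"],
                "service": "Any", "interface": interface}
            for n, s in sites.items()}

if __name__ == "__main__":
    for finding in check_plan(SITES):
        print("FINDING:", finding)
    for site, policy in route_policies(SITES).items():
        print(site, policy)
```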
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Configuring the VPN Policy
- Log into the SonicWall management interface. Navigate to Manage | Objects | Address Objects and click the ADD button to create address objects for the VPN subnets.
[Screenshots: Site A | Site B]
- Navigate to Manage | VPN | Base Settings and click Add. The VPN Policy window is displayed. Follow the images below to configure the policies.
NOTE: When configuring a Numbered Tunnel Interface VPN, do not select Allow Advanced Routing in the VPN Policy Advanced tab. This option is used for an Unnumbered Tunnel Interface with Advanced Routing only.
[Screenshots: Site A | Site B]
NOTE: The settings used on the Proposals tab are not shown, but these must be identical on the Tunnel Interface VPNs done on both appliances.
Configuring the Tunnel Interface
- Navigate to Manage | Network | Interfaces and, in the Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.
[Screenshots: Site A | Site B]
Configuring the Route Policy
- Navigate to Manage | Network | Routing to manage Advanced Routing and Static Routes.
- To create a static route, scroll down to Route Policies and click Add.
- In the Static Route Policy example shown below, the source is X0 Subnet, the destination is the remote subnet, the service is Any, and the Interface is set to the name of the previously created VPN Tunnel Interface.
[Screenshots: Site A | Site B]
To enable Advanced Routing
- Navigate to Manage | Network | Routing | Settings, select Advanced Routing in Routing Mode, and click OK on the warning popup.
- To configure OSPF for the VPN interface, click OSPFv2 or OSPFv3, select the interface where you want to enable OSPF, and click OK.
- Navigate to Manage | Network | Routing and press the Settings Icon near the Search bar to configure OSPF settings.
Configuring the Access Rules
- Navigate to Manage | Rules | Access Rules and allow the traffic between LAN and VPN so that remote VPN sources can be reached.
NOTE: Although the tunnel will be up and OSPF will be able to detect neighbors, traffic will be blocked to the other side of the tunnel until access rules are created from the local zones to the VPN zone.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Configuring the VPN Policy
- Log into the SonicWall management interface. Navigate to Network | Address Objects and click the ADD button to create address objects for the VPN subnets.
[Screenshots: Site A | Site B]
- Navigate to VPN | Settings and click Add. The VPN Policy window is displayed. Follow the images below to configure the policies.
NOTE: When configuring a Numbered Tunnel Interface VPN, do not select Allow Advanced Routing in the VPN Policy Advanced tab. This option is used for an Unnumbered Tunnel Interface with Advanced Routing only.
[Screenshots: Site A | Site B]
NOTE: The settings used on the Proposals tab are not shown, but these must be identical on the Tunnel Interface VPNs done on both appliances.
Configuring the Tunnel Interface
- Navigate to Network | Interfaces and, in the Add Interface field, select VPN Tunnel Interface to create the VPN tunnel interfaces on both appliances.
[Screenshots: Site A | Site B]
Configuring the Route Policy
- Navigate to Network | Routing to manage Advanced Routing and Static Routes.
- To create a static route, scroll down to Route Policies and click Add.
- In the Static Route Policy example shown below, the source is X0 Subnet, the destination is the remote subnet, the service is Any, and the Interface is set to the name of the previously created VPN Tunnel Interface.
[Screenshots: Site A | Site B]
To enable Advanced Routing
- Navigate to Network | Routing, select Advanced Routing in Routing Mode, and click OK on the warning popup.
- To configure OSPF for the VPN interface, click the Configure OSPF icon.
- Enable OSPF from the OSPF drop down menu and select OK.
Configuring the Access Rules