Adding a wireless network to a site to site VPN (SonicOS Enhanced)
05/09/2023 767 People found this article helpful 484,521 Views
Description
Adding a wireless network to a site to site VPN (SonicOS Enhanced)
Resolution
Feature/Application:
Allow for a site to site VPN connection with access to a wireless network at one side.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Procedure:
This configuration will be based on a site to site VPN in which both sides have a static WAN IP, SonicOS Enhanced is being used, the VPN is configured in Main Mode and one side also has a wireless network.
Site A has a WAN IP of 10.10.10.10 and a LAN subnet of 192.168.1.0/24.
Site B has a WAN IP of 10.11.11.11 and a LAN subnet of 192.168.11.0/24 and a WLAN (Wireless Network) of 172.16.32.0/24
When configuring the destination network on the VPN policy at Site A, two address objects must be created. One for Site B LAN, and one for Site B WLAN. Both address objects should be set to zone VPN and then placed in an address group. The newly created address group should be used as the destination network on the VPN policy at Site A. The local network can be set to LAN Primary subnet or X0 Subnet in this instance.
Navigate to Objects - Match Objects - Addresses - Address Objects - Add
Navigate to Objects - Match Objects - Addresses - Address Groups - Add
When configuring the VPN policy at Site B, only one address object must be created for the destination network. It can be called Site A LAN and should have the zone assignment set to VPN. An address group can be created for the local network setting in the VPN policy or a default one can be used. If creating one, place X0 subnet or LAN Primary Subnet along with WLAN subnet into the group and then use it for the local network on the VPN policy. If a default one is preferred, Firewalled Subnets can be used in many cases. Please review what is included in this group by checking the Objects - Match Objects - Addresses page.
Adding WLAN and LAN as the local network on the Site B VPN policy will allow access to both networks for traffic coming through the VPN tunnel. By adding the Site B WLAN and Site B LAN to the destination at Site A will allow traffic to pass over the VPN.
How to Test:
Ping via IP from a wireless computer to a host at site A. Likewise, ping a wireless computer ip address from a Site A host.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Procedure:
This configuration will be based on a site to site VPN in which both sides have a static WAN IP, SonicOS Enhanced is being used, the VPN is configured in Main Mode and one side also has a wireless network.
Site A has a WAN IP of 10.10.10.10 and a LAN subnet of 192.168.1.0/24.
Site B has a WAN IP of 10.11.11.11 and a LAN subnet of 192.168.11.0/24 and a WLAN (Wireless Network) of 172.16.32.0/24
When configuring the destination network on the VPN policy at Site A, two address objects must be created. One for Site B LAN, and one for Site B WLAN. Both address objects should be set to zone VPN and then placed in an address group. The newly created address group should be used as the destination network on the VPN policy at Site A. The local network can be set to LAN Primary subnet or X0 Subnet in this instance.
Navigate to Manage - Policies - Objects - Address objects - Add
Navigate to Manage - Policies - Objects - Address Objects - Address Groups - Add
When configuring the VPN policy at Site B, only one address object must be created for the destination network. It can be called Site A LAN and should have the zone assignment set to VPN. An address group can be created for the local network setting in the VPN policy or a default one can be used. If creating one, place X0 subnet or LAN Primary Subnet along with WLAN subnet into the group and then use it for the local network on the VPN policy. If a default one is preferred, Firewalled Subnets can be used in many cases. Please review what is included in this group by checking the Manage -Policies - Objects page.
Adding WLAN and LAN as the local network on the Site B VPN policy will allow access to both networks for traffic coming through the VPN tunnel. By adding the Site B WLAN and Site B LAN to the destination at Site A will allow traffic to pass over the VPN.
How to Test:
Ping via IP from a wireless computer to a host at site A. Likewise, ping a wireless computer ip address from a Site A host.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Procedure:
This configuration will be based on a site to site VPN in which both sides have a static WAN IP, SonicOS Enhanced is being used, the VPN is configured in Main Mode and one side also has a wireless network.
Site A has a WAN IP of 10.10.10.10 and a LAN subnet of 192.168.1.0/24.
Site B has a WAN IP of 10.11.11.11 and a LAN subnet of 192.168.11.0/24 and a WLAN (Wireless Network) of 172.16.32.0/24
When configuring the destination network on the VPN policy at Site A, two address objects must be created. One for Site B LAN, and one for Site B WLAN. Both address objects should be set to zone VPN and then placed in an address group. The newly created address group should be used as the destination network on the VPN policy at Site A. The local network can be set to LAN Primary subnet or X0 Subnet in this instance.
When configuring the VPN policy at Site B, only one address object must be created for the destination network. It can be called Site A LAN and should have the zone assignment set to VPN. An address group can be created for the local network setting in the VPN policy or a default one can be used. If creating one, place X0 subnet or LAN Primary Subnet along with WLAN subnet into the group and then use it for the local network on the VPN policy. If a default one is preferred, Firewalled Subnets can be used in many cases. Please review what is included in this group by checking the Network > Address Objects page.
Adding WLAN and LAN as the local network on the Site B VPN policy will allow access to both networks for traffic coming through the VPN tunnel. By adding the Site B WLAN and Site B LAN to the destination at Site A will allow traffic to pass over the VPN.
How to Test:
Ping via IP from a wireless computer to a host at site A. Likewise, ping a wireless computer ip address from a Site A host.
Related Articles
Categories