Configuring a Tunnel Interface VPN with DHCP Relay using IP Helper

10/14/2021


    Description

    Configuring a Tunnel Interface VPN with DHCP Relay using IP Helper.

    Resolution

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

    Step 1: Configure the Tunnel Interface VPN Policy on each unit. This is done under Network | IPSec VPN | Rules and Settings.

    On the General tab of the new VPN Policy configuration window, configure the following settings.

    • Policy Type: Tunnel Interface
    • Authentication Method: IKE using Preshared Secret
    • Name: Enter a desired policy name
    • IPSec Primary Gateway Name/Address: Enter the remote unit’s WAN IP.
    • Enter a shared secret that will be used on each side of the tunnel.


    General tab (Central site):

                     Image


    General tab (Remote site):

                    Image

     Enter your desired Proposal settings on each side of the tunnel. An example of the Proposals tab is shown below:


                 Image


    On the Advanced tab, configure Keep Alive, Management via this SA, and any other desired options. Ensure the VPN Policy Bound To dropdown menu is set to the WAN Interface that the tunnel will use to connect. In this example, the X1 WAN Interface is used on the Central site, while the Remote site also uses X1 WAN:



    Advanced tab (Central site):

    Image

    Advanced tab (Remote site):

    Image


    Once complete, the tunnel will be established, and will look like this:




    Central Site:

            Image

    Step 2: Create routes on each unit. This can be done under Policy | Rules and Policies | Routing Rules. Options include Route-All VPN (all Internet traffic routes through the Central site over the tunnel) and the more traditional Split Tunnel VPN (only traffic destined for a remote subnet routes through the tunnel).

    Address Objects can be created while creating routes, or can be done before creating routes, under Objects | Match Objects | Addresses.

    Step 2a – Central site routes:

    In the example below, the Remote site has 2 networks: 1 LAN and 1 VLAN under X0. I have added one route per remote network.

           Image


    Note: Create one route per remote network. The example below only shows one network route, but as shown above, two routes were created since two networks need to communicate over the tunnel.

    Detailed route configuration:

    • Source: Any
    • Destination: Remote network Address Object. The Object should be assigned to the VPN Zone.
    • Service: Any
    • Interface: Select the Tunnel Interface name from the dropdown list.
    • Allow Automatic Access Rule creation for simplicity, or disable it for granularity.


    Image Image

    Image

    • The same step can be configured on the Remote site as well, specifying the correct tunnel interface.


    Note: If using the Route-All option, a NAT Policy must be created on the Central site for translation to the WAN IP. An example NAT Policy for the Remote site’s X0 LAN can be found below.


    Image Image


    Split Tunnel Option: In this example, only one network exists on the Central site, thus only one route is created.

    Image Image


    Step 3: On the Remote site, enable IP Helper and create IP Helper Policies for DHCP Relay. Options include DHCP Relay to the Central firewall’s internal DHCP server and DHCP Relay to an external DHCP server behind the Central firewall.

    Step 3a: Enable IP Helper and DHCP Protocol Support. An example is shown below.


    Under Network | System | IP Helper


                         Image

    Step 3b: Configure an IP Helper Policy for each network that requires remote DHCP.

    Internal DHCP Option: In this example, DHCP is relayed to the X0 LAN IP of the Central site. The Central firewall’s internal DHCP server provides DHCP to remote VPN systems.


                         Image

    External DHCP Option: In this example, DHCP is relayed to the Central site’s LAN DHCP server. The LAN server at the Central site provides DHCP to remote VPN systems.

                          Image


    Step 4: Configure DHCP scopes for each remote network. Each network requires its own DHCP scope on the DHCP server.

    Note: DHCP Leases will be displayed on the Remote site firewall, on the Network | System | IP Helper page, as well as on the server which provided the lease.

    Internal DHCP configuration:

    If you plan to use the Central firewall’s internal DHCP server, you will need to create a scope for each remote subnet, as shown below. This can be done on the Network > System > DHCP Server page. The scope must be large enough to support all of the DHCP clients on the remote network.

    Note: Do not use the “Interface Pre-Populate” option. This will populate the DHCP scope configuration with information from the selected interface. Once the scope has been added, you will notice that the Interface reads “N/A”.

    Note: Leases can be found under Network | System | DHCP Server (Lease Scopes).


    Image


    External DHCP configuration:

    If you plan to use an external DHCP server, you will need to create a scope for each remote subnet on the DHCP server, as shown in the screenshots below. The screenshots are taken from Windows 2003 Server.

    Configure the Scope’s name and description.


            Image


    Configure the desired IP Range. Set the appropriate Subnet Mask.

            Image

    Set a DHCP Lease Duration.

            Image

    Configure the DHCP options.

           Image

    Enter the Default Gateway IP that each DHCP client will use.

            Image

    Enter the IPs of any DNS servers you would like to use.

          Image

    Enter the IPs of any WINS servers you would like to use.

           Image

    Activate the scope.

         Image

    Below, the screenshots show the three configured (and active) scopes for the remote subnets, and two leases provided by the server to remote client systems.

    Image Image





    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


    Step 1: Configure the Tunnel Interface VPN Policy on each unit. This is done under Manage | VPN | Base Settings.

    On the General tab of the new VPN Policy configuration window, configure the following settings.

    • Policy Type: Tunnel Interface
    • Authentication Method: IKE using Preshared Secret
    • Name: Enter a desired policy name
    • IPSec Primary Gateway Name/Address: Enter the remote unit’s WAN IP.
    • Enter a shared secret that will be used on each side of the tunnel.

    General tab (Central site):
    Image

    General tab (Remote site):
    Image
     
    Enter your desired Proposal settings on each side of the tunnel. An example of the Proposals tab is shown below:
    Image
     
     
    On the Advanced tab, configure Keep Alive, Management via this SA, and any other desired options. Ensure the VPN Policy Bound To dropdown menu is set to the WAN Interface that the tunnel will use to connect. In this example, the X6 WAN Interface is used on the Central site, while the Remote site uses X1 WAN.
     

    Advanced tab (Central site):

    Image

    Advanced tab (Remote site):
    Image

    Once complete, the tunnel will be established, and will look like this:


    Central:

    Image
    Remote:

    Image

    Step 2: Create routes on each unit. This can be done under Network | Routing. Options include Route-All VPN (all Internet traffic routes through the Central site over the tunnel) and the more traditional Split Tunnel VPN (only traffic destined for a remote subnet routes through the tunnel). Address Objects can be created while creating routes, or can be done before creating routes, under Network | Address Objects.

    Step 2a – Central site routes:

    In the example below, the Remote site has 3 networks: 2 LANs (X0 and X2), and 1 WLAN (W0). I have added one route per remote network.
    Image


    Note: Create one route per remote network. The example below only shows one network route, but as shown above, three routes were created since three networks need to communicate over the tunnel.

    Detailed route configuration:

    • Source: Any
    • Destination: Remote network Address Object. The Object should be assigned to the VPN Zone.
    • Service: Any
    • Interface: Select the Tunnel Interface name from the dropdown list.
    • Allow Automatic Access Rule creation for simplicity, or disable it for granularity.

    Image

    Step 2b – Remote site routes:

    Route-All Option:

    Image

    Note: If using the Route-All option, a NAT Policy must be created on the Central site for translation to the WAN IP. An example NAT Policy for the Remote site’s X0 LAN can be found below.

    Image

    Split Tunnel Option:

    In this example, only one network exists on the Central site, thus only one route is created.
    Image


    Step 3: On the Remote site, enable IP Helper and create IP Helper Policies for DHCP Relay. Options include DHCP Relay to the Central firewall’s internal DHCP server and DHCP Relay to an external DHCP server behind the Central firewall.

    Step 3a: Enable IP Helper and DHCP Protocol Support. An example is shown below.

    Under Manage | Network | IP Helper
    Image


    Step 3b: Configure an IP Helper Policy for each network that requires remote DHCP.
     
    Internal DHCP Option:

    In this example, DHCP is relayed to the X0 LAN IP of the Central site. The Central firewall’s internal DHCP server provides DHCP to remote VPN systems.
    Image


    External DHCP Option:

    In this example, DHCP is relayed to the Central site’s LAN DHCP server. The LAN server at the Central site provides DHCP to remote VPN systems.

    Image

    Step 4: Configure DHCP scopes for each remote network. Each network requires its own DHCP scope on the DHCP server.

    Note: DHCP Leases will be displayed on the Remote site firewall, on the Network > IP Helper page, as well as on the server which provided the lease.

    Internal DHCP configuration:

    If you plan to use the Central firewall’s internal DHCP server, you will need to create a scope for each remote subnet, as shown below. This can be done on the Network > DHCP Server page. The scope must be large enough to support all of the DHCP clients on the remote network.

    Note: Do not use the “Interface Pre-Populate” option. This will populate the DHCP scope configuration with information from the selected interface. Once the scope has been added, you will notice that the Interface reads “N/A”.

    Note: Leases can be found on the Network | DHCP Server page.

    Image

    External DHCP configuration:

    If you plan to use an external DHCP server, you will need to create a scope for each remote subnet on the DHCP server, as shown in the screenshots below. The screenshots are taken from Windows 2003 Server.

    Configure the Scope’s name and description.
    Image
     
    Configure the desired IP Range. Set the appropriate Subnet Mask.

    Image
     
    Set a DHCP Lease Duration.
    Image

    Configure the DHCP options.
    Image
     
    Enter the Default Gateway IP that each DHCP client will use.
    Image

    Enter the IPs of any DNS servers you would like to use.
    Image

    Enter the IPs of any WINS servers you would like to use.
    Image

    Activate the scope.
    Image

    Below, the screenshots show the three configured (and active) scopes for the remote subnets, and two leases provided by the server to remote client systems.
    Image Image





    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.


    Step 1: Configure the Tunnel Interface VPN Policy on each unit. This is done under VPN > Settings.

    On the General tab of the new VPN Policy configuration window, configure the following settings.

    • Policy Type: Tunnel Interface
    • Authentication Method: IKE using Preshared Secret
    • Name: Enter a desired policy name
    • IPSec Primary Gateway Name/Address: Enter the remote unit’s WAN IP.
    • Enter a shared secret that will be used on each side of the tunnel.

    General tab (Central site):
    Image

    General tab (Remote site):
    Image
     
    Enter your desired Proposal settings on each side of the tunnel. An example of the Proposals tab is shown below:
    Image
     
     
    On the Advanced tab, configure Keep Alive, Management via this SA, and any other desired options. Ensure the VPN Policy Bound To dropdown menu is set to the WAN Interface that the tunnel will use to connect. In this example, the X6 WAN Interface is used on the Central site, while the Remote site uses X1 WAN.
     
    Advanced tab (Central site):
    Image

    Advanced tab (Remote site):
    Image

    Once complete, the tunnel will be established, and will look like this:

    Central:
    Image
    Remote:

    Image

    Step 2: Create routes on each unit. This can be done under Network > Routing. Options include Route-All VPN (all Internet traffic routes through the Central site over the tunnel) and the more traditional Split Tunnel VPN (only traffic destined for a remote subnet routes through the tunnel). Address Objects can be created while creating routes, or can be done before creating routes, under Network > Address Objects.

    Step 2a – Central site routes:

    In the example below, the Remote site has 3 networks: 2 LANs (X0 and X2), and 1 WLAN (W0). I have added one route per remote network.
    Image


    Note: Create one route per remote network. The example below only shows one network route, but as shown above, three routes were created since three networks need to communicate over the tunnel.

    Detailed route configuration:

    • Source: Any
    • Destination: Remote network Address Object. The Object should be assigned to the VPN Zone.
    • Service: Any
    • Interface: Select the Tunnel Interface name from the dropdown list.
    • Allow Automatic Access Rule creation for simplicity, or disable it for granularity.

    Image

    Step 2b – Remote site routes:

    Route-All Option:

    Image

    Note: If using the Route-All option, a NAT Policy must be created on the Central site for translation to the WAN IP. An example NAT Policy for the Remote site’s X0 LAN can be found below.

    Image

    Split Tunnel Option:

    In this example, only one network exists on the Central site, thus only one route is created.
    Image
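    Why the Route-All option needs a NAT Policy at the Central site, and why the Central site needs one route per remote network (Step 2 in each of the three firmware sections above), as an added Python example. This is not part of the original article and not SonicWall's software: it performs a plain longest-prefix route lookup over two constructed route tables and reports where a packet from a remote-site host exits each firewall. The addresses, the interface names and the tunnel policy name TunnelToPeer are assumptions; the IPsec transport packets to the peer's WAN IP are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    interface: str


# Constructed sample addressing (the article's screenshots are not reproduced here).
ANY = ipaddress.ip_network("0.0.0.0/0")
CENTRAL_LAN = ipaddress.ip_network("10.0.0.0/24")      # Central site X0 LAN
REMOTE_LAN = ipaddress.ip_network("192.168.10.0/24")   # Remote site X0 LAN
REMOTE_VLAN = ipaddress.ip_network("192.168.20.0/24")  # Remote site VLAN under X0
TUNNEL = "TunnelToPeer"  # hypothetical Tunnel Interface policy name on each side


def lookup(routes, dst):
    """Longest-prefix match over a route table; returns the egress interface or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.destination and (best is None or r.destination.prefixlen > best.destination.prefixlen):
            best = r
    return best.interface if best else None


def remote_routes(mode: str):
    """Remote site. Route-All: destination Any via the tunnel.
    Split tunnel: only the Central LAN via the tunnel, everything else via the X1 WAN."""
    connected = [Route(REMOTE_LAN, "X0"), Route(REMOTE_VLAN, "X0")]
    if mode == "route-all":
        return connected + [Route(ANY, TUNNEL)]
    return connected + [Route(CENTRAL_LAN, TUNNEL), Route(ANY, "X1")]


def central_routes():
    """Central site: one route per remote network via the tunnel, default via the X1 WAN."""
    return [Route(CENTRAL_LAN, "X0"), Route(REMOTE_LAN, TUNNEL),
            Route(REMOTE_VLAN, TUNNEL), Route(ANY, "X1")]


def trace(mode: str, src: str, dst: str):
    """Follow a packet from a remote-site host. Returns (remote egress, central egress,
    nat_needed). nat_needed is True when the packet leaves the Central WAN still carrying a
    remote-site private source address: that is the case the article's NAT Policy covers."""
    first_hop = lookup(remote_routes(mode), dst)
    if first_hop != TUNNEL:
        return (first_hop, None, False)
    second_hop = lookup(central_routes(), dst)
    src_ip = ipaddress.ip_address(src)
    nat_needed = second_hop == "X1" and any(src_ip in n for n in (REMOTE_LAN, REMOTE_VLAN))
    return (first_hop, second_hop, nat_needed)


def reply_path(src: str):
    """Return direction: without a Central route for a remote subnet, replies to that
    subnet fall through to the default route and leave via the WAN instead of the tunnel."""
    return lookup(central_routes(), src)


if __name__ == "__main__":
    print("route-all, remote host to Internet:", trace("route-all", "192.168.10.50", "8.8.8.8"))
    print("split, remote host to Internet:    ", trace("split", "192.168.10.50", "8.8.8.8"))
    print("split, remote VLAN to Central LAN: ", trace("split", "192.168.20.50", "10.0.0.5"))
    print("reply to unrouted remote subnet:   ", reply_path("192.168.30.50"))
```

    The last call shows the failure mode behind the "one route per remote network" note: a third remote subnet with no Central route gets its replies sent out the WAN, so the tunnel appears up while that subnet cannot communicate.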


    Step 3: On the Remote site, enable IP Helper and create IP Helper Policies for DHCP Relay. Options include DHCP Relay to the Central firewall’s internal DHCP server and DHCP Relay to an external DHCP server behind the Central firewall.

    Step 3a: Enable IP Helper and DHCP Protocol Support. An example is shown below.
    Image


    Step 3b: Configure an IP Helper Policy for each network that requires remote DHCP.
     
    Internal DHCP Option:

    In this example, DHCP is relayed to the X0 LAN IP of the Central site. The Central firewall’s internal DHCP server provides DHCP to remote VPN systems.
    Image


    External DHCP Option:

    In this example, DHCP is relayed to the Central site’s LAN DHCP server. The LAN server at the Central site provides DHCP to remote VPN systems.

    Image

    Step 4: Configure DHCP scopes for each remote network. Each network requires its own DHCP scope on the DHCP server.

    Note: DHCP Leases will be displayed on the Remote site firewall, on the Network > IP Helper page, as well as on the server which provided the lease.

    Internal DHCP configuration:

    If you plan to use the Central firewall’s internal DHCP server, you will need to create a scope for each remote subnet, as shown below. This can be done on the Network > DHCP Server page. The scope must be large enough to support all of the DHCP clients on the remote network.

    Note: Do not use the “Interface Pre-Populate” option. This will populate the DHCP scope configuration with information from the selected interface. Once the scope has been added, you will notice that the Interface reads “N/A”.

    Note: Leases can be found on the Network > DHCP Server page.

    Image

    External DHCP configuration:

    If you plan to use an external DHCP server, you will need to create a scope for each remote subnet on the DHCP server, as shown in the screenshots below. The screenshots are taken from Windows 2003 Server.

    Configure the Scope’s name and description.
    Image
     
    Configure the desired IP Range. Set the appropriate Subnet Mask.

    Image
     
    Set a DHCP Lease Duration.
    Image

    Configure the DHCP options.
    Image
     
    Enter the Default Gateway IP that each DHCP client will use.
    Image

    Enter the IPs of any DNS servers you would like to use.
    Image

    Enter the IPs of any WINS servers you would like to use.
    Image

    Activate the scope.
    Image

    Below, the screenshots show the three configured (and active) scopes for the remote subnets, and two leases provided by the server to remote client systems.
    Image Image
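    How a relayed DHCPDISCOVER reaches the right scope, as an added Python example covering Step 3 (IP Helper DHCP Relay) and Step 4 (one scope per remote network) in each of the three firmware sections above. This is not part of the original article and not SonicWall's code: it builds a minimal BOOTP/DHCP header, applies what a relay agent does (fill giaddr with the receiving interface address, increment hops) and models a server that selects the scope whose subnet contains giaddr. That selection rule is why a remote network with no scope, or a scope pre-populated from a Central interface, never yields an offer for remote clients. All addresses, MAC addresses and pool sizes are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Constructed sample addressing for this example (not taken from the article's screenshots).
CENTRAL_LAN = ipaddress.ip_network("10.0.0.0/24")     # Central site X0 LAN, where the DHCP server sits
REMOTE_X0_IP = ipaddress.ip_address("192.168.10.1")   # Remote firewall X0 IP: IP Helper relays from here
REMOTE_VLAN_IP = ipaddress.ip_address("192.168.20.1") # Remote VLAN interface under X0 (no scope created yet)


@dataclass
class Scope:
    network: ipaddress.IPv4Network
    first: ipaddress.IPv4Address   # first address of the pool
    last: ipaddress.IPv4Address    # last address of the pool
    router: ipaddress.IPv4Address  # default gateway handed to clients
    leased: set = field(default_factory=set)


# BOOTP/DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr. giaddr starts at byte offset 24.
HDR = "!BBBBIHH4s4s4s4s16s"
GIADDR_OFF = 24


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """A client's DHCPDISCOVER as broadcast on its own segment: giaddr is 0.0.0.0."""
    zero = b"\x00" * 4
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                       client_mac.ljust(16, b"\x00"))


def relay(packet: bytes, relay_ip: ipaddress.IPv4Address) -> bytes:
    """What an IP Helper DHCP Relay policy does before unicasting to the configured
    server: set giaddr to the receiving interface's IP if it is still zero, bump hops."""
    hops = packet[3] + 1
    giaddr = packet[GIADDR_OFF:GIADDR_OFF + 4]
    if giaddr == b"\x00" * 4:
        giaddr = relay_ip.packed
    return packet[:3] + bytes([hops]) + packet[4:GIADDR_OFF] + giaddr + packet[GIADDR_OFF + 4:]


def select_scope(scopes, packet: bytes, server_subnet: ipaddress.IPv4Network):
    """Server-side scope selection: a non-zero giaddr picks the scope containing the
    relay's address; a zero giaddr means the request came from the server's own subnet."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFF:GIADDR_OFF + 4])
    if int(giaddr) == 0:
        return next((s for s in scopes if s.network == server_subnet), None)
    return next((s for s in scopes if giaddr in s.network), None)


def offer(scopes, packet: bytes, server_subnet: ipaddress.IPv4Network):
    """Return (offered address, router) from the matching scope, or None if no scope
    matches or the pool is exhausted (the article's "scope must be large enough" point)."""
    scope = select_scope(scopes, packet, server_subnet)
    if scope is None:
        return None
    for n in range(int(scope.first), int(scope.last) + 1):
        addr = ipaddress.ip_address(n)
        if addr not in scope.leased:
            scope.leased.add(addr)
            return (str(addr), str(scope.router))
    return None


def scope_for(net: str, first: str, last: str, router: str) -> Scope:
    return Scope(ipaddress.ip_network(net), ipaddress.ip_address(first),
                 ipaddress.ip_address(last), ipaddress.ip_address(router))


def demo():
    """Three cases: an unrelayed Central LAN client, a relayed Remote LAN client, and a
    relayed client on a remote VLAN for which no scope has been created yet."""
    scopes = [
        scope_for("10.0.0.0/24", "10.0.0.100", "10.0.0.199", "10.0.0.1"),              # Central LAN
        scope_for("192.168.10.0/24", "192.168.10.100", "192.168.10.199", "192.168.10.1"),  # Remote LAN
    ]
    local = build_discover(b"\xaa\xbb\xcc\x00\x00\x01", 0x1001)
    remote = relay(build_discover(b"\xaa\xbb\xcc\x00\x00\x02", 0x1002), REMOTE_X0_IP)
    vlan = relay(build_discover(b"\xaa\xbb\xcc\x00\x00\x03", 0x1003), REMOTE_VLAN_IP)
    return {
        "local": offer(scopes, local, CENTRAL_LAN),
        "remote_lan": offer(scopes, remote, CENTRAL_LAN),
        "remote_vlan": offer(scopes, vlan, CENTRAL_LAN),  # None until a 192.168.20.0/24 scope exists
        "remote_hops": remote[3],
    }


if __name__ == "__main__":
    print(demo())
```

    The giaddr value is also what makes the "Interface Pre-Populate" note matter: a scope filled in from a Central interface carries the Central subnet, so a giaddr of 192.168.10.1 never matches it and the relayed clients receive no offer.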


    Related Articles

    • SSL Control and DPI-SSL Compatibility
    • FIPS Mode: Radius protected with IPSEC VPN
    • Maximum DHCP Leases

    Categories

    • Firewalls > SonicWall NSA Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > TZ Series
