Dynamic Route Based VPN in SonicOS 5.9.0 - Basic Config

03/26/2020 758 People found this article helpful 99,867 Views

    Description

    Beginning with SonicOS 5.9.0, the configuration of a dynamic route-based VPN has changed from previous versions. In the new method, a Tunnel Interface is configured on the Network | Interfaces page, and OSPF is configured on that Tunnel Interface on the Network | Routing | Advanced Routing page.

    This article describes the basic method to perform this task.

    Resolution

    Tasklist:

    Dynamic route based VPN configuration is a four step process:

    • The first step involves creating a Tunnel Interface VPN policy. The crypto suites used to secure the traffic between the two end-points are defined in this policy.
    • The second step is to create a new Tunnel Interface under Network | Interfaces.
    • The third step involves configuring OSPF for the Tunnel Interface under Network | Routing.
    • The fourth step involves creating access rules from LAN/DMZ to VPN and from VPN to LAN/DMZ to allow traffic over the VPN.

    In this scenario a Dynamic Route-based VPN is configured between an NSA 2400 (Site A) and an NSA 220 (Site B). For this article, we'll be using the following IP addresses as examples to demonstrate the VPN configuration. You can use these examples to create VPN policies for your network, substituting your IP addresses for the examples shown here:

    Site A - NSA 2400

    WAN (X1): 1.1.1.1
    LAN (X0) Subnet: 10.10.10.0/24
    Tunnel Interface IP: 192.168.1.1/24

    Site B - NSA 220

    WAN (X1): 2.2.2.2
    LAN (X0) Subnet: 192.168.168.0/24
    Tunnel Interface IP: 192.168.1.2/24

    Site A (NSA 2400) Configuration

    1. Adding a Tunnel Interface VPN policy
    2. Create and configure a tunnel interface
    3. Configuring OSPF for a Tunnel Interface
    4. Adding rules to allow traffic over the VPN

    Site B (NSA 220) Configuration

    1. Adding a Tunnel Interface VPN policy
    2. Create and configure a tunnel interface
    3. Configuring OSPF for a Tunnel Interface
    4. Adding rules to allow traffic over the VPN

    Tunnel Status, OSPF Neighborship, Dynamic Routes

    Troubleshooting


    Procedure:

    Site A (NSA 2400) Configuration

    1. Adding a Tunnel Interface VPN policy
    2. Create and configure a Tunnel Interface
    3. Configuring OSPF for a Tunnel Interface
    4. Adding rules to allow traffic over the VPN

    Adding a Tunnel Interface VPN policy

    01. Login to the SonicWall management interface.
    02. Navigate to the VPN | Settings page.
    03. Click on the Add button to create a Tunnel Interface VPN policy as per the screenshots.
    Image
    Image   Image

    Create and configure a Tunnel Interface

    01. Navigate to the Network | Interfaces page.
    02. Select Tunnel Interface from the Add Interface drop-down menu to open the Add Tunnel Interface window.
    Image
    03. The Zone will be pre-selected with VPN.
    04. Under VPN Policy, select the VPN policy created earlier.
    05. Mode / IP Assignment will be pre-selected with Static IP Mode.
    06. Under IP Address and Subnet Mask, enter an IP address and subnet mask. The remote site's Tunnel Interface must be in the same subnet as this IP address.
    07. Click on OK to save.
      Image 


    Configuring OSPF for a Tunnel Interface

    01. Navigate to the Network | Routing Page.
    02. Click on the drop-down under Routing Mode and select Advanced Routing.
    03. Click on OK on the warning window.
    04. The tunnel interface created earlier will be visible now.
    Image
    05. Click on the Configure OSPF button on the Tunnel Interface to open the OSPF configuration window.
    06. Enter information as per the screenshot in the OSPFv2 Configuration window.
    07. The OSPF Router ID must be an IP address that is unique in your network.
    08. Click on OK to save the settings.
    Image



    Adding rules to allow traffic over the VPN

    Although the tunnel will be up and OSPF will be able to detect neighbors, traffic to the other side of the tunnel will be blocked until access rules are created from the local zones to the VPN zone and from the VPN zone back to the local zones.

    01. Navigate to Network | Address Objects.

    02. Click on Add to create an address object for the destination network (see screenshot below).

    Image

    Image

    03. Navigate to Firewall | Access Rules.
    04. Go to LAN to VPN.
    05. Create an access rule as per the screenshot.
    Image
    06. Navigate to VPN to LAN.
    07. Create an access rule as per the screenshot.
    Image



    Site B (NSA 220) Configuration

    1. Adding a Tunnel Interface VPN policy
    2. Create and configure a Tunnel Interface
    3. Configuring OSPF for a Tunnel Interface
    4. Adding rules to allow traffic over the VPN

    Adding a Tunnel Interface VPN policy

    01. Login to the SonicWall management interface.
    02. Navigate to the VPN | Settings page.
    03. Click on the Add button to create a Tunnel Interface VPN policy as per the screenshots.

    Image
    Image 
    Image

    Create and configure a Tunnel Interface

    01. Navigate to the Network | Interfaces page.
    02. Select Tunnel Interface from the Add Interface drop-down menu to open the Add Tunnel Interface window.

    Image

    03. In the Add Tunnel Interface window, the Zone will be pre-selected with VPN.
    04. Under VPN Policy, select the VPN policy created earlier.
    05. Mode / IP Assignment will be pre-selected with Static IP Mode.
    06. Under IP Address and Subnet Mask, enter an IP address and subnet mask. The remote site's Tunnel Interface must be in the same subnet as this IP address.
    07. Click on OK to save.

    Image



    Configuring OSPF for a Tunnel Interface

    01. Navigate to the Network | Routing Page.
    02. Click on the drop-down under Routing Mode and select Advanced Routing.
    03. Click on OK on the warning window.
    04. The Tunnel Interface created earlier will be visible now.
    05. Click on the Configure OSPF button on the Tunnel Interface to open the OSPF configuration window.
    06. Enter information as per the screenshot in the OSPFv2 Configuration window.
    07. The OSPF Router ID must be an IP address that is unique in your network.
    08. Click on OK to save the settings.
    Image


    Adding rules to allow traffic over the VPN

    Although the tunnel will be up and OSPF will be able to detect neighbors, traffic to the other side of the tunnel will be blocked until access rules are created from the local zones to the VPN zone and from the VPN zone back to the local zones.

    01. Navigate to Network | Address Objects.
    02. Click on Add to create an address object for each destination network and group them (see screenshot below).
    Image
    03. Navigate to Firewall | Access Rules.
    04. Go to LAN to VPN.
    05. Create an access rule as per the screenshot.
    Image
    06. Navigate to VPN to LAN.
    07. Create an access rule as per the screenshot.
    Image


    OSPF Neighborship, Dynamic Routes

    The VPN tunnel status will turn green as soon as the configuration of the Tunnel Interface VPN policies is completed on both sites.

    The screenshots below show the OSPF neighborship status on both sites and the routes each site has dynamically learned from the other.

    Site A
    Image

    Site B
    Image

    Testing

    Test by pinging an IP address at one site from the other. Only the subnets permitted by the access rules will be reachable.


    Troubleshooting

    Check the following when the VPN tunnel is not up:

    1. Gateway IP address.
    2. Pre-shared secret.
    3. Proposal mismatch.

    Check the following when the VPN tunnel is up but the VPN Tunnel Interface is unable to form neighborship:

    1. Make sure the interface the VPN is bound to is not configured in L2 Bridged Mode.
    2. Make sure the VPN Tunnel Interfaces are in the same OSPF Area.
    3. The OSPFv2 Area Type must be the same on both sites (Normal, Stub Area, Totally Stubby Area, Not-So-Stubby Area, Totally Stubby NSSA).
    4. The OSPF Router IDs must not be duplicates.
    5. The Tunnel Interfaces must be configured with IP addresses in the same subnet.

    Check the following when the VPN Tunnel Interface has formed neighborship but dynamic routes are not present:

    1. Make sure the local and destination networks are not overlapping.
    2. Make sure Redistribute Connected Networks is checked in the OSPFv2 Configuration.

    Check the following when traffic cannot pass across the tunnel even after neighborship is formed:

    1. Make sure OSPF has dynamically learnt the routes to the remote networks. Look under Route Policies on the Network | Routing page.
    2. Make sure access rules have been created from local network zones to the VPN zone.
    3. Make sure access rules have been created from the VPN zone to local network zones.
    4. The zone of each local network address object should match the zone to which that network belongs (e.g. LAN, DMZ).
    5. The destination network address object should be assigned to the VPN zone.
    6. Make sure no conflicting rules with higher priority are present.
    7. Make sure no conflicting static routes are present in the routing table. Check under Route Policies on the Network | Routing page.
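    The troubleshooting checks above can be applied to a planned two-site design before touching either firewall. The following script is an added example and is not SonicWall code; it uses the article's example addresses, while the field names, the pre-shared secret, the Router IDs and the OSPF area are assumed values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Site:
    """Planned settings for one end of the Tunnel Interface VPN (assumed field names)."""
    name: str
    wan: str                   # WAN (X1) address
    peer_gateway: str          # gateway entered in the VPN policy; must be the peer's WAN
    psk: str                   # pre-shared secret (constructed, not from the article)
    lan: str                   # LAN (X0) subnet in CIDR notation
    tunnel_ip: str             # Tunnel Interface address/prefix
    router_id: str             # OSPF Router ID (assumed value)
    area: str = "0"            # OSPF area id (assumed)
    area_type: str = "Normal"  # Normal, Stub Area, Totally Stubby Area, NSSA, ...
    redistribute_connected: bool = True
    access_rules: set = field(default_factory=lambda: {("LAN", "VPN"), ("VPN", "LAN")})

def check_pair(a: Site, b: Site) -> list:
    """Apply the article's troubleshooting checks to two sites; returns the problems found."""
    problems = []
    # "tunnel not up": gateway address and pre-shared secret must line up on both ends
    for s, peer in ((a, b), (b, a)):
        if s.peer_gateway != peer.wan:
            problems.append(f"{s.name}: gateway {s.peer_gateway} is not {peer.name}'s WAN {peer.wan}")
    if a.psk != b.psk:
        problems.append("pre-shared secret differs")
    # "tunnel up, no neighborship": same tunnel subnet, same area and type, unique Router ID
    if ipaddress.ip_interface(a.tunnel_ip).network != ipaddress.ip_interface(b.tunnel_ip).network:
        problems.append("tunnel interfaces not in same subnet")
    if a.area != b.area or a.area_type != b.area_type:
        problems.append("OSPF area or area type mismatch")
    if a.router_id == b.router_id:
        problems.append("duplicate OSPF Router ID")
    # "neighborship up, no routes": non-overlapping LANs, Redistribute Connected Networks on
    if ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan)):
        problems.append("LAN subnets overlap")
    for s in (a, b):
        if not s.redistribute_connected:
            problems.append(f"{s.name}: Redistribute Connected Networks is off")
        # "routes present, no traffic": access rules are needed in both directions
        for rule in (("LAN", "VPN"), ("VPN", "LAN")):
            if rule not in s.access_rules:
                problems.append(f"{s.name}: missing {rule[0]} to {rule[1]} access rule")
    return problems

# Constructed from the article's example addresses; PSK, Router IDs and area are assumed values
SITE_A = Site("Site A", "1.1.1.1", "2.2.2.2", "example-psk", "10.10.10.0/24", "192.168.1.1/24", "10.10.10.1")
SITE_B = Site("Site B", "2.2.2.2", "1.1.1.1", "example-psk", "192.168.168.0/24", "192.168.1.2/24", "192.168.168.1")

if __name__ == "__main__":
    print(check_pair(SITE_A, SITE_B) or "no problems found")
```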

    Related Articles

    • How to configure SSLVPN Tunnel all mode for one or more particular users (Local or Domain users)
    • How to disable TOTP for a Local User with admin privileges via CLI.
    • Parserror on Event logs.

    Categories

    • Firewalls > TZ Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall NSA Series
