Dynamic Route Based VPN in SonicOS 5.9.0 - Basic Config
03/26/2020 
758 
13231
DESCRIPTION:
Beginning with SonicOS 5.9.0, configuring dynamic route based VPN has changed from previous versions. In the new configuration method, a Tunnel Interface must be configured under Network | Interfaces page and OSPF configured on the Tunnel Interface under Network | Routing | Advanced Routing page.
This articles describes the basic method to perform this task.
RESOLUTION:
Tasklist:
Dynamic route based VPN configuration is a four step process:
- The first step involves creating a Tunnel Interface VPN policy . The crypto suites used to secure the traffic between two end-points are defined in the policy.
- The second step is to create a new Tunnel Interface under Network | Interfaces.
- The third step involves configuring OSPF for the Tunnel Interface under Network |Routing.
- The fourth step involves creating access rules from LAN/DMZ to VPN and from VPN to LAN/DMZ to allow traffic over the VPN.
In this scenario a Dynamic Route-based VPN is configured between an NSA 2400 (Site A) and an NSA 220 (Site B). For this article, we'll be using the following IP addresses as examples to demonstrate the VPN configuration. You can use these examples to create VPN policies for your network, substituting your IP addresses for the examples shown here:
Site A - NSA 2400
WAN (X1): 1.1.1.1
LAN (X0) Subnet: 10.10.10.0/24
Tunnel Interface IP: 192.168.1.1/24
Site B - NSA 220
WAN (X1): 2.2.2.2
LAN (X0) Subnet: 192.168.168.0/24
Tunnel Interface IP: 192.168.1.2/24
Site A (NSA 2400) Configuration
- Adding a Tunnel Interface VPN policy
- Create and configure a tunnel interface
- Configuring OSPF for a Tunnel Interface
- Adding rules to allow traffic over the VPN
Site B (NSA 220) Configuration
- Adding a Tunnel Interface VPN policy
- Create and configure a tunnel interface
- Configuring OSPF for a Tunnel Interface
- Adding rules to allow traffic over the VPN
Tunnel Status, OSPF Neighborship, Dynamic Routes
Troubleshooting
Procedure:
Site A (NSA 2400) Configuration
- Adding a Tunnel Interface
- Create and configure a Tunnel Interface
- Configuring OSPF for a Tunnel Interface
- Adding rules to allow traffic over the VPN
Adding a Tunnel Interface VPN policy
01. Login to the SonicWall management interface.
02. Navigate to the
VPN
|
Settings page.
03. Click on the
Add button to create a tunnel interface VPN as per the screen shots.
Create and configure a Tunnel Interface
01. Navigate to the
Network
|
Interfaces page.
02. Select
Tunnel Interface from the
Add Interface drop-down menu to open the
Add Tunnel Interface window.
03. The
Zone will be pre-selected with VPN.
04. Under
VPN Policy, select the VPN policy created earlier.
05.
Mode / IP Assignment will be pre-selected with
Static IP Mode.
06. Under
IP Address and
Subnet Mask, enter an IP address and subnet mask. The remote site must be in the same subnet as this IP address.
07. Click on
OK to save.
Configuring OSPF for a Tunnel Interface
01. Navigate to the Network
|
Routing Page.
02.
Click on the drop-down under Routing Mode and select Advanced Routing.
03.
Click on OK on the warning window.
04.
The tunnel interface created earlier will be visible now.
05. Click on the
Configure OSPF button on the
Tunnel Interface to open the OSPF configuration window.
06. Enter information as per the screenshot in the
OSPFv2 Configuration window
07. The
OSPF Router ID must be a unique IP address in your network.
08. Click on
OK to save the settings.
Adding rules to allow traffic over the VPN
Although the tunnel will be up and OSPF will be able to detect neighbors, traffic will be blocked to the other side of the tunnel until access rules are created from the local zones to the VPN zone.
01. Navigate to Network| Address Objects
02. Click on Add to create an address object for the destination network (see screenshot below)
03. Navigate to Firewall
|
Access Rules
04.
Go to LAN to VPN
05.
Create an access rule as per the screenshot.
06. Navigate to VPN to LAN
07.
Create an access rule as per the screenshot.
Site B (NSA 220) Configuration
- Adding a Tunnel Interface
- Create and configure a Tunnel Interface
- Configuring OSPF for a Tunnel Interface
- Adding rules to allow traffic over the VPN
Adding a Tunnel Interface VPN policy
01. Login to the SonicWall management interface.
02. Navigate to the VPN | Settings page.
03. Click on the Add button to create a tunnel interface VPN as per the screen shots.
Create and configure a Tunnel Interface
01. Navigate to the Network | Interfaces page.
02. Select Tunnel Interface from the Add Interface drop-down menu to open the Add Tunnel Interface window.
03. In the Add Tunnel Interface window, the Zone will be pre-selected with VPN.
04. Under VPN Policy, select the VPN policy created earlier.
05. Mode / IP Assignment will be pre-selected with Static IP Mode.
06. Under IP Address and Subnet Mask, enter an IP address and subnet mask. The remote site must be in the same subnet as this IP address.
07. Click on OK to save.
Configuring OSPF for a Tunnel Interface
01. Navigate to the Network | Routing Page.
02. Click on the drop-down under Routing Mode and select Advanced Routing.
03. Click on OK on the warning window.
04. The Tunnel Interface created earlier will be visible now.
05. Click on the Configure OSPF button on the Tunnel Interface to open the OSPF configuration window.
06. Enter information as per the screenshot in the OSPFv2 Configuration window
07. The OSPF Router ID must be a unique IP address in your network.
08. Click on OK to save the settings.
Adding rules to allow traffic over the VPN
Although the tunnel will be up and OSPF will be able to detect neighbors, traffic will be blocked to the other side of the tunnel until access rules are created from the local zones to the VPN zone.
01. Navigate to
Network
|
Address Objects
02. Click on
Add to create an address object for the destination networks and group them (see screenshot below)
03. Navigate to Firewall
|
Access Rules
04.
Go to LAN to VPN
05.
Create an access rule as per the screenshot.
06. Navigate to VPN to LAN
07.
Create an access rule as per the screenshot.
OSPF Neighborship, Dynamic Routes
The VPN tunnel status will be green as soon as the the configuration of the VPN Tunnel Interface policies are completed on both sites.
The screenshots below shows the OSPF neighborship status on both sites and also the dynamically learned routes from each other.
Site A
Site B
Testing
Test by pinging an IP address from one site to another. Only the subnets defined in the access rules will be accessible.
Troubleshooting
Check the following when the VPN tunnel is not up:
- Gateway IP address.
- Pre-shared secret
- Proposal mismatch
Check the following when the VPN tunnel is up but the VPN Tunnel Interface is unable to form neighborship:
- Make sure the interface the VPN is bound to is not configured in L2 Bridged Mode.
- Make sure the VPN Tunnel Interfaces are in the same OSPF Area
- OSPFv2 Areas Type must have the same area type on both sites. (Normal, Stub Area, Totally Stubby Area, Not-So-Stubby Area, Totally Stubby NSSA)
- OSPF Router-ID should not be duplicate.
- The Tunnel Interfaces created should be configured with an IP addresses in the same subnet.
Check the following when the VPN Tunnel Interface has formed neighborship but dynamic routes are not present:
- Make sure the local and destination networks are not overlapping.
- Make sure Redistribute Connected Networks is checked in the OSPFv2 Configuration.
Check the following when unable to pass traffic across the tunnel even after neighborship is formed
- Make sure OSPF has dynamically learnt the routes to the remote networks. Look under Route Policies on the Network | Routing page.
- Make sure access rules have been created from local network zones to the VPN zone.
- Make sure access rules have been created from the VPN zone to local network zones.
- The zone of local network address objects should match the zone to which that network belongs to. For eg. LAN, DMZ etc
- The destination network should be assigned zone VPN .
- Make sure no conflicting rules with higher priority are present.
- Make sure no conflicting static routes are present in the routing table. Check under Route Policies on the Network | Routing page.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
