How can I configure a 'Route all Traffic' WAN GroupVPN policy?
03/26/2020 352 21256
This article will show users how to configure a 'Route all Traffic' WAN GroupVPN Policy on a SonicWall UTM appliance. The result is that remote computers with SonicWall Global VPN Client (GVC) software connected to the policy will route all Internet traffic through its VPN connection to the UTM network. Once traffic from remote users' GVC computers to the UTM network is decrypted and encapsulated from the VPN, the original destinations of the traffic from the remote computer are honored and used for routing. Traffic from the GVC client destined for the Internet will be routed to the UTM device's WAN gateway router and traffic destined for the LAN and other internal networks will be routed as per the routing logic which applies to local hosts. Routing All Traffic through the SonicWall allows an administrator to protect a user by enforcing Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, Client Anti-Virus, Content Filtering, and other policies on remote users’ traffic.
The related configurations on the UTM appliance which has subscriptions for the various Security Services mentioned above are done in the Network | Zones screen. There are enforcement checkboxes for the various Security Services, and usually they are turned on the for the LAN and WAN zones. To accomplish the above mentioned protection of traffic coming across a 'Route all Traffic' WAN GroupVPN Policy, the administrator must enable the VPN zone enforcements for the Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, Client Anti-Virus, and / or Content Filtering services. The examples in this article use the default access rules which are created when enabling the WAN Group VPN. These default access rules allow all VPN Traffic to pass to the LAN and WAN.
Before You Begin
Decide if you are using an LDAP server or Local Users for authentication.
Decide if you are using the SonicWall Internal DHCP server or an External DHCP server.
Navigate to Users | Local Users screen; for each user, there is a list of assigned network objects in the VPN Access tab. This is what dictates the type of GVC policy they have. (not needed if using LDAP).
Click Add User
For Global VPN Client users who need to have a route all Policy, you must include the object WAN RemoteAccess Networks ; this object has a value of 0.0.0.0 and is what makes the user's policy a route all Global VPN client policy.
Configure Groups(not needed if using Local Users)
Navigate to MANAGE|Local Users & Groups, Select Loca Groups.
Click the Configure icon by the Group for which you are providing VPN Access configurations.
Click on the VPN Access tab and be sure to select a Network this group has access to ( WAN RemoteAccess Networks are selected in the example below)
NOTE: For access to Local Network, you can add the local subnets under VPN Access List.
Configure WAN GroupVPN
Navigate to MANAGE|VPN|Base Settings screen.
Check Enable for the WAN GroupVPN.
Click the Configure icon for the WAN GroupVPN.
Click on the General tab.
Enter the Shared Secret (in this example, presharedsecret).
Click on the Proposals tab.
Enter the IKE and IPSec Proposal information, this example uses the default settings.
Click on the Advanced tab.
Verify that Require Authentication of VPN Clients via XAUTH is checked.
Select User Group for XAUTH users (in this example, Trusted Users is selected).
Click on the Client tab.
Select Allow Connections to: (in this example, This Gateway Only).
Check Set Default Route as this Gateway.
Check Apply VPN Access Control List (Optional: If WAN Remote Access Networks is NOT added to the VPN Access List you may keep this unchecked).
Configure Internal DHCP Server(Not needed for External DHCP Server)
Navigate to MANAGE|Network | DHCP Server screen.
Check Enable DHCPv4 Server.
Check Enable Conflict Detection.
Click Add Dynamic.
Enter a Range Start (example 192.168.24.20).
Enter a Range End (example 192.168.24.30).
Select a Gateway Preference (example 192.168.24.1).
Configure DHCP over VPN for Internal Server(or Configure DHCP relay address for External Server)
Go to the DHCP over VPN screen.
Select Central Gateway.
Check Use Internal DHCP Server.
Check For Global VPN Clients.
Check Send DHCP Requests to the server address listed below.
Enter the IP Address of your DHCP Server.
Configure NAT Policy
This NAT Policy is needed for many-to-one source IP address translation as remote VPN hosts go to the Internet via the VPN connection.
Navigate to MANAGE|Rules| NAT Policies.
Enter Original Source: Any Enter Translated Source:X1 IP Enter Original Destination:Any Enter Translated Destination:Original Enter Original Service: Any Enter Translated Service:Original Enter Inbound Interface:X1 (note this is your WAN interface) Enter Outbound Interface:X1
NOTE: In the Gen4 Pro products, and in NSA and NSA E-Class Products, the names of the network address objects are named after the interfaces. Thus the object named X1 IP will the correct choice for the Translated Source in those products, usually. Similar configurations can be done on other WANs, like X2, X3, etc. The TZ products instead use a friendlier name for the same network address object: WAN Primary IP. That object would be used as the Translated Source in those products. The TZ products also use friendlier names for the interfaces themselves. They are called LAN and WAN instead of X0 and X1. Thus the Inbound Interface and Outbound Interface would be set to WAN in those products, usually.
TIP:Routing All Traffic through the SonicWall allows an administrator to protect a user by enforcing Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, Client Anti-Virus, Content Filtering, and other policies on remote users’ traffic. On the UTM appliance which has subscriptions for the various Security Services mentioned above, the relevant configurations are done on the Network - Zones screen. There are enforcement checkboxes for the various Security Services, and usually they are turned on the for the LAN and WAN zones.
CAUTION: To protect traffic coming across a a 'Route all Traffic' WAN GroupVPN Policy, the administrator must edit the VPN zone and enable the checkboxes for the Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, Client Anti-Virus, and / or Content Filtering services.
Verify WAN GroupVPN configuration is correct.
Verify WAN GroupVPN is enabled.
Check VPN Summary page or Log files to verify that the tunnel has been established.