How to create a Hub and Spoke Tunnel Interface VPN network with OSPF

03/26/2020


    Description

    This document explains how to build a Hub and Spoke VPN using Tunnel Interface VPN policies and OSPF instead of policy-based Site to Site VPN tunnels.

    Dynamic route-based VPN using Tunnel Interface and OSPF offers greater flexibility, because little has to change when the network architecture changes. Adding a new Spoke is also greatly simplified, as all existing Spokes learn the new networks automatically through OSPF. Access rules are not learned dynamically, however: they still have to be created on each firewall (see Creating Rules below).

    Resolution


    Creation of the Hub and Spoke VPN environment

    A- Hub

    Create a VPN tunnel from the Hub to each Spoke under VPN | Settings.

    We first create the tunnel from the Hub to Spoke-1, whose gateway IP address is 1.1.211.2 in our example.

    Under VPN | Settings, add a new policy.

    Figure 1

    Set the Policy Type to Tunnel Interface instead of Site to Site, then enter the remote gateway IP address, the shared secret and the IKE IDs as shown in Figure 1.

    Figure 2

    The Proposals tab can be left at the defaults, as in Figure 2. Whatever you choose, the proposals must be identical on both ends of the tunnel.

    Figure 3

    On the Advanced tab (Figure 3), it is important to enable “Allow Advanced Routing”; without it the Tunnel Interface cannot participate in RIP or OSPF.


    Repeat the configuration for the second VPN tunnel, to Spoke-2, as shown in Figures 4, 5 and 6.

    Figure 4

    Figure 5

    Figure 6


    B- Spoke 1

    Figures 7, 8 and 9 show the configuration made on Spoke-1. Here the Hub is the remote gateway, and the IKE IDs are mirrored: the Hub's Local ID is the Spoke's Remote ID, and vice versa.

    Figure 7

    Figure 8

    Figure 9


    C- Spoke 2

    Finally, Figures 10, 11 and 12 show the configuration on Spoke-2.

    Figure 10

    Figure 11

    Figure 12

    Once both sides are configured, the tunnels should come up within a few seconds and a green LED appears next to each policy, as shown for the Hub in Figure 13.

    Figure 13


    Creation of the OSPF network

    A- Hub

    Under Network | Routing, make sure Advanced Routing mode is enabled (Figure 14), then configure OSPF on each VPN Tunnel Interface (Figure 15).

    Figure 14

    • Set OSPF mode to “Enabled”.
    • Set the OSPF Router ID to the X0 IP address. The Router ID must be unique on every router in the OSPF domain; a duplicate prevents the neighborship from being established.
    • Enable Redistribute Connected Networks.
    • Enable Redistribute Remote VPN Networks.
    • Under “Global Unnumbered Configuration”, set “IP Borrowed From” to the X1 (WAN) interface.
    • Set Remote IP Address to the X1 interface IP address of Spoke-1.

    Figure 15 shows this configuration.

    Figure 15

    Repeat the configuration on the Tunnel Interface to Spoke-2, using Spoke-2's X1 address as the Remote IP Address (Figure 16).

    Figure 16

    OSPF is now configured on the Hub but not yet synchronized: the red LED shows that no neighbor has been detected (Figure 17).

    Figure 17

    B- Spoke 1

    Figure 18 shows the configuration made on Spoke-1. Here the Remote IP Address is the Hub's X1 address, and the Router ID is Spoke-1's own X0 address.

    Figure 18

    C- Spoke 2

    The configuration for Spoke-2 is shown in Figure 19.

    Figure 19

    Once the OSPF configuration is complete on all three firewalls, the neighborships are established within a few seconds and a green LED appears on the Network | Routing page, as shown for the Hub in Figure 20.

    Figure 20

    Figures 21, 22 and 23 show the resulting routing tables on the Hub, Spoke-1 and Spoke-2 respectively. Each Spoke learns the other Spoke's networks through the Hub, so Spoke-to-Spoke traffic transits the Hub.

    Figure 21

    Figure 22

    Figure 23


    Creating Rules


    Once the neighborships are established and the dynamic routes have been learned, access rules must still be created on each firewall to allow traffic between sites: a route alone does not permit traffic.

    For example, to allow traffic between the LAN zone and the remote sites, create the following access rules on the Hub and the Spokes.

    On the Hub, to allow traffic from the LAN zone to the remote sites:

    • Zone: LAN to VPN
    • Service: Any
    • Source: LAN Subnets
    • Destination: Spoke-1 Network

    • Zone: LAN to VPN
    • Service: Any
    • Source: LAN Subnets
    • Destination: Spoke-2 Network

    To allow traffic from the remote sites to the LAN zone, create the following access rules:

    • Zone: VPN to LAN
    • Service: Any
    • Source: Spoke-1 Network + Spoke-2 Network (Address Objects Group)
    • Destination: LAN Subnets

    To allow traffic between the two Spokes, which transits the Hub, create the following VPN to VPN access rules on the Hub:

    • Zone: VPN to VPN
    • Service: Any
    • Source: Spoke-1 Network
    • Destination: Spoke-2 Network

    • Zone: VPN to VPN
    • Service: Any
    • Source: Spoke-2 Network
    • Destination: Spoke-1 Network

    Likewise, on Spoke-1, to allow traffic from the LAN zone to the remote sites:

    • Zone: LAN to VPN
    • Service: Any
    • Source: LAN Subnets
    • Destination: Hub Network

    • Zone: LAN to VPN
    • Service: Any
    • Source: LAN Subnets
    • Destination: Spoke-2 Network

    To allow traffic from the remote sites to the LAN zone, create the following access rules:

    • Zone: VPN to LAN
    • Service: Any
    • Source: Spoke-2 Network + Hub Network (Address Objects Group)
    • Destination: LAN Subnets

    On Spoke-2, to allow traffic from the LAN zone to the remote sites:

    • Zone: LAN to VPN
    • Service: Any
    • Source: LAN Subnets
    • Destination: Hub Network

    • Zone: LAN to VPN
    • Service: Any
    • Source: LAN Subnets
    • Destination: Spoke-1 Network

    To allow traffic from the remote sites to the LAN zone, create the following access rules:

    • Zone: VPN to LAN
    • Service: Any
    • Source: Spoke-1 Network + Hub Network (Address Objects Group)
    • Destination: LAN Subnets
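    The rule lists above follow a fixed pattern, so as an added example (not part of the SonicWall article) the Python below generates the same rule set for a Hub and any number of Spokes: on the Hub, LAN to VPN for each Spoke, VPN to LAN from the group of all Spokes, and VPN to VPN for every ordered pair of Spokes; on each Spoke, LAN to VPN for the Hub and every other Spoke, and VPN to LAN from the group of remote sites. Site names and address-object names ("Spoke-1 Network", "LAN Subnets") are illustrative. The article uses Service: Any; the `service` parameter is there so the rules can be narrowed to the protocols the sites actually need.

```python
"""Generate the access-rule set for a SonicWall hub-and-spoke Tunnel Interface VPN.

Added example, not SonicWall code: it reproduces the rule lists given in the
article for one Hub and two Spokes and generalizes them to N Spokes. Site names
and address-object names ("Spoke-1 Network", "LAN Subnets") are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    firewall: str          # the firewall the rule is created on
    from_zone: str
    to_zone: str
    source: str            # address object, or a group written as "A + B"
    destination: str
    service: str = "Any"   # the article uses Any; narrow this in production


def _group(names: list[str]) -> str:
    """Name an address-object group the way the article does ("A Network + B Network")."""
    return " + ".join(sorted(f"{n} Network" for n in names))


def hub_rules(hub: str, spokes: list[str], service: str = "Any") -> list[Rule]:
    """Hub: LAN->VPN to each Spoke, VPN->LAN from all Spokes, and VPN->VPN for
    every ordered pair of Spokes, because Spoke-to-Spoke traffic transits the Hub."""
    rules = [Rule(hub, "LAN", "VPN", "LAN Subnets", f"{s} Network", service) for s in spokes]
    rules.append(Rule(hub, "VPN", "LAN", _group(spokes), "LAN Subnets", service))
    rules += [Rule(hub, "VPN", "VPN", f"{a} Network", f"{b} Network", service)
              for a, b in permutations(spokes, 2)]
    return rules


def spoke_rules(spoke: str, hub: str, spokes: list[str], service: str = "Any") -> list[Rule]:
    """Spoke: LAN->VPN to the Hub and every other Spoke, VPN->LAN from all remote sites.
    No VPN->VPN rule is needed on a Spoke: it has a single tunnel, to the Hub."""
    remotes = [hub] + [s for s in spokes if s != spoke]
    rules = [Rule(spoke, "LAN", "VPN", "LAN Subnets", f"{r} Network", service) for r in remotes]
    rules.append(Rule(spoke, "VPN", "LAN", _group(remotes), "LAN Subnets", service))
    return rules


def all_rules(hub: str, spokes: list[str], service: str = "Any") -> list[Rule]:
    """Every rule for the whole design, Hub first, then each Spoke in order."""
    rules = hub_rules(hub, spokes, service)
    for s in spokes:
        rules += spoke_rules(s, hub, spokes, service)
    return rules


if __name__ == "__main__":
    for r in all_rules("Hub", ["Spoke-1", "Spoke-2"]):
        print(f"{r.firewall:8} {r.from_zone} to {r.to_zone:4} {r.service:4} "
              f"{r.source} -> {r.destination}")
```

    With one Hub and two Spokes this yields the eleven rules listed above (five on the Hub, three on each Spoke). The VPN to VPN rules grow with the square of the number of Spokes, which is the usual argument for grouping Spoke networks into address-object groups once the design grows.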

     


    Troubleshooting:

    If the Tunnel Interface does not come up:

    - Check the VPN pre-shared key; it must be identical on both sides of the tunnel.

    - Check the IKE IDs; they must be mirrored (the Local ID on site A is the Remote ID on site B, and vice versa).

    - Check the Proposals tab; the proposals must be the same on both sides of the tunnel.

    If the OSPF neighborship cannot be established:

    - Check that the OSPF Router ID is different on every firewall.

    - Check that “Allow Advanced Routing” is enabled on the Tunnel Interface policy.

    - Check that the Global Unnumbered Configuration is correct (borrow the IP from the WAN or public interface).
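    These checks can be applied to a design before anything is typed into the firewalls. The Python below is an added example, not SonicWall code: it models each firewall's Tunnel Interface policies and OSPF settings and reports the mismatches listed above (pre-shared key, mirrored IKE IDs, matching proposals, Allow Advanced Routing, unique Router IDs, unnumbered IP borrowed from the WAN interface, and a gateway address that matches the peer's X1 address). The sample design uses the article's 1.1.211.2 for Spoke-1; every other address, IKE ID, secret and proposal value is constructed.

```python
"""Consistency checks for a hub-and-spoke Tunnel Interface VPN with OSPF.

Added example, not SonicWall code. It models what each firewall has configured
and reports the mismatches the article's troubleshooting section lists.
Sample values are constructed, except Spoke-1's gateway 1.1.211.2 from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Tunnel:
    peer: str                    # firewall at the far end of this Tunnel Interface policy
    remote_gateway: str          # IPsec gateway address entered in the policy
    shared_secret: str
    local_ike_id: str
    remote_ike_id: str
    proposal: tuple[str, ...]    # IKE/IPsec proposal settings, compared as an opaque tuple
    allow_advanced_routing: bool = True


@dataclass
class Firewall:
    name: str
    x0_ip: str                   # LAN address, the article's source for the Router ID
    x1_ip: str                   # WAN address, the article's "IP Borrowed From"
    ospf_router_id: str
    borrowed_ip: str
    tunnels: list[Tunnel] = field(default_factory=list)


def check_design(firewalls: list[Firewall]) -> list[str]:
    """Return human-readable problems; an empty list means every check passed."""
    by_name = {fw.name: fw for fw in firewalls}
    problems: list[str] = []

    router_ids: dict[str, str] = {}
    for fw in firewalls:
        owner = router_ids.setdefault(fw.ospf_router_id, fw.name)
        if owner != fw.name:
            problems.append(f"{fw.name}: OSPF Router ID {fw.ospf_router_id} is also used by {owner}")
        if fw.borrowed_ip != fw.x1_ip:
            problems.append(f"{fw.name}: 'IP Borrowed From' {fw.borrowed_ip} is not the WAN (X1) address {fw.x1_ip}")

    for fw in firewalls:
        for t in fw.tunnels:
            peer = by_name.get(t.peer)
            if peer is None:
                problems.append(f"{fw.name} -> {t.peer}: peer is not part of the design")
                continue
            back = next((u for u in peer.tunnels if u.peer == fw.name), None)
            if back is None:
                problems.append(f"{fw.name} -> {t.peer}: {t.peer} has no Tunnel Interface back to {fw.name}")
                continue
            if t.remote_gateway != peer.x1_ip:
                problems.append(f"{fw.name} -> {t.peer}: gateway {t.remote_gateway} is not the peer's WAN address {peer.x1_ip}")
            if not t.allow_advanced_routing:
                problems.append(f"{fw.name} -> {t.peer}: 'Allow Advanced Routing' is off, so OSPF cannot run over the tunnel")
            if fw.name < t.peer:  # pairwise checks, reported once per tunnel pair
                if t.shared_secret != back.shared_secret:
                    problems.append(f"{fw.name} <-> {t.peer}: pre-shared keys differ")
                if (t.local_ike_id, t.remote_ike_id) != (back.remote_ike_id, back.local_ike_id):
                    problems.append(f"{fw.name} <-> {t.peer}: IKE IDs are not mirrored")
                if t.proposal != back.proposal:
                    problems.append(f"{fw.name} <-> {t.peer}: proposals differ")
    return problems


PROPOSAL = ("IKEv2", "AES-256", "SHA256", "Group 14", "ESP", "AES-256", "SHA256")  # constructed


def sample_design(broken: bool = False) -> list[Firewall]:
    """One Hub and two Spokes. With broken=True, two common mistakes are injected."""
    def tunnel(peer: str, gw: str, secret: str, local: str, remote: str) -> Tunnel:
        return Tunnel(peer, gw, secret, local, remote, PROPOSAL)

    hub = Firewall("Hub", "10.0.0.1", "1.1.211.1", "10.0.0.1", "1.1.211.1", [
        tunnel("Spoke-1", "1.1.211.2", "k3y-hub-s1", "hub", "spoke1"),
        tunnel("Spoke-2", "1.1.211.3", "k3y-hub-s2", "hub", "spoke2"),
    ])
    s1 = Firewall("Spoke-1", "10.0.1.1", "1.1.211.2", "10.0.1.1", "1.1.211.2",
                  [tunnel("Hub", "1.1.211.1", "k3y-hub-s1", "spoke1", "hub")])
    s2 = Firewall("Spoke-2", "10.0.2.1", "1.1.211.3", "10.0.2.1", "1.1.211.3",
                  [tunnel("Hub", "1.1.211.1", "k3y-hub-s2", "spoke2", "hub")])
    if broken:
        s2.ospf_router_id = "10.0.0.1"                                # copied from the Hub
        s1.tunnels = [replace(s1.tunnels[0], remote_ike_id="Hub")]    # case typo in the IKE ID
    return [hub, s1, s2]


if __name__ == "__main__":
    for problem in check_design(sample_design(broken=True)):
        print(problem)
```

    IKE IDs are compared exactly, so a difference in letter case is reported as a mismatch, which is how the firewalls will treat it. Pairwise checks are reported once per tunnel pair; the one-sided checks (gateway address, Allow Advanced Routing, missing return tunnel) are reported from the side on which they are wrong.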

     


     

    See Also:

    Implementing Hub and Spoke Site-to-Site VPN on SonicOS Enhanced

    Categories

    • Firewalls > SonicWall SuperMassive 9000 Series > VPN
    • Firewalls > SonicWall NSA Series > VPN
