Implementing Hub and Spoke Site-to-Site VPN (Video Tutorial)

03/26/2020

    Description

    It is possible to establish a site to site VPN between a hub SonicWall (such as a corporate headquarters) and multiple spoke SonicWalls (branch offices) where the branches are able to communicate using the hub as an intermediary. The purpose of this document is to outline all necessary steps to configure a VPN consisting of one hub and two spokes where all firewalls are running SonicOS Enhanced. An example is used throughout this document to clarify all concepts and instructions.

    Example Hub and Spoke Network

    Use of a simple example scenario will aid the creation of a hub and spoke VPN. It may be of further help to create a network diagram based on this information. The information from this example will be used throughout the rest of this document.

    Example Hub and Spoke Specifications

    Two branch offices (Networks A and C) will connect to a hub at the corporate headquarters (Network B). Networks A and C will be able to exchange traffic through the hub. Review the specifications in the following table:

    Site                        Object              Value
    Branch Office A             LAN A Subnet        10.0.1.0/24
    Branch Office A             WAN A IP Address    192.168.1.1/24
    Corporate Office (hub) B    LAN B Subnet        10.0.2.0/24
    Corporate Office (hub) B    WAN B IP Address    192.168.2.1/24
    Branch Office C             LAN C Subnet        10.0.3.0/24
    Branch Office C             WAN C IP Address    192.168.3.1/24

     

    Resolution

    To watch a video tutorial on this topic, click here.

    Create Address and Group Objects

    A number of address objects are needed in the implementation of any site to site VPN. This need is greater in a hub and spoke configuration. Group objects will also be required. The address objects will specify local and destination networks, which will be grouped together to permit hub and spoke communication. Access the Manage | Objects | Address Objects page in each firewall to configure the address and group objects as needed.


    Create the Address Objects

    Address objects must be configured as follows on all three firewalls to enable this VPN connection.

    Create the following address objects on Spoke A

    • Navigate to Manage | Objects | Address Objects and click Add.
    • Name: LAN B Subnet.
    • Zone: VPN.
    • Type: Network.
    • IP Address: 10.0.2.0.
    • Subnet Mask: 255.255.255.0.


    • Name: LAN C Subnet.
    • Zone: VPN.
    • Type: Network.
    • IP Address: 10.0.3.0.
    • Subnet Mask: 255.255.255.0.



    Create the following address objects on Hub B

    • Name: LAN A Subnet.
    • Zone: VPN.
    • Type: Network.
    • IP Address: 10.0.1.0.
    • Subnet Mask: 255.255.255.0.


    • Name: LAN C Subnet.
    • Zone: VPN.
    • Type: Network.
    • IP Address: 10.0.3.0.
    • Subnet Mask: 255.255.255.0.


    Create the following address objects on Spoke C

    • Name: LAN A Subnet.
    • Zone: VPN.
    • Type: Network.
    • IP Address: 10.0.1.0.
    • Subnet Mask: 255.255.255.0.


    • Name: LAN B Subnet.
    • Zone: VPN.
    • Type: Network.
    • IP Address: 10.0.2.0.
    • Subnet Mask: 255.255.255.0.

     

    Screenshots of address objects for LAN A, LAN B and LAN C subnets

     
    Create the Group Objects

    The need to specify multiple local and destination networks mandates the creation of address object groups, since only one such object may be selected in the VPN policy configuration screen. Create the groups as specified below on each firewall, then join the specified address objects to the groups.

    Configure group on Spoke A

    • Group name: Destination B and C.
    • Members: LAN B Subnet, LAN C Subnet.


    Configure groups on Hub B:

    • Group name: Local B and C.
    • Members: LAN Subnets, LAN C Subnet.

    • Group name: Local A and B.
    • Members: LAN Subnets, LAN A Subnet.



    Configure groups on Spoke C

    • Group name: Destination A and B.
    • Members: LAN A Subnet, LAN B Subnet.



    Making the Connections

    Now that all address and group objects have been established, the security associations can be created to enable the hub and spoke VPN. Each spoke will need only one VPN policy pointing to the hub. The hub will require two VPN policies, one to each spoke. Each policy is created on the Manage | VPN | Base Settings page in the usual manner for any site to site tunnel, with the exception of the Network tab as shown below.

    Spoke A VPN Policy

    • On the Network tab for this VPN policy, specify the LAN Subnets object as the local network and the Destination B and C group object as the destination network.



    Hub B VPN Policy

    There should be two policies defined on the hub SonicWall, one pointing to Spoke A and the other to Spoke C. Specify the Local and Destination objects on the Network tab for each policy as follows.

    Spoke A policy

    • Local Network: Local B and C.
    • Destination Network: LAN A Subnet.

    Spoke C policy 

    • Local Network: Local A and B.
    • Destination Network: LAN C Subnet.


    Spoke C VPN Policy

    • On the Network tab for this VPN policy, specify the LAN Subnets object as the local network and the Destination A and B object as the destination network.
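
Each tunnel only comes up, and only carries spoke-to-spoke traffic, if the local and destination networks on one firewall are the mirror image of those on its peer. The following Python check is an added example, not SonicWall code or part of the original article; it models the four VPN policies above using the example subnets, and the names `POLICIES`, `mismatched_tunnels`, `site_of` and `path` are hypothetical.

```python
import ipaddress as ip

# LAN subnets from the article's example table.
LAN = {s: ip.ip_network(n) for s, n in
       {"A": "10.0.1.0/24", "B": "10.0.2.0/24", "C": "10.0.3.0/24"}.items()}

# (firewall, peer) -> (local networks, destination networks) as selected on
# each policy's Network tab. Site letters stand in for the address objects.
POLICIES = {
    ("A", "B"): ({"A"}, {"B", "C"}),  # Spoke A: LAN Subnets -> Destination B and C
    ("B", "A"): ({"B", "C"}, {"A"}),  # Hub: Local B and C -> LAN A Subnet
    ("B", "C"): ({"A", "B"}, {"C"}),  # Hub: Local A and B -> LAN C Subnet
    ("C", "B"): ({"C"}, {"A", "B"}),  # Spoke C: LAN Subnets -> Destination A and B
}


def mismatched_tunnels(policies):
    """Return (firewall, peer) pairs whose networks do not mirror the peer's."""
    bad = []
    for (fw, peer), (local, dest) in policies.items():
        if policies.get((peer, fw)) != (dest, local):
            bad.append((fw, peer))
    return sorted(bad)


def site_of(addr):
    """Map a host address to the site whose LAN subnet contains it."""
    host = ip.ip_address(addr)
    return next((s for s, net in LAN.items() if host in net), None)


def path(src, dst, policies):
    """Firewalls a packet crosses from src to dst, or None if no policy matches."""
    a, z = site_of(src), site_of(dst)
    if a is None or z is None:
        return None
    hops = [a]
    while hops[-1] != z:
        # Tunnels on the current firewall whose networks cover both end sites.
        nxt = [peer for (fw, peer), (local, dest) in policies.items()
               if fw == hops[-1] and a in local and z in dest]
        if len(nxt) != 1 or nxt[0] in hops:
            return None
        hops.append(nxt[0])
    return hops
```

With the article's policies, `path("10.0.1.10", "10.0.3.20", POLICIES)` returns `["A", "B", "C"]`; replacing Spoke A's destination group with LAN B Subnet alone makes both sides of the A–B tunnel show up in `mismatched_tunnels` and the A-to-C path disappear.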



    Create the VPN to VPN Access Rule

    Follow these steps to create the access rule on each SonicWall appliance (the hub and both spokes) allowing communication between VPN tunnels:

    1. Navigate to Manage | Rules | Access Rules | Matrix.
    2. Select the edit icon at the point of intersection for the VPN to VPN zone.
    3. Add a new rule with the following settings:

      • Action: Allow
      • Service: Any
      • Source: Any
      • Destination: Any
    4. Click OK.



    How to Test

    After following all of the above steps, a working VPN should be established between one hub SonicWall and two spokes. Expansion of this basic model may enable VPN tunnels to hundreds of spokes through a hub, given sufficient bandwidth. This example scenario can be tested by pinging the IP addresses of various computers on the LAN side of each SonicWall. EXAMPLE: From a computer behind the hub, ping computers behind the LANs of spokes A and C. Similarly, from each spoke, ping computers behind the hub and the opposite spoke.
