Users unable to access remote Site to Site VPN network through GVC or SSL-VPN.
02/22/2023 534 People found this article helpful 493,784 Views
Description
GVC (Global VPN Client) user is not able to access the site to site VPN remote network.
Many UTM appliances have both kinds of VPNs in use: SSLVPN or WAN GroupVPN for remote GVC (Global VPN Client) users and site to site VPNs for connectivity to other locations which have their own Internet connections and VPN gateway devices. Imagine an organization with sites in Pittsburgh, PA and Cleveland, OH. Both sites have SonicWall UTM devices and they do a site to site VPN to each other. The LAN network used in Pittsburgh is 172.25.5.0 /24 and the one in Cleveland is 172.25.10.0 /24 . Now consider a remote user at their home who needs access to various corporate resources, and they have only a simple home router on their cable service. They use GVC to connect to the Pittsburgh office but they must use data on servers located in both offices: 172.25.5.0 /24. The below solution will allow the user to access the server in Cleveland by connecting to Pittsburgh, and by having additional permissions which utilize the site to site VPN. Without this solution, the remote user might have to make a separate GVC connection to the Cleveland UTM appliance. This cannot be done at the same time as the connection to Pittsburgh unless neither of the GroupVPN policies use the DHCP option, which is very desirable for Windows networking features like NetBIOS.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
NOTE: For demonstration, we choose the GVC user below. However, it is similar for SSL-VPN users too.
Add the site-to-site remote network to the GVC user's VPN access list in the UTM web management GUI. Or, you can do this for an entire local users group and users will inherit this VPN access permission when they connect with GVC the next time. Please follow the procedure as below:
1. Log into the firewall web management GUI, go to the Device| Users | Local Users & Groups screen.
2. Click Configure button of the Test User Account.
3. Navigate to VPN Access tab inside the Edit window for the user.
4. Select the Remote Networks and move it to right.
NOTE: Remote Network is a custom-created Network to have access to a remote site VPN network. It could be a different name in every firewall.
5. Click OK .
6. Now when GVC user connects to WAN GroupVPN on the SonicOS Enhanced UTM appliance, they will have access to networks at two locations.
However, if you have multiple users, it wouldn't make sense to do it for every user. So it is preferred to create a user group and give VPN access. Or if it is necessary for everyone connected through SSL or GVC to access a remote site Network it is recommended to create an access rule VPN to VPN any-any rule as following :-
- Navigate to Policy| Rules and Policies |Access Rules select VPN to VPN matrix,
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
NOTE: For demonstration, we choose the GVC user below. However it is similar for SSL-VPN users too.
Add the site-to-site remote network to the GVC user's VPN access list in the UTM web management GUI. Or, you can do this for an entire local users group and users will inherit this VPN access permission when they connect with GVC the next time. Please follow the procedure as below:
- Log into the firewall web management GUI, go to the Manage | Users | Local Users & Groups screen.
- Click Configure button of the GVC user.
- Navigate to VPN Access tab inside the Edit window for the user.
- Select the Remote Network and move it to right.
NOTE: Remote Network is a custom created Network to have access to remote site VPN network. It could be different name in every firewall.
- Click OK .
- Now when GVC user connects to WAN GroupVPN on the SonicOS Enhanced UTM appliance, they will have access to networks at two locations.
However, if you have multiple users, it wouldn't make sense to do it for every user. So it is preferred to create a user group and give vpn access. Or if it is necessary for everyone connected through SSL or GVC to access remote site Network it is recommended to create an access rule VPN to VPN any-any rule as following
- Navigate to Manage | Rules and select VPN to VPN matrix
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
NOTE: For demonstration we choose GVC user below. However it is similar for SSL-VPN user too.
Add the site to site remote network to the GVC user's VPN access list in the UTM web management GUI. Or, you can do this for an entire local users group and users will inherit this VPN access permission when they connect with GVC the next time. Please follow the procedure as below:
- Log into the firewall web management GUI, go to the Users | Local Users screen.
- Click Configure button of the GVC user.
- Navigate to VPN Access tab inside the Edit window for the user.
- Select the Remote VPN network and move it to right.
- Click OK .
- Now when GVC user connects to WAN GroupVPN on the SonicOS Enhanced UTM appliance, they will have access to networks at two locations.
However if you have multiple users, it wouldn't make sense to do it for every user. So it is preferred to create a user group and give vpn access. Or if it is necessary for everyone connected through SSL or GVC to access remote site Network it is recommended to create an access rule VPN to VPN any-any rule as following.
- Navigate to Firewall | Access Rules and select VPN to VPN matrix.
Related Articles
Categories