Dynamic Route Based VPN in SonicOS 5.9.0 - Basic Config

03/26/2020 759 People found this article helpful 473,642 Views

Description

Beginning with SonicOS 5.9.0, configuring dynamic route based VPN has changed from previous versions. In the new configuration method, a Tunnel Interface must be configured under Network | Interfaces page and OSPF configured on the Tunnel Interface under Network | Routing | Advanced Routing page.

This articles describes the basic method to perform this task.

Resolution

Tasklist:

Dynamic route based VPN configuration is a four step process:

The first step involves creating a Tunnel Interface VPN policy . The crypto suites used to secure the traffic between two end-points are defined in the policy.
The second step is to create a new Tunnel Interface under Network | Interfaces.
The third step involves configuring OSPF for the Tunnel Interface under Network |Routing.
The fourth step involves creating access rules from LAN/DMZ to VPN and from VPN to LAN/DMZ to allow traffic over the VPN.

In this scenario a Dynamic Route-based VPN is configured between an NSA 2400 (Site A) and an NSA 220 (Site B). For this article, we'll be using the following IP addresses as examples to demonstrate the VPN configuration. You can use these examples to create VPN policies for your network, substituting your IP addresses for the examples shown here:

Site A - NSA 2400

WAN (X1): 1.1.1.1
LAN (X0) Subnet: 10.10.10.0/24
Tunnel Interface IP: 192.168.1.1/24

Site B - NSA 220

WAN (X1): 2.2.2.2
LAN (X0) Subnet: 192.168.168.0/24
Tunnel Interface IP: 192.168.1.2/24

Site A (NSA 2400) Configuration

Adding a Tunnel Interface VPN policy
Create and configure a tunnel interface
Configuring OSPF for a Tunnel Interface
Adding rules to allow traffic over the VPN

Site B (NSA 220) Configuration

Adding a Tunnel Interface VPN policy
Create and configure a tunnel interface
Configuring OSPF for a Tunnel Interface
Adding rules to allow traffic over the VPN

Tunnel Status, OSPF Neighborship, Dynamic Routes

Troubleshooting

Procedure:

Site A (NSA 2400) Configuration

Adding a Tunnel Interface
Create and configure a Tunnel Interface
Configuring OSPF for a Tunnel Interface
Adding rules to allow traffic over the VPN

Adding a Tunnel Interface VPN policy

01. Login to the SonicWall management interface.
02. Navigate to the VPN | Settings page.
03. Click on the Add button to create a tunnel interface VPN as per the screen shots.

Create and configure a Tunnel Interface

01. Navigate to the Network | Interfaces page.
02. Select Tunnel Interface from the Add Interface drop-down menu to open the Add Tunnel Interface window.

03. The Zone will be pre-selected with VPN.
04. Under VPN Policy, select the VPN policy created earlier.
05. Mode / IP Assignment will be pre-selected with Static IP Mode.
06. Under IP Address and Subnet Mask, enter an IP address and subnet mask. The remote site must be in the same subnet as this IP address.
07. Click on OK to save.

Configuring OSPF for a Tunnel Interface

01. Navigate to the Network | Routing Page.
02. Click on the drop-down under Routing Mode and select Advanced Routing.
03. Click on OK on the warning window.
04. The tunnel interface created earlier will be visible now.

05. Click on the Configure OSPF button on the Tunnel Interface to open the OSPF configuration window.
06. Enter information as per the screenshot in the OSPFv2 Configuration window
07. The OSPF Router ID must be a unique IP address in your network.
08. Click on OK to save the settings.

Adding rules to allow traffic over the VPN

Although the tunnel will be up and OSPF will be able to detect neighbors, traffic will be blocked to the other side of the tunnel until access rules are created from the local zones to the VPN zone.

01. Navigate to Network| Address Objects

02. Click on Add to create an address object for the destination network (see screenshot below)

03. Navigate to Firewall | Access Rules
04. Go to LAN to VPN
05. Create an access rule as per the screenshot.

06. Navigate to VPN to LAN
07. Create an access rule as per the screenshot.

Site B (NSA 220) Configuration

Adding a Tunnel Interface
Create and configure a Tunnel Interface
Configuring OSPF for a Tunnel Interface
Adding rules to allow traffic over the VPN

Adding a Tunnel Interface VPN policy

01. Login to the SonicWall management interface.
02. Navigate to the VPN | Settings page.
03. Click on the Add button to create a tunnel interface VPN as per the screen shots.

Create and configure a Tunnel Interface

01. Navigate to the Network | Interfaces page.
02. Select Tunnel Interface from the Add Interface drop-down menu to open the Add Tunnel Interface window.

03. In the Add Tunnel Interface window, the Zone will be pre-selected with VPN.
04. Under VPN Policy, select the VPN policy created earlier.
05. Mode / IP Assignment will be pre-selected with Static IP Mode.
06. Under IP Address and Subnet Mask, enter an IP address and subnet mask. The remote site must be in the same subnet as this IP address.
07. Click on OK to save.

Configuring OSPF for a Tunnel Interface

01. Navigate to the Network | Routing Page.
02. Click on the drop-down under Routing Mode and select Advanced Routing.
03. Click on OK on the warning window.
04. The Tunnel Interface created earlier will be visible now.
05. Click on the Configure OSPF button on the Tunnel Interface to open the OSPF configuration window.
06. Enter information as per the screenshot in the OSPFv2 Configuration window
07. The OSPF Router ID must be a unique IP address in your network.
08. Click on OK to save the settings.

Adding rules to allow traffic over the VPN

Although the tunnel will be up and OSPF will be able to detect neighbors, traffic will be blocked to the other side of the tunnel until access rules are created from the local zones to the VPN zone.

01. Navigate to Network | Address Objects
02. Click on Add to create an address object for the destination networks and group them (see screenshot below)

03. Navigate to Firewall | Access Rules
04. Go to LAN to VPN
05. Create an access rule as per the screenshot.

06. Navigate to VPN to LAN
07. Create an access rule as per the screenshot.

OSPF Neighborship, Dynamic Routes

The VPN tunnel status will be green as soon as the the configuration of the VPN Tunnel Interface policies are completed on both sites.

The screenshots below shows the OSPF neighborship status on both sites and also the dynamically learned routes from each other.

Site A
Site B
Testing

Test by pinging an IP address from one site to another. Only the subnets defined in the access rules will be accessible.

Troubleshooting

Check the following when the VPN tunnel is not up:

Gateway IP address.
Pre-shared secret
Proposal mismatch

Check the following when the VPN tunnel is up but the VPN Tunnel Interface is unable to form neighborship:

Make sure the interface the VPN is bound to is not configured in L2 Bridged Mode.
Make sure the VPN Tunnel Interfaces are in the same OSPF Area
OSPFv2 Areas Type must have the same area type on both sites. (Normal, Stub Area, Totally Stubby Area, Not-So-Stubby Area, Totally Stubby NSSA)
OSPF Router-ID should not be duplicate.
The Tunnel Interfaces created should be configured with an IP addresses in the same subnet.

Check the following when the VPN Tunnel Interface has formed neighborship but dynamic routes are not present:

Make sure the local and destination networks are not overlapping.
Make sure Redistribute Connected Networks is checked in the OSPFv2 Configuration.

Check the following when unable to pass traffic across the tunnel even after neighborship is formed

Make sure OSPF has dynamically learnt the routes to the remote networks. Look under Route Policies on the Network | Routing page.
Make sure access rules have been created from local network zones to the VPN zone.
Make sure access rules have been created from the VPN zone to local network zones.
The zone of local network address objects should match the zone to which that network belongs to. For eg. LAN, DMZ etc
The destination network should be assigned zone VPN .
Make sure no conflicting rules with higher priority are present.
Make sure no conflicting static routes are present in the routing table. Check under Route Policies on the Network | Routing page.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Dynamic Route Based VPN in SonicOS 5.9.0 - Basic Config

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch