How can I configure a tunnel interface VPN (Route-Based VPN)?

Description

NOTE: This is an example where the Tunnel Interface is an Unnumbered interface without a borrowed interface IP. This is used when Advanced Routing is not needed and only static routes are used for remote networks.

The advantages of Tunnel Interface VPN (Static Route-Based VPN) between two SonicWall UTM appliances include:

  1. The network topology configuration is removed from the VPN policy configuration, which makes the configuration and maintenance of the VPN policy easier.
  2. More flexibility on how traffic is routed. With this feature, users can now define multiple paths for overlapping networks over a clear or redundant VPN.

Route-Based VPN configuration is a two-step process.
  • The first step is creating a Tunnel Interface. The crypto suites used to secure the traffic between the two endpoints are defined in the Tunnel Interface.
  • The second step is creating a static or dynamic route that uses the Tunnel Interface. The Tunnel Interface is created when a Policy of type Tunnel Interface is added for the remote gateway.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


Log into the Site A SonicWall

  1. Navigate to Network | IPSec VPN | Rules and Settings and click Add.
  2. The General tab of the Tunnel Interface VPN is shown, with the IPSec Gateway set to the other device's X1 IP address.
     NOTE: The settings used on the Proposals tab are not shown, but they must be identical on the Tunnel Interface VPNs configured on both appliances.

    Image

  3. Navigate to Policy | Rules and Policies | Routing Rules and click Add.
  4. In the Route Policy example shown below, the Source is Any, the Destination is siteb_subnet, the Service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named to site b. The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the Tunnel Interface VPN created above. The properties of the VPN network address object siteb_subnet are also shown: 192.168.10.0 / 255.255.255.0

    Image

    Image  Image                  

Log into the Site B SonicWall

  1. Navigate to Network | IPSec VPN | Rules and Settings and click Add. The General tab of the Tunnel Interface VPN is shown, with the IPSec Gateway set to the other device's X1 IP address.

    Image

     NOTE: The settings used on the Proposals tab are not shown, but they must be identical on the Tunnel Interface VPNs configured on both appliances.

  2. Navigate to Policy | Rules and Policies | Routing Rules and click Add.
  3. In the Route Policy example shown below, the Source is Any, the Destination is siteb_subnet, the Service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named to site b. The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the Tunnel Interface VPN created above. The properties of the VPN network address object sitea_subnet are also shown: 10.10.50.0 / 255.255.255.0

    Image

    Image                  Image 





Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Log into the SiteA SonicWall

  1. Navigate to Manage | VPN | Base Settings and click Add.
  2. The General tab of the Tunnel Interface VPN is shown, with the IPSec Gateway set to the other device's X1 IP address.

    NOTE: The settings used on the Proposals tab are not shown, but they must be identical on the Tunnel Interface VPNs configured on both appliances.
    Image

  3. Navigate to Network | Routing and click Add.
  4. In the Route Policy example shown below, the Source is Any, the Destination is siteb_subnet, the Service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named to site b. The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the Tunnel Interface VPN created above. The properties of the VPN network address object siteb_subnet are also shown: 192.168.10.0 / 255.255.255.0
    Image
    Image

Log into the SiteB SonicWall

  1. Navigate to VPN | Settings and click Add. The General tab of the Tunnel Interface VPN is shown, with the IPSec Gateway set to the other device's X1 IP address.

    NOTE: The settings used on the Proposals tab are not shown, but they must be identical on the Tunnel Interface VPNs configured on both appliances.

    Image


  2. Navigate to Network | Routing and click Add.
  3. In the Route Policy example shown below, the Source is Any, the Destination is sitea_subnet, the Service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named to site a. The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the Tunnel Interface VPN created above. The properties of the VPN network address object sitea_subnet are also shown: 10.10.50.0 / 255.255.255.0.

    Image

    Image
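
Because the two appliances must mirror each other (identical Proposals, each IPSec Gateway pointing at the peer's X1 address, each static route sending only the peer's subnet into the tunnel), the values can be cross-checked on paper before they are entered. The following is an added example, not SonicWall code: the dictionary layout and function names are hypothetical, the X1 addresses and proposal values are constructed placeholders, and only the subnets and tunnel names come from the steps above.

```python
import ipaddress

# Constructed worksheet of the values entered on each appliance. Field names are
# hypothetical (not a SonicOS export format); the X1 addresses and proposal
# values are placeholders because the page does not show them.
PROPOSALS = {"exchange": "IKEv2", "encryption": "AES-256",
             "authentication": "SHA256", "dh_group": "14"}
SITE_A = {
    "x1_ip": "203.0.113.1", "ipsec_gateway": "198.51.100.1",
    "local_subnet": "10.10.50.0/255.255.255.0",            # sitea_subnet
    "tunnel_name": "to site b", "proposals": dict(PROPOSALS),
    "route": {"destination": "192.168.10.0/255.255.255.0",  # siteb_subnet
              "interface": "to site b"},
}
SITE_B = {
    "x1_ip": "198.51.100.1", "ipsec_gateway": "203.0.113.1",
    "local_subnet": "192.168.10.0/255.255.255.0",          # siteb_subnet
    "tunnel_name": "to site a", "proposals": dict(PROPOSALS),
    "route": {"destination": "10.10.50.0/255.255.255.0",    # sitea_subnet
              "interface": "to site a"},
}

def check_side(name, local, peer):
    """Check one appliance's tunnel and static route against its peer."""
    problems = []
    if local["ipsec_gateway"] != peer["x1_ip"]:
        problems.append(f"{name}: IPSec Gateway is not the peer's X1 address")
    if local["route"]["interface"] != local["tunnel_name"]:
        problems.append(f"{name}: route is not bound to the tunnel interface")
    # ip_network() accepts the "network/netmask" form used on the page.
    dest = ipaddress.ip_network(local["route"]["destination"])
    if dest.overlaps(ipaddress.ip_network(local["local_subnet"])):
        problems.append(f"{name}: route sends the local subnet into the tunnel")
    elif dest != ipaddress.ip_network(peer["local_subnet"]):
        problems.append(f"{name}: route destination is not the peer's subnet")
    return problems

def check_pair(a, b):
    """Return every mismatch between the two mirrored configurations."""
    keys = sorted(set(a["proposals"]) | set(b["proposals"]))
    problems = [f"proposal mismatch: {k}" for k in keys
                if a["proposals"].get(k) != b["proposals"].get(k)]
    return problems + check_side("Site A", a, b) + check_side("Site B", b, a)

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["configurations mirror each other"]:
        print(line)
```

An empty result means the two worksheets agree; a route whose destination is the appliance's own subnet is reported separately because it is the usual symptom of copying one site's route step onto the other.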
