How can I configure a tunnel interface VPN (Static Route-Based VPN)?
05/15/2024
Description
NOTE: This is an example where the Tunnel Interface is an Unnumbered interface without a borrowed interface IP. This is used when Advanced Routing is not needed and only static routes are used for remote networks.
The advantages of Tunnel Interface VPN (Static Route-Based VPN) between two SonicWall UTM appliances include:
- The network topology configuration is removed from the VPN policy configuration, which makes the VPN policy easier to configure and maintain.
- More flexibility on how traffic is routed. With this feature, users can now define multiple paths for overlapping networks over a clear or redundant VPN.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Log into the Site A SonicWall
- Navigate to Network | IPSec VPN | Rules and Settings and click on Add.
- The General tab of the Tunnel Interface VPN is shown with the IPSec Gateway equal to the other device's X1 IP address.
NOTE: The settings used on the Proposals tab are not shown, but these must be identical on the Tunnel Interface VPNs done on both appliances.
- Navigate to Policy | Rules and Policies | Routing Rules and click Add.
- In the Route Policy example shown below, the source is Any, the destination is siteb_subnet, the service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named "to site b". The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the tunnel interface VPN created above. The properties of the VPN network address object siteb_subnet are also shown: 192.168.10.0 / 255.255.255.0.
Log into the Site B SonicWall
- Navigate to Network | IPSec VPN | Rules and Settings and click on Add.
- The General tab of the Tunnel Interface VPN is shown with the IPSec Gateway equal to the other device's X1 IP address.
NOTE: The settings used on the Proposals tab are not shown, but these must be identical on the Tunnel Interface VPNs done on both appliances.
- Navigate to Policy | Rules and Policies | Routing Rules and click Add.
- In the Route Policy example shown below, the source is Any, the destination is sitea_subnet, the service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named "to site a". The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the tunnel interface VPN created above. The properties of the VPN network address object sitea_subnet are also shown: 10.10.50.0 / 255.255.255.0.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Log into the SiteA SonicWall
- Navigate to Manage | VPN | Base Settings and click on Add.
- The General tab of the Tunnel Interface VPN is shown with the IPSec Gateway equal to the other device's X1 IP address.
NOTE: The settings used on the Proposals tab are not shown, but these must be identical on the Tunnel Interface VPNs done on both appliances.
- Navigate to Network | Routing and click Add.
- In the Route Policy example shown below, the source is Any, the destination is siteb_subnet, the service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named "to site b". The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the tunnel interface VPN created above. The properties of the VPN network address object siteb_subnet are also shown: 192.168.10.0 / 255.255.255.0.
Log into the SiteB SonicWall
- Navigate to VPN | Settings and click Add. The General tab of Tunnel Interface VPN is shown with the IPSec Gateway equal to the other device's X1 IP address.
NOTE: The settings used on the Proposals tab are not shown, but these must be identical on the Tunnel Interface VPNs done on both appliances.
- Navigate to Network | Routing and click Add.
- In the Route Policy example shown below, the source is Any, the destination is sitea_subnet, the service is Any, and the Interface is set to the previously created Tunnel Interface VPN, named "to site a". The Gateway field is grayed out because SonicOS already knows that a specific network interface is tied to the tunnel interface VPN created above. The properties of the VPN network address object sitea_subnet are also shown: 10.10.50.0 / 255.255.255.0.
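The two sides of this procedure must mirror each other: identical Proposals, each IPSec Gateway equal to the peer's X1 IP, and each route pointing at the peer's subnet through the local tunnel interface. The following check is an added example, not SonicWall code; it runs those comparisons over a constructed settings structure. The dictionary layout, the X1 addresses and the proposal values are assumptions made for the example; only the subnets and tunnel names come from the article.

```python
import ipaddress

def make_site(x1_ip, local_subnet, peer_x1, peer_subnet, tunnel_name):
    """Build one side's settings (constructed structure, not a SonicOS export)."""
    return {
        "x1_ip": x1_ip,
        "local_subnet": local_subnet,
        "tunnel_name": tunnel_name,
        "ipsec_gateway": peer_x1,
        # Placeholder proposal values; the article does not show its Proposals tab.
        "proposals": {"exchange": "IKEv2", "encryption": "AES-256",
                      "authentication": "SHA256", "dh_group": "14"},
        "route": {"source": "Any", "destination": peer_subnet,
                  "service": "Any", "interface": tunnel_name},
    }

# Subnets are the article's; the X1 addresses are documentation-range placeholders.
SITE_A = make_site("203.0.113.1", "10.10.50.0/255.255.255.0",
                   "198.51.100.1", "192.168.10.0/255.255.255.0", "to site b")
SITE_B = make_site("198.51.100.1", "192.168.10.0/255.255.255.0",
                   "203.0.113.1", "10.10.50.0/255.255.255.0", "to site a")

def net(text):
    """Parse 'address/netmask' and normalise it to its network."""
    return ipaddress.ip_network(text, strict=False)

def check_pair(a, b):
    """Return a list of mismatches between the two tunnel interface VPN peers."""
    problems = []
    pa, pb = a["proposals"], b["proposals"]
    diff = sorted(k for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k))
    if diff:
        problems.append("proposals differ: " + ", ".join(diff))
    for name, local, peer in (("A", a, b), ("B", b, a)):
        route = local["route"]
        if local["ipsec_gateway"] != peer["x1_ip"]:
            problems.append(f"site {name}: IPSec Gateway is not the peer's X1 IP")
        if net(route["destination"]) != net(peer["local_subnet"]):
            problems.append(f"site {name}: route destination is not the peer subnet")
        if route["interface"] != local["tunnel_name"]:
            problems.append(f"site {name}: route is not bound to the tunnel interface")
    return problems

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B) or ["both sides are consistent"]:
        print(line)
```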