• SonicOS 7.1
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• IPSec VPN Overview
  • About Virtual Private Networks
  • VPN Types
    • IPsec VPN
    • DHCP over VPN
    • L2TP with IPsec
    • SSL VPN
  • VPN Security
    • About IKEv1
    • About IKEv2
    • Mobility and Multi-homing Protocol for IKEv2 (MOBIKE)
    • About IPsec (Phase 2) Proposal
    • About Suite B Cryptography
  • VPN Base Settings and Displays
    • Policies
    • Active Tunnels
    • Settings
  • IPv6 VPN Configuration
• Site to Site VPNs
  • Planning Site to Site Configurations
  • General VPN Configuration
    • Configuring Settings on the General Tab
    • Configuring Settings on the Network Tab
    • Configuring Settings on the Proposals Tab
    • Configuring Settings on the Advanced Tab
  • Managing GroupVPN Policies
    • Configuring IKE Using a Preshared Secret Key
    • Configuring IKE Using 3rd Party Certificates
    • Downloading a GroupVPN Client Policy
  • Creating Site to Site VPN Policies
    • Configuring with a Preshared Secret Key
    • Configuring with a Manual Key
    • Configuring with a Third-Party Certificate
    • Configuring the Remote SonicWall Network Security Appliance
    • Configuring VPN Failover to a Static Route
• VPN Auto Provisioning
  • About VPN Auto Provisioning
    • Defining VPN Auto Provisioning
    • Benefits of VPN Auto Provisioning
    • How VPN Auto Provisioning Works
      • About Establishing the IKE Phase 1 Security Association
      • About Establishing IKE Phase 2 using a Provisioned Policy
  • Configuring a VPN AP Server
    • Starting the VPN AP Server Configuration
    • Configuring VPN AP Server Settings on General
    • Configuring VPN AP Server Settings on Network
    • Configuring Advanced Settings on Proposals
    • Configuring Advanced Settings on Advanced
  • Configuring a VPN AP Client
• Rules and Settings
  • Adding a Tunnel Interface
    • Creating a Static Route for the Tunnel Interface
  • Route Entries for Different Network Segments
  • Redundant Static Routes for a Network
• Advanced
  • Configuring Advanced VPN Settings
  • Configuring IKEv2 Settings
  • Using OCSP with SonicWall Network Security Appliances
    • OpenCA OCSP Responder
    • Loading Certificates to Use with OCSP
    • Using OCSP with VPN Policies
• DHCP over VPN
  • DHCP Relay Mode
  • Configuring the Central Gateway for DHCP Over VPN
  • Configuring DHCP over VPN Remote Gateway
  • Current DHCP over VPN Leases
• L2TP Servers and VPN Client Access
  • Configuring the L2TP Server
  • Viewing Currently Active L2TP Sessions
  • Configuring Microsoft Windows L2TP VPN Client Access
  • Configuring Google Android L2TP VPN Client Access
• AWS VPN
  • Overview
  • Creating a New VPN Connection
  • Reviewing the VPN Connection
    • Configuration on the Firewall
    • Configuration on Amazon Web Services
  • Route Propagation
  • AWS Regions
  • Deleting VPN Connections
• SonicWall Support
  • About This Document

VPN Auto-Added Access Rule Control

When adding VPN Policies, SonicOS auto-creates non-editable Access Rules to allow the traffic to traverse the appropriate zones. Consider the following VPN Policy, where the Local Network is set to Firewalled Subnets (in this case comprising the LAN and DMZ) and the Destination Network is set to Subnet 192.168.169.0.

While this is generally a tremendous convenience, you might want to suppress the auto-creation of Access Rules in support of a VPN Policy. One such instance would be the case of a large hub-and-spoke VPN deployment where all the spoke sites are addresses using address spaces that can easily be supernetted. For example, to provide access to/from the LAN and DMZ at the hub site to one subnet at each of 2,000 remote sites, addressed as follows:

• remoteSubnet0=Network 10.0.0.0/24 (mask 255.255.255.0, range 10.0.0.0-10.0.0.255)
• remoteSubnet1=Network 10.0.1.0/24 (mask 255.255.255.0, range 10.0.1.0-10.0.1.255)
• remoteSubnet2=Network 10.0.2.0/24 (mask 255.255.255.0, range 10.0.2.0-10.0.2.255)
• remoteSubnet2000=10.7.207.0/24 (mask 255.255.255.0, range 10.7.207.0-10.7.207.255)

Creating VPN Policies for each of these remote sites would result in having 2,000 VPN Policies, but would also create 8,000 Access Rules (LAN -> VPN, DMZ -> VPN, VPN -> LAN, and VPN -> DMZ for each site). However, all of these Access Rules could easily be handled with just four Access Rules to a supernetted or address range representation of the remote sites (more specific allow or deny Access Rules could be added as needed):

remoteSubnetAll=Network 10.0.0.0/13 (mask 255.248.0.0, range 10.0.0.0-10.7.255.255) or

remoteRangeAll=Range 10.0.0.0-10.7.207.255

To enable this level of aggregation, the Advanced tab of the VPN Policy dialog offers the Suppress automatic Access Rules creation for VPN Policy option for site to site VPN policies. By default, the checkbox is not selected, meaning the accompanying Access Rules are created automatically, as they've always been. By selecting the checkbox when creating the VPN Policy, you have the ability and need to create custom Access Rules for the VPN traffic.