SonicOS 7.1 System
Configuring VPN Tunnel Interfaces
You can create a numbered tunnel interface by selecting VPN Tunnel Interface from the Add Interface drop-down menu. Once added to the Interface Settings table, a VPN tunnel interface can be used with dynamic routing (RIP, OSPF, and BGP), or a static route policy can name it as the egress interface in a static route-based VPN configuration.
A VPN Tunnel Interface (TI) can be configured like a standard interface, including options to enable appliance management or user login using HTTP, HTTPS, Ping, or SSH in addition to multicast, flow reporting, asymmetric routing, fragmented packet handling, and Don't Fragment (DF) Bit settings.
A similar VPN policy and numbered tunnel interface must be configured on the remote gateway. The IP addresses assigned to the numbered tunnel interfaces (on the local gateway and the remote gateways) must be on the same subnet.
The following table lists where a VPN Tunnel Interface can and cannot be deployed.

| TI can be configured as an interface in | TI cannot be configured as |
|---|---|
| Static Route | Static ARP entries interface |
| NAT | HA interface |
| ACL (Virtual Access Point Access Control List) | WLB (WAN Load Balancing) interface |
| Static NDP (Neighbor Discovery Protocol) entries interface | |
| OSPF | OSPFv3/RIPng: currently not supported for IPv6 advanced routing |
| RIP | MAC_IP Anti-spoof interface |
| BGP | DHCP server interface |
For all platforms, the maximum supported number of VPN Tunnel Interfaces (numbered tunnel interfaces) is 64. The maximum number of unnumbered tunnel interfaces differs by platform and directly corresponds to the maximum number of VPN policies supported on each platform.
To configure a VPN Tunnel Interface
- Navigate to NETWORK | System > Interfaces.
- From Add Interface under the Interface Settings table, select VPN Tunnel Interface. The Add VPN Tunnel Interface dialog displays. The zone is fixed to VPN and cannot be changed.
- From VPN Policy, select the VPN policy this interface is bound to.
- In the Name field, enter a friendly name for this interface. The name can contain alphanumeric characters, periods (dots), or underscores; it cannot contain spaces or hyphens.
- In the IP Address field, enter an explicit IP address. The default is 0.0.0.0, which is not accepted; an error message displays if you leave it unchanged.
- In the Subnet Mask field, enter the subnet mask. The default is 255.255.255.0.
- Optionally, add a comment in the Comment field.
- Optionally, enter a Domain Name. This field binds a single, accurate domain name to all web services provided by this interface. The value can be one of the following:
  - An FQDN, optionally with a leading wildcard label (for example, *.company.com or www.company.com)
  - An IPv4 or IPv6 address string (for example, a.a.a.a or b:b:b:b:b:b:b:b)

  When a Domain Name is configured, all web access on this interface, including the SSL VPN service, is accepted only when the request is addressed to that Domain Name; requests using any other host name are rejected. Access through the interface's exact IP address is implicitly trusted, whether or not this field is set.

  For this check to take effect, the Enforce HTTP Host Header Check option on the Administration page must also be enabled.
- Optionally, specify the Management protocol(s) allowed on this interface: HTTPS, Ping, SNMP, and/or SSH.
- Optionally, specify the User Login protocol(s) allowed on this interface: HTTP and/or HTTPS.
- Click Advanced.
- To enable flow reporting on flows created for the tunnel interface, select Enable flow reporting.
- Optionally, enable multicast reception on the interface by selecting Enable Multicast Support. This option is not selected by default.
- Optionally, enable Asymmetric Route Support on the tunnel interface by selecting Enable Asymmetric Route Support. This option is not selected by default. For more information about asymmetric routing, see Asymmetric Routing.
- To use Routed Mode and add a NAT policy that prevents outbound/inbound translation, select Use Routed Mode – Add NAT Policy to prevent outbound/inbound translation. This option is not selected by default. When it is selected, the following option becomes available.
- If Routed Mode is selected, choose the interface for the NAT policy from NAT Policy outbound/inbound interface. The available interfaces depend on your appliance. The default is ANY.
- To enable fragmented packet handling on this interface, select Enable Fragmented Packet Handling. If this option is not selected, fragmented packets are dropped and the VPN log shows the message Fragmented IPsec packet dropped. When this option is selected, the Ignore Don't Fragment (DF) Bit option becomes available.
- Select Ignore Don't Fragment (DF) Bit to ignore the DF bit in the packet header. Some applications explicitly set the Don't Fragment flag, which tells every device on the path not to fragment the packet. When this option is enabled, the appliance ignores the DF bit and fragments the packet regardless, so the sender no longer receives the feedback it expected from setting the flag.
- Select Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU to suppress the ICMP Fragmentation Needed messages the appliance would otherwise send to the source when an outbound packet exceeds the interface MTU. Because those messages are what Path MTU Discovery relies on, suppressing them can leave a sender unaware that its packets are too large for the tunnel.
- Click OK. The numbered VPN tunnel interface is added to the Interface Settings table.
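The rules in the procedure above (interface naming, an explicit non-default IP address, peer tunnel addresses on one subnet, the two accepted Domain Name forms, and the Host header enforcement that the Domain Name switches on) are easy to get wrong before the configuration is ever tested over a live tunnel. The following pre-flight checker is an added example and not SonicOS code; it models those rules in Python so the values can be validated offline. Function names, the sample addresses, and the treatment of a leading `*.` as matching one or more host labels are assumptions made for this illustration; only the case where a Domain Name is set is modeled, since the page does not define the check when the field is empty.

```python
"""Pre-flight checks for a numbered VPN tunnel interface (added example, not SonicOS code)."""
import ipaddress
import re

# Name rule from the procedure: alphanumerics, periods and underscores only.
_NAME_RE = re.compile(r"^[A-Za-z0-9._]+$")
# Host name: dot-separated labels; an optional leading "*." marks a wildcard
# (assumption: the wildcard stands for one or more labels under that domain).
_FQDN_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def validate_tunnel_interface(name, local_ip, subnet_mask, remote_ip):
    """Return a list of problems; an empty list means the values are acceptable."""
    problems = []
    if not _NAME_RE.match(name):
        problems.append(f"name {name!r} may only contain letters, digits, '.' and '_'")
    try:
        local = ipaddress.IPv4Interface(f"{local_ip}/{subnet_mask}")
        remote = ipaddress.IPv4Address(remote_ip)
    except ValueError as exc:
        return problems + [f"bad address: {exc}"]
    if local.ip == ipaddress.IPv4Address("0.0.0.0"):
        problems.append("IP Address is still the default 0.0.0.0; an explicit address is required")
    elif remote not in local.network:
        # Both ends of a numbered tunnel must share one subnet.
        problems.append(f"remote tunnel address {remote} is not in local subnet {local.network}")
    elif remote == local.ip:
        problems.append("local and remote tunnel addresses must differ")
    return problems


def domain_name_kind(domain_name):
    """Classify a Domain Name value as 'ip', 'fqdn', or None when it fits neither form."""
    try:
        ipaddress.ip_address(domain_name)
        return "ip"
    except ValueError:
        pass
    return "fqdn" if _FQDN_RE.match(domain_name) else None


def host_header_allowed(host_header, interface_ip, domain_name):
    """Model of the Host header check once a Domain Name is configured.

    The interface's exact IP address is always trusted; otherwise the Host
    value must equal the Domain Name (or fall under it for a '*.' wildcard).
    """
    host = host_header.lower()
    if host.startswith("["):                     # bracketed IPv6 literal
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]              # drop any :port suffix
    if host == str(ipaddress.ip_address(interface_ip)):
        return True
    kind = domain_name_kind(domain_name)
    if kind == "ip":
        return host == str(ipaddress.ip_address(domain_name))
    if kind != "fqdn":
        return False                              # malformed Domain Name: fail closed
    name = domain_name.lower()
    if name.startswith("*."):
        suffix = name[1:]                         # ".company.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == name


if __name__ == "__main__":
    # Constructed sample: a /30 point-to-point tunnel and a wildcard Domain Name.
    print(validate_tunnel_interface("vpn_ti1", "10.255.0.1", "255.255.255.252", "10.255.0.2"))
    print(validate_tunnel_interface("vpn-ti1", "0.0.0.0", "255.255.255.0", "10.255.0.2"))
    for hdr in ("www.company.com:443", "company.com", "10.255.0.1", "evil.example"):
        print(hdr, host_header_allowed(hdr, "10.255.0.1", "*.company.com"))
```

Run the module directly to see the checks applied to the constructed sample values; in practice, feed it the local and remote gateway values side by side, since the same-subnet requirement is the one that is only visible when both ends are compared.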