SonicOS 7.1 System

Table of Contents

Configuring VPN Tunnel Interfaces

You can create a numbered tunnel interface by selecting VPN Tunnel Interface from the Add Interface drop-down menu. VPN tunnel interfaces are added to the Interface Settings table and then can be used with dynamic routing, including RIP, OSPF, and BGP, or a static route policy can use the VPN tunnel interface as the interface in a configuration for a static route-based VPN.

A VPN Tunnel Interface (TI) can be configured like a standard interface, including options to enable appliance management or user login using HTTP, HTTPS, Ping, or SSH in addition to multicast, flow reporting, asymmetric routing, fragmented packet handling, and Don't Fragment (DF) Bit settings.

A similar VPN policy and numbered tunnel interface must be configured on the remote gateway. The IP addresses assigned to the numbered tunnel interfaces (on the local gateway and the remote gateways) must be on the same subnet.

VPN tunnel interface deployment lists how a VPN Tunnel Interface can be deployed.

VPN Tunnel Interface Deployment
TI can be configured as an interface in TI cannot be configured as
Static Route Static ARP entries interface
NAT HA interface
ACL (Virtual Access Point Access Control List) WLB (WAN Load Balancing) interface
Static NDP (Neighbor Discovery Protocol) entries interface
OSPF OSPFv3/RIPnG: currently not supported for IPv6 advanced routing
RIP MAC_IP Anti-spoof interface
BGP DHCP server interface

For all platforms, the maximum supported number of VPN Tunnel Interfaces (numbered tunnel interfaces) is 64. The maximum number of unnumbered tunnel interfaces differs by platform and directly corresponds to the maximum number of VPN policies supported on each platform.

To configure a VPN Tunnel Interface

  1. Navigate to NETWORK | System > Interfaces.

  2. From Add Interface under the Interface Settings table, select VPN Tunnel Interface. The Add VPN Tunnel Interface dialog displays.

    VPN Tunnel Interface Settings

    The zone is defined as VPN and cannot be changed.

  3. From VPN Policy, select a VPN policy.
  4. In the Name field, enter a friendly name for this interface. The name can contain alphanumeric characters, periods (dots), or underscores; it cannot contain spaces or hyphens.
  5. Enter an IP address in the IP Address field. The default is 0.0.0.0, but you need to enter an explicit IP address or an error message displays.
  6. In the Subnet Mask field, enter the subnet mask. The default is 255.255.255.0.
  7. Optionally, add a comment in the Comment field.

  8. The Domain Name field is used to bound an accurate domain name with all web services provided by this interface. The value can be one of the following:

    • An FQDN address (*.company.com / www.company.com)

    • An IPv4 or IPv6 address string (a.a.a.a / b:b:b:b:b:b:b:b)

      When configured, all web access, along with SSL VPN service, should be accessed by only the Domain Name. No other attempts are allowed.

      Access through an exact IP address is implicitly trusted, whether this field is set or not.

      To enable this feature, make sure the Enforce HTTP Host Header Check option located on the Administrator page, is enabled as well.

  9. Optionally, specify the Management protocol(s) allowed on this interface: HTTPS, Ping, SNMP, and/or SSH.
  10. Optionally, specify the User Login protocol(s) allowed on this interface: HTTP and/or HTTPS.

  11. Click Advanced.

  12. To enable flow reporting on flows created for the tunnel interface, select Enable flow reporting.
  13. Optionally, enable multicast reception on the interface by selecting Enable Multicast Support. This option is not selected by default.
  14. Optionally, enable Asymmetric Route Support on the tunnel interface by selecting Enable Asymmetric Route Support. This option is not selected by default. For more information about asymmetric routing, see Asymmetric Routing.
  15. To use Routed Mode and add a NAT policy to prevent outbound/inbound translation, select User Routed Mode – Add NAT Policy to prevent outbound/inbound translation. When selected, the following option becomes available. This option is not selected by default.
  16. If Routed Mode is selected, to specify an interface for the NAT policy, select an interface from NAT Policy outbound/inbound interface. The available interfaces depend on your appliance. The default is ANY.

  17. To enable fragmented packet handling on this interface, select Enable Fragmented Packet Handling. If this option is not selected, fragmented packets are dropped and the VPN log report shows the log message Fragmented IPsec packet dropped.

    If this option is selected, the Ignore Don’t Fragment (DF) Bit option is available.

  18. Select Ignore Don't Fragment (DF) Bit to ignore the DF bit in the packet header. Some applications can explicitly set the Don’t Fragment option in a packet, which tells all appliances to not fragment the packet. This option, when enabled, causes the appliance to ignore the DF bit and fragment the packet regardless.
  19. Select Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU to block the notification that this interface can receive fragmented packets.
  20. Click OK. The numbered VPN tunnel interface is added to the Interface Settings table.