
SonicOS 5.8 Route Based VPN Feature Module

Route Based Virtual Private Network

Document Scope

This solutions document provides details about Route Based Virtual Private Network (VPN) Technology, its advantages, and procedures to configure a Route Based VPN.

This document contains the following sections:

• “Overview” section on page 1

• “Using Route Based VPN” section on page 2

Overview

This section provides an introduction to Route Based VPN. This section contains the following subsections:

• “What is a Route Based VPN?” section on page 1

• “Benefits” section on page 2

• “Platforms” section on page 2

What is a Route Based VPN?

In general, a Virtual Private Network (VPN) is a way for companies to have the same security as if all the distributed networks were together, with only one access to the private network, or intranet. Each location has a firewall, specially configured so that it recognizes all the other firewall locations. When a firewall sees a packet headed outward to another protected location, it encrypts the packet. After the packet travels across the Internet, the receiving firewall decrypts it.

A policy-based approach forces the VPN policy configuration to include the network topology configuration. This makes it difficult for the network administrator to configure and maintain the VPN policy with a constantly changing network topology.

With the Route Based VPN approach, network topology configuration is removed from the VPN policy configuration. The VPN policy configuration creates a Tunnel Interface between two end points. Static routes can then be added to the Tunnel Interface. The Route Based VPN approach moves network configuration from the VPN policy configuration to route configuration.

1 SonicWALL Route Based VPN Feature Module


Benefits

Route Based VPN not only makes configuring and maintaining the VPN policy easier; a major advantage of the feature is the flexibility it provides in how traffic is routed. With this feature, users can define multiple paths for overlapping networks over a clear or redundant VPN.

Platforms

The Route Based VPN feature is supported on SonicOS 5.5 Enhanced and higher.

Using Route Based VPN

This section contains the following subsections:

• “Configuring Static Route Based VPN” section on page 2

• “Configuration Overview” section on page 2

• “Adding a Tunnel Interface” section on page 3

• “Creating a Static Route for Tunnel Interface” section on page 4

• “Route Entries for Different Network Segments” section on page 5

• “Redundant Static Routes for a Network” section on page 6

• “Drop Tunnel Interface” section on page 6

• “Creating a Static Route for Drop Tunnel Interface” section on page 7

• “Advanced Route Configuration for Tunnel Interface” section on page 8

• “Configuring Routing Protocol for a Tunnel Interface” section on page 10

• “Additional Configuration Scenarios” section on page 11

Configuring Static Route Based VPN

Route based VPN configuration is a two-step process. The first step is to create a Tunnel Interface; the crypto suites used to secure the traffic between the two end-points are defined in the Tunnel Interface. The second step is to create a static route using the Tunnel Interface.

Configuration Overview

The Tunnel Interface is created when a Policy of type “Tunnel Interface” is added for the remote gateway. The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is used as the source address of the tunneled packet.

A Static Route ties the traffic (source, destination, and service) to the Tunnel Interface. Any number of overlapping static routes can be added for the tunneled traffic. When networks are added or removed from the topology, the static routes only need to be updated accordingly; the tunnel interface configuration does not need to be updated.


For more details about a general tunnel interface configuration, please refer to the SonicOS Enhanced 5.4 Administrator’s Guide: http://www.sonicwall.com/


Adding a Tunnel Interface

The following procedures explain how to add a Tunnel Interface:

Step 1 Navigate to VPN>Settings>VPN Policies. Click the Add... button. This will open the VPN Policy Configuration dialog box.

Step 2 On the General tab, select the policy type as “Tunnel Interface.”

Step 3 Next, navigate to the Proposal tab and configure the IKE and IPSec proposals for the tunnel negotiation.


Step 4 Navigate to the Advanced tab to configure the advanced properties for the Tunnel Interface. By default, “Enable Keep Alive” is enabled; this establishes the tunnel with the remote gateway proactively.

Also, the default tunnel interface is bound to the X1 interface, but can be bound to any of the available interfaces.

Creating a Static Route for Tunnel Interface

After you have successfully added a Tunnel Interface, you may then create a Static Route. Follow the procedures to create a Static Route for a Tunnel Interface.

Navigate to Network>Routing>Route Policies. Click the Add... button. A dialog window appears for adding a Static Route. Note that the “Interface” dropdown menu lists all available tunnel interfaces.


Auto-add Access Rule

When using “Any” and not specifying the source of the route policy, inbound and outbound access rules that allow traffic between non-Trusted zones and the tunnel interface will not be auto-added. VPN Allow Rules from and to these zones for the remote network(s) must be manually added for successful communication between these local and remote networks.

Note The auto-added VPN > WAN allow rule(s) for the remote networks to “Any” is intended for route-all scenarios.

Route Entries for Different Network Segments

After a tunnel interface is created, multiple route entries can be configured to use the same tunnel interface for different networks. This provides a mechanism to modify the network topology without making any changes to the tunnel interface.

The image below shows an example of the same tunnel interface used for different networks (Routes 1 & 2):


Redundant Static Routes for a Network

Once more than one tunnel interface is configured, you can also add multiple overlapping static routes, each using a different tunnel interface to route the traffic. This provides routing redundancy for the traffic to reach the destination.

The image below illustrates redundant static routes for a network (Routes 2 & 3):

Drop Tunnel Interface

The Drop Tunnel Interface is a pre-configured tunnel interface that provides added security for traffic. If a static route is bound to the drop tunnel interface, all traffic matching that route is dropped rather than forwarded in the clear. When a static route bound to a tunnel interface is defined for some traffic (source/destination/service) and that traffic must not be forwarded in the clear if the tunnel interface is down, it is recommended to also configure a static route for the same network traffic bound to the drop tunnel interface. As a result, if the tunnel interface is down, the traffic is dropped by the drop tunnel interface static route.


Creating a Static Route for Drop Tunnel Interface

To add a static route for the drop tunnel interface, navigate to Network>Routing>Route Policies. Click the Add... button. As when configuring a Static Route for a Tunnel Interface, configure the values for the Source, Destination, and Service Objects. Under Interface, select “Drop_tunnelIf.”

Once added, the route is enabled and displayed in the Route Policies.


Advanced Route Configuration for Tunnel Interface

To allow RIP and OSPF configuration, follow the steps below:

Step 1 Enable the Allow Advance Routing option in the tunnel interface configuration.

With this option enabled, the tunnel interface will appear under “Advanced Routing Configuration” in the Network > Routing screen.


Step 2 Enable RIP and OSPF on the tunnel interface and configure the “IP address borrowed from” and “Remote IP” on the appliances at both sites.

Note The fields “IP Address borrowed from” and “Remote IP Address” require the IP addresses for routing protocol tunnels and must be in the same subnet.

Note Remember that the Remote IP Address must match the IP Address in the remote site’s RIP/OSPF configuration for the “IP borrowed Interface” address.


Configuring Routing Protocol for a Tunnel Interface

After you have successfully added a Tunnel Interface, you can navigate to the Network>Routing>Advanced Routing page for a full list of interfaces.

To configure Advanced Routing options, click on the Configure RIP or Configure OSPF icon for the Tunnel Interface you wish to configure.

This section contains the following subsections:

• “Configuring RIP for a Tunnel Interface” section on page 10

• “Configuring OSPF for a Tunnel Interface” section on page 11

Configuring RIP for a Tunnel Interface

From the Network>Routing>Routing Protocols page, click the Configure RIP icon. A dialog will appear which will allow you to configure the RIP for the Tunnel Interface. Click OK when you have finished configuring the RIP settings.


Note If you select the Send and Receive option for RIP, you will have to select the RIP version for each message sent and received.

Configuring OSPF for a Tunnel Interface

From the Network>Routing>Routing Protocols page, click the Configure OSPF icon. A dialog will appear which will allow you to configure the OSPF for the Tunnel Interface. Click OK when you have finished configuring the OSPF settings.

Additional Configuration Scenarios

The following section contains procedures for configuring more advanced route-based VPN scenarios. This section includes the following subsections:

• “Single Tunnel Interface Configuration Between Two Sites” section on page 12

• “Multiple Tunnel Interface Configuration Between Two Sites” section on page 13

– “Failover and Load Balancing” section on page 15

• “Mesh Configuration for Redundant Route-Based VPN Between Multiple Sites” section on page 19


Single Tunnel Interface Configuration Between Two Sites

The following steps describe how to configure a single tunnel interface between two sites (Site A and Site B):

Step 1 On the first site’s network (Site A), create the first tunnel interface policy by navigating to the VPN > Settings screen. Select “Tunnel Interface” as the Policy Type, and fill in the Name for this interface. In this example, the Site A interface is named “RTVPN1.”

Step 2 On the second site’s network (Site B), repeat Step 1 to create a Policy Type. For this Site B interface, we have named it “RTVPN2.”

Note Both interfaces are bound to the WAN (X1) interface on each respective appliance.


Step 3 On the Site A appliance, navigate to the Network > Routing screen, and configure a static route from Site A to Site B, with Site A as the ‘Source’ and Site B being the ‘Destination.’

Step 4 On the Site B appliance, repeat step 3, with Site B as the ‘Source’ and Site A as the ‘Destination.’

Multiple Tunnel Interface Configuration Between Two Sites

The following steps describe how to configure multiple tunnel interfaces between two sites (Site A and Site B):

Step 1 For Site A’s first network (Network 1), create a tunnel interface policy by navigating to the VPN > Settings screen. Select “Tunnel Interface” as the Policy Type, and fill in the Name for this interface. In this example, the Site A Network 1 interface is named “RTVPN1.”


Step 2 For Site A’s second network (Network 2), create a tunnel interface policy by repeating Step 1. In this example, we have the Site A Network 2 interface named as “RTVPN3.”

Step 3 On Site B’s network, repeat Steps 1 & 2 to create a Policy Type for its two interfaces (Site B Network 1 and Site B Network 2). For the Site B Network 1 interface, we have named it “RTVPN2-X1.”

For the Site B Network 2 interface, we have named it “RTVPN2-X2.”


Step 4 On the Site A appliance, navigate to the Network > Routing screen, and configure a static route from Site A Network 1 (RTVPN1) to Site B Network 1 (RTVPN2-X1), with Site A as the ‘Source’ and Site B being the ‘Destination.’

Step 5 Configure another static route from Site A Network 2 (RTVPN3) to Site B Network 2 (RTVPN2-X2), with Site A as the ‘Source’ and Site B being the ‘Destination.’

Step 6 Repeat Steps 4 and 5 for the Site B appliance, configuring a static route from Site B Network 1 (RTVPN2-X1) to Site A Network 1 (RTVPN1) and another static route from Site B Network 2 (RTVPN2-X2) to Site A Network 2 (RTVPN2), with Site B as the ‘Source’ and Site A as the ‘Destination’ for both routes.

Failover and Load Balancing

When the tunnel interfaces are bound to a physical interface, you can configure tunnel failover or traffic load balancing using static routing on additional routes. Follow the steps below to configure failover and load balancing for multiple tunnel interfaces between two sites:

Step 1 Add additional routes on Site A appliance:


• For Site A Network 1 and Site B Network 1, add a static route with interface RTVPN3 and a metric lower than that of the existing static route for the same network via the tunnel interface to 10.8.23.208 (for this example).

• For Site A Network 2 and Site B Network 2, add a static route with interface RTVPN1 and a metric lower than that of the existing static route for the same network via the tunnel interface to 10.9.23.209 (for this example).

Step 2 Repeat Step 1 to add additional routes on Site B appliance:


• For Site B Network 1 and Site A Network 1, add a static route with interface RTVPN2-X2 and a metric lower than that of the existing static route for the same network via the tunnel interface to 10.8.23.206 (for this example).

• For Site B Network 2 and Site A Network 2, add a static route with interface RTVPN2-X1 and a metric lower than that of the existing static route for the same network via the tunnel interface to 10.9.23.209 (for this example).

Note When the high priority route is not available, the low priority route is used to forward the traffic to the destination network.

Step 3 Navigate to the Network > Routing screen to configure the following tunnel interface VPN Policy on Site A:

• RTVPN1 bound to interface X1 for remote gateway 10.8.23.208.

• RTVPN3 bound to interface X2 for remote gateway 10.9.23.209.

Step 4 Configure the following tunnel interface VPN Policy on Site B:

• RTVPN2 bound to interface X1 for remote gateway 10.6.23.206.

• RTVPN4 bound to interface X2 for remote gateway 10.7.23.207.

Step 5 Next, configure the following static routes on Site A:

• For Site A Network 1 and Site B Network 1, configure the interface as RTVPN1.


• For Site A Network 2 and Site B Network 2, configure the interface as RTVPN3.

Step 6 Repeat Step 5 to configure the following static routes on Site B:

• For Site B Network 1 and Site A Network 1, configure the interface as RTVPN2.

• For Site B Network 2 and Site A Network 2, configure the interface as RTVPN4.

Step 7 As the tunnel interfaces are bound to a physical interface and not to a zone, tunnel failover or traffic load balancing can be achieved using static routing. Add the following additional routes on Site A:

• For Site A Network 1 and Site B Network 1 with interface RTVPN3, configure a static route for the same network with tunnel interface RTVPN1. This is the static route you configured in Step 5.

• For Site A Network 2 and Site B Network 2 with interface RTVPN1, configure a static route for the same network with tunnel interface RTVPN3. This is the static route you configured in Step 5.

Step 8 Add the following additional routes on Site B:

• For Site B Network 1 and Site A Network 1 with interface RTVPN4, configure a static route for the same network with tunnel interface RTVPN2. This is the static route you configured in Step 6.

• For Site B Network 2 and Site A Network 2 with interface RTVPN2, configure a static route for the same network with tunnel interface RTVPN4. This is the static route you configured in Step 6.
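The failover procedure in Steps 1 through 8, the Note above about high- and low-priority routes, and the earlier Drop Tunnel Interface section all rest on one mechanism: overlapping static routes for the same traffic, each bound to a different interface, where a route is only usable while its tunnel interface is up. The following Python model is an added illustration written for this document; it is not SonicOS code and not published by SonicWALL. The interface names RTVPN1, RTVPN3, X1 and Drop_tunnelIf come from the document; the networks 192.168.1.0/24 and 192.168.2.0/24, the sample flow, and the precedence rule (most specific destination first, then lowest metric, with a lower metric preferred) are assumptions of the model. It shows the failure mode the Drop Tunnel Interface exists for: with every tunnel down and no drop route, the default route carries the traffic in the clear.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of route-based VPN forwarding decisions; not SonicOS code.
DROP_IF = "Drop_tunnelIf"   # name of the pre-configured Drop Tunnel Interface in the document


@dataclass(frozen=True)
class Route:
    source: str       # "Any" or a CIDR such as "192.168.1.0/24" (constructed values)
    destination: str  # "Any" or a CIDR
    service: str      # "Any" or a service name such as "HTTPS"
    interface: str    # tunnel interface (RTVPNx), DROP_IF, or a physical interface such as "X1"
    metric: int = 1   # assumption for the model: lower metric = higher priority


def _net_match(pattern: str, addr: str) -> bool:
    """True when addr falls inside pattern; 'Any' matches everything."""
    return pattern == "Any" or ip_address(addr) in ip_network(pattern)


def _prefix_len(pattern: str) -> int:
    """Prefix length used for most-specific-first ordering; 'Any' is least specific."""
    return -1 if pattern == "Any" else ip_network(pattern).prefixlen


class RouteTable:
    def __init__(self, routes, tunnel_state):
        self.routes = list(routes)
        # tunnel interface name -> True when the tunnel is negotiated, False when it is down
        self.tunnel_state = dict(tunnel_state)

    def _usable(self, r: Route) -> bool:
        # Physical interfaces and the Drop Tunnel Interface never go down in this model;
        # a route bound to a tunnel interface is only usable while that tunnel is up.
        if r.interface == DROP_IF or r.interface not in self.tunnel_state:
            return True
        return self.tunnel_state[r.interface]

    def select(self, src: str, dst: str, svc: str):
        """Pick the route for a flow.

        Returns (action, interface) where action is 'encrypt' (sent over a tunnel),
        'clear' (physical interface, no encryption), 'drop' (Drop Tunnel Interface),
        or (None, None) when no usable route matches.
        """
        matching = [
            r for r in self.routes
            if _net_match(r.source, src)
            and _net_match(r.destination, dst)
            and r.service in ("Any", svc)
            and self._usable(r)
        ]
        if not matching:
            return (None, None)
        # Precedence assumed for the model: most specific destination first, then lowest metric.
        best = min(matching, key=lambda r: (-_prefix_len(r.destination), r.metric))
        if best.interface == DROP_IF:
            return ("drop", DROP_IF)
        if best.interface in self.tunnel_state:
            return ("encrypt", best.interface)
        return ("clear", best.interface)


def build_site_a(tunnel_state, with_drop_route: bool) -> RouteTable:
    """Site A's routes towards Site B's network (all addresses are constructed)."""
    routes = [
        Route("192.168.1.0/24", "192.168.2.0/24", "Any", "RTVPN1", metric=1),  # primary tunnel
        Route("192.168.1.0/24", "192.168.2.0/24", "Any", "RTVPN3", metric=2),  # redundant tunnel
        Route("Any", "Any", "Any", "X1", metric=20),                          # default route, clear
    ]
    if with_drop_route:
        # Same traffic bound to the Drop Tunnel Interface, at a metric worse than both tunnels:
        # it is only chosen once every tunnel route has become unusable.
        routes.append(Route("192.168.1.0/24", "192.168.2.0/24", "Any", DROP_IF, metric=10))
    return RouteTable(routes, tunnel_state)


def forwarding_decision(rtvpn1_up: bool, rtvpn3_up: bool, with_drop_route: bool):
    """Decision for an HTTPS flow from a Site A host to a Site B host under a given tunnel state."""
    table = build_site_a({"RTVPN1": rtvpn1_up, "RTVPN3": rtvpn3_up}, with_drop_route)
    return table.select("192.168.1.10", "192.168.2.20", "HTTPS")


if __name__ == "__main__":
    for rtvpn1_up, rtvpn3_up in [(True, True), (False, True), (False, False)]:
        for drop in (False, True):
            print(f"RTVPN1 up={rtvpn1_up!s:5} RTVPN3 up={rtvpn3_up!s:5} drop route={drop!s:5} ->",
                  forwarding_decision(rtvpn1_up, rtvpn3_up, drop))
```

Running the module walks through the tunnel states: with both tunnels up the primary route wins, with RTVPN1 down the traffic fails over to RTVPN3, and with both down the outcome depends entirely on whether the Drop_tunnelIf route exists. The same overlapping-route mechanism is what the mesh scenario later in this document uses to reach Site B through Site C when the direct tunnel is unavailable.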


Mesh Configuration for Redundant Route-Based VPN Between Multiple Sites

Follow the steps to configure a mesh configuration for Site A, Site B, and Site C using the WAN interface X1:

Step 1 Configure the following tunnel interface VPN policy on Site A:

• RTVPN1 bound to interface X1 for remote gateway 10.8.23.208 for traffic between Site A and Site B.

• RTVPN3 bound to interface X1 for remote gateway 10.10.23.210 for traffic between Site A and Site C.

Step 2 Configure the following tunnel interface VPN Policy on Site B:

• RTVPN2 bound to interface X1 for remote gateway 10.6.23.206 for traffic between Site A and Site B.

• RTVPN4 bound to interface X1 for remote gateway 10.10.23.210 for traffic between Site B and Site C.

Step 3 Configure the following tunnel interface VPN Policy on Site C:

• RTVPN5 bound to interface X1 for remote gateway 10.6.23.206 for traffic between Site A and Site C.

• RTVPN6 bound to interface X1 for remote gateway 10.8.23.208 for traffic between Site B and Site C.

Note When the direct route between Site A and Site B is not available, traffic can be forwarded from Site A to Site B, or vice versa, via the Site C network if the connections from Site A to Site C and from Site B to Site C are available.

Step 4 Next, configure static route on Site A:

• For Site A Network and Site B Network, configure RTVPN2 for traffic between Site A and Site B.

• For Site A Network and Site C Network, configure RTVPN4 for traffic between Site A and Site C.


• For Site A Network and Site B Network, configure RTVPN4 for traffic between Site A and Site B via the Site C tunnel interface.

Step 5 Configure static route on Site B:

• For Site B Network and Site A Network, configure RTVPN1 for traffic between Site A and Site B.

• For Site B Network and Site C Network, configure RTVPN3 for traffic between Site B and Site C.

• For Site B Network and Site A Network, configure RTVPN3 for traffic between Site A and Site B via site C tunnel interface.

Step 6 Configure static route on Site C:

• For Site C Network and Site A Network, configure RTVPN5 for traffic between Site A and Site C.

• For Site B Network and Site C Network, configure RTVPN6 for traffic between Site B and Site C.

• For Site A Network and Site B Network, configure RTVPN6 for traffic between Site A and Site B via the Site C tunnel interfaces RTVPN5 and RTVPN6.

• For Site B Network and Site A Network, configure RTVPN5 for traffic between Site A and Site B via the Site C tunnel interfaces RTVPN5 and RTVPN6.

Solution Document Version History

Version Number  Date       Notes

1               6/24/2009  This document was created by A. Mendoza.

2               7/20/2009  Incorporated feedback from N. Kulshreshtha.

3               7/20/2009  Incorporated feedback from P. Lydon.

4               7/27/2009  Incorporated feedback from N. Kulshreshtha.

5               8/14/2009  Incorporated feedback from N. Kulshreshtha and N. Baumen.

6               8/10/2011  Incorporated feedback from N. Kulshreshtha.

7               8/15/2011  Incorporated additional feedback from N. Kulshreshtha.
