Route Based Virtual Private Network


1 SonicWALL Route Based VPN Feature Module


Document Scope

This solutions document provides details about Route Based Virtual Private Network (VPN) Technology, its advantages, and procedures to configure a Route Based VPN.

This document contains the following sections:

“Overview” section on page 1

“Using Route Based VPN” section on page 2

Overview

This section provides an introduction to Route Based VPN. This section contains the following subsections:

“What is a Route Based VPN?” section on page 1

“Benefits” section on page 2

“Platforms” section on page 2

What is a Route Based VPN?

In general, a Virtual Private Network (VPN) is a way for companies to have the same security as if all their distributed networks were in one place, with a single entry point to the private network, or intranet. Each location has a firewall, specially configured so that it recognizes all the other firewall locations. When the firewall sees a packet headed outward to another protected location, it encrypts the packet. After the packet travels across the Internet, the receiving firewall decrypts it.

A policy-based approach forces the VPN policy configuration to include the network topology configuration. This makes it difficult for the network administrator to configure and maintain the VPN policy when the network topology changes constantly.


Benefits

Not only does Route Based VPN make configuring and maintaining the VPN policy easier, a major advantage of the Route Based VPN feature is that it provides flexibility on how traffic is routed. With this feature, users can now define multiple paths for overlapping networks over a clear or redundant VPN.

Platforms

Route Based VPN is supported on SonicOS 5.5 Enhanced and higher.

Using Route Based VPN

This section contains the following subsections:

“Configuring Static Route Based VPN” section on page 2

“Configuration Overview” section on page 2

“Adding a Tunnel Interface” section on page 3

“Creating a Static Route for Tunnel Interface” section on page 4

“Route Entries for Different Network Segments” section on page 5

“Redundant Static Routes for a Network” section on page 6

“Drop Tunnel Interface” section on page 6

“Creating a Static Route for Drop Tunnel Interface” section on page 7

“Advanced Route Configuration for Tunnel Interface” section on page 8

“Configuring Routing Protocol for a Tunnel Interface” section on page 10

“Additional Configuration Scenarios” section on page 11

Configuring Static Route Based VPN

Route based VPN configuration is a two-step process. The first step is to create a Tunnel Interface; the crypto suites used to secure the traffic between the two end-points are defined in the Tunnel Interface. The second step is to create a static route that uses the Tunnel Interface.

Configuration Overview

The Tunnel Interface is created when a Policy of type “Tunnel Interface” is added for the remote gateway. The Tunnel Interface must be bound to a physical interface and the IP address of that physical interface is used as the source address of the tunneled packet.

A Static Route ties the traffic (source, destination, and service) to the Tunnel Interface. Any number of overlapping static routes can be added for the tunneled traffic. When networks are added or removed from the topology, the static routes only need to be updated accordingly; the tunnel interface configuration does not need to be updated.



Adding a Tunnel Interface

The following procedures explain how to add a Tunnel Interface:

Step 1 Navigate to VPN>Settings>VPN Policies. Click the Add... button. This will open the VPN Policy Configuration dialog box.

Step 2 On the General tab, select the policy type as “Tunnel Interface.”


Step 4 Navigate to the Advanced tab to configure the advanced properties for the Tunnel Interface. By default, “Enable Keep Alive” is enabled, so that the appliance proactively establishes the tunnel with the remote gateway.

Also, by default the tunnel interface is bound to the X1 interface, but it can be bound to any of the available interfaces.

Creating a Static Route for Tunnel Interface

After you have successfully added a Tunnel Interface, you may then create a Static Route. Follow the procedures to create a Static Route for a Tunnel Interface.


Auto-add Access Rule

When using “Any” and not specifying the source of the route policy, inbound and outbound access rules that allow traffic between non-Trusted zones and the tunnel interface will not be auto-added. VPN Allow Rules from and to these zones for the remote network(s) must be manually added for successful communication between these local and remote networks.

Note The auto-added VPN > WAN allow rule(s) for the remote networks to “Any” is intended for route-all scenarios.

Route Entries for Different Network Segments

After a tunnel interface is created, multiple route entries can be configured to use the same tunnel interface for different networks. This provides a mechanism to modify the network topology without making any changes to the tunnel interface.


Redundant Static Routes for a Network

Once more than one tunnel interface is configured, you can also add multiple overlapping static routes, each using a different tunnel interface to route the traffic. This provides routing redundancy for the traffic to reach the destination.

The image below illustrates redundant static routes for a network (Routes 2 & 3):

Drop Tunnel Interface


Creating a Static Route for Drop Tunnel Interface

To add a static route for the Drop Tunnel Interface, navigate to Network>Routing>Routing Policies. Click the Add... button. As when configuring a Static Route for a Tunnel Interface, configure the values for Source, Destination, and Service Objects. Under Interface, select “Drop_tunnelIf.”


Advanced Route Configuration for Tunnel Interface

To allow RIP and OSPF configuration, follow the steps below:

Step 1 Enable the Allow Advanced Routing option in the tunnel interface configuration.

With this option enabled, the tunnel interface will appear under “Advanced Routing Configuration” in the


Step 2 Enable RIP and OSPF on the tunnel interface and configure the “IP address borrowed from” and “Remote IP” on both site appliances.

Note The fields “IP Address borrowed from” and “Remote IP Address” require the IP addresses for routing protocol tunnels and must be in the same subnet.


Configuring Routing Protocol for a Tunnel Interface

After you have successfully added a Tunnel Interface, you can navigate to the Network>Routing>Advanced Routing page for a full list of interfaces.

To configure Advanced Routing options, click on the Configure RIP or Configure OSPF icon for the Tunnel Interface you wish to configure.

This section contains the following subsections:

“Configuring RIP for a Tunnel Interface” section on page 10

“Configuring OSPF for a Tunnel Interface” section on page 11

Configuring RIP for a Tunnel Interface


Note If you select the Send and Receive option for RIP, you will have to select the RIP version for each message sent and received.

Configuring OSPF for a Tunnel Interface

From the Network>Routing>Routing Protocols page, click the Configure OSPF icon. A dialog will appear which will allow you to configure the OSPF for the Tunnel Interface. Click OK when you have finished configuring the OSPF settings.

Additional Configuration Scenarios

The following section contains procedures for configuring more advanced route-based VPN scenarios. This section includes the following subsections:

“Single Tunnel Interface Configuration Between Two Sites” section on page 12

“Multiple Tunnel Interface Configuration Between Two Sites” section on page 13

“Failover and Load Balancing” section on page 15


Single Tunnel Interface Configuration Between Two Sites

The following steps describe how to configure a single tunnel interface between two sites (Site A and Site B):

Step 1 On the first site’s network (Site A), create the first tunnel interface policy by navigating to the VPN > Settings screen. Select “Tunnel Interface” as the Policy Type, and fill in the Name for this interface. In this example, we have named our Site A interface “RTVPN1.”

Step 2 On the second site’s network (Site B), repeat Step 1 to create a Policy Type. For this Site B interface, we have named it “RTVPN2.”


Step 3 On the Site A appliance, navigate to the Network > Routing screen, and configure a static route from Site A to Site B, with Site A as the ‘Source’ and Site B being the ‘Destination.’

Step 4 On the Site B appliance, repeat step 3, with Site B as the ‘Source’ and Site A as the ‘Destination.’

Multiple Tunnel Interface Configuration Between Two Sites

The following steps describe how to configure multiple tunnel interfaces between two sites (Site A and Site B):


Step 2 For Site A’s second network (Network 2), create a tunnel interface policy by repeating Step 1. In this example, we have the Site A Network 2 interface named as “RTVPN3.”

Step 3 On Site B’s network, repeat Steps 1 & 2 to create a Policy Type for its two interfaces (Site B Network 1 and Site B Network 2). For the Site B Network 1 interface, we have named it “RTVPN2-X1.”


Step 4 On the Site A appliance, navigate to the Network > Routing screen, and configure a static route from Site A Network 1 (RTVPN 1) to Site B Network 1 (RTVPN2-X1), with Site A as the ‘Source’ and Site B being the ‘Destination.’

Step 5 Configure another static route from Site A Network 2 (RTVPN3) to Site B Network 2 (RTVPN2-X2), with Site A as the ‘Source’ and Site B being the ‘Destination.’

Step 6 Repeat Steps 4 and 5 for the Site B appliance, configuring a static route from Site B Network 1 (RTVPN2-X1) to Site A Network 1 (RTVPN 1) and another static route from Site B Network 2 (RTVPN2-X2) to Site A Network 2 (RTVPN 2), with Site B as the ‘Source’ and Site A as the ‘Destination’ for both routes.

Failover and Load Balancing

When the tunnel interfaces are bound to a physical interface, you can configure tunnel failover or traffic load balancing using static routing on additional routes. Follow the steps below to configure failover and load balancing for multiple tunnel interfaces between two sites:


For Site A Network 1 and Site B Network 1 with the interface as RTVPN3, add a tunnel interface with a metric lower than the static route for the same network with tunnel interface (10.8.23.208 for this example).

For Site A Network 2 and Site B Network 2 with the interface as RTVPN1, add a tunnel interface with a metric lower than the static route for the same network with tunnel interface (10.9.23.209, for this example).


For Site B Network 1 and Site A Network 1 with the interface as RTVPN2-X2, add a tunnel interface with a metric lower than the static route for the same network with tunnel interface (10.8.23.206 for this example).

For Site B Network 2 and Site A Network 2 with the interface as RTVPN2-X1, add a tunnel interface with a metric lower than the static route for the same network with tunnel interface (10.9.23.209, for this example).

Note When the high priority route is not available, the low priority route is used to forward the traffic to the destination network.

Step 3 Navigate to the Network > Routing screen to configure the following tunnel interface VPN Policy on Site A:

RTVPN1 bound to interface X1 for remote gateway 10.8.23.208.

RTVPN3 bound to interface X2 for remote gateway 10.9.23.209.

Step 4 Configure the following tunnel interface VPN Policy on Site B:

RTVPN2 bound to interface X1 for remote gateway 10.6.23.206.

RTVPN4 bound to interface X2 for remote gateway 10.7.23.207.

Step 5 Next, configure the following static routes on Site A:


For Site A Network 2 and Site B Network 2, configure the interface as RTVPN3.

Step 6 Repeat Step 5 to configure the following static routes on Site B:

For Site B Network 1 and Site A Network 1, configure the interface as RTVPN2.

For Site B Network 2 and Site A Network 2, configure the interface as RTVPN4.

Step 7 As the tunnel interfaces are bound to a physical interface and not to a zone, tunnel failover or traffic load balancing can be achieved using static routing.

Add the following additional routes on Site A:

For Site A Network 1 and Site B Network 1 with interface RTVPN3, configure a static route for the same network with tunnel interface RTVPN1. This is the static route you configured in Step 5.

For Site A Network 2 and Site B Network 2 with interface RTVPN1, configure a static route for the same network with tunnel interface RTVPN3. This is the static route you configured in Step 5.

Step 8 Add the following additional routes on Site B:

For Site B Network 1 and Site A Network 1 with interface RTVPN4, configure a static route for the same network with tunnel interface RTVPN2. This is the static route you configured in Step 6.

For Site B Network 2 and Site A Network 2 with interface RTVPN2, configure a static route for the


Mesh Configuration for Redundant Route-Based VPN Between Multiple Sites

Follow the steps to configure a mesh configuration for Site A, Site B, and Site C using the WAN interface X1:

Step 1 Configure the following tunnel interface VPN policy on Site A:

RTVPN1 bound to interface X1 for remote gateway 10.8.23.208 for traffic between Site A and Site B.

RTVPN3 bound to interface X1 for remote gateway 10.10.23.210 for traffic between Site A and Site C.

Step 2 Configure the following tunnel interface VPN Policy on Site B:

RTVPN2 bound to interface X1 for remote gateway 10.6.23.206 for traffic between Site A and Site B.

RTVPN4 bound to interface X1 for remote gateway 10.10.23.210 for traffic between Site B and Site C.

Step 3 Configure the following tunnel interface VPN Policy on Site C:

RTVPN5 bound to interface X1 for remote gateway 10.6.23.206 for traffic between Site A and Site C.

RTVPN6 bound to interface X1 for remote gateway 10.8.23.208 for traffic between Site B and Site C.

Note When the direct route between site A and B is not available, traffic can be forwarded from Site A to Site B, or vice versa, via the Site C network if the connection between site A to Site C and Site B to Site C is available.

Step 4 Next, configure static route on Site A:


For Site A Network and Site B Network, configure RTVPN 4 for traffic between Site A and Site B via Site C tunnel interface.

Step 5 Configure static route on Site B:

For Site B Network and Site A Network, configure RTVPN1 for traffic between Site A and Site B.

For Site B Network and Site C Network, configure RTVPN3 for traffic between Site B and Site C.

For Site B Network and Site A Network, configure RTVPN3 for traffic between Site A and Site B via Site C tunnel interface.

Step 6 Configure static route on Site C:

For Site C Network and Site A Network, configure RTVPN5 for traffic between Site A and Site C.

For Site B Network and Site C Network, configure RTVPN6 for traffic between Site B and Site C.

For Site A Network and Site B Network, configure RTVPN6 for traffic between Site A and Site B via Site C tunnel interface RTVPN5 and RTVPN6.

For Site B Network and Site A Network, configure RTVPN5 for traffic between Site A and Site B via Site C tunnel interface RTVPN5 and RTVPN6.
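The route selection that the Configuration Overview, Redundant Static Routes, Drop Tunnel Interface, Failover and Load Balancing, and Mesh Configuration sections describe, as an added Python model (example code written for this page, not SonicOS code or a SonicWALL tool). The tunnel names and remote gateway addresses are taken from the mesh Steps 1 to 3 above; the site LAN prefixes 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 are constructed for the example, and trying overlapping routes in ascending metric order while skipping any route whose tunnel is down is this model's simplification of the appliance's route policy lookup. The page names Drop_tunnelIf without describing it; the model treats a route to it as discarding matched traffic, which is what SonicOS provides that interface for, so traffic for a remote network is never sent out in cleartext via the default route once every tunnel to it is down.

```python
"""Model of route-based VPN route selection (added example, not SonicOS code)."""
from dataclasses import dataclass
import ipaddress

DROP_IF = "Drop_tunnelIf"  # drop tunnel interface named on the page
# Site LAN prefixes are constructed for this example; gateways follow the page.
NET = {"A": "192.168.1.0/24", "B": "192.168.2.0/24", "C": "192.168.3.0/24"}


@dataclass
class Tunnel:
    name: str            # tunnel interface policy name, e.g. "RTVPN1"
    bound_to: str        # physical interface whose address sources the packets
    remote_gateway: str  # peer WAN address
    up: bool = True      # tunnel established (keep-alive succeeding)


@dataclass
class Route:
    destination: str     # CIDR prefix; "0.0.0.0/0" is the default route
    interface: str       # tunnel name, DROP_IF, or a physical interface
    metric: int          # lower metric wins (this model's ordering assumption)


class Site:
    def __init__(self, name, wan_ip, local_net, tunnels, routes):
        self.name = name
        self.wan_ip = wan_ip
        self.local_net = ipaddress.ip_network(local_net)
        self.tunnels = {t.name: t for t in tunnels}
        self.routes = routes

    def select_interface(self, dst):
        """Egress interface for dst, or None. Overlapping routes are tried in
        metric order and a route whose tunnel is down is skipped, which is the
        failover the page describes; a Drop_tunnelIf route always matches."""
        dst_ip = ipaddress.ip_address(dst)
        for route in sorted(self.routes, key=lambda r: r.metric):
            if dst_ip not in ipaddress.ip_network(route.destination):
                continue
            tunnel = self.tunnels.get(route.interface)
            if tunnel is None or tunnel.up:  # physical, DROP_IF, or live tunnel
                return route.interface
        return None


def trace(sites, start, dst):
    """Follow the packet across tunnels until it is delivered, dropped,
    unroutable, or leaves a physical interface in cleartext."""
    by_wan = {s.wan_ip: s for s in sites.values()}
    site, path = sites[start], []
    for _ in range(len(sites) + 1):  # bounds a loop in a misconfigured mesh
        if ipaddress.ip_address(dst) in site.local_net:
            return "delivered", path
        iface = site.select_interface(dst)
        if iface is None:
            return "unroutable", path
        path.append(f"{site.name}:{iface}")
        if iface == DROP_IF:
            return "dropped", path
        tunnel = site.tunnels.get(iface)
        if tunnel is None:
            return "cleartext", path  # default route: unencrypted leak
        site = by_wan[tunnel.remote_gateway]  # decrypted at the peer
    return "loop", path


def build_mesh(drop_route=True):
    """Three-site mesh from the page's Steps 1-3 plus the static routes."""
    a_routes = [Route(NET["B"], "RTVPN1", 1),   # direct to B
                Route(NET["B"], "RTVPN3", 5),   # to B via C
                Route(NET["C"], "RTVPN3", 1),
                Route("0.0.0.0/0", "X1", 20)]   # Internet default route
    if drop_route:
        a_routes.append(Route(NET["B"], DROP_IF, 10))  # block B traffic when no tunnel
    return {
        "A": Site("A", "10.6.23.206", NET["A"],
                  [Tunnel("RTVPN1", "X1", "10.8.23.208"),
                   Tunnel("RTVPN3", "X1", "10.10.23.210")], a_routes),
        "B": Site("B", "10.8.23.208", NET["B"],
                  [Tunnel("RTVPN2", "X1", "10.6.23.206"),
                   Tunnel("RTVPN4", "X1", "10.10.23.210")],
                  [Route(NET["A"], "RTVPN2", 1), Route(NET["A"], "RTVPN4", 5),
                   Route(NET["C"], "RTVPN4", 1), Route("0.0.0.0/0", "X1", 20)]),
        "C": Site("C", "10.10.23.210", NET["C"],
                  [Tunnel("RTVPN5", "X1", "10.6.23.206"),
                   Tunnel("RTVPN6", "X1", "10.8.23.208")],
                  [Route(NET["A"], "RTVPN5", 1), Route(NET["B"], "RTVPN6", 1),
                   Route("0.0.0.0/0", "X1", 20)]),
    }


if __name__ == "__main__":
    sites = build_mesh()
    print("all tunnels up:      ", trace(sites, "A", "192.168.2.10"))
    sites["A"].tunnels["RTVPN1"].up = False
    print("direct A-B down:     ", trace(sites, "A", "192.168.2.10"))
    sites["A"].tunnels["RTVPN3"].up = False
    print("both A tunnels down: ", trace(sites, "A", "192.168.2.10"))
    leaky = build_mesh(drop_route=False)
    for t in leaky["A"].tunnels.values():
        t.up = False
    print("same, no drop route: ", trace(leaky, "A", "192.168.2.10"))
```

Run the module directly for a short walk-through: with every tunnel up Site A reaches Site B over RTVPN1; with RTVPN1 down the higher-metric route hands the traffic to RTVPN3 and Site C forwards it over RTVPN6, which is the transit path the mesh note describes. The last scenario is the failure mode worth noticing: without a Drop_tunnelIf route, traffic for the Site B LAN silently leaves X1 unencrypted once both tunnels are down, and the drop route is what stops that. The same check applies to Site C's LAN in this model, which has no drop route, so verifying every remote network has one is a useful review step.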

Solution Document Version History

Version Number  Date       Notes
1               6/24/2009  This document was created by A. Mendoza.
2               7/20/2009  Incorporated feedback from N. Kulshreshtha.
3               7/20/2009  Incorporated feedback from P. Lydon.
4               7/27/2009  Incorporated feedback from N. Kulshreshtha.
5               8/14/2009  Incorporated feedback from N. Kulshreshtha and N. Baumen.
6               8/10/2011  Incorporated feedback from N. Kulshreshtha.
