Global VPN Client IP Assignment Using The Sonicwall Appliance

This article will step through configuring a SonicWALL appliance to utilize an internal DHCP server for Global VPN Client (GVC) hosts.  There are times when using an external (external to the SonicWALL) DHCP server, such as Windows Servers, isn’t practical for one reason or another.

This article assumes the WAN GlobalVPN VPN policy has already been configured and is functioning.  Additionally, this article is in two parts:

Part One will use an already configured WLAN zone for assigning IP addresses to GVC hosts.
Part Two will walk through setting up the WLAN zone if not already configured.


Part One – Set Up DHCP for GVC Hosts Utilizing The WLAN Zone


NOTE: It is assumed that WLAN already has access to LAN and LAN to WLAN.

What you’ll need to know:
- The IP address assigned to the interface the WLAN zone is assigned to.

1. Login to the SonicWALL appliance and go to VPN > DHCP over VPN.

2. Confirm Central Gateway is selected in the drop down and click Configure (See Image 1 Below).



3. Check the following boxes:
    - Use Internal DHCP Server
    - For Global VPN Client

4. In the Relay IP Address text box, type the IP address assigned to the interface the WLAN zone is assigned to.  See Image 2 below for the final settings.  Once the settings are completed, click OK.



5. Once completed, establish a VPN connection and confirm the IP address is assigned from the DHCP scope assigned to the WLAN zone.


Part Two: Setting Up DHCP For GVC Hosts When WLAN Hasn’t Been Configured

What you’ll need:
- An IP subnet that isn’t currently being utilized on the internal network.
- An available interface on the SonicWALL

1. Click Network > Interface and edit an available Interface that isn’t being utilized for another purpose.  For this article, I have selected the X3 interface.

2. Select the WLAN zone in the Zone drop down (See Image 3 Below).



3. Give the interface an IP address.  For this article, I have chosen 10.10.10.20 (See Image 4 Below).



4. Click OK.  You’ll get a prompt regarding the management interface.  Disregard this message as the management interface is configured on the LAN interface.

5. Click Network > DHCP Server.  Once the WLAN zone settings are saved to the Interface, the SonicWALL appliance automatically creates a new DHCP scope specifically for hosts connected to the X3 interface (or whichever Interface was chosen).

6. Edit the new DHCP scope and modify the Start and End IP range if the default is not acceptable.

7. Click the DNS/WINS tab.  If you desire your GVC hosts to resolve hosts on the LAN network, you’ll need to enter the Active Directory domain (if utilized) and internal DNS servers.  Also, if you have any WINS servers, you’ll need to enter those here too.

8. Once configured, click OK.

9. Click VPN > DHCP over VPN.

10. Confirm Central Gateway is selected in the drop down and click Configure (See Image 1 Below).



11. Check the following boxes:

    - Use Internal DHCP Server
    - For Global VPN Client

12. In the Relay IP Address text box, type the IP address assigned to the interface the WLAN zone is assigned to.  See Image 2 below for the final settings.  Once the settings are completed, click OK.



13. Now, we need to confirm Firewall Access between the WLAN <-> LAN zones.  Click Firewall > Access Rules (See Image 5 Below).



14. The default View Style is Matrix.  Click the WLAN > LAN matrix intersection to see the rules affecting this traffic.

15. See the screen shot below to see the default rule.  The rule in my screen shot is Allow, but the default MAY be Deny.  Click Edit to bring up the particulars of the Access Rule.  In the Action section, click the Allow radio button and click OK (See Image 6 Below).



16. Click the LAN > WLAN matrix intersection to confirm the default rule is configured to allow traffic.  If it is not, use the procedure in Step 15 to change it to Allow.  Otherwise, proceed to the next step.

17. Now, establish a VPN connection and confirm the IP address is assigned from the DHCP scope assigned to the WLAN zone.
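
As an added example (not part of the original article), this Python sketch checks a Part Two address plan before it is entered in the SonicWALL UI, and checks the address a GVC host reports in steps 5 and 17 against the scope. Only 10.10.10.20 comes from the article; the /24 prefix, the scope range and the list of existing subnets are constructed sample values, and the function names are hypothetical.

```python
import ipaddress


def check_gvc_dhcp_plan(iface_ip, prefix_len, scope_start, scope_end, existing_subnets):
    """Return a list of problems found in a planned WLAN-zone subnet and DHCP scope."""
    problems = []
    net = ipaddress.ip_interface(f"{iface_ip}/{prefix_len}").network
    relay = ipaddress.ip_address(iface_ip)  # value typed into "Relay IP Address"
    start = ipaddress.ip_address(scope_start)
    end = ipaddress.ip_address(scope_end)

    # Part Two prerequisite: the subnet must not already be used internally.
    for cidr in existing_subnets:
        if net.overlaps(ipaddress.ip_network(cidr, strict=False)):
            problems.append(f"{net} overlaps existing subnet {cidr}")

    # Step 6: the Start/End range has to be ordered and inside the interface subnet.
    if start > end:
        problems.append(f"scope start {start} is after scope end {end}")
    if start not in net or end not in net:
        problems.append(f"scope {start}-{end} is not inside {net}")

    # Plan check (an assumption here, not a documented SonicWALL rule): keep the
    # interface/relay address out of the range handed to clients.
    if start <= relay <= end:
        problems.append(f"relay address {relay} is inside the scope")
    return problems


def lease_from_scope(client_ip, scope_start, scope_end):
    """Steps 5 and 17: was the GVC virtual adapter's address issued from the scope?"""
    ip = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(scope_start) <= ip <= ipaddress.ip_address(scope_end)


if __name__ == "__main__":
    # 10.10.10.20 is the article's X3 address; everything else is constructed.
    print(check_gvc_dhcp_plan("10.10.10.20", 24, "10.10.10.100", "10.10.10.200",
                              ["192.168.0.0/24"]))
    print(lease_from_scope("10.10.10.150", "10.10.10.100", "10.10.10.200"))
```

An empty list from `check_gvc_dhcp_plan` means the plan passed every check; a client address that fails `lease_from_scope` indicates the lease came from a different DHCP source than the WLAN-zone scope.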
Author:digitap
8 Comments
 
 

Administrative Comment

by:Glen Knight
Hi digitap,
I merely changed the first point in the second section from a number 1 to so that it was in line with the rest, the remainder carried on from this.

I see you have renumbered them so this is fine.

I will await your images.

Thanks
demazter
EE Page Editor
 
 

Administrative Comment

by:Glen Knight
No worries, you did all the hard work.  You made my job easy! ;)
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
This article is exactly what I'm trying to do.  The Global VPN Client test system establishes a VPN link successfully.  It gets to "Acquiring IP Address" and then nothing.  The firewall shows that the link is up, and an IP has been assigned from the correct DHCP scope (I happen to be using Interface X5 for WLAN).  But the client never receives the IP address.  I've been messing with this all morning and can't figure it out.

Anyone have any ideas why the allocated IP isn't reaching the VPN client?
 
LVL 33

Author Comment

by:digitap
What does the log of the GVC say?
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
Everything in the GVC client log looks good up to the point "Renewing IP address for the virtual interface [MAC address]".  It sits there and eventually times out with "Failed to renew the IP address for the virtual interface".  While that timeout is going on, the firewall shows the VPN link is up and traffic is moving in both directions.  An IP has been allocated from the correct scope for the WLAN interface.  But the client never seems to receive it.
 
LVL 33

Author Comment

by:digitap
Hmmm. I'd probably want to see some screen shots of the configuration as you have it, but that's hard to do here and should be in a question.

Are the subnets between the two different? Is the local subnet different than the subnet being assigned by the X5 DHCP scope on the Sonicwall?
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
The LAN subnet is good old 192.168.0.0/24.  I can honestly blame a previous admin for that.

The fabricated X5 subnet is 10.0.69.0/24.  The X5 Interface is 10.0.69.1.  DHCP Scope for that is 10.0.69.10 thru .99.

If I change the "DHCP over VPN" properties so the client obtains an IP from our LAN DHCP server, everything is fine.  But the whole point of this exercise is to get the VPN clients off the pesky 192.168.0.0 subnet.

Perhaps interestingly, I have a different DHCP scope for L2TP Pool.  If the client connects from some standard L2TP VPN client, it works fine.

I may have to post this as a new question...  It seems like I'm very close to getting this to work but some small detail isn't right yet.
 
LVL 33

Author Comment

by:digitap
Let me know if you do. I've been on an EE vacation as I've had some life changes, new baby, that has left me too busy for EE. I don't get updates on new questions at the moment.