Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Global VPN Client IP Assignment Using The Sonicwall Appliance

Published:
This article will step through configuring a SonicWALL appliance to utilize an internal DHCP server for Global VPN Client (GVC) hosts.  There are times when using an external (external to the SonicWALL) DHCP server, such as Windows Servers, isn’t practical for one reason or another.

This article assumes the WAN GlobalVPN VPN policy has already been configured and is functioning.  Additionally, this article is in two parts:

Part One will use an already configured WLAN zone for assigning IP addresses to GVC hosts.
Part Two will walk through setting up the WLAN zone if not already configured.


Part One – Setup DHCP for GVC Hosts Utilizing The WLAN Zone


NOTE: It is assumed that WLAN already has access to LAN and LAN to WLAN.

What you’ll need to know:
- The IP address assigned to the interface the WLAN zone is assigned to.

1. Login to the SonicWALL appliance and go to VPN > DHCP over VPN.

2. Confirm Central Gateway is selected in the drop down and click Configure (See Image 1 Below).



3. Check the following boxes:
    - Use Internal DHCP Server
    - For Global VPN Client

4. In the Relay IP Address text box, type the IP address assigned to the interface the WLAN zone is assigned to.  See Image 2 below for the final settings.  Once the settings are completed, click OK.



5. Once completed, establish a VPN connection and confirm the IP address is assigned from the DHCP scope assigned to the WLAN zone.


Part Two: Setting Up DHCP For GVC Hosts When WLAN Hasn’t Been Configured

What you’ll need:
- Identify a IP subnet that isn’t currently being utilized on the internal network.
- An available interface on the SonicWALL

1. Click Network > Interface and edit an available Interface that isn’t being utilized for another purpose.  For this article, I have selected the X3 interface.

2. Select the WLAN zone in the Zone drop down (See Image 3 Below).



3. Give the interface an IP address.  For this article, I have chosen 10.10.10.20 (See Image 4 Below).



4. Click OK.  You’ll get a prompt regarding the management interface.  Disregard this message as the management interface is configured on the LAN interface.

5. Click Network > DHCP Server.  Once the WLAN zone settings are saved to the Interface, the SonicWALL appliance automatically created a new DHCP scope specifically for hosts connected to the X3 interface (or, whichever Interface was chosen).

6. Edit the new DHCP scope and modify the Start and End IP range if the default is not acceptable.

7. Click the DNS/WINS tab.  If you desire your GVC hosts to resolve hosts on the LAN network, you’ll need to enter the Active Directory domain (if utilized) and internal DNS servers.  Also, if you have any WINS servers, you’ll need to enter those here too.

8. Once configured, click OK.

9. Click VPN > VPN Over DHCP.

10. Confirm Central Gateway is selected in the drop down and click Configure (See Image 1 Below).



11. Check the following boxes:

    - Use Internal DHCP Server
    - For Global VPN Client

12. In the Relay IP Address text box, type the IP address assigned to the interface the WLAN zone is assigned to.  See  Image 2 below for the final settings.  Once the settings are completed, click OK.



13. Now, we need to confirm Firewall Access between the WLAN <-> LAN zones.  Click Firewall > Access Rules (See Image 5 Below).



14. The default View Style is Matrix.  Click the WLAN > LAN matrix intersection to see the rules affecting this traffic.

15. See the screen shot below to see the default rule.  The rule in my screen shot is Allow, but the default MAY be Deny.  Click Edit to bring up the particulars of the Access Rule.  In the Action section, click the Allow radio button and click OK (See Image 6 Below).



16. Click the LAN > WLAN matrix intersection to confirm the default rule is configured to allow traffic.  Use the procedure in Step 15 to change this to allow.  Otherwise, proceed to the next step.

17. Now, establish a VPN connection and confirm the IP address is assigned from the DHCP scope assigned to the WLAN zone.
4
17,407 Views

Comments (8)

Top Expert 2010

Author

Commented:
What does the log of the GVC say?
Everything in the GVC client log looks good up to the point "Renewing IP address for the virtual interface [MAC address]".  It sits there and eventually times out with "Failed to renew the IP address for the virtual interface".  While that timeout is going on, the firewall shows the VPN link is up and traffic is moving in both directions.  An IP has been allocated from the correct scope for the WLAN interface.  But the client never seems to receive it.
Top Expert 2010

Author

Commented:
Hmmm. I'd probably want to see some screen shots of the configuration as you have it, but that's hard to do here and should be in a question.

Are the subnets between the two different? Is the local subnet different than the subnet being assigned by the X5 DHCP scope on the Sonicwall?
The LAN subnet is good old 192.168.0.0/24.  I can honestly blame a previous admin for that.

The fabricated X5 subnet is 10.0.69.0/24.  The X5 Interface is 10.0.69.1.  DHCP Scope for that is 10.0.69.10 thru .99.

If I change the "DHCP over VPN" properties so the client obtains an IP from our LAN DHCP server, everything is fine.  But the whole point of this exercise is to get the VPN clients off the pesky 192.168.0.0 subnet.

Perhaps interestingly, I have a different DHCP scope for L2TP Pool.  If the client connects from some standard L2TP VPN client, it works fine.

I may have to post this as a new question...  It seems like I'm very close to getting this to work but some small detail isn't right yet.
Top Expert 2010

Author

Commented:
Let me know if you do. I've been on a EE vacation as I've had some life changes, new baby, that has left me too busy for EE. I don't get updates on new questions at the moment.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community