SonicWALL Pro 3060 firewall, SonicOS Enhanced, Global VPN Client x86 (all up to date). Test client is XP Pro x86 with all updates.
Interface X0 = LAN
X1 = WAN
X2 = DMZ
X3 = WAN Failover
X4 = Guest WiFi
X5 = Unused
When a GVPN client connects, they're assigned an IP address from our internal LAN. Unfortunately that network is 192.168.0.0/24. Occasionally there's a clash with remote VPN connections, usually a home network that has the same 192.168.0.0 address.
I want the GVPN users to obtain an IP from a DHCP scope defined on the firewall. Let's say that scope is 10.0.50.10 through .99.
This EE Article seems to directly address my situation. I've applied its concepts, using Interface X5 for a new "fake" subnet, 10.0.50.0/24. The X5 interface is assigned IP 10.0.50.1. I assigned the X5 interface to zone WLAN. A new DHCP scope was created automatically.
Then I changed the DHCP Over VPN properties on the firewall so GVPN clients obtain their IP from the firewall, with IP Relay Address 10.0.50.1 (X5). I even connected a 10/100 switch to port X5 so the firewall wouldn't see that interface as having "no link".
When the GVPN client connects they get through all the Phase 1 and Phase 2 negotiation stuff successfully. No errors. The firewall shows a VPN tunnel, and it shows an IP assigned to the client from the correct DHCP scope.
But the client does not receive the IP address. It sits there waiting for an IP but never receives one. It finally times out. I spent the better part of the day today messing with this and I cannot get the IP to the client.
If the same remote client uses a standard L2TP VPN client, like Windows, OS X Lion, or even iOS 5.0, they are successfully assigned an IP from the L2TP Address Pool, also on the firewall. That pool is not on our LAN subnet, so everything is good.
And as I mentioned before, if the firewall config says for the GVPN client to obtain an IP address from our LAN DHCP server, that also works fine. But that's not the IP I want these clients to be using.
The obvious answer is "Don't use the SonicWALL VPN Client". Well, I have a few users who claim it's more reliable than other methods and doesn't ever drop the connection. That may or may not be true, but that's what they say. It's also much easier for users to set up themselves (with minimal coaching from IT).
Can anyone tell me what I'm missing? I feel like I'm very close to making this work but some piece of the technical puzzle isn't in place.