How to allow iPad to VPN into network through Sonicwall NSA 240

Posted on 2013-11-18
Last Modified: 2014-01-14
I have been trying to configure my SonicWall NSA 240 to allow an iPad to VPN into our network so it can access some of our network resources. I found an article that shows how to configure the L2TP protocol to connect to our network via VPN, which worked, but it connects to the incorrect subnet and therefore the iPad cannot access our network. How can I configure the connection to connect to the correct subnet (e.g. 192.168.0.XXXX)? Below is the article I used.

Create a VPN on your iPad, iPhone or iPod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance
This article will easily explain how to configure your Apple iPad, iPhone or iPod Touch to access your network by using the SonicWALL WAN GroupVPN Security Association and the built-in L2TP server.  This relates to SonicOS Enhanced version 5.2.x (or newer) firmware.
Access is granted to the LAN behind via the SonicWALL appliance.  You do not need a third party L2TP server solution.
How to configure your SonicWALL L2TP VPN server
Follow these easy steps in order:
1 - Login to your SonicWALL NSA UTM appliance as the Administrator in Configuration Mode.
 
2 - Navigate to Network and Address Objects
3 - Add the following Address Object:
Name: iPad L2TP Subnet (or another name you wish to identify with)
Zone Assignment: VPN
Type: Network
Network: 10.99.79.0 - This is the new network subnet that we will assign purely for L2TP connections.  It should NOT be a subnet range in use on your network.  You do not need to use this address; we have selected it for display purposes.
Netmask: 255.255.255.0 - We have chosen to use a Class C subnet.
 
4 - Click OK to add the Address Object
5 - From the SonicWALL NSA menu select Users and Settings
6 - Ensure that Local Users are available.  If you already have LDAP or RADIUS ensure that + Local Users is selected.  This ensures you can use your Local User database on the SonicWALL (covered later).
7 - From the SonicWALL NSA menu navigate to VPN and L2TP Server.
8 - Enable the L2TP server and click on Configure.  Set the details as follows:
Keep alive time (secs): 60
DNS Server 1: 192.168.168.1 (well, obviously use your internal DNS server)
DNS Server 2: 192.168.168.2 (again this is for display purposes - if you have a second DNS server, use it)
WINS Server 1: 0.0.0.0 (or enter your WINS IP address here)
WINS Server 2: 0.0.0.0 (as above)
Select Use the Local L2TP IP Pool
Start IP: 10.99.79.1 (this is the start IP of the L2TP network you created earlier)
End IP: 10.99.79.10 (this is the end IP of the L2TP network you created earlier)
User group for L2TP users: Trusted Users (or Everyone if you prefer)
 
9 - From the SonicWALL NSA menu, whilst still in VPN select Settings
10 - Configure the WAN GroupVPN policy with the following settings:
General Tab
Shared Secret: password (well, enter your password here)
 
Proposals Tab
IKE (Phase 1) Proposal
DH Group:  Group 2
Encryption:  3DES
Authentication:  SHA1
Life Time (seconds):  28800
Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption:  3DES
Authentication:  SHA1
Enable Perfect Forward Secrecy:  Disabled
Life Time (seconds):  28800
 
Advanced Tab
Enable Windows Network (NetBIOS) Broadcast:  Enabled
Enable Multicast:  Disabled
Management via this SA:  Unchecked for both HTTP and HTTPS
Default LAN Gateway:  Public (WAN) IP address of the SonicWALL appliance
Require Authentication of VPN Clients via XAUTH:  Enabled
User Group for XAUTH Users:  Trusted Users (or Everyone)
Allow Unauthenticated VPN Client Access:  Disabled
 
Client Tab
Cache XAUTH User Name and Password on Client:  Always
Virtual Adapter settings:  DHCP Lease
Allow Connections to:  This Gateway Only
Set Default Route as this Gateway:  Enabled
Apply VPN Access Control List:  Disabled
Use Default Key for Simple Client Provisioning: Disabled
 
11 - Returning to the SonicWALL appliance menu, and still in VPN, select DHCP over VPN
12 - Select Central Gateway and click on Configure and ensure the following:
Use Internal DHCP Server:  Enabled
For Global VPN Client:  Enabled
For Remote Firewall:  Disabled
Send DHCP requests to the server address listed below:  Disabled
Relay IP Address (Optional):  0.0.0.0
 
13 - From the SonicWALL menu navigate to Firewall and Access rules
14 - Select VPN to WAN from the matrix or drop down menu and add the following rule:
Action:  Allow
From Zone:  VPN
To Zone:  WAN
Service:  ANY
Source:  WAN RemoteAccess Networks
Destination:  ANY
Users Allowed:  All
Schedule:  Always on
 
15 - From the SonicWALL menu navigate to Network and NAT Policies
16 - Add the following NAT Policy:
Original Source:  iPad L2TP Subnet (or whatever you created in Step 3)
Translated Source:  WAN Primary IP (usually X1 IP)
Original Destination:  Any
Translated Destination:  Original
Original Service:  Any
Translated Service:  Original
Inbound Interface:  Any
Outbound Interface:  X1 (your WAN interface)
 
17 - From the SonicWALL NSA menu navigate to Users and Local Users
18 - Create a new user (if one doesn't exist) and then select the VPN Access tab and add the following objects:
LAN Subnets
WAN RemoteAccess Networks
iPad L2TP Subnet (or whatever you called the Address Object that you created in step 3)
NOTE: You can add these networks to the Trusted Users or Everyone list if you wish - or individually for users.  You must also add any other Address Objects to which you may require access here.  We have used the basic LAN Subnets for access to the LAN above for demonstrative purposes.
19 - Click on OK to add the user
That's your SonicWALL appliance ready! Now go to Part 2: Setup your iPad / iPhone / iPod Touch
 
This article will easily explain how to configure your Apple iPad, iPhone or iPod Touch to access your network by using the SonicWALL WAN GroupVPN Security Association and the built-in L2TP server.  This relates to SonicOS Enhanced version 5.2.x (or newer) firmware.
(You must have completed Part 1 here)
iPad / iPhone / iPod Touch Configurations
1:  From the Home Screen navigate to the Settings icon
2:  Select the General option
3:  Select Network
4:  Select VPN
5:  Select Add VPN Configuration
6:  Ensure that L2TP is selected.  This is the only option you want.
7:  Fill out the Add Configuration fields as follows:
Description - This is a name of your choosing that identifies the VPN connection to you (you can have more than one L2TP VPN connection setup).
Server - This is the WAN IP address of your SonicWALL NSA UTM appliance.
Account - This is the user account you created on the SonicWALL NSA appliance under Local Users.
RSA SecurID - Ensure that this is turned OFF.
Password - This is the password you set up for the account listed above.  You can choose not to enter a password here, which means that the iPad / iPhone / iPod Touch will ask you to enter it every time you establish a connection.
Secret - This is the GroupVPN pre-shared secret you have setup.
Send All Traffic - Turn OFF.  You can turn on if you wish to send all your internet traffic through your L2TP connection also.  Leaving it off sends internet traffic over your wireless / 3G connection and only traffic destined for your network via the L2TP VPN.  Some configurations we have noted need to have this turned on no matter what.
Now press Save to store the configuration on your device.
8:  Your configuration will now appear and you can slide the VPN option to ON.  Your iPad / iPhone / iPod Touch will begin communicating with the SonicWALL and, upon a successful connection, will display a VPN icon on the top bar (usually left on the iPad and on the right on the iPhone / iPod Touch).
Enjoy!
Question by:tparus
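The article's rule that the L2TP pool must be its own subnet, outside anything in use on the LAN, and that the user's VPN Access list (step 18) must contain both the LAN and the L2TP subnet, is easy to check before touching the appliance. This is an added example, not SonicWALL code or the article's own; the L2TP values are the article's and the asker's LAN is assumed to be 192.168.0.0/24.

```python
"""Sanity-check an L2TP address object, IP pool and VPN Access list.

Added example (not SonicWALL code). Models the article's step 3 address
object, step 8 local L2TP IP pool and step 18 VPN Access entries.
All values are constructed; the LAN 192.168.0.0/24 is an assumption.
"""
import ipaddress

# Address-object names exactly as the article creates them (constructed)
REQUIRED_ACCESS = {"LAN Subnets", "iPad L2TP Subnet"}


def check_l2tp_config(l2tp_subnet, pool_start, pool_end,
                      lan_subnets, vpn_access_list, max_clients=None):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    net = ipaddress.ip_network(l2tp_subnet, strict=False)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)

    # Step 8: the pool must sit inside the step 3 address object and be a sane range
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is outside L2TP subnet {net}")
    elif end < start:
        problems.append(f"pool end {end} precedes pool start {start}")
    elif start == net.network_address or end == net.broadcast_address:
        problems.append("pool uses the network or broadcast address")

    # Step 3: the L2TP subnet must NOT be a range already in use on the LAN
    for lan in lan_subnets:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if net.overlaps(lan_net):
            problems.append(f"L2TP subnet {net} overlaps LAN subnet {lan_net}")

    # Step 18: the user needs both the LAN and the L2TP subnet in VPN Access
    missing = REQUIRED_ACCESS - set(vpn_access_list)
    if missing:
        problems.append("VPN Access list missing: " + ", ".join(sorted(missing)))

    # Optional capacity check: each concurrent client consumes one pool address
    pool_size = int(end) - int(start) + 1
    if max_clients is not None and pool_size < max_clients:
        problems.append(f"pool holds {pool_size} addresses, "
                        f"fewer than {max_clients} expected clients")
    return problems


if __name__ == "__main__":
    # The article's values checked against the assumed LAN
    for p in check_l2tp_config("10.99.79.0/24", "10.99.79.1", "10.99.79.10",
                               ["192.168.0.0/24"],
                               ["LAN Subnets", "WAN RemoteAccess Networks",
                                "iPad L2TP Subnet"]):
        print("PROBLEM:", p)
```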
12 Comments

Expert Comment by: carlmd
In step 18 above did you have what you want to access configured in LAN subnets?

What network do you connect to?

I suspect you have not set the correct subnet in the access list.

Expert Comment by: Aaron Tomosky
For iOS devices the SSL VPN and free app work really well and setup is simple. I find the performance of SSL VPN for OS X and Windows laptops to be lacking, but use it on all my iOS devices as it's fast for those for some reason. I Remote Desktop through it from my iPad all the time.

http://community.spiceworks.com/topic/249205-how-to-setup-vpn-on-sonicwall-tz210

Author Comment by: tparus
Yes, I added the correct subnets to the access list. When it connects, it connects to the router subnet, which is the public IP, and never gets further than that. I can see when the user connects via VPN and the logs show that he connected successfully; however, when he tries to access our network the process times out and does not connect. I have played with the access list and removed all except the LAN subnet, but it still connects to the public IP subnet.

Expert Comment by: diprajbasu
You can download SonicWALL Mobile Connect.
The step-by-step guide is given there.
Just follow the download link below.

http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=482

Expert Comment by: diverseit
Hi tparus,

Unless you have specific internal requirements, L2TP is an old-school way to allow mobile connectivity. The newer preferred way is to set up SSL-VPN; then all mobiles can download SonicWALL's Mobile Connect from the appropriate mobile App Stores for iOS devices and Androids to connect using the SSL-VPN. As @aarontomosky pointed out, it's free and works terrifically.

What is your current firmware version? With your model the latest release is SonicOS 5.9.0.2.107o.

What is the iOS version you are trying to connect with? Do you have varying iOS versions in the field or are they all standardized?

Here's a step-by-step on the SSL-VPN setup for SonicOS Enhanced 5.2 - 5.8.x:

1. Setup the SSL-VPN Zone

Login to the SonicWALL and go to SSL-VPN > Server Settings page and enable the WAN Zone. The default port is 4433.

NOTE: In older SonicOS versions the SSL-VPN Zones settings are available under SSL-VPN > Client Settings page.

SSL-VPN can only be connected using interface IP addresses. By default SSL-VPN is enabled on the WAN zone and users can connect to it using the WAN interface IP address. Likewise for other zones and, if enabled, can only be connected using the interface IP address.

The SSL VPN > Portal Settings page is used to configure the appearance and functionality of the SSL VPN Virtual Office web portal. The Virtual Office portal is the website that uses a login to launch NetExtender.

2. Client Settings

The SSL VPN > Client Settings page allows you to configure the client address range information and NetExtender client settings. The most important being where the SSL-VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients. Finally, select from where users should be able to login (probably, this will be the WAN, so just click on the WAN entry):

NOTE: For SonicOS Enhanced +5.5, NetExtender cannot be terminated on an interface that is paired to another interface using L2 Bridge Mode. This includes interfaces bridged with a WLAN interface. Interfaces that are configured with L2 Bridge Mode are not listed in the "SSLVPN Client Address Range" Interface drop-down menu. For NetExtender termination, an interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of "Static".

Configuring NetExtender Client Settings: Enable the option Create Client Connection Profile - The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.

3. Client Routes

The SSL VPN > Client Routes page allows you to control the network access allowed for SSL VPN users. The NetExtender client routes are passed to all NetExtender clients and are used to govern which private networks and resources remote user can access via the SSL VPN connection.

NOTE: All clients can see these routes. Also, here you may enable/disable “Tunnel All Mode” (this is the equivalent of “This gateway only” option while configuring GroupVPN).

4. Local Users

Under Users > Local users, ensure that the relevant user or user group is a member of the “SSLVPN Services” group:
      Groups Tab: To setup membership for individual users
      Members Tab: To setup membership for local or LDAP user group, edit the SSLVPN Services user group and add the user group under the Members tab

VPN Access Tab: To allow users to access networks using a VPN tunnel, select one or more networks from the Networks list and click the arrow button -> to move them to the Access List. To remove the user's access to a network, select the network from the Access List and click the left arrow button <-.

NOTE: The SonicOS has now created a new Zone under Firewall > Access Rules, named SSLVPN zone. Additionally, Access Rules are auto-created from and to SSLVPN zone from other zones. Optionally, you could modify the auto-created SSLVPN to LAN rule to allow access only to those users that are configured (recommended to use single rule with groups rather than multiple rules with individual users). Ignore any warning that login needs to be enabled from SSLVPN zone.

Prior to SonicOS Enhanced 5.6, the “VPN access list” that we normally use for GVC VPNs has no effect. You control access using the firewall rules.

5. Enable User Login

Go to the WAN interface and ensure HTTPS user login is enabled. I'd be happy to troubleshoot L2TP for iOS, but honestly Mobile Connect is a better solution for compatibility and ease of use for user deployment as well. Let me know if you have any questions!

Author Comment by: tparus
OK, so I tried the SSL VPN connection and maybe it would work, but when I go to my public IP I get my OWA login screen. I assume I will need to use one of the other public IP addresses we have, but how would I configure the router to have the SSL VPN connection go through that IP?

Accepted Solution by: diverseit (earned 500 total points)
OK, so I tried the SSL VPN connection and maybe it would work
What does that mean? Did it work or not?

Getting the OWA page instead of the SonicWALL management page is by design I'd assume. You have Exchange running internally, correct? OWA is open for port 80 (possibly for IIS redirects) and 443 so that your users can access OWA. So if you have remote management enabled on the SonicWALL and you are trying to access the SonicWALL's remote management on the default ports (80 & 443), that would be why you are being directed to OWA instead. The HTTPS service cannot be used with the SonicWALL's WAN IP address to pass traffic to an internal web server (e.g. Exchange) when allowing remote administrative access. Regular HTTPS rules can be written for an HTTPS server using any other WAN IP address or you need to change the default ports for SonicWALL management access. Also, the SonicWALL will not respond to HTTP/HTTPS management traffic on a published Static ARP IP address.

The simplest way to fix this is to just change the management ports in the SonicWALL, here's how:
The SonicWALL uses default ports of 80 (HTTP) and 443 (HTTPS) for management. These can be changed by logging into the UTM appliance using a web browser, under the System > Administration page; make sure that the new management ports don't conflict with any of the ports that the firewall is listening on. Here are some examples of unused ports (8080 for your new HTTP, 444 for your new HTTPS, etc.) but, again, they can be whatever you like as long as they are not being used in another instance of port forwarding. Be sure to click Apply at the top of the page to make sure the changes are saved.

You must include the port number when you use the IP address to log into the SonicWALL security appliance. For example, if you configure the HTTP Management port to be 444, then you must type :444 into the Web browser, e.g. https://1.1.1.1:444. This will also add another layer of security for logging into the SonicWALL security appliance by changing the default port.

SSL-VPN should be on port 4433 by default, which is intended to avoid conflict like you experienced above with OWA and SonicWALL remote mgmt.

Author Comment by: tparus
I am confused. You talk about the management port for the SonicWall, which is not what I am trying to accomplish. I am trying to get the SSL-VPN connection to work so that a user can get on our LAN. By what you are saying above, I will need to change the management ports on the SonicWall so that it does not use the current SSL port. OWA is configured to connect to the SSL port via certificate so that my users can see their emails remotely. I also have GVPN connecting to the same public IP and it works just fine, so I feel like I am missing something. If I change the SSL port for the management console, will that work for the SSL-VPN?

Assisted Solution by: diverseit (earned 500 total points)
OK, let me break this down for you,

SSL-VPN should be on port 4433. Yours may be on 443 as well.
OWA will have port forwarding on port 443.
Remote management will be on port 443 by default. If you do not have management enabled on the WAN then you can disregard changing its ports and just focus on changing the SSL-VPN ports.

See the conflict?

To resolve simply:
1. Change SSL-VPN port from whatever it is to 4433 (which is incidentally the default) by going to SSL VPN >Server Settings > SSL VPN Port:.
2. Change the management ports from HTTP (80) & HTTPS (443) to HTTP (8080) and HTTPS (4444) by going to System > Administration > Web Management Settings.

In order to login to the SSL-VPN you need to use Server: <public_IP>:4433
And I'm assuming you have already setup the users properly. If not let me know and I'll provide instruction for that as well.

Make sense?
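The collision diverseit describes (OWA port-forward, HTTPS management and SSL-VPN all claiming TCP 443 on one WAN IP) and the port moves that resolve it can be audited from a listener table before changing the appliance. This is an added example, not SonicWALL code; the listener table and the documentation IP 203.0.113.10 are constructed.

```python
"""Flag TCP port collisions on a single firewall WAN IP and apply the fix.

Added example, not SonicWALL code. Listener table is constructed from the
thread: OWA forwarded on 443, management on 80/443, SSL-VPN also on 443.
"""
from collections import defaultdict

# (service, protocol, port) claims on the public WAN IP before the fix
BEFORE = [
    ("owa-port-forward", "tcp", 443),
    ("https-management", "tcp", 443),
    ("http-management", "tcp", 80),
    ("ssl-vpn", "tcp", 443),
]

# Port moves from the assisted solution: SSL-VPN to 4433, management to 8080/4444
FIX = {"ssl-vpn": 4433, "https-management": 4444, "http-management": 8080}


def find_port_conflicts(listeners):
    """Map (protocol, port) to the services claiming it when more than one does."""
    claims = defaultdict(list)
    for service, proto, port in listeners:
        claims[(proto, port)].append(service)
    return {key: names for key, names in claims.items() if len(names) > 1}


def apply_port_moves(listeners, moves):
    """Return a new listener table with the named services moved to new ports."""
    return [(svc, proto, moves.get(svc, port)) for svc, proto, port in listeners]


def client_server_field(public_ip, listeners, service="ssl-vpn"):
    """The Server value a Mobile Connect user enters: <public_IP>:<ssl-vpn port>."""
    port = next(p for s, _, p in listeners if s == service)
    return f"{public_ip}:{port}"


if __name__ == "__main__":
    print("conflicts before:", find_port_conflicts(BEFORE))
    after = apply_port_moves(BEFORE, FIX)
    print("conflicts after:", find_port_conflicts(after))
    print("Server field:", client_server_field("203.0.113.10", after))
```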

Author Comment by: tparus
Testing. I will update this case when I have some results. I will be on vacation till Christmas so I won't be able to update until after then.

Expert Comment by: diverseit
Sounds good. Merry Christmas.