3 Site VPN strategy

Tom F (asker):

I've got a single person in an office location who needs to access a LOB application at site A and a different LOB application at site B via RDP.

Sites A and B don't need to communicate with one another.

What would be the most efficient and cost-effective way to accomplish this, preferably using SonicWall equipment?
John:

Set the user up with a SonicWall and the other two sites with SonicWalls and build site-to-site tunnels from User to A and User to B. I do this with Cisco routers and it works great.
Michael Karamoutchev:
Split Tunnel

Please refer to SonicWall article below:
https://www.sonicwall.com/en-us/support/knowledge-base/170503392435592
Whenever I set up site to site, they are always split tunnel... unless you set up a single WAN GroupVPN policy for this user. It's a configuration matter. Split Tunnelling allows you to refine what goes over the VPN tunnel and what goes over the default network connection.
For site to site, tunneling is a hardware issue (done in Sonic Wall or other) and not related much to the OS.
Ashok Dewan:
I believe SonicWall does not have a free version available. As mentioned, you don't require site A to communicate with site B. The best way is to use SonicWALL SSL VPN.
Tom F (asker):
Will this be do-able if any of the sites have dynamic IP addresses?
You can have the two business sites static and the user's office dynamic. This works, but assumes the dynamic address does not change frequently. Mine has not changed in about 2 years. ISPs are reluctant to change your IP because your activities are tied to it.
Hi Tom,

FYI: You guys are conflating different terminologies. Tunneling via S2S (Site-to-Site) has no "Tunnel All Mode" or "Split Tunnel Mode" because you are connecting two different networks. Those are both features specifically relating to C2S (Client-to-Site) VPNs. In SonicWALL, C2S VPNs would namely be: SSL-VPN (Browser Add-on, NetExtender, MobileConnect) and GVC (Global VPN Client).

Please clarify if you are asking:
A) How can you connect Site A (SonicWALL A) and Site B (SonicWALL B) via a VPN and have a user/s connect remotely to both networks via C2S, or
B) How can you have a user/s connect to both Site A and Site B when both sites cannot be connected via a VPN (for whatever reason)?

Scenario 1

You can achieve this by installing two SonicWALL appliances and setting up a S2S VPN between them. Then when the user in question needs remote access to both resources in sites A & B they can get them by accessing C2S VPNs, such as an SSL-VPN, on one of the SonicWALLs and thereby access the other network's resources via the VPN & static routes. Here's how to do this:
1. Make sure the SSL-VPN IP Pool is added to the Local Network in S2S Tunnel configuration on SonicWALL A and in the Remote Network (in VPN Zone) in SonicWALL B.
2. Go to SSL VPN > Client Settings > Edit profile > Client Routes tab and add a client route to the SonicWALL B network.
3. Go to Users > edit the user or user group which connects over SSL VPN | VPN Access tab and add the same VPN Network there.

Scenario 2

My question is: do you want the user/s to be able to connect to both networks simultaneously or individually? Individually is not a problem. You can set up either an SSL-VPN or a GVC VPN and configure the clients so that the user/s can switch between the networks via profiles, where the user/s are connected to one network at a time. This will provide the most security because you can set up Tunnel All Mode, which is a Security Best Practice. However, if you want the user/s to connect to both sites simultaneously you may run into issues, and certainly you cannot set up either/any C2S VPN in Tunnel All Mode but rather Split Tunnel Mode. Since C2S VPNs can only connect to one network at a time you would need to set up an SSL-VPN on one SonicWALL and then on the other SonicWALL set up a GVC. You will have to test this configuration because it is not a typical request and therefore could be problematic. Alternatively, you could create a S2S with another device that supports IPSec.

Let me know if you have any questions!
I use Cisco and Juniper boxes for this and can connect to all 3 tunnels simultaneously. That may be an option for you.
Will this be do-able if any of the sites have dynamic IP addresses?
Please address my questions above so we can provide a solution...otherwise we are just spinning our wheels. If you are talking about S2S VPN, yes, you can configure it if one side has a dynamic IP address. The VPN Proposal Exchange mode would be Aggressive Mode, which has security vulnerabilities and will not pass any kind of decent security audit. To get around that you can either:
A) purchase a Public Static IP address from your ISP or
B) purchase/configure DDNS for the side that has a Public Dynamic IP address. In either case you would then be able to configure a S2S in Main Mode or an IKEv2 Mode.
Site to Site in my configuration uses MAIN Mode.  Aggressive is for Client Software. I was addressing Site to Site.
@John, the OP has not answered my questions yet. As I have annotated, both scenarios are quite different and I need clarification on which the OP wants. SonicWALL can have a user connect to a VPN via C2S and access both firewalls if they are connected to a VPN via S2S. However, in the other scenario where the firewalls do not have a VPN connecting them and the user needs to connect to two networks simultaneously, it is problematic to do so...not impossible! See what I mean...the two scenarios are quite different.
Tom F (asker):
Ideally, I'd like the user to be able to connect to Site A and Site B at the same time.  I'd also prefer to have the sites connected via hardware, not client software for daily simplicity.
I do what you want with Cisco routers. I am not sure if Sonic Wall supports multiple tunnels.
@John -
Site to Site in my configuration uses MAIN Mode.  Aggressive is for Client Software. I was addressing Site to Site.
I'm sorry but you are incorrect on this one. We argued this in a previous question. Main Mode is a type of Proposal Exchange that requires both sides of the VPN to have Static Public IPs. Aggressive Mode again is another type of Proposal Exchange that is less secure (the Hash is not encrypted) and is only used when a Dynamic Public IP address exists on any end of the VPN tunnel. Therefore you cannot configure a Main Mode proposal with a dynamic IP address on either side!

This is also why in a C2S VPN, in most cases, you cannot configure the Proposal because, from the VPN server's perspective, the Initiator of the VPN will always be dynamic as multiple users are logging in from multiple IPs, hence Aggressive Mode. In this regard the VPN Server sees that the IPs must change to accommodate remote users, so it doesn't matter if a user logs in from a static or dynamic IP...the fact is that as soon as another user logs in the Initiator's IP changes, hence the other end of the VPN will be perpetually dynamic. So you were partially correct when you said, "Aggressive is for Client Software", but to leave it that definitively will only misinform EE users who do not understand VPNs. "Aggressive Mode is for dynamic IPs" would be the correct statement. So regardless of whether the VPN is a S2S or a C2S, if any end of the VPN is dynamic you must use Aggressive Mode or an alternative method such as IKEv2 or Main Mode w/DDNS.

I hope this helps you understand the differences a bit more.
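The point made in this post, that Aggressive Mode sends the identities (IDii/IDir) in the clear while Main Mode only sends them after the exchange is encrypted, is visible in the ISAKMP message layout itself. The following Python is an added example, not from the thread or from SonicWall: it parses constructed IKEv1 phase 1 messages (real header layout, dummy payload bodies, no real cryptography) and flags any ID payload that travels in an unencrypted message, which is the check an audit of a VPN capture would make.

```python
import struct

# ISAKMP exchange types (RFC 2408) and the phase 1 payload types relevant here.
EXCHANGE_NAMES = {2: "Main Mode (Identity Protection)", 4: "Aggressive Mode"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 10: "Nonce"}
FLAG_ENCRYPTED = 0x01  # header flag: everything after the header is ciphertext
HDR = "!8s8sBBBBII"    # cookies, next payload, version, exchange, flags, msg id, length

def parse_isakmp(pkt: bytes) -> dict:
    """Parse the 28-byte ISAKMP header and list the payloads readable in cleartext."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = struct.unpack(HDR, pkt[:28])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    payloads, offset = [], 28
    if not flags & FLAG_ENCRYPTED:          # encrypted bodies have no readable chain
        while nxt != 0:
            if offset + 4 > len(pkt):
                raise ValueError("truncated payload header")
            following, _res, plen = struct.unpack("!BBH", pkt[offset:offset + 4])
            if plen < 4 or offset + plen > len(pkt):
                raise ValueError("bad payload length")
            payloads.append(PAYLOAD_NAMES.get(nxt, str(nxt)))
            offset, nxt = offset + plen, following
    return {"exchange": EXCHANGE_NAMES.get(exch, str(exch)),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": payloads}

def identity_exposed(pkt: bytes) -> bool:
    """Audit check: does an ID payload (IDii/IDir) travel in an unencrypted message?"""
    info = parse_isakmp(pkt)
    return not info["encrypted"] and "ID" in info["payloads"]

def build_msg(exch: int, payload_types: list, flags: int = 0) -> bytes:
    """Constructed sample message: real header layout, dummy 4-byte payload bodies."""
    if flags & FLAG_ENCRYPTED:
        body = b"\xaa" * 16                  # stands in for opaque ciphertext
    else:
        chain = payload_types + [0]          # each payload header names the next one
        body = b"".join(struct.pack("!BBH", chain[i + 1], 0, 8) + b"\x00" * 4
                        for i in range(len(payload_types)))
    first = payload_types[0] if payload_types else 0
    return struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, flags,
                       0, 28 + len(body)) + body

# Aggressive Mode message 1: SA, KE, Nonce and ID all in the clear.
AGGRESSIVE_MSG1 = build_msg(4, [1, 4, 10, 5])
# Main Mode message 1 carries only the SA; the identities follow in messages 5
# and 6, which are sent with the encryption bit set.
MAIN_MSG1 = build_msg(2, [1])
MAIN_MSG5 = build_msg(2, [5], flags=FLAG_ENCRYPTED)
```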
Therefore you cannot configure a Main Mode proposal with a dynamic IP address on either side!

My own site is dynamic, but as I pointed out above, I configure it as Static and change whenever I need to. I use MAIN mode on all my tunnels.

They all work and they all work simultaneously
Asker certified solution: Blue Street Tech (solution text is available to members only)
@John - where do I begin....

This is not the design of Main Mode. You are most likely implementing DDNS or some other facet like "I configure it as Static and change whenever I need to." to counter it. You shouldn't ever need to change anything...it is a S2S VPN...unless the peer changes its IP, again, hence dynamic, hence you should be either implementing Main Mode w/DDNS, IKEv2 or Aggressive Mode. I'm trying to educate you on the facts. What you are saying is plain wrong: Main Mode DOES NOT equal S2S and Aggressive Mode DOES NOT equal C2S - to say otherwise is technically inaccurate! :) Study up on VPN Proposal Exchanges and get back to me off this thread and I think you'll agree with me. I'm not pontificating here; it is very black and white.
I use Main Mode and it works fine

You (Blue Street Tech) are trying to tell the world I don't know what I am doing. I DO know what I am doing and posting my experiences that's all.

Argue away if you must.

Bye All
None of us are perfect and we are all learning. EE is a place just for that. I'm not trying to tell the world you don't know what you are doing but rather correcting one small aspect that can affect someone else's learning significantly. It is not personal at all. We are in the scientific community not the liberal arts and so our answers must reflect that accordingly: there are right and wrong ways of doing things in IT irrespective of subjectivity. I think you have a tremendous amount of knowledge and I respect that. I have said things on EE that were plain wrong in the past...all of us have...we are not gods! As we continue to learn as Experts hopefully it is an iron sharpens iron concept. :)
Tom F (asker):
Ok, then to clarify a little... a Sonicwall at each site... preferably those two have static IPs, connect them S2S.  Connect the end user via NetExtender to either of the sites, by which then they'd have access to both networks.
Precisely!
Hi Tom,

Did my comment address your questions: https:#a42438143 (see Scenario 1 - setup a S2S VPN and use SSL-VPN so user can gain access to both network resources) if so please select as Best Solution to close this question. If you have more questions please keep them coming!

Let me know. Thanks!
This is basically a road warrior case.
Set up one SSTP server on each location, then have the user connect to both VPNs. No need for expensive hardware.

HTH,
Dan
@Dan, not sure if you read all the back and forth, but the OP preferably wants to set this up using SonicWALL equipment and is setting up a S2S VPN tunnel between the two offices with an SSL-VPN for the end-user. We had to get through whether the OP actually wanted to set up a S2S VPN or have the end-user connect two C2S VPNs simultaneously, which was unclear based on his question. :)
I saw you and John arguing and I stopped reading :)

On a side note, for the past couple of years I've been using OpenVPN for S2S tunnels and SSTP for C2S tunnels whenever I can.
OpenVPN because it's open source and not broken yet, and SSTP because it has a built-in client in Windows (and it's not broken yet).
I saw you and John arguing and I stopped reading :)
LOL :D It has forced me to write an article so that others can understand the Main Mode exchange was innately not designed to use dynamic IPs...though it can be forcibly accomplished by poor workarounds...it wasn't designed to, and is not smart to do so from a pragmatic & security standpoint! Here I go again... oh boy.

Yes, agreed. I'm a big fan of OpenVPN especially when VPN services (VPNaaS) are required. IPSec has not been cracked to my knowledge unless you are referring to Aggressive Mode, which was a poor design, IMO, from the start since the Hash was never encrypted thereby the IDii & IDir (the identities) were ripe for the picking.
Glad I could help...thanks for the points!
Seems like the client will finally make a decision on firewall technology at site A and site B, because there is no IPSEC capability, or is not utilized for the need.