
Tuesday, 18 February 2014

Implementing Hub and Spoke Site-to-Site VPN

Implementing Hub and Spoke Site-to-Site VPN in Sonicwall

Background
We had a situation where we needed to connect to one of our client's servers through VPN. The client provided the details for configuring a site-to-site VPN, but the problem we faced was that the client would only provide a single site-to-site VPN.
Our situation was that both our main office development users and our branch office users needed to access the same server, so I had to do some research on how to make it work.
Finally, to achieve the connection, we established a hub-and-spoke VPN, where the main office firewall acts as the hub and the branches communicate with the client VPN using the hub as an intermediary.

For this demonstration I am using SonicWall firewalls in all offices.



The branch office (Network A) and the Client Office (Network C) will connect to a hub at the corporate headquarters (Network B). Networks A and C will be able to exchange traffic through the hub. Review the specifications in the following table:

Branch Office A
    LAN A Subnet        10.0.1.0/24
    WAN A IP Address    192.168.1.1/24
Corporate Office (hub) B
    LAN B Subnet        10.0.2.0/24
    WAN B IP Address    192.168.2.1/24
Client Office C
    Server IP           94.188.133.150
    WAN C IP Address    192.168.3.1/24
To achieve the hub-and-spoke VPN connection, first we need to establish a site-to-site VPN with the Client Office, and then create a site-to-site VPN with the branch office that includes the Client Office server IP address in its destination networks.

Step 1

Creating the site-to-site VPN for the Client Office.
For configuring a site-to-site VPN, we first need to create some Address and Group Objects.
Create Address and Group Objects
A number of address objects are needed in the implementation of any site-to-site VPN. This need is greater in a hub-and-spoke configuration. Group objects will also be required. The address objects will specify local and destination networks, which will be grouped together to permit hub-and-spoke communication.

For that, log in to the firewall web interface of the Corporate Office SonicWall and access the Network > Address Objects page.
Click the Add button under the Address Objects table.

Address Object for Client Remote Server
Name: Client Remote Server IP
Zone: VPN
Type: Host
IP Address: 10.0.3.10
Address Object for Main Office Lan
Name: Main Office Lan
Zone: LAN
Type: Host
IP Address: 10.0.2.10
Netmask : 255.255.255.0
Address Object for Branch Office Lan
Name: Branch Office Lan
Zone: VPN
Type: Host
IP Address: 10.0.1.10
Netmask : 255.255.255.0
Create an Address Group for the main and branch office address objects

Click Add Group

Group name: Group for Client VPN
Members: Main Office Lan, Branch Office Lan
Now we have created the address objects and group for the site-to-site VPN with the Client Office. Next, configure the site-to-site VPN for the Client Office.

Step 2

1. Navigate to the VPN > Settings page and click the Add button. The VPN Policy window is displayed.
2. Click the General tab.

- Select IKE using Preshared Secret from the Authentication Method menu.
- Enter a name for the policy in the Name field.
- Enter the WAN IP address of the remote connection: 94.188.133.150
- Enter a Shared Secret password, to be used to set up the Security Association, in the Shared Secret and Confirm Shared Secret fields. The Shared Secret must be at least 4 characters long, and should comprise both numbers and letters.

3. Click the Network tab.

- Under Local Networks, select Choose local network from list: and select the address group Group for Client VPN (Main Office Lan and Branch Office Lan).
- Under Destination Networks, select Choose destination network from list: and select the address object Client Remote Server IP.

4. Click the Proposals tab.
Note: The settings here must be the same as those configured on the Client Remote VPN.

5. Click the Advanced tab.

- Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel. If one end of the tunnel fails, Keepalives allow the tunnel to be renegotiated automatically once both sides become available again, without having to wait for the proposed Life Time to expire.
- Select Enable Windows Networking (NetBIOS) Broadcast to allow access to remote network resources by browsing the Windows® Network Neighborhood.
- Select an interface or zone from the VPN Policy bound to menu. Zone WAN is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
- Click OK to apply the settings.

Create the VPN to VPN Access Rule

Follow these steps to create the access rule on each SonicWALL appliance allowing communication between VPN tunnels:

Click Firewall > Access rules > select Matrix.
Select the edit icon at the point of intersection for the “VPN to VPN” zone.
Add a new rule:

    Action: Allow
    Service: Any
    Source: Any
    Destination: Any
Click OK.

After following all of the above steps, a working VPN should be established and a green light will be indicated in the VPN window.

Step 3

Now we need to configure the site-to-site VPN between the Main Office and the Branch Office.
In the Branch Office SonicWall we need to create the following address objects and address group.

Address Object for Client Remote Server
Name: Client Remote Server IP
Zone: VPN
Type: Host
IP Address: 10.0.3.10

Address Object for Main Office Lan
Name: Main Office Lan
Zone: LAN
Type: Host
IP Address: 10.0.2.10
Netmask : 255.255.255.0

Create an Address Group for the main office and Client Server IP address objects

Group name: Group for Main Office VPN
Members: Main Office Lan, Client Remote Server IP

Now we have created the address objects and group for the site-to-site VPN with the Main Office. Next, configure the site-to-site VPN for the Main Office.

Follow the same procedure as in Step 2; the only change is in the Network tab.

In the Network tab, Choose local network will be Branch Office Lan and Choose destination network will be Group for Main Office VPN.
Create the VPN to VPN Access Rule
Follow these steps to create the access rule on each SonicWALL appliance allowing communication between VPN tunnels:
Click Firewall > Access rules > select Matrix.
Select the edit icon at the point of intersection for the “VPN to VPN” zone.
Add a new rule:

    Action: Allow
    Service: Any
    Source: Any
    Destination: Any
Click OK.
After following all of the above steps, a working VPN should be established and a green light will be indicated in the VPN window.

Test this scenario:

Try to ping the Client Remote Server IP from the Branch Office and the Main Office, or vice versa.
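Before sending that first ping, it helps to confirm on paper that a branch host's traffic to the client server is covered by a matching selector on every hop: the branch's own policy, the hub's side of the branch tunnel, the hub's side of the client tunnel, and the VPN-to-VPN access rule that lets the hub forward between the two tunnels. The script below is an added example, not part of the original post and not a SonicWall tool. It models the address objects, groups and policies from the post in plain Python and traces a packet through them. Two things are assumptions: the hub-side policy towards the branch ("To Branch Office") is not shown in the post but a policy-based tunnel needs mirrored selectors on both ends, and the LAN objects are modelled as the /24 networks their netmasks imply.

```python
"""Traffic-selector check for the hub-and-spoke VPN described in this post.

Added example (not part of the original post or SonicWall's tooling): it models
the address objects, groups and VPN policies from the post and checks that a
branch -> client flow is covered by a matching policy on every hop, so a
selector mismatch can be found before the first ping.
"""
from ipaddress import ip_address, ip_network

# Address objects from the post. The post creates the two LAN objects as "Host"
# with a netmask; they are modelled here as the /24 the netmask implies (an
# assumption), because the VPN selector has to cover the whole subnet.
ADDRESS_OBJECTS = {
    "Client Remote Server IP": ip_network("10.0.3.10/32"),
    "Main Office Lan": ip_network("10.0.2.0/24"),
    "Branch Office Lan": ip_network("10.0.1.0/24"),
}
GROUPS = {
    "Group for Client VPN": ["Main Office Lan", "Branch Office Lan"],            # Step 1
    "Group for Main Office VPN": ["Main Office Lan", "Client Remote Server IP"],  # Step 3
}

# VPN policies per device as (policy name, local network, destination network).
# "To Branch Office" on the hub is an assumption: the post only shows the branch
# side of that tunnel, but the hub needs the mirrored selectors to decrypt it.
POLICIES = {
    "hub": [
        ("To Client Office", "Group for Client VPN", "Client Remote Server IP"),  # Step 2
        ("To Branch Office", "Group for Main Office VPN", "Branch Office Lan"),   # assumed mirror
    ],
    "branch": [
        ("To Main Office", "Branch Office Lan", "Group for Main Office VPN"),     # Step 3
    ],
}


def resolve(name):
    """Expand an address object or group name into a list of networks."""
    if name in GROUPS:
        return [net for member in GROUPS[name] for net in resolve(member)]
    return [ADDRESS_OBJECTS[name]]


def covers(name, addr):
    """True if any network behind the object/group name contains addr."""
    return any(addr in net for net in resolve(name))


def find_policy(policies, local_addr, remote_addr):
    """Name of the first policy whose local selector covers local_addr and
    whose destination selector covers remote_addr, or None if nothing matches."""
    for name, local, remote in policies:
        if covers(local, local_addr) and covers(remote, remote_addr):
            return name
    return None


def trace(src, dst, policies=POLICIES, vpn_to_vpn_rule=True):
    """Follow a packet from a branch host (src) to the client server (dst).

    Returns one entry per hop: the matching policy name (or None) for each of
    the three tunnel selectors, plus whether the hub's VPN-to-VPN access rule,
    which the hub needs in order to forward between the two tunnels, exists.
    """
    src, dst = ip_address(src), ip_address(dst)
    return {
        # branch encrypts: its local side is src, remote side is dst
        "branch tunnel, branch side": find_policy(policies["branch"], src, dst),
        # hub decrypts from the branch: hub's local side must cover dst, remote side src
        "branch tunnel, hub side": find_policy(policies["hub"], dst, src),
        # hub re-encrypts towards the client: local side src, remote side dst
        "client tunnel, hub side": find_policy(policies["hub"], src, dst),
        "hub VPN to VPN access rule": vpn_to_vpn_rule,
    }


def reachable(src, dst, policies=POLICIES, vpn_to_vpn_rule=True):
    """True only when every hop in trace() has a match."""
    return all(trace(src, dst, policies, vpn_to_vpn_rule).values())


# A deliberately broken variant: the hub's client tunnel uses only the main
# office LAN instead of the group, so branch traffic never matches that tunnel.
BROKEN = {
    "hub": [
        ("To Client Office", "Main Office Lan", "Client Remote Server IP"),
        ("To Branch Office", "Group for Main Office VPN", "Branch Office Lan"),
    ],
    "branch": POLICIES["branch"],
}

if __name__ == "__main__":
    for label, pol in (("as configured", POLICIES), ("without the group", BROKEN)):
        print(label, "->", reachable("10.0.1.25", "10.0.3.10", pol))
        for hop, result in trace("10.0.1.25", "10.0.3.10", pol).items():
            print(f"  {hop}: {result}")
```

Running it shows every hop matched for the configuration in the post, and the "client tunnel, hub side" hop reporting None for the broken variant, which is exactly the symptom of forgetting to put Branch Office Lan into Group for Client VPN in Step 1: the branch-to-hub tunnel comes up green, yet pings from the branch to the client server never get an answer.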


