SonicWALL Route Based VPN Feature Module

Route Based Virtual Private Network

Document Scope

This solutions document provides details about Route Based Virtual Private Network (VPN) technology, its advantages, and the procedures to configure a Route Based VPN. This document contains the following sections:

Overview section on page 1
Using Route Based VPN section on page 2

Overview

This section provides an introduction to Route Based VPN. It contains the following subsections:

What is a Route Based VPN? section on page 1
Benefits section on page 2
Platforms section on page 2

What is a Route Based VPN?

In general, a Virtual Private Network (VPN) is a way for companies to have the same security as if all the distributed networks were together, with only one access point to the private network, or intranet. Each location has a firewall, configured specially so that it recognizes all the other firewall locations. When the firewall sees a packet headed outward to another protected location, the packet is encrypted. After it travels across the Internet, the receiving firewall decrypts the packet.

A policy-based approach forces the VPN policy configuration to include the network topology configuration. This makes it difficult for the network administrator to configure and maintain the VPN policy when the network topology changes constantly. With the Route Based VPN approach, the network topology configuration is removed from the VPN policy configuration. The VPN policy configuration creates a Tunnel Interface between two end points, and static routes can then be added to the Tunnel Interface. In other words, the Route Based VPN approach moves network configuration from the VPN policy configuration to the route configuration.
Benefits

Not only does Route Based VPN make configuring and maintaining the VPN policy easier; a major advantage of the feature is the flexibility it provides in how traffic is routed. With this feature, users can define multiple paths for overlapping networks over a clear or redundant VPN.

Platforms

Route Based VPN is a feature of SonicOS 5.5 Enhanced and is supported on SonicOS 5.5 Enhanced and higher.

Using Route Based VPN

This section contains the following subsections:

Configuring Static Route Based VPN section on page 2
Advanced Route Configuration for Tunnel Interface section on page 8
Configuring Routing Protocol for a Tunnel Interface section on page 10
Additional Configuration Scenarios section on page 11

Configuring Static Route Based VPN

Route based VPN configuration is a two-step process. The first step is creating a Tunnel Interface; the crypto suites used to secure the traffic between the two end-points are defined in the Tunnel Interface. The second step is creating a static route that uses the Tunnel Interface. This section contains the following subsections:

Configuration Overview section on page 2
Adding a Tunnel Interface section on page 3
Creating a Static Route for Tunnel Interface section on page 4
Route Entries for Different Network Segments section on page 5
Redundant Static Routes for a Network section on page 6
Drop Tunnel Interface section on page 6
Creating a Static Route for Drop Tunnel Interface section on page 7

Configuration Overview

The Tunnel Interface is created when a Policy of type Tunnel Interface is added for the remote gateway. The Tunnel Interface must be bound to a physical interface, and the IP address of that physical interface is used as the source address of the tunneled packet.

A static route ties the traffic (source, destination, and service) to the Tunnel Interface. Any number of overlapping static routes can be added for the tunneled traffic. When networks are added to or removed from the topology, only the static routes need to be updated accordingly; the tunnel interface configuration does not need to change.

For more details about general tunnel interface configuration, refer to the SonicOS Enhanced 5.4 Administrator's Guide: http://www.sonicwall.com/
Adding a Tunnel Interface

The following procedure explains how to add a Tunnel Interface:

Step 1 Navigate to VPN > Settings > VPN Policies and click the Add... button. This opens the VPN Policy Configuration dialog box.

Step 2 On the General tab, select Tunnel Interface as the policy type.

Step 3 Navigate to the Proposal tab and configure the IKE and IPSec proposals for the tunnel negotiation.
Step 4 Navigate to the Advanced tab to configure the advanced properties for the Tunnel Interface. By default, Enable Keep Alive is enabled, so that the tunnel with the remote gateway is established proactively. Also, by default the tunnel interface is bound to the X1 interface, but it can be bound to any of the available interfaces.

Creating a Static Route for Tunnel Interface

After you have successfully added a Tunnel Interface, you can create a Static Route for it. Navigate to Network > Routing > Route Policies and click the Add... button. A dialog window appears for adding the Static Route. Note that the Interface dropdown menu lists all available tunnel interfaces.
Auto-add Access Rule

When Any is used and the source of the route policy is not specified, inbound and outbound access rules that allow traffic between non-trusted zones and the tunnel interface are not auto-added. VPN Allow Rules from and to these zones for the remote network(s) must be added manually for successful communication between the local and remote networks.

Note The auto-added VPN > WAN allow rule(s) for the remote networks to Any is intended for route-all scenarios.

Route Entries for Different Network Segments

After a tunnel interface is created, multiple route entries can be configured to use the same tunnel interface for different networks. This provides a mechanism to modify the network topology without making any changes to the tunnel interface. The image below shows an example of the same tunnel interface used for different networks (Routes 1 & 2):
Redundant Static Routes for a Network

Once more than one tunnel interface is configured, you can also add multiple overlapping static routes, each using a different tunnel interface to route the traffic. This provides routing redundancy for the traffic to reach the destination. The image below illustrates redundant static routes for a network (Routes 2 & 3):

Drop Tunnel Interface

The Drop Tunnel Interface is a pre-configured tunnel interface that provides added security for traffic. If the interface bound to a static route is the drop tunnel interface, all the traffic for that route is dropped and not forwarded in the clear.

If a static route bound to a tunnel interface is defined for certain traffic (source/destination/service), and that traffic should not be forwarded in the clear when the tunnel interface is down, it is recommended to configure a static route bound to the drop tunnel interface for the same network traffic. As a result, if the tunnel interface is down, the traffic is dropped because of the drop tunnel interface static route.
Creating a Static Route for Drop Tunnel Interface

To add a static route for the drop tunnel interface, navigate to Network > Routing > Routing Policies and click the Add... button. As when configuring a static route for a Tunnel Interface, configure the values for the Source, Destination, and Service objects. Under Interface, select Drop_tunnelIf. Once added, the route is enabled and displayed in the Route Policies.
Advanced Route Configuration for Tunnel Interface

To allow RIP and OSPF configuration, follow the steps below:

Step 1 Enable the Allow Advanced Routing option in the tunnel interface configuration. With this option enabled, the tunnel interface appears under Advanced Routing Configuration on the Network > Routing screen.
Step 2 Enable RIP and OSPF on the tunnel interface and configure the IP Address borrowed from and Remote IP Address fields on the appliances at both sites.

Note The fields IP Address borrowed from and Remote IP Address take the IP addresses used for the routing protocol tunnels, and the two addresses must be in the same subnet.

Note Remember that the Remote IP Address must match the IP Address in the remote site's RIP/OSPF configuration for the borrowed interface address.
Configuring Routing Protocol for a Tunnel Interface

After you have successfully added a Tunnel Interface, you can navigate to the Network > Routing > Advanced Routing page for a full list of interfaces. To configure Advanced Routing options, click the Configure RIP or Configure OSPF icon for the Tunnel Interface you wish to configure. This section contains the following subsections:

Configuring RIP for a Tunnel Interface section on page 10
Configuring OSPF for a Tunnel Interface section on page 11

Configuring RIP for a Tunnel Interface

From the Network > Routing > Routing Protocols page, click the Configure RIP icon. A dialog appears in which you can configure RIP for the Tunnel Interface. Click OK when you have finished configuring the RIP settings.
Note If you select the Send and Receive option for RIP, you must select the RIP version for each message sent and received.

Configuring OSPF for a Tunnel Interface

From the Network > Routing > Routing Protocols page, click the Configure OSPF icon. A dialog appears in which you can configure OSPF for the Tunnel Interface. Click OK when you have finished configuring the OSPF settings.

Additional Configuration Scenarios

The following section contains procedures for configuring more advanced route-based VPN scenarios. This section includes the following subsections:

Single Tunnel Interface Configuration Between Two Sites section on page 12
Multiple Tunnel Interface Configuration Between Two Sites section on page 13
Failover and Load Balancing section on page 15
Mesh Configuration for Redundant Route-Based VPN Between Multiple Sites section on page 19
Single Tunnel Interface Configuration Between Two Sites

The following steps describe how to configure a single tunnel interface between two sites (Site A and Site B):

Step 1 On the first site's network (Site A), create the first tunnel interface policy by navigating to the VPN > Settings screen. Select Tunnel Interface as the Policy Type, and fill in the Name for this interface. In this example, the Site A interface is named RTVPN1.

Step 2 On the second site's network (Site B), repeat Step 1 to create a policy of the same type. In this example, the Site B interface is named RTVPN2.

Note Both interfaces are bound to the WAN (X1) interface on each respective appliance.
Step 3 On the Site A appliance, navigate to the Network > Routing screen and configure a static route from Site A to Site B, with Site A as the Source and Site B as the Destination.

Step 4 On the Site B appliance, repeat Step 3, with Site B as the Source and Site A as the Destination.

Multiple Tunnel Interface Configuration Between Two Sites

The following steps describe how to configure multiple tunnel interfaces between two sites (Site A and Site B):

Step 1 For Site A's first network (Network 1), create a tunnel interface policy by navigating to the VPN > Settings screen. Select Tunnel Interface as the Policy Type, and fill in the Name for this interface. In this example, the Site A Network 1 interface is named RTVPN1.
Step 2 For Site A's second network (Network 2), create a tunnel interface policy by repeating Step 1. In this example, the Site A Network 2 interface is named RTVPN3.

Step 3 On Site B's network, repeat Steps 1 and 2 to create policies of the same type for its two interfaces (Site B Network 1 and Site B Network 2). In this example, the Site B Network 1 interface is named RTVPN2-X1 and the Site B Network 2 interface is named RTVPN2-X2.
Step 4 On the Site A appliance, navigate to the Network > Routing screen and configure a static route from Site A Network 1 (RTVPN1) to Site B Network 1 (RTVPN2-X1), with Site A as the Source and Site B as the Destination.

Step 5 Configure another static route from Site A Network 2 (RTVPN3) to Site B Network 2 (RTVPN2-X2), with Site A as the Source and Site B as the Destination.

Step 6 Repeat Steps 4 and 5 on the Site B appliance, configuring a static route from Site B Network 1 (RTVPN2-X1) to Site A Network 1 (RTVPN1) and another static route from Site B Network 2 (RTVPN2-X2) to Site A Network 2 (RTVPN2), with Site B as the Source and Site A as the Destination for both routes.

Failover and Load Balancing

When the tunnel interfaces are bound to a physical interface, you can configure tunnel failover or traffic load balancing using static routing on additional routes. Follow the steps below to configure failover and load balancing for multiple tunnel interfaces between two sites:

Step 1 Add additional routes on the Site A appliance:
For Site A Network 1 and Site B Network 1, with the interface as RTVPN3, add a route with a metric lower than the static route for the same network that uses the tunnel interface (10.8.23.208 in this example).
For Site A Network 2 and Site B Network 2, with the interface as RTVPN1, add a route with a metric lower than the static route for the same network that uses the tunnel interface (10.9.23.209 in this example).

Step 2 Repeat Step 1 to add additional routes on the Site B appliance:
For Site B Network 1 and Site A Network 1, with the interface as RTVPN2-X2, add a route with a metric lower than the static route for the same network that uses the tunnel interface (10.8.23.206 in this example).
For Site B Network 2 and Site A Network 2, with the interface as RTVPN2-X1, add a route with a metric lower than the static route for the same network that uses the tunnel interface (10.9.23.209 in this example).

Note When the high priority route is not available, the low priority route is used to forward the traffic to the destination network.

Step 3 Navigate to the Network > Routing screen to configure the following tunnel interface VPN Policies on Site A:

RTVPN1 bound to interface X1 for remote gateway 10.8.23.208.
RTVPN3 bound to interface X2 for remote gateway 10.9.23.209.

Step 4 Configure the following tunnel interface VPN Policies on Site B:

RTVPN2 bound to interface X1 for remote gateway 10.6.23.206.
RTVPN4 bound to interface X2 for remote gateway 10.7.23.207.

Step 5 Next, configure the following static routes on Site A:

For Site A Network 1 and Site B Network 1, configure the interface as RTVPN1.
For Site A Network 2 and Site B Network 2, configure the interface as RTVPN3.

Step 6 Repeat Step 5 to configure the following static routes on Site B:

For Site B Network 1 and Site A Network 1, configure the interface as RTVPN2.
For Site B Network 2 and Site A Network 2, configure the interface as RTVPN4.

Step 7 Because the tunnel interfaces are bound to a physical interface and not to a zone, tunnel failover or traffic load balancing can be achieved using static routing. Add the following additional routes on Site A:

For Site A Network 1 and Site B Network 1 with interface RTVPN3, configure a static route for the same network with tunnel interface RTVPN1. This is the static route you configured in Step 5.
For Site A Network 2 and Site B Network 2 with interface RTVPN1, configure a static route for the same network with tunnel interface RTVPN3. This is the static route you configured in Step 5.

Step 8 Add the following additional routes on Site B:

For Site B Network 1 and Site A Network 1 with interface RTVPN4, configure a static route for the same network with tunnel interface RTVPN2. This is the static route you configured in Step 6.
For Site B Network 2 and Site A Network 2 with interface RTVPN2, configure a static route for the same network with tunnel interface RTVPN4. This is the static route you configured in Step 6.
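The behaviour described in the Drop Tunnel Interface section and in the failover steps above, as an added example that is not part of the original SonicWALL document: a small Python model of route-policy selection over overlapping static routes. It assumes that a lower metric is preferred, that a route whose tunnel interface is down is skipped, and that Drop_tunnelIf always accepts (and discards) traffic; the networks, metrics and host addresses are constructed.

```python
# Added example (not SonicWALL code): a model of route-policy selection over
# tunnel interfaces. Assumptions: a lower metric is preferred, a route whose
# tunnel interface is down is skipped, and Drop_tunnelIf is always usable.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DROP_IF = "Drop_tunnelIf"              # pre-configured drop tunnel interface
TUNNEL_IFACES = {"RTVPN1", "RTVPN3"}   # Site A tunnel interfaces from the page


@dataclass(frozen=True)
class Route:
    source: str       # CIDR network, or "any"
    destination: str  # CIDR network, or "any"
    interface: str    # tunnel interface, Drop_tunnelIf, or physical interface
    metric: int       # lower metric = higher priority (assumption)


def _contains(cidr: str, addr: str) -> bool:
    """True if addr is inside cidr, or if the route object is Any."""
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def select_route(routes, src, dst, tunnel_up):
    """Return the usable route matching (src, dst) with the lowest metric, or None.
    tunnel_up maps tunnel name -> bool; physical and drop interfaces never go down."""
    usable = []
    for r in routes:
        if not (_contains(r.source, src) and _contains(r.destination, dst)):
            continue
        if r.interface in TUNNEL_IFACES and not tunnel_up.get(r.interface, False):
            continue  # tunnel down: this route cannot carry the traffic
        usable.append(r)
    return min(usable, key=lambda r: r.metric) if usable else None


def forward(routes, src, dst, tunnel_up) -> str:
    """Describe the packet's fate: 'tunnel:<name>', 'clear:<iface>' or 'dropped'."""
    r = select_route(routes, src, dst, tunnel_up)
    if r is None or r.interface == DROP_IF:
        return "dropped"                 # drop-tunnel route (or no route at all)
    if r.interface in TUNNEL_IFACES:
        return f"tunnel:{r.interface}"   # encrypted through the tunnel
    return f"clear:{r.interface}"        # physical interface: sent in the clear


# Constructed sample addressing (not from the page).
SITE_A_NET1 = "192.168.10.0/24"
SITE_B_NET1 = "192.168.20.0/24"

# Site A route policies mirroring the page's scenario: primary RTVPN1, the extra
# RTVPN3 route for failover, a drop-tunnel route for the same traffic, default via X1.
SITE_A_ROUTES = [
    Route(SITE_A_NET1, SITE_B_NET1, "RTVPN1", metric=1),
    Route(SITE_A_NET1, SITE_B_NET1, "RTVPN3", metric=5),
    Route(SITE_A_NET1, SITE_B_NET1, DROP_IF, metric=20),
    Route("any", "any", "X1", metric=254),
]
# Same table without the drop route, to show why the page recommends adding it.
SITE_A_ROUTES_NO_DROP = [r for r in SITE_A_ROUTES if r.interface != DROP_IF]

if __name__ == "__main__":
    for up in ({"RTVPN1": True, "RTVPN3": True}, {"RTVPN1": False, "RTVPN3": True}, {}):
        print(up, forward(SITE_A_ROUTES, "192.168.10.5", "192.168.20.7", up),
              forward(SITE_A_ROUTES_NO_DROP, "192.168.10.5", "192.168.20.7", up))
```

With both tunnels down, the table that has the drop route discards the Site A to Site B traffic, while the table without it sends the same traffic out X1 in the clear; traffic not covered by the drop route (for example to an Internet host) still follows the default route either way.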
Mesh Configuration for Redundant Route-Based VPN Between Multiple Sites

Follow these steps to configure a mesh configuration for Site A, Site B, and Site C using the WAN interface X1:

Step 1 Configure the following tunnel interface VPN policies on Site A:

RTVPN1 bound to interface X1 for remote gateway 10.8.23.208, for traffic between Site A and Site B.
RTVPN3 bound to interface X1 for remote gateway 10.10.23.210, for traffic between Site A and Site C.

Step 2 Configure the following tunnel interface VPN policies on Site B:

RTVPN2 bound to interface X1 for remote gateway 10.6.23.206, for traffic between Site A and Site B.
RTVPN4 bound to interface X1 for remote gateway 10.10.23.210, for traffic between Site B and Site C.

Step 3 Configure the following tunnel interface VPN policies on Site C:

RTVPN5 bound to interface X1 for remote gateway 10.6.23.206, for traffic between Site A and Site C.
RTVPN6 bound to interface X1 for remote gateway 10.8.23.208, for traffic between Site B and Site C.

Note When the direct route between Site A and Site B is not available, traffic can be forwarded from Site A to Site B, or vice versa, via the Site C network, provided the connections from Site A to Site C and from Site B to Site C are available.

Step 4 Next, configure the static routes on Site A:

For Site A Network and Site B Network, configure RTVPN2 for traffic between Site A and Site B.
For Site A Network and Site C Network, configure RTVPN4 for traffic between Site A and Site C.
For Site A Network and Site B Network, configure RTVPN4 for traffic between Site A and Site B via the Site C tunnel interface.

Step 5 Configure the static routes on Site B:

For Site B Network and Site A Network, configure RTVPN1 for traffic between Site A and Site B.
For Site B Network and Site C Network, configure RTVPN3 for traffic between Site B and Site C.
For Site B Network and Site A Network, configure RTVPN3 for traffic between Site A and Site B via the Site C tunnel interface.

Step 6 Configure the static routes on Site C:

For Site C Network and Site A Network, configure RTVPN5 for traffic between Site A and Site C.
For Site B Network and Site C Network, configure RTVPN6 for traffic between Site B and Site C.
For Site A Network and Site B Network, configure RTVPN6 for traffic between Site A and Site B via the Site C tunnel interfaces RTVPN5 and RTVPN6.
For Site B Network and Site A Network, configure RTVPN5 for traffic between Site A and Site B via the Site C tunnel interfaces RTVPN5 and RTVPN6.

Solution Document Version History

Version Number | Date      | Notes
1              | 6/24/2009 | This document was created by A. Mendoza.
2              | 7/20/2009 | Incorporated feedback from N. Kulshreshtha.
3              | 7/20/2009 | Incorporated feedback from P. Lydon.
4              | 7/27/2009 | Incorporated feedback from N. Kulshreshtha.
5              | 8/14/2009 | Incorporated feedback from N. Kulshreshtha and N. Baumen.
6              | 8/10/2011 | Incorporated feedback from N. Kulshreshtha.
7              | 8/15/2011 | Incorporated additional feedback from N. Kulshreshtha.