Configuring VPNs With Overlapping Networks

8/2/2019 Configuring VPNs With Overlapping Networks

This document describes how to create VPN tunnels between sites that use identical, and hence overlapping, IP addresses. The following scenarios are covered in detail:

VPN between headquarters and remote sites with identical IP addresses

VPN between headquarters and remote sites with identical IP addresses, applying many-to-one NAT

VPN between headquarters and remote sites with identical IP addresses, hub and spoke

Testbed Setup

In all examples the headquarters uses a PRO 3060 running SonicOS 3.1, and the two remote sites use TZ 170 appliances running SonicOS Enhanced 3.1.

Scenario 1: Headquarters and remote sites with identical IP addresses

Scenario

This company has a headquarters and two remote offices. The remote sites have never been connected to the headquarters before, and to keep installation as simple as possible the same IP subnet was used at every location. Connecting such locations with each other normally causes routing difficulties.

All offices use the existing addressing scheme 10.10.1.x, and all remote sites now have to be connected by VPN. Changing the IP addresses is not possible in this scenario, or would cause too much work, so they have to stay the same. To make this work, a hide-NAT is applied in the VPN configuration: every local network keeps its addresses, and the existing addresses are hidden behind a unique IP range by 1:1 NAT. Each site therefore appears to the other sites under a range that no other site uses.

Note that this scenario requires SonicOS Enhanced on all SonicWALL UTM appliances.

Setup Headquarters

Two VPN tunnels are terminated here, one to RemoteSite1 and one to RemoteSite2.

Adding the VPN Tunnel at Headquarters

Configure a standard VPN tunnel. Only two changes are needed to create the hide-NAT.

The object RemoteSite1_LAN specifies the address range under which RemoteSite1 is reached (10.10.5.0); these addresses are translated to the site's real 10.10.1.0 network.

Configuration at RemoteSite1

Create a normal VPN tunnel and apply NAT, this time hiding the local 10.10.1.0 network behind 10.10.5.0.

Configuration at RemoteSite2

The configuration here is basically identical to RemoteSite1. The only difference is that RemoteSite2_LAN needs to refer to a 10.10.6.0 address.

How does it work?

IP addresses are now translated 1:1: only the network part of an address is swapped, the host part stays the same. If you want to reach an address in RemoteSite1, for example the LAN IP of the SonicWALL UTM appliance there, which is configured locally as 10.10.1.254, use 10.10.5.254 from the headquarters instead.

Additional Information:

When the VPN tunnel is created as described above, two NAT policies are created automatically, one for each direction of traffic. The administrator therefore keeps full control over what has been configured and may alter these policies if needed.

    VPN Settings Screen at Headquarters appliance:

Extension to this scenario: Apply many-to-one NAT

In some cases all communication from a remote office must be hidden behind a single IP address (many-to-one NAT). This is useful if, for example, only Terminal Services access from the remote office to the headquarters is needed and only one address from the remote location has to reach the headquarters. It is accomplished by changing the following:

    RemoteSite:

At the headquarters, change the configuration as follows:

Note: With this setup only one-way communication is possible, from the remote office to the headquarters. Sessions must be initiated from the remote office; the headquarters sees only the single hidden address and cannot reach individual hosts behind it.

Step Two: Extended Solution. Allow traffic between RemoteSite1 and RemoteSite2 across the VPN

In this example we extend the scenario from Step 1 (without the many-to-one NAT addition) to allow network traffic not only to the headquarters but also between the remote sites, using the existing tunnels and routing all traffic through the headquarters.

This scenario (called hub and spoke) eliminates the need for a fully meshed VPN network and therefore requires fewer VPN policies in total. The existing overlapping IP networks still do not have to be changed.

RemoteSite1 can reach RemoteSite2 over the VPN without a direct tunnel between the two locations.

Setup Headquarters: Tunnel to RemoteSite1

As only one object can be specified in the tunnel definition, a new address group object is needed that groups the local LAN and the LAN of RemoteSite2.

Use this group in the tunnel definition.

Now review the NAT policies; manual intervention is required here. Make sure the following policies exist:

A policy to handle traffic from RemoteSite2 to the LAN.

A NAT policy to handle traffic from the LAN to RemoteSite2.

A policy to handle traffic to RemoteSite1.

A policy for traffic from RemoteSite1 to the HQ LAN.

Setup RemoteSite1

At the remote sites only one change is needed: extend the VPN destination network to reflect all networks that should be reachable through this tunnel. At RemoteSite1 the LAN of RemoteSite2 must be added.

Create a network object for RemoteSite2_LAN.

Group it with the Headquarters_LAN object.

Refer to this group object in the VPN tunnel definition:

Summary

Now all sites can communicate with each other. From the remote sites the headquarters is reached under 10.10.4.x addresses; RemoteSite1 is reached from the headquarters and from RemoteSite2 under 10.10.5.x, and RemoteSite2 is reached from outside under 10.10.6.x. Note that the NAT policies only make the sites reachable under these addresses; which hosts and services may actually be accessed across the tunnels is still governed by the access rules for VPN traffic.
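The address translation explained under "How does it work?", the one-way limitation of the many-to-one variant, and the hub-and-spoke forwarding through the headquarters can all be followed in the model below. This is an added example, not code from SonicWALL or from this tech note: it simulates in Python the NAT policies each appliance applies around its tunnel and the routing decision at the hub. The names Site, Packet, send and hub_forward, the rule that the hub forwards spoke-to-spoke traffic without translating it, the hidden address 10.10.5.1 and the host addresses used are assumptions made for the illustration.

```python
"""Model of the hide-NAT scheme described in this tech note.

Added example, not SonicWALL code. Three sites that all use 10.10.1.0/24
reach each other through the unique ranges 10.10.4.0/24 (HQ),
10.10.5.0/24 (RemoteSite1) and 10.10.6.0/24 (RemoteSite2). Class and
function names, the hub forwarding rule and the host addresses are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import combinations
from typing import Optional

# The same subnet is in use at every site: the starting point of the tech note.
LAN = IPv4Network("10.10.1.0/24")

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

def pkt(src: str, dst: str) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst))

def translate(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """1:1 map: keep the host part, swap the network part (10.10.1.254 -> 10.10.5.254)."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))

@dataclass
class Site:
    name: str
    vpn_net: IPv4Network                   # the range the other sites see this LAN as
    hide_ip: Optional[IPv4Address] = None  # set for the many-to-one variant

    def outbound(self, p: Packet) -> Packet:
        """LAN -> tunnel policy: rewrite the private source before encryption."""
        if p.src not in LAN:
            raise ValueError(f"{p.src} is not a local host of {self.name}")
        if self.hide_ip is not None:
            return Packet(self.hide_ip, p.dst)  # every host appears as one address
        return Packet(translate(p.src, LAN, self.vpn_net), p.dst)

    def inbound(self, p: Packet) -> Packet:
        """Tunnel -> LAN policy: rewrite the translated destination after decryption."""
        if self.hide_ip is not None:
            # One hidden address cannot be mapped back to a particular host, so no
            # connection can be initiated towards this site (the note's one-way limit).
            # Replies to sessions the site opened are matched by NAT state, not modelled here.
            raise ValueError(f"{self.name} is hidden behind {self.hide_ip}")
        return Packet(p.src, translate(p.dst, self.vpn_net, LAN))

def check_unique(sites) -> None:
    """The translated ranges must overlap neither each other nor the real LAN."""
    for a, b in combinations(sites, 2):
        if a.vpn_net.overlaps(b.vpn_net):
            raise ValueError(f"{a.name} and {b.name} use overlapping VPN ranges")
    for s in sites:
        if s.vpn_net.overlaps(LAN):
            raise ValueError(f"{s.name}: VPN range {s.vpn_net} overlaps the local LAN")

def hub_forward(hub: Site, spokes, p: Packet):
    """What HQ does with a packet arriving from a spoke tunnel (assumption of this
    model: HQ-LAN traffic passes HQ's inbound NAT policy, spoke-to-spoke traffic is
    routed into the other spoke's tunnel with its translated addresses untouched)."""
    if p.dst in hub.vpn_net:
        return hub.name, hub.inbound(p)
    for spoke in spokes:
        if p.dst in spoke.vpn_net:
            return spoke.name, p
    raise ValueError(f"no tunnel for {p.dst}")

def send(src: Site, dst: Site, hub: Site, spokes, p: Packet) -> Packet:
    """Full path of one packet: source NAT, hub routing, destination NAT."""
    on_wire = src.outbound(p)
    if src is hub:
        return dst.inbound(on_wire)  # HQ -> spoke uses the direct tunnel
    where, fwd = hub_forward(hub, spokes, on_wire)
    return fwd if where == hub.name else dst.inbound(fwd)

HQ = Site("Headquarters", IPv4Network("10.10.4.0/24"))
RS1 = Site("RemoteSite1", IPv4Network("10.10.5.0/24"))
RS2 = Site("RemoteSite2", IPv4Network("10.10.6.0/24"))
SPOKES = (RS1, RS2)
# Many-to-one variant of RemoteSite1; the hidden address 10.10.5.1 is an assumption.
RS1_HIDDEN = Site("RemoteSite1 (many-to-one)", RS1.vpn_net, IPv4Address("10.10.5.1"))

if __name__ == "__main__":
    check_unique((HQ, *SPOKES))
    # HQ host reaches RemoteSite1's SonicWALL (10.10.1.254 locally) as 10.10.5.254
    print(send(HQ, RS1, HQ, SPOKES, pkt("10.10.1.20", "10.10.5.254")))
    # Hub and spoke: a RemoteSite1 host reaches a RemoteSite2 host via the HQ
    print(send(RS1, RS2, HQ, SPOKES, pkt("10.10.1.10", "10.10.6.30")))
    # Many-to-one: every RemoteSite1 host leaves the tunnel as 10.10.5.1
    print(RS1_HIDDEN.outbound(pkt("10.10.1.10", "10.10.4.5")))
```

Running the script shows the HQ packet arriving at RemoteSite1 as 10.10.4.20 -> 10.10.1.254, and the spoke-to-spoke packet arriving at RemoteSite2 as 10.10.5.10 -> 10.10.1.30 without any tunnel between the two remote sites. The check_unique function is the test worth running before rolling this out: every translated range has to be unique across the whole VPN, or the overlap problem simply moves from the real LANs to the translated ones.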

    VPN Settings overview for Headquarters

    VPN Settings overview for RemoteSite1

Additional Comment: In this document default settings have been used wherever possible. For maximum security we strongly recommend a stronger encryption algorithm (e.g. AES), enabling PFS, and longer, more complex pre-shared keys that are unique per tunnel.