Article Applies To:
Affected SonicWALL Security Appliance Platforms:

Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless
Firmware/Software Versions:
All versions of SonicOS Enhanced for UTM appliances.
All versions of SonicWALL Global VPN Client (GVC), including v.4.2.6.305, v.4.0.0.842
Description:
This article will show users how to configure a 'Route all Traffic' WAN GroupVPN Policy on a SonicWALL UTM appliance. The result is that remote
computers with SonicWALL Global VPN Client (GVC) software connected to the policy will route all internet traffic through its VPN connection to the UTM
network. Once traffic from remote users' GVC computers to the UTM network is decrypted and unencapsulated from the VPN, the original destinations
of the traffic from the remote computer are honored and used for routing. Traffic from the GVC client destined for the Internet will be routed to the
UTM device's WAN gateway router and traffic destined for the LAN and other internal networks will be routed as per the routing logic which applies to
local hosts. Routing All Traffic through the SonicWALL allows an administrator to protect a user by enforcing Intrusion Prevention, Gateway Anti-Virus,
Anti-Spyware, Client Anti-Virus, Content Filtering, and other policies on remote users' traffic.

The related configurations on the UTM appliance which has subscriptions for the various Security Services mentioned above are done in the Network -
Zones screen. There are enforcement checkboxes for the various Security Services, and usually they are turned on for the LAN and WAN zones.
To accomplish the abovementioned protection of traffic coming across a 'Route all Traffic' WAN GroupVPN Policy, the administrator must enable the
VPN zone enforcements for the Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, Client Anti-Virus, and / or Content Filtering services.

Recommended Versions
SonicOS Enhanced 5.0 and above on a Gen5 SonicWALL UTM Appliance
SonicWALL GVC 4.2.6.305 (the last released version, supported on all versions of Windows XP and Vista, both 32- and 64-bit)
The examples in this article use the default access rules which are created when enabling the WAN Group VPN. These default access rules allow all VPN
Traffic to pass to the LAN and WAN.
Procedure:
Task list:
1. Configure Users (No need to configure if you are using an external LDAP server)
2. Configure WAN GroupVPN
3. Configure Internal DHCP Server (not needed if you are using an External DHCP Server)
4. Configure DHCP over VPN for External Server (Not needed if you are using an Internal DHCP Server)
5. Configure NAT Policies

Before You Begin
Decide if you are using an LDAP server or Local Users for authentication
Decide if you are using the SonicWALL Internal DHCP server or an External DHCP Server

Configure Users
Select Local Users from the Users Menu (not needed if using LDAP)
Click Add User
UTM - VPN: How to configure a 'Route all Traffic' WAN GroupVPN Policy
08.02.2012 https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6430&p=t

Fill out the details on the Settings tab, then click the VPN Access Tab.
Be sure to give the user access to a Network, LAN Subnets is chosen in the example below. Click OK.


Configure Groups

(not needed if using Local Users)
Go to the Users - Local Groups screen
Click the Configure icon by the Group for which you are providing VPN Access configurations.


Click on the VPN Access tab and be sure to select a Network this group has access to (LAN Subnets and WAN RemoteAccess Networks are
selected in the example below)
Click OK

Configure WAN GroupVPN

Go to the VPN - Settings screen


Check Enable for the WAN GroupVPN
Click the Configure icon for the WAN GroupVPN

Click on the General Tab
Enter the Shared Secret (in this example, presharedsecret)

Click on the Proposals Tab
Enter the IKE and IPSec Proposal information; this example uses the default settings.

Click on the Advanced Tab
Verify that Require Authentication of VPN Clients via XAUTH is checked
Select User Group for XAUTH users (in this example, Trusted Users is selected)

Click on the Client Tab
Select Allow Connections to: (in this example, This Gateway Only)
Check Set Default Route as this Gateway
Check Apply VPN Access Control List (Optional: if WAN Remote Access Networks is NOT added to the VPN Access List you may keep this unchecked.)


Configure Internal DHCP Server
(Not needed for External DHCP Server)
Go to the Network - DHCP Server screen
Check Enable DHCP Server
Check Enable Conflict Detection
Click on Add Dynamic

Enter a Range Start (example 192.168.24.20)
Enter a Range End (example 192.168.24.30)
Select a Gateway Preference (example 192.168.24.1)
Click OK

Configure DHCP over VPN for Internal Server
(or Configure DHCP relay address for External Server)
Go to the DHCP over VPN screen
Select Central Gateway
Click Configure

Check Use Internal DHCP Server
Check For Global VPN Clients
OR
Check Send DHCP Requests to the server address listed below
Click Add
Enter the IP Address of your DHCP Server
Click OK
Click OK

Configure NAT Policy
This NAT Policy is needed for many-to-one source IP address translation as remote VPN hosts go to the internet via the VPN connection.
Go to the Network - NAT Policies screen
Click Add
Enter Original Source: In this example, Any
Enter Translated Source: In this example, X1 IP
Enter Original Destination: In this example, Any
Enter Translated Destination: In this example, Original
Enter Original Service: In this example, Any
Enter Translated Service: In this example, Original
Enter Inbound Interface: In this example, X1 (note this is your WAN interface)
Enter Outbound Interface: In this example, X1
NOTE: in the Gen4 Pro products, and in NSA and NSA E-Class Products, the network address objects are named after the interfaces. Thus the object
named X1 IP will usually be the correct choice for the Translated Source in those products. Similar configurations can be done on other WANs, like X2, X3, etc.

The TZ products instead use a friendlier name for the same network address object: WAN Primary IP. That object would be used as the Translated Source in
those products. The TZ products also use friendlier names for the interfaces themselves. They are called LAN and WAN instead of X0 and X1. Thus the
Inbound Interface and Outbound Interface would be set to WAN in those products, usually.
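To make the routing and NAT behaviour described above concrete, here is an added Python model (not SonicWALL code) of what happens to a decrypted GVC packet: LAN destinations are routed like local hosts, everything else goes out X1 and is source-translated to X1 IP by the NAT policy. The LAN subnet and the X1 address are assumed values; the VPN pool matches the DHCP range used in this article's examples.

```python
# Added example (not SonicWALL's code): models the 'Route all Traffic'
# forwarding and the many-to-one NAT policy from the article.
import ipaddress

# Constructed topology. LAN_SUBNET and X1_IP are assumptions; VPN_POOL
# covers the DHCP over VPN range used in the article (192.168.24.20-30).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # X0 / LAN (assumed)
VPN_POOL = ipaddress.ip_network("192.168.24.0/24")   # GVC client addresses
X1_IP = ipaddress.ip_address("203.0.113.2")          # X1 IP (assumed, documentation prefix)

# The article's NAT policy: Original Source Any -> Translated Source X1 IP,
# destination and service left Original, Inbound X1, Outbound X1.
NAT_POLICY = {"inbound": "X1", "outbound": "X1", "translated_source": X1_IP}


def route(dst):
    """Routing applied after VPN decapsulation: LAN destinations are
    handled like traffic from local hosts, everything else goes to the
    WAN gateway router via X1."""
    return "X0" if ipaddress.ip_address(dst) in LAN_SUBNET else "X1"


def apply_nat(src, dst, inbound):
    """Return (source after NAT, outbound interface, translated?)."""
    outbound = route(dst)
    p = NAT_POLICY
    if inbound == p["inbound"] and outbound == p["outbound"]:
        return str(p["translated_source"]), outbound, True
    return str(ipaddress.ip_address(src)), outbound, False


def forward_gvc_packet(src, dst):
    """GVC traffic arrives encapsulated on the WAN interface, so its
    inbound interface is X1 even though the inner source is a pool
    address. Only pool addresses are accepted as GVC sources."""
    if ipaddress.ip_address(src) not in VPN_POOL:
        raise ValueError("not a GVC client address: %s" % src)
    return apply_nat(src, dst, inbound="X1")


if __name__ == "__main__":
    # Internet-bound flow is translated to X1 IP; LAN-bound flow is not.
    print(forward_gvc_packet("192.168.24.20", "198.51.100.10"))
    print(forward_gvc_packet("192.168.24.20", "192.168.1.10"))
```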

Routing All Traffic through the SonicWALL allows an administrator to protect a user by enforcing Intrusion Prevention, Gateway Anti-Virus, Anti-
Spyware, Client Anti-Virus, Content Filtering, and other policies on remote users' traffic. On the UTM appliance which has subscriptions for the various
Security Services mentioned above, the relevant configurations are done on the Network - Zones screen. There are enforcement checkboxes for the
various Security Services, and usually they are turned on for the LAN and WAN zones.

To protect traffic coming across a 'Route all Traffic' WAN GroupVPN Policy, the administrator must edit the VPN zone and enable the checkboxes
for the Intrusion Prevention, Gateway Anti-Virus, Anti-Spyware, Client Anti-Virus, and / or Content Filtering services.

Troubleshooting
Verify WAN GroupVPN configuration is correct
Verify WAN GroupVPN is enabled
Check VPN Summary page or Log files to verify that the tunnel has been established
Review all configuration steps.

KBID 6430
Date Modified 1/6/2011
Date Created 3/18/2009