Configuring Layer 3 Management over IPsec

In this example, the central IPsec gateway acts as the SonicPoint WLAN controller; see SonicPoint Layer 3 Management over IPsec Configuration. The SonicPoint is deployed under the VPN local LAN subnet of the remote IPsec gateway. The SonicPoint receives its DHCP client lease from the DHCP scope on the central gateway, so the DHCP over VPN feature must be configured on the remote IPsec gateway.

SonicPoint Layer 3 Management over IPsec Configuration

To configure SonicPoint Layer 3 Management over IPsec, perform the following procedures in order:

1. Configuring the VPN Tunnel on the Central Gateway
2. Configuring the VPN Tunnel on the Remote Gateway
3. Configuring the CAPWAP DHCP Option Object on the Central Gateway
4. Configuring the DHCP Scope on the Central Gateway
5. Configuring the WT0 Interface on the Central Gateway
Configuring the VPN Tunnel on the Central Gateway

To configure the VPN tunnel on the Central Gateway:

1. Navigate to the VPN > Settings page.
2. Under the VPN Policies table, click Add. The VPN Policy dialog displays.
3. From the Policy Type drop-down menu, select Site to Site. This is the default.
4. From the Authentication Method drop-down menu, select the method you want. For example, IKE using Preshared Secret. This is the default.
5. In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Central Gateway.
6. In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.77.
7.
8. Click the Network tab.
9. Under Local Networks, select the Choose local network from list option.
10. From the Choose local network from list drop-down menu, select X0 Subnet.
11. Under Remote Networks, select the option you want and, if applicable, the network you want from the associated drop-down menu.
12. Click the Advanced tab.
13. Select the Allow SonicPoint N Layer 3 Management option.
14. Click OK. The VPN Policies table is updated.
15. Navigate to the VPN > DHCP over VPN page.
16. From the DHCP over VPN drop-down menu, select Central Gateway. This is the default.
17. Click the Configure button. The DHCP over VPN Configuration dialog displays.
18.
19.

Configuring the VPN Tunnel on the Remote Gateway

To configure the VPN tunnel on the remote gateway:

1. Navigate to the VPN > Settings page.
2. Under the VPN Policies table, click Add. The VPN Policy dialog displays.
3. From the Policy Type drop-down menu, select Site to Site. This is the default.
4. From the Authentication Method drop-down menu, select the appropriate method for your network. For example, IKE using Preshared Secret. This is the default.
5. In the Name field, enter a descriptive name for the VPN tunnel. For example, VPN to Remote Gateway.
6. In the IPSec Primary Gateway Name or Address field, enter the IP address of the remote gateway. For example, 10.03.49.79.
7. Click the Network tab.
8. Under Local Networks, select the Choose local network from list option. This is the default.
9. From the Choose local network from list drop-down menu, select X1 Subnet.
10. Under Remote Networks, select the option you want and, if appropriate, the network from the associated drop-down menu. The default is Choose destination network from list.
11. Under Remote Networks, select Create new address object from the appropriate menu. The Add Address Object dialog displays.
12. In the Name field, enter Remote Gateway X0 Subnet.
13. From the Zone Assignment drop-down menu, select LAN. This is the default.
14. From the Type drop-down menu, select Network. Another option appears.
15. In the Network field, enter the network address of the remote gateway's X0 subnet. For example, 192.168.168.0.
16. In the Netmask/Prefix Length field, enter the mask. For example, 255.255.255.0.
17.
18. Click the Advanced tab.
19. Select the Allow SonicPointN Layer 3 Management option.
20. Click OK. The VPN Policies table is updated.
21. Navigate to the VPN > DHCP over VPN page.
22. From the DHCP over VPN drop-down menu, select Remote Gateway.
23. Click the Configure button. The DHCP over VPN Configuration dialog displays.
24. From the DHCP lease bound to drop-down menu, select the interface that is connected to the SonicPoint. For example, Interface X4.
25. (Optional) Select the Accept DHCP Request from bridged WLAN interface option if your deployment needs it.
26. In the Relay IP Address field, enter the IP address of the interface connected to the SonicPoint. For example, 30.30.30.1.

    This address can also be used to manage this SonicWall remotely through the VPN tunnel from behind the Central Gateway.

27. In the Remote Management IP Address field, enter the IP address that is used to manage this SonicWall security appliance remotely from behind the Central Gateway.

    NOTE: This IP address was configured in Configuring the Access Controller Interface, and must be reserved in the DHCP scope on the DHCP server. In the example it is 10.10.10.1.

28. Select the Block traffic through tunnel when IP spoof detected option.
29. Select the Obtain temporary lease from local DHCP server if tunnel is down option.
30. In the Temporary Lease Time (minutes) field, leave the default value of 2.
31.

Configuring the CAPWAP DHCP Option Object on the Central Gateway

To configure the CAPWAP DHCP Option Object on the Central Gateway:

1. Navigate to the Network > DHCP Server page.
2. In the DHCP Server Settings section, click Advanced. The DHCP Advanced Settings dialog displays.
3. Click Add Option. The Add DHCP Option Object dialog displays.
4. In the Option Name field, enter a descriptive name, such as capwap or CAPWAP DHCP.
5. From the Option Number drop-down menu, select 138 (CAPWAP AC IPv4 Address List).
6. In the Option Value field, enter the IP address you want to use for the DHCP group. For example, 192.168.168.168.
7. Click OK to add the DHCP Option Object.
8. Click OK to close the DHCP Advanced Settings dialog and return to the Network > DHCP Server page.

Configuring the DHCP Scope on the Central Gateway

To configure the DHCP Scope on the Central Gateway:

1. Navigate to the Network > DHCP Server page.
2. Click the Add Dynamic button. The Dynamic Range Configuration dialog displays.
3. Select the Enable this DHCP Scope option. This is the default.
4. In the Range Start field, enter the IP address at which to start the DHCP range. For example, 30.30.30.2.
5. In the Range End field, enter the IP address at which to end the DHCP range. For example, 30.30.30.100.
6. In the Lease Time (minutes) field, use the default value, 1440.
7. In the Default Gateway field, enter the IP address of the default gateway.
8. In the Subnet Mask field, enter the subnet mask of the default gateway. For example, 255.255.255.0.
9. Click the Advanced tab.
10. In the DHCP Generic Options section, from the DHCP Generic Option Group drop-down menu, select the CAPWAP DHCP option.
11. Select the Send Generic options always option. This is the default.
12. Click OK. The DHCPv4 Server Lease Scopes table is updated.
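The two procedures above (the CAPWAP DHCP Option Object and the DHCP scope that carries it) can be sanity-checked before they go live. The following Python is an added example, not SonicWall code and not generated by the appliance: it builds the on-the-wire DHCP option 138 (CAPWAP AC IPv4 Address List, RFC 5417) that the option object produces, parses it back while rejecting malformed lengths, and checks a dynamic scope for the mistakes that break this deployment, such as a reserved address (the relay IP or the remote management IP that the note above says must be reserved) landing inside the dynamic range. The function names are hypothetical, and the default gateway value 30.30.30.1 is an assumption taken from the relay IP example in the remote gateway procedure; the page itself gives no default gateway value.

```python
"""Added example: encode/decode DHCP option 138 and validate a dynamic DHCP scope.
Not SonicWall code; values marked 'example' or 'assumed' are constructed for this demo."""
import ipaddress
import struct

CAPWAP_AC_V4_OPTION = 138  # RFC 5417: CAPWAP Access Controller IPv4 address list


def encode_option_138(controllers):
    """Return raw DHCP option bytes: code, length, then one packed IPv4 address per controller."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    # DHCP option length is a single byte, so at most 63 addresses fit.
    if not addrs or len(addrs) * 4 > 255:
        raise ValueError("option 138 needs between 1 and 63 IPv4 addresses")
    payload = b"".join(a.packed for a in addrs)
    return struct.pack("!BB", CAPWAP_AC_V4_OPTION, len(payload)) + payload


def decode_option_138(raw):
    """Parse option 138 bytes into dotted addresses; a wrong code or length is an error,
    so a truncated or padded option is never silently accepted as a controller list."""
    if len(raw) < 2 or raw[0] != CAPWAP_AC_V4_OPTION:
        raise ValueError("not a CAPWAP AC IPv4 Address List option")
    length = raw[1]
    if length == 0 or length % 4 != 0 or len(raw) != 2 + length:
        raise ValueError("malformed option 138 length")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


def check_scope(range_start, range_end, default_gateway, subnet_mask, reserved=()):
    """Return a list of problems found in a dynamic scope; an empty list means the scope is sound.
    'reserved' holds addresses that must never be handed out (relay IP, remote management IP)."""
    problems = []
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    gateway = ipaddress.IPv4Address(default_gateway)
    net = ipaddress.IPv4Network(f"{default_gateway}/{subnet_mask}", strict=False)
    if start > end:
        problems.append("range start is after range end")
    if start not in net or end not in net:
        problems.append("range is not inside the default gateway's subnet")
    if start <= gateway <= end:
        problems.append("default gateway lies inside the dynamic range")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    for addr in reserved:
        if start <= ipaddress.IPv4Address(addr) <= end:
            problems.append(f"{addr} must be reserved but lies inside the dynamic range")
    return problems


if __name__ == "__main__":
    # Example values from the procedures above; the gateway 30.30.30.1 is assumed.
    option = encode_option_138(["192.168.168.168"])
    print("option 138 bytes:", option.hex(), "->", decode_option_138(option))
    print("scope problems:", check_scope("30.30.30.2", "30.30.30.100", "30.30.30.1",
                                         "255.255.255.0", reserved=["30.30.30.1", "10.10.10.1"]))
```

Run it as a script to see the encoded option and an empty problem list for the values in this document; feeding it a gateway or reserved address inside the range returns a named problem instead, which is the case worth catching before a SonicPoint boots and asks for a lease.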

Configuring the WT0 Interface on the Central Gateway

To configure the Wireless Tunnel interface (WT0) on the Central Gateway:

1. Navigate to the Network > Interfaces page.
2. From the Add Interface drop-down menu in the Interface Settings section, select Add WLAN Tunnel Interface. The Add WLAN Tunnel Interface dialog is displayed.
3. From the Zone drop-down menu, select WLAN. More options display.
4. In the Tunnel Id field, select 0. This is the default.
5. From the Tunnel Source Interface drop-down menu, select X0.
6. From the Mode / IP Assignment drop-down menu, select Static IP Mode. This is the default.
7. In the IP Address field, enter 172.17.31.1.
8. In the Subnet Mask field, enter 255.255.255.0. This is the default.
9. From the SonicPoint Limit drop-down menu, select the maximum number of SonicPoints allowed on your network. For example, 48 SonicPoints. The default is 64 SonicPoints.
10.
11. Click OK. The Interface Settings table is updated.