The VPN > DHCP over VPN page allows you to configure a SonicWALL security appliance to obtain an IP address lease from a DHCP server at the other end of a VPN tunnel. In some network deployments it is desirable to have all VPN networks on one logical IP subnet, creating the appearance that all VPN networks reside in one IP subnet address space. This simplifies IP address administration for the networks using VPN tunnels.

The SonicWALL security appliances at the remote and central sites are configured for VPN tunnels that carry the initial DHCP traffic as well as the subsequent IP traffic between the sites. The SonicWALL security appliance at the remote site (Remote Gateway) passes DHCP broadcast packets through its VPN tunnel. The SonicWALL security appliance at the central site (Central Gateway) relays DHCP packets from the client on the remote network to the DHCP server on the central site.

To configure DHCP over VPN for the Central Gateway, use the following steps:
1. Select VPN > DHCP over VPN.
2. Select Central Gateway from the DHCP Relay Mode menu.
3. Click Configure. The DHCP over VPN Configuration window is displayed.
4. Select Use Internal DHCP Server to enable the SonicWALL Global VPN Client, a remote firewall, or both to use an internal DHCP server to obtain IP addressing information. Check the For Global VPN Client checkbox to use the DHCP Server for Global VPN Clients.
6. Click Add. The Add DHCP Server window is displayed. Type the IP addresses of the DHCP servers in the IP Address field, and click OK. The SonicWALL security appliance now directs DHCP requests to the specified servers.

To edit an entry in the IP Address table, click Edit. To delete a DHCP server, highlight the entry in the IP Address table and click Delete. Click Delete All to delete all entries.
To configure DHCP over VPN for the Remote Gateway, use the following steps:

1. Select Remote Gateway from the DHCP Relay Mode menu.
2. Click Configure. The DHCP over VPN Configuration window is displayed.
3. In the General tab, the VPN policy name is automatically displayed in the Relay DHCP through this VPN Tunnel field if the VPN policy has the setting Local network obtains IP addresses using DHCP through this VPN Tunnel enabled.
5. If you enter an IP address in the Relay IP address field, this IP address is used as the DHCP Relay Agent IP address in place of the Central Gateway's address, and must be reserved in the DHCP scope on the DHCP server. This address can also be used to manage this SonicWALL security appliance remotely through the VPN tunnel from behind the Central Gateway.
6. If you enter an IP address in the Remote Management IP Address field, this IP address is used to manage the SonicWALL security appliance from behind the Central Gateway, and must be reserved in the DHCP scope on the DHCP server.
7. If you enable Block traffic through tunnel when IP spoof detected, the SonicWALL security appliance blocks any traffic across the VPN tunnel that is spoofing an authenticated user's IP address. If you have any static devices, however, you must ensure that the correct Ethernet address is typed for each device. The Ethernet address is used as part of the identification process, and an incorrect Ethernet address can cause the SonicWALL security appliance to respond to IP spoofs.
8. If the VPN tunnel is disrupted, temporary DHCP leases can be obtained from the local DHCP server. Once the tunnel is active again, the local DHCP server stops issuing leases. Enable the Obtain temporary lease from local DHCP server if tunnel is down check box to have a failover option in case the tunnel ceases to function. If you want to allow temporary leases for a certain time period, type the number of minutes for the temporary lease in the Temporary Lease Time box. The default value is 2 minutes.
10. To configure Static Devices on the LAN, click Add to display the Add LAN Device Entry window, type the IP address of the device in the IP Address field, and then type the Ethernet address of the device in the Ethernet Address field.

An example of a static device is a printer, as it cannot obtain an IP lease dynamically. If you do not have Block traffic through tunnel when IP spoof detected enabled, it is not necessary to type the Ethernet address of a device. You must exclude the static IP addresses from the pool of available IP addresses on the DHCP server so that the DHCP server does not assign these addresses to DHCP clients. You should also exclude the IP address used as the Relay IP Address. It is recommended to reserve a block of IP addresses to use as Relay IP addresses. Click OK.

11. To exclude devices on your LAN, click Add to display the Add Excluded LAN Entry window. Enter the MAC address of the device in the Ethernet Address field. Click OK. Click OK to exit the DHCP over VPN Configuration window.
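As an added example (not SonicWALL code), the following Python script checks a DHCP-over-VPN address plan against the rules in the steps above: the Relay IP, Remote Management IP and static-device addresses must sit outside the DHCP server's dynamic pool, static devices need an Ethernet address when spoof blocking is enabled, and tunnel traffic is admitted only when its source IP/MAC pair matches a current binding or a static device entry. All addresses, MACs and the lease table are constructed sample values.

```python
import ipaddress

# Constructed sample plan (not from the page): the central-site DHCP scope and
# the addresses the Remote Gateway configuration refers to.
POOL = ("10.10.10.100", "10.10.10.199")          # dynamic pool on the DHCP server
RELAY_IPS = ["10.10.10.10"]                      # reserved block for Relay IP addresses
MGMT_IPS = ["10.10.10.11"]                       # Remote Management IP address
STATIC_DEVICES = {                               # Static Devices on the LAN: IP -> MAC
    "10.10.10.150": "00:11:22:33:44:55",         # printer placed inside the pool (mistake)
    "10.10.10.20": "",                           # device entered without its Ethernet address
}
BINDINGS = {"10.10.10.101": "aa:bb:cc:dd:ee:01"}  # constructed current lease table: IP -> MAC


def in_pool(ip, pool=POOL):
    """True if ip falls inside the DHCP server's dynamic pool range."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(pool[0]) <= a <= ipaddress.ip_address(pool[1])


def scope_conflicts(relay_ips, mgmt_ips, static_devices, spoof_block, pool=POOL):
    """List (address, reason) pairs that break the page's rules: relay and
    management addresses and static devices must not be handed out by the pool,
    and static devices need an Ethernet address when spoof blocking is on."""
    problems = []
    for ip in relay_ips:
        if in_pool(ip, pool):
            problems.append((ip, "Relay IP inside dynamic pool; reserve it in the scope"))
    for ip in mgmt_ips:
        if in_pool(ip, pool):
            problems.append((ip, "Remote Management IP inside dynamic pool; reserve it"))
    for ip, mac in static_devices.items():
        if in_pool(ip, pool):
            problems.append((ip, "static device inside dynamic pool; exclude it"))
        if spoof_block and not mac:
            problems.append((ip, "static device without Ethernet address; spoof check cannot validate it"))
    return problems


def tunnel_packet_allowed(src_ip, src_mac, bindings=BINDINGS, static_devices=STATIC_DEVICES):
    """Model of 'Block traffic through tunnel when IP spoof detected': admit a
    packet only if its source IP/MAC pair matches a current DHCP binding or a
    static device entry; an unknown IP or a missing/wrong MAC counts as spoofed."""
    expected = bindings.get(src_ip) or static_devices.get(src_ip)
    if not expected:
        return False
    return expected.lower() == src_mac.lower()
```

Run scope_conflicts before handing the plan to the DHCP administrator; any entry it returns is an address that still needs a reservation, an exclusion, or an Ethernet address.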
The scrolling window shows the details of the current bindings: the IP and Ethernet address of each binding, along with the Lease Time and Tunnel Name.

To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click the Delete icon. The operation takes a few seconds to complete. Once completed, a message confirming the update is displayed at the bottom of the Web browser window. Click Delete All to delete all VPN leases.