VPN > Settings
578
SonicOS Enhanced 4.0 Administrator Guide
– If you wish to use a router on the LAN for traffic entering this tunnel destined for an unknown subnet (for example, if you configured the other side to Use this VPN Tunnel as default route for all Internet traffic), enter the IP address of your router in the Default LAN Gateway (optional) field.
– Select an interface or Zone from the VPN Policy bound to menu. A Zone is the preferred selection if you are using WAN Load Balancing and you wish to allow the VPN to use either WAN interface.
Step 15 Click OK.
VPN Auto-Added Access Rule Control
When adding VPN Policies, SonicOS Enhanced auto-creates non-editable Access Rules to
allow the traffic to traverse the appropriate Zones. Consider the following VPN Policy, where
the Local Network is set to Firewalled Subnets (in this case comprising the LAN and DMZ) and
the Destination Network is set to Subnet 192.168.169.0. The VPN Policy appears as follows:
And the following Access Rules are added for inbound and outbound traffic:
While this is generally a tremendous convenience, there are some instances where it might be preferable to suppress the auto-creation of Access Rules in support of a VPN Policy. One such instance is a large hub-and-spoke VPN deployment where all the spoke sites are addressed using address spaces that can easily be supernetted. For example, assume we wanted to provide access to/from the LAN and DMZ at the hub site to one subnet at each of 2,000 remote sites, addressed as follows:
remoteSubnet0=Network 10.0.0.0/24 (mask 255.255.255.0, range 10.0.0.0-10.0.0.255)
remoteSubnet1=Network 10.0.1.0/24 (mask 255.255.255.0, range 10.0.1.0-10.0.1.255)
remoteSubnet2=Network 10.0.2.0/24 (mask 255.255.255.0, range 10.0.2.0-10.0.2.255)
remoteSubnet2000=Network 10.7.207.0/24 (mask 255.255.255.0, range 10.7.207.0-10.7.207.255)
Creating VPN Policies for each of these remote sites would result in the requisite 2,000 VPN
Policies, but would also create 8,000 Access Rules (LAN -> VPN, DMZ -> VPN, VPN -> LAN,
and VPN -> DMZ for each site). However, all of these Access Rules could easily be handled
with just 4 Access Rules to a supernetted or address range representation of the remote sites
(More specific allow or deny Access Rules could be added as needed):
remoteSubnetAll=Network 10.0.0.0/13 (mask 255.248.0.0, range 10.0.0.0-10.7.255.255)
or
remoteRangeAll=Range 10.0.0.0-10.7.207.255
To enable this level of aggregation, the Advanced tab of the VPN Policy window offers the Auto-Add Access Rules for VPN Policy setting. By default, the checkbox is selected, meaning the accompanying Access Rules are created automatically, as they have always been. If the checkbox is deselected when the VPN Policy is created, no Access Rules are auto-added, and the administrator must create custom Access Rules for VPN traffic.
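As an added worked example (not part of the SonicOS guide and not SonicWall's code), the following Python script reproduces the aggregation arithmetic behind the hub-and-spoke case above: it builds the 2,000 consecutive spoke /24s, derives the single supernet that contains them (10.0.0.0/13, mask 255.248.0.0), compares that with an exact prefix aggregate and with the address-range form (10.0.0.0-10.7.207.255), and counts how many Access Rules each approach needs for the LAN and DMZ zones. The spoke addressing and the two zones come from the guide; the function names, the helper structure and the "overmatch" figure are this example's own. That overmatch figure is the caveat worth checking before supernetting: a /13 also matches addresses that no spoke actually uses, which is where the more specific allow or deny Access Rules the guide mentions would apply.

```python
import ipaddress

# Constructed sample data following the guide's spoke addressing scheme:
# site i gets 10.0.0.0/24 + i * 256, so site 0 is 10.0.0.0/24 and the
# 2,000th site (index 1999) is 10.7.207.0/24, the last entry in the guide.
ZONES_BEHIND_VPN = ("LAN", "DMZ")   # Firewalled Subnets at the hub site


def spoke_subnets(count=2000, first="10.0.0.0/24"):
    """Return `count` consecutive networks of the same size, starting at `first`."""
    base = ipaddress.IPv4Network(first)
    step = base.num_addresses
    return [
        ipaddress.IPv4Network((int(base.network_address) + i * step, base.prefixlen))
        for i in range(count)
    ]


def auto_added_rule_count(policy_count, zones=ZONES_BEHIND_VPN):
    """Rules SonicOS auto-creates: one inbound and one outbound rule per zone
    for every VPN Policy (LAN -> VPN, VPN -> LAN, DMZ -> VPN, VPN -> DMZ)."""
    return policy_count * 2 * len(zones)


def covering_prefix(subnets):
    """Smallest single CIDR prefix containing every subnet (the remoteSubnetAll
    form). It can be larger than the union of the subnets; see overmatched_addresses."""
    lo = min(n.network_address for n in subnets)
    hi = max(n.broadcast_address for n in subnets)
    net = ipaddress.IPv4Network((int(lo), 32))
    while hi not in net:          # widen one bit at a time until hi fits
        net = net.supernet()
    return net


def exact_aggregate(subnets):
    """Fewest CIDR prefixes whose union is exactly the given subnets, sorted."""
    return list(ipaddress.collapse_addresses(subnets))


def address_range(subnets):
    """Lowest and highest address (the remoteRangeAll form), which matches exactly."""
    lo = min(n.network_address for n in subnets)
    hi = max(n.broadcast_address for n in subnets)
    return str(lo), str(hi)


def overmatched_addresses(prefix, subnets):
    """Addresses the supernet rule would match that belong to no spoke subnet.
    A more specific deny rule can be added to cover them if needed."""
    in_use = sum(n.num_addresses for n in ipaddress.collapse_addresses(subnets))
    return prefix.num_addresses - in_use


def summarize(subnets, zones=ZONES_BEHIND_VPN):
    """Compare per-site auto-added rules with the aggregated alternatives."""
    prefix = covering_prefix(subnets)
    exact = exact_aggregate(subnets)
    return {
        "sites": len(subnets),
        "auto_added_rules": auto_added_rule_count(len(subnets), zones),
        "supernet": str(prefix),
        "supernet_mask": str(prefix.netmask),
        "supernet_range": (str(prefix.network_address), str(prefix.broadcast_address)),
        "supernet_rules": auto_added_rule_count(1, zones),
        "supernet_overmatch": overmatched_addresses(prefix, subnets),
        "exact_prefixes": [str(n) for n in exact],
        "exact_rules": auto_added_rule_count(len(exact), zones),
        "range": address_range(subnets),
        "range_rules": auto_added_rule_count(1, zones),
    }


if __name__ == "__main__":
    for key, value in summarize(spoke_subnets()).items():
        print(f"{key}: {value}")
```

Running the script reports 8,000 auto-added rules for 2,000 sites against 4 rules for either the /13 supernet or the address range; the supernet additionally admits 12,288 addresses (10.7.208.0 through 10.7.255.255) that no spoke uses, while the range form and the six-prefix exact aggregate do not. `spoke_subnets(3)` reproduces the first three entries from the guide's list for a quick sanity check.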