Global VPN Client - remote site resources

Hello,

I would like to know how to configure access to remote site resources, when I am connected to the main site with my Global VPN Client (windows).

Main Site = NSA2650 (firmware 6.5)

Site B is behind the Main Site, through a Site to Site VPN. And I want to access Site B from my laptop running the VPN client connected to the main site.

I have read: https://www.sonicwall.com/support/knowledge-base/accessing-remote-site-resources-when-connected-to-the-main-site-via-remote-vpn-client/170505963174776/

I have configured my user account to have the same address object in its Access List, but it doesn't work (I mean, the same address object that is configured as "Choose destination network from list" in the site to site VPN configuration for site B).

Am I doing something wrong? 😣

Any help will be welcome.

Thank you very much in advance. 😌

Category: VPN Client

Best Answer

  • Ajishlal Cybersecurity Overlord ✭✭✭
    Accepted Answer

    Hi @SWuservpn,

    I always prefer a different DHCP pool for GVC users. Do one thing: configure one empty firewall port for GVC (don't connect any cable to that port) and configure a different subnet for the GVC; it should be under the LAN Zone.

    For example follow the below screen shot.

    LAN Interface:

    GVC Interface (Should be empty port & do not use for anything)


    Then configure the DHCP Pool for the GVC Users:

    Then configure DHCP over VPN the same as below:


    Try the above steps and let us know if it helps you resolve your GVC issues.

Answers

  • Hello @SWuservpn,

    Please make sure that the GVC clients are getting IP addresses from the same subnet that is used as the local network in the site to site VPN on the NSa 2650. Otherwise, the traffic will not be sent across the site to site VPN as there is no SA formed between the GVC IP and remote network.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • KaranM Administrator

    Thanks @shiprasahu93

    @SWuservpn, adding to what Shipra suggested, in case you are using a separate subnet for GVC, you might need to add that subnet under Local Network (Main Site) and Remote Network on site B. This will form the SA between GVC and remote site as well.


    Regards

    Karan

    Knowledge Management Senior Analyst at SonicWall.

  • Thanks for your speed!!!! I am not using dhcp for GVC clients. When I see the Clients status, I can see their private/local lan ip.

    So, if I want them to access some remote sites behind my main site (I mean remote sites connected by other site to site VPNs...) ==> I have to publish their IP addresses to the remote site VPN....OK!!

    Maybe it could be easier to serve DHCP directly from my main site LAN, which is already published on all my remote sites (site to site). How do I configure the Dynamic DHCP Scope to serve the GVC clients? 🤨


    And thanks KARANM for your answer too!!!... I could configure a Dynamic DHCP Scope like 192.168.99.x for all my GVC clients, and add that network to my site to site vpns configuration... (same question, how to configure the new dhcp scope to serve the GVC clients...?)

    Thanks for your answers!

  • Checking settings....is that in the WAN GroupVPN settings? Client/Client Connections, Virtual Adapter settings: DHCP Lease?

    Thanks.

  • ...and I think I have to configure VPN/DHCP over VPN, pointing to some dhcp scope...correct?

    Thanks.

  • Shipra Sahu

    Technical Support Advisor, Premier Services

  • Thank you very much shiprasahu93

    I was reading it right now!!

    I will test it as soon as possible. Not easy with some users connected....

    Thanks!

  • No problem. Let us know how it goes.
    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Hello again, a little confused with DHCP over VPN / Configure / DHCP Relay: Central Gateway (I guess)

    _____________________________________________________________

    "Use Internal DHCP Server-

    Enables the SonicWall to be the DHCP server for either the Global VPN Client connections to this SonicWall or for Remote firewall connections via VPN. For this example we would only be concerned with Global VPN Client (GVC)."

    _____________________________________________________________

    I would like to use the Internal DHCP server of my NSA2650. Where must I set that I want to use this or that scope? (for example the LAN dhcp server that I can enable.....or some special scope of a different network....).

    Sorry for so many questions!

    Thanks!

  • If you do not specify any relay IP, by default the GVC clients will get an IP from the X0 subnet scope. I would suggest going with that as usually that's included in the site to site VPN as well. You can set a separate scope but then you would need to add that scope to the site to site VPN.

    So just enable the DHCP over VPN with relay IP set to 0.0.0.0

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services
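
Added example, not part of any post in this thread and not SonicWall code: a small Python model of the point made in the replies above, that a GVC client only reaches site B when its address falls inside the Local Networks of the main-site policy and the Remote Networks of site B's policy. The subnets 192.168.1.0/24 and 192.168.20.0/24 and all function names are constructed for illustration; 192.168.99.0/24 stands in for a separate GVC scope.

```python
import ipaddress

def policy(local, remote):
    """One side of a site-to-site VPN policy: its Local and Remote Networks."""
    return {"local": [ipaddress.ip_network(n) for n in local],
            "remote": [ipaddress.ip_network(n) for n in remote]}

def covered(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def diagnose(main, site_b, gvc_ip, target_ip):
    """List the selector gaps that keep GVC -> site B traffic out of the tunnel."""
    gaps = []
    if not covered(gvc_ip, main["local"]):
        gaps.append("main site: GVC address not in Local Networks")
    if not covered(target_ip, main["remote"]):
        gaps.append("main site: target not in Remote Networks")
    # Site B sees the same flow with the roles swapped.
    if not covered(gvc_ip, site_b["remote"]):
        gaps.append("site B: GVC address not in Remote Networks")
    if not covered(target_ip, site_b["local"]):
        gaps.append("site B: target not in Local Networks")
    return gaps

# Constructed addressing (assumption): X0 LAN, site B LAN, separate GVC scope.
X0_LAN, SITE_B_LAN, GVC_SCOPE = "192.168.1.0/24", "192.168.20.0/24", "192.168.99.0/24"
TARGET = "192.168.20.10"  # constructed host at site B

MAIN_SITE = policy(local=[X0_LAN], remote=[SITE_B_LAN])
SITE_B = policy(local=[SITE_B_LAN], remote=[X0_LAN])
# The same policies after adding the GVC scope on both ends.
MAIN_SITE_FIXED = policy(local=[X0_LAN, GVC_SCOPE], remote=[SITE_B_LAN])
SITE_B_FIXED = policy(local=[SITE_B_LAN], remote=[X0_LAN, GVC_SCOPE])

if __name__ == "__main__":
    cases = [
        ("lease from X0 scope", MAIN_SITE, SITE_B, "192.168.1.50"),
        ("separate scope, policies unchanged", MAIN_SITE, SITE_B, "192.168.99.10"),
        ("separate scope, main site only", MAIN_SITE_FIXED, SITE_B, "192.168.99.10"),
        ("separate scope, both ends", MAIN_SITE_FIXED, SITE_B_FIXED, "192.168.99.10"),
    ]
    for label, main, site_b, gvc_ip in cases:
        print(f"{label}: {diagnose(main, site_b, gvc_ip, TARGET) or 'covered by the SA'}")
```
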

  • Thanks shiprasahu93 !!!

    I will try this, and test it as soon as possible.

    Thank you all of you.

  • SWuservpn Newbie ✭
    edited December 2020

    Hello shiprasahu93

    I have a DHCP lan scope enabled at my main site. I have configured DHCP over VPN:

    Central Gateway / Use internal dhcp server (For Global VPN Client)

    In this attempt to enable dhcp over vpn connections, I have suffered too long delays in receiving dynamic ip on remote clients. The remote client stays in "Acquiring ip" state for too long. Most of the time you don't get an address.

    In some cases, after some retries at the remote client (user/password), they receive an IP from my main site DHCP....Other times, I was updating the short scope I had enabled (LAN)....and it seems that wakes up the DHCP server (strange behavior...).

    When it worked, in Users/Status, I could see IP Address assigned from my dhcp scope correctly..... under IP Address field: "private ip (public ip)"...

    What should I configure to get the DHCP scope to quickly deliver the ip to remote users? This behavior (Acquiring ip) has been repeated for all remote users without exception.

    Thanks for your help.

  • Hello @SWuservpn,

    What version of GVC are you testing with? Is this problem happening to all users?

    Please take a look at the KB below:

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Hello again shiprasahu93 ,

    Thanks for your answers.

    Global VPN Client Version = 4.10.5.1021

    Yes, happening to all users.

    I will read that KB, and let you know.

    Thanks!

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @SWuservpn

    Please make sure you enabled the DHCP relay the same as below:


  • Hello Ajishlal ,

    I haven't. I left 0.0.0.0 there, that is an error I suppose. Now I rollback, because I have another strange problem. Many pcs can't connect in the LAN. A simple ipconfig shows that there is ip conflict (duplicated).

    I can see that my dhcp is being bombarded by queries rapidly taking up all available addresses. I think I have detected that is happening when using a new Aruba-HP brand switch. Now this has become a priority, perhaps it would be correct to open a new post with this topic and pause the "DHCP over VPN" query for now.

    Have you ever experienced something like this, patching a switch with a X (LAN) interface of your NSA?

    I can see this in my NSA log:

    ID: 1040
    Category: Network
    Group: DHCP Server
    Event: DHCP Server IP Conflict Detected
    Msg. Type: Standard Note String
    Priority: Alert
    Message: DHCP Server: IP conflict detected
    Src. Name:
    Dst. Name:
    Notes: IP configured at 30:30:30:30:30:30

    Any help is welcome.😃

  • Sorry for the delay,

    Thank you Ajishlal , I will do that about dhcp, as soon as possible!!!

    Regarding the problem I was commenting on above, we finally had a device (not a pc) that was crazy, claiming all the assigned ip's as if they were its own ...

    Thanks again for your time.

  • SWuservpn Newbie ✭

    Hello Ajishlal _ sorry for this delay and thanks again. One question about your config., I think you told me to set this new subnet under my LAN ZONE, to grant access to my LAN Devices directly from my GVC clients...., Am I right?

    I guess that my NSA will allow directly communication between new subnet <==> LAN because they will be in same zone.

    I understand that after configuring that.... I would have to reconfigure the site B vpn (adding that new subnet on my Local Networks....and adding it on the B Site Remote Network). I mean....that remote site B, is where I need to reach, directly from my GVC.

    Thank you very much.

  • SWuservpn Newbie ✭

    Hello, ok, it was obvious that yes, my new interface (subnet), under the LAN zone, communicates with LAN (X0), but I'm still not receiving DHCP on my remote GVCs.

    I have tried the settings suggested by Ajishlal (new subnet, on one free interface, and new DHCP scope that runs ok if I patch directly on it).

    To test it, I change the config on:

    VPN / DHCP over VPN

    WAN Group VPN / Client _ Virtual adapter settings ==> DHCP lease

    But the remote clients stay in "Acquiring ip" state like before.

    The best way to test it is to access a remote PC, for example via TeamViewer, and run connection tests while staying at the central office (NSA).

    Not easy to find the solution. I have to rollback config fast, because of the fact that I disconnect users every time I change settings :(

    Thanks again for your help.
