Advertise SSL VPN subnet via OSPF?
I have recently set up a group of Sonicwall firewalls to use tunnel mode site-to-site VPNs with OSPF routing. This is all working pretty much as expected, but I also have SSL VPN configured on these firewalls and want the SSL VPN's subnet to be advertised through OSPF to the other firewalls so that SSL VPN users can access resources across the site-to-site tunnels. I've tried doing this by adding the network in the ARS OSPF shell, but that didn't work. I'm not sure if the SSL VPN can be redistributed into OSPF, but trying it with connected or static redistribution didn't work. Does anyone know of a way to accomplish this?
Best Answer
TKWITS Community Legend ✭✭✭✭✭
You failed to mention that you were redistributing to Ciscos in your original post. Getting OSPF to share the SSLVPN client route CONSISTENTLY with the Cisco ended up being the nail in the coffin. We ended up just doing static routes. I couldn't determine the rhyme or reason why some SSLVPN client routes would get shared while others wouldn't. It doesn't share the entire subnet/range, it shares each INDIVIDUAL route. Looking back it probably has to do with the ancient software the Ciscos were running, but ya know the client was unhappy and statics were easy enough.
OSPF SSLVPN route redistribution Sonicwall to Sonicwall is no problem.
Answers
This is possible. I've done it with Gen6, but it's been a while. No need to go into the shell; I believe you just have to redistribute static routes using the 'standard' ABR.
Some background here: SSL VPN client addresses get added to the Sonicwall's routing table as static routes (not in the ARS table). This is different from other vendors (Cisco). Getting OSPF to share SSL VPN client routes between Sonicwalls and Ciscos was a fun time.
I did add static and connected routes to the redistribution, but it didn't seem to work on a TZ600. However, the fact that you were able to get it working is encouraging so I'll recheck to see if I've overlooked something. And yes, in this case I'm also trying this between Cisco routers and the Sonicwalls. Most of the kinks have been worked out otherwise.
Ok, thanks, and that's what I've ended up doing. I am able to add in statics on the Cisco router side and things work as expected. Eventually the Ciscos are being migrated to Sonicwalls, so this will be a non-issue later on, but I needed the short-term workaround.
You're welcome.
For additional clarification for future readers.
As mentioned in the 'answer' the Sonicwall doesn't share the entire SSLVPN subnet/range, it shares each INDIVIDUAL route. That means routes will only show up when clients connect.
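A quick check for the behaviour described in this thread, added here as an example and not part of any post above: given a "show ip route" style dump from the Cisco side, it reports whether the SSL VPN client pool is covered by a single route or only by per-client /32 host routes, and prints the static route that the thread ended up using as the workaround. The routing-table sample, the pool 192.168.200.0/24 and the next-hop 10.0.0.1 are constructed for the example; the `audit_pool` and `static_route_workaround` helpers are not SonicWall or Cisco tooling.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the style of Cisco IOS "show ip route" output
# (hypothetical addresses, not captured from the thread). The SonicWall at
# 10.0.0.1 is redistributing two connected SSL VPN clients as /32 host
# routes; no route covers the whole client pool 192.168.200.0/24.
SAMPLE_ROUTES = """\
O E2    192.168.200.5/32 [110/20] via 10.0.0.1, 00:05:12, GigabitEthernet0/1
O E2    192.168.200.9/32 [110/20] via 10.0.0.1, 00:01:03, GigabitEthernet0/1
O       10.20.0.0/24 [110/30] via 10.0.0.1, 01:22:40, GigabitEthernet0/1
S       192.168.210.0/24 [1/0] via 10.0.0.2
C       10.0.0.0/30 is directly connected, GigabitEthernet0/1
"""

# Protocol code(s), then prefix in CIDR form, then an optional "via <next-hop>".
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z][A-Z0-9* ]*?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b"
    r"(?:.*?\bvia\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3}))?"
)


@dataclass(frozen=True)
class Route:
    proto: str
    prefix: ipaddress.IPv4Network
    nexthop: Optional[str]


def parse_routes(text: str) -> list:
    """Extract protocol, prefix and next-hop from each routing-table line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(m.group("proto").strip(),
                            ipaddress.ip_network(m.group("prefix"), strict=False),
                            m.group("nexthop")))
    return routes


def audit_pool(routes, pool: str) -> dict:
    """Report how the SSL VPN client pool is represented in the routing table.

    'covered' is True only if some route equals or contains the whole pool;
    'host_routes' lists the per-client routes inside the pool, which is what
    the thread observed being redistributed (one /32 per connected client).
    """
    pool_net = ipaddress.ip_network(pool)
    covering = [r for r in routes if pool_net.subnet_of(r.prefix)]
    hosts = [r for r in routes
             if r.prefix.subnet_of(pool_net) and r.prefix != pool_net]
    return {
        "covered": bool(covering),
        "covering_routes": [str(r.prefix) for r in covering],
        "host_routes": sorted(str(r.prefix) for r in hosts),
        "host_nexthops": sorted({r.nexthop for r in hosts if r.nexthop}),
    }


def static_route_workaround(pool: str, nexthop: str) -> str:
    """Cisco IOS static route for the whole pool, the workaround used in the thread."""
    net = ipaddress.ip_network(pool)
    return f"ip route {net.network_address} {net.netmask} {nexthop}"


if __name__ == "__main__":
    found = parse_routes(SAMPLE_ROUTES)
    report = audit_pool(found, "192.168.200.0/24")
    print(report)
    if not report["covered"]:
        # Clients not yet connected have no route at all; a static for the
        # pool towards the SonicWall removes the dependency on redistribution.
        for nh in report["host_nexthops"]:
            print(static_route_workaround("192.168.200.0/24", nh))
```

Run against a real dump, a result with `covered` False and a non-empty `host_routes` list is exactly the symptom described above: only currently connected clients are reachable, and the route set changes as clients come and go.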