Global VPN Client - remote site resources
Hello,
I would like to know how to configure access to remote site resources, when I am connected to the main site with my Global VPN Client (windows).
Main Site = NSA2650 (firmware 6.5)
Site B is behind the Main Site, through a site-to-site VPN. And I want to access Site B from my laptop running the VPN client connected to the main site.
I have configured my user account to have the same address object in its Access List, but it doesn't work (I mean the same address object that is configured as "Choose destination network from list" in the site-to-site VPN configuration for site B).
Am I doing something wrong? 😣
Any help will be welcome.
Thank you very much in advance. 😌
Best Answer
Ajishlal Community Legend ✭✭✭✭✭
Hi @SWuservpn,
I always prefer a different DHCP pool for GVC users. Do one thing: configure one empty firewall port for GVC (don't connect any cable to that port) and configure a different subnet for the GVC; it should be under the LAN Zone.
For example, follow the screenshots below.
LAN Interface:
GVC Interface (Should be empty port & do not use for anything)
Then configure the DHCP Pool for the GVC Users:
Then configure DHCP over VPN the same as below:
Try the above steps and let us know if they help you resolve your GVC issues.
Answers
Hello @SWuservpn,
Please make sure that the GVC clients are getting IP addresses from the same subnet that is used as the local network in the site to site VPN on the NSa 2650. Otherwise, the traffic will not be sent across the site to site VPN as there is no SA formed between the GVC IP and remote network.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks @shiprasahu93
@SWuservpn, adding to what Shipra suggested, in case you are using a separate subnet for GVC, you might need to add that subnet under Local network (Main Site) and Remote Network on site B. This will form the SA between GVC and remote site as well.
Regards
Karan
Knowledge Management Senior Analyst at SonicWall.
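The selector logic described in the two replies above, as an added example (it is not part of the thread and not SonicWall code). It assumes a policy-based tunnel whose Local/Remote network lists must mirror each other on both firewalls; every address is a constructed sample, except that the GVC pool reuses the 192.168.99.x range the poster mentions.

```python
import ipaddress

def covered(addr, networks):
    """True if addr falls inside any network of the list."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in networks)

def mirror_mismatch(side_a_local, side_b_remote):
    """Networks listed on only one side; the two lists must mirror each other."""
    a = {ipaddress.ip_network(n) for n in side_a_local}
    b = {ipaddress.ip_network(n) for n in side_b_remote}
    return sorted(str(n) for n in a ^ b)

def check_path(client_ip, dest_ip, main, site_b):
    """Return the reasons client_ip -> dest_ip would not match an SA."""
    problems = []
    if not covered(client_ip, main["local"]):
        problems.append("main site: client IP not in Local Networks")
    if not covered(dest_ip, main["remote"]):
        problems.append("main site: destination not in Remote Networks")
    if not covered(client_ip, site_b["remote"]):
        problems.append("site B: client IP not in Remote Networks")
    if not covered(dest_ip, site_b["local"]):
        problems.append("site B: destination not in Local Networks")
    return problems

# Constructed sample values (hypothetical networks and hosts).
MAIN_LAN, SITE_B_LAN, GVC_POOL = "192.168.1.0/24", "192.168.20.0/24", "192.168.99.0/24"
GVC_CLIENT, SITE_B_HOST = "192.168.99.10", "192.168.20.5"

# Tunnel as first built: only the two LANs are in the selectors.
BEFORE_MAIN = {"local": [MAIN_LAN], "remote": [SITE_B_LAN]}
BEFORE_B = {"local": [SITE_B_LAN], "remote": [MAIN_LAN]}
# Tunnel after adding the GVC subnet on both firewalls.
AFTER_MAIN = {"local": [MAIN_LAN, GVC_POOL], "remote": [SITE_B_LAN]}
AFTER_B = {"local": [SITE_B_LAN], "remote": [MAIN_LAN, GVC_POOL]}

if __name__ == "__main__":
    for label, m, b in (("before", BEFORE_MAIN, BEFORE_B),
                        ("main only", AFTER_MAIN, BEFORE_B),
                        ("after", AFTER_MAIN, AFTER_B)):
        print(label, check_path(GVC_CLIENT, SITE_B_HOST, m, b),
              mirror_mismatch(m["local"], b["remote"]))
```

Adding only the GVC subnet to the tunnel, rather than a broader object, keeps the remote site's exposure to VPN clients limited to what this access actually needs.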
Thanks for your speed!!!! I am not using dhcp for GVC clients. When I see the Clients status, I can see their private/local lan ip.
So, if I want them to access some remote sites behind my main site (I mean remote sites connected by other site to site vpns...) ==> I have to publish their ip addresses to the remote site vpn....OK!!
Maybe it could be easier serving dhcp directly from my main site LAN, that is already published on all my remote sites (site to site). How do I configure the Dynamic DHCP Scope to serve the GVC clients? 🤨
And thanks KARANM for your answer too!!!... I could configure a Dynamic DHCP Scope like 192.168.99.x for all my GVC clients, and add that network to my site to site vpns configuration... (same question, how to configure the new dhcp scope to serve the GVC clients...?)
Thanks for your answers!
Checking settings....is that in the WAN GroupVPN settings? Client/Client Connections, Virtual Adapter settings: DHCP Lease?
Thanks.
...and I think I have to configure VPN/DHCP over VPN, pointing to some dhcp scope...correct?
Thanks.
Yes, please take a look at the 'Configure DHCP over VPN' section in the KB below
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Thank you very much shiprasahu93
I was reading it right now!!
I will test it as soon as possible. Not easy with some users connected....
Thanks!
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hello again, a little confused with DHCP over VPN / Configure / DHCP Relay: Central Gateway (I guess)
_____________________________________________________________
"Use Internal DHCP Server-
Enables the SonicWall to be the DHCP server for either the Global VPN Client connections to this SonicWall or for Remote firewall connections via VPN. For this example we would only be concerned with Global VPN Client (GVC)."
_____________________________________________________________
I would like to use the Internal DHCP server of my NSA2650. Where must I set that I want to use this or that scope? (for example the LAN dhcp server that I can enable.....or some special scope of a different network....).
Sorry for so many questions!
Thanks!
So just enable the DHCP over VPN with relay IP set to 0.0.0.0
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks shiprasahu93 !!!
I will try this, and test it as soon as possible.
Thank you all of you.
Hello shiprasahu93
I have a DHCP lan scope enabled at my main site. I have configured DHCP over VPN:
Central Gateway / Use internal dhcp server (For Global VPN Client)
In this attempt to enable dhcp over vpn connections, I have suffered too long delays in receiving dynamic ip on remote clients. The remote client stays in "Acquiring ip" state for too long. Most of the time you don't get an address.
In some cases, after some retries at the remote client (user/password), they receive an ip from my dhcp main site....Other times, I was updating the short scope I had enabled (LAN)....and it seems that wakes up the dhcp server (strange behavior...).
When it worked, in Users/Status, I could see IP Address assigned from my dhcp scope correctly..... under IP Address field: "private ip (public ip)"...
What should I configure to get the DHCP scope to quickly deliver the ip to remote users? This behavior (Acquiring ip) has been repeated for all remote users without exception.
Thanks for your help.
Hello @SWuservpn,
What version of GVC are you testing with? Is this problem happening to all users?
Please take a look at the KB below:
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hello again shiprasahu93 ,
Thanks for your answers.
Global VPN Client Version = 4.10.5.1021
Yes, happening to all users.
I will read that KB, and let you know.
Thanks!
Hi @SWuservpn
Please make sure you enabled the DHCP relay the same as below:
Hello Ajishlal ,
I haven't. I left 0.0.0.0 there, that is an error I suppose. Now I rollback, because I have another strange problem. Many pcs can't connect in the LAN. A simple ipconfig shows that there is ip conflict (duplicated).
I can see that my dhcp is being bombarded by queries rapidly taking up all available addresses. I think I have detected that is happening when using a new Aruba-HP brand switch. Now this has become a priority, perhaps it would be correct to open a new post with this topic and pause the "DHCP over VPN" query for now.
Have you ever experienced something like this, patching a switch with a X (LAN) interface of your NSA?
I can see this in my NSA log:
ID: 1040
Category: Network
Group: DHCP Server
Event: DHCP Server IP Conflict Detected
Msg. Type: Standard Note String
Priority: Alert
Message: DHCP Server: IP conflict detected
Src. Name:
Dst. Name:
Notes: IP configured at 30:30:30:30:30:30
Any help is welcome.😃
Sorry for the delay,
Thank you Ajishlal , I will do that about dhcp, as soon as possible!!!
Regarding the problem I was commenting on above, we finally had a device (not a pc) that was crazy, claiming all the assigned ip's as if they were its own ...
Thanks again for your time.
Hello Ajishlal _ sorry for this delay and thanks again. One question about your config., I think you told me to set this new subnet under my LAN ZONE, to grant access to my LAN Devices directly from my GVC clients...., Am I right?
I guess that my NSA will allow direct communication between new subnet <==> LAN because they will be in the same zone.
I understand that after configuring that.... I would have to reconfigure the site B vpn (adding that new subnet on my Local Networks....and adding it on the B Site Remote Network). I mean....that remote site B, is where I need to reach, directly from my GVC.
Thank you very much.
Hello, ok, it was obvious that yes, my new interface (subnet), under LAN zone, communicates with LAN (X0), but I'm still not receiving dhcp on my remote GVCs.
I have tried the settings suggested by Ajishlal (new subnet, on one free interface, and new dhcp scope that runs ok if I patch directly into it).
To test it, I change the config on:
VPN / DHCP over VPN
WAN Group VPN / Client _ Virtual adapter settings ==> DHCP lease
But the remote clients stay in "Acquiring ip" state like before.
The best way to test it is to access a remote pc, for example via teamviewer, and run connection tests staying at the central office (NSA).
Not easy to find the solution. I have to rollback config fast, because of the fact that I disconnect users every time I change settings :(
Thanks again for your help.