How do I set up a OneConnect VPN tunnel in cOS Core?

Last modified on 23 Aug, 2022. Revision 13
How to set up a OneConnect from cOS core with and without split tunnel
Up to date for: Core 13.00.09
Supported since: Core 13.00.09
Status: OK
Stefan Lindkvist




To create a OneConnect VPN, go to Network > Interface and VPN > OneConnect, press the Add button and select OneConnect Interface.

Once the interface window opens, fill in the tunnel settings:

  • Name: A descriptive name.
  • Inner IP: This is the local IPv4 address on the firewall side within the OneConnect tunnel. This IP must belong to the same network segment as the IP Pool.
  • Outer Interface: The interface on which the OneConnect listens for connection attempts (usually the external interface, e.g. Wan).
  • Server IP: The IP address on which the OneConnect server listens for incoming connection attempts from clients.
  • Server Port/DTLS Port: The ports the connection is made over.
  • Authentication Source: What kind of authentication is required for the VPN.
  • Client IP Address Pool: The pool from which a connecting client is assigned an IP address. Remember that the Inner IP must be part of the same network as the pool but must not be one of the pool's IPs.
  • Netmask: Must be set for the IP pool to limit its size. Default setting is
  • DNS: The DNS server that will be given to connecting clients.
  • Client Routes: The default setting is All-routes, so a connecting client routes all traffic over the VPN.

Once these settings are made, we can press OK and save the VPN. We can now connect with the OneConnect client version 3 or higher, or with a third-party client such as OpenConnect.

If you are using version 2.02.01 or older, you need to run an SSL VPN instead. Information on how to set that up can be found in chapter 10 of the administration guide.

How to set up a split tunnel

If we want to split the tunnel so that not all of the client's traffic goes over the VPN, we can do it like this:

First we need to create the objects in the address book. These objects are the IP addresses and ranges that the clients can reach over the VPN once a connection has been established. To do this, go to Object > Address Book and press Add. The objects need to be specific IPv4 addresses, networks or address ranges.

Once we have created the objects, we go back to the OneConnect interface we created and scroll down to the Client Routes option.

We can now select Custom instead of default All-Nets and include the objects we created.

Once we have added the correct routes we press OK and deploy. Now we have set up a split tunnel.
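As an added example (not part of the original article and not Clavister code), the Python sketch below checks a planned address layout against the two constraints described above: the Inner IP must share a network with the Client IP Address Pool without being one of its addresses, and split-tunnel routes must be specific IPv4 addresses, networks or ranges. The function names and all sample addresses are constructed for illustration; the script only validates values on paper and does not talk to the firewall.

```python
import ipaddress

def parse_range(text):
    """Return (first, last) for an IPv4 address, CIDR network or 'a-b' range."""
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.IPv4Network(text.strip(), strict=False)
        lo, hi = net[0], net[-1]
    if lo > hi:
        raise ValueError("range start is after range end")
    return lo, hi

def check_plan(inner_ip, pool, netmask, client_routes):
    """List the problems in a planned OneConnect address layout (empty = OK)."""
    problems = []
    inner = ipaddress.IPv4Address(inner_ip)
    pool_lo, pool_hi = parse_range(pool)
    # Network segment implied by the Inner IP and the Netmask setting.
    segment = ipaddress.IPv4Network(f"{inner_ip}/{netmask}", strict=False)
    if pool_lo not in segment or pool_hi not in segment:
        problems.append(f"pool {pool} is outside the Inner IP's network {segment}")
    if pool_lo <= inner <= pool_hi:
        problems.append(f"Inner IP {inner} is one of the pool's addresses")
    for route in client_routes:
        try:
            lo, hi = parse_range(route)
        except ValueError as exc:  # also raised for IPv6 or malformed input
            problems.append(f"route {route!r} is not a valid IPv4 object: {exc}")
            continue
        if int(lo) == 0 and int(hi) == 2**32 - 1:
            problems.append(f"route {route!r} covers all of IPv4, so the tunnel is not split")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    plan = dict(inner_ip="192.168.50.1", pool="192.168.50.10-192.168.50.50",
                netmask="255.255.255.0",
                client_routes=["10.10.0.0/16", "172.16.5.20"])
    for issue in check_plan(**plan) or ["plan is consistent"]:
        print(issue)
```

Keeping the custom route list limited to the networks clients actually need also limits what a connected client can reach through the tunnel.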

More information on OneConnect setup, with examples, can be found in the Administration guide for cOS Core version 13.00.09, released 23/2 2021.
