Setup Site-to-Site VPN With Sonicwall
Tuesday, May 20, 2008
I've been using the SonicWall devices for a little while now. I started getting into them after a recommendation from a friend, and the TZ series has proven to be a good solution for small to medium sized businesses.
You can find more information about SonicWalls and the TZ series here, but I'm going to go over how to set up an IPsec VPN between two TZ 180s using the Standard SonicOS firmware. If you have SonicOS Enhanced, the steps are almost the same.
Overview:
- set the unique names of each device
- configure subnet, dhcp, etc
- create a VPN policy to connect to the other
NOTE: I'm not talking about setting passwords or security here - it's assumed that you've already set up the environment.
Set the Unique Name on each device:
- log into the first device's web interface
- click on VPN on the left side
- under "Unique Firewall Identifier" enter a logical name like "USNY1"
- log into the second device's web interface
- click on VPN
- under "Unique Firewall Identifier" enter another name like "USNY2"
Configure Subnets for DHCP:
- log into the first device's web interface
- click Network > LAN
- set the SonicWall LAN IP to something like 10.0.1.1
- set the subnet mask to whatever is appropriate for your network, like 255.255.255.0
- repeat the same steps for device 2, but give it a different IP and subnet, like 10.0.2.1 and 10.0.2.0/255.255.255.0 (the two LANs must not overlap, or nothing will be routed through the tunnel)
Setup VPN Policy:
Assuming you have the following configuration, we can create the VPN policy:
Site 1
Device Name: USNY1
Subnet: 10.0.1.0/24
Site 2
Device Name: USNY2
Subnet: 10.0.2.0/24
Setup Device 1
- On device 1 click on VPN > Settings
- click Add under VPN Policies
- Fill out the information as shown below:
IPSec Keying Mode: IKE using Shared Secret
Name: USNY2 [name of your device 2]
IPSec Primary Gateway Name or Address: the public IP address of device 2
IPSec Secondary Gateway Name or Address: left blank in most cases
Shared Secret: Since you will only be typing it in twice and this is the basis of the tunnel's security, you should set it to be very strong - a long random string, for example from https://www.grc.com/passwords.htm. Write it down and keep it somewhere safe!
- click "Specify destination networks below" and click Add
- type in the subnet that device 2 is controlling - in this example 10.0.2.0/24
- click OK
Setup Device 2
[Almost the same as above]
- On device 2 click on VPN > Settings
- click Add under VPN Policies
- Fill out the information as shown below:
IPSec Keying Mode: IKE using Shared Secret
Name: USNY1 [name of your device 1]
IPSec Primary Gateway Name or Address: the public IP address of device 1
IPSec Secondary Gateway Name or Address: left blank in most cases
Shared Secret: the same secret you generated above
- click "Specify destination networks below" and click Add
- type in the subnet that device 1 is controlling - in this example 10.0.1.0/24
- click OK
Check The Logs:
If you've configured everything correctly, you should be able to watch the VPN tunnel negotiation process from the event logs.
- click on Log > Categories
- check "Log all categories" - this will record VPN functions
- under Log click "View"
- review the logs for events like the following (this DPD request/ack pair is an established tunnel doing its dead peer detection keepalive):
SENDING>>>> ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)
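As an added example (not part of the original post and not a SonicWall tool), here is a small Python parser for the ISAKMP lines the log view prints, run over the two lines quoted above plus two constructed lines: a second DPD request with an invented MsgID, and the "Proposed IKE ID mismatch" message from the troubleshooting section. It pulls out direction, exchange type, initiator cookie, message ID and payload list, then pairs DPD requests against acks per IKE SA so a peer that has stopped answering stands out. The line layout is taken from the two quoted entries only; other SonicOS message formats are not handled.

```python
import re
from collections import defaultdict

# Layout of the ISAKMP OAK lines quoted from the SonicWall event log.
# Groups: 1 direction, 2 exchange type (INFO, MM, AG, QM ...),
# 3 initiator cookie, 4 message ID, 5 the payload list inside *( ... ).
ISAKMP_RE = re.compile(
    r"^(SENDING|RECEIVED)[<>]+\s+ISAKMP OAK (\w+)\s+"
    r"\(InitCookie (0x[0-9a-fA-F]+), MsgID: (0x[0-9a-fA-F]+)\)\s+"
    r"\*\((.*)\)\s*$"
)

# Substrings of the error messages listed under Troubleshooting.
KNOWN_FAULTS = ("Proposed IKE ID mismatch", "Don't Match")

# Constructed sample: first two lines are the ones quoted in the post, the
# third is an invented second DPD request, the fourth is the mismatch error.
SAMPLE_LOG = """\
SENDING>>>> ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)
RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF6910) *(HASH, NOTIFY:DPD_REQUEST)
IKE Initiator: Proposed IKE ID mismatch
""".splitlines()


def parse_isakmp(line):
    """Return a dict for one ISAKMP OAK log line, or None if it is not one."""
    m = ISAKMP_RE.match(line.strip())
    if not m:
        return None
    direction, exchange, cookie, msgid, payloads = m.groups()
    return {
        "direction": direction,
        "exchange": exchange,
        "cookie": cookie.lower(),       # cookie identifies the IKE SA
        "msgid": msgid,
        "payloads": [p.strip() for p in payloads.split(",")],
    }


def dpd_report(lines):
    """Count DPD requests and acks per IKE SA and collect known fault lines.

    A request (in either direction) should be matched by an ack on the same
    SA; a growing 'unanswered' count means the peer has gone quiet.
    """
    sa = defaultdict(lambda: {"requests": 0, "acks": 0})
    faults = []
    for line in lines:
        if any(f in line for f in KNOWN_FAULTS):
            faults.append(line.strip())
            continue
        rec = parse_isakmp(line)
        if rec is None or rec["exchange"] != "INFO":
            continue
        if "NOTIFY:DPD_REQUEST" in rec["payloads"]:
            sa[rec["cookie"]]["requests"] += 1
        if "NOTIFY:DPD_ACK" in rec["payloads"]:
            sa[rec["cookie"]]["acks"] += 1
    for counts in sa.values():
        counts["unanswered"] = max(0, counts["requests"] - counts["acks"])
    return {"sa": dict(sa), "faults": faults}


if __name__ == "__main__":
    report = dpd_report(SAMPLE_LOG)
    for cookie, counts in report["sa"].items():
        print(cookie, counts)
    for fault in report["faults"]:
        print("FAULT:", fault)
```

Feed it the text you copy out of Log > View; lines that are not ISAKMP entries are ignored unless they match one of the troubleshooting messages.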
Troubleshooting:
Phase 2 or Algorithms Don't Match
If you see a log message like this, it is most likely caused by different encryption or authentication algorithms under the Phase 2 settings. Go back and make sure the proposals match exactly on both devices.
IKE Initiator: Proposed IKE ID mismatch
This message is most likely caused by the firewall names being mismatched. Make sure that under VPN settings each device's Unique Firewall Identifier is set to something unique, and that the VPN policy on each device is named with the other device's identifier.
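Most failures with this setup come down to one side's policy not mirroring the other's. The following Python check is an added example, not SonicWall code or a SonicOS export: it models the two devices and the two policies from the walkthrough (identifiers, subnets, gateway addresses, shared secret, Phase 1 and Phase 2 proposals) and reports every mismatch that would produce the errors above, plus the overlapping-subnet and weak-secret cases. The public IPs, the proposal values (3DES/SHA1/Group 2) and the shared secret are constructed placeholders; put in whatever your two GUIs actually show.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    identifier: str   # "Unique Firewall Identifier" under VPN > Settings
    lan: str          # subnet the device controls, e.g. "10.0.1.0/24"
    public_ip: str    # WAN address the peer dials (placeholders below)


@dataclass(frozen=True)
class Policy:
    name: str            # policy Name: must equal the peer's identifier
    gateway: str         # "IPSec Primary Gateway Name or Address"
    shared_secret: str
    destinations: tuple  # "Specify destination networks below"
    phase1: tuple        # (encryption, hash, DH group); field names assumed
    phase2: tuple        # (encryption, hash); field names assumed


def check_policy(local, policy, peer):
    """Findings for one device's policy against the peer it should point at."""
    findings = []
    if policy.name != peer.identifier:
        findings.append(f"{local.identifier}: policy name {policy.name!r} is not the peer "
                        f"identifier {peer.identifier!r} (expect 'Proposed IKE ID mismatch')")
    if policy.gateway != peer.public_ip:
        findings.append(f"{local.identifier}: gateway {policy.gateway} is not the peer's "
                        f"public IP {peer.public_ip}")
    dests = {ipaddress.ip_network(d) for d in policy.destinations}
    if ipaddress.ip_network(peer.lan) not in dests:
        findings.append(f"{local.identifier}: destination networks {sorted(map(str, dests))} "
                        f"do not include the peer LAN {peer.lan}")
    return findings


def check_pair(dev_a, pol_a, dev_b, pol_b, min_secret_len=20):
    """Cross-check both sides; an empty list means the policies mirror each other."""
    findings = check_policy(dev_a, pol_a, dev_b) + check_policy(dev_b, pol_b, dev_a)
    if ipaddress.ip_network(dev_a.lan).overlaps(ipaddress.ip_network(dev_b.lan)):
        findings.append(f"LAN subnets {dev_a.lan} and {dev_b.lan} overlap; "
                        "nothing will be routed through the tunnel")
    if pol_a.shared_secret != pol_b.shared_secret:
        findings.append("shared secrets differ")
    elif len(pol_a.shared_secret) < min_secret_len:
        findings.append(f"shared secret is shorter than {min_secret_len} characters")
    if pol_a.phase1 != pol_b.phase1:
        findings.append("Phase 1 proposals differ")
    if pol_a.phase2 != pol_b.phase2:
        findings.append("Phase 2 proposals differ (expect 'Algorithms Don't Match')")
    return findings


# Constructed sample matching the walkthrough. Public IPs are from the
# documentation address ranges; proposals and secret are placeholders.
SECRET = "Correct-Horse-7Battery!Staple9"   # placeholder; generate your own
PHASE1 = ("3DES", "SHA1", "Group 2")         # whatever both GUIs show
PHASE2 = ("3DES", "SHA1")
USNY1 = Device("USNY1", "10.0.1.0/24", "198.51.100.10")
USNY2 = Device("USNY2", "10.0.2.0/24", "203.0.113.20")
POLICY_ON_USNY1 = Policy("USNY2", USNY2.public_ip, SECRET, ("10.0.2.0/24",), PHASE1, PHASE2)
POLICY_ON_USNY2 = Policy("USNY1", USNY1.public_ip, SECRET, ("10.0.1.0/24",), PHASE1, PHASE2)


def demo_findings():
    """Device 2's policy copied from device 1 without fixing the name or Phase 2."""
    broken = replace(POLICY_ON_USNY2, name="USNY2", phase2=("3DES", "MD5"))
    return check_pair(USNY1, POLICY_ON_USNY1, USNY2, broken)


if __name__ == "__main__":
    print("good pair:", check_pair(USNY1, POLICY_ON_USNY1, USNY2, POLICY_ON_USNY2) or "OK")
    for finding in demo_findings():
        print("broken pair:", finding)
```

The broken case reproduces the copy-and-paste mistake this walkthrough invites: filling in device 2 from device 1's screen and forgetting to swap the name, which is exactly the situation behind "Proposed IKE ID mismatch".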
Dynamic IPs
If you're connecting two sites with dynamic IP addresses, I've read that you need to check the "Aggressive Mode" type of VPN, but maybe someone can confirm that.
- click VPN and click Configure on the tunnel you created
- under Proposals change "Exchange" to Aggressive Mode
- click the Advanced tab
- check "Enable Keep Alive" and "Try to bring up all possible Tunnels"
- click OK
One caveat with aggressive mode: the identities and the hash derived from the shared secret are exchanged before the channel is encrypted, so anyone who captures the handshake can run an offline guessing attack against the preshared secret. On a dynamic-IP tunnel the strength of that secret matters even more.
Other
If you're getting anything else, check out the log events reference guide here - http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf.
External Links:
Sonicwall.com - Had to put a link to this
http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf - great guide for easy event log decoding
https://www.grc.com/passwords.htm - a good strong online password generator for one time passwords