
SonicWall 6.5.4+ ikev2 (dynamic)

Configuring SonicWall Next Generation Firewall

Version tested: SonicWall NSv Firewall version 6.5.4

In this section we will refer to the configuration file you can download from AWS as “template conf” and explain how to use its contents to configure SonicOSX 6.5.4.

As a reference for this guide, you can find here the full AWS file: SonicWall 6.5.4+ ikev2 (dynamic).txt


Create VPN Tunnels

To configure the network tunnels used for the VPN connection, we first need to enable BGP and Advanced Routing from Manage > Network > Routing:

  • Enable Advanced Routing

  • Click the drop-down next to BGP and select Enable

Furthermore, click Network in the top navigation menu, navigate to Manage > VPN > Base Settings and ensure that the option Enable VPN is enabled.

Click on Add to create a new IPSec connection.

Configure the tunnel as specified in the template conf #1: General Configuration:

user@SerialNumber> configure
config(SerialNumber)# vpn policy tunnel-interface vpn-0fb6e2b822bf56336-0
(add-tunnel-interface[AWSVPN])# gateway primary 3.73.150.117
(add-tunnel-interface[AWSVPN])# bound-to interface X1
(add-tunnel-interface[AWSVPN])# auth-method shared-secret
(auth-method-shared-secret[AWSVPN])# shared-secret T0EFClMFHrVRdGsKaTmjuWU5oLkq46dB
(auth-method-shared-secret[AWSVPN])# ike-id local ip 18.185.96.236
(auth-method-shared-secret[AWSVPN])# ike-id peer ip 3.73.150.117
(auth-method-shared-secret[AWSVPN])# exit

The Local IKE ID is the Firewall Identifier; it is shown under Manage > VPN > Base Settings.

Then continue with #2: Internet Key Exchange (IKE) Configuration and #3: IPSec Configuration:

(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2
(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800
(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp
(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600
(add-tunnel-interface[AWSVPN])# keep-alive
(add-tunnel-interface[AWSVPN])# enable
(add-tunnel-interface[AWSVPN])# commit
(add-tunnel-interface[AWSVPN])# end

Repeat the same steps for IPSec Tunnel #2:

user@SerialNumber> configure
config(SerialNumber)# vpn policy tunnel-interface vpn-0fb6e2b822bf56336-1
(add-tunnel-interface[AWSVPN])# gateway primary 35.158.166.146
(add-tunnel-interface[AWSVPN])# bound-to interface X1
(add-tunnel-interface[AWSVPN])# auth-method shared-secret
(auth-method-shared-secret[AWSVPN])# shared-secret BapkuMZKLpasLNwT6QSaHpuCd0WC1IOt
(auth-method-shared-secret[AWSVPN])# ike-id local ip 18.185.96.236
(auth-method-shared-secret[AWSVPN])# ike-id peer ip 35.158.166.146
(auth-method-shared-secret[AWSVPN])# exit

and then the IKE and IPSec proposals:

(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2
(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800
(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp
(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600
(add-tunnel-interface[AWSVPN])# keep-alive
(add-tunnel-interface[AWSVPN])# enable
(add-tunnel-interface[AWSVPN])# commit
(add-tunnel-interface[AWSVPN])# end

Configure Tunnel Interfaces

A tunnel interface is the logical interface associated with the tunnel.

As defined in #5: Tunnel Interface Configuration, configure the tunnel interface as specified in the template conf:

config(SerialNumber)# tunnel-interface vpn T1
(add-interface[T1])# asymmetric-route
(add-interface[T1])# policy vpn-0fb6e2b822bf56336-0
(add-interface[T1])# ip-assignment VPN static
(add-VPN-static)# ip 169.254.85.174 netmask 255.255.255.252
(add-VPN-static)# commit
(edit-VPN-static)# end

Navigate to Manage > Network > Interfaces and, from the Add Interface drop-down, choose VPN Tunnel Interface.

Do the same for the second interface:

config(SerialNumber)# tunnel-interface vpn T2
(add-interface[T2])# asymmetric-route
(add-interface[T2])# policy vpn-0fb6e2b822bf56336-1
(add-interface[T2])# ip-assignment VPN static
(add-VPN-static)# ip 169.254.215.14 netmask 255.255.255.252
(add-VPN-static)# commit
(edit-VPN-static)# end

Configure BGP

Connect to the firewall through the Management Console:

  1. Connect to the firewall through SSH using management as the SSH username → management@<firewall_ip_address>

  2. Switch to the black SonicOS/X CLI window by pressing Ctrl+S and then the spacebar

  3. Enter configuration mode:

Configure BGP as reported in the template conf #6: Border Gateway Protocol (BGP) Configuration.

Tunnel 1:

config(SerialNumber)# routing
(config-routing)# bgp
ARS BGP>configure terminal
ARS BGP(config)>router bgp 65000
ARS BGP(config-router)>network <Local_subnet>/24
ARS BGP(config-router)>neighbor 169.254.85.173 remote-as 64512
ARS BGP(config-router)>neighbor 169.254.85.173 timers 10 30
ARS BGP(config-router)>neighbor 169.254.85.173 soft-reconfiguration inbound
ARS BGP(config-router)>end
ARS BGP>exit

Tunnel 2:

config(SerialNumber)# routing
(config-routing)# bgp
ARS BGP>configure terminal
ARS BGP(config)>router bgp 65000
ARS BGP(config-router)>network <Local_subnet>/24
ARS BGP(config-router)>neighbor 169.254.215.13 remote-as 64512
ARS BGP(config-router)>neighbor 169.254.215.13 timers 10 30
ARS BGP(config-router)>neighbor 169.254.215.13 soft-reconfiguration inbound
ARS BGP(config-router)>end
ARS BGP>exit

Check the status of BGP:

ARS BGP>show ip bgp summary

Finally save the configuration of BGP:

ARS BGP>write
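The neighbor addresses used in the BGP commands above are not arbitrary: each AWS tunnel gets a /30 from 169.254.0.0/16, the SonicWall side takes the inside address from #5 and the AWS endpoint is the other usable host of that /30. The following Python script is an added example (not part of this guide or of SonicWall/AWS tooling) that derives the AWS-side neighbor from the tunnel interface address, renders the matching ARS BGP neighbor commands, and cross-checks them against the neighbors listed in the template; the tunnel addresses are the ones shown on this page, and the function names are our own.

```python
import ipaddress

# Tunnel inside addresses from the template conf used on this page (#5),
# keyed by the VPN policy name each tunnel interface is bound to.
TUNNELS = {
    "vpn-0fb6e2b822bf56336-0": "169.254.85.174/30",
    "vpn-0fb6e2b822bf56336-1": "169.254.215.14/30",
}

# AWS allocates tunnel inside CIDRs from the link-local range.
AWS_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def bgp_peer_for(inside_cidr):
    """Return the AWS-side BGP neighbour address for a tunnel inside /30.

    The customer gateway gets one usable host of the /30 and the AWS
    endpoint the other, so the peer is simply the remaining host address.
    """
    iface = ipaddress.ip_interface(inside_cidr)
    net = iface.network
    if net.prefixlen != 30:
        raise ValueError(f"{inside_cidr}: tunnel inside CIDR must be a /30")
    if not net.subnet_of(AWS_LINK_LOCAL):
        raise ValueError(f"{inside_cidr}: not inside {AWS_LINK_LOCAL}")
    hosts = list(net.hosts())  # the two usable addresses of the /30
    if iface.ip not in hosts:
        raise ValueError(f"{inside_cidr}: network or broadcast address given")
    (peer,) = [h for h in hosts if h != iface.ip]
    return str(peer)


def bgp_neighbor_lines(inside_cidr, remote_as=64512):
    """Render the ARS BGP neighbour commands for one tunnel, using the
    remote AS and the 10/30 keepalive/holdtime timers from the template."""
    peer = bgp_peer_for(inside_cidr)
    return [
        f"neighbor {peer} remote-as {remote_as}",
        f"neighbor {peer} timers 10 30",
        f"neighbor {peer} soft-reconfiguration inbound",
    ]


def check_template(tunnels, listed_peers):
    """Cross-check the neighbours listed in the template's BGP section (#6)
    against the inside CIDRs of its tunnel-interface section (#5).
    Returns a list of mismatch descriptions (empty when consistent)."""
    problems = []
    for policy, cidr in tunnels.items():
        derived = bgp_peer_for(cidr)
        listed = listed_peers.get(policy)
        if listed != derived:
            problems.append(f"{policy}: template lists {listed}, /30 implies {derived}")
    return problems


if __name__ == "__main__":
    # Neighbours as they appear in the BGP section on this page.
    listed = {
        "vpn-0fb6e2b822bf56336-0": "169.254.85.173",
        "vpn-0fb6e2b822bf56336-1": "169.254.215.13",
    }
    for policy, cidr in TUNNELS.items():
        print(f"# {policy}")
        for line in bgp_neighbor_lines(cidr):
            print(line)
    print("mismatches:", check_template(TUNNELS, listed) or "none")
```

Running the script against the addresses on this page reproduces the two neighbor blocks above; a mismatch report is the first thing to check when `show ip bgp summary` shows a neighbor stuck in Active or Connect.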

Configure route policies to route the VPC network over the tunnel interfaces

Go to Manage > Network > Routing > Route Policies and create one route policy for each of the two tunnel interfaces.

Note: 

  • In this case the destination AWS VPC is the Network 10.148.0.0/16

  • Disable the option “Disable route when the interface is disconnected”: when the VPN is down, the route policy for that tunnel is withdrawn automatically, independently of the tunnel interface state

Testing

Going back to Manage > VPN > Base Settings, we should see both tunnels up:

From Manage > Network > Routing > Settings, we should see that the BGP router is up:

Increase the security in the VPN connection

Since the AWS-side VPN tunnels support stronger settings, we can adjust the SonicWall configuration accordingly.

So we can use:

  • AES-256 instead of AES-128

  • SHA-512 instead of SHA-1

  • Diffie-Hellman group 14 instead of DH group 2 (SonicWall supports DH group 14)

  • IKEv2 whenever possible
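The CLI blocks earlier on this page spell out each tunnel's IKE and IPSec proposals one attribute per line, which makes them easy to audit before the tunnels are edited. The script below is an added example, not part of this guide or of SonicWall's tooling: it parses `proposal ike|ipsec <attribute> <value>` lines (with or without the CLI prompt), reports every value the list above marks as weak, and emits the hardened lines. The sample input is the proposal block from this page; the `aes-256`, `sha-512` and `dh-group 14` tokens are assumed to follow the same spelling convention as the page's own CLI lines.

```python
import re

# Weak -> recommended replacements, following the hardening list on this page.
# Spellings mirror the CLI lines shown on this page; the hardened tokens are
# assumed to use the same convention.
UPGRADES = {
    "exchange": {"main": "ikev2", "aggressive": "ikev2"},
    "encryption": {"des": "aes-256", "3des": "aes-256", "aes-128": "aes-256"},
    "authentication": {"md5": "sha-512", "sha-1": "sha-512"},
    "dh-group": {"1": "14", "2": "14", "5": "14"},
    "perfect-forward-secrecy": {
        "dh-group 1": "dh-group 14",
        "dh-group 2": "dh-group 14",
        "dh-group 5": "dh-group 14",
    },
}

# Optional "(prompt)# " prefix, then: proposal <ike|ipsec> <attribute> <value...>
LINE_RE = re.compile(r"^\s*(?:\([^)]*\)#\s*)?proposal\s+(ike|ipsec)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample: the IKE/IPSec proposal block as shown on this page.
SAMPLE = """\
(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2
(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800
(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp
(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600
(add-tunnel-interface[AWSVPN])# keep-alive
"""


def audit_proposals(cli_text):
    """Return (findings, hardened_lines) for the proposal lines in cli_text.

    findings lists each weak value with its replacement; hardened_lines is the
    full proposal block (prompt stripped) with those replacements applied.
    Lines that are not proposal commands are ignored.
    """
    findings, hardened = [], []
    for raw in cli_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        phase, attr, value = m.groups()
        better = UPGRADES.get(attr, {}).get(value)
        if better is not None:
            findings.append(f"{phase} {attr} {value} -> {better}")
            value = better
        hardened.append(f"proposal {phase} {attr} {value}")
    return findings, hardened


def is_hardened(cli_text):
    """True when no proposal line in cli_text uses a value from the weak list."""
    return not audit_proposals(cli_text)[0]


if __name__ == "__main__":
    findings, hardened = audit_proposals(SAMPLE)
    print("weak settings found:")
    for f in findings:
        print("  " + f)
    print("hardened proposal block:")
    for line in hardened:
        print("  " + line)
```

The audit is deliberately lenient about the prompt so it can be run over text pasted straight from the console; re-running it over its own hardened output returns no findings, which is a quick way to confirm the edited tunnels match the list above.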

Let’s adjust the SonicWall configuration:

Under Manage > VPN > Base Settings, edit both tunnels with the new parameters:

Now the IPSec tunnels will be up and running with the stronger parameters:

We are done!

For more information and support please contact our UCCS Onboarding Team
