SonicWall 7.0.1+ ikev2 (dynamic)
Configuring SonicWall Next Generation Firewall
Version tested: SonicWall NSv Firewall version 7.0.1
In this section we refer to the configuration file you can download from AWS as the "template conf" and explain how to use its contents to configure SonicOSX 7.0.1.
For reference, the full AWS file used in this guide is: SonicWall 7.0.1+ ikev2 (dynamic).txt
Create VPN Tunnels
To configure the network tunnels used for the VPN connection, first enable Advanced Routing and BGP under Network > System > Dynamic Routing > Settings:
Enable Advanced Routing
Click the drop-down next to BGP and select Enable

Furthermore, click Network in the top navigation menu, go to IPSec VPN > Rules and Settings, and make sure the Enable VPN toggle is switched on.

To create the VPN tunnels go to Network > IPSec VPN > Rules and Settings > Policies and click "Add".
Configure the first tunnel as specified in section #1: General Configuration of the template conf. The addresses and pre-shared keys shown below are those of the sample template conf; use the values from your own download, and treat the shared secrets as credentials (do not reuse them or paste them into tickets or chat).
user@SerialNumber> configure
config(SerialNumber)# vpn policy tunnel-interface vpn-0259490daa3746bd9-0
(add-tunnel-interface[AWSVPN])# gateway primary 18.159.234.246
(add-tunnel-interface[AWSVPN])# bound-to interface X1
(add-tunnel-interface[AWSVPN])# auth-method shared-secret
(auth-method-shared-secret[AWSVPN])# shared-secret 1_l3737VBLOluTPHwFGSEi_G3Cu399vv
(auth-method-shared-secret[AWSVPN])# ike-id local ip 3.127.248.9
(auth-method-shared-secret[AWSVPN])# ike-id peer ip 18.159.234.246
(auth-method-shared-secret[AWSVPN])# exit
** The Local IKE ID is the firewall identifier; it is shown under Network > IPSec VPN > Rules and Settings > Settings.

Then continue with #2: Internet Key Exchange (IKE) Configuration and #3: IPSec Configuration:
(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2
(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800
(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp
(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600
(add-tunnel-interface[AWSVPN])# keep-alive
(add-tunnel-interface[AWSVPN])# enable
(add-tunnel-interface[AWSVPN])# commit
(add-tunnel-interface[AWSVPN])# end

Now do the same for IPSec Tunnel #2:
user@SerialNumber> configure
config(SerialNumber)# vpn policy tunnel-interface vpn-0259490daa3746bd9-1
(add-tunnel-interface[AWSVPN])# gateway primary 52.58.117.12
(add-tunnel-interface[AWSVPN])# bound-to interface X1
(add-tunnel-interface[AWSVPN])# auth-method shared-secret
(auth-method-shared-secret[AWSVPN])# shared-secret x25eUJVTPqRaNO_xdi51qJPwJI1RTImF
(auth-method-shared-secret[AWSVPN])# ike-id local ip 3.127.248.9
(auth-method-shared-secret[AWSVPN])# ike-id peer ip 52.58.117.12
(auth-method-shared-secret[AWSVPN])# exit

and then its IKE and IPSec proposals, which are identical to those of tunnel #1:
(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2
(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800
(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp
(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600
(add-tunnel-interface[AWSVPN])# keep-alive
(add-tunnel-interface[AWSVPN])# enable
(add-tunnel-interface[AWSVPN])# commit
(add-tunnel-interface[AWSVPN])# end


Configure Tunnel Interfaces
A tunnel interface is configured to be the logical interface associated with the tunnel.
As defined in #5: Tunnel Interface Configuration of the template conf, configure the first tunnel interface (the inside /30 address of tunnel #1, bound to the VPN policy created above):
config(SerialNumber)# tunnel-interface vpn T1
(add-interface[T1])# asymmetric-route
(add-interface[T1])# policy vpn-0259490daa3746bd9-0
(add-interface[T1])# ip-assignment VPN static
(add-VPN-static)# ip 169.254.53.210 netmask 255.255.255.252
(add-VPN-static)# commit
(edit-VPN-static)# end
In the GUI the same interface is created under Network > Interfaces > Add Interface > VPN Tunnel Interface.

Do the same for the second interface, with the inside address of tunnel #2 and the same /30 netmask:
config(SerialNumber)# tunnel-interface vpn T2
(add-interface[T2])# asymmetric-route
(add-interface[T2])# policy vpn-0259490daa3746bd9-1
(add-interface[T2])# ip-assignment VPN static
(add-VPN-static)# ip 169.254.117.130 netmask 255.255.255.252
(add-VPN-static)# commit
(edit-VPN-static)# end

Configure BGP
Open the CLI Console

or connect to the firewall through the management console:
Connect to the firewall through SSH using management as the SSH username: management@<firewall_ip_address>
Switch to the SonicOS/X CLI (the black window) by pressing Ctrl+S and then the spacebar.
Enter configuration mode:

Configure BGP as given in template section #6: Border Gateway Protocol (BGP) Configuration. The neighbor address of each tunnel is the AWS end of the inside /30 configured on the tunnel interface (169.254.53.209 for T1 and 169.254.117.129 for T2); 65000 is the ASN of the firewall and 64512 the ASN of the AWS side.
Tunnel 1:
config(SerialNumber)# routing
(config-routing)# bgp
ARS BGP>configure terminal
ARS BGP(config)>router bgp 65000
ARS BGP(config-router)>network <Local_subnet>/24
ARS BGP(config-router)>neighbor 169.254.53.209 remote-as 64512
ARS BGP(config-router)>neighbor 169.254.53.209 timers 10 30
ARS BGP(config-router)>neighbor 169.254.53.209 soft-reconfiguration inbound
ARS BGP(config-router)>end
ARS BGP>exit
Tunnel 2:
config(SerialNumber)# routing
(config-routing)# bgp
ARS BGP>configure terminal
ARS BGP(config)>router bgp 65000
ARS BGP(config-router)>network <Local_subnet>/24
ARS BGP(config-router)>neighbor 169.254.117.129 remote-as 64512
ARS BGP(config-router)>neighbor 169.254.117.129 timers 10 30
ARS BGP(config-router)>neighbor 169.254.117.129 soft-reconfiguration inbound
ARS BGP(config-router)>end
ARS BGP>exit
Note: both neighbors can be entered in a single session under the same router bgp 65000 stanza; there is no need to repeat the network statement or to enter the stanza twice.
Check the status of BGP. Both neighbors should be in the Established state, which the summary shows as a prefix count in the State/PfxRcd column rather than Active or Idle:
ARS BGP>show ip bgp summary
Finally save the configuration of BGP:
ARS BGP>write
Testing
Going back to Network > IPSec VPN > Rules and Settings, both tunnels should now show as up:


Increase the security in the VPN connection
The AWS side of the tunnels accepts stronger cipher suites than the template proposes, so the SonicWall configuration can be tightened accordingly.
We can use:
AES-256 instead of AES-128
SHA-512 instead of SHA-1
Diffie-Hellman group 14 instead of DH group 2 (SonicWall supports DH group 14)
IKEv2 whenever possible (the template above already uses it)
Let's adjust the SonicWall configuration:
Network > IPSec VPN > Rules and Settings > edit both tunnels with the new parameters, that is, the encryption, authentication and DH group of the IKE proposal and the encryption, authentication and PFS group of the IPSec proposal. Change one tunnel at a time so the other keeps carrying traffic while the first renegotiates. Note that the AWS tunnel options still accept the weaker suites by default; to make sure they can no longer be negotiated, also restrict the tunnel options on the AWS side (Modify VPN tunnel options on the Site-to-Site VPN connection) to the same set:
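The hardening list above and the earlier note that both BGP neighbors fit in one router bgp stanza, as an added Python example that is not part of the AWS template conf or of the SonicWall documentation: it parses the proposal lines of tunnel #1 from this page, flags the weak values, emits the hardened equivalents, and derives each tunnel's BGP neighbor from the inside /30 set on the tunnel interface. The SonicOS spellings aes-256, sha-512 and dh-group 14, the local prefix 10.0.0.0/24 standing in for <Local_subnet>/24, and the small tunnel table are assumptions made for the example.

```python
"""Added example, not from the AWS template conf or SonicWall docs.

- audit()/harden(): check and upgrade the 'proposal' lines of a SonicOS
  tunnel-interface VPN policy (aes-128 -> aes-256, sha-1 -> sha-512,
  dh-group 2 -> dh-group 14).  The SonicOS keywords for the stronger values
  are assumed here.
- bgp_neighbor()/bgp_stanza(): derive the AWS end of each tunnel's inside /30
  and render both neighbors in a single 'router bgp' stanza.
"""
import ipaddress
import re

# Constructed sample input: the tunnel #1 proposal lines from the template
# conf, prompt included, exactly as they are typed into the SonicOS CLI.
WEAK_PROPOSAL = """\
(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2
(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800
(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp
(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128
(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1
(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2
(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600
"""

# Weak (parameter, value) -> stronger value.  AWS Site-to-Site VPN and
# SonicOS 7 both support these; the CLI spelling of the new values is assumed.
UPGRADES = {
    ("encryption", "aes-128"): "aes-256",
    ("authentication", "sha-1"): "sha-512",
    ("dh-group", "2"): "14",
}

PROMPT_RE = re.compile(r"^\(.*?\)#\s*")
PROPOSAL_RE = re.compile(r"^proposal (ike|ipsec) (.+?) (\S+)$")


def parse_proposals(text):
    """Return [(scope, parameter, value)] for every proposal line in text."""
    entries = []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())  # drop a leading SonicOS prompt
        if not line:
            continue
        m = PROPOSAL_RE.match(line)
        if not m:
            raise ValueError(f"not a proposal line: {raw!r}")
        entries.append(m.groups())
    return entries


def audit(text):
    """Entries whose last parameter word and value form a known weak setting."""
    return [e for e in parse_proposals(text) if (e[1].split()[-1], e[2]) in UPGRADES]


def harden(text):
    """Same proposal block with weak values replaced; other lines untouched."""
    out = []
    for scope, param, value in parse_proposals(text):
        value = UPGRADES.get((param.split()[-1], value), value)
        out.append(f"proposal {scope} {param} {value}")
    return "\n".join(out) + "\n"


# Constructed from the tunnel interface settings above: the SonicWall end of
# each tunnel's inside /30 (netmask 255.255.255.252 on T1 and T2).
TUNNEL_INSIDE = {"T1": "169.254.53.210/30", "T2": "169.254.117.130/30"}


def bgp_neighbor(inside_cidr):
    """The AWS end of the inside /30 is the only other usable host address."""
    iface = ipaddress.ip_interface(inside_cidr)
    others = [h for h in iface.network.hosts() if h != iface.ip]
    if len(others) != 1:
        raise ValueError(f"{inside_cidr}: tunnel inside address must be a /30")
    return str(others[0])


def bgp_stanza(local_asn, remote_asn, local_prefix, tunnels, keepalive=10, hold=30):
    """Both neighbors in one 'router bgp' stanza, the single-session form."""
    if hold < 3 * keepalive:  # the usual sanity rule for BGP timers
        raise ValueError("hold time should be at least three times the keepalive")
    lines = [f"router bgp {local_asn}", f" network {local_prefix}"]
    for name in sorted(tunnels):
        peer = bgp_neighbor(tunnels[name])
        lines += [
            f" neighbor {peer} remote-as {remote_asn}",
            f" neighbor {peer} timers {keepalive} {hold}",
            f" neighbor {peer} soft-reconfiguration inbound",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for scope, param, value in audit(WEAK_PROPOSAL):
        print(f"weak: proposal {scope} {param} {value}")
    print(harden(WEAK_PROPOSAL))
    # 10.0.0.0/24 stands in for <Local_subnet>/24; 64512 is the AWS-side ASN
    # used in the template.
    print(bgp_stanza(65000, 64512, "10.0.0.0/24", TUNNEL_INSIDE))
```

Running the script prints the six weak entries of the template (DH group, encryption and authentication for both IKE and IPSec), the same block with the stronger values, and the combined router bgp stanza with both neighbors. The hardened lines are what you type in place of the template's proposal lines on each tunnel; the lifetimes, esp and ikev2 entries pass through unchanged.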

That's it!
For more information and support please contact our UCCS Onboarding Team