SonicWall 7.0.1+ ikev2 (static)
Configuring SonicWall Next Generation Firewall
Version tested: SonicWall NSv Firewall version 7.0.1
In this section we will refer to the configuration file you can download from AWS as “template conf” and will explain how to use its contents for configuring SonicOSX 7.0.1
As a reference for this guide, you can find here the full AWS file: SonicWall 7.0.1+ ikev2 (static).txt
Create VPN Tunnels
To create VPN Tunnels go to Network > IPSec VPN > Rules and Settings and ensure that the Toggle switches for Enable VPN are enabled.
From Network > IPSec VPN > Rules and Settings > Policies click on Add to create a new IPSec Connection
Configure the tunnel as specified in the template conf #1: General Configuration
user@SerialNumber> configureconfig(SerialNumber)# address-object ipv4 AWSVPC network <vpc_subnet> <subnet-mask> zone VPNconfig(SerialNumber)# vpn policy tunnel-interface vpn-09825b7656c360cd9-0(add-tunnel-interface[AWSVPN])# gateway primary 3.121.44.186(add-tunnel-interface[AWSVPN])# bound-to interface X1(add-tunnel-interface[AWSVPN])# auth-method shared-secret(auth-method-shared-secret[AWSVPN])# shared-secret Q4VER78ilWKZwXdnLT3N1tsFwwDjMsj_(auth-method-shared-secret[AWSVPN])# ike-id local ip 3.74.79.64(auth-method-shared-secret[AWSVPN])# ike-id peer ip 3.121.44.186(auth-method-shared-secret[AWSVPN])# exitThe Local IKE ID is the Firewall Identifier, it’s showed in Network > IPSec VPN > Rules and Settings > Settings
and continue with #2: Internet Key Exchange (IKE) Configuration and #3: IPSec Configuration
(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600(add-tunnel-interface[AWSVPN])# Keep-alive(add-tunnel-interface[AWSVPN])# enable(add-tunnel-interface[AWSVPN])# commit(add-tunnel-interface[AWSVPN])# end
.png)
and let’s do the same also for the IPSec Tunnel #2
user@SerialNumber> configureconfig(SerialNumber)# address-object ipv4 AWSVPC network <vpc_subnet> <subnet-mask> zone VPNconfig(SerialNumber)# vpn policy tunnel-interface vpn-09825b7656c360cd9-1(add-tunnel-interface[AWSVPN])# gateway primary 18.192.255.235(add-tunnel-interface[AWSVPN])# bound-to interface X1(add-tunnel-interface[AWSVPN])# auth-method shared-secret(auth-method-shared-secret[AWSVPN])# shared-secret 5sS4AkV5MGEh3f2cZD8TpPCrtLvDDDuN(auth-method-shared-secret[AWSVPN])# ike-id local ip 3.74.79.64(auth-method-shared-secret[AWSVPN])# ike-id peer ip 18.192.255.235(auth-method-shared-secret[AWSVPN])# exit
and
(add-tunnel-interface[AWSVPN])# proposal ike exchange ikev2(add-tunnel-interface[AWSVPN])# proposal ike dh-group 2(add-tunnel-interface[AWSVPN])# proposal ike encryption aes-128(add-tunnel-interface[AWSVPN])# proposal ike authentication sha-1(add-tunnel-interface[AWSVPN])# proposal ike lifetime 28800(add-tunnel-interface[AWSVPN])# proposal ipsec protocol esp(add-tunnel-interface[AWSVPN])# proposal ipsec encryption aes-128(add-tunnel-interface[AWSVPN])# proposal ipsec authentication sha-1(add-tunnel-interface[AWSVPN])# proposal ipsec perfect-forward-secrecy dh-group 2(add-tunnel-interface[AWSVPN])# proposal ipsec lifetime 3600(add-tunnel-interface[AWSVPN])# Keep-alive(add-tunnel-interface[AWSVPN])# enable(add-tunnel-interface[AWSVPN])# commit(add-tunnel-interface[AWSVPN])# end
Configure Tunnel Interfaces
A tunnel interface is configured to be the logical interface associated with the tunnel.
As defined in #5: Tunnel Interface Configuration we should configure the tunnel interface as specified in the template conf
config(SerialNumber)# tunnel-interface vpn T1(add-interface[T1])# asymmetric-route(add-interface[T1])# policy vpn-09825b7656c360cd9-0(add-interface[T1])# ip-assignment VPN static(add-VPN-static)# ip 169.254.95.226 netmask 255.255.255.252(add-VPN-static)# commit(edit-VPN-static)# end
Navigate to Network > Interfaces and select Add Interface > VPN Tunnel Interface
do the same for the second interface:
config(SerialNumber)# tunnel-interface vpn T2(add-interface[T1])# asymmetric-route(add-interface[T1])# policy vpn-09825b7656c360cd9-1(add-interface[T1])# ip-assignment VPN static(add-VPN-static)# ip 169.254.60.38 netmask 255.255.255.252(add-VPN-static)# commit(edit-VPN-static)# end
Configure Static Routes
Configure static routes to route VPC network over the tunnel interfaces as specified in the template conf #6 Static Route Configuration
Go to Policy > Rules and Policies > Route Policy and create:
config(SerialNumber)# route-policy ipv4 interface T1 metric 1 source any destination name AWSVPC service any(add-route-policy)# commit
and
Config(SerialNumber)# route-policy ipv4 interface T2 metric 1 source any destination name AWSVPC service any(add-route-policy)# commit
Note:
Disable the option “Disable route when the interface is disconnected” to allow the simultaneous connection of both tunnels
In this case the destination AWS UC LAB is the AWSVPC Network (10.148.0.0/16)
Testing
Going back Network > IPSec VPN > Rules and Settings we should be able to see both tunnels up:
Increase the security in the VPN connection
Now, since AWS side VPN tunnels support better security, we can adjust SonicWall configuration accordingly.
So we can use:
AES-256 instead of AES-128
SHA512 instead of SHA1
Diffie-Hellman group 14 instead of DH 2, SonicWall supports DH14
IKEv2 whenever possible
Let’s adjust SonicWall configuration:
Network > IPSec VPN > Rules and Settings > edit both tunnels with the new parameters:
Now the IPSec tunnels will be up and running with maximum security:
We have done!
For more information and support please contact our UCCS Onboarding Team