Article Applies To:

Affected SonicWALL Security Appliance Platforms:

Gen5: NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W
Gen4 PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4 TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 70 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)

Firmware/Software Version: All SonicOS Standard and Enhanced versions.
Services: VPN


Feature/Application:

This article will detail all the steps necessary to create a working IKE IPSec VPN tunnel between a SonicWALL security appliance running SonicOS Standard and a SonicWALL security appliance running SonicOS Enhanced.

Scenario

Please note that all settings and screenshots contained within this article are taken from a SonicWALL TZ 170 running SonicOS Standard 3.1.6.3-4s acting as the remote site, and a SonicWALL NSA 240 running SonicOS Enhanced 5.6 acting as the central site.


Caveats:

  • Please take special care to set the VPN proposal settings identically on both SonicWALL security appliances. If the Phase 1 and Phase 2 settings do not match, the security appliances will not be able to negotiate a tunnel from either side. Also note that, when creating the address object for the destination network in SonicOS Enhanced, the Zone must be VPN.
  • Some Microsoft networking environments rely heavily on broadcasts to advertise and locate network resources (servers, print devices, etc). By default, SonicWALL devices are configured to not pass these Microsoft NetBIOS broadcasts across VPN tunnels. In this technote, we will detail how to configure SonicOS to pass these broadcasts across the VPN tunnel bidirectionally in the ‘Optional Steps’ section of this technote. Please note this may increase traffic in some environments.

Procedure: 

Configure SonicOS Standard VPN settings (remote site):

  • Log into the SonicWALL Management interface of the remote site SonicWALL.
  • Navigate to the VPN > Settings page.
  • Click on the Add button under the VPN Policies section.
  • Create a VPN policy with details as per the following screenshots.
  • When done click on the OK button to save the settings.


Configure SonicOS Enhanced VPN settings (central site):

  • Log into the SonicWALL Management interface of the central site SonicWALL.
  • Navigate to the Network > Address Objects page.
  • Create a new Address Object named "Remote Site LAN" with details as per the screenshot: 

  • Navigate to the VPN > Settings page.
  • Create a VPN policy with details as per the following screenshots.
  • Click OK to save.
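Because the tunnel will only come up when the two policies are exact mirror images of each other (identical proposals, swapped local/destination networks, swapped gateway addresses and IKE IDs, the same shared secret, and a VPN-zone destination object on the Enhanced side), it helps to write both policies down and compare them before clicking OK. The following is an added example, not SonicWALL code and not a SonicOS export format: the field names and the sample addresses are constructed for illustration, and the check simply reports every mismatch that would stop negotiation.

```python
import ipaddress

# Proposal fields that must be identical on both peers (illustrative names,
# not SonicOS configuration keys).
PROPOSAL_FIELDS = (
    "ike_exchange", "dh_group", "p1_encryption", "p1_authentication", "p1_lifetime",
    "p2_protocol", "p2_encryption", "p2_authentication", "pfs", "p2_lifetime",
)

# Constructed sample policies using documentation address ranges.
REMOTE_SITE = {  # SonicOS Standard side
    "wan_ip": "198.51.100.10",
    "ipsec_gateway": "203.0.113.20",
    "local_network": "192.168.10.0/24",
    "destination_network": "192.168.20.0/24",
    "local_ike_id": "198.51.100.10",
    "peer_ike_id": "203.0.113.20",
    "shared_secret": "example-psk-change-me",
    "ike_exchange": "main", "dh_group": 2,
    "p1_encryption": "3DES", "p1_authentication": "SHA1", "p1_lifetime": 28800,
    "p2_protocol": "ESP", "p2_encryption": "3DES", "p2_authentication": "SHA1",
    "pfs": False, "p2_lifetime": 28800,
}

CENTRAL_SITE = {  # SonicOS Enhanced side
    "wan_ip": "203.0.113.20",
    "ipsec_gateway": "198.51.100.10",
    "local_network": "192.168.20.0/24",
    "destination_network": "192.168.10.0/24",
    "destination_zone": "VPN",            # zone of the "Remote Site LAN" object
    "local_ike_id": "203.0.113.20",
    "peer_ike_id": "198.51.100.10",
    "shared_secret": "example-psk-change-me",
    "ike_exchange": "main", "dh_group": 2,
    "p1_encryption": "3DES", "p1_authentication": "SHA1", "p1_lifetime": 28800,
    "p2_protocol": "ESP", "p2_encryption": "3DES", "p2_authentication": "SHA1",
    "pfs": False, "p2_lifetime": 28800,
}

# A deliberately broken central policy: wrong DH group and wrong zone.
BROKEN_CENTRAL = dict(CENTRAL_SITE, dh_group=5, destination_zone="LAN")


def _net(side, key, label, problems):
    """Parse a CIDR network; strict=True rejects host bits set in the address."""
    try:
        return ipaddress.ip_network(side[key], strict=True)
    except ValueError as exc:
        problems.append(f"{label}.{key}: {exc}")
        return None


def check_policy_pair(remote, central):
    """Return a list of problems that would stop the tunnel negotiating.

    An empty list means the two policies mirror each other correctly.
    """
    problems = []

    # 1. Phase 1 / Phase 2 proposals must be identical on both peers.
    for field in PROPOSAL_FIELDS:
        if remote.get(field) != central.get(field):
            problems.append(f"proposal mismatch on {field}: "
                            f"remote={remote.get(field)!r} central={central.get(field)!r}")

    # 2. Networks must be valid, mirrored, and must not overlap.
    r_local = _net(remote, "local_network", "remote", problems)
    r_dest = _net(remote, "destination_network", "remote", problems)
    c_local = _net(central, "local_network", "central", problems)
    c_dest = _net(central, "destination_network", "central", problems)
    if None not in (r_local, r_dest, c_local, c_dest):
        if r_local != c_dest:
            problems.append("remote local_network must equal central destination_network")
        if c_local != r_dest:
            problems.append("central local_network must equal remote destination_network")
        if r_local.overlaps(c_local):
            problems.append("local networks overlap; traffic cannot be routed into the tunnel")

    # 3. Gateway addresses and IKE IDs must cross-match.
    for mine, theirs in (("ipsec_gateway", "wan_ip"), ("peer_ike_id", "local_ike_id")):
        if remote[mine] != central[theirs]:
            problems.append(f"remote {mine} does not match central {theirs}")
        if central[mine] != remote[theirs]:
            problems.append(f"central {mine} does not match remote {theirs}")

    # 4. Same pre-shared key on both sides (never echo the secret itself).
    if remote["shared_secret"] != central["shared_secret"]:
        problems.append("shared secret differs between the two policies")

    # 5. On the Enhanced side the destination address object must be in the VPN zone.
    if central.get("destination_zone") != "VPN":
        problems.append("central destination address object zone must be VPN")

    return problems


if __name__ == "__main__":
    for name, central in (("good pair", CENTRAL_SITE), ("broken pair", BROKEN_CENTRAL)):
        print(name, check_policy_pair(REMOTE_SITE, central) or ["OK"])
```

Run it with the two sample pairs and the good pair reports no problems, while the broken pair reports the DH group mismatch and the wrong zone. Fill the dictionaries in from the values you actually typed into each appliance; any line the check prints corresponds to a setting that will also appear as a negotiation error on the Log > View page once you try to bring the tunnel up.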

How to Test:

From a system behind the remote site SonicWALL, attempt to connect to a network resource behind the central site, or ping the central site SonicWALL’s LAN interface IP address.

Once you’ve done this, log into the remote site SonicWALL’s management GUI and check the ‘VPN > Settings’ page. You should see the active VPN tunnel listed (see screenshots below). On the remote site, you should see that the tunnel has negotiated with the Primary IPSec gateway.

Tunnel up at the Enhanced (central) Site:

Tunnel up at the Standard (remote) Site:

If the tunnel does not negotiate successfully, check the SonicWALL’s log on the ‘Log > View’ page to see if there are any error messages for VPN negotiation. If the tunnel is not negotiating and there are error messages displayed, go over the settings on both sides to make sure that they match and attempt to bring the tunnel up again.