Sonicwall 6.5 IPsec Configuration

Overview

In this article, you will learn how to connect your Sonicwall to the Acreto Ecosystem. To make the connection possible and secure, we will use an IPsec VPN tunnel.

Network Diagram

Prerequisites

  1. Sonicwall 6.5 installation
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

Create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  • Type: IPsec
  • Category: Data Center
  • Model: AWS site-to-site VPN
  • Connections from: Public IP
  • Local network: local_network
  • Save and Commit the changes


Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (use a /32 prefix for the public interface). This allows you to test connectivity from the gateway through Acreto using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the Sonicwall configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All the details may be found within the Gateway details panel - please check the video below for further instructions.


Task 2: Configure IPsec VPN on Sonicwall

To configure the IPsec VPN using a tunnel interface, proceed with the following steps:

  1. Go to MANAGE » VPN » Base Settings.

  2. Under VPN Policies, click the ADD button.

  3. Under the General tab, enter the following values:

    • Security Policy
      • Policy Type: Tunnel Interface
      • Authentication Method: IKE using Preshared Secret
      • Name: Acreto
      • IPsec Primary Gateway Name or Address: <Wedge_Tunnel_IP>
    • IKE Authentication
      • Shared Secret: <Pre-Shared_Key> (the Pre-Shared Key read in Task 1)
      • Confirm Shared Secret: <Pre-Shared_Key>
      • Local IKE ID: IPv4 Address: wedge_tunnel_IP
      • Peer IKE ID: IPv4 Address: Local Public IP
  4. Go to the Proposals tab

    • IKE (Phase 1) Proposal
      • Exchange: IKEv2 Mode
      • DH Group: Group 2
      • Encryption: AES-256
      • Authentication: SHA256
      • Life Time (seconds): 10800
    • IPsec (Phase 2) Proposal
      • Protocol: ESP
      • Encryption: AES-256
      • Authentication: SHA256
      • Enable Perfect Forward Secrecy: Yes
      • DH Group: Group 14
      • Life Time (seconds): 3600
  5. Advanced Settings

    • Enable Keep Alive: Enable
  6. Click the OK button.

Task 3: Create a new tunnel interface

Next, we will create the tunnel interface that will be used to route the traffic.

  1. Go to MANAGE » Network » Interfaces

  2. In the middle of the screen, for the field Add Interface, select VPN Tunnel Interface.


  3. Create a new interface with the following values:

    • VPN Policy: Acreto
    • Name: vdi_Acreto
    • IP Address: <any arbitrary IP address, e.g. 2.2.2.2>
    • Subnet Mask: 255.255.255.255


  4. Click the OK button.

Task 4: Configure Routing

To allow the traffic from the LAN subnet to route through the tunnel interface, perform the following steps:

  1. Go to MANAGE » Network » Routing

  2. Under the Route Policies tab, click the Add button.

  3. Create a new rule with the following values under General:

    • Route Policy Settings
    • Name: Lan_to_Acreto
    • Source: <lan_subnets>
    • Destination: Any
    • Service: Any
    • Interface: <tunnel_interface>


  4. Click the OK button.

Task 5: Configure Access Rules

Verify an existing access rule, or create a new one, to allow the desired traffic.

  1. Go to MANAGE » Rules » Access Rules

  2. Click the Add button.

  3. Under General, provide the following values:

    • Name: To_Acreto
    • Action: Allow
    • From: <Lan_interface>
    • To: <tunnel_interface>
    • Source Port: Any
    • Service: Any
    • Source: <lan_subnet>
    • Destination: Any


  4. Click the OK button.

Task 6: Verify the connection

Once the tunnel connection is successfully established, its status will change to UP.

  1. To verify the status on Sonicwall, navigate to MANAGE » VPN » Base Settings

    • VPN Policies

    The status of the VPN policy should be Green.


    • Currently Active VPN Tunnels

    The active VPN tunnel will be shown in the list.

  2. Execute tracert 1.1.1.1 (or traceroute 1.1.1.1) on an internal server to check the route to the external host 1.1.1.1. Acreto's IP should appear in the path.
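To make the path check in step 2 repeatable, here is an added example script (not from the original article and not Acreto's or SonicWall's own tooling) that parses the output of tracert or traceroute and reports whether an expected hop appears in the path. The two sample trace outputs and the hop address 203.0.113.10 are constructed placeholders; substitute Acreto's IP from your Gateway details panel.

```python
"""Added example: confirm that an expected hop (Acreto's IP) appears in the
route from an internal host to 1.1.1.1. Parses both Windows 'tracert' and
Unix 'traceroute' output."""
import platform
import re
import subprocess
from typing import List, Optional, Tuple

# A hop line starts with the hop number; everything after it is inspected for an IP.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
# First dotted-quad IPv4 address on a hop line (tracert and traceroute both print one).
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample output in Windows tracert layout (placeholder addresses).
SAMPLE_TRACERT = """\
Tracing route to 1.1.1.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     8 ms     7 ms     8 ms  203.0.113.10
  3    12 ms    11 ms    12 ms  1.1.1.1

Trace complete.
"""

# Constructed sample output in Unix traceroute -n layout, with one timed-out hop.
SAMPLE_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.10.1  0.412 ms  0.380 ms  0.371 ms
 2  * * *
 3  203.0.113.10  8.102 ms  7.955 ms  8.010 ms
 4  1.1.1.1  12.301 ms  12.114 ms  12.090 ms
"""


def parse_hops(output: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop_number, ip_or_None) for every hop line in the trace output.

    Header and trailer lines do not start with a hop number and are skipped.
    A hop that only timed out ('* * *' or 'Request timed out.') yields None."""
    hops: List[Tuple[int, Optional[str]]] = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ip = IPV4.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops


def path_contains(output: str, expected_ip: str) -> bool:
    """True when expected_ip is one of the hops in the captured trace output."""
    return any(ip == expected_ip for _, ip in parse_hops(output))


def run_trace(target: str = "1.1.1.1") -> str:
    """Run the platform's trace tool without DNS lookups and return its text
    output. Requires tracert (Windows) or traceroute (Unix) to be installed."""
    if platform.system() == "Windows":
        cmd = ["tracert", "-d", target]
    else:
        cmd = ["traceroute", "-n", target]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Placeholder: replace with Acreto's IP from the Gateway details panel.
    ACRETO_HOP = "203.0.113.10"
    try:
        trace = run_trace("1.1.1.1")
    except FileNotFoundError:
        trace = SAMPLE_TRACEROUTE  # tool not installed: fall back to the sample
    for hop, ip in parse_hops(trace):
        print(f"{hop:>3}  {ip or '*'}")
    print("Acreto in path:", path_contains(trace, ACRETO_HOP))
```

Run it on the internal server after the tunnel shows UP; a result of False with the tunnel up usually means the route policy from Task 4 or the access rule from Task 5 does not match the server's subnet.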

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.