Sonicwall 7.0 IPsec Configuration

Overview

In this article, you will learn how to connect your SonicWall to the Acreto Ecosystem. To make the connection possible and secure, we will use an IPsec VPN tunnel.

(Figure: network diagram)

Prerequisites

  1. SonicWall 7.0 installation
  2. Ecosystem set up with the proper security policies

Create Gateway for IPsec

Create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  • Type: IPsec
  • Category: Data Center
  • Model: AWS site-to-site VPN
  • Connections from: Public IP
  • Local network: local_network
  • Save and Commit the changes


Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (use a /32 prefix for the public interface). This allows you to test connectivity from the gateway through Acreto using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the SonicWall configuration, you will need a few values from an existing, committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All the details can be found in the Gateway details panel.

Task 2: Configure IPsec VPN on SonicWall

To configure the IPsec VPN using a tunnel interface, proceed with the following steps:

  1. Go to NETWORK » IPsec VPN » Rules and Settings.

  2. Click the ADD button.

  3. Under the General tab, enter the following values:

    • Security Policy
      • Policy Type: Tunnel Interface
      • Authentication Method: IKE using Preshared Secret
      • Name: Acreto
      • IPsec Primary Gateway Name or Address: <Wedge_Tunnel_IP>
    • IKE Authentication
      • Shared Secret: PSK
      • Confirm Shared Secret: PSK
      • Local IKE ID: IPv4 Address: <Wedge_Tunnel_IP>
      • Peer IKE ID: IPv4 Address: <Local Public IP of the SonicWall>
  4. Go to the Proposals tab and enter the following values:

    • IKE (Phase 1) Proposal
      • Exchange: IKEv2 Mode
      • DH Group: Group 2
      • Encryption: AES-256
      • Authentication: SHA256
      • Life Time (seconds): 10800
    • IPsec (Phase 2) Proposal
      • Protocol: ESP
      • Encryption: AES-256
      • Authentication: SHA256
      • Enable Perfect Forward Secrecy: Yes
      • DH Group: Group 14
      • Life Time (seconds): 3600
  5. Under Advanced Settings:

    • Enable Keep Alive: Enabled
  6. Click the OK button.
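The most common reason a policy like the one above never reaches UP is a Phase 1 or Phase 2 proposal that does not match the peer. The following Python is an added example (not code from this article, Acreto or SonicWall) that models the Task 2 proposals, reports which fields would block negotiation, and flags MODP DH groups below current guidance; the peer proposal is a constructed stand-in for Acreto's recommended ciphers, not a value read from the Gateway details panel.

```python
# Added example (not from the article, Acreto or SonicWall): models the IKEv2 /
# IPsec proposals from Task 2 to predict whether Phase 1 and Phase 2 will
# negotiate with the peer, and flags MODP DH groups below current guidance.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}  # RFC 2409/3526

@dataclass(frozen=True)
class Proposal:
    exchange: str  # "IKEv2" or "IKEv1"
    p1_dh: int
    p1_enc: str
    p1_auth: str
    p1_life: int  # seconds; not negotiated in IKEv2, the shorter side rekeys first
    p2_enc: str
    p2_auth: str
    pfs_dh: Optional[int]  # None when Perfect Forward Secrecy is disabled
    p2_life: int

# Values exactly as entered in Task 2 of this article.
SONICWALL = Proposal("IKEv2", 2, "AES-256", "SHA256", 10800, "AES-256", "SHA256", 14, 3600)
# Constructed peer proposal standing in for Acreto's recommended ciphers; it is
# NOT taken from the Gateway details panel (the longer lifetime is harmless).
PEER_EXAMPLE = Proposal("IKEv2", 2, "AES-256", "SHA256", 28800, "AES-256", "SHA256", 14, 3600)

# Fields that must agree for the tunnel to come UP; lifetimes are deliberately absent.
NEGOTIATED = (("Phase 1", "exchange"), ("Phase 1", "p1_dh"), ("Phase 1", "p1_enc"),
              ("Phase 1", "p1_auth"), ("Phase 2", "p2_enc"), ("Phase 2", "p2_auth"),
              ("Phase 2", "pfs_dh"))

def negotiation_issues(local: Proposal, peer: Proposal) -> List[str]:
    """Return mismatches that would stop Phase 1 or Phase 2; [] means it should negotiate."""
    issues = []
    for phase, field in NEGOTIATED:
        mine, theirs = getattr(local, field), getattr(peer, field)
        if mine != theirs:
            issues.append(f"{phase}: {field} {mine} vs {theirs}")
    return issues

def weak_groups(p: Proposal) -> List[Tuple[str, int]]:
    """Advisory only: MODP groups under 2048 bits (e.g. Group 2) negotiate fine
    but are below current guidance, so prefer Group 14 or higher where the peer allows."""
    return [(label, grp) for label, grp in (("Phase 1", p.p1_dh), ("PFS", p.pfs_dh))
            if grp is not None and MODP_BITS.get(grp, 2048) < 2048]

if __name__ == "__main__":
    print("mismatches:", negotiation_issues(SONICWALL, PEER_EXAMPLE) or "none")
    print("weak groups:", weak_groups(SONICWALL) or "none")
```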

Task 3: Create a new tunnel interface

Next, we will create the tunnel interface that will be used to route the traffic.

  1. Go to NETWORK » System » Interfaces.

  2. Click the Add Interface button and select VPN Tunnel Interface.

  3. Create a new interface with the following values:

    • VPN Policy: Acreto
    • Name: vti_Acreto
    • IP Address: <any otherwise unused IP, for example 2.2.2.2>
    • Subnet Mask: 255.255.255.254

  4. Click the OK button.

Task 4: Configure Routing

To allow the traffic from the LAN subnet to route through the tunnel interface, perform the following steps:

  1. Go to POLICY » Rules and Policies » Route Policy.

  2. Create a new rule with the following values under the General tab:

    • Name: Lan_to_Acreto
    • Source: <lan_subnets>
    • Destination: Any
    • Select Service radio button
    • Service: Any

  3. Click the Next Hop tab and enter the following values:

    • Select the Standard Route radio button
    • Interface: <tunnel_interface>

  4. Click the SAVE button.

Task 5: Configure Security Policy

Verify an existing access rule, or create a new one, to allow the desired traffic.

  1. Go to POLICY » Rules and Policies » Security Policy.

  2. Click the Add button.

  3. Under General, provide the following values:

    • Name: To_Acreto
    • Action: Allow
    • From: <Lan_interface>
    • To: <tunnel_interface>
    • Source Port: Any
    • Service: Any
    • Source: <lan_subnet>
    • Destination: Any

  4. Click the OK button.

Task 6: Verify the connection

Once the tunnel connection is successfully established, its status will change to UP.

  1. To verify the status on the SonicWall, navigate to NETWORK » IPsec VPN » Rules and Settings » Active Tunnels tab.

    • The status of the VPN policy should be Green.
    • Currently Active VPN Tunnels: the active VPN tunnel will be shown in the list.

  2. Execute tracert 1.1.1.1 (or traceroute 1.1.1.1) on an internal server to check the route to the external host 1.1.1.1. It should show Acreto's IP in the path.

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.