Sonicwall

This topic describes how to configure Sonicwall to work in a VPN site-to-site solution with ISA Server.

Sonicwall: Preshared Secret Configuration Overview

The following IPSec settings will be used in this section of this configuration document:

  • Phase I
    • Main mode
    • 3DES
    • SHA-1
    • MODP Group 2 (1024 bits) for DH
    • SA lifetime of 28,800 seconds
    • Preshared Secret
  • Phase II
    • 3DES
    • SHA-1
    • PFS & MODP Group 2 (1024 bits) for DH
    • SA lifetime of 3600 seconds
    • ESP tunnel mode

Preshared Secret Checklist

Use the following checklist for preshared secrets.

____ Install and configure the Sonicwall device

____ Determine remote gateway external IP address

____ Determine remote networks IP address and netmask protected by the remote gateway

____ Set preshared secret

____ Configure VPN

____ Test IPSec tunnel

For installation and configuration information and documentation, refer to the documents found on the Sonicwall website (www.sonicwall.com).

Sonicwall Walk-through Procedure 1: Configuring the Preshared Secret Solution

This topic describes in detail the process to configure the Sonicwall device to successfully establish a site-to-site IPSec tunnel with the ISA Server computer using the settings specified in Sonicwall: Preshared Secret Configuration Overview. This section includes tips that can be used to improve the functionality of the IPSec tunnel, performance of the device, or the security of the device.

Note

The step-by-step instructions in the following sections assume that you have a working knowledge of Sonicwall, and only the parameters directly related to the scenarios are described in detail.

Configure VPN

Use these steps to configure VPN.

  1. Browse to the Web-based Sonicwall Manager and log on.
  2. Select VPN from the left menu.
  3. Select Enable VPN.
  4. Select the Configure tab in the VPN screen. On this tab:
    • Select -Add New SA- as the Security Association from the drop-down list.
    • Select IKE using Preshared Secret as the IPSec Keying Mode from the drop-down list.
    • Enter 14.15.16.17 as the IPSec Gateway Name.
    • Select Main Mode as the Exchange from the drop-down list.
    • Select Group 2 as the Phase 1 DH Group from the drop-down list.
    • Enter 28800 as the SA Life time (secs).
    • Select 3DES & SHA1 as the Phase 1 Encryption/Authentication from the drop-down list.
    • Select Strong Encryption and Authentication (ESP 3DES HMAC SHA1) as the Phase 2 Encryption/Authentication from the drop-down list.
    • Enter Cool-Dude! as the Shared Secret.
  5. Select Specify Destination Networks Below.
  6. Select Add a New Network.
  7. In the VPN Destination Network screen:
    • Enter 10.4.5.0 as the Network:
    • Enter 255.255.255.0 as the Subnet mask.
  8. Select Add a New Network and in the VPN Destination Network screen:
    • Enter 10.5.6.0 as the Network.
    • Enter 255.255.255.0 as the Subnet mask.
  9. In the Configure tab of the VPN screen, select Advanced Settings.
  10. In the VPN Advanced Settings screen:
    • Select Enable Perfect Forward Secrecy.
    • Select Group 2 as the Phase 2 DH Group from the drop-down list.
    • Select LAN as the VPN Termination.
  11. Test the IPSec tunnel after the ISA Server peer has been configured by sending ICMP traffic to the remote internal network through the IPSec tunnel using the ping utility.

Sonicwall: Certificate Configuration Overview

This section outlines the IPSec settings and the specific settings required for this device to perform Certificate Authentication.

The following IPSec settings will be used in this section of this configuration document:

  • Phase I
    • Main mode
    • 3DES
    • SHA-1
    • MODP Group 2 (1024 bits) for DH
    • SA lifetime of 28,800 seconds
    • Certificate Authentication
  • Phase II
    • 3DES
    • SHA-1
    • PFS & MODP Group 2 (1024 bits) for DH
    • SA lifetime of 3600 seconds
    • ESP tunnel mode

Certificate Checklist

Use the following checklist for certificates.

____ Install and configure the Sonicwall device

____ Determine remote gateway external IP address

____ Determine remote networks protected by the remote gateway

____ Determine Certificate Authority to use to create local certificate

____ Configure certificate

____ Configure VPN

____ Test IPSec tunnel

For installation and configuration information and documentation, refer to the documents found on the Sonicwall website (www.sonicwall.com).

Sonicwall Walk-through Procedure 2: Configuring the Certificate Solution

This topic describes in detail the process to configure the Sonicwall device to successfully establish a site-to-site IPSec tunnel with the ISA Server computer using the settings specified in Sonicwall: Certificate Configuration Overview. This section includes tips that can be used to improve the functionality of the IPSec tunnel, performance of the device, or the security of the device.

Note

The step-by-step instructions in the following sections assume that you have a working knowledge of Sonicwall, and only the parameters directly related to the scenarios are described in detail.
We recommend that you apply your changes after each step.

Configure Certificates

Use the following steps to configure certificates.

  1. Copy the certification authority (CA) certificate and the certificate revocation list (CRL) from the Certificate Authority to the local machine.

  2. Browse to the Web-based Sonicwall Manager and log on.

  3. Select VPN from the left menu and select the CA Certificates tab. On this tab:

    • Select -Add New CA Certificate- in Certificates from the drop-down list.
    • Enter the local path to the CA certificate copied from the Certificate Authority.
    • Select Import.
  4. In the VPN CA Certificates screen:

    • Enter the local path to the CRL copied from the Certificate Authority.
    • Select Import.
  5. Select the Local Certificates tab in the VPN screen. On this tab:

    • Select -Add New Local Certificate- in Certificates from the drop-down list.
    • Enter Sonicwall as the Certificate Name.
    • Select Country from the drop-down list and enter US in the corresponding space.
    • Select State from the drop-down list and enter MD in the corresponding space.
    • Select Locality, City, County from the drop-down list and enter Timonium in the corresponding space.
    • Select Company or Organization from the drop-down list and enter Fabrikam in the corresponding space.
    • Select Department from the drop-down list and enter TestLab in the corresponding space.
    • Select Email Address from the drop-down list and enter test@fabrikam.com in the corresponding space.
    • Select Common Name from the drop-down list and enter Sonicwall in the corresponding space.

    Note

    As these values are entered, the Subject Distinguished Name field is automatically populated.

  6. Select 1024 bits as the Subject Key Size from the drop-down list.

  7. Select Generate.

  8. Select Export to export the certificate request to a file on the local machine, and transfer the certificate request to the Certificate Authority for enrollment. The Certificate Authority returns the signed certificate.

  9. In the Local Certificates screen:

    • Select Sonicwall in Certificates from the drop-down list.
    • Enter the local path to the signed certificate copied from the Certificate Authority in Import Signed Certificate.
    • Select Import Certificate.

Configure VPN

Use the following steps to configure VPN.

  1. Select VPN from the left menu, and then select Enable VPN.

  2. Select the Configure tab in the VPN screen. On this tab:

    • Select -Add New SA- as the Security Association from the drop-down list.
    • Select IKE using 3rd Party Certificates as the IPSec Keying Mode from the drop-down list.
    • Enter 14.15.16.17 as the IPSec Gateway Name.
    • Select Main Mode as the Exchange from the drop-down list.
    • Select Group 2 as the Phase 1 DH Group from the drop-down list.
    • Enter 28800 as the SA Life time (secs).
    • Select 3DES & SHA1 as the Phase 1 Encryption/Authentication from the drop-down list.
    • Select Strong Encryption and Authentication (ESP 3DES HMAC SHA1) as the Phase 2 Encryption/Authentication from the drop-down list.
    • Enter /C=US/ST=MD/L=Timonium/O=Fabrikam/OU=TestLab/CN=isaserver/Email=test@fabrikam.com as Distinguished Name for the Peer Certificate’s ID.

    Note

    The syntax for this field must be in the form of /C=??/ST=??/L=?? … and must be the full DN of the Peer Certificate.

  3. Select Specify destination networks below.

  4. Select Add New Network.

  5. In the VPN Destination Network screen:

    • Enter 10.4.5.0 as the Network.
    • Enter 255.255.255.0 as the Subnet mask.
  6. Select Add a New Network, and in the VPN Destination Network screen:

    • Enter 10.5.6.0 as the Network.
    • Enter 255.255.255.0 as the Subnet mask.
  7. In the Configure tab of the VPN screen select Advanced Settings.

  8. In the VPN Advanced Settings screen:

    • Select Enable Perfect Forward Secrecy.
    • Select Group 2 as the Phase 2 DH Group from the drop-down list.
    • Select LAN in VPN Terminated at.
  9. Test the IPSec tunnel after the ISA Server peer has been configured by sending ICMP traffic to the remote internal network through the IPSec tunnel using the ping utility.
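The Peer Certificate's ID in step 2 must be the full subject DN of the ISA Server certificate in the slash-delimited form the Sonicwall expects, and a single wrong attribute causes Phase 1 to fail with no obvious error. The following helper is an added example, not part of this document or of any Sonicwall or ISA Server tooling. It converts a subject DN from the comma-separated form in which a Windows certificate viewer lists it (the "E = ..., CN = ..., S = MD, C = US" layout, with "S" for State and "E" for e-mail, is an assumption; check it against your own CA) into the /C=.../ST=.../Email=... form used in this walk-through, and reports which attributes differ between a configured peer ID and the certificate subject.

```python
"""Build and check the slash-delimited peer-certificate ID string that a
Sonicwall 'IKE using 3rd Party Certificates' SA expects.

Added example; not Sonicwall or ISA Server code.  The target string format
(/C=US/ST=MD/.../Email=...) is the one used in the walk-through.  The
comma-separated input form (E = ..., CN = ..., S = MD, C = US) is an
ASSUMPTION about how a Windows certificate viewer shows the Subject field.
"""
from __future__ import annotations

# Attribute-type aliases used by other tools, normalised to the spellings in
# the Sonicwall string.  Windows shows State as 'S' and e-mail as 'E'.
_ALIASES = {"S": "ST", "E": "Email", "EMAIL": "Email", "EMAILADDRESS": "Email"}

# Attribute order used by the walk-through's example string.
_SLASH_ORDER = ["C", "ST", "L", "O", "OU", "CN", "Email"]


def _canon(attr: str) -> str:
    """Map an attribute type to the spelling used in the Sonicwall DN."""
    a = attr.strip().upper()
    return _ALIASES.get(a, a)


def parse_slash_dn(dn: str) -> list[tuple[str, str]]:
    """Parse '/C=US/ST=MD/...' into ordered (type, value) pairs.

    The format has no escaping, so a value may not contain '/'.  Raises
    ValueError on anything that is not a sequence of '/TYPE=value'.
    """
    if not dn.startswith("/"):
        raise ValueError("peer ID must start with '/'")
    pairs = []
    for part in dn[1:].split("/"):
        if "=" not in part:
            raise ValueError(f"missing '=' in component {part!r}")
        attr, value = part.split("=", 1)
        if not attr or not value:
            raise ValueError(f"empty type or value in component {part!r}")
        pairs.append((_canon(attr), value))
    return pairs


def parse_comma_dn(subject: str) -> list[tuple[str, str]]:
    """Parse 'E = a@b, CN = isaserver, ..., C = US' (most-specific attribute
    first, as a Windows certificate viewer lists it) into (type, value)
    pairs.  Assumes no value contains a comma."""
    pairs = []
    for part in subject.split(","):
        if "=" not in part:
            raise ValueError(f"missing '=' in component {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((_canon(attr), value.strip()))
    return pairs


def to_slash_dn(pairs: list[tuple[str, str]]) -> str:
    """Render pairs in the Sonicwall form, in the walk-through's order.
    Attribute types outside the known list keep their order at the end."""
    known = [p for t in _SLASH_ORDER for p in pairs if p[0] == t]
    extra = [p for p in pairs if p[0] not in _SLASH_ORDER]
    for attr, value in known + extra:
        if "/" in value:
            raise ValueError(f"'/' in {attr} value cannot be represented")
    return "".join(f"/{attr}={value}" for attr, value in known + extra)


def peer_id_mismatches(configured: str, cert_subject: str) -> list[str]:
    """List attributes that differ between the configured peer ID and the
    certificate subject.  Order is ignored; values are compared exactly,
    which is the strict case.  An empty list means the ID matches."""
    want = dict(parse_slash_dn(configured))
    have = dict(parse_comma_dn(cert_subject))
    problems = []
    for attr in sorted(set(want) | set(have)):
        if want.get(attr) != have.get(attr):
            problems.append(
                f"{attr}: configured={want.get(attr)!r} certificate={have.get(attr)!r}"
            )
    return problems


if __name__ == "__main__":
    # Subject of the ISA Server certificate as a Windows viewer would show it
    # (constructed from the walk-through's values; layout is an assumption).
    subject = ("E = test@fabrikam.com, CN = isaserver, OU = TestLab, "
               "O = Fabrikam, L = Timonium, S = MD, C = US")
    print(to_slash_dn(parse_comma_dn(subject)))
    print(peer_id_mismatches("/C=US/ST=MD/L=Timonium/O=Fabrikam/OU=TestLab"
                             "/CN=ISAServer/Email=test@fabrikam.com", subject))
```

Run `peer_id_mismatches` with the string you typed into the Sonicwall and the subject copied from the ISA Server certificate before testing the tunnel; a non-empty result is the first thing to fix when Main Mode fails between two otherwise correctly configured peers.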

Troubleshooting the Sonicwall Scenario

The following section contains troubleshooting tips. For additional troubleshooting, refer to the Sonicwall Knowledge Base articles on the Sonicwall website (www.sonicwall.com). For troubleshooting information, check the Sonicwall logs:

  • The default Sonicwall logs can be viewed through the Web-based Sonicwall Manager by selecting Log from the left menu.
  • The default Sonicwall logs can also be sent to a log server using syslog.
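Once the logs are going to a syslog server, the useful troubleshooting step is to pull out the IKE messages for the ISA Server peer and count how often each failure recurs. The script below is an added example, not part of this document or of any Sonicwall tool. It assumes the Sonicwall syslog layout of space-separated key=value pairs with double-quoted values where a value contains spaces, and it treats a syslog priority of 3 (error) or lower as a failure. The sample log lines are constructed for the example: the message texts and the m= code numbers are made up and are not real Sonicwall log IDs.

```python
"""Summarise IKE/IPSec events per peer from Sonicwall-style syslog lines.

Added example; not Sonicwall code.  Assumes the key=value syslog layout
(quoted values may contain spaces) and uses syslog priority <= 3 as the
failure threshold.  SAMPLE_LINES are constructed; message texts and m= codes
are invented for illustration.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# key=value, where value is either a double-quoted string (with \" escapes)
# or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LINES = [  # constructed sample data
    'id=firewall sn=0006B1000001 time="2004-03-05 14:22:10" fw=9.8.7.6 pri=6 c=1024 m=98 '
    'msg="Connection Opened" src=10.1.2.5:1422:LAN dst=10.4.5.10:80:WAN proto=tcp/http',
    'id=firewall sn=0006B1000001 time="2004-03-05 14:22:11" fw=9.8.7.6 pri=6 c=2048 m=165 '
    'msg="IKE Initiator: Start Main Mode negotiation" src=9.8.7.6 dst=14.15.16.17',
    'id=firewall sn=0006B1000001 time="2004-03-05 14:22:12" fw=9.8.7.6 pri=3 c=2048 m=166 '
    'msg="IKE Responder: Received proposal does not match configured proposal" '
    'src=14.15.16.17 dst=9.8.7.6',
    'id=firewall sn=0006B1000001 time="2004-03-05 14:22:40" fw=9.8.7.6 pri=3 c=2048 m=167 '
    'msg="IKE negotiation timed out" src=9.8.7.6 dst=14.15.16.17',
    'id=firewall sn=0006B1000001 time="2004-03-05 14:23:12" fw=9.8.7.6 pri=3 c=2048 m=166 '
    'msg="IKE Responder: Received proposal does not match configured proposal" '
    'src=14.15.16.17 dst=9.8.7.6',
]


def parse_syslog_line(line: str) -> dict[str, str]:
    """Split one key=value syslog line into a dict, unquoting quoted values."""
    fields: dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def _host(addr: str) -> str:
    """Strip the ':port:zone' suffix Sonicwall appends to src/dst."""
    return addr.split(":")[0]


def _peer(fields: dict[str, str]) -> str:
    """The non-local end of the exchange: whichever of src/dst is not fw."""
    fw = fields.get("fw")
    for key in ("src", "dst"):
        if key in fields and _host(fields[key]) != fw:
            return _host(fields[key])
    return "unknown"


def ike_events(lines: list[str]) -> list[dict[str, str]]:
    """Return parsed records whose message concerns IKE, IPSec or VPN."""
    out = []
    for line in lines:
        f = parse_syslog_line(line)
        msg = f.get("msg", "")
        if msg.startswith(("IKE", "IPSec", "VPN")):
            out.append(f)
    return out


def ike_failures_by_peer(lines: list[str]) -> dict[str, Counter]:
    """Count error-level (pri <= 3) IKE/IPSec messages per remote peer."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for f in ike_events(lines):
        if int(f.get("pri", "7")) <= 3:
            summary[_peer(f)][f["msg"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for peer, counts in ike_failures_by_peer(SAMPLE_LINES).items():
        print(peer)
        for msg, n in counts.most_common():
            print(f"  {n:3d}  {msg}")
```

Feed it the syslog file for the remote gateway address configured in the SA (14.15.16.17 in this walk-through); a repeated proposal-mismatch message points at a Phase 1 or Phase 2 parameter that differs from the settings listed in the configuration overview, while a timeout with no response usually means UDP 500 or ESP is not reaching the peer.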