Set up a VPN from a Firebox to a SonicWALL Device

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to define a manual BOVPN tunnel between a Firebox and a SonicWALL Security Appliance (SonicOS Enhanced 5.8.1.12-65o). Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and decide which common tunnel settings to use.

This topic does not give detailed information on what the different BOVPN settings mean, or the effects those settings can have on the tunnel that is built. If you want to know more about a particular setting, use these resources:

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

VPN Configuration Summary

For reference purposes, here is a summary of the VPN configuration defaults for the SonicWALL Network Security Appliance, with emphasis on any settings that do not match the default VPN configuration settings in Fireware.

VPN Settings               WatchGuard Device Default   SonicWALL Device Default   Matched?

Phase 1 Settings
  IKE Exchange Mode        IKEv1, Main                 IKEv2                      N
  Authentication           SHA1                        SHA1                       Y
  Encryption               3DES                        3DES                       Y
  Diffie-Hellman Group     2                           2                          Y

Phase 2 Settings
  Perfect Forward Secrecy  No                          No                         Y
  Protocol                 ESP                         ESP                        Y
  Authentication           SHA1                        SHA1                       Y
  Encryption               AES (256-bit)               3DES                       N

WatchGuard and SonicWALL devices have different default settings for the Phase 1 IKE exchange mode and the Phase 2 encryption algorithm. For the VPN tunnel to build successfully, you must specify the same Phase 1 and Phase 2 settings on your Firebox and SonicWALL devices.

For the strongest security, WatchGuard recommends that you change the default settings on the Firebox and SonicWALL devices to specify an AES variant for encryption.

Collect IP Address and Tunnel Settings

Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also decide which Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a SonicWALL device.

For example, the IP address settings you collect could look like this:

WatchGuard Firebox:

External interface IP address: 203.0.113.2

Trusted network IP address: 10.0.1.0/24

SonicWALL device:

External interface IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24
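The following Python script is an added pre-flight check, not part of the WatchGuard documentation. It encodes the two defaults from the VPN Configuration Summary that must be reconciled, the change the SonicWALL Proposals tab steps make, and the address checks a practitioner runs on the values collected above (the field names, the RFC 1918 check and the "no overlapping routes" rule are this example's assumptions).

```python
"""Pre-flight check for a manual BOVPN between a Firebox and a SonicWALL device.

Added example, not part of the WatchGuard documentation. Defaults mirror the
VPN Configuration Summary on this page; the addresses are the page's samples.
"""
import ipaddress

# Defaults from the VPN Configuration Summary table (field names are ours).
FIREBOX_DEFAULTS = {
    "p1_exchange": "IKEv1 Main", "p1_auth": "SHA1", "p1_enc": "3DES", "p1_dh": 2,
    "p2_pfs": False, "p2_protocol": "ESP", "p2_auth": "SHA1", "p2_enc": "AES-256",
}
SONICWALL_DEFAULTS = {
    "p1_exchange": "IKEv2", "p1_auth": "SHA1", "p1_enc": "3DES", "p1_dh": 2,
    "p2_pfs": False, "p2_protocol": "ESP", "p2_auth": "SHA1", "p2_enc": "3DES",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def proposal_mismatches(local, remote):
    """Settings that differ between the peers; IKE will not negotiate until they agree."""
    return {k: (local[k], remote.get(k)) for k in local if local[k] != remote.get(k)}


def weak_encryption(settings):
    """Phases still using a non-AES cipher (the page recommends an AES variant)."""
    return [k for k in ("p1_enc", "p2_enc") if not settings[k].startswith("AES")]


def apply_sonicwall_procedure(settings):
    """The two changes made on the Proposals tab: Main mode and AES (256-bit) for Phase 2."""
    return {**settings, "p1_exchange": "IKEv1 Main", "p2_enc": "AES-256"}


def check_addresses(local_ext, local_net, remote_ext, remote_net):
    """Sanity-check the collected endpoint addresses; returns a list of problems."""
    problems = []
    lnet, rnet = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    for name, ext in (("Firebox", local_ext), ("SonicWALL", remote_ext)):
        ip = ipaddress.ip_address(ext)
        if any(ip in n for n in RFC1918):
            problems.append(f"{name} external IP {ip} is an RFC 1918 address")
        if ip in lnet or ip in rnet:
            problems.append(f"{name} external IP {ip} falls inside a tunnel route")
    if lnet.overlaps(rnet):  # overlapping routes cannot be selected into the tunnel
        problems.append(f"local network {lnet} overlaps remote network {rnet}")
    return problems


if __name__ == "__main__":
    print("mismatches:", proposal_mismatches(FIREBOX_DEFAULTS, SONICWALL_DEFAULTS))
    print("after procedure:", proposal_mismatches(FIREBOX_DEFAULTS, apply_sonicwall_procedure(SONICWALL_DEFAULTS)))
    print("address problems:", check_addresses("203.0.113.2", "10.0.1.0/24", "198.51.100.2", "10.50.1.0/24"))
```

With the page's sample addresses the address check returns no problems, and after the Proposals tab changes only the shared 3DES Phase 1 cipher is still flagged as weak.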

Configure the Firebox

On the Firebox, add a VPN Gateway and a VPN tunnel that uses that gateway.

Add the VPN Gateway

Add the VPN Tunnel

After you define the gateway, you can add tunnels. In this step, you create a branch office tunnel configuration with the routes (the local and remote endpoints for the tunnel).

Configure the SonicWALL Device

This procedure describes how to manually configure the VPN settings for the SonicWALL device.

In the SonicWALL web-based management interface:

  1. Select VPN > Settings.

Screen shot of the SonicWALL VPN Settings page

  2. In the VPN Policies section, click Add.
    The VPN Policy dialog box appears.

Screen shot of the General tab

  3. From the Policy Type drop-down list, confirm that Site to Site is selected.
  4. In the Name text box, type a meaningful name for the connection.
  5. In the IPsec Primary Gateway Name or Address text box, type the external IP address for the Firebox.
  6. In the Shared Secret and Confirm Shared Secret text boxes, type the pre-shared key you used on the Firebox.
  7. In the Local IKE ID text box, type the external IP address for the SonicWALL device.
  8. In the Peer IKE ID text box, type the external IP address for the Firebox.
  9. Select the Network tab.

Screen shot of the Network tab

  10. From the Choose local network from list drop-down list, select Create new address object.
    The Add Address Object dialog box appears.

Screen shot of the address object settings

  11. In the Name text box, type a meaningful name for this address object.
  12. From the Type drop-down list, select Network.
    The IP Address text box is replaced by text boxes for Network and Netmask.
  13. In the Network text box, type the subnet ID for the private network IP address of the SonicWALL device.
  14. In the Netmask text box, type the subnet mask for the private network IP address of the SonicWALL device.
  15. Click OK.

In our testing with the Chrome browser, the Add Address Object dialog box failed to close correctly at this point. We did not experience this problem with Internet Explorer.

  16. From the Choose remote network from list drop-down list, select Create new address object.
    The Add Address Object dialog box appears.
  17. In the Name text box, type a meaningful name for this address object.
  18. From the Type drop-down list, select Network.
    The IP Address text box is replaced by text boxes for Network and Netmask.
  19. In the Network text box, type the subnet ID for the private network IP address of the Firebox.
  20. In the Netmask text box, type the subnet mask for the private network IP address of the Firebox.
  21. Click OK.
  22. Select the Proposals tab.

Screen shot of the Proposals tab

  23. From the Exchange drop-down list, under IKE (Phase 1) Proposal, select Main.
  24. In the IPSec (Phase 2) Proposal section, in the Encryption drop-down list, select AES (256-bit).
  25. Click OK to complete the VPN configuration.

After you have configured the VPN on both devices, you can try to send traffic through the tunnel as a test of the VPN.

See Also

Troubleshoot Branch Office VPN Tunnels
