Dell SonicWall TZ670 and Firebox Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Dell SonicWall TZ670.

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11 or higher
  • Dell SonicWall TZ670 with SonicOS v7.0.0 or higher

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a SonicWall TZ670.

Screen shot of the topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • You have configured the external interfaces and zones on the Dell SonicWall TZ670. In this guide, we use the X4 external interface with the 10.10.0.1/24 IP address. For more information about how to configure interfaces, go to the SonicWall User Guide.

Configure the Firebox

You can configure your Firebox for a policy-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of Add BOVPN page

  4. In the Name text box, type a descriptive name for the BOVPN. In this example, we type policy-based BOVPN.
  5. From the VPN Connection Type drop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type SonicWall.
  9. Click Next.
    The VPN Gateways settings page opens.

    10. Screenshot of VPN Gateway settings

  10. For your cloud-managed Firebox:
    1. SelectExternal.
    2. From the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your SonicWall WAN interface.
  12. To encrypt and decrypt the data that goes through the VPN tunnel, in the Pre-Shared Key text box, type a pre-shared key. This pre-shared key matches the pre-shared key you will configure for the IKE Gateway on the SonicWall firewall.
  13. Click Next.
    The Traffic settings page opens.

    14. Screenshot of traffic private network settings

  14. From the cloud-managed Firebox section, select the internal network that you want to be accessible through the VPN tunnel.
  15. For the SonicWall VPN endpoint, click Add Network Resource.
  16. In the Network Resource text box, type the IP address of the private network protected by the SonicWall firewall. In our example, we type 10.10.0.0/24.
  17. Click Add.
  18. Keep the default values for all other settings.
  19. Click Next.
    The Tunnel Routes page opens.

    20. Screenshot of Tunnel Routes settings

  20. Keep the default values for all settings.
  21. Click Next.
    The Security settings page opens.

    22. Screenshot of phase 1 and phase 2 security settings

  22. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 24.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  23. In the Phase 2 Settings section,:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  24. Keep all default values for all other settings.
  25. Click Add.
  26. (Optional) To open the VPN Configuration Summary page for the cloud-managed Firebox, click View Guide.
  27. Click Finish.

    28. When you add a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update for the cloud-managed Firebox.

  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080..
  2. Select VPN > Branch Office VPN.

    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
    The Add page opens.

    4. Screenshot of the General Settings tab

  4. In the Gateway Name text box, type a name to identify this BOVPN gateway. In this example, we type gateway.1.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key and in the adjacent text box, type the pre-shared key.

  7. From the drop-down list, select String-Based .
  8. In the Gateway Endpoint section, click Add.

    The Gateway Endpoint Settings dialog box opens.

    9. Screen shot of the Local Gateway settings

  9. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Firebox.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.

    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface. In this example, we type 203.0.113.2.
  13. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    14. Screen shot of the Remote Gateway settings

  14. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  15. In the adjacent text box, type the IP address of your SonicWall WAN connection. In this example, we type 198.51.100.2.
  16. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  17. In the adjacent text box, type the IP address of your SonicWall WAN connection. In this example, we type 198.51.100.2.
  18. Keep the default values for all other settings.
  19. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.

    20. Screen shot of the completed Gateway Endpoint configuration

  20. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  21. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    22. Screen shot of the Phase 1 settings

  22. From the Version drop-down list, select IKEv2.
  23. Keep the default values for all other Phase 1 settings.
  24. Click Save.
    The gateway you added appears on the list of gateways.

    25. Screen shot of the Gateways and Tunnels lists

  25. In the Tunnels section, click Add.
    The tunnel settings page opens.

    26. Screen shot of the Advanced settings

  26. In the Name text box, type a name to identify the tunnel. In this example, we type tunnel.1.
  27. From the Gateway drop-down list, select the gateway that you configured. In this example, we select gateway.1.
  28. In the Addresses section, click Add.
    The Tunnel Route Settings page opens.

    29. Screen shot of the Tunnel Route settngs

  29. In the Local IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the local IP segment. This the local network protected by the Firebox.
  30. In the Remote IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the remote IP segment. This the local network protected by the Dell SonicWall device.
  31. Click OK.

    32. Screen shot of the Phase 2 settings

  32. Keep the default values for all Phase 2 Settings.
  33. Click Save.

Configure an IPSec VPN Tunnel for the SonicWall TZ670

To configure an IPSec VPN tunnel for the SonicWall TZ670:

  1. Log in to the SonicWall TZ670 Web UI at https://<IP address of TZ670>. The default IP address is 192.168.168.168.
  2. Select Object.
  3. From the navigation menu, select Match Objects > Addresses > Address Objects.
  4. To add a new subnet for the VPN tunnel, click Add.
    The Address Object Settings dialog box opens.

    5. Screenshot of Dell SonicWall Address Object settings

  5. In the Name text box, type a name for this subnet. In our example, we type WGINT.
  6. From the Zone Assignment drop-down list, select VPN.
  7. From the Type drop-down list, select Network.
  8. In the Network text box, type the IP address of the subnet. In this example, we type 192.168.35.0.
  9. In the Netmask/Prefix Length text box, type the netmask.
  10. Click Save.
  11. Click Close.
    The VPN tunnel object is created and appears in the list of objects.

    12. Screenshot of Dell sonicwall address objects page

  12. Select Network.
  13. From the navigation menu, select IPSec VPN > Rules and Settings.
  14. In the Policies section, click Add.
    The VPN Policy page opens with General tab selected.

    15. Screenshot of sonicwall VPN policy settings on the General tab

  15. In the Security Policy section:
    1. From the Policy Type drop-down list, select Site to Site.
    2. From the Authentication Method drop-down list, select IKE Using Preshared Secret.
    3. In the Name text box, type a name for this VPN. In our example, we type VPN with WG.
    4. In the IPsec Primary Gateway Name or Address text box, type the external IP address of your Firebox. In this example, we type 203.0.113.2.
  16. In the IKE Authentication section:
    1. Enable Mask Shared Secret.
    1. In the Shared Secret and Confirm Shared Secret text boxes, type the pre-shared secret key.
    2. From the Local IKE ID drop-down list, select IPv4 Address. In the adjacent text box, type the SonicWall outgoing public IP address. In this example, we type 198.51.100.2.
    3. From the Peer IKE ID drop-down list, select IPv4 Address. In the adjacent text box, type the external IP address of your Firebox. In this example, we type 203.0.113.2.
  17. Keep the default values for all other settings.
  18. Select the Network tab.
    The Network page opens.

    19. Screenshot of sonicwall VPN policy settings on the network tab

  19. In the Local Networks section, select Choose Local Network From List, then from the adjacent drop-down list, select the subnet you have already configured for the SonicWall. In our example, we select X4 Subnet.
  20. In the Remote Networks section, select Choose Destination Network From List, then from the adjacent drop-down list, select the subnet object you added in Step 5. In our example, we select WGINT.
  21. Select the Proposals tab.
    The Proposals page opens.

    22. Screenshot of sonicwall VPN policy settings on the Proposal tab

  22. In the IKE (Phase 1) Proposal section:
    1. From the Exchange drop-down list, select IKEv2 Mode.
    2. From the DH Group drop-down list, select Group 14.
    3. From the Encryption drop-down list, select AES-256.
    4. From the Authentication drop-down list, select SHA256.
  23. In the Ipsec (Phase 2) Proposal section:
    1. From the Protocol drop-down list, select ESP.
    2. From the Encryption drop-down list, select AES-256.
    3. From the Authentication drop-down list, select SHA256.
    4. Enable Enable Perfect Forward Secrecy.
    5. From the DH Group drop-down list, select Group 14.
  24. Keep the default values for all other settings.
  25. Select the Advanced tab.
    The Advanced page opens.

    26. Screenshot of sonicwall VPN policy settings on the Advanced tab

  26. Turn on the Enable Keep Alive toggle.
  27. From the VPN Policy Bound To drop-down list, select the WAN interface for the SonicWall. In this example, we select Interface X1.
  28. Keep the default values for all other settings.
  29. Click Save.
  30. Click Close.
    The Advanced VPN Settings page opens.

    31. Screenshot of Sonicwall Advanced VPN Settings.

  31. Keep all default values for all Advanced VPN Settings.
  32. Click Accept.

Test the Integration

  1. Log in to SonicWall Firewall Web UI at: https://<IP address of TZ670>.
  2. Select Network.
  3. From the navigation mentu, select IPSec VPN > Rules and Settings.
  4. Select the Active Tunnels tab.

    5. Screenshot of Firebox, IPSec tunnel status

  5. Verify that the VPN tunnels you configured are active.
  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN.
    The VPN page opens.

    4. Screenshot of WatchGuard Cloud VPN page

  4. Verify that the VPN tunnels are active.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.
    The Branch Office VPN page opens.

    4. Screenshot of Firebox VPN page on Fireware Web UI

  4. In the Tunnels section, verify that the VPN tunnels are active.