Dell SonicWall TZ670 and Firebox Route-Based BOVPN Integration Guide

This integration guide describes how to configure a route-based Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Dell SonicWall TZ670.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11 or higher
  • SonicWall TZ670 with SonicOS v7.0.0 or higher

Topology

This diagram shows the topology for a route-based BOVPN connection between a Firebox and a SonicWall TZ670.

Screen shot of the topology for a route-based BOVPN connection between a Firebox and a Dell SonicWall TZ670.

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • You have configured the external interfaces and zones on the SonicWall TZ670. In this guide, we use the X4 external interface with the 10.10.0.1/24 IP address. For more information about how to configure interfaces, go to the SonicWall User Guide.

Configure the Firebox

You can configure your Firebox for a route-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of WatchGuard Cloud Add BOVPN page with endpoint settings

  4. In the Name text box, type a descriptive name for the BOVPN. In this example, we type route-based vpn.
  5. From the VPN Connection Type drop-down list, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In this example, we type SonicWall.
  9. Click Next.
    The VPN Gateways settings page opens.

    10. Screenshot of WatchGuard Cloud Add BOVPN > VPN Gateways page

  10. For your cloud-managed Firebox:
    1. Select External.
    2. From the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your SonicWall WAN interface.
  12. To encrypt and decrypt the data that goes through the VPN tunnel, in the Pre-Shared Key text box, type a shared secret. This pre-shared key matches the pre-shared key you will configure for the IKE Gateway on the SonicWall firewall.
  13. Click Next.
    The Traffic settings page opens.

    14. Screenshot of WatchGuard Cloud Add BOVPN > Traffic page

  14. From the cloud-managed Firebox section, select the internal networks that you want to be accessible through the VPN tunnel.
  15. For the SonicWall VPN endpoint, click Add Network Resource.
  16. In the Network Resource text box, type the IP address of the private network protected by the SonicWall firewall. In this example, we type 10.10.0.0/24.
  17. Click Add.
  18. Keep the default values for all other settings.
  19. Click Next.
    The Security settings page opens.

    20. Screenshot of WatchGuard Cloud Add BOVPN > Security page

  20. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 24.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  21. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  22. Keep the default values for all other settings.
  23. Click Add.
  24. (Optional) To open the VPN Configuration Summary page for the cloud-managed Firebox, click View Guide.
  25. Click Finish.
    WatchGuard Cloud creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
    The Add page opens.

    4. Screen shot of the add BOVPN page

  4. In the Interface Name text box, type a name for this BOVPN virtual interface. In this example, we type BovpnVif.1.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key and in the adjacent text box, type the pre-shared key.
  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    9. Screen shot of the Local Gateway tab

  9. For Interface, select Physical, and from the adjacent drop-down list, select the interface that has the external (public) IP address of the Firebox.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface. In this example, we type 203.0.113.2.
  13. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    14. Screen shot of the Remote Gateway tab

  14. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  15. In the adjacent text box, type the IP address of your SonicWall WAN interface. In this example, we type 198.51.100.2.
  16. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  17. In the adjacent text box, type the IP address of your SonicWall WAN interface. In this example, we type 198.51.100.2.
  18. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.

    19. Screen shot of the completed Gateway Endpoint settings

  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When It Is Inactive check box.
  20. Select the Add This Tunnel to the BOVPN-Allow Policies check box.
  21. Select the VPN Routes tab.
    The VPN Routes page opens.

    22. Screen shot of the VPN Routes tab

  22. Click Add.
    The VPN Route Settings dialog box opens.

    23. Screen shot of the VPN Route Settings

  23. From the Choose Type drop-down list, select Network IPv4.
  24. In the Route To text box, type the Network IP address of a route that will use this virtual interface. In this example, we type 10.0.10.0.
  25. Click OK.
    The VPN route settings are added.

    26. Screen shot of the completed VPN Route settings

  26. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    27. Screen shot of the Phase 1 settings

  27. From the Version drop-down list, select IKEv2.
  28. Keep the default values for all other Phase 1 settings.
  29. Keep the default values for all Phase 2 Settings.

    30. Screen shot of the Phase 2 settings

  30. Click Save.

For more information about how to configure BOVPN virtual interfaces on the Firebox, go to BOVPN Virtual Interfaces.

Configure the SonicWall TZ670

To configure the SonicWall, complete these steps:

  1. Configure an IPSec VPN Tunnel
  2. Configure a BOVPN Route

Configure an IPSec VPN Tunnel

To configure an IPSec VPN tunnel, from the SonicWall Web UI:

  1. Log in to the SonicWall Web UI at: https://<IP address of TZ670>. The default IP address is 192.168.168.168.
  2. Select Object.
  3. From the navigation menu, select Match Objects > Addresses > Address Objects.
  4. To add a new subnet for the VPN tunnel, click Add.
    The Address Object Settings dialog box opens.

    5. Screen shot of the Dell SonicWALL address object settings

  5. In the Name text box, type a name for this subnet. In our example, we type WGINT.
  6. From the Zone Assignment drop-down list, select VPN.
  7. From the Type drop-down list, select Network.
  8. In the Network text box, type the IP address of the subnet. In this example, we type 192.168.35.0.
  9. In the Netmask/Prefix Length text box, type the netmask.
  10. Click Save.
  11. Click Close.
    The VPN tunnel object is created.
  12. Select Network.
  13. From the navigation menu, select IPSec VPN > Rules and Settings.
  14. In the Policies section, click Add.
    The VPN Policy dialog box opens with General tab selected.

    15. Screen shot of the Dell SonicWALL General tab

  15. In the Security Policy section:
    1. From the Policy Type drop-down list, select Tunnel Interface.
    2. From the Authentication Method drop-down list, select IKE Using Preshared Secret.
    3. In the Name text box, type a name for this VPN. In our example, we type VPN with WG.
    4. In the IPsec Primary Gateway Name or Address text box, type the external IP address of your Firebox. In this example, we type 203.0.113.2.
  16. In the IKE Authentication section:
    1. Enable Mask Shared Secret.
    2. In the Shared Secret and Confirm Shared Secret text boxes, type the pre-shared secret key.
    3. From the Local IKE ID drop-down list, select IPv4 Address. In the adjacent text box, type the SonicWall outgoing public IP address. In this example, we type 198.51.100.2.
    4. From the Peer IKE ID drop-down list, select IPv4 Address. In the adjacent text box, type the external IP address of your Firebox. In this example, we type 203.0.113.2.
  17. Select the Proposals tab.
    The Proposals page opens.

    18. Screen shot of the Dell SonicWALL Proposals settings

  18. In the IKE (Phase 1) Proposal section:
    1. From the Exchange drop-down list, select IKEv2 Mode.
    2. From the DH Group drop-down list, select Group 14.
    3. From the Encryption drop-down list, select AES-256.
    4. From the Authentication drop-down list, select SHA256.
  19. In the Ipsec (Phase 2) Proposal section:
    1. From the Protocol drop-down list, select ESP.
    2. From the Encryption drop-down list, select AES-256.
    3. From the Authentication drop-down list, select SHA256.
    4. Enable Enable Perfect Forward Secrecy.
    5. From the DH Group drop-down list, select Group 14.
  20. Keep the default values for all other settings.
  21. Select the Advancedtab.
    The Advanced page opens.

    22. Screen shot of the Dell SonicWALL Advanced settings

  22. Turn on the Enable Keep Alive toggle.
  23. From the VPN Policy Bbound To drop-down list, select the WAN interface for the SonicWall. In our example, we select Interface X1.
  24. Click Save.
  25. Click Close.

    The Advanced VPN Settings page opens.

    26. Screen shot of the Dell SonicWALL Advanced VPN Settings

  26. Keep the default values for all Advanced VPN settings.
  27. Click Accept.

Configure a BOVPN Route

To configure a route, from the SonicWall Web UI:

  1. Log in to the SonicWall TZ670 Web UI at: https://<IP address of TZ670>. The default IP address is 192.168.168.168.
  2. Select Policy.
  3. From the navigation menu, select Rules and Policies > Routing Rules
  4. In the Routing Rules section, click Add.
    The Adding Rule page opens.

    5. Screen shot of Dell SonicWALL routing rule settings

  5. In the Name text box, type a name for this routing rule. In this example, we type VPN Tunnel Routing Rule.
  6. From the Source drop-down list, select the interface for the SonicWall. In our example, we use the X4 Subnet interface with the IP address 10.10.0.0/24.
  7. From the Destination drop-down list, select the subnet you created for your Firebox in the Configure an IPSec VPN Tunnel section. In our example, we select WGINT.
  8. From the Service Object drop-down list, select Any.
  9. Select the Next Hop tab.
    The Next Hop page opens.

    10. Screen shot of Dell SonicWALL route settings on Next Hop tab

  10. From the Interface drop-down list, select the tunnel interface you created in the Configure an IPSec VPN Tunnel section. In our example, we select VPN with WG.
  11. In the Metric text box, type 1.
  12. Keep the default values for all other settings.
  13. Click Save.

Test the Integration

  1. Log in to the SonicWall Firewall Web UI at: https://<IP address of TZ670>.
  2. Select Network.
  3. From the navigation menu, select IPSec VPN > Rules and Settings.
  4. Verify that the VPN tunnels you configured are active.

    5. Screenshot of Firebox, IPSec tunnel status

  1. Log in to WatchGuard Cloud.
    If you log in with Service Provider, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN.
    The VPN page opens.

    4. Screenshot of Firebox, WGC VPN live status

  4. Click the BOVPN you configured.
  5. Verify that the VPN tunnels are active.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.

    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.

    The Branch Office VPN page opens.

    4. Screenshot of Firebox, on permise VPN live status

  4. In the Tunnels section, verify that the VPN tunnels are active.