
Benefits and Working of SonicOS VPN Auto Provisioning

09/24/2020


    Description

    The SonicOS VPN Auto Provisioning feature simplifies the provisioning of site-to-site VPNs between two SonicWall firewalls. This article provides conceptual information on the VPN Auto Provisioning feature and the benefits of using it.

    Resolution

    The VPN Auto Provisioning feature simplifies the VPN provisioning of SonicWall firewalls. This is useful in large-scale VPN deployments.

    In a classic hub-and-spoke site-to-site VPN configuration, there are many complex configuration tasks needed on the spoke side, such as configuring the Security Association and configuring the Protected Networks. In a large deployment with many remote gateways or spokes, this can be a challenge.

    VPN Auto Provisioning provides a simplified configuration process to eliminate many configuration steps on the remote VPN peers. In the context of the VPN Auto Provisioning feature, the term VPN AP Server is used for the Hub. Similarly, the term VPN AP Client is used to refer to a Spoke, Client, Remote Gateway, Remote Firewall, or Peer Firewall.

    How VPN Auto Provisioning Works

    There are two steps involved in VPN Auto Provisioning:

    • SonicWall Auto Provisioning Server configuration for the central gateway, or VPN AP Server
    • SonicWall Auto Provisioning Client configuration for the remote firewall, or VPN AP Client

    In Server mode, you configure the Security Association (SA), Protected Networks, and other configuration fields as in a classic site-to-site VPN policy. In Client mode, only limited configuration is needed. In most cases, the remote firewall administrator simply needs to configure the IP address of the peer server (central gateway), and then the VPN can be established.

    On the Client side, VPN Auto Provisioning is simple while still providing the essential elements of IP security, as described below:

    Access control - Network access control is provided by the VPN AP Server. From the VPN AP Client perspective, destination networks are entirely under the control of the VPN AP Server administrator. However, a mechanism is provided to control access to VPN AP Client local networks.

    Authentication - Authentication is provided with machine authentication credentials. In Phase 1 of the IPSec proposal, the Internet Key Exchange (IKE) protocol provides machine-level authentication with Preshared keys or digital signatures. You can select one of these authentication methods when configuring the VPN policy.

    For the Preshared key authentication method, the administrator enters the VPN Auto Provisioning client ID and the key, or secret. For the digital signatures authentication method, the administrator selects the X.509 certificate which contains the client ID from the firewall’s local certificate store. The certificate must have been previously stored on the firewall.

    Data confidentiality and integrity are provided by the Encapsulated Security Payload (ESP) crypto suite in Phase 2 of the IPSec proposal.

    NOTE: SonicWall does not recommend configuring a single appliance as both an AP Server and an AP Client at the same time.

    When policy changes occur at the VPN AP Server that affect a VPN AP Client configuration, the VPN AP Server uses IKE re-key mechanisms to ensure that a new Security Association with the appropriate parameters is established.

    IKE Phase 1 Security Association

    To allow IKE Phase 1 to be established, the set of possible choices is restricted: the VPN AP Client proposes multiple transforms (combined security parameters), and the VPN AP Server responds by selecting the single transform that matches its configured values. The VPN AP Server then provisions the VPN AP Client with the appropriate policy values, including the Shared Secret.

    IKE Phase 2 using a Provisioned Policy

    The values received during the VPN AP provisioning transaction are used to establish any subsequent Phase 2 Security Associations. A separate Phase 2 SA is initiated for each Destination Network. Traffic must be initiated from behind the remote side in order to trigger the Phase 2 SA negotiation.

    Because Phase 2 parameters are provisioned by the VPN AP Server, there is no chance of a configuration mismatch. If Phase 2 parameters change at the VPN AP Server, all Phase 1 and Phase 2 Security Associations are deleted and renegotiated, ensuring policy synchronization.
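    As an added illustration (not SonicWall code; SonicOS does not expose this logic as an API), the following Python models the negotiation the Phase 1 and Phase 2 sections above describe: the AP Server selects one Phase 1 transform from the client's proposals (or none, in which case Phase 1 fails), provisions the policy, one Phase 2 SA is built per destination network from the provisioned values, and a server-side Phase 2 change discards and rebuilds every SA. The transform names, networks and secret are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transform:
    """One combined set of IKE Phase 1 security parameters."""
    encryption: str
    integrity: str
    dh_group: int

def select_phase1_transform(client_proposals, server_transform):
    """Phase 1: the AP Server answers the client's multi-transform proposal by
    picking the single transform that matches its own configured values.
    None means no match, so Phase 1 (and provisioning) cannot be established."""
    for transform in client_proposals:
        if transform == server_transform:
            return transform
    return None

def provision(server_policy):
    """Values the AP Server pushes to the AP Client once Phase 1 is up."""
    return {
        "phase2": server_policy["phase2"],
        "destination_networks": tuple(server_policy["destination_networks"]),
        "shared_secret": server_policy["shared_secret"],
    }

def build_phase2_sas(provisioned):
    """One Phase 2 SA per provisioned destination network, each using the
    provisioned crypto suite, so client and server cannot disagree on it."""
    return [(net, provisioned["phase2"]) for net in provisioned["destination_networks"]]

def resync(current, new_server_policy):
    """Policy change at the server: if Phase 2 parameters or networks changed,
    every SA is discarded and rebuilt from the new provisioned values."""
    new = provision(new_server_policy)
    changed = (new["phase2"] != current["phase2"]
               or new["destination_networks"] != current["destination_networks"])
    if changed:
        return new, build_phase2_sas(new), True
    return current, build_phase2_sas(current), False

# Constructed sample values, not taken from the article.
CLIENT_PROPOSALS = [Transform("aes256", "sha256", 14), Transform("aes128", "sha1", 2)]
SERVER_POLICY = {
    "phase1": Transform("aes256", "sha256", 14),
    "phase2": ("esp", "aes256", "sha256"),
    "destination_networks": ["10.10.0.0/16", "10.20.0.0/24"],
    "shared_secret": "EXAMPLE-SECRET-PLACEHOLDER",
}
```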

    TIP: Refer to the KB article below to configure SonicWall VPN Auto Provisioning:

    https://www.SonicWall.com/support/knowledge-base/how-to-configure-SonicWall-vpn-auto-provisioning-in-SonicOS-6-2-7-and-above/170505991835447/

    Benefits of VPN Auto Provisioning

    • After the initial VPN auto-provisioning, policy changes can be controlled at the central gateway and automatically updated at the spoke end. This solution is especially appealing in Enterprise and Managed Service deployments where central management is a top priority.
    • Another benefit of the VPN Auto Provisioning feature is its ease of use, along with the automatic configuration of security and connection profiles.
