Benefits and Working of SonicOS VPN Auto Provisioning
09/24/2020 0 2085
The SonicOS VPN Auto Provisioning feature simplifies the provisioning of the site to site VPNs between two SonicWall firewalls. This section provides conceptual information and benefits of using the VPN Auto Provisioning feature.
The VPN Auto Provisioning feature simplifies the VPN provisioning of SonicWall firewalls. This is useful in large scale VPN deployments.
In a classic hub-and-spoke site-to-site VPN configuration, there are many complex configuration tasks needed on the spoke side, such as configuring the Security Association and configuring the Protected Networks. In a large deployment with many remote gateways or spokes, this can be a challenge.
VPN Auto Provisioning provides a simplified configuration process to eliminate many configuration steps on the remote VPN peers. In the context of the VPN Auto Provisioning feature, the term VPN AP Server is used for the Hub. Similarly, the term VPN AP Client is used to refer to a Spoke, Client, Remote Gateway, Remote Firewall, or Peer Firewall.
How VPN Auto Provisioning Works
There are two steps involved in VPN Auto Provisioning:
- SonicWall Auto Provisioning Server configuration for the central gateway, or VPN AP Server
- SonicWall Auto Provisioning Client configuration for the remote firewall, or VPN AP Client
In Server mode, you configure the Security Association (SA), Protected Networks, and other configuration fields as in a classic site-to-site VPN policy. In Client mode, the limited configuration is needed. In most cases, the remote firewall administrator simply needs to configure the IP address to connect to the peer server (central gateway), and then the VPN can be established.
On the Client side VPN Auto Provisioning is simple while still providing the essential elements of IP security as mentioned below:
Access control - Network access control is provided by the VPN AP Server. From the VPN AP Client perspective, destination networks are entirely under the control of the VPN AP Server administrator. However, a mechanism is provided to control access to VPN AP Client local networks.
Authentication - Authentication is provided with machine authentication credentials. In Phase 1 of the IPSec proposal, the Internet Key Exchange (IKE) protocol provides machine-level authentication with Preshared keys or digital signatures. You can select one of these authentication methods when configuring the VPN policy.
For the Preshared key authentication method, the administrator enters the VPN Auto Provisioning client ID and the key, or secret. For the digital signatures authentication method, the administrator selects the X.509 certificate which contains the client ID from the firewall’s local certificate store. The certificate must have been previously stored on the firewall.
Data confidentiality and integrity are provided by the Encapsulated Security Payload (ESP) crypto suite in Phase 2 of the IPSec proposal.
NOTE: SonicWall does not recommend configuring a single appliance as both an AP Server and an AP Client at the same time.
When policy changes occur at the VPN AP Server that affects a VPN AP Client configuration, the VPN AP Server uses IKE re-key mechanisms to ensure that a new Security Association with the appropriate parameters is established.
IKE Phase 1 Security Association
To allow IKE Phase 1 to be established, the set of possible choices is restricted; the VPN AP Client proposes multiple transforms (combined security parameters) from which the VPN AP Server can select its configured values. The VPN AP Server responds by selecting a single transform from those contained in the VPN AP Client proposals. The VPN AP Server provisions the VPN AP Client with the appropriate policy values including the Shared Secret.
IKE Phase 2 using a Provisioned Policy
The values received during the VPN AP provisioning transaction are used to establish any subsequent Phase 2 Security Associations. A separate Phase 2 SA is initiated for each Destination Network. Traffic must be initiated from behind the remote side in order to trigger the Phase 2 SA negotiation.
Phase 2 parameters are provisioned by the VPN AP Server, there is no chance of a configuration mismatch. If Phase 2 parameters change at the VPN AP Server, all Phase 1 and Phase 2 Security Associations are deleted and renegotiated, ensuring policy synchronization.
TIP: Please refer the KB below to Configure SonicWall VPN Auto Provisioning
Benefits of VPN Auto Provisioning
- After the initial VPN auto-provisioning, policy changes can be controlled at the central gateway and automatically updated at the spoke end. This solution is especially appealing in Enterprise and Managed Service deployments where central management is a top priority.
- Another benefit of the VPN Auto Provisioning feature is the ease of use and also the automatic configuration of security and connection profiles.