Configuring Aggressive Mode Site to Site VPN when a Site has Dynamic WAN Public IP address

03/26/2020 1696 39187

DESCRIPTION:

Configuring a Site to Site VPN on the central location (Static WAN IP address)

• Central location network configuration

1. LAN Subnet: 192.168.168.0
2. Subnet Mask: 255.255.255.0
3. WAN IP: 66.249.72.115
4. Local IKE ID SonicWall Identifier: Chicago (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)

NOTE: The IP Address can be dynamic but it must always be Public.

RESOLUTION:

This solution explains the configuration of a Site to Site VPN on SonicWall appliances when a site has dynamic WAN IP address.

The VPN policy is setup using Aggressive Mode.

Configuring a Site to Site VPN on the Central location

• Creating Address Object for remote Site

1. Login to the central location SonicWall appliance.
2. Navigate to Manage | Policies | Objects | AddressObjects  page.
3. Click Add button, enter the following settings.
   
   
   • Name – newyork vpn,
   • Zone – VPN,
   • Type – Network,
   • Network – 10.10.10.0,
   • Netmask – 255.255.255.0
     
     
4. Click OK.
   
   
   

• Configurating a VPN Policy 

1. Navigate to Manage | Connectivity | VPN | Base Settings.
2. Check the box “Enable VPN” under Global VPN Settings.
3. Click Add button under VPN Policies section. The VPN Policy window pops up.

General Tab 

•   Select the Authentication method as  IKE Using Preshared Secret.
• Name: New York Aggressive Mode VPN.
•  IPSec Primary Gateway Name or Address: 0.0.0.0.
  
  
  

  NOTE: Since the WAN IP address changes frequently, it is recommended to use the 0.0.0.0 IP address as the Primary Gateway.

• IPSec Secondary Gateway Name or Address: 0.0.0.0.
• Shared Secret: SonicWall (The Shared Secret would be the same at both SonicWall’s. You can choose any Secret Key, but it should be entered sam on both sites).
• Local IKE ID: SonicWall Identifier - Chicago (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)..
• Peer IKE ID: SonicWall Identifier - newyork (This could be any string except it has to match the remote location VPN's Local IKE ID SonicWall Identifier).
  
  

 
Network Tab 

• Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet).
• Select Choose destination network from list, and select the Address Object – newyork vpn.
  
  
  

Proposals Tab

• IKE (Phase 1) Proposal.
• Exchange:  Aggressive Mode.
• DH Group:  Group 2.
• Encryption: 3DES.
• Authentication: SHA1.
• Life Time (seconds): 28800 .
• IPSec (Phase 2) Proposal.
• Protocol:  ESP.
• Encryption: 3DES.
• Authentication: SHA1.
• Enable Perfect Forward Secrecy(not checked).
• Life Time (seconds): 28800. 
  
  
  
  

Advanced tab

• Ensure that the VPN Policy bound to: Zone WAN.
• Click OK 
  
  
  
  
  
  

Configuring a Site to Site VPN on the remote location (Dynamic WAN IP address)

NOTE: The Dynamic WAN IP Address must be Public.

Network Configuration 

1.  LAN Subnet: 10.10.10.0.
2. Subnet Mask: 255.255.255.0.
3.  WAN IP: DHCP (As this is a Dynamic IP Address).
4. Local IKE ID SonicWall Identifier: newyork (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).

• Creating Address Object for remote site

1. Login to the Remote location SonicWall appliance.
2. Navigate to Manage | Policies | Objects | AddressObjects page.
3. Click Add button, enter the following settings.
   
   
   • Name – Chicago vpn.
   • Zone – VPN.
   • Type – Network.
   • Network – 192.168.168.0.
   • Netmask – 255.255.255.0.
     
4. Click OK .
   

• Configuration VPN Policy

1. Navigate to Manage | Connectivity | VPN | Base Settings.
2. Check the box  Enable VPN under Global VPN Settings.
3.  Click  Add button under the VPN Policies section. The VPN Policy window pops up.

General Tab

•  Select the Authentication method as IKE Using Preshared Secret.
•   Name: Chicago Aggressive Mode VPN.
•  IPSec Primary Gateway Name or Address: 66.249.72.115 ( Gateway of the main site, which is static IP).
• IPSec Secondary Gateway Name or Address: 0.0.0.0.
• Shared Secret: SonicWall.
•  Local IKE ID: SonicWall Identifier - newyork (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).
• Peer IKE ID: SonicWall Identifier – Chicago (This has to match the central location VPN's Local IKE ID SonicWall Identifier).
  

 Network Tab 

• Select Choose local network from list, and select the Address Object – LAN Primary Subnet .
• Select Choose destination network from list, and select the Address Object – Chicago vpn.
  
  

Proposals Tab

• IKE (Phase 1) Proposal.
• Exchange:  Aggressive Mode.
• DH Group:  Group 2.
• Encryption: 3DES .
• Authentication: SHA1.
• Life Time (seconds): 28800  .
• IPSec (Phase 2) Proposal.
• Protocol:  ESP.
• Encryption: 3DES .
• Authentication: SHA1.
• Enable Perfect Forward Secrecy (not checked) .
• DH Group:  Group 2.
• Life Time (seconds): 28800.
  
  

 Advanced Tab

• Enable Keep Alive box should be checked.
• VPN Policy bound to: Zone WAN.
• Click OK .
  

How to Test

• From the remote location try to ping an IP address on the central location.
  

  NOTE:Before receiving successful replies, you might see couple of “Request Timed Out“ messages while the VPN tunnel is still establishing.