FIPS Mode: Radius protected with IPSEC VPN

05/27/2022

    Description

    The following article shows how to configure an IPsec VPN to protect RADIUS authentication on a firewall that operates in FIPS mode.

    The VPN runs between the firewall and an internal RADIUS server on Windows Server 2016.

    Cause

    One of the key requirements for enabling FIPS mode on a SonicWall firewall is that RADIUS authentication is protected by an IPsec VPN: RADIUS itself hides passwords and authenticates responses with MD5, which is not a FIPS-approved algorithm, so the RADIUS exchange has to be carried inside an IPsec tunnel that uses approved algorithms.
    To understand better how FIPS mode works, please refer to the KB article [[How do I enable FIPS Mode?|170505541129412]].

    Resolution

    SCENARIO

    (Network diagram: SonicWall firewall with X0 interface 192.168.168.168, and the Windows Server 2016 RADIUS server 192.168.168.16 on the X0 LAN; the IPsec tunnel runs between these two addresses.)

    Please also check the following video, which guides you through the configuration of a Site-to-Site VPN between SonicWall and Windows Server (the video uses Windows Server 2012 R2 as the example, but it applies to Server 2016 as well). VIDEO: How to configure a Site-to-Site VPN between SonicWall and Windows Server

     

    WINDOWS SERVER CONFIGURATION

     

    Enable the Routing and Remote Access Services role using the Server Manager.

    1. Click the “Add roles and features” option. Alternatively, you can find it under the “Manage” menu at the top right.
    2. Click “Next” on the “Before you begin” screen.
    3. Select “Role-based or feature-based installation” and click “Next”.
    4. Click “Select a server from the server pool”, select the local server and click “Next”.
    5. Scroll down to “Remote Access” and select it. Click “Next”. Click “Next” again to skip the “Features” section.
    6. On the “Remote Access” section, which provides information about DirectAccess, VPN and Web Application Proxy, click “Next”.
    7. On the “Role Services” section, check both “DirectAccess and VPN (RAS)” and “Routing”. If you are prompted to install additional required features, click “Add Features”. Click “Next”.
    8. Finally, on the “Confirm installation selections” section, click “Install”. Optionally check “Restart the destination server automatically if required” to reboot during the installation; otherwise plan to restart manually at a convenient time if a restart is required.

     

    Configure Routing and Remote Access Services.

    1. Open “Routing and Remote Access” from the Administrative Tools folder in the Control Panel.
    2. Right-click the “<server name> (local)” entry and click “Configure and Enable Routing and Remote Access”.
    3. On the Welcome screen, click “Next”.
    4. On the Configuration screen, select “Custom configuration” and click “Next”.
    5. On the Custom Configuration screen, select “LAN routing” and click “Next”. Click “Finish”.
    6. Review the prompt from Routing and Remote Access, then click “OK”. Click “Start service” on the next prompt, which informs you that the Routing and Remote Access service is ready to use. Wait for the service to start.
    7. Close Routing and Remote Access.

    Configure the Windows Firewall with Advanced Security.

    1. Open the Windows Firewall under Control Panel.
    2. Click “Advanced settings” in the left panel. “Windows Firewall with Advanced Security” opens.
    3. Click “Connection Security Rules” in the left panel and create a new rule in the “Connection Security Rules” section.
    4. On the Rule Type screen, select “Tunnel”. Click “Next”.
    5. On the Tunnel Type screen, select “Custom configuration” and “No. Send all network traffic that matches this connection security rule through the tunnel”. Click “Next”.
    6. On the Requirements screen, select “Require authentication for inbound and outbound connections”. Click “Next”.
    7. In “Which computers are in Endpoint 1?” click “Add…” and enter the server IP address: 192.168.168.16
    8. In “What is the local tunnel endpoint (closest to computers in Endpoint 1)?” click “Edit…” and enter the server IP address: 192.168.168.16
    9. In “What is the remote tunnel endpoint (closest to computers in Endpoint 2)?” click “Edit…” and enter the firewall IP address: 192.168.168.168
       The wizard also asks which computers are in Endpoint 2. What you enter there must match the local network you later select on the firewall’s Network tab (“X0 Subnet” in this example), because the Phase 2 traffic selectors of both peers have to agree or the Quick Mode negotiation fails.
    10. Click “Next >”.
    11. On the Authentication Method screen, select “Advanced” and click “Customize…”.
    12. Under “First authentication methods”, click “Add…”.
    13. On the Add First Authentication Method window, select “Preshared key” and enter a preshared key; the same key is entered in the firewall’s VPN Policy later in the setup. In this example the preshared key is 1234test1234 (a sample value only; use a long random secret in production). Click “OK”. Click “OK” again to return to the Authentication Method screen. Click “Next”.
    14. On the Profile screen, check all the boxes and click “Next”. On the Name screen, provide a name for the new rule and optionally a description. Click “Finish”.
       Back in the Windows Firewall with Advanced Security window you will now see the Connection Security Rule that was just created.
    15. Right-click “Windows Firewall with Advanced Security” in the left panel and select “Properties”.
    16. Click the “IPsec Settings” tab. Under “IPsec defaults” click “Customize…”.
    17. On the Customize IPsec Defaults window, under “Key exchange (Main Mode)” select “Advanced” and click “Customize…”.
    18. On the Customize Advanced Key Exchange Settings window we define the Phase 1 proposal. Click “Add…”.
    19. For Integrity algorithm select “SHA-256”. For Encryption algorithm select “AES-CBC 256”. For “Key exchange algorithm” select “Diffie-Hellman Group 14”. Click “OK”. Under “Key lifetimes” enter 480 minutes (this equals the 28800-second Phase 1 lifetime configured on the firewall below). Click “OK”.
    20. On the Customize IPsec Defaults window, under “Data protection (Quick Mode)” select “Advanced” and click “Customize…”.
       There may be pre-defined entries in either list. Under “Data integrity algorithms”, look for an entry with “ESP” Protocol and “AES-GMAC 256” Integrity. If it exists, select it and click “Edit…” to change the Key Lifetime to 480 minutes, keeping the default 100,000 KB. If it does not exist, create it, and use the arrow buttons to move it to the topmost position so that it is the proposal offered first.
       Note that the “Data integrity algorithms” list holds integrity-only proposals: AES-GMAC authenticates every packet but does not encrypt it, so the RADIUS payload is tamper-proof but still readable on the wire. If you need confidentiality as well, use a proposal from the “Data integrity and encryption algorithms” list (for example an AES-GCM 256 entry) and select the matching AES-GCM proposal on the firewall.
    21. Back in the Windows Firewall with Advanced Security window, enable the Connection Security Rule if it is not already enabled. The rule is now active on the server, but no tunnel comes up until the firewall’s VPN policy is configured.
    22. Expand “Monitoring” and “Security Associations” in the left panel. These sections display the VPN information and the active tunnels once the firewall side is in place.

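    The same Windows Server configuration can be applied with PowerShell instead of clicking through the wizards. The following script is an added example and is not part of the original SonicWall article: it reproduces the role installation, the Phase 1 and Phase 2 defaults, the preshared-key authentication set and the tunnel-mode connection security rule described above, using the article’s addresses and sample key. It assumes an elevated PowerShell session on Windows Server 2016, that the firewall’s X0 subnet is 192.168.168.0/24 (the page only names it “X0 Subnet”), and that the verification function at the end is run after the firewall’s VPN policy has been saved.

```powershell
# Added example: scripts the Windows Server side of this article (RRAS role,
# IPsec tunnel rule, Phase 1/Phase 2 defaults). Not code from the original KB page.
# Assumptions: run as Administrator on Windows Server 2016; addresses are the
# article's (server 192.168.168.16, firewall X0 192.168.168.168); the X0 subnet
# is assumed to be 192.168.168.0/24; the PSK is the article's sample value only.
#Requires -RunAsAdministrator

$ServerIp   = '192.168.168.16'
$FirewallIp = '192.168.168.168'
$X0Subnet   = '192.168.168.0/24'   # assumption: must equal the firewall's "X0 Subnet" selection
$Psk        = '1234test1234'       # article's sample key; replace with a long random secret

# 1. Remote Access role with Routing (the "Add roles and features" steps). A reboot may be needed.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly      # equivalent of "Custom configuration" > "LAN routing"
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess

# 2. Phase 1 (Main Mode) default: AES-CBC-256 / SHA-256 / DH group 14, 480-minute lifetime
#    (equals the 28800 s configured on the firewall).
$mm = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
New-NetIPsecMainModeCryptoSet -DisplayName 'SonicWall-MM' -Proposal $mm -MaxMinutes 480 -Default | Out-Null

# 3. Phase 2 (Quick Mode) default: ESP with AES-GMAC-256 integrity and NO encryption,
#    480 min / 100,000 KB, matching the article's "Data integrity algorithms" entry.
#    GMAC authenticates but does not encrypt the RADIUS payload; for confidentiality use
#    -Encryption AESGCM256 -ESPHash AESGCM256 and the matching AES-GCM proposal on the firewall.
$qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption None -ESPHash AESGMAC256 `
        -MaxMinutes 480 -MaxKilobytes 100000
New-NetIPsecQuickModeCryptoSet -DisplayName 'SonicWall-QM' -Proposal $qm -Default | Out-Null

# 4. Authentication: preshared key as the first (machine) authentication method.
$auth = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$p1   = New-NetIPsecPhase1AuthSet -DisplayName 'SonicWall-PSK' -Proposal $auth

# 5. Tunnel-mode connection security rule: Endpoint 1 = server, Endpoint 2 = X0 subnet,
#    tunnel endpoints = server and firewall, authentication required in both directions,
#    enabled for all firewall profiles (the "check all the boxes" step).
New-NetIPsecRule -DisplayName 'SonicWall RADIUS tunnel' -Mode Tunnel `
    -LocalAddress $ServerIp -RemoteAddress $X0Subnet `
    -LocalTunnelEndpoint $ServerIp -RemoteTunnelEndpoint $FirewallIp `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -Profile Any -Enabled True | Out-Null

# 6. Verification, to run after the firewall's VPN policy is saved: a Main Mode and a
#    Quick Mode SA towards the firewall should exist with the algorithms set above.
function Show-SonicWallSa {
    Get-NetIPsecMainModeSA  | Where-Object RemoteEndpoint -eq $FirewallIp | Format-List *
    Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $FirewallIp | Format-List *
}
Show-SonicWallSa
```

    The crypto sets are created with -Default so that they replace the global IPsec defaults the GUI steps edit under “IPsec Settings”; if other IPsec rules on the server rely on different defaults, attach the two sets to the rule with -MainModeCryptoSet and -QuickModeCryptoSet instead.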
    FIREWALL CONFIGURATION

    Resolution for SonicOS 7.X

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

     

    1. On the firewall’s Management UI, navigate to Objects | Addresses.
    2. Click the Address Objects tab. Click the Add button to create a new Host type Address Object in the VPN zone with the IP address of the Windows server. In this example, 192.168.168.16. Click Save.
    3. On the firewall’s Management UI, navigate to NETWORK | IPSec VPN | Rules and Settings and click the + Add button.
    4. VPN Policy configuration:

    General tab

    • Policy Type: “Site to Site”.
    • Authentication Method: “IKE using Preshared Secret”.
    • Enter a name for the VPN Policy. In this example, I entered the server’s hostname, WIN2016DC.
    • Enter the server’s IP address into “IPsec Primary Gateway Name or Address”. In this example, 192.168.168.16 (the Windows Server IP address).
    • Enter the preshared key configured earlier on the server. In this example it was “1234test1234”.

    If the “Mask Shared Secret” checkbox is enabled, confirm the shared secret. I’ve disabled that option to display the key for this example.

    Network tab

    1. Select “Choose local network from list” and choose “X0 Subnet” from the list. The firewall’s own RADIUS requests are sourced from the X0 interface address, which lies in this subnet, and the selection must correspond to Endpoint 2 of the connection security rule on the Windows server.
    2. Select “Choose destination network from list” and choose the new object created for the Windows server. In this example, “Radius-192.168.168.16”.

     

    Proposals tab

    Phase 1 IKE Proposals

    • Exchange: “Main Mode”
    • DH Group: “Group 14”
    • Encryption: “AES-256”
    • Authentication: “SHA256”
    • Life Time (seconds): “28800” (the same 480 minutes set on the Windows side)

    Phase 2 IPSec Proposals

    • Protocol: “ESP”
    • Encryption: “AESGMAC-256” (matches the ESP / AES-GMAC 256 entry on the Windows side; this is an integrity-only transform, so if the RADIUS traffic must also be encrypted select the AES-GCM proposals on both ends instead)
    • Leave Perfect Forward Secrecy disabled (default)
    • Authentication: SHA1 (the default value; with an AES-GMAC proposal the per-packet integrity check comes from GMAC itself)
    • Life Time (seconds): “28800” (Windows additionally rekeys after 100,000 KB, so the server may initiate a rekey before the firewall does; this is expected)

    Advanced tab

    1. Check “Enable Keep Alive” so that the firewall initiates the tunnel and re-establishes it if it drops, instead of waiting for the next RADIUS request.
    2. Set the “VPN Policy bound to” dropdown to the interface where the Windows server resides. In this example, the X0 interface.
    3. Click Save.
    4. The VPN tunnel should come up, as indicated by the green dot, and the new tunnel also appears on the server under Monitoring | Security Associations. A packet capture on the server then shows ESP (IP protocol 50) between 192.168.168.168 and 192.168.168.16 instead of bare UDP 1812/1813 RADIUS packets.


    Categories

    • Firewalls > NSv Series
    • Firewalls > NSa Series
    • Firewalls > TZ Series
