The following article shows how to configure an IPsec VPN to protect RADIUS authentication on a firewall configured to operate in FIPS mode.
The VPN is between the firewall and an internal RADIUS server running on Windows Server 2016.
One of the key requirements for enabling FIPS mode on a SonicWall firewall is to protect RADIUS authentication with an IPsec VPN. To better understand how FIPS mode works, please refer to the KB article [[How do I enable FIPS Mode?|170505541129412]]
Enable the Routing and Remote Access Services role using the Server Manager.
Click the “Add roles and features” option. Alternatively, you can find it under the “Manage” menu on the top right.
Click “Next” on the “Before you begin” screen.
Select “Role-based or feature-based installation” and click “Next”.
Click “Select a server from the server pool”, and select the local server. Click “Next”.
Scroll down to “Remote Access”, and select it. Click “Next”. Click “Next” again to skip the “Features” section.
On the “Remote Access” section that provides information about DirectAccess, VPN, and Web Application Proxy, click “Next”.
On the “Role Services” section, select/check both “DirectAccess and VPN (RAS)” and “Routing”. If/when you are prompted to install additional feature requirements, click “Add Features”. Click “Next”.
Finally, on the “Confirm installation selections” section, click “Install”. Optionally, enable/check the “Restart the destination server automatically if required” to do so during the installation. Otherwise, you can plan to restart manually at a convenient time if required.
Configure Routing and Remote Access Services.
Open “Routing and Remote Access” from the Administrative Tools folder in the Control Panel.
Right-click on the “<server name> (local)” entry. Click “Configure and Enable Routing and Remote Access”.
On the Welcome screen, click “Next”.
On the Configuration screen, click “Custom configuration” and click “Next”.
On the Custom Configuration screen, select “LAN routing” and click “Next”. Click “Finish”.
Review the prompt from Routing and Remote Access, then click “OK”. Click “Start service” on the next prompt informing you that the Routing and Remote Access service is ready to use. Wait for the service to start.
Close Routing and Remote Access.
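The role installation and service start-up from the two sections above can also be scripted. The following PowerShell is an added example and is not part of the KB article; the feature names are those of the Remote Access role services the Server Manager wizard selects, and it assumes the "Custom configuration / LAN routing" choice has been made in the Routing and Remote Access console as described above.

```powershell
# Added example (not from the KB article): installs the Remote Access role
# services selected in the Server Manager steps, then makes sure the Routing
# and Remote Access service is enabled and running.
# Run in an elevated PowerShell session on the Windows Server 2016 RADIUS host.

# RemoteAccess, DirectAccess-VPN and Routing correspond to the "Remote Access"
# role with "DirectAccess and VPN (RAS)" and "Routing" role services.
# -IncludeManagementTools adds the Routing and Remote Access console.
$result = Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server before configuring Routing and Remote Access.'
}

# Confirm the role services are installed before continuing.
Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing |
    Select-Object Name, InstallState

# The "LAN routing" custom configuration is chosen in the Routing and Remote
# Access console (previous section). Its "Start service" prompt is equivalent
# to enabling the service for automatic start-up and starting it now.
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess

# Expected: Status Running, StartType Automatic.
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType
```

If `Get-WindowsFeature` shows any of the three features as Available rather than Installed, the Connection Security Rule in the next section will still be created, but the RRAS-dependent steps will not apply until the role is in place.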
Configuring the Windows Firewall with Advanced Security.
Open the Windows Firewall under Control Panel.
Click “Advanced settings” on the left panel. The “Windows Firewall with Advanced Security” will open.
Click on “Connection Security Rules” on the left panel. Create a new rule in the “Connection Security Rules” section.
On the Rule Type screen, select “Tunnel”. Click “Next”.
On the Tunnel Type screen, select “Custom configuration” and “No. Send all network traffic that matches this connection security rule through the tunnel”. Click “Next”.
On the Requirements screen, select “Require authentication for inbound and outbound connections”. Click “Next”.
In “Which computers are in Endpoint 1?” click on “Add…” and enter the server IP address: 192.168.168.16.
In “What is the local tunnel endpoint (closest to computers in Endpoint 1)?” click on “Edit…” and enter the server IP address: 192.168.168.16.
In “What is the remote tunnel endpoint (closest to computers in Endpoint 2)?” click on “Edit…” and enter the firewall IP address: 192.168.168.168.
Click on “Next >”.
On the Authentication Method screen, select “Advanced”, and click “Customize…”.
Under “First authentication methods”, click “Add…”.
On the Add First Authentication Method window, select the “Preshared key” option, and enter a preshared key that will also be used on the firewall’s VPN Policy later in the setup. In this example the preshared key is 1234test1234. Click “OK”. Click “OK” again to go back to the Authentication Method screen. Click “Next”.
On the Profile screen, check all the boxes and click “Next”. On the Name screen, provide a name for the new rule and optionally provide a description. Click “Finish”. Back on the Windows Firewall with Advanced Security window you’ll now see the Connection Security Rule that was just created.
Right-click on “Windows Firewall with Advanced Security” on the left panel. Select “Properties”.
Click on the “IPsec Settings” tab. Under “IPsec defaults” click “Customize…”.
On the Customize IPsec Defaults window, under “Key exchange (Main Mode)” select “Advanced” and click “Customize…”.
On the Customize Advanced Key Exchange Settings window we will define the Phase 1 proposals. Click “Add…”.
For Integrity algorithm select “SHA-256”. For Encryption algorithm select “AES-CBC 256”. For “Key exchange algorithm” select “Diffie-Hellman Group 14”. Click “OK”. Under “Key lifetimes” enter 480 minutes. Click “OK”.
On the Customize IPsec Defaults window, under “Data protection (Quick Mode)” select “Advanced” and click “Customize…”. There may be pre-defined entries in either list. If there are entries under “Data integrity algorithms”, look for one defined with the “ESP” protocol and “AES-GMAC 256” integrity. If it exists, click on it and click “Edit…” to change the Key Lifetime to 480 minutes with the default 100,000 KB. If the entry does not exist, create it and use the arrow buttons to move it into the topmost position.
Back at the Windows Firewall with Advanced Security window, enable the Connection Security Rule if it isn’t already enabled. At this point the VPN will be active, but the firewall’s VPN policy hasn’t been configured yet.
Expand “Monitoring” and “Security Associations” on the left panel. Those sections display the VPN information and active tunnels.
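The whole Windows Firewall with Advanced Security section above (Connection Security Rule, Main Mode and Quick Mode defaults, preshared-key authentication, and the Security Associations check) can be reproduced with the NetSecurity cmdlets. The following PowerShell is an added example, not part of the KB article: the addresses and preshared key are the article's example values, the display names are arbitrary, and the Endpoint 2 computer range is an assumption (the article leaves it at the wizard default of Any; it should cover the network the firewall policy uses as its local network). The `-Default` switches on the crypto sets take the place of editing the IPsec defaults in the Properties dialog.

```powershell
# Added example (not from the KB article): creates the IPsec tunnel rule and
# crypto defaults described in the Windows Firewall with Advanced Security
# steps, then lists negotiated security associations.
# Run in an elevated PowerShell session on the Windows Server 2016 RADIUS host.

$ServerIp   = '192.168.168.16'    # Endpoint 1 and local tunnel endpoint (RADIUS server)
$FirewallIp = '192.168.168.168'   # remote tunnel endpoint (SonicWall interface)
$Psk        = '1234test1234'      # example value from the article; use a long random secret in production

# --- Phase 1 (Main Mode) defaults: SHA-256 / AES-CBC 256 / DH Group 14, 480-minute lifetime ---
# 480 minutes equals the 28800 seconds entered on the SonicWall VPN policy.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
New-NetIPsecMainModeCryptoSet -DisplayName 'FIPS Main Mode (SonicWall RADIUS tunnel)' `
    -Proposal $mmProposal -MaxMinutes 480 -Default | Out-Null

# --- Phase 2 (Quick Mode) defaults: ESP with AES-GMAC 256, 480 minutes / 100,000 KB ---
# AES-GMAC is an integrity-only algorithm, which is why it sits in the GUI's
# "Data integrity algorithms" list; the encryption algorithm is therefore None.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash AESGMAC256 `
    -Encryption None -MaxMinutes 480 -MaxKiloBytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'FIPS Quick Mode (SonicWall RADIUS tunnel)' `
    -Proposal $qmProposal -Default

# --- First authentication method: preshared key (computer authentication) ---
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'PSK to SonicWall' -Proposal $authProposal

# --- Connection Security Rule: Tunnel type, require authentication in and out, all profiles ---
# -LocalAddress / -RemoteAddress are the Endpoint 1 / Endpoint 2 computers;
# -LocalTunnelEndpoint / -RemoteTunnelEndpoint are the tunnel ends.
# RemoteAddress Any is an assumption (the wizard default the article does not change).
New-NetIPsecRule -DisplayName 'RADIUS to SonicWall (FIPS tunnel)' `
    -Mode Tunnel `
    -LocalAddress $ServerIp -RemoteAddress Any `
    -LocalTunnelEndpoint $ServerIp -RemoteTunnelEndpoint $FirewallIp `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile Any -Enabled True | Out-Null

# --- Verification: the PowerShell view of Monitoring > Security Associations ---
# A Main Mode SA appears once IKE has negotiated with the firewall; Quick Mode
# SAs appear after traffic (for example RADIUS on UDP/1812) has used the tunnel.
Get-NetIPsecRule -DisplayName 'RADIUS to SonicWall (FIPS tunnel)' | Format-List DisplayName, Enabled, Mode
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Until the firewall's VPN policy in the next section is configured, the rule is active but no security associations will be listed. If none appear afterwards either, the first things to compare are the Phase 1 and Phase 2 algorithms and lifetimes on both sides and the preshared key, since a mismatch in any of them makes IKE fail before any RADIUS packet is protected.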
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that differ from the SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
On the firewall’s Management UI, navigate to Objects | Addresses.
Click the Address Objects tab. Click the Add button to create a new Host type Address Object in the VPN zone with the IP address of the Windows server. In this example, 192.168.168.16. Click Save.
On the firewall’s Management UI, navigate to NETWORK | IPSec VPN | Rules and Settings. Click the + Add button.
VPN Policy configuration:
Policy Type: “Site to Site”.
Authentication Method: “IKE using Preshared Secret”.
Enter a name for the VPN Policy. In this example, I entered the server’s hostname, WIN2016DC.
Enter the server’s IP address into “IPsec Primary Gateway Name or Address”. In this example, 192.168.168.16 (the Windows server IP address).
Enter the preshared key configured earlier on the server. In this example it was “1234test1234”.
If the “Mask Shared Secret” checkbox is enabled, confirm the shared secret. I’ve disabled that option to display the key for this example.
Select “Choose local network from list” and choose “X0 Subnet” from the list.
Select “Choose destination network from list” and choose the new object created for the Windows server. In this example, “Radius-192.168.168.16”
Phase 1 IKE Proposals
Exchange: “Main Mode”
DH Group: “Group 14”
Life Time (seconds): “28800”
Phase 2 IPSec Proposals
Leave Perfect Forward Secrecy disabled (default)
Life Time (seconds): “28800”
Enable/check “Enable Keep Alive”.
Set the “VPN Policy bound to” dropdown to the interface where the Windows server resides. In this example, the X0 interface.
The VPN tunnel should come up, as indicated by the green dot.