- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
How can I setup Site to Site VPN with IKE2 Dynamic client Proposal in SonicOS 6.2 and above?
03/26/2020 
830 People found this article helpful
112,168 Views
Description
Feature/Application:
SonicOS provides IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes globally rather than configure these IKE Proposal settings on an individual policy basis. This scenario could be used while one site has dynamic WAN IP address.
And then on the other site, "IPSec Primary Gateway Name or Address" in the VPN policy General tab will be filled in "0.0.0.0" or left blank.
Resolution
Configuration on the Central Office (Static WAN IP address)
- Central location network configuration
LAN Subnet: 192.168.136.0
Subnet Mask: 255.255.255.0
WAN IP: 10.103.193.114
Local IKE ID SonicWall Identifier: Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)
Creating Address Object for remote Site
- Login to the central location SonicWall appliance.
- Navigate to Manage | Policies |Objects | Address Objects page.
- At the top of the page and click Add button, enter the following settings.
- Name – Remote_Lan
- Zone – VPN
- Type – Network
- Network – 192.168.126.0
- Netmask – 255.255.255.0
- Click OK .
Configuring a VPN Policy
- Navigate to Manage | Connectivity | VPN | Base Settings.
- Check the box Enable VPN under Global VPN Settings.
- Click Add button under VPN Policies section. The VPN Policy window pops up.
General tab
- Select the Authentication method as IKE Using Preshared Secret.
- Name: To_Branch_Office.
- IPSec Primary Gateway Name or Address: 0.0.0.0.
NOTE: Since the Remote WAN IP address changes frequently, it is recommended to use the 0.0.0.0 IP address as the Primary Gateway. - IPSec Secondary Gateway Name or Address: 0.0.0.0.
- Shared Secret: SonicWall (The Shared Secret would be the same at both SonicWall’s).
- Local IKE ID: SonicWall Identifier - Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier).
- Peer IKE ID: SonicWall Identifier - San Jose (This could be any string except it has to match the remote location VPN's Local IKE ID SonicWall Identifier).
Network tab
- Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet).
- Select Choose destination network from list, and select the Address Object –Remote_Lan.
Proposals tab
- IKE (Phase 1) Proposal
- Exchange: IKEv2 Mode
- DH Group: Group 5
- Encryption: AES-256
- Authentication: SHA-512
- Life Time (seconds): 28800
NOTE:The menu "DH Group", "Encryption" and "Authentication" will be gray-out since "IPSec Primary Gateway Name or Address" in General tab is filled in "0.0.0.0" or leaved blank. And they will be configured in step (Configuring the IKEv2 Dynamic Client Proposal, below). - IPSec (Phase 2) Proposal
- Protocol: ESP
- Encryption: 3DES
- Authentication: SHA1
- Enable Perfect Forward Secrecy(not checked)
Advanced tab
- Ensure that the VPN Policy bound to: Zone WAN.
- Click OK .
Configuring the IKEv2 Dynamic Client Proposal:
- Navigate to Manage | Connectivity | VPN | Advanced Settings.
- Check the Cconfiguration under IKEv2 Settings. The configuration window pops up.
- DH Group: Group 5
- Encryption: AES-256
- Authentication: SHA-512
- Click OK .
Configuration on the remote location (Dynamic WAN IP address)
Network Configuration
- LAN Subnet: 192.168.126.0.
- Subnet Mask: 255.255.255.0.
- WAN IP: DHCP (As this is a Dynamic IP Address).
- Local IKE ID SonicWall Identifier: San Jose (This has to match the central location VPN'sPeer IKE ID SonicWall Identifier).
Creating Address Object for remote site
- Login to the Remote location SonicWall appliance.
- Navigate to Manage | Policies |Objects | Address Objects page.
- Scroll down to the bottom of the page and click on Add button, enter the following settings.
- Name – Central_Lan.
- Zone – VPN.
- Type – Network.
- Network – 192.168.136.0.
- Netmask – 255.255.255.0.
- Click OK
Configuration VPN Policy
- Navigate to Manage | Connectivity | VPN | Base Settings.
- Check the box Enable VPN under Global VPN Settings.
- Click on the Add button under the VPN Policies section. The VPN Policy window pops up.
General tab
- Select the Authentication method as IKE Using Preshared Secret.
- Name: To_Central_Office.
- IPSec Primary Gateway Name or Address: 10.103.193.114.
- IPSec Secondary Gateway Name or Address: 0.0.0.0.
- Shared Secret: SonicWall.
- Local IKE ID: SonicWall Identifier - San Jose (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).
- Peer IKE ID: SonicWall Identifier – Shanghai (This has to match the central location VPN's Local IKE ID SonicWall Identifier).
Network tab
- Select Choose local network from list, and select the Address Object – LAN Primary Subnet.
- Select Choose destination network from list, and select the Address Object – Central_Lan.
Proposals tab
- IKE (Phase 1) Proposal..
- Exchange: IKEv2Mode.
- DH Group: Group 5.
- Encryption: AES-256.
- Authentication: SHA-512.
- Life Time (seconds): 28800 .
- IPSec (Phase 2) Proposal.
- Protocol: ESP.
- Encryption: 3DES .
- Authentication: SHA1.
- Enable Perfect Forward Secrecy (not checked).
Advanced tab
- Enable Keep Alive box should be checked.
- VPN Policy bound to: Zone WAN.
- Click OK .
How to Test
- From the remote location try to ping an IP address on the central location.
NOTE: Before receiving successful replies, you might see couple of “Request Timed Out“ messages while the VPN tunnel is still establishing.
Related Articles
- How to configure SSLVPN Tunnel all mode for one or more particular users (Local or Domain users)
- How to disable TOTP for a Local User with admin privileges via CLI.
- Parserror on Event logs.
Categories
- Firewalls > NSa Series > VPN
- Firewalls > NSv Series > VPN
- Firewalls > TZ Series > VPN
YES
NO