How can I setup Site to Site VPN with IKE2 Dynamic client Proposal in SonicOS 6.2 and above?

03/26/2020 805 25501

DESCRIPTION:

Feature/Application:
SonicOS provides IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes globally rather than configure these IKE Proposal settings on an individual policy basis. This scenario could be used while one site has dynamic WAN IP address.
And then on the other site, "IPSec Primary Gateway Name or Address" in the VPN policy General tab will be filled in "0.0.0.0" or left blank.

RESOLUTION:

Configuration on the Central Office  (Static WAN IP address)

• Central location network configuration 
  LAN Subnet: 192.168.136.0
  Subnet Mask: 255.255.255.0
  WAN IP: 10.103.193.114
  Local IKE ID SonicWall Identifier: Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier)
   
  

Creating Address Object for remote Site

1. Login to the central location SonicWall appliance.
2. Navigate to Manage | Policies |Objects | Address Objects page.
3. At the top of the page and click Add button, enter the following settings. 
   
   
   • Name – Remote_Lan
   • Zone – VPN
   • Type – Network
   • Network – 192.168.126.0
   • Netmask – 255.255.255.0
4. Click OK .
   

Configuring a VPN Policy 

1. Navigate to  Manage | Connectivity | VPN | Base Settings.
2. Check the box Enable VPN under Global VPN Settings.
3. Click  Add button under VPN Policies section. The VPN Policy window pops up.

General tab 

• Select the Authentication method as IKE Using Preshared Secret.
• Name: To_Branch_Office.
• IPSec Primary Gateway Name or Address: 0.0.0.0.
  
  

  NOTE: Since the Remote WAN IP address changes frequently, it is recommended to use the 0.0.0.0 IP address as the Primary Gateway.

• IPSec Secondary Gateway Name or Address: 0.0.0.0.
• Shared Secret: SonicWall (The Shared Secret would be the same at both SonicWall’s).
• Local IKE ID: SonicWall Identifier - Shanghai (This could be any string except it has to match the remote location VPN's Peer IKE ID SonicWall Identifier).
• Peer IKE ID: SonicWall Identifier - San Jose (This could be any string except it has to match the remote location VPN's Local IKE ID SonicWall Identifier). 

Network tab 

• Select Choose local network from list, and select the Address Object – X0 Subnet (LAN subnet).
• Select Choose destination network from list, and select the Address Object –Remote_Lan.
  

 


Proposals tab 

• IKE (Phase 1) Proposal
• Exchange:  IKEv2 Mode
• DH Group: Group 5
• Encryption: AES-256
• Authentication: SHA-512
• Life Time (seconds): 28800  
  
  

  NOTE:The menu "DH Group", "Encryption" and "Authentication" will be gray-out since "IPSec Primary Gateway Name or Address" in General tab is filled in "0.0.0.0" or leaved blank. And they will be configured in step (Configuring the IKEv2 Dynamic Client Proposal, below).
  
  

• IPSec (Phase 2) Proposal
• Protocol:  ESP
• Encryption: 3DES 
• Authentication: SHA1
• Enable Perfect Forward Secrecy(not checked)
  

Advanced tab 

• Ensure that the VPN Policy bound to: Zone WAN.
• Click OK .
  

Configuring the IKEv2 Dynamic Client Proposal:

1. Navigate to Manage | Connectivity | VPN | Advanced Settings.
2. Check the Cconfiguration under IKEv2 Settings. The configuration window pops up.
   
   
   •  DH Group: Group 5
   • Encryption: AES-256 
   • Authentication: SHA-512
3. Click OK .
   
   

Configuration on the remote location (Dynamic WAN IP address)
 
Network Configuration 

• LAN Subnet: 192.168.126.0.
• Subnet Mask: 255.255.255.0.
• WAN IP: DHCP (As this is a Dynamic IP Address).
• Local IKE ID SonicWall Identifier: San Jose (This has to match the central location VPN'sPeer IKE ID SonicWall Identifier).
  
   
  

Creating Address Object for remote site

1. Login to the Remote location SonicWall appliance.
2. Navigate to Manage | Policies |Objects | Address Objects page.
3. Scroll down to the bottom of the page and click on Add button, enter the following settings.
   
   
   • Name – Central_Lan.
   • Zone – VPN.
   • Type – Network.
   • Network – 192.168.136.0.
   • Netmask – 255.255.255.0.
     
4. Click OK 
   

 

Configuration VPN Policy 

1. Navigate to Manage | Connectivity | VPN | Base Settings.
2. Check the box Enable VPN under Global VPN Settings.
3. Click on the  Add  button under the VPN Policies section. The VPN Policy window pops up.
    
   

General tab 

• Select the Authentication method as  IKE Using Preshared Secret.
• Name: To_Central_Office.
• IPSec Primary Gateway Name or Address: 10.103.193.114.
• IPSec Secondary Gateway Name or Address: 0.0.0.0.
• Shared Secret: SonicWall.
• Local IKE ID: SonicWall Identifier - San Jose (This has to match the central location VPN's Peer IKE ID SonicWall Identifier).
• Peer IKE ID: SonicWall Identifier – Shanghai (This has to match the central location VPN's Local IKE ID SonicWall Identifier).
  
   

Network tab 

• Select Choose local network from list, and select the Address Object – LAN Primary Subnet.
• Select Choose destination network from list, and select the Address Object – Central_Lan.
  

 

Proposals tab
 

• IKE (Phase 1) Proposal..
• Exchange: IKEv2Mode.
• DH Group:  Group 5.
• Encryption: AES-256.
• Authentication: SHA-512.
• Life Time (seconds): 28800 .
• IPSec (Phase 2) Proposal.
• Protocol:  ESP.
• Encryption: 3DES .
• Authentication: SHA1.
• Enable Perfect Forward Secrecy (not checked).
  

 

Advanced tab 

• Enable Keep Alive box should be checked.
• VPN Policy bound to: Zone WAN.
• Click OK .
  

How to Test

• From the remote location try to ping an IP address on the central location.
  

  NOTE: Before receiving successful replies, you might see couple of “Request Timed Out“ messages while the VPN tunnel is still establishing.